- From: Charles Pritchard <chuck@jumis.com>
- Date: Thu, 02 Dec 2010 12:30:48 -0800
On 11/28/2010 11:30 PM, Benjamin Hawkes-Lewis wrote:
> Breaches would include:
>
> 1. Detecting the user's language (including fine distinctions like
> British/US English).
> 2. Fingerprinting the user's system. Different systems likely use
> different dictionaries with different coverage. You could use
> dictionary profiles to guess at the user's system (potentially down to
> operating system and version).

I haven't seen a response on these issues: They're currently exposed via window.navigator, so I'm just having a hard time seeing what the push-back is actually about.

I think a good case was made for NOT exposing actual spelling suggestions. I haven't heard one regarding exposing DOM ranges for mis-spelled text. Limitations of the <input type="text"> element to a single range, is a reasonable issue. But what is with these two above? They've been echoed, and seem to be more of a devil's advocate argument than one rooted in evidence.

Has there been a fundamental discussion about security regarding locale fingerprinting? At this point, we're talking about language codes as a level of personal privacy we reserve for a person's name, home address, etc. Has this point, and the potential for abuse, actually been discussed by experts?

I can tell you, that blocking the issue does have real usability costs: blocking the issue without expert review, means that we're weighing actual, measurable usability costs with perceived insecurities. That doesn't seem reasonable to me.

FWIW: It's reasonably simple to use a minimum of scripting code to detect an input language, given only a sentence or two of data. I understand that there are situations where language use is regulated, but those situations carry so many other reductions in freedom: I highly doubt that exposing input locale would be anything but trivial in comparison to other issues. And window.navigator already carries this data, for the most part. Input locale is being discussed on www-dom for text entry.

Can I get some further, reasonable discussion, on this issue? It's fine that Benjamin brought up that such data could be exposed, but when looked at in context of the current scripting environment: that data is already exposed.

-Charles
Received on Thursday, 2 December 2010 12:30:48 UTC