- From: Charles Pritchard <chuck@jumis.com>
- Date: Sun, 28 Nov 2010 20:19:25 -0800
In thread. On Nov 28, 2010, at 8:03 PM, Cameron McCormack <cam at mcc.id.au> wrote: > Charles Pritchard: >> The content within an editable area is already exposed: xhr is >> available. > > That is data that the user has explicitly typed in, though. Yes, that's what I meant to point out by the statement. > >> I understand that a 'custom' system dictionary could expose >> private data ... Just as 'suggestions' on form elements do. > > Suggestions on form elements can?t be accessed by script on the page. > They only expose information that the user selects. Yes, that's what I meant. > >> What breach is enabled by using a limited spell check? > > (What does ?limited? mean?) > > If script can programmaticaly get at the spell check results, then it > exposes whether particular words are in the user?s dictionary to that > page. Limited, meaning not particular to a user's dictionary. > > The assertion is that it is a violation of the user?s privacy for a web > page to know whether a word is in the user?s dictionary or not. An API > to perform spelling checks and return their results would expose this > information. As currently handled, spelling checks are done purely at > the UI level, and information about the dictionary is not exposed to > script. Yes, and it's a valid assertion. That's why I'm looking for methods to work with that taken into account.
Received on Sunday, 28 November 2010 20:19:25 UTC