- From: Benjamin Hawkes-Lewis <bhawkeslewis@googlemail.com>
- Date: Mon, 29 Nov 2010 07:30:12 +0000
On Mon, Nov 29, 2010 at 4:19 AM, Charles Pritchard <chuck at jumis.com> wrote:
>>> What breach is enabled by using a limited spell check?
>>
>> (What does "limited" mean?)
>>
>> If script can programmatically get at the spell check results, then it
>> exposes whether particular words are in the user's dictionary to that
>> page.
> Limited, meaning not particular to a user's dictionary.

Breaches would include:

1. Detecting the user's language (including fine distinctions like British/US English).

2. Fingerprinting the user's system. Different systems likely use different dictionaries with different coverage. You could use dictionary profiles to guess at the user's system (potentially down to operating system and version).

Also your proposed limitation might well require user agents on some platforms to implement their own dictionary service as opposed to using platform dictionary services. For example, say you were building a user agent for OS X. AFAICT you can't exclude the user's dictionary when querying the system spellchecking API:

http://developer.apple.com/library/mac/#documentation/Cocoa/Reference/ApplicationKit/Classes/NSSpellChecker_Class/Reference/Reference.html#//apple_ref/doc/uid/20000378

It would also make for a confusing user experience where the same spellchecking UI yields different results in some web applications for no obvious reason.

If you don't need the user's dictionary or the same spellchecking UI, you could disable spellchecking with the "spellcheck" attribute and roll your own over XHR/web sockets.

http://www.w3.org/TR/html5/editing.html#spelling-and-grammar-checking

--
Benjamin Hawkes-Lewis
Received on Sunday, 28 November 2010 23:30:12 UTC
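
The alternative suggested at the end of the message above, as an added example that is not part of the original post: the page turns off the user agent's checker with the "spellcheck" attribute and checks text against a word list the site itself supplies, so results never depend on the user's or the platform's dictionary. The names `WORDS`, `disableNativeSpellcheck` and `findMisspellings` are hypothetical, and the word list is a constructed sample standing in for data fetched over XHR or a web socket.

```javascript
// Added example: site-side spell check that never consults the browser's
// or the user's dictionary. WORDS is a constructed sample list; in a page it
// would be the word list (or per-word verdicts) fetched from the site's server.
const WORDS = new Set(["the", "colour", "of", "this", "page", "is", "grey"]);

// Turn off the user agent's checker for an editable element, so the only
// spelling marks shown are the ones this script computes itself.
function disableNativeSpellcheck(el) {
  el.setAttribute("spellcheck", "false");
  return el;
}

// Return [{word, start, end}] for every word that is not in the site's list.
// The offsets let the caller underline the ranges in its own UI.
function findMisspellings(text, dictionary) {
  const out = [];
  const re = /[A-Za-z]+(?:'[A-Za-z]+)*/g; // letters, with inner apostrophes
  let m;
  while ((m = re.exec(text)) !== null) {
    if (!dictionary.has(m[0].toLowerCase())) {
      out.push({ word: m[0], start: m.index, end: m.index + m[0].length });
    }
  }
  return out;
}
```

Because the verdicts come only from the site's list, every visitor gets the same marks for the same text, and script learns nothing about which words a particular user has added locally.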