W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2010

[whatwg] Exposing spelling/grammar suggestions in

From: Roger Hågensen <rescator@emsai.net>
Date: Mon, 29 Nov 2010 23:37:20 +0100
Message-ID: <4CF42B20.3000908@emsai.net>
On 2010-11-29 23:08, Charles Pritchard wrote:
> Browser vendors may consider limiting such lookups, and that receiving 
> more than a thousand lookups means that a script has gone awry. Doing 
> so would limit any reasonable chance of a brute force attack 
> discovering anything. A brute force attack with getSpellingRanges 
> would use a dictionary to fill a contenteditable area and test to see 
> if the word is in the system dictionary. The success of such an attack 
> would be reasonably limited were spelling lookups limited by the UA.

This is all growing out of proportion, this whole issue can be resolved 
by just thinking logically.

If passwords are being stored in the dictionary then that is a security 
issue with the UA and not HTML etc.
If a dictionary stores user words without asking the user first or the 
user specifically stores it then that is a implementation issue of the 
dictionary/OS/UA/whatever.
Password fields should never have spell-checking enabled (not just for 
security reasons but because the dictionary might mess up the password 
you are typing causing a failed login)
A javascript or similar has no business stepping through the spelling 
dictionary, that is UA or OS territory, and I fail to see how a 
javascript could possible support all the hundred+ languages in use anyway.
Forms and content fields can have hinting, where they desire spell 
checking to be used (commentary fields on websites, article content 
fields etc), but it is up to the browser/user/OS settings if it'll 
auto-enable checking on those fields.

And currently this is mostly how browsers do this (some better or worse 
than others though).

Some CSS enhancements to possibly match the dictionary GUI to the site's 
look could be interesting though, but CSS stuff is another group than 
WHATWG so...

Only thing I see to miss in what is mentioned here is sitebased custom 
dictionaries,
that is something that could be and should be specced. For example, you 
might want to use the same base dictionary (original or user extended), 
but a different site/sub dictionary depending on if you are writing 
articles on Gamasutra or posting emails on WHATWG.
But again, the actual UI for that is as well the prerogative of the UA.

-- 
Roger "Rescator" H?gensen.
Freelancer - http://EmSai.net/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20101129/55da73f6/attachment.htm>
Received on Monday, 29 November 2010 14:37:20 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:28 UTC