In thread.
On Nov 28, 2010, at 8:03 PM, Cameron McCormack <c...@mcc.id.au> wrote: > Charles Pritchard: >> The content within an editable area is already exposed: xhr is >> available. > > That is data that the user has explicitly typed in, though. Yes, that's what I meant to point out by the statement. > >> I understand that a 'custom' system dictionary could expose >> private data ... Just as 'suggestions' on form elements do. > > Suggestions on form elements can’t be accessed by script on the page. > They only expose information that the user selects. Yes, that's what I meant. > >> What breach is enabled by using a limited spell check? > > (What does “limited” mean?) > > If script can programmaticaly get at the spell check results, then it > exposes whether particular words are in the user’s dictionary to that > page. Limited, meaning not particular to a user's dictionary. > > The assertion is that it is a violation of the user’s privacy for a web > page to know whether a word is in the user’s dictionary or not. An API > to perform spelling checks and return their results would expose this > information. As currently handled, spelling checks are done purely at > the UI level, and information about the dictionary is not exposed to > script. Yes, and it's a valid assertion. That's why I'm looking for methods to work with that taken into account.
