Open Bug 1917598 Opened 2 months ago Updated 15 days ago

CSS ::spelling-error and ::grammar-error pseudo element must be limited to typed text

Categories

(Core :: Layout, task)

People

(Reporter: freddy, Unassigned)

References

(Blocks 2 open bugs)

Details

There's a practical (though relatively low severity) xs-leak in which an attacker might infer content of a user's dictionary.

Safari seems to be mitigating this by limiting the styling to the text when the user is typing and does not appear to apply the style sheet in pre-filled forms, e.g., <textarea>obscure first name here</textarea>

(Credit goes to Artur Janc for showing this to me first)

(In reply to Frederik Braun [:freddy] from comment #0)

> There's a practical (though relatively low severity) xs-leak in which an attacker might infer content of a user's dictionary.

I was maybe a bit too vague.

The idea is that you write a computationally heavy CSS animation on top of a textarea::grammar-error and then an incorrectly spelled term would cause the costly animation.
Probing the animation speed (e.g., using requestAnimationFrame) then allows detecting whether the word inside the textarea is in the dictionary or not.
