-
Notifications
You must be signed in to change notification settings - Fork 639
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[css-text-3] Privacy Review - fingerprintability of the dictionaries #5630
Comments
Firefox currently ships a standard collection of dictionaries for all users. I think it's possible in theory for a user (maybe via an add-on) to add others but don't know if anyone is actually doing this. Also not sure if some Linux distros might be customizing what they include? |
Two notes:
|
@litherum Spell checking and grammar checking a) aren't part of css-text-3 and b) don't affect layout so can't be detected in the same way. |
For Blink:
We are shipping with built-in dictionaries on Windows, Linux, and ChromeOS. We are using system dictionaries on Android and Mac.
All dictionaries.
They are only for hyphenation. |
Regarding hyphenation in the macOS and iOS ports of WebKit:
|
Hey everyone 👋 Togheter with @dharb we conducted a privacy review of the CSS Text Module level 3 and presented it on the last PING meeting (minutes).
Two issues that we noted were:
A. Amount of details left up to UA can help uniquely identify browser vendor and, possibly, even individual browser versions (this was noted in #5574). We had a brief discussion about this with the group and concluded that the concern is minor as ATM those details are still being revealed by the user agent string.
B. Website can detect installed dictionaries by e.g. testing for language-specific hyphenation. This is much more concerning assuming that users can have a unique combination or versions of dictionaries installed. That being said, we didn't have enough knowledge about how those dictionaries are installed to fully asses the risk, so we decided to follow up with some questions:
I realize that those questions are asking about individual implementations and not the spec, but we are trying to asses the risk in the wild. All help answering those will be much appreciated 🙇♂️
The text was updated successfully, but these errors were encountered: