Did you know that input fields on a web form support spell checking by default in many web browsers? This is a feature of the browser that can help catch errors early for the end user. Recently, some testers found that some data may be leaked during the spell checking function to 3rd parties. Here is a reference article describing this: https://www.darkreading.com/application-security/spellchecking-google-chrome-microsoft-edge-browsers-leaks-passwords
The first point to make here is this is limited in the browser settings that may be enabled. For example, for Chrome it is when the enhanced spell check is enabled.
The other point to make up front is that apparently passwords were only at risk if the field had a “show password” option that was clicked. Password fields without a “show password” option were not at risk.
Recommendation
It is worth considering disabling spell checking on fields that don’t need it. For example, many sensitive fields might not benefit from spell checking. Things like Usernames, or Social Security Numbers don’t need spell checking. In these cases, it may be a good idea ot disable spell checking on the field. This can be done by setting the spellcheck attribute to false as shown below:
Simple TextBox
<input type=“text” spellcheck=“false”>
Text Area
<textarea spellcheck=“false”></textarea>
You could also cover the entire form by setting it at the form level as shown below:
<form spellcheck=“false”>
Conclusion
Just like caching, there are special considerations we want to consider when dealing with sensitive data. Even though the risk may require special circumstances and configurations that are out of your control, we can take proactive steps that are within our control. In this case, you have the ability to shut the spell checker off if it is not needed. It doesn’t make sense to turn it off for everything, but may make sense for sensitive fields.