TYPO3 Core

The following issue has been brought to the attention of the security team.
Source: https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords

Having manually(!) enabled "enhanced spell checking" in browsers, can lead to scenarios that password data is sent to remote services that actually take care of the spell checking. Since this issue is cause by browsers and the determination of "confidentiality" is fuzzy here, this issue is handled in public. For instance, any content that is only available in an intranet would be considered confidential, it's not only about password data.

The suggestion for the TYPO3 core is:

• https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/spellcheck
• use HTML attr spellcheck="false" for any <form> that is used for credentials
• use HTML attr spellcheck="false" for any <input type="password"> in case it might be used in combination with other content that should be spell checked (in terms of UX)