JavaScript security firm otto-js has shown how PII, company secrets and even passwords inadvertently could be sent to Microsoft and Google webservices, if enhanced spell check is enabled in Microsoft Edge or Google Chrome.
Besides risking sending passwords for company it-services, your company could also risk sending Personally Identifiable Information (PII) like social security numbers or even more sensitive data, when users are typing in the information in internal webbased applications.
The Microsoft version of enhanced spelling and grammar check uses Microsoft Editor, which is available as a browser extension for Edge, Chrome and Firefox.
For that reason you probably would want to prevent the use of enhanced spell checking.
This does not disable spell checking all together. It can still be running locally without sending data to web services.
But it does mean, that spell checking will be less thorough and informative.
Here’s how to disable enhanced spell checking and the Microsoft Editor browser extension:
Prevent Edge and Chrome from sending data to their spelling and grammar check web services
For Microsoft Edge
Disable this policy: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#microsofteditorproofingenabled
For Google Chrome
Disable this policy: https://chromeenterprise.google/policies/#SpellCheckServiceEnabled
Prevent the usage of Microsoft Editor browser extension
The best way to accomplish this is to ban all extensions except explicitly allowed extensions (and not include Microsoft Editor of course), aka browser whitelisting.
I have made a blog post on why and how to do that here:
Why and how to implement browser extension whitelisting — Avantia
However, if you’re not ready to do that, you could instead put Microsoft Editor extension on an extension block-list.
For Microsoft Edge
Use this policy: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallblocklist
and add the extension Id for Microsoft Editor to the list:
hokifickgkhplphjiodbggjmoafhignh (extension Id in Microsoft’s extension store)
gpaiobkfhnonedkhhfjpmhdalgeoebfa (extension Id in Chrome’s webshop)
I have provided both, as it is possible to install Chrome extensions in Microsoft Edge.
For Google Chrome
Use this policy: https://chromeenterprise.google/policies/#ExtensionInstallBlocklist
and add the extension Id for Microsoft Editor to the list:
gpaiobkfhnonedkhhfjpmhdalgeoebfa
For Mozilla Firefox
Use this policy: Administrative Templates/Mozilla/Firefox/Extensions/Extension Management
and add this JSON data to the policy setting:
{
"{c4fe3a44-5c58-4ee0-ba72-2430bbb1795f}": {
"installation_mode": "blocked"
},
}
{c4fe3a44-5c58-4ee0-ba72-2430bbb1795f} is the extension Id of Microsoft Editor in the Firefox add-ons store.