Disable Chrome and Edge enhanced spell check to prevent data leak

JavaScript security firm otto-js has shown how PII, company secrets and even passwords can inadvertently be sent to Microsoft and Google web services if enhanced spell check is enabled in Microsoft Edge or Google Chrome.

Besides the risk of sending passwords for company IT services, your company also risks sending Personally Identifiable Information (PII) such as social security numbers, or even more sensitive data, when users type that information into internal web-based applications.

Source: https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords

The Microsoft version of enhanced spelling and grammar check uses Microsoft Editor, which is available as a browser extension for Edge, Chrome and Firefox.


For that reason, you will probably want to prevent the use of enhanced spell checking.

This does not disable spell checking altogether. It can still run locally without sending data to web services.
But it does mean that spell checking will be less thorough and informative.

Here’s how to disable enhanced spell checking and the Microsoft Editor browser extension:


Prevent Edge and Chrome from sending data to their spelling and grammar check web services

For Microsoft Edge

Disable this policy: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#microsofteditorproofingenabled

For Google Chrome

Disable this policy: https://chromeenterprise.google/policies/#SpellCheckServiceEnabled

Prevent the usage of Microsoft Editor browser extension

The best way to accomplish this is to ban all extensions except explicitly allowed extensions (not including Microsoft Editor, of course), aka browser extension whitelisting.

I have made a blog post on why and how to do that here:

Why and how to implement browser extension whitelisting — Avantia


However, if you’re not ready to do that, you could instead put the Microsoft Editor extension on an extension block-list.

For Microsoft Edge

Use this policy: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallblocklist

and add the extension Id for Microsoft Editor to the list:
hokifickgkhplphjiodbggjmoafhignh (extension Id in Microsoft’s extension store)
gpaiobkfhnonedkhhfjpmhdalgeoebfa (extension Id in Chrome’s webshop)

I have provided both, as it is possible to install Chrome extensions in Microsoft Edge.


For Google Chrome

Use this policy: https://chromeenterprise.google/policies/#ExtensionInstallBlocklist

and add the extension Id for Microsoft Editor to the list:
gpaiobkfhnonedkhhfjpmhdalgeoebfa


For Mozilla Firefox

Use this policy: Administrative Templates/Mozilla/Firefox/Extensions/Extension Management

and add this JSON data to the policy setting:

{
    "{c4fe3a44-5c58-4ee0-ba72-2430bbb1795f}": {
        "installation_mode": "blocked"
    }
}

{c4fe3a44-5c58-4ee0-ba72-2430bbb1795f} is the extension Id of Microsoft Editor in the Firefox add-ons store.
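
To confirm that the Edge and Chrome settings above have actually reached a Windows endpoint, the following added example (not part of the original post) reads the machine-level policy registry keys and reports each check. It assumes the policies are deployed under HKLM; the function names Test-DwordPolicy and Test-Blocklist are made up for this example.

```powershell
# Added example: audit the Edge/Chrome policy values described in this article.
# Assumption: policies are applied machine-wide (HKLM), not per user (HKCU).
$EditorIds = @(
    'hokifickgkhplphjiodbggjmoafhignh',  # Microsoft Editor, Microsoft's extension store (from the article)
    'gpaiobkfhnonedkhhfjpmhdalgeoebfa'   # Microsoft Editor, Chrome's webshop (from the article)
)

function Test-DwordPolicy {
    param([string]$Path, [string]$Name, [int]$Expected)
    # A missing key or value yields $null, which means the policy is not configured.
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Check     = "$Path\$Name"
        Expected  = $Expected
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        Compliant = ($null -ne $actual -and [int]$actual -eq $Expected)
    }
}

function Test-Blocklist {
    param([string]$Path, [string[]]$RequiredIds)
    # List policies are stored as numbered string values ("1", "2", ...) under a subkey.
    $blocked = @()
    if (Test-Path $Path) {
        $key = Get-Item -Path $Path
        $blocked = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }
    foreach ($id in $RequiredIds) {
        # "*" blocks every extension; the allow-list must then not contain the Editor Id.
        $isBlocked = ($blocked -contains $id) -or ($blocked -contains '*')
        [pscustomobject]@{
            Check     = "$Path contains $id"
            Expected  = 'blocked'
            Actual    = if ($isBlocked) { 'blocked' } else { 'not blocked' }
            Compliant = $isBlocked
        }
    }
}

$edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$results = @(
    Test-DwordPolicy -Path $edge   -Name 'MicrosoftEditorProofingEnabled' -Expected 0
    Test-DwordPolicy -Path $chrome -Name 'SpellCheckServiceEnabled'       -Expected 0
    Test-Blocklist -Path "$edge\ExtensionInstallBlocklist"   -RequiredIds $EditorIds
    Test-Blocklist -Path "$chrome\ExtensionInstallBlocklist" -RequiredIds $EditorIds[1]
)
$results | Format-Table -AutoSize
```

Any row with Compliant = False means the corresponding policy has not been applied on that machine. The effective policies can also be inspected in the browser at edge://policy and chrome://policy.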