Add non-normative note about find-in-page details privacy

source

@@ -77019,6 +77019,17 @@ body { display:none }
    revealing algorithm</span> on <var>node</var>.</p></li>
   </ol>
 
+  <p class="XXX">When find-in-page auto-expands a <code>details</code> element like this, it will
+  fire a <code data-x="event-toggle">toggle</code> event. As with the separate <code
+  data-x="event-scroll">scroll</code> event that find-in-page fires, this event could be used by the
+  page to discover what the user is typing into the find-in-page dialog. If the page creates a tiny
+  scrollable area with the current search term and every possible next character the user could type
+  separated by a gap and observes which one the browser scrolls to, it can add that character to the
+  search term and update the scrollable area to incrementally build the search term. This attack
+  could be addressed regardless of whether the <code data-x="event-toggle">toggle</code> event or
+  the <code data-x="event-scroll">scroll</code> event is used by not acting on every character the
+  user types into the find-in-page dialog.</p>
+
   <h4>Interaction with selection</h4>
 
   <p>The find-in-page process is invoked in the context of a document, and may have an effect on