[html5] r2375 - [e] (0) Mention that client-side validation is not secure.

whatwg at whatwg.org
Tue Oct 28 16:50:49 PDT 2008


Author: ianh
Date: 2008-10-28 16:50:48 -0700 (Tue, 28 Oct 2008)
New Revision: 2375

Modified:
   index
   source
Log:
[e] (0) Mention that client-side validation is not secure.

Modified: index
===================================================================
--- index	2008-10-28 23:22:34 UTC (rev 2374)
+++ index	2008-10-28 23:50:48 UTC (rev 2375)
@@ -555,7 +555,8 @@
       <ol>
        <li><a href=#definitions><span class=secno>4.10.14.1 </span>Definitions</a></li>
        <li><a href=#constraint-validation><span class=secno>4.10.14.2 </span>Constraint validation</a></li>
-       <li><a href=#the-constraint-validation-api><span class=secno>4.10.14.3 </span>The constraint validation API</a></ol></li>
+       <li><a href=#the-constraint-validation-api><span class=secno>4.10.14.3 </span>The constraint validation API</a></li>
+       <li><a href=#security-0><span class=secno>4.10.14.4 </span>Security</a></ol></li>
      <li><a href=#form-submission-0><span class=secno>4.10.15 </span>Form submission</a>
       <ol>
        <li><a href=#url-encoded-form-data><span class=secno>4.10.15.1 </span>URL-encoded form data</a></li>
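Review bot: the new entry `<li><a href=#security-0><span class=secno>4.10.14.4 </span>Security</a></ol></li>` takes over the fragment `#security-0`, which in the previous revision pointed at the browsing-context Security section (5.1.4, renumbered to `#security-1` further down in this diff); any existing link or bookmark to `#security-0` will now land on the form-validation section instead. Consider giving the new heading a descriptive, stable id so the anchors of the five existing Security sections do not all shift by one.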
@@ -616,12 +617,12 @@
       <ol>
        <li><a href=#navigating-auxiliary-browsing-contexts-in-the-dom><span class=secno>5.1.2.1 </span>Navigating auxiliary browsing contexts in the DOM</a></ol></li>
      <li><a href=#secondary-browsing-contexts><span class=secno>5.1.3 </span>Secondary browsing contexts</a></li>
-     <li><a href=#security-0><span class=secno>5.1.4 </span>Security</a></li>
+     <li><a href=#security-1><span class=secno>5.1.4 </span>Security</a></li>
      <li><a href=#groupings-of-browsing-contexts><span class=secno>5.1.5 </span>Groupings of browsing contexts</a></li>
      <li><a href=#browsing-context-names><span class=secno>5.1.6 </span>Browsing context names</a></ol></li>
    <li><a href=#the-default-view><span class=secno>5.2 </span>The default view</a>
     <ol>
-     <li><a href=#security-1><span class=secno>5.2.1 </span>Security</a></li>
+     <li><a href=#security-2><span class=secno>5.2.1 </span>Security</a></li>
      <li><a href=#apis-for-creating-and-navigating-browsing-contexts-by-name><span class=secno>5.2.2 </span>APIs for creating and navigating browsing contexts by name</a></li>
      <li><a href=#accessing-other-browsing-contexts><span class=secno>5.2.3 </span>Accessing other browsing contexts</a></ol></li>
    <li><a href=#origin><span class=secno>5.3 </span>Origin</a>
@@ -677,7 +678,7 @@
      <li><a href=#activating-state-object-entries><span class=secno>5.8.3 </span>Activating state object entries</a></li>
      <li><a href=#the-location-interface><span class=secno>5.8.4 </span>The <code>Location</code> interface</a>
       <ol>
-       <li><a href=#security-2><span class=secno>5.8.4.1 </span>Security</a></ol></li>
+       <li><a href=#security-3><span class=secno>5.8.4.1 </span>Security</a></ol></li>
      <li><a href=#history-notes><span class=secno>5.8.5 </span>Implementation notes for session history</a></ol></li>
    <li><a href=#browsing-the-web><span class=secno>5.9 </span>Browsing the Web</a>
     <ol>
@@ -716,7 +717,7 @@
       <ol>
        <li><a href=#user-tracking><span class=secno>5.10.4.1 </span>User tracking</a></li>
        <li><a href=#cookie-resurrection><span class=secno>5.10.4.2 </span>Cookie resurrection</a></ol></li>
-     <li><a href=#security-3><span class=secno>5.10.5 </span>Security</a>
+     <li><a href=#security-4><span class=secno>5.10.5 </span>Security</a>
       <ol>
        <li><a href=#dns-spoofing-attacks><span class=secno>5.10.5.1 </span>DNS spoofing attacks</a></li>
        <li><a href=#cross-directory-attacks><span class=secno>5.10.5.2 </span>Cross-directory attacks</a></li>
@@ -836,7 +837,7 @@
    <li><a href=#crossDocumentMessages><span class=secno>7.4 </span>Cross-document messaging</a>
     <ol>
      <li><a href=#introduction-4><span class=secno>7.4.1 </span>Introduction</a></li>
-     <li><a href=#security-4><span class=secno>7.4.2 </span>Security</a>
+     <li><a href=#security-5><span class=secno>7.4.2 </span>Security</a>
       <ol>
        <li><a href=#authors><span class=secno>7.4.2.1 </span>Authors</a></li>
        <li><a href=#user-agents><span class=secno>7.4.2.2 </span>User agents</a></ol></li>
@@ -27796,7 +27797,19 @@
 
 
 
+  <h5 id=security-0><span class=secno>4.10.14.4 </span>Security</h5>
 
+  <p>Servers should not rely on client-side validation. Client-side
+  validation can be intentionally bypassed by hostile users, and
+  unintentionally bypassed by users of older user agents or automated
+  tools that do not implement these features. The constraint
+  validation features are only intended to improve the user
+  experience, not to provide any kind of security mechanism.</p>
+
+
+
+
+
   <h4 id=form-submission-0><span class=secno>4.10.15 </span>Form submission</h4>
 
   <p>When a form <var title="">form</var> is <dfn id=concept-form-submit title=concept-form-submit>submitted</dfn> from an element <var title="">submitter</var> (typically a button), the user agent must
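Review bot: the added paragraph is addressed to "Servers", but the rest of the spec places its requirements on authors and user agents; "Servers should not rely on client-side validation" is in substance an authoring requirement and would be clearer stated as one, e.g. "Authors must not rely on client-side validation for security; servers must validate all submitted data, since the constraints declared in markup can be bypassed." Also, the five blank lines inserted after the `</p>` (before `<h4 id=form-submission-0>`) exceed the three to four blank lines the surrounding context lines use between sections.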
@@ -28484,6 +28497,7 @@
 
 
 
+
   <h3 id=interactive-elements><span class=secno>4.11 </span>Interactive elements</h3>
 
   <h4 id=the-details-element><span class=secno>4.11.1 </span>The <dfn><code>details</code></dfn> element</h4>
@@ -31509,7 +31523,7 @@
   the user agent's interface, apart from the main content area.</p>
 
 
-  <h4 id=security-0><span class=secno>5.1.4 </span>Security</h4>
+  <h4 id=security-1><span class=secno>5.1.4 </span>Security</h4>
 
   <p>A <a href=#browsing-context>browsing context</a> <var title="">A</var> is
   <dfn id=allowed-to-navigate>allowed to navigate</dfn> a second <a href=#browsing-context>browsing
@@ -31791,7 +31805,7 @@
 
 
 
-  <h4 id=security-1><span class=secno>5.2.1 </span>Security</h4>
+  <h4 id=security-2><span class=secno>5.2.1 </span>Security</h4>
 
   <p>User agents must raise a <a href=#security-exception>security exception</a> whenever
   any of the members of a <code><a href=#window>Window</a></code> object are accessed by
@@ -35831,7 +35845,7 @@
 user reload must be equivalent to .reload()
 -->
 
-  <h5 id=security-2><span class=secno>5.8.4.1 </span>Security</h5>
+  <h5 id=security-3><span class=secno>5.8.4.1 </span>Security</h5>
 
   <p>User agents must raise a <a href=#security-exception>security exception</a> whenever
   any of the members of a <code><a href=#location>Location</a></code> object are accessed by
@@ -37630,7 +37644,7 @@
   privacy.</p>
 
 
-  <h4 id=security-3><span class=secno>5.10.5 </span>Security</h4>
+  <h4 id=security-4><span class=secno>5.10.5 </span>Security</h4>
 
   <h5 id=dns-spoofing-attacks><span class=secno>5.10.5.1 </span>DNS spoofing attacks</h5>
 
@@ -42717,7 +42731,7 @@
   </div>
 
 
-  <h4 id=security-4><span class=secno>7.4.2 </span>Security</h4>
+  <h4 id=security-5><span class=secno>7.4.2 </span>Security</h4>
 
   <h5 id=authors><span class=secno>7.4.2.1 </span>Authors</h5>
 

Modified: source
===================================================================
--- source	2008-10-28 23:22:34 UTC (rev 2374)
+++ source	2008-10-28 23:50:48 UTC (rev 2375)
@@ -31272,7 +31272,19 @@
 
 
 
+  <h5>Security</h5>
 
+  <p>Servers should not rely on client-side validation. Client-side
+  validation can be intentionally bypassed by hostile users, and
+  unintentionally bypassed by users of older user agents or automated
+  tools that do not implement these features. The constraint
+  validation features are only intended to improve the user
+  experience, not to provide any kind of security mechanism.</p>
+
+
+
+
+
   <h4>Form submission</h4>
 
   <p>When a form <var title="">form</var> is <dfn
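Review bot: `<h5>Security</h5>` is added without an id, and the index hunks in this same commit show the consequence: the generated id becomes `security-0` and the existing `security-0` through `security-4` are renumbered to `security-1` through `security-5`. An explicit id on the new heading in the source, in the style of `<h3 id="interactive-elements">` already used in this file, would keep the existing fragments stable across revisions.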
@@ -32150,6 +32162,7 @@
 
 
 
+
   <h3 id="interactive-elements">Interactive elements</h3>
 
   <h4>The <dfn><code>details</code></dfn> element</h4>
