[whatwg] Client-side verification will never work in the real world
Max Romantschuk
max at provico.fi
Mon Jun 28 21:55:16 PDT 2004
Jason Lustig wrote:
> However - I am a believer that client-side form verification - while a
> nice trick that will take care of most users - never will work with
> real-world, open (i.e. anyone can access them) web apps, like
> BBSes/forums/blogs.
The end of section 2.1, right before section 2.1.1, reads as follows:
"Servers should still perform type-checking on submitted data, as
malicious users or rogue user agents might submit data intended to
bypass this client-side type-checking. Validation done via script may
also be easily bypassed if the user has disabled scripting.
Additionally, legacy user agents do not support the validation features
described in this specification and will therefore submit data that has
not been checked."
Your point is valid, but client-side checking is a valuable tool. A
properly coded app will work fine despite malicious users, but users who
do play by the rules and have a compliant user agent will see a huge
boost in application responsiveness, as the number of HTTP requests
required for a complex form will be reduced dramatically.
.max
PS. New to the list. Hi everyone :)
--
Max Romantschuk
http://max.nma.fi/
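
The server-side re-check that the quoted specification text calls for, as an added example that is not part of the original message or of the specification. The form schema, field names and `validateSubmission` function are hypothetical, and the e-mail pattern is a deliberately simple shape check.

```javascript
// Constructed schema for a hypothetical forum post form; it mirrors the
// constraints the client-side form would declare.
const postSchema = {
  email:  { type: "email",  required: true },
  age:    { type: "number", required: false, min: 13, max: 120 },
  posted: { type: "date",   required: true },
  body:   { type: "text",   required: true, maxLength: 2000 },
};

const checkers = {
  text: () => true,
  // Simple shape check (assumption), not full address parsing.
  email: (s) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s),
  number: (s) => /^-?\d+(\.\d+)?$/.test(s),
  date: (s) => {
    const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
    if (!m) return false;
    const d = new Date(Date.UTC(+m[1], +m[2] - 1, +m[3]));
    // Reject dates such as 2004-02-31 that Date would silently roll over.
    return d.getUTCMonth() === +m[2] - 1 && d.getUTCDate() === +m[3];
  },
};

// Re-validates every field on the server, whatever the client claims to have checked.
function validateSubmission(schema, fields) {
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const errors = [];
  for (const name of Object.keys(fields)) {
    if (!has(schema, name)) errors.push(`${name}: unexpected field`);
  }
  for (const [name, rule] of Object.entries(schema)) {
    const value = has(fields, name) ? fields[name] : undefined;
    if (value === undefined || value === "") {
      if (rule.required) errors.push(`${name}: required`);
      continue;
    }
    // Repeated parameters often parse to arrays; accept plain strings only.
    if (typeof value !== "string") { errors.push(`${name}: not a single string`); continue; }
    if (!checkers[rule.type](value)) { errors.push(`${name}: not a valid ${rule.type}`); continue; }
    if (rule.maxLength !== undefined && value.length > rule.maxLength) errors.push(`${name}: too long`);
    if (rule.type === "number") {
      const n = Number(value);
      if (rule.min !== undefined && n < rule.min) errors.push(`${name}: below minimum`);
      if (rule.max !== undefined && n > rule.max) errors.push(`${name}: above maximum`);
    }
  }
  return { ok: errors.length === 0, errors };
}
```

The same schema can drive the attributes emitted into the form, so compliant user agents catch mistakes early while the server remains the authority on what is accepted.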