[whatwg] Client-side verification will never work in the real world

Max Romantschuk max at provico.fi
Mon Jun 28 21:55:16 PDT 2004

Jason Lustig wrote:
> However - I am a believer that client-side form vefification - while a 
> nice trick that will take care of most users - never will work with 
> real-world, open (i.e. anyone can access them) web apps, like 
> BBSes/forums/blogs.

At the end of section 2.1, right before section 2.1.1 reads the following:

"Servers should still perform type-checking on submitted data, as 
malicious users or rogue user agents might submit data intended to 
bypass this client-side type-checking. Validation done via script may 
also be easily bypassed if the user has disabled scripting. 
Additionally, legacy user agents do not support the validation features 
described in this specification and will therefore submit data that has 
not been checked."

Your point is valid, but client-side checking is a valuable tool. A 
properly coded app will work fine despite malicious users, but users who 
do play by the rules and have a compliant user agent will see a huge 
boost in application responsiveness, as the amount of HTTP requests 
required for a complex form will be reduced dramatically.


PS. New to the list. Hi everyone :)

Max Romantschuk

More information about the whatwg mailing list