[whatwg] including <output> in form submissions

Bjartur Thorlacius svartman95 at gmail.com
Fri Feb 24 01:30:21 PST 2012


On Feb 24, 2012, at 12:18 AM, Michael Gratton wrote:

>> But in general, I recommend against this. Anything that can be computed
>> should be computed on the server to obtain the canonical value, otherwise
>> you open yourself up to attackers sending you inconsistent data.
>
> While for applications where trust is an issue one clearly needs to
> check calculations server-side. When it is not however, this would be a
> welcome addition.

The principle of least authority applies. In general, neither the
client nor the link he communicates over should be trusted
unnecessarily.
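The server-side check discussed in this thread, as an added example that is not part of the original messages: the handler recomputes the canonical value from the submitted inputs and treats a submitted `<output>` value only as a claim to compare against it. The field names (`qty_*`, `total`), the price list and the quantity limit are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed price list (assumption): the server, not the client, owns these.
PRICES = {"widget": Decimal("4.50"), "gadget": Decimal("12.00")}
MAX_QTY = 1000  # assumed upper bound on a single quantity


def canonical_total(fields):
    """Recompute the total from the submitted inputs only."""
    total = Decimal("0")
    for item, price in PRICES.items():
        raw = fields.get("qty_" + item, ["0"])[-1]
        # Accept plain ASCII digits only: no signs, exponents or blanks.
        if not (raw.isascii() and raw.isdigit()) or int(raw) > MAX_QTY:
            raise ValueError(f"bad quantity for {item}: {raw!r}")
        total += price * int(raw)
    return total


def handle_submission(body):
    """Parse a urlencoded form body.

    Returns (canonical_total, client_value_consistent). The canonical
    total is what gets stored or charged; the flag only records whether
    the client-computed <output name="total"> agreed with it.
    """
    fields = parse_qs(body, keep_blank_values=True)
    total = canonical_total(fields)
    claimed = fields.get("total", [None])[-1]
    try:
        consistent = claimed is not None and Decimal(claimed) == total
    except InvalidOperation:
        # Unparseable or signalling-NaN value: treat as inconsistent.
        consistent = False
    return total, consistent


if __name__ == "__main__":
    # Constructed sample bodies: one honest, one with a tampered total.
    for body in ("qty_widget=2&qty_gadget=1&total=21.00",
                 "qty_widget=2&qty_gadget=1&total=0.01"):
        print(body, "->", handle_submission(body))
```

A mismatch is worth logging, since a conforming client would not produce one.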

