undefined | Better HN

0 pointskaolinite14y ago0 comments

The security of the application should never rely on the client-side. If you're using Javascript or similar for authentication, you're doing it wrong.

0 comments

3 comments · 2 top-level

jaffathecake14y ago· 1 in thread

Not strictly true, most sites rely on the client's cross-domain policy for security. Without it, this site would be able to read your Gmail & facebook pages. If a useragent came out that had a major x-domain hole, I'd expect data-sensitive sites to block it.

Not that IE fails in this way (and blocking IE in this case it wrong).

kaoliniteOP14y ago

+1. Valid point but this is a bit different to what I was referring to and is an insecurity in the browser rather than the application. Still, fair point. I was mainly referring to people validating input only on the client-side, redirecting people away from private parts of the site using JS or meta redirect (last year I had to maintain a site that used this), etc.

muyuu14y ago

The user might get the wrong impression that he's being supported when he's not, and go ahead and buy some service that's not going to get support.

At least a big warning is justified.

j / k navigate · click thread line to collapse