[whatwg] including <output> in form submissions

On Feb 24, 2012, at 12:18 AM, Michael Gratton wrote:

>> But in general, I recommend against this. Anything that can be computed
>> should be computed on the server to obtain the canonical value, otherwise
>> you open yourself up to attackers sending you inconsistent data.
>
> While for applications where trust is an issue one clearly needs to
> check calculations server-side. When it is not however, this would be a
> welcome addition.

The principle of least authority applies. In general, neither the
client nor the link he communicates over should be trusted
unnecessarily.

Received on Friday, 24 February 2012 01:30:21 UTC
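
The server-side recomputation recommended in the thread above, as an added example that is not part of the original messages: a handler that derives the canonical total from validated inputs and treats a submitted `<output>` value as advisory only. The field names (`item`, `qty`, `total`), the catalogue and the sample submissions are assumptions constructed for illustration.

```javascript
// Added example. Field names (item, qty, total) and the catalogue are assumptions.
// Prices live on the server; the client only names an item and a quantity.
const CATALOGUE = new Map([["widget", 1250], ["gadget", 399]]); // cents, constructed

function parseQuantity(raw) {
  // Accept only plain decimal digits, 1..999; reject "1e3", "-1", " 2", "".
  if (typeof raw !== "string" || !/^[0-9]{1,3}$/.test(raw)) return null;
  const n = Number(raw);
  return n >= 1 ? n : null;
}

// body: application/x-www-form-urlencoded string as received from the form.
function processOrder(body) {
  const form = new URLSearchParams(body);
  // Duplicate fields make the submission ambiguous; refuse rather than pick one.
  for (const name of ["item", "qty", "total"]) {
    if (form.getAll(name).length > 1) return { ok: false, error: `duplicate ${name}` };
  }
  const price = CATALOGUE.get(form.get("item"));
  const qty = parseQuantity(form.get("qty"));
  if (price === undefined) return { ok: false, error: "unknown item" };
  if (qty === null) return { ok: false, error: "bad qty" };

  const total = price * qty; // canonical value, computed from validated inputs
  // The submitted <output> value is advisory: compare for logging, never use it.
  const claimed = form.get("total");
  const clientMismatch = claimed !== null && claimed !== String(total);
  return { ok: true, item: form.get("item"), qty, total, clientMismatch };
}

// Constructed submissions: consistent, inconsistent total, no output field, bad qty.
const samples = [
  "item=widget&qty=3&total=3750",
  "item=widget&qty=3&total=1",
  "item=gadget&qty=2",
  "item=widget&qty=1e3&total=0",
];
for (const s of samples) console.log(s, "=>", JSON.stringify(processOrder(s)));
```

The `clientMismatch` flag is useful as a detection signal: a consistent client never trips it, so a mismatch in the logs points at a client bug or a modified submission.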