[e] (0) Mention that client-side validation is not secure.

git-svn-id: http://svn.whatwg.org/webapps@2375 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Oct 28, 2008 · 5ec85b8 · 5ec85b8
1 parent f687e5c
commit 5ec85b8
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 11 deletions.
diff --git a/index b/index
@@ -555,7 +555,8 @@
       <ol>
        <li><a href=#definitions><span class=secno>4.10.14.1 </span>Definitions</a></li>
        <li><a href=#constraint-validation><span class=secno>4.10.14.2 </span>Constraint validation</a></li>
-       <li><a href=#the-constraint-validation-api><span class=secno>4.10.14.3 </span>The constraint validation API</a></ol></li>
+       <li><a href=#the-constraint-validation-api><span class=secno>4.10.14.3 </span>The constraint validation API</a></li>
+       <li><a href=#security-0><span class=secno>4.10.14.4 </span>Security</a></ol></li>
      <li><a href=#form-submission-0><span class=secno>4.10.15 </span>Form submission</a>
       <ol>
        <li><a href=#url-encoded-form-data><span class=secno>4.10.15.1 </span>URL-encoded form data</a></li>
@@ -616,12 +617,12 @@
       <ol>
        <li><a href=#navigating-auxiliary-browsing-contexts-in-the-dom><span class=secno>5.1.2.1 </span>Navigating auxiliary browsing contexts in the DOM</a></ol></li>
      <li><a href=#secondary-browsing-contexts><span class=secno>5.1.3 </span>Secondary browsing contexts</a></li>
-     <li><a href=#security-0><span class=secno>5.1.4 </span>Security</a></li>
+     <li><a href=#security-1><span class=secno>5.1.4 </span>Security</a></li>
      <li><a href=#groupings-of-browsing-contexts><span class=secno>5.1.5 </span>Groupings of browsing contexts</a></li>
      <li><a href=#browsing-context-names><span class=secno>5.1.6 </span>Browsing context names</a></ol></li>
    <li><a href=#the-default-view><span class=secno>5.2 </span>The default view</a>
     <ol>
-     <li><a href=#security-1><span class=secno>5.2.1 </span>Security</a></li>
+     <li><a href=#security-2><span class=secno>5.2.1 </span>Security</a></li>
      <li><a href=#apis-for-creating-and-navigating-browsing-contexts-by-name><span class=secno>5.2.2 </span>APIs for creating and navigating browsing contexts by name</a></li>
      <li><a href=#accessing-other-browsing-contexts><span class=secno>5.2.3 </span>Accessing other browsing contexts</a></ol></li>
    <li><a href=#origin><span class=secno>5.3 </span>Origin</a>
@@ -677,7 +678,7 @@
      <li><a href=#activating-state-object-entries><span class=secno>5.8.3 </span>Activating state object entries</a></li>
      <li><a href=#the-location-interface><span class=secno>5.8.4 </span>The <code>Location</code> interface</a>
       <ol>
-       <li><a href=#security-2><span class=secno>5.8.4.1 </span>Security</a></ol></li>
+       <li><a href=#security-3><span class=secno>5.8.4.1 </span>Security</a></ol></li>
      <li><a href=#history-notes><span class=secno>5.8.5 </span>Implementation notes for session history</a></ol></li>
    <li><a href=#browsing-the-web><span class=secno>5.9 </span>Browsing the Web</a>
     <ol>
@@ -716,7 +717,7 @@
       <ol>
        <li><a href=#user-tracking><span class=secno>5.10.4.1 </span>User tracking</a></li>
        <li><a href=#cookie-resurrection><span class=secno>5.10.4.2 </span>Cookie resurrection</a></ol></li>
-     <li><a href=#security-3><span class=secno>5.10.5 </span>Security</a>
+     <li><a href=#security-4><span class=secno>5.10.5 </span>Security</a>
       <ol>
        <li><a href=#dns-spoofing-attacks><span class=secno>5.10.5.1 </span>DNS spoofing attacks</a></li>
        <li><a href=#cross-directory-attacks><span class=secno>5.10.5.2 </span>Cross-directory attacks</a></li>
@@ -836,7 +837,7 @@
    <li><a href=#crossDocumentMessages><span class=secno>7.4 </span>Cross-document messaging</a>
     <ol>
      <li><a href=#introduction-4><span class=secno>7.4.1 </span>Introduction</a></li>
-     <li><a href=#security-4><span class=secno>7.4.2 </span>Security</a>
+     <li><a href=#security-5><span class=secno>7.4.2 </span>Security</a>
       <ol>
        <li><a href=#authors><span class=secno>7.4.2.1 </span>Authors</a></li>
        <li><a href=#user-agents><span class=secno>7.4.2.2 </span>User agents</a></ol></li>
@@ -27796,6 +27797,18 @@ interface <dfn id=htmloptionelement>HTMLOptionElement</dfn> : <a href=#htmleleme
 
 
 
+  <h5 id=security-0><span class=secno>4.10.14.4 </span>Security</h5>
+
+  <p>Servers should not rely on client-side validation. Client-side
+  validation can be intentionally bypassed by hostile users, and
+  unintentionally bypassed by users of older user agents or automated
+  tools that do not implement these features. The constraint
+  validation features are only intended to improve the user
+  experience, not to provide any kind of security mechanism.</p>
+
+
+
+
 
   <h4 id=form-submission-0><span class=secno>4.10.15 </span>Form submission</h4>
 
@@ -28484,6 +28497,7 @@ interface <dfn id=htmloptionelement>HTMLOptionElement</dfn> : <a href=#htmleleme
 
 
 
+
   <h3 id=interactive-elements><span class=secno>4.11 </span>Interactive elements</h3>
 
   <h4 id=the-details-element><span class=secno>4.11.1 </span>The <dfn><code>details</code></dfn> element</h4>
@@ -31509,7 +31523,7 @@ menu li:not(:first-child)::before { content: ' | '; }</pre>
   the user agent's interface, apart from the main content area.</p>
 
 
-  <h4 id=security-0><span class=secno>5.1.4 </span>Security</h4>
+  <h4 id=security-1><span class=secno>5.1.4 </span>Security</h4>
 
   <p>A <a href=#browsing-context>browsing context</a> <var title="">A</var> is
   <dfn id=allowed-to-navigate>allowed to navigate</dfn> a second <a href=#browsing-context>browsing
@@ -31791,7 +31805,7 @@ menu li:not(:first-child)::before { content: ' | '; }</pre>
 
 
 
-  <h4 id=security-1><span class=secno>5.2.1 </span>Security</h4>
+  <h4 id=security-2><span class=secno>5.2.1 </span>Security</h4>
 
   <p>User agents must raise a <a href=#security-exception>security exception</a> whenever
   any of the members of a <code><a href=#window>Window</a></code> object are accessed by
@@ -35831,7 +35845,7 @@ reload on shared Document updates all of them
 user reload must be equivalent to .reload()
 -->
 
-  <h5 id=security-2><span class=secno>5.8.4.1 </span>Security</h5>
+  <h5 id=security-3><span class=secno>5.8.4.1 </span>Security</h5>
 
   <p>User agents must raise a <a href=#security-exception>security exception</a> whenever
   any of the members of a <code><a href=#location>Location</a></code> object are accessed by
@@ -37630,7 +37644,7 @@ interface <dfn id=sqlstatementerrorcallback>SQLStatementErrorCallback</dfn> {
   privacy.</p>
 
 
-  <h4 id=security-3><span class=secno>5.10.5 </span>Security</h4>
+  <h4 id=security-4><span class=secno>5.10.5 </span>Security</h4>
 
   <h5 id=dns-spoofing-attacks><span class=secno>5.10.5.1 </span>DNS spoofing attacks</h5>
 
@@ -42717,7 +42731,7 @@ function receiver(e) {
   </div>
 
 
-  <h4 id=security-4><span class=secno>7.4.2 </span>Security</h4>
+  <h4 id=security-5><span class=secno>7.4.2 </span>Security</h4>
 
   <h5 id=authors><span class=secno>7.4.2.1 </span>Authors</h5>
 

diff --git a/source b/source
@@ -31272,6 +31272,18 @@ interface <dfn>HTMLOptionElement</dfn> : <span>HTMLElement</span> {
 
 
 
+  <h5>Security</h5>
+
+  <p>Servers should not rely on client-side validation. Client-side
+  validation can be intentionally bypassed by hostile users, and
+  unintentionally bypassed by users of older user agents or automated
+  tools that do not implement these features. The constraint
+  validation features are only intended to improve the user
+  experience, not to provide any kind of security mechanism.</p>
+
+
+
+
 
   <h4>Form submission</h4>
 
@@ -32150,6 +32162,7 @@ interface <dfn>HTMLOptionElement</dfn> : <span>HTMLElement</span> {
 
 
 
+
   <h3 id="interactive-elements">Interactive elements</h3>
 
   <h4>The <dfn><code>details</code></dfn> element</h4>