
The security of the application should never rely on the client-side. If you're using Javascript or similar for authentication, you're doing it wrong.



Not strictly true, most sites rely on the client's cross-domain policy for security. Without it, this site would be able to read your Gmail & Facebook pages. If a user agent came out that had a major x-domain hole, I'd expect data-sensitive sites to block it.

Not that IE fails in this way (and blocking IE in this case is wrong).


+1. Valid point but this is a bit different to what I was referring to and is an insecurity in the browser rather than the application. Still, fair point. I was mainly referring to people validating input only on the client-side, redirecting people away from private parts of the site using JS or meta redirect (last year I had to maintain a site that used this), etc.

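The two anti-patterns named in the comment above, beside their server-side counterparts, as an added example that is not part of the thread. The paths, the session store and the `tok-alice` token are constructed for illustration; the functions model a server's response to a request, not a real HTTP framework.

```javascript
// Added example (not from the HN thread). Constructed data: private paths
// and a token -> user session map.
const PRIVATE_PATHS = new Set(["/account", "/admin"]);
const SESSIONS = new Map([["tok-alice", { user: "alice" }]]);

// Anti-pattern: the server always renders the private page and relies on an
// inline script to bounce anonymous visitors to /login. A client that
// ignores scripts (curl, JS disabled, "view source") still gets the data.
function serveRelyingOnClientRedirect(path, cookieToken) {
  if (!PRIVATE_PATHS.has(path)) return { status: 200, body: "public page" };
  const loggedIn = SESSIONS.has(cookieToken);
  const script = loggedIn ? "" : "<script>location.href='/login'</script>";
  // Secret content is in the body whether or not the visitor is logged in.
  return { status: 200, body: script + "<p>secret: balance 1234</p>" };
}

// Hardened: authorization is decided on the server before any private data
// is placed in the response; an anonymous visitor gets a 302 and no body.
function serveWithServerCheck(path, cookieToken) {
  if (!PRIVATE_PATHS.has(path)) return { status: 200, body: "public page" };
  const session = SESSIONS.get(cookieToken);
  if (!session) return { status: 302, location: "/login", body: "" };
  return { status: 200, body: `<p>secret for ${session.user}</p>` };
}

// Models a client that ignores JavaScript and just reads the body.
function leaksSecret(response) {
  return response.body.includes("secret");
}

// Same principle for input validation: a browser-side check such as
// <input type="number" min="1"> is a convenience, so the server re-validates
// the raw string it actually received (digits only, 1..9999 here).
function validateQuantity(raw) {
  if (typeof raw !== "string" || !/^\d{1,4}$/.test(raw)) {
    return { ok: false, error: "quantity must be an integer 1-9999" };
  }
  const n = Number(raw);
  if (n < 1) return { ok: false, error: "quantity must be an integer 1-9999" };
  return { ok: true, value: n };
}
```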

The user might get the wrong impression that he's being supported when he's not, and go ahead and buy some service that's not going to get support.

At least a big warning is justified.



