On Tuesday, October 25, 2016 at 8:08:11 AM UTC+1, Peter Damoc wrote:
> Browsers can provide a trusted environment through the use of https. This
> is what Gmail and Facebook and all other webapps are doing.

What I mean is, there is nothing to stop whoever is running your application from subverting it. In the browser, there are even a lot of things you can do with the JavaScript console. If your 'persistence API' requires the application to behave correctly in order to not store invalid or maliciously altered data, you cannot guarantee that.

This is one very good reason why business logic is typically implemented on the server behind an API that only provides the specific operations that a user is allowed to perform, whether they perform them through your application or otherwise.

You can use secure cookies with HTTPS. There is nothing to stop someone using a hacked version of the browser that lets them get the secure cookie in order to make malicious calls to your API.
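
The contrast drawn in the message above, as an added example that is not part of the original thread: a generic persistence endpoint that trusts client-computed state, beside a narrow server-side operation that enforces the rule itself. The in-memory store, the function names (`makeStore`, `saveState`, `transfer`) and the requests are all constructed for illustration.

```javascript
// Added example: a constructed in-memory "server", not code from the thread.
// All names here are hypothetical.
function makeStore() {
  return { accounts: new Map([["alice", { balance: 100 }], ["bob", { balance: 50 }]]) };
}

// Design A: generic persistence endpoint. The server stores whatever state the
// client computed, so every business rule lives in code the user controls.
function saveState(store, session, clientState) {
  store.accounts.set(session.user, clientState); // no server-side checks
  return { ok: true };
}

// Design B: one narrow operation. The actor comes from the authenticated
// session, the input is validated, and the server enforces the invariant.
function transfer(store, session, request) {
  const from = store.accounts.get(session.user);
  const to = store.accounts.get(request.to);
  const amount = request.amount;
  if (!from || !to || request.to === session.user) return { ok: false, error: "invalid account" };
  if (!Number.isInteger(amount) || amount <= 0) return { ok: false, error: "invalid amount" };
  if (amount > from.balance) return { ok: false, error: "insufficient funds" };
  from.balance -= amount;
  to.balance += amount;
  return { ok: true };
}

// Constructed requests: what a well-behaved client sends, and what can arrive
// when the client code has been altered or the API is called directly.
function demo() {
  const a = makeStore();
  saveState(a, { user: "alice" }, { balance: 1000000 }); // stored as-is

  const b = makeStore();
  const alice = { user: "alice" };
  const results = [
    transfer(b, alice, { to: "bob", amount: 30 }),      // legitimate
    transfer(b, alice, { to: "bob", amount: -500 }),    // altered amount
    transfer(b, alice, { to: "bob", amount: 1000000 }), // exceeds balance
  ];
  return {
    naiveBalance: a.accounts.get("alice").balance,
    results,
    aliceBalance: b.accounts.get("alice").balance,
    bobBalance: b.accounts.get("bob").balance,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In Design B a caller holding a valid session can still only perform transfers that the rules allow for that account, regardless of which client sent the request.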
