On Feb 24, 2012, at 12:18 AM, Michael Gratton wrote:
But in general, I recommend against this. Anything that can be computed
should be computed on the server to obtain the canonical value, otherwise
you open yourself up to attackers sending you inconsistent data.

While for applications where trust is an issue one clearly needs to
check calculations server-side, when it is not, however, this would be a
welcome addition.

The principle of least authority applies. In general, neither the
client nor the link he communicates over should be trusted
unnecessarily.