On Oct 25, 2012, at 9:20 AM, Gary McGath wrote:

> On 10/25/12 7:37 AM, Joe Hourcle wrote:
>
>> You didn't answer the question -- why would you not have some sort of
>> check on the AJAX application (or any application, web or otherwise)
>> to do at least minimal sanity checking on the result of an external
>> call?
>
> Because putting the onus of sanity checking on the web page isn't the
> best solution in this case. Of course, it should be set up to handle
> unexpected results sensibly in any case.

I view it like using JavaScript for form validation -- don't trust it, and still re-do the validation in the backend. If the costs to check tainted inputs are minimal, *do* *it*.

Even when the back-end is well designed, there are enough other things out there that are outside your control.

... like when IE decided to start re-writing 404 and other status pages unless they happened to be at least 1k ... so even when we *were* giving informative messages about what was going on, links to report the problem, etc ... it never made it back to the user.

(and yes, I know, I've officially hit old fogey status by complaining about changes that IE made more than 10 years ago ... I'm also not a fan of the <br> tag ... one of the worst mistakes of HTML+)

But for more recent situations ... mobile browsers w/ spotty reception. Man-in-the-middle attacks ... deep-packet filtering (the firewall doesn't like some phrase used in the response, so replaces the content with a 'blocked' message) ... they may not be common, but they *do* happen.

-Joe
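The "minimal sanity checking on the result of an external call" the thread argues about, as an added example that is not part of the original messages and not code from either poster. It checks an AJAX-style response in four cheap steps (status, Content-Type, parseability, structure) and classifies the failures Joe lists: a filtering middlebox that swaps the body for a 'blocked' HTML notice, a body cut short by a dropped mobile connection, and a plain backend error. The response object layout (`status`, `headers`, `body`), the expected payload shape `{ok, items:[{id, name}]}`, and the sample responses are all constructed assumptions so the check runs offline; the same structural validation should be repeated server-side on anything the page sends back, as the message says.

```javascript
// Added example, not from the original thread. The response layout and the
// expected JSON shape {ok:true, items:[{id:int, name:string}]} are assumptions.

function checkAjaxResponse(res) {
  // 1. Transport status: only 2xx carries the payload the page was written for.
  if (typeof res.status !== 'number' || res.status < 200 || res.status >= 300) {
    return { ok: false, reason: 'http_status', detail: String(res.status) };
  }

  // 2. Content-Type must be what the API promises. A filtering proxy that
  //    replaces the body with a "blocked" page usually still answers 200,
  //    but with text/html instead of JSON.
  const ctype = String((res.headers && res.headers['content-type']) || '').toLowerCase();
  if (!ctype.startsWith('application/json')) {
    return { ok: false, reason: 'content_type', detail: ctype || '(missing)' };
  }

  // 3. The body must actually parse (a truncated transfer fails here).
  let data;
  try {
    data = JSON.parse(res.body);
  } catch (e) {
    return { ok: false, reason: 'not_json', detail: e.message };
  }

  // 4. Structural check: only the fields the page will use, with the types it
  //    expects, copied into a fresh object so unknown fields never reach the UI.
  if (data === null || typeof data !== 'object' || data.ok !== true ||
      !Array.isArray(data.items)) {
    return { ok: false, reason: 'shape', detail: 'missing ok/items' };
  }
  const items = [];
  for (const it of data.items) {
    if (!it || typeof it !== 'object' ||
        !Number.isInteger(it.id) || typeof it.name !== 'string' ||
        it.name.length > 200) {
      return { ok: false, reason: 'shape', detail: 'bad item' };
    }
    items.push({ id: it.id, name: it.name });
  }
  return { ok: true, items };
}

// Constructed sample responses standing in for what XMLHttpRequest or fetch
// would hand back; none of these were captured from a real service.
const SAMPLE_RESPONSES = {
  good: {
    status: 200,
    headers: { 'content-type': 'application/json; charset=utf-8' },
    body: '{"ok":true,"items":[{"id":1,"name":"alpha"},{"id":2,"name":"beta"}]}',
  },
  // Filtering middlebox replaced the body with an HTML notice but kept 200.
  blocked: {
    status: 200,
    headers: { 'content-type': 'text/html' },
    body: '<html><body><h1>Blocked</h1>This content has been blocked.</body></html>',
  },
  // Connection dropped mid-transfer: JSON body cut short.
  truncated: {
    status: 200,
    headers: { 'content-type': 'application/json' },
    body: '{"ok":true,"items":[{"id":1,"na',
  },
  // Backend error page with the right status code.
  notFound: {
    status: 404,
    headers: { 'content-type': 'text/html' },
    body: '<html><body>Not found. Report this at /contact</body></html>',
  },
  // Valid JSON of the right type, but not the structure the page expects.
  wrongShape: {
    status: 200,
    headers: { 'content-type': 'application/json' },
    body: '{"ok":true,"items":[{"id":"x","name":42}]}',
  },
};

// Runs every sample through the check and returns the classification of each.
function checkAllSamples() {
  const out = {};
  for (const name of Object.keys(SAMPLE_RESPONSES)) {
    out[name] = checkAjaxResponse(SAMPLE_RESPONSES[name]);
  }
  return out;
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(checkAllSamples(), null, 2));
}
```

Each step costs a few comparisons, which is the "minimal cost" case in the message; the value is that the page degrades to a specific error ("response was not JSON") rather than rendering a 'blocked' notice or a half-parsed object as if it were data. Copying only the known fields into a new object is what keeps the client-side check from becoming a false sense of safety: whatever extra the middlebox or a tampering party added never reaches the rendering code.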