| ▲ | chr15m 3 days ago | |
> the code which implements a client-side web application is distributed by the given website Incorrect, and trivially falsifiable. Examples: - Self hosting, where you control both client and server. - Loading a web app from file:/// - Loading a web app from localhost. The author's "no exceptions" is simply wrong. The author also seems to assume the same server is required to both serve the code and store/transmit encrypted messages which obviously isn't the case. In addition the statements about service workers are ignorant. The rest of the analysis is largely correct and the threat outlined (where somebody can replace your client) is a serious one that many underestimate. In particular the proprietary native mobile app model is vulnerable to this, as mentioned. | ||