We had to deal with this in reverse: we had a form that depending on what you fill in and the settings doesn't show some options.
The browser was submitting the form with auto-fill details that failed the validation checks for those fields. Hard to show an error message for fields the user can't see.
Yes, it is more robust to have code on the server side discard input that isn't expected rather than validate it, but it annoying extra work when those fields have no security impact.
The alternative is to tell the browser not to auto-fill those fields, but doing that feels broken too.
Just pretty difficult to ensure a field really is visible to the user, the problem is it'll always have some weaknesses and those who would abuse it will find those weaknesses
The browser was submitting the form with auto-fill details that failed the validation checks for those fields. Hard to show an error message for fields the user can't see.
Yes, it is more robust to have code on the server side discard input that isn't expected rather than validate it, but it annoying extra work when those fields have no security impact.
The alternative is to tell the browser not to auto-fill those fields, but doing that feels broken too.