by aeorgnoieang 1811 days ago
Sure!

I'm guessing we have different 'threat models' in mind.

From my perspective, I know _I_ am a moral and ethical person and therefore won't "execute an action against the user's will".

But, also from my perspective, even if "that action is allowed according to the user's credentials", I can't tell, and thus my server-side code can't tell, that a 'user' is a real person or even a legitimate user of my site or app.

The comment I was replying to claimed that "The user agent ... is not enemy territory."

But what came to my mind on reading that was that user agents also (commonly) perform 'card testing' and 'credential stuffing' and, even if I trust that I can securely give them access to my front-end/client-side code, I have no way to know whether they're running that code. And, even if they're running my code, there's _still_ room for malicious or nefarious action on their part.

I was NOT disagreeing with this (in the comment to which I was replying):

> Yes, the server must assume that enemy agents also exist. But it should better not deliver one to all users.


I tried to get either of these two to be clear about how precisely this attack works but they reply only with word salad and non-sequiturs (true but irrelevant statements like "one should not deliver enemy agents to users"). I think neither can offer actual code that demonstrates the problem. Given their assertion that "the user agent is not enemy territory because it runs code from your server" I think they're maybe very young or new coders.