|
|
|
|
|
|
by Nextgrid
1569 days ago
|
|
|
This is irrelevant in practice because the SPA's code is also loaded from the server - if the server is malicious it'll just serve you backdoored JS, unless you load from a separate domain and have the main server allow cross-origin requests. If you want to defend against a malicious server you need to make sure your client doesn't load & execute code from said server - it needs to be distributed as a stand-alone application instead of in a browser. |
|
|
Which is the case... app.element.io doesn't host a Matrix server. Servers are completely independent of that.