I’ve only wrote for game development, so I can only understand the basic client-server model.
To prevent hackers from causing damage or giving themselves an unfair advantage, the server should assume that any data sent from the client is intentionally malicious, and should perform validity checks everywhere. There should be some input/logic checks on the client, but validity checks aren’t necessary an exploiter would have full control of their client anyways.
In web design, I heard that eval() would run the code in a local scope (on the client) as the webpage is deployed on the client, not on the server.
Thus, is my understanding that eval() can be freely (ignoring logic checks/input processing) used on web pages correct? (I haven’t gotten to the backend development challenges)
I wouldn’t say it can be “freely used on web pages”.
It can be used when you have 100% control of the code it runs, you have a good reason to use it, and you do not have better alternatives.
I’m not sure what you mean by this. A web page runs on a web server. Sure it serves the code to the client and it may not have any server-side code, but it is still served from a server. But if it only has client-side code and doesn’t interact with anything external then whatever security vulnerability the code might have are not likely to affect the user, other users, or the service provider.
The word deploy is used to describe the initial deployment to the service that will serve the client. You deploy to a server/backend/service and you serve it to the client. Sure you might say the service deploys it to the client but that is usually not how it is worded.
But yes, client-side code runs on the client as the name suggests.
