vgs_rss wrote,
@ 2007-04-05 00:03:00
Towards Secure Ajax Mashups
23:27 03.04.2007

Ajax pioneer Brent Ashley has written a developerWorks article about making Ajax mashups secure. It looks at where things stand today and where they are headed.

He begins by surveying current techniques for calling external servers, such as the popular On-Demand JavaScript technique, which has well-known security issues.

The scalability benefit of the <script> tag comes at the cost of sidestepping the Same Origin Policy security model, introducing potential attack vulnerabilities:

  • Cross-site cookie access becomes possible: Scripts from one site can access cookies from another site.
  • There is no opportunity to inspect the retrieved code for safety issues before running it: The code runs immediately upon loading.

One short-term solution is the following IFrame fragment identifier hack.

A more recently developed content-retrieval technique employs communication between a page’s script and a hidden iframe through its src URL’s fragment identifier (the part of the URL that comes after the # sign). Scripts in the parent page and embedded iframe can set each other’s fragment identifiers despite coming from different origins. An agreed-upon communication protocol is maintained between the scripts, driven by JavaScript timers that periodically fire routines to check for changes in the fragment identifier.
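The fragment-identifier exchange described above, as an added example that is not from the original post or from Brent’s article: each side writes `#seq:payload` into the other window’s hash and a timer-driven `poll()` reads its own. The window objects are stubs so the code runs outside a browser, and the wire format, class name and `type` field are assumptions; because any script with a window reference can write the fragment, the receiver parses with `JSON.parse` and checks the shape instead of executing what it finds.

```javascript
// Stub standing in for a browser window: only `location.hash` is used,
// so the example runs under Node as well as in a page.
function makeWindowStub() {
  return { location: { hash: '' } };
}

class FragmentChannel {
  // `outbound`: the window whose hash we write (the iframe, seen from the parent)
  // `inbound`:  the window whose hash we read (our own window)
  constructor(outbound, inbound) {
    this.outbound = outbound;
    this.inbound = inbound;
    this.seq = 0;       // messages sent so far
    this.lastSeen = -1; // highest sequence number received
  }

  // Wire format (an assumption, not the article's): "#<seq>:<url-encoded JSON>".
  // The sequence number lets the receiver notice a new message even when
  // two consecutive payloads are identical.
  send(msg) {
    this.seq += 1;
    this.outbound.location.hash =
      '#' + this.seq + ':' + encodeURIComponent(JSON.stringify(msg));
  }

  // Fired from a JavaScript timer in the browser (setInterval). Returns the
  // decoded message if the fragment changed since the last poll, else null.
  // Any script holding a reference to the window can write its fragment, so
  // the payload is untrusted: JSON.parse rather than eval, and the shape is
  // checked before the message is handed to application code.
  poll() {
    const m = /^#(\d+):(.*)$/.exec(this.inbound.location.hash);
    if (!m) return null;
    const seq = Number(m[1]);
    if (seq <= this.lastSeen) return null;
    this.lastSeen = seq;
    let msg;
    try {
      msg = JSON.parse(decodeURIComponent(m[2]));
    } catch (e) {
      return null; // malformed payload: drop it rather than act on it
    }
    if (msg === null || typeof msg !== 'object' || typeof msg.type !== 'string') {
      return null; // unexpected shape
    }
    return msg;
  }
}
```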

We’ll hopefully see more flexible, purpose-built solutions in the future, and Brent’s article summarizes the proposals under discussion: JSONRequest, the <module> tag, the content restrictions header, the W3C Access Control List (ACL) System, and Cross-browser.xml.

With all these facilities potentially in the pipeline, one can only hope there will be a clear winner that works in all major browsers, or at least enough overlap that the Ajax libs can provide a straightforward abstraction!


Read more at Ajaxian


