BlogMatrix
 

Secure AJAX

David P. Janes 2007-04-13 12:23 UTC

Toronto's Brent Ashley has an article at IBM developerWorks, "Shaping the future of secure Ajax mashups", which covers the vulnerabilities of various AJAX techniques and, most interestingly, discusses proposals for overcoming them properly:

  • JSONRequest proposal: Browsers implement a new object that acts much like the existing XMLHttp object with several modifications:
    • JSONRequest would be exempt from the Same Origin Policy.
    • A minimal set of HTTP headers would be used, reducing the overall size of requests.
    • No cookies would be transferred, ensuring that cross-site cookie issues are avoided.
    • JSONRequest would accept only valid JSON text, which would ensure that raw executable code could not be sent for execution.
    • After a communication failure, random delays are introduced before retry to frustrate certain classes of attacks.
    • Each request would return a sequence identifier, allowing asynchronous responses to be associated easily with their original requests.
    • Specific support for duplex connections would enable the server to asynchronously initiate communications through an open communications channel.
  • <module> tag proposal: A new HTML tag partitions a page into a collection of modules that are secure from each other but can communicate safely:
    • The <module> tag would be able to access third-party resources, exempt from Same Origin Policy.
    • Cooperative communication between page and module would be available only through specific interfaces. Modules would not be able to communicate with each other -- only with the page. A page can choose to facilitate communication between modules.
    • Communication would be restricted to valid JSON text, in contrast to communicating JavaScript objects, which could possibly cause security leakage through attached code.
    • Restrictions are proposed to ensure that modules and pages cannot interfere with one another's display, causing security issues.
  • Content restrictions header: Gervase Markham proposes a content restrictions header specification that would allow authors to express their full intent on how their content should interact with content from other sites. A compliant implementation would submit a content restrictions header containing a policy string.
  • W3C Access Control List (ACL) System: The W3C ACL System could be used as a model for an ACL-based system to govern access to HTTP-served resources in Ajax mashups.
  • Cross-domain.xml: Flash objects look for a file called cross-domain.xml on the server before they attempt to access their specified URL. This file specifies which sites can host applications that access the services provided on that server. Many Web service providers already implement this file.
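
An added JavaScript sketch (not code from the article or from any browser) of the JSONRequest properties in the first proposal above: no cookies, minimal headers, JSON-only responses, a random delay before retry, and a sequence identifier per request. The names `createJsonRequester`, `transport` and `schedule`, the retry count, the delay range and the canned responses are assumptions made for the example.

```javascript
// Hypothetical model of the JSONRequest rules over an injected transport.
function createJsonRequester(transport, schedule = setTimeout, random = Math.random) {
  let serial = 0;

  // Only strict JSON text is accepted; script source is rejected, never run.
  function decode(body) {
    try {
      return { value: JSON.parse(body) };
    } catch (err) {
      return { error: 'response is not valid JSON text' };
    }
  }

  function get(url, done, retriesLeft = 2, id = ++serial) {
    // Minimal headers, and credentials omitted so no cookies ride along.
    const request = { url, method: 'GET', headers: { Accept: 'application/json' }, credentials: 'omit' };
    transport(request, (failure, body) => {
      if (failure && retriesLeft > 0) {
        // Random delay before the retry (500-1500 ms is an assumed range).
        const delayMs = 500 + Math.floor(random() * 1000);
        schedule(() => get(url, done, retriesLeft - 1, id), delayMs);
        return;
      }
      if (failure) return done(id, undefined, failure);
      const { value, error } = decode(body);
      done(id, value, error);
    });
    return id; // sequence identifier ties the async response to this call
  }

  return { get };
}

// Constructed transport: fails once, then serves canned response bodies.
function demo() {
  const bodies = { '/ok': '{"user":"alice"}', '/script': 'alert("not data")' };
  const seen = [], delays = [], results = [];
  let failNext = true;
  const transport = (req, cb) => {
    seen.push(req);
    if (failNext) { failNext = false; return cb('network error'); }
    cb(null, bodies[req.url]);
  };
  const schedule = (fn, ms) => { delays.push(ms); fn(); };
  const jr = createJsonRequester(transport, schedule, () => 0.5);
  const record = (id, value, error) => results.push({ id, value, error });
  const ids = [jr.get('/ok', record), jr.get('/script', record)];
  return { ids, seen, delays, results };
}
```

The response that is script source rather than JSON reaches the callback only as an error, so the caller has nothing to evaluate.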

Dojo 0.4 released

David P. Janes 2006-10-26 10:30 UTC

Via Ajaxian, Dojo 0.4 (cross-browser AJAX/JavaScript libraries) has been released. I'll steal some of Ajaxian's point-form list of updates:

  • dojo.charting: A charting engine to implement a variety of chart types using vector graphics
  • dojo.gfx: a 2D vector graphics API which renders natively to browsers as SVG or VML
  • dojo.i18n: a follow-on to the translation support in 0.3.1, there is now build support for collecting localized resources in a single file as well as support for localized date and time formatting. More formatting types and more localization to come in 0.5.
  • dojo.widget: new widgets like Clock, FilteringTable, ProgressBar, plus enhancements to Editor2 and the AccordionContainer. Also localization of some widgets, such as DatePicker.

The charting and 2D stuff look really neat and useful.