Since none of the authors have answered this yet, I thought that I would say something, since this is a rather big topic.
People think Ajax is this new big security threat. When you stand back and look at an Ajax application, you have a form submission to the server. The server has no clue what in the world it is interacting with. There is no special "Hey, I am Ajax" boolean (unless you coded one in the header!).
The last is "my business logic is out in the open." WHY did YOU put it there, then? Do you put your business logic for the post-back model on the client too? So what in the world changed? If security is a BIG deal, then use the client as the "visual rendering" part of the application.
I am working on a large article that covers these topics in detail. We will see if it ever reaches the light of day since I am busy as can be lately.
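As an added illustration of the point above (not code from any poster in this thread): a server-side handler that treats a classic form POST and an XMLHttpRequest POST identically, keeps the pricing logic on the server, and records the optional "I am Ajax" header only for logging. The header name, the price list and the two sample requests are constructed for this example.

```javascript
// Server-side source of truth for prices; the client only renders it.
const PRICES = { widget: 10, gadget: 25 };

// Both a plain form submit and an XHR POST arrive as a urlencoded body.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// The only thing that could mark a request as Ajax is a header the client
// itself chose to send (constructed name); it can be absent or forged at will.
function isMarkedAsAjax(headers) {
  return (headers["x-requested-with"] || "").toLowerCase() === "xmlhttprequest";
}

// Business logic lives here. The client-supplied "total" is ignored and
// recomputed from the server's own price list, whatever submitted the form.
function handleOrder(req) {
  const fields = parseForm(req.body);
  const qty = Number.parseInt(fields.qty, 10);
  const known = Object.prototype.hasOwnProperty.call(PRICES, fields.item);
  if (!known || !Number.isInteger(qty) || qty < 1 || qty > 100) {
    return { status: 400, error: "invalid item or quantity" };
  }
  const total = PRICES[fields.item] * qty;
  return {
    status: 200,
    total,
    // Informational only: never used for authorization or pricing decisions.
    viaAjaxHeader: isMarkedAsAjax(req.headers),
    // Worth logging: the client tried to send its own total.
    clientTotalMismatch: fields.total !== undefined && Number(fields.total) !== total,
  };
}

// Constructed sample requests: the same tampered body sent as a form POST and
// as an XHR POST. The server answers both the same way.
const formPost = {
  headers: { "content-type": "application/x-www-form-urlencoded" },
  body: "item=gadget&qty=3&total=1",
};
const xhrPost = {
  headers: { "content-type": "application/x-www-form-urlencoded",
             "x-requested-with": "XMLHttpRequest" },
  body: "item=gadget&qty=3&total=1",
};
```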
As Eric stated in the previous post, there are no new security threats introduced by Ajax. As the XMLHttpRequest object (the core of AJAX) has existed since 1999, we can say that the security has been around for 7 years now. And nobody has really complained about it. Some of us have used OWA (Outlook Web Access) and didn't complain about security threats. Well, OWA has been using the XMLHttpRequest object, and thus AJAX, since the beginning.
Here is an excerpt from the book about this topic:
I hope that this answer along with Eric's answer give you an idea on how AJAX is handled in security scenarios.
Thanks for the responses! The Mozilla script information was very interesting.
It makes sense that the familiar web security issues apply to AJAX since all it is doing is sending more HTTP requests. Since there are more, there could be more targets that are potentially vulnerable to the same old issues, but not more issues.
My final question is: the Mozilla information you linked to about script security made me wonder if Ajax apps will ask the end user to be more and more trusting... From that page, it looks like there could be more steps of asking the end user to allow scripts to do this and that. Do you guys see a slide here into asking the end user to agree to ease up too much? Perhaps the answer is yes, but not from Ajax apps.