The whole AJAX thing is based on a what I remember being, at first, a proprietary Microsoft extension; XMLHttpRequest(). This certainly has inherent security issues (e.g. http://en.wikipedia.org/wiki/XMLHttpRequest#Security) that need to be addressed more closely by the browser manufacturers who implemented this extension without first extensively testing it’s security implications. Microsoft has always been prone to commit “oopsy!” style programming mistakes (or rather not always seeing things from the “dark side” when necessary) so this would have been where I would have focused my own R&D before adding this new functionality to my browser’s code base. I have to agree with GateKeeper’s comment regarding “Security by obscurity” in that ignoring things won’t make them better. We need to be really aware of the pitfalls any time we do things online; no-brainer. But we all love how these zippy new sites function; catch-22.

What I feel needs to be discussed is that the average user needs to be made aware of the issues and/or the browser companies need to re-think how we are trying to use their products today. Or…we could all just ask W3C to re-write HTTP as a stateful protocol using encrypted keys. Nah, it would never work, right? ;-)

I’m looking for a South American travel partner, for a very short trip in the very near future. Interested?

I doubt most developers would be able to securely handle a DOM in their chosen language (C++, Python, or whatever it might be) without a good dose of training and sensitisation to the issues.

Good web developers learn the parameters of their craft and learn how to handle their tools skilfully. JavaScript is not a trojan, it’s the equivalent of a carpenter’s electric saw: an indispensable tool in the hands of a professional, but quite capable of amputating careless amateurs.

Initially Javascript (or Live Script, for us old-timers) was quite innocuous and powerless: “wow, rollover!”. IE 3, and the connection to the Windows OCXs and the like were a wake up call, probably only now dealt with in successful manner with myriad security settings on the browser. AJAX itself also relies heavily on using making HTTP requests — loading data, holding state, etc, all necessary for application-like functionality. The potential for abuse is, in theory, there — but not readily available, in my mind. Yes, I’ve tried. For research. Just for research.

The real threats end up being stupid people falling to stupid tricks out of greed — installing zombie software that promises of free anything that sends data back to a central server, or SPAMs the internet. And Sony distributing rootkits in the name of DRM and marketing. So, yeah, stupid corporations, too….hmm. Maybe we are doomed.

Personally, I like javascript and I enjoy the power that it has over browser and form objects, etc. I’ve done a lot of projects that just couldn’t have been done feasibly without client-side scripting. I push the limits of it a lot and I’m still impressed with what others are able to do with it.

So my stance on it is, if you’re going to surf the web, you’re going to run the risk of coming across something you don’t want. So if you’re scared of a virus, a naked boob or Nigerian Princes needing your financial help, then log out.

Sure, javascript could be looked at as some kind of ‘Trojan Horse’ or malicious programming language. One may say to excercise caution when visiting sites that you’re really not sure about - but then no one would go anywhere on the web. Most browsers incorporate security features which do not allow javascript to directly access your machine. Example - you can not show an image preview to any user who is uploading an image, before they upload it. This is because (at least in FF) the browser does not allow javascript access to things on the local machine like that. So, like you would with your anti-virus clients, keep your web browsers up to date to protect yourself from a malicious security hole which exists.

Enough of my rambling, the world is going to come to an end.