I have a coding whiz as a colleague on some freelance assignments and he not only codes well, but also plays great badminton and sometimes seems ultra cautious (and here is someone who would agree). The other day we were discussing the use of AJAX for some local web page activities, and Paulo would have none of it. I said to Paulo: "You use GMail and JotSpot and really like both. And you and I know that both use AJAX big time in their implementations – so how can you now think of rejecting AJAX for our small app, which will not even be external customer facing?" Paulo's reply was that AJAX was security immature and that unless you get AJAX code from a trusted source like Google or JotSpot (now a part of Google), you run a security risk.
In general, this problem is also present in AJAX's RIA competitor Flash, because ActionScript versions 1, 2 and 3 borrowed the same prototype semantics and retained them throughout. Now some may argue that Flash is less vulnerable to prototype contamination because the Flash .swf container is "compiled code" with container hashes for added protection. However, ghosting and dynamic loading of Flash .swf files do present opportunities for "exact substitution" by malevolent hackers.
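The prototype contamination risk just described, as an added example that is not from the original post: a small JavaScript routine (an assumed design; names such as `snapshotPrototypes` and `hardenPrototypes` are mine) that records the native built-in methods before a third-party AJAX library loads, reports any that were rewritten afterwards, and then locks them so later scripts cannot replace them.

```javascript
// Added example (not from the original post): a defender-side check for the
// "prototype contamination" risk the post raises: snapshot native built-in methods
// before any third-party AJAX library loads, compare afterwards, then lock them.

// Built-in prototype methods that application code silently relies on.
const WATCHED = [
  [Object.prototype, 'Object', ['hasOwnProperty', 'toString']],
  [Array.prototype, 'Array', ['push', 'map', 'join']],
];

// Record the current implementation of each watched method.
function snapshotPrototypes() {
  const snap = new Map();
  for (const [proto, label, names] of WATCHED) {
    for (const name of names) snap.set(`${label}.prototype.${name}`, proto[name]);
  }
  return snap;
}

// Return the names of watched methods that no longer match the snapshot.
function findContaminated(snap) {
  const hits = [];
  for (const [proto, label, names] of WATCHED) {
    for (const name of names) {
      const key = `${label}.prototype.${name}`;
      if (proto[name] !== snap.get(key)) hits.push(key);
    }
  }
  return hits;
}

// Make the watched methods non-writable and non-configurable.
function hardenPrototypes() {
  for (const [proto, , names] of WATCHED) {
    for (const name of names) Object.defineProperty(proto, name, { value: proto[name], writable: false, configurable: false });
  }
}

// Demo: simulate a loaded script that rewrites Array.prototype.join, detect it,
// restore the native method, then harden and confirm a second rewrite has no effect.
function demo() {
  const snap = snapshotPrototypes();
  const nativeJoin = Array.prototype.join;
  Array.prototype.join = function () { return 'tampered'; };  // simulated untrusted library
  const detected = findContaminated(snap);
  Array.prototype.join = nativeJoin;                          // restore before hardening
  hardenPrototypes();
  try { Array.prototype.join = function () { return 'again'; }; } catch (e) { /* strict mode throws here */ }
  return { detected, stillNative: Array.prototype.join === nativeJoin };
}
```

Calling `demo()` returns `{ detected: ['Array.prototype.join'], stillNative: true }`; in a real page the snapshot would be taken in an inline script before any external AJAX library is included.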
Now, just as an aside for Java-based RIA aficionados like Droplets and Nexaweb, Java does not have this same problem. And as for Paulo, he was doubly right. Other freelancers came in recently on "our" project, and they have implemented external, server-based routines using AJAX.