Using the XMLHttpRequest object to submit information to the server certainly opens up another avenue that must be evaluated from a security standpoint.
In ASP.NET, for example, it takes us out of the postback model we have had to get used to.
In an interview, Eric Pascarello (author of "Ajax in Action") discusses the still-unresolved problems of JavaScript vulnerability:
People say this is so horrible that someone can take over this request so easily. But these people need to realize that the XMLHttpRequest is nothing more than a normal form submission. You can picture it as a form being submitted in another frame. Act like there are form tags and hidden text fields on the page. With a view source of any normal HTML form, we can grab the element names and see the parameters being sent to the server. We can look at the action attribute and see where we are submitting the data. So just like how we can see the XMLHttpRequest object, we can see the same thing on any Web page.
Pascarello: Ajax does bring in a new threat to security that a developer may not realize
Pascarello's Rules of Thumb for Ajax Security:
- If you use user authentication, make sure you check for it on the request page!
- Check for SQL injections.
- Check for JavaScript injections.
- Keep the business logic on the server!
- Don't assume every request is real!
- Check the data with validation!
- Look at the request's header information and make sure it is correct.
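As an added illustration of the rules above (this is example code, not from the post or from Pascarello's book), here is a server-side handler that treats an XMLHttpRequest exactly like a normal form submission: the request, session and header shapes are assumed plain objects, and the site origin is an assumed placeholder.

```javascript
// Added example: a server-side gate applying the rules of thumb to an Ajax POST.
// `req` is a constructed plain object, not a real framework's request type.

const ALLOWED_ORIGIN = "https://app.example.test"; // assumed site origin

// Rule: check authentication on the request page, not only on the page that loaded the script.
function isAuthenticated(req) {
  return req.session !== null && typeof req.session === "object" &&
    typeof req.session.userId === "string";
}

// Rule: look at the header information. Our own Ajax call sends JSON from our origin;
// anything else is treated as an untrusted submission (this is not a substitute for a CSRF token).
function headersLookRight(req) {
  const h = req.headers || {};
  const ct = (h["content-type"] || "").toLowerCase();
  return ct.startsWith("application/json") && h["origin"] === ALLOWED_ORIGIN;
}

// Rule: validate the data server-side with an allow-list; never rely on the client-side check.
function validateComment(body) {
  const errors = [];
  if (typeof body.postId !== "string" || !/^\d{1,10}$/.test(body.postId)) errors.push("postId");
  if (typeof body.text !== "string" || body.text.length < 1 || body.text.length > 500) errors.push("text");
  return errors;
}

// Rule: no SQL injection. The query uses bound parameters, never string concatenation.
function buildInsert(body) {
  return { sql: "INSERT INTO comments (post_id, body) VALUES (?, ?)",
           params: [Number(body.postId), body.text] };
}

// Rule: no JavaScript injection. Output is HTML-encoded before it is echoed back to the page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Rule: business logic stays on the server, and no request is assumed to be real.
function handleCommentRequest(req) {
  if (!isAuthenticated(req)) return { status: 401, error: "not authenticated" };
  if (!headersLookRight(req)) return { status: 403, error: "unexpected request headers" };
  const errors = validateComment(req.body || {});
  if (errors.length) return { status: 400, error: "invalid fields: " + errors.join(",") };
  return { status: 200, query: buildInsert(req.body), rendered: escapeHtml(req.body.text) };
}
```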
And if we add that by building sites with Ajax we end up building sites that are not accessible..