Recently I've been working on some Google Web Toolkit (GWT) libraries that involve JSON and JSONP. While working on this project, I've been reminded just how tricky AJAX can be. It's no secret that there are a lot of people out there who spend huge portions of their lives thinking up ways to steal your data (or worse). Unfortunately, the same cool tricks that let you build AJAX sites and mashups also make it easy to build unsafe web applications. Some of the attacks evildoers have come up with are downright devious!
To help get the word out, I've put together an article on my experiences. Eventually we'll merge its contents into the GWT Developer Documentation, but we thought that it was important to get this out to GWT developers rather than wait for the next documentation update.