A rather scary issue: evil.com can rewrite JavaScript constructs such as the fundamental Object. This means that evil.com can change the AJAX/JSON behavior of scripts run through good.com.
http://www.fortifysoftware.com/advisory.jsp
ScottGu from Microsoft responds, explaining why ASP.NET AJAX is not so vulnerable to this issue. It doesn’t look like the best solution (basically, the server requires an HTTP header Content-Type: application/json or it ignores the request).
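
The server-side check described above, as an added example (not ScottGu's or ASP.NET AJAX's own code). The function names, the `loadData` callback, the 415 status and the sample requests are assumptions constructed for illustration.

```javascript
// Added example (constructed): serve JSON only when the request itself
// declares Content-Type: application/json. A cross-site <script src> include
// is a plain GET and cannot set that header; same-origin XHR code can.

// Media type without parameters ("; charset=utf-8") and without case.
function mediaType(value) {
  if (typeof value !== 'string') return null;
  const type = value.split(';')[0].trim().toLowerCase();
  return type === '' ? null : type;
}

// Case-insensitive header lookup for plain header objects.
function getHeader(headers, name) {
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === name) return headers[key];
  }
  return undefined;
}

// loadData is a hypothetical callback returning the sensitive object.
// It is only called after the header check passes.
function handleJsonEndpoint(req, loadData) {
  const ct = getHeader(req.headers, 'content-type');
  // Exact match only: a prefix test would accept "application/json-x".
  if (Array.isArray(ct) || mediaType(ct) !== 'application/json') {
    // 415 is this example's choice; the page only says the request is ignored.
    return { status: 415, body: '' };
  }
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(loadData()),
  };
}

// Constructed sample requests.
const scriptInclude = { method: 'GET', headers: { accept: '*/*', referer: 'http://evil.com/' } };
const xhrCall = { method: 'POST', headers: { 'Content-Type': 'application/json; charset=utf-8' } };

function demo() {
  const data = () => [{ account: 'constructed-sample' }];
  return [scriptInclude, xhrCall].map((r) => handleJsonEndpoint(r, data).status);
}
console.log(demo()); // [ 415, 200 ]
```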