
You are replying to:

    • Anthony
    • Posted on Mon 13 Mar 2006 05:36 PM

    To say 'To prevent malicious code you can only use Ajax on and within your own website' is incorrect. Of the browsers I use to develop for, there are different methods that allow XSS to occur.

    In IE (not sure about 7), if a website is listed in the 'Trusted Sites', the JavaScript is allowed to perform XSS without user interaction.

    In Firefox there is no such 'Trusted Sites' area to allow XSS to occur. You are, however, able to sign the JavaScript and zip it up with the file extension '.jar'. You do need a CA to do this, though. Once this is done, AJAX calls to other servers are allowed.

    For an example of the signed JavaScript, check out the DWA 6/7 mail templates in Domino; these allow XSS. Also, the Mozilla site has an article from the good old Netscape DevEdge with more information.

    {Link}

    In relation to other browsers, I do not use them, so I can't comment.

    Regards,

    Anthony
