It's easy to say, but I guess we already knew that certain AJAX techniques were vulnerable to attack. I mean, I even published an article on bypassing the “same origin policy” (see WebParts and Ajax). I refer to the sites that use this bypass technique; hell, I even call it a security bypass, and there’s your biggest clue.

This document talks about the various techniques for trying to prevent this and comes down hard on JSON. I haven’t had a chance to explore this. I reckon with a lot of jiggery-pokery it might be possible to get XML data as well; it depends on how that data is retrieved. The document suggests means by which bad script could try to circumvent certain security tactics in JSON; those same techniques could work for XML data, I reckon.

But take a look; the bits about session cookies sound good.

http://www.fortifysoftware.com/advisory.jsp
