Sam Ruby says Sajax is still unsafe
While I haven't looked at the safety aspects of it, I have to ask if it's needed at all?
When Gmail launched I'd already been interested in this approach for a while, after seeing stuff like Netwindows.
On the server side I hardly saw much need to add any special code - it was no different than writing any other PHP code in my case, with proper request handling, except that I was returning XML instead of a complete webpage.
For me, the main revelation was that I could make truly clean web apps by cleanly separating visual presentation and logic by wrapping all the latter, and providing the former as a CSS stylesheet and a set of XSL transformations that I could easily apply server side for "old style" clients.