Sam Ruby says Sajax is still unsafe
While I haven't looked at the safety aspects of it, I have to ask if it's needed at all?
When Gmail launched I'd already been interested in this approach for a while, after seeing stuff like Netwindows.
It took me, with fairly basic JavaScript skills, just a couple of hours to put together a fairly advanced test application.
A small JavaScript function library and you have a fairly solid base on the client side.
On the server side I hardly saw much need to add any special code - it was no different from writing any other PHP code in my case, with proper request handling, except that I was returning XML instead of a complete webpage.
For me, the main revelation was that I could make truly clean web apps by cleanly separating visual presentation and logic by wrapping all the latter, and providing the former as a CSS stylesheet and a set of XSL transformations that I could easily apply server side for "old style" clients.
Combined with hrefs to PHP scripts to fall back on for actions that supporting browsers with JavaScript on would do client-side, it's actually quite easy to write these kinds of apps in a way that allows them to work on any browser.
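The post does not spell out what Sam Ruby found unsafe in Sajax, so the following added example (written for this page, not the author's code and not Sajax) only illustrates the "business as usual" server-side request handling and the href fallback described above. The client never names a server-side function; it sends an action keyword and arguments, the server maps the keyword through a fixed allowlist, checks the HTTP method, and builds its XML reply with DOM so values are escaped rather than concatenated. The same script returns raw XML when the JavaScript client asks for `format=xml` and an XSL-transformed HTML page otherwise, so a plain `<a href="actions.php?action=list">` works in a browser without JavaScript. The file names `actions.php` and `list.xsl`, the `format` parameter and the sample note data are assumptions.

```php
<?php
// Added example, not the original author's code. One endpoint for all "actions"
// of a small web app: allowlisted dispatch, validated input, XML out, XSLT fallback.
declare(strict_types=1);

// --- Handlers: each returns plain data (arrays/strings), never markup or code. ---
function action_list_notes(array $params): array
{
    // Constructed sample data standing in for a real data store (assumption).
    return ['notes' => [['id' => 1, 'text' => 'first'], ['id' => 2, 'text' => 'second']]];
}

function action_add_note(array $params): array
{
    $text = isset($params['text']) && is_string($params['text']) ? $params['text'] : '';
    if ($text === '' || strlen($text) > 500) {
        throw new InvalidArgumentException('text must be 1-500 bytes');
    }
    // A real app would persist here; the example echoes the validated value back.
    return ['note' => ['id' => 3, 'text' => $text]];
}

// --- Allowlist: the ONLY route from a request to a handler. Each entry fixes
// the handler and the HTTP method it may be invoked with (state changes = POST).
const ACTIONS = [
    'list' => ['action_list_notes', 'GET'],
    'add'  => ['action_add_note', 'POST'],
];

function dispatch(string $action, string $method, array $params): array
{
    if (!array_key_exists($action, ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    [$handler, $allowedMethod] = ACTIONS[$action];
    if ($method !== $allowedMethod) {
        throw new InvalidArgumentException("action '$action' requires $allowedMethod");
    }
    return $handler($params);
}

// --- XML response built with DOM: element names come from the handlers,
// text values are created as text nodes, so client input is always escaped.
function to_xml(array $data): DOMDocument
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->appendChild($doc->createElement('response'));
    append_node($doc, $root, $data);
    return $doc;
}

function append_node(DOMDocument $doc, DOMNode $parent, array $data): void
{
    foreach ($data as $key => $value) {
        // Numeric keys (list items) become <item>; string keys are fixed handler names.
        $el = $parent->appendChild($doc->createElement(is_int($key) ? 'item' : $key));
        if (is_array($value)) {
            append_node($doc, $el, $value);
        } else {
            $el->appendChild($doc->createTextNode((string) $value));
        }
    }
}

// --- Request handling ---
$action = $_REQUEST['action'] ?? 'list';
$format = $_REQUEST['format'] ?? 'html';          // the JS client sends format=xml (assumption)
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

try {
    $xml    = to_xml(dispatch(is_string($action) ? $action : '', $method, $_REQUEST));
    $status = 200;
} catch (InvalidArgumentException $e) {
    $xml    = to_xml(['error' => $e->getMessage()]);
    $status = 400;
}

http_response_code($status);
if ($format === 'xml') {
    header('Content-Type: application/xml; charset=UTF-8');
    echo $xml->saveXML();
} else {
    // Fallback for a browser that followed a plain href: apply the stylesheet server-side.
    $xsl = new DOMDocument();
    $xsl->load(__DIR__ . '/list.xsl');             // assumed stylesheet file name
    $proc = new XSLTProcessor();
    $proc->importStylesheet($xsl);
    header('Content-Type: text/html; charset=UTF-8');
    echo $proc->transformToXML($xml);
}
```

The point of the `ACTIONS` table is that adding a server-side capability is an explicit edit to the allowlist, and nothing the client sends can reach a function outside it; the method check keeps a state-changing action from being triggered by a simple link or image request.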
But that's a digression. What I want to point out is that Sajax isn't really solving much for me - the disadvantage of being pushed into a certain processing model outweighs the trivial advantages over what I get from the 50-100 lines of JavaScript I cobbled together for my tests last year, together with "business as usual" on the server side.