A friend recently passed a long an article found on slashdot regarding XSS, and for more information I visited the Mozilla Blog that discusses this concept in greater detail.  In an effort to save time I will summarize the articles as this, you will not be able to use in-line javascript, inline event handlers, or load javascript from unapproved domains.  Basically, you will need to have all your javascript loaded in external js files, and then create a policy that allows the js to be loaded by a domain. Now after reading these articles, and mulling the concept over for a few minutes, a few things came to mind.

The amount of legacy code that produces inline javascript, or inline event handlers, etc..

The amount of time to refactor this code, and I am referring to enterprise applications not your Mom’s blog.

A way to move developers towards unobtrusive javascript, i.e. adding event handlers through script and not putting them directly into the html markup.  This is a positive as markup is markup.

With this approach would the need for Javascript micro-architectures arise?  Think PureMVC and Cairongorm for Flex.  After all we are already using javascript application frameworks, shouldn’t we have some architectural frameworks for html/css/javascript clients?

Overall I am not to0 concerned with the implications of the concept presented by Mozilla.  I feel that in the end it will make developers realize that there are some fundamental shifts needed in the client side development arena that go beyond creating the next cool javascript widget or library.

XSS is a real threat and by attempting to solve this issue we may all have to create a better architecture for our clients.