Posts by EM

1 publicly visible post • joined 5 Apr 2007

New vulnerability strikes heart of Web 2.0

EM

should exempt asp.net ajax

I don't know about pre-release versions of ASP.NET Ajax, but - pace Chess et al - the security on the release version would seem to avoid this problem. In this framework, requests made by the XMLHttpRequest object set the Content-Type header to 'application/json', and this is verified by the server. Since there doesn't seem to be a way of forcing a script block to result in a request with such a header, JavaScript Hijacking is blocked. (See http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx)
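The Content-Type guard the post describes, as an added example that is not part of the original post and not ASP.NET AJAX's own code. It models the server-side check in plain JavaScript: the JSON payload is released only to a request whose Content-Type is application/json, which a cross-site `<script src>` tag or HTML form cannot produce. The request objects, the `handleJsonRequest` handler and the additional "must be POST" rule are all assumptions made for the example (a script tag can only issue a GET, so requiring POST is a second, independent barrier).

```javascript
// Added example: a minimal model of the Content-Type check that blocks
// JSON hijacking. Not the original post's code and not ASP.NET AJAX itself.

const JSON_CONTENT_TYPE = "application/json";

// Extract the media type from a Content-Type value, ignoring parameters
// such as "; charset=utf-8" and letter case.
function mediaType(headerValue) {
  if (typeof headerValue !== "string") return "";
  return headerValue.split(";")[0].trim().toLowerCase();
}

// Header names are case-insensitive; normalise them so lookups are robust.
function lowerCaseKeys(headers) {
  const out = {};
  for (const name of Object.keys(headers)) out[name.toLowerCase()] = headers[name];
  return out;
}

// `req` is a constructed stand-in for the server's request object:
// { method: "GET" | "POST", headers: { ... } }.
function isAllowedJsonRequest(req) {
  const headers = lowerCaseKeys(req.headers || {});
  // The check from the post: the caller must have declared application/json.
  if (mediaType(headers["content-type"]) !== JSON_CONTENT_TYPE) return false;
  // Assumption beyond the post: also require POST. A <script src> tag can
  // only ever issue a GET, so this is a second, independent barrier.
  if (req.method !== "POST") return false;
  return true;
}

// Simulated JSON endpoint: serialises the payload only for allowed requests
// and answers everything else with 415 Unsupported Media Type and no body.
function handleJsonRequest(req, payload) {
  if (!isAllowedJsonRequest(req)) return { status: 415, body: "" };
  return { status: 200, body: JSON.stringify(payload) };
}

// Constructed sample requests.
// 1. What the application's own page sends via XMLHttpRequest.
const legitimateXhr = {
  method: "POST",
  headers: { "Content-Type": "application/json; charset=utf-8" },
};
// 2. What a hostile page's <script src="https://victim.example/api"> produces:
//    a plain GET; the browser sets no Content-Type and the attacker cannot
//    add one from a script tag.
const scriptTagRequest = { method: "GET", headers: { Accept: "*/*" } };
// 3. A cross-site HTML form POST: enctype is limited to urlencoded,
//    multipart or text/plain, so it can never claim application/json.
const formPostRequest = {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
};

// Constructed sensitive payload the attacker is trying to read.
const secret = { accountNumber: "0000-1111", balance: 42 };

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, req] of [
    ["xhr", legitimateXhr],
    ["script tag", scriptTagRequest],
    ["form post", formPostRequest],
  ]) {
    console.log(label, handleJsonRequest(req, secret));
  }
}
```

Two caveats worth keeping in mind when relying on this check: it works only because the browser refuses to let a cross-origin script tag or form set an arbitrary Content-Type (a cross-origin XMLHttpRequest with application/json triggers a CORS preflight the server can decline), and it protects the JSON response from cross-site reads only; it does nothing against script already running on the same origin.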