I’m not a big fan of Google’s engineers in general, but this one is an excellent example of Google just being stupid:
Apparently, the Google engineering genius decided that it wasn’t important to ensure that a request coming in via an AJAX request carried the correct user session cookie and that the user’s session was still valid on the server. No. Instead they just decided that this and probably hundreds of other AJAX requests didn’t need any security and just worked no matter who the requesting client was. This is web programming 101, folks. Since the browser (user-agent) must provide the same cookies for an AJAX request as it does for a normal request, there is NO reason a web application shouldn’t secure AJAX requests the same way it secures normal requests: by validating the in-memory session cookie on the server.
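To make the point concrete, here is an added example (my own, not code from the post or from Google) of the server-side check the post is asking for: the same session lookup wrapped around both a normal page handler and an AJAX handler, next to the unchecked handler that behaves the way the post describes. The cookie name `sessionid`, the session store, and the user names are constructed for illustration.

```javascript
// Added example: uniform server-side session validation for page and AJAX
// requests. The cookie name, session store and user names are constructed.

// Constructed in-memory session store: sessionId -> { user, expiresAt (ms) }
const sessions = new Map([
  ['sid-valid',   { user: 'alice', expiresAt: Date.now() + 3600 * 1000 }],
  ['sid-expired', { user: 'bob',   expiresAt: Date.now() - 1 }],
]);

const SESSION_COOKIE = 'sessionid'; // assumed cookie name

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Resolve the caller's session from the cookie. Returns null when the cookie
// is missing, unknown to the server, or expired. This runs on every request,
// XHR or not, because the browser attaches the same cookies to both.
function authenticate(req) {
  const sid = parseCookies(req.headers && req.headers.cookie)[SESSION_COOKIE];
  if (!sid) return null;
  const sess = sessions.get(sid);
  if (!sess) return null;
  if (sess.expiresAt <= Date.now()) {
    sessions.delete(sid); // expired on the server: treat as logged out
    return null;
  }
  return sess;
}

// Wrap any handler so it only runs for a valid session; otherwise 401.
function requireSession(handler) {
  return (req) => {
    const sess = authenticate(req);
    if (!sess) return { status: 401, body: { error: 'not authenticated' } };
    return handler(req, sess);
  };
}

// Weak version: the AJAX endpoint answers whoever asks (the bug described above).
function handleAjaxUnchecked(req) {
  return { status: 200, body: { items: ['private item 1', 'private item 2'] } };
}

// Hardened versions: the page and the AJAX endpoint share the same guard.
const handlePage = requireSession((req, sess) =>
  ({ status: 200, body: `<html>Welcome ${sess.user}</html>` }));

const handleAjaxChecked = requireSession((req, sess) =>
  ({ status: 200, body: { items: ['private item 1', 'private item 2'], user: sess.user } }));

// Example usage with a constructed request object shaped like Node's IncomingMessage:
const demo = handleAjaxChecked({ headers: { cookie: 'sessionid=sid-valid' } });
console.log(demo.status, JSON.stringify(demo.body)); // 200 {"items":[...],"user":"alice"}
```

The guard is the whole fix: whatever framework is in use, every AJAX route should go through the same session middleware as the HTML routes, and the session must be looked up and expiry-checked on the server rather than trusted because a cookie happens to be present. Note that validating the session cookie authenticates the browser, not the page that triggered the request, so AJAX endpoints still need the usual CSRF protections on top of this check.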