by YuriNiyazov 5168 days ago
I do not mean submitting an HTTPS login form, which works just fine, but forces a full page refresh. I mean capturing a submit and sending the credentials via AJAX, but to HTTPS, which is forbidden by the security sandbox. You end up doing various unkosher things like bringing up the login form over HTTPS in an iframe while the site itself is brought up over HTTP.

Yes, this is fundamentally insecure, and I am aware that this is not a problem with Backbone specifically, but a general problem with the approach of building browser apps without page refreshes over HTTP for everything except for the login screen.

2 comments

Have you looked into cross-origin resource sharing? It doesn't support all browsers, but it may be a great solution for browsers that support it. http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
It would be very interesting if you could write a blog post and an example project illustrating how to do this. I think many could benefit from this knowledge.
I'm afraid that the end conclusion of that blog post would be the same that jashkenas mentioned in the GP: serve your whole site over HTTPS.
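
The conclusion the thread reaches (serve the whole site over HTTPS), sketched as request-handling logic that also refuses a plain-HTTP page as a CORS origin for the login endpoint. This is an added example, not code from any commenter; the host name, allowlist, cookie name and the `decide` function are assumptions.

```javascript
// Added example. Host, allowlist, cookie name and paths are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const HSTS = "max-age=31536000; includeSubDomains";

// Decide the response for one request, given as a plain object:
// { secure: boolean, method, host, url, origin? }
function decide(req) {
  // 1. Nothing is served over plain HTTP: a page delivered that way can be
  //    rewritten in transit, including the script that collects the password.
  if (!req.secure) {
    return { status: 301, headers: { Location: `https://${req.host}${req.url}` } };
  }
  // HSTS tells the browser to skip the HTTP hop on later visits.
  const headers = { "Strict-Transport-Security": HSTS };

  // 2. CORS: only allowlisted HTTPS origins may call in. An http:// origin
  //    is refused even when it is the same host name.
  if (req.origin !== undefined) {
    if (!ALLOWED_ORIGINS.has(req.origin)) {
      return { status: 403, headers };
    }
    headers["Access-Control-Allow-Origin"] = req.origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin";
    if (req.method === "OPTIONS") {
      // Preflight for the AJAX login POST.
      headers["Access-Control-Allow-Methods"] = "POST";
      headers["Access-Control-Allow-Headers"] = "Content-Type";
      return { status: 204, headers };
    }
  }

  // 3. Login (credential check omitted): the session cookie is marked Secure,
  //    so the browser never sends it over HTTP.
  if (req.method === "POST" && req.url === "/login") {
    headers["Set-Cookie"] = "session=<opaque-id>; Secure; HttpOnly; SameSite=Lax; Path=/";
    return { status: 204, headers };
  }
  return { status: 200, headers };
}
```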