by sadpluto 5097 days ago
What is the standard reference for DOM mastery?
3 comments

Another document worthy of some study is http://lcamtuf.coredump.cx/postxss/
Yes! This is a great paper which made surprisingly little noise given how important it is.

The idea is: stipulate that no attacker can ever inject JavaScript into a browser. Assume we solve that problem completely. Now, how secure are DOM-based applications? Turns out: not that much more secure. Lots of very clever examples.

This is a very good starting document: http://code.google.com/p/browsersec/

(Also, anything lcamtuf touches is probably going to be good.)

I'd start with _The Tangled Web_ by Zalewski.