Can this be used to access code/database queries without permissions checks? Since the universal url has to be readble but the public in case unregistered users can submit some form, if a validation did a database query lookup it could expose some data or at least the existance of the data, if not the data itself.
Maybe doing a permission check on the ad_conn url based on the key would be good. I am trying to think if there is a more secure way to manage the key. Probably an sha1 hash with of the key and a server secret could not hurt. This way the url of the key could not be edited.
Overall i like the idea. It piggybacks on the server side validation specification which is the right thing to do.
Sometime in the future i'd like to deprecate ajaxhelper, and have a standard JS library based on Yahoo UI, but since I haven't written that yet, I certainly can't complain. It looks like this will gracefully degrade if you don't have javascript enabled it just does the after submit validation.
