Even in a single browser world, things like popup blockers and other ad blocking can wreak havoc on JavaScript.

Too true, we have been patching Intranet apps recently to make them work with WinXP SP2.

It also is all client side, meaning you trust the clients not to tamper with the code to do some weird things. Is the server side trusting what comes back 100%? It shouldn't.

This is no different though to the position with a traditional forms-based postback app though. In both cases unless you can trust the users (which you can in some Intranet apps) you have to validate the data on the server side.

It can be very difficult to convince customers that server side checking is needed and, to be honest, I have yet to come across a malicious user of any of the Intranet apps I have been involved with.

I do remember those early days of Internet commerce, where lots of websites' shopping baskets trusted the data coming back from the client. I often found sites where you could choose what price you paid for goods. I sent a few friendly emails to website owners pointing this out, rarely got a response. Good job I'm honest...
_________________________
Remind me to change my signature to something more interesting someday
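
The server-side check discussed in the post above, as an added example that is not part of the original thread: the server prices the basket from its own catalogue and treats whatever price the browser sent as untrusted. `CATALOGUE`, `priceBasket`, `MAX_QTY` and the field names `sku`, `qty` and `price` are hypothetical, and the data is constructed.

```javascript
// Added example: server-side re-validation of a basket posted by the browser.
// All names and data here are hypothetical / constructed for illustration.
const CATALOGUE = new Map([          // authoritative prices, in pence
  ["WIDGET-1", 1999],
  ["GADGET-2", 4950],
]);
const MAX_QTY = 100;

function priceBasket(clientLines) {
  if (!Array.isArray(clientLines) || clientLines.length === 0) {
    return { ok: false, errors: ["basket must be a non-empty list"] };
  }
  const errors = [];
  const warnings = [];
  let total = 0;
  clientLines.forEach((line, i) => {
    const sku = line && typeof line.sku === "string" ? line.sku : null;
    if (sku === null || !CATALOGUE.has(sku)) {
      errors.push(`line ${i}: unknown sku`);
      return;
    }
    // Quantity must be a whole number in range: rejects "2", -1, 1.5, NaN.
    const qty = line.qty;
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) {
      errors.push(`line ${i}: invalid quantity`);
      return;
    }
    const unit = CATALOGUE.get(sku);   // the server's price, never the client's
    if (line.price !== undefined && line.price !== unit) {
      // Worth logging: the page or the request was altered on the client.
      warnings.push(`line ${i}: client price differs from catalogue, ignored`);
    }
    total += unit * qty;
  });
  return errors.length ? { ok: false, errors } : { ok: true, total, warnings };
}

// Constructed request body: the second line carries an altered price.
const submitted = [
  { sku: "WIDGET-1", qty: 2, price: 1999 },
  { sku: "GADGET-2", qty: 1, price: 1 },
];
console.log(priceBasket(submitted));
```

The same function serves an AJAX call and a traditional form postback, since in both cases the request body is the only thing the server sees.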