For AsYouWish (or older version at AMO languishing in loneliness awaiting preliminary approval), while it opens up a lot of fun, it is also a bit scary given the number of ways in which its power could be exploited by the malicious.
Here are some entry points which require proper awareness if not sanitizing by AsYouWish websites (though they also may invite ideas for proper usage):
|URL parameters||User in URL bar, user clicking third-party link, or user visiting third-party website (with hidden XSRF potential)|
|regular postMessage||Third-party developer|
|privileged postMessage (as from WebAppFind invocation from OS desktop and potentially in the future from AtYourCommand)||User|
|registerProtocolHandler||User in URL bar, user clicking third-party link, or user visiting third-party website (with hidden XSRF potential)|
|bookmarklet||Third-party site (potentially coming from other users if XSS is an issue)|
|local data store||Potentially other users|
|remote data store||Potentially other users|
A very important principle is to make all GET-able URL-accessible parameters (URL parameters or custom protocols) idempotent, while allowing for pseudo-POST (via postMessage) to, if proper checks are in place, provide safe code with side effects (bearing in mind that a "null" origin may not differentiate between file:// URLs, etc.). Where the context does not allow for POST-like behavior, one can still allow bookmarkable non-idempotent behaviors upon user confirmation (ideally after they are provided with source code of exactly what will be changed/added).