Ajax: mouse position tracker

Ajax is a powerful approach.
But a programmer can also use it to implement very harmful code, I think.
To test my idea, I've coded a "mouse position tracker" with Ajax.


Consider the following example code.

<html>
<body>
<script>
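// Note: this code only works in Microsoft Internet Explorer
// (it relies on the global event object and ActiveXObject).
function mouse()
{
    // Pointer position in page coordinates (viewport position + scroll offset).
    var x = event.x + document.body.scrollLeft;
    var y = event.y + document.body.scrollTop;

    //alert('x = ' + x + ', y = ' + y);

    // One asynchronous GET per mousemove event. The query string has no '='
    // after x, so the access log below shows "x197&y=153".
    var http = new ActiveXObject("Microsoft.XMLHTTP");
    http.open('get', 'mouse.php?x' + x + '&y=' + y);
    http.send(null);
}
// Run mouse() on every mouse movement over the document.
document.onmousemove = mouse;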
</script>
</body>
</html>

The code above can be used to track the mouse movement of a site visitor.
Tracking is performed in real time!
The visitor will NOT notice what is being done on this site.
What a terrible thing to do!


The administrator of the site can check the access log.

# tail -f /usr/local/apache2/logs/access_log
[...]
[18/Jun/2005:15:33:05 +0900] "GET .../test/mouse.php?x197&y=153 HTTP/1.1" 200 1
[18/Jun/2005:15:33:05 +0900] "GET .../test/mouse.php?x286&y=145 HTTP/1.1" 200 1
[18/Jun/2005:15:33:06 +0900] "GET .../test/mouse.php?x282&y=144 HTTP/1.1" 200 1
[18/Jun/2005:15:33:06 +0900] "GET .../test/mouse.php?x268&y=143 HTTP/1.1" 200 1
[18/Jun/2005:15:33:06 +0900] "GET .../test/mouse.php?x250&y=140 HTTP/1.1" 200 1
[18/Jun/2005:15:33:06 +0900] "GET .../test/mouse.php?x232&y=137 HTTP/1.1" 200 1
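
Seen from the server side, the log above has a recognizable shape: one client requesting one path several times per second, with a different numeric query string each time. A detection sketch for that pattern, added here as an example and not part of the original post; the sample lines (client addresses, the un-elided /test/ path, the index.html and search.php requests) and the window_s/min_hits thresholds are constructed assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache common log format. Client addresses, the full
# paths and the non-mouse.php requests are placeholders, not from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jun/2005:15:33:04 +0900] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [18/Jun/2005:15:33:05 +0900] "GET /test/mouse.php?x197&y=153 HTTP/1.1" 200 1
192.0.2.10 - - [18/Jun/2005:15:33:05 +0900] "GET /test/mouse.php?x286&y=145 HTTP/1.1" 200 1
192.0.2.10 - - [18/Jun/2005:15:33:06 +0900] "GET /test/mouse.php?x282&y=144 HTTP/1.1" 200 1
192.0.2.10 - - [18/Jun/2005:15:33:06 +0900] "GET /test/mouse.php?x268&y=143 HTTP/1.1" 200 1
192.0.2.10 - - [18/Jun/2005:15:33:06 +0900] "GET /test/mouse.php?x250&y=140 HTTP/1.1" 200 1
192.0.2.10 - - [18/Jun/2005:15:33:06 +0900] "GET /test/mouse.php?x232&y=137 HTTP/1.1" 200 1
192.0.2.20 - - [18/Jun/2005:15:33:06 +0900] "GET /search.php?page=2 HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" (\d{3}) \S+')

def find_beacons(log_text, window_s=2, min_hits=5):
    """Flag (client, path) pairs that receive at least min_hits GETs with
    distinct, digit-bearing query strings inside a window_s-second window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, stamp, target, _status = m.groups()
        path, _, query = target.partition("?")
        if not re.search(r"\d", query):
            continue  # no numeric payload in the query string
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits[(client, path)].append((when, query))
    flagged = []
    for (client, path), events in hits.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_s seconds.
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            distinct = len({q for _, q in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_hits:
            flagged.append((client, path, best))
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

The thresholds need tuning against real traffic: legitimate polling or autocomplete endpoints produce a similar burst shape, so the output is a list of candidates to review, not a verdict.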


I have a question.
When an attacker injects this JavaScript code into an XSS-vulnerable site, what will happen?