Michal Zalewski is maintaining an incredible document, the Browser Security Handbook. It catalogs and describes all the browser behaviors related to security concerns in web applications. Everything is covered in astounding detail, with tables of browser behaviors, descriptions of the issues involved, links to vendor-specific information, code for test cases, etc. It isn’t very long, but it has the highest signal-to-noise ratio of anything covering these issues.
It’s a fascinating read on a number of levels. First, as a web application developer, you need to understand the wide variety of possible threats. Second, as a software developer, it’s interesting to see the differences in implementation at the far edges of a spec. Remarkable through and through.