Maybe a workaround:

1. Ad server signs the text of the javascript code with an HMAC-style digest with a shared (private) key. Maybe the first line of the text is the hash of the rest of it. (Possibly also an advertiser-id jammed in there so the site knows which key to check).

2. Client pulls the javascript as plain text via XMLHttpRequest. (May require hacks or flash to do cross-domain on some browsers. :-( )

3. Client sends the whole thing via a POST XMLHttpRequest to the site's server. (Remember that only the advertiser and the site can have the same key; if the client can get it, the attacking site can, too).

4. Site's server returns some OK message with the hash to the client.

5. Client javascript calls eval on the text of the javascript.

That should keep anyone from injecting malicious javascript by stealing the advertiser's domain. It does NOT protect against an attacker who has managed to get ahold of the secret key, but that's a lot trickier for them to do.
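
A sketch of steps 1, 3 and 4 of the scheme in the comment above, as an added example for Node.js that is not part of the original comment. The `//adsig` header layout, the function names and the sample key are assumptions made for illustration; HMAC-SHA256 is one choice of "HMAC-style digest".

```javascript
"use strict";
const crypto = require("node:crypto");

// Assumed wire format (not from the comment): the first line is
//   //adsig <advertiser-id> <hex HMAC-SHA256>
// and everything after the first "\n" is the script body.
const HEADER = /^\/\/adsig ([A-Za-z0-9_-]{1,64}) ([0-9a-f]{64})$/;

// The advertiser id is MACed together with the body, so a valid tag
// cannot be reused under a different advertiser's id.
function tag(key, advertiserId, body) {
  return crypto.createHmac("sha256", key)
    .update(advertiserId).update("\n").update(body, "utf8").digest();
}

// Step 1: the ad server prepends the signed header to the script text.
function signAdScript(advertiserId, key, body) {
  const hex = tag(key, advertiserId, body).toString("hex");
  return `//adsig ${advertiserId} ${hex}\n${body}`;
}

// Steps 3-4: the site's server checks the text the client POSTed.
// keys: Map of advertiser id -> shared secret (Buffer), held server-side only.
function verifyAdScript(text, keys) {
  const nl = text.indexOf("\n");
  if (nl < 0) return { ok: false, reason: "no header line" };
  const m = HEADER.exec(text.slice(0, nl));
  if (!m) return { ok: false, reason: "malformed header" };
  const [, advertiserId, claimedHex] = m;
  const key = keys.get(advertiserId);
  if (!key) return { ok: false, reason: "unknown advertiser" };
  const expected = tag(key, advertiserId, text.slice(nl + 1));
  const claimed = Buffer.from(claimedHex, "hex"); // 32 bytes, enforced by HEADER
  // Constant-time comparison avoids leaking how many tag bytes matched.
  if (!crypto.timingSafeEqual(expected, claimed)) {
    return { ok: false, reason: "bad signature" };
  }
  // The OK message carries the digest so the client can match it to its text.
  return { ok: true, advertiserId, digest: claimedHex };
}

// Constructed sample data (demo key, not a real secret).
const KEYS = new Map([["acme", Buffer.from("constructed-demo-key")]]);
const SIGNED = signAdScript("acme", KEYS.get("acme"), "showBanner('spring-sale');\n");
const TAMPERED = SIGNED.replace("spring-sale", "other");
```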