Exploiting the XmlHttpRequest object in IE Part 2


In this rather lengthy article, Amit Klein continues his original discussion of injecting additional HTTP requests through the XMLHttpRequest object.

"The attack idea is simple: the user visits the malicious website, and it, using an XHR object, injects 2 requests (where the browser thinks only one request is present) through the proxy server, to the malicious website. The proxy sends back 2 responses, the browser consumes one for the XHR object, and then the malicious JavaScript code forces the browser to send another request (to the target website). This request is then matched to the 2nd response (queued at the browser response queue), and thus we have the XSS condition and the browser cache poisoning condition (which is effectively a "local defacement", at the browser level)."
http://www.cgisecurity.com/lib/XmlHTTPRequestPart2.shtml
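The control that removes this class of bug is validation of every request component before it is serialised, so that a CR/LF in a header value can never end one request and start a second one. The following is an added Python example of that check, not code from the article or from any browser; the helper names, the constructed wire sample and the hostnames are assumptions.

```python
import re

# RFC 7230 "token": the only characters allowed in a header name or method.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CR, LF and other control bytes. A CR/LF inside a header value is exactly
# what lets a single XHR call terminate its request and start a second one.
_CTL = re.compile(r"[\x00-\x1f\x7f]")
# Shape of an HTTP/1.x request line.
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def validate_header(name: str, value: str) -> bool:
    """True only if (name, value) can be serialised without altering framing."""
    return bool(_TOKEN.match(name)) and not _CTL.search(value)


def build_request(method: str, path: str, headers: dict) -> bytes:
    """Serialise one HTTP/1.1 request. Every component is checked first and a
    ValueError is raised rather than emitting bytes that would split the
    request (hypothetical helper; not how any browser is implemented)."""
    if not _TOKEN.match(method):
        raise ValueError(f"bad method {method!r}")
    if _CTL.search(path) or " " in path:
        raise ValueError(f"control character or space in path {path!r}")
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers.items():
        if not validate_header(name, value):
            raise ValueError(f"rejected header {name!r}: {value!r}")
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def count_requests(raw: bytes) -> int:
    """Number of request lines in a byte stream, i.e. what the proxy sees.
    The output of build_request() always contains exactly one."""
    return sum(1 for line in raw.split(b"\r\n") if _REQUEST_LINE.match(line))


if __name__ == "__main__":
    ok = build_request("GET", "/index.html", {"Host": "example.test"})
    print(count_requests(ok))  # 1
    # Constructed sample of what the article's proxy sees: two requests on
    # one connection although the browser believes it sent only one.
    on_the_wire = (b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"
                   b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n")
    print(count_requests(on_the_wire))  # 2
    try:
        build_request("GET", "/a", {"X-Demo": "value\r\nInjected: yes"})
    except ValueError as err:
        print("rejected:", err)
```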