The first service available is Google Calendar, and we can hope for more to come.
This cross-domain, secure, access seems similar to Subspace, but it is actually live right now. Having a service such as Google Calendar using this is a great step forward, as you know it has been through a thorough security review.
When google.accounts.user.login(..) occurs, it will send you to Google to authenticate. A best practice is to provide a login button or other user input mechanism to prompt the user to start the login process manually. If, instead, you call google.accounts.user.login() immediately after loading, without waiting for user interaction, then the first thing the user sees on arrival at your page is a Google login page. If the user decides not to log in, then Google does not direct them back to your page; so from the user's point of view, they tried to visit your page but were sent away and never sent back. This scenario may be confusing and frustrating to users. Note that the example code above does call google.accounts.user.login() immediately after loading, to keep the example simple, but we don't recommend this approach for real-world client applications.
I am excited about this, as it means that you can write a rich Ajax client that doesn't need server-side proxies to do these things, which traditional was the only solution. Now the server-less model can grow even more.
I got to sit down with Jun Yang, who worked on this code, and got his take: