Most realtime applications work by pushing data to the client for it to act on. Provided the client can trust the data, this is a good setup: the client's behaviour is constrained, since it can only do what its own code allows, with the caveat that some crafted inputs may still trigger unexpected behaviour in that code.
However, some realtime applications script the client directly by pushing JavaScript that the client runs through eval(). This is extremely dangerous unless you make sure that nobody but your own private servers can publish to your Faye server. I recommend that realtime apps operate by exchanging data, not by sending code. If anyone but your own server-side code can publish to a channel the client evaluates, you have a problem that lets an attacker easily steal the user's session and other private data.
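The contrast above, as an added example that is not code from the original post or from the Faye project: an eval-driven subscriber beside a data-driven one, plus a publish check of the kind a server-side extension could apply. Faye itself is not loaded; `evalHandler` and `dataHandler` stand in for the callback you would pass to `client.subscribe(channel, callback)` (an assumption about how the page's app is wired), `authorizePublish` only models the shape of a Faye incoming-extension check (message in, `message.error` set on rejection; wiring it in is assumed, not shown), and the page state and messages are constructed for the demonstration.

```javascript
// Added example, not from the original post or the Faye project.
// Constructed stand-in for browser state an attacker would want to steal.
const fakeDocument = { cookie: 'session=abc123' };
const exfiltrated = [];                 // what a malicious publisher collects

// Vulnerable: the message carries JavaScript source and the client runs it.
// Whoever can publish to this channel runs code with the page's privileges
// (direct eval sees the surrounding scope, so it can read fakeDocument).
function evalHandler(message) {
  // eslint-disable-next-line no-eval
  return eval(message.code);
}

// Hardened: the message carries data; the client dispatches on a fixed set
// of message types and coerces each field it uses. No code is executed.
const handlers = {
  'chat.message': (p) => ({ kind: 'render', text: String(p.text) }),
  'presence.update': (p) => ({ kind: 'presence', user: String(p.user), online: Boolean(p.online) }),
};

function dataHandler(message) {
  if (!message || typeof message !== 'object') {
    return { kind: 'rejected', reason: 'not an object' };
  }
  // hasOwnProperty check so a type such as "constructor" cannot reach
  // Object.prototype members through the handlers table
  if (!Object.prototype.hasOwnProperty.call(handlers, message.type)) {
    return { kind: 'rejected', reason: 'unknown type ' + String(message.type) };
  }
  const payload = message.payload && typeof message.payload === 'object' ? message.payload : {};
  return handlers[message.type](payload);
}

// Server side: only publishers holding the shared secret may publish to
// application channels. Modelled on a Faye incoming-extension check; the
// '403::Forbidden' error string and the ext.token field are assumptions.
function authorizePublish(message, serverSecret) {
  const out = Object.assign({}, message);
  if (typeof out.channel === 'string' && out.channel.startsWith('/meta/')) {
    return out;                         // handshake/subscribe traffic is not a publish
  }
  const token = out.ext && out.ext.token;
  if (token !== serverSecret) {
    out.error = '403::Forbidden';       // rejected; nothing is delivered to subscribers
  }
  return out;
}

// Constructed messages: one a malicious publisher would send, one legitimate.
const malicious = {
  channel: '/notifications',
  code: "exfiltrated.push(fakeDocument.cookie); 'pwned'",
  type: 'constructor',                  // also probes the data dispatcher
};
const legit = {
  channel: '/notifications',
  type: 'chat.message',
  payload: { text: 'hello' },
};

// Runs both client patterns against both messages and the publish check.
function demo() {
  exfiltrated.length = 0;
  const viaEval = evalHandler(malicious);              // attacker's code runs
  const viaData = dataHandler(malicious);              // rejected, nothing runs
  const rendered = dataHandler(legit);
  const unauth = authorizePublish(malicious, 's3cret');
  const auth = authorizePublish(Object.assign({ ext: { token: 's3cret' } }, legit), 's3cret');
  return { viaEval, viaData, rendered, unauth, auth, stolen: exfiltrated.slice() };
}

console.log(JSON.stringify(demo(), null, 1));
```

The data-driven handler is the point of the recommendation: an attacker who can publish can still send unexpected values, but the worst they get is a rejected message or an odd string on screen, not code execution in the user's session.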