This book has a clever approach to explaining what's at stake regarding web app security, in particular the browser security model. That's how I would have structured my book if I had written some regarding web app security.