There doesn't seem to be a way to securely transfer data over the last leg from Yahoo to the actual client. The client portion of my application needs to transfer data securely either from the YAP directly (doesn't seem possible) or from an external site.
Caja seems to prevent the most common workarounds.
Has anyone else encountered this? More importantly, solved this?
The problem here is that even if there is a secure data connection set up, there is one leg of the process back to your server that would be insecure. If you maintain a secure connection from an application, the data request from an application to Yahoo! servers (which makes the calls out to your server) will always be transmitted via cleartext, so it is not recommended that you transmit encrypted data.
What many of our partners have done to bypass this is to build their applications in such a way as to not expose specific details about a person. Mint does an excellent job of this and should be one of the apps to model your application around: http://apps.yahoo.com/-yqRaUQ7k/
Jonathan LeBlanc
Technology Evangelist
Yahoo! Developer Network
Twitter: @jcleblanc