by aloneinkyoto
5694 days ago
This solution is utterly stupid. Why do they pay their engineers millions of dollars if they don't even know the basic semantics of the HTTP protocol? Per RFC 2616, the POST method should be used for any context in which a request is non-idempotent: that is, it causes a change in server state each time it is performed, such as submitting a comment to a blog post or voting in an online poll. The solution to the security problem is to not pass the authentication data in the query string, which is intended for specifying parameters that vary the result of the performed query. Instead, the authentication data should be passed as custom HTTP headers, e.g. "X-Fb-Sig-User: 218471". I am very amazed that this is not common knowledge. This is a 20-year-old protocol that might possibly be the most widely used and implemented high-level communication protocol in human history. Get your shit together, people. Seriously!

Edit: I guess I was a bit quick to judge. Didn't realize that the request originates from an iframe in a browser, where you can't easily set custom HTTP headers. Maybe it is possible to do with some XMLHttpRequest magic, but I can't think of a solution that would work off the top of my head.