by mmmm 5478 days ago
Thanks a lot for the excellent explanation. I tend to do my Ajax requests with POST just to get the token in. Is there a reason not to do so, like savings in bandwidth or something like that? Might that be a gain Facebook is trying to achieve?
2 comments

  > Is there a reason not to do so, like savings in bandwidth or something
  > like that?
GETs may perform slightly better, see http://developer.yahoo.com/performance/rules.html#ajax_get
Yours is a good solution, and effectively blocks the attack mentioned in this article. From a REST purity standpoint, it's "unclean" to require all API calls to be POSTs, but, hey, life is short.