Hacker News
by rberdeen 5374 days ago
Agreed. I can't imagine that any meaningful percentage of Facebook users care about the HTTP spec.

JavaScript in modern web apps has made the distinction between GET and other HTTP methods irrelevant to users. Simply changing these "frictionless sharing" apps to use POST instead of GET doesn't address anyone's concerns.

2 comments

Using POST would probably make non-geeks even more uneasy about this - i.e. if you try to reload an article you're reading and Chrome gives you the ('are you sure you want to resend this content?') pop-up that you're used to seeing when you submit a form, I think any frequent web user would find that strange. Using GET instead (breaking HTTP protocol) lets them slip this by people unnoticed, and I agree with the OP that this is at least worth thinking about.

That said, at least FB requires you to approve this. Ads have been doing this kind of thing for a while now, and I'm not sure how I feel about it (I recently was browsing for pictures on art.com and didn't end up buying anything, but for the next month everywhere I went on the web was showing me the exact pictures I had been browsing).

Implementing "frictionless sharing" with POST doesn't look trivial to me, because browsers treat cross-domain POST requests more strictly than GET.
The JavaScript would just have to create a form and submit it. Not a big problem at all. Alternatively, create an iframe in which the form is autosubmitted via JavaScript.
Doesn't that break the back button, making it no longer "frictionless"?
What makes you think that? CSRF vulnerabilities are possible precisely because cross-domain POST requests can be created without violating the cross-domain policy.
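
Since the browser will deliver a form POST created on another site, as the last reply says, the endpoint that records a share has to reject such requests itself. The following is an added example, not part of the thread or any site's own code, of that server-side check; `TRUSTED_ORIGIN`, the request object shape and the `csrf_token` field are assumptions.

```javascript
// Added example: decide whether a request may record a "share".
// TRUSTED_ORIGIN, the req shape and field names are assumptions.
const TRUSTED_ORIGIN = "https://app.example";

// Compare two strings without stopping at the first mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Reduce a Referer URL to its origin; null if absent or malformed.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

function checkShareRequest(req) {
  // A GET (page load, reload, prefetch) must never change state.
  if (req.method !== "POST") return { allowed: false, reason: "method" };

  // Modern browsers attach Origin to cross-site POSTs; fall back to Referer.
  const headers = req.headers || {};
  const source = headers.origin || originOf(headers.referer);
  if (source !== TRUSTED_ORIGIN) return { allowed: false, reason: "origin" };

  // A form built on another site cannot read the per-session token.
  const sent = (req.body || {}).csrf_token;
  if (!req.sessionToken || !constantTimeEqual(sent, req.sessionToken)) {
    return { allowed: false, reason: "token" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_TOKEN = "constructed-session-token-01";
const SAMPLES = [
  { method: "GET", headers: { origin: TRUSTED_ORIGIN }, sessionToken: SAMPLE_TOKEN, body: { csrf_token: SAMPLE_TOKEN } },
  { method: "POST", headers: { origin: "https://other.example" }, sessionToken: SAMPLE_TOKEN, body: {} },
  { method: "POST", headers: { origin: TRUSTED_ORIGIN }, sessionToken: SAMPLE_TOKEN, body: {} },
  { method: "POST", headers: { referer: TRUSTED_ORIGIN + "/article/1" }, sessionToken: SAMPLE_TOKEN, body: { csrf_token: SAMPLE_TOKEN } },
];
for (const r of SAMPLES) console.log(r.method, checkShareRequest(r).reason);
```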