@sunil totally! i think what's tricky is the definition of "simple request" seems extremely arbitrary (probably because it's more of a historical accident than something that was intentionally designed) and not all of the things that are "simple requests" are actually "simple" or "safe"
@b0rk @sunil This is not exactly correct but I tend to think of "simple request" as being defined approximately as "a request it was possible to generate using the set of APIs available in IE 7 or so."
It's *not* a natural concept at all, it's a backwards-compatibility hack, the idea being that anything that was already possible isn't making the security landscape worse, but anything that adds *new* capabilities needs to be more careful.
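The "simple request" rule discussed in this thread, as an added example that is not part of either post: a simplified classifier built from the Fetch standard's CORS-safelisted methods and request headers. The names `needsPreflight` and `classifySamples` and the sample requests are constructed for illustration; the safelisted `Range` header and the per-byte header value checks are left out, so this version errs toward answering "preflight".

```javascript
// Added example: simplified version of the browser's "does this cross-origin
// request need a preflight?" decision. Not a full Fetch implementation.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
// The three Content-Type values an HTML <form> could always send.
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return true;   // e.g. Authorization, X-*
    if (value.length > 128) return true;         // safelisted values are capped
    if (lower === "content-type") {
      // Compare the MIME type only; parameters such as charset are ignored.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) return true;
    }
  }
  return false; // "simple": sent cross-origin with no preflight
}

// Constructed sample requests (hypothetical, for illustration only).
function classifySamples() {
  const samples = [
    ["GET", {}],
    ["POST", { "Content-Type": "application/x-www-form-urlencoded" }],
    ["POST", { "Content-Type": "text/plain; charset=UTF-8" }],
    ["POST", { "Content-Type": "application/json" }],
    ["DELETE", {}],
    ["GET", { "X-Requested-With": "XMLHttpRequest" }],
  ];
  return samples.map(([m, h]) => ({ method: m, headers: h, preflight: needsPreflight(m, h) }));
}

for (const r of classifySamples()) {
  console.log(r.method, JSON.stringify(r.headers), r.preflight ? "preflight" : "simple");
}
```

The `text/plain` POST is classified as simple even though it can change server state, so an endpoint that parses the body without checking `Content-Type` gets no protection from the preflight step.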