Forum OpenACS Q&A: Response to Cross Site Scripting FAQ (fwd)

Posted by Tom Jackson on

So according to the first Google-linked site, "sea surf" CSRF avoids even the use of JavaScript, by simply having the image src attribute set to the URL you want executed. The actual problem then is an error in the use of the HTTP protocol. The GET method was initially intended to be a method without side effects. The current standard mentions this as well. However, we have queries appended to the end because of the convenience of this method over handling POSTed data.

It might be nice to tag all variables as either 'safe' for GET, or 'unsafe'. If these were system-wide, it might be easy to add a filter to barf on an attempt to use GET with sensitive variables, but this really seems more like a job for ad_page_contract to handle, or a simple proc at the top of other non-contract pages that takes a list of unsafe querystring variables.
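The filter proposed above, written out as an added, language-neutral illustration in Python (it is not OpenACS code and does not use ad_page_contract): a request carrying any of a list of side-effecting variables is refused unless it arrives via POST, which is exactly what stops an `<img src=...>`-triggered GET. The variable names in `UNSAFE_FOR_GET` are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed example list of query variables that trigger side effects.
# These are hypothetical names, not variables from any OpenACS package.
UNSAFE_FOR_GET = {"delete_id", "confirm", "amount", "new_password"}


def unsafe_vars_in_get(method, url, unsafe=UNSAFE_FOR_GET):
    """Return the set of unsafe variables that arrived in a GET query string.

    GET is meant to be free of side effects, so a sensitive variable in the
    query string of a GET is precisely what a forged <img src="..."> request
    would carry. A non-empty result means the request should be refused.
    Variables in the query of a POST are not flagged: the post's point is
    that side effects must not be reachable through GET at all.
    """
    if method.upper() != "GET":
        return set()
    query = urlsplit(url).query
    # keep_blank_values so "confirm=" (empty value) is still detected
    present = set(parse_qs(query, keep_blank_values=True))
    return present & set(unsafe)


def check_request(method, url, unsafe=UNSAFE_FOR_GET):
    """Emulate the page-top check: True means allow, False means refuse."""
    return not unsafe_vars_in_get(method, url, unsafe)


def request_for_img_src(src):
    """The request a browser issues for <img src=...>: always a GET, no body."""
    return ("GET", src)


if __name__ == "__main__":
    # A read-only page with an id is fine via GET.
    print(check_request("GET", "/account/view?id=7"))            # True
    # The same side-effecting variable via a forged image fetch is refused.
    method, url = request_for_img_src("/account/close?delete_id=7&confirm=")
    print(check_request(method, url))                            # False
    print(sorted(unsafe_vars_in_get(method, url)))               # ['confirm', 'delete_id']
    # Submitted by a real form as POST, the same variables are accepted here.
    print(check_request("POST", "/account/close?delete_id=7"))   # True
```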