They mention changing your password with a POST request, but at least the ones I have seen require the old password to be included in the request too.
Nevertheless, this is also a problem of web apps in general. In many cases there are better protocols and better programs anyway.
In the case of cookies, there can be user settings: if the user defines a cookie manually, they can define whether it is sent with cross-site requests or not, and if the server sends the cookie to you, then by default it won't be sent with cross-site requests. Cookies would always be sent for <a> links outside of frames, though, unless the user configures otherwise (such as to disallow it if there are query strings, for example).
Another thing I thought of is a "Web-Option" request header. This is similar to cookies but cannot be set by the HTTP response nor by document scripts; the only way to set it is for the user to set it themselves. The response can include a "Web-Option-Schema" header, which is a link to a file specifying what options are valid; the user can use this or can specify their own options, which might or might not conform to the schema. (This is not meant for authentication. For authentication, use basic/digest auth instead.)