
PG could start using POST & CSRF protection to lock this down. Or we could just avoid doing this to each other.



CSRF protection is the right way to solve this. Switching to POST doesn't provide any real protection; an attacker can simply put up a form that autosubmits to the endpoint with POST.


CSRF couldn't stop this particular attack, since it's not actually cross-site. You need to guard against both.


I think you misunderstand what CSRF protection does. It doesn't have anything to do with same-origin security, but rather preventing request forgery attacks in general. If a CSRF token was present on requests and was tied to a user's session (as is standard), then that would absolutely defend against this attack.
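An added example, not from the thread, of what "tied to a user's session" means in practice. It simulates a minimal submission endpoint (the endpoint, the session ids and the form fields are constructed for illustration, not HN's actual code): the token is an HMAC of the session id under a server secret, so a link or auto-submitting form crafted by one user cannot carry a token that validates in another user's session, even when the request is same-site.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for the demo; a real deployment loads this from config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to one session: HMAC-SHA256(secret, session_id).

    The server embeds this in forms it renders for that session.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf_token(session_id: str, presented: Optional[str]) -> bool:
    """Recompute the session's token and compare in constant time."""
    if not presented:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, presented)


def handle_submit(method: str, session_id: str, form: dict) -> tuple:
    """Simulated 'submit' endpoint (hypothetical, not HN's).

    Requires POST *and* a token that matches the caller's own session.
    Returns an (HTTP status, message) pair.
    """
    if method != "POST":
        # Plain links (GET) cannot trigger a state change at all.
        return 405, "method not allowed"
    if not is_valid_csrf_token(session_id, form.get("csrf_token")):
        # Covers both a missing token (auto-submitting form) and a token
        # minted for a different session.
        return 403, "missing or invalid CSRF token"
    return 200, "submitted " + form["url"]


def demo() -> dict:
    """Run the four cases the thread discusses and return their status codes."""
    victim, attacker = "session-victim", "session-attacker"  # constructed ids
    url = "https://example.invalid/article"                   # constructed target
    return {
        # A crafted GET link clicked by the victim.
        "get_link": handle_submit("GET", victim, {"url": url})[0],
        # A same-site auto-submitting POST form with no token.
        "post_no_token": handle_submit("POST", victim, {"url": url})[0],
        # The attacker's own valid token, replayed inside the victim's session.
        "post_foreign_token": handle_submit(
            "POST", victim, {"url": url, "csrf_token": issue_csrf_token(attacker)})[0],
        # The victim's own form, rendered with the victim's token.
        "post_own_token": handle_submit(
            "POST", victim, {"url": url, "csrf_token": issue_csrf_token(victim)})[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:20s} -> {status}")
```

Only the last case succeeds. The GET check alone would not have stopped the auto-submitting form, and the token check alone would still have allowed the GET link if the endpoint accepted GET; both checks together close the gap the comments above describe.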


Wonder if you could get around that by submitting a javascript: link.


As far as I can tell, only http(s) links are accepted by the submission form.


> Or we could just avoid doing this to each other.

Hacker News has grown dramatically. The "Hacker News effect" is now significant and often considered valuable. If there is an exploit that makes it possible, people will use it.


Or we could just avoid doing this to each other.

Security through obscurity?


Nope. Security through niceness and ethics. If everyone was in on it we would have a really great society.


I don't think anyone would contest that good behavior would be good for society. But, it's not a practical expectation, because the probability of everyone exhibiting good behavior is vanishingly small.


That is exactly security through obscurity. If you're relying on people being nice enough to not exploit you (no matter how difficult it is), you have no security at all.

Let's say everyone on HN was nice enough to not use exploits. Might be possible. But then one person does a drive-by exploit, and BAM. Everyone but one person is nice enough to not exploit people.

Just because you wish people were nice doesn't make them nice.


No, it's just lack of security. There's no obscurity involved at all.

(And, if there was any doubt, we should of course not count on people being nice on the internet.)



