@imojito This is not a privacy issue (then we'd just get rid of HTTP altogether). It's a trust issue on when to update the URL callback.

That POST->GET thing I have no idea how you concluded that it performs and I don't think it does that. It just drops dead on POST failure (note that the GET requests get 200 OK, but POST get 404 - and since our error message in the logs is 404 it has never gotten to the stage of a 200 - and the GET requests are more likely subscription sub/resub/unsub requests à la the PuSH v0.4 specification https://pubsubhubbub.googlecode.com/git/pubsubhubbub-core-0.4.html )