@drymer I just pushed a fix to !GNUsocial so POSTs against the API require an HTTP_REFERER value with the same domain as the site is served on (unless using OAuth) so forms on third party websites can't POST to an authenticated session.
@0@quitter.is pointed out that this could be done (since !Qvitter changes require API access without OAuth using an ordinary session).
(XHR is unaffected due to CORS regulations and ordinary forms were already protected with a nonce token, but the API happily accepted just an ordinary POST request from a browser with a logged-in session cookie.)
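The rule described above (reject cookie-authenticated API POSTs unless the Referer host matches the site, OAuth exempt), written out in Python as an added illustration rather than the PHP code actually pushed to GNU social; the site host `social.example.org`, the function names and the `oauth_authenticated` flag are assumptions.

```python
from urllib.parse import urlsplit

# Assumed host the site is served on (constructed placeholder).
SITE_HOST = "social.example.org"


def referer_host(referer: str) -> str:
    """Extract the lowercase host from a Referer URL.

    urlsplit().hostname drops the scheme, userinfo, port and path, so
    'https://user@social.example.org@evil.example.net/' yields the real
    host 'evil.example.net' and 'HTTPS://Social.Example.org:443/' yields
    'social.example.org'.
    """
    return urlsplit(referer).hostname or ""


def is_api_post_allowed(method: str, headers: dict, oauth_authenticated: bool = False) -> bool:
    """Decide whether an API request may proceed under the Referer rule.

    - Non-POST requests are untouched by this check.
    - OAuth-signed requests are exempt (they do not rely on the session cookie).
    - Otherwise the request must carry a Referer whose host equals SITE_HOST;
      a missing Referer is treated as unprovable origin and rejected.
    """
    if method.upper() != "POST":
        return True
    if oauth_authenticated:
        return True
    # Header names are case-insensitive; accept both HTTP-style and CGI-style keys.
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer") or lowered.get("http_referer")
    if not referer:
        return False
    return referer_host(referer) == SITE_HOST


if __name__ == "__main__":
    # Constructed sample requests: a same-site form, a third-party form, and
    # a look-alike host that a naive string prefix check would accept.
    samples = [
        ("POST", {"Referer": "https://social.example.org/notice/new"}),
        ("POST", {"Referer": "https://evil.example.net/autosubmit"}),
        ("POST", {"Referer": "https://social.example.org.evil.example.net/"}),
        ("POST", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs.get("Referer", "<none>"), "->", is_api_post_allowed(method, hdrs))
```

Note the trade-off the code makes visible: a browser that sends no Referer (for instance under a strict Referrer-Policy) is rejected, so such clients must use OAuth rather than the session cookie for API POSTs.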