Picture this scenario: A "cloud" filesharing service, backed by some well-known investors and in the business for a few years, provides a service that allows clients to share files and folders with others.
UserA sends a folder to UserB with no password security (default setting). The link arrives in an email as:
UserB visits the link. The parameters for the POST following the GET for that link look like:
POST /publicPage.json HTTP/1.1