
Poorly designed applications like this one? https://accounts.google.com/Logout


Yes. Imagine if everyone put the following code on their sites:

    <iframe src="https://accounts.google.com/Logout" width="0" height="0" ></iframe>


You could do the same with a POST by just running the following in a hidden iframe on your site:

    <form id="form" method="post" action="https://accounts.google.com/Logout"></form>
    <!-- submit through the DOM API so the snippet does not depend on jQuery -->
    <script>document.getElementById('form').submit()</script>

The correct way of dealing with this issue is to rely on CSRF tokens.
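What a token check on a logout endpoint looks like, as an added illustration rather than code from the thread; `Session`, `logout_form` and `handle_logout` are made-up names, and the session store is simulated in memory:

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session for one logged-in user (constructed for this example)."""
    user: str
    logged_in: bool = True
    # per-session secret; a third-party page cannot read it, so it cannot forge the form
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def logout_form(session: Session) -> str:
    """Render the logout form the site itself serves, with the token embedded."""
    return (
        '<form method="post" action="/Logout">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<button>Log out</button></form>'
    )


def handle_logout(session: Session, method: str, form: dict) -> int:
    """Return the HTTP status for a logout attempt.

    A bare GET (the <iframe>/<img> trick from the thread) is refused outright,
    and a POST is honoured only when it carries the token stored in the session,
    which the cross-site hidden form cannot supply.
    """
    if method != "POST":
        return 405  # Method Not Allowed: state changes never ride on GET
    supplied = form.get("csrf_token", "")
    # constant-time comparison so the check leaks no timing information
    if not supplied or not hmac.compare_digest(
        supplied.encode(), session.csrf_token.encode()
    ):
        return 403  # Forbidden: missing or wrong token
    session.logged_in = False  # genuine request: end the session
    return 200
```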


I believe that would be the point of <meta http-equiv="X-Frame-Options" content="deny">


That's like trying to duct tape your arm back on after losing a fight with a chainsaw.


<img src="https://accounts.google.com/Logout" style="display:none">

"X-Frame-Options" is used to defend against click-jacking attacks, not to defend against CSRF.


Yes.

What's your point? Google must be incapable of poor design? Everything a big company does is good?


I wanted to know what HN consensus was on this sort of thing, because it seems to me this is not something that inexperienced programmers do (like SQL injection).

Also, full disclosure: I work for Google.



