My point is that these type of solutions create a lot more overhead, inconsistency and variation compared to a HTTP request; granted, less security.

I'm sure that's why they went with HTTP -- it is universal and will work the same way everywhere.

I still think they should just disable it by default, so you have to "opt-in" to the potential security risk and plan accordingly.