Skip CSRF protection and persistence for "safe" request methods
By definition, GET / HEAD requests should be considered "safe", that is, they should only be used for retrieval and not have any state side effects on the server side (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html).
We should support and enforce this principle by turning off the automatic persistAll() call and skipping CSRF protection for GET requests.
In later versions we can further optimize Flow to take advantage of the knowledge that a request is considered to be read-only (possibly speeding up persistence, security etc.).
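A minimal sketch of the proposed behaviour, added here as an illustration and not taken from Flow's code base: the `PersistenceManager` stub, `dispatch()` and `SAFE_METHODS` are hypothetical names (only `persistAll()` appears above), and HEAD is treated as safe alongside GET, following the title.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a persistence manager; it only counts flushes.
final class PersistenceManager
{
    public int $flushes = 0;
    public function persistAll(): void { $this->flushes++; }
}

// Assumption: "safe" means GET and HEAD, as in the title and RFC 2616 section 9.
const SAFE_METHODS = ['GET', 'HEAD'];

/**
 * Dispatch one request and return the HTTP status code.
 * $sessionToken is the CSRF token held server-side, $submittedToken the one the client sent.
 */
function dispatch(string $method, string $sessionToken, ?string $submittedToken,
                  callable $action, PersistenceManager $pm): int
{
    $isSafe = in_array(strtoupper($method), SAFE_METHODS, true);

    // Unsafe methods must carry a valid token; hash_equals() compares in constant time.
    if (!$isSafe && ($submittedToken === null || !hash_equals($sessionToken, $submittedToken))) {
        return 403;
    }

    $action();

    // Safe methods are never flushed, so state changed by a GET action is silently dropped.
    if (!$isSafe) {
        $pm->persistAll();
    }
    return 200;
}

// Constructed sample requests.
$pm = new PersistenceManager();
$token = bin2hex(random_bytes(16));
$noop = static function (): void {};

printf("GET without token:  %d\n", dispatch('GET', $token, null, $noop, $pm));
printf("POST without token: %d\n", dispatch('POST', $token, null, $noop, $pm));
printf("POST wrong token:   %d\n", dispatch('POST', $token, 'forged', $noop, $pm));
printf("POST valid token:   %d\n", dispatch('POST', $token, $token, $noop, $pm));
printf("persistAll() calls: %d\n", $pm->flushes);
```

The skipped flush is what enforces the principle: an action that modifies state on GET loses its changes instead of becoming a write path with no CSRF check.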