Sorry for the delay on this. Why do we need post here?

This is for completeness. There might be complex widgets that might require to submit data from the frontend to the backend for an update of the state/data of the widget after the initial render. Adding a POST will provide a more REST friendly way of getting the data.

This is for completeness...

We don't seem to be passing the body or query params to the partial. That seems super risky to do so, because we don't know them up front and so can't filter them. I have to admit that scares me a bit.

Well, there is no need to pass them and this is not adding something that is not already possible. The body and query params are available in any template through the params object.

This is a valid and working widget template (tested locally to confirm)
/pun/sys/dashboard?parameter=Aday

# /pun/sys/dashboard?parameter=Aday 
# widget template
<%
  value = params[:parameter]
%>
<%= "Query Param Value: #{value}" %>

Doing this with a POST will be more REST friendly

To mitigate the security concerns, we could make this a experimental feature for now to give us time to try and discover any issues.

# Experimental Feature
# Allows widget partials to be rendered without any page furniture.
# It can be use to extend OOD functionality.
  if Configuration.widget_partials_enabled?
     match '/widgets/*widget_path', to: 'widgets#show', via: [:get, :post], as: 'widgets'
  end

To mitigate the security concerns, we could make this a experimental feature

Yes please. I just tagged 4.0.0 but this can make it into 4.0.1.

Changes completed