One thought I had this morning was that something we're exploring for a future version is a way for you to use de-serializer objects, sort of the opposite of representation classes. (The idea was Barney Boisvert's.) So that if you're expecting XML input to look a specific way, your de-serializer class would be able to transform the request body into native CF objects that we could then pass to resources.
Each of these classes would define the MIME types / extensions it could handle, so I was thinking/hoping that we could use this to create a whitelist of extensions to look for in the URI. If something's there that's not on the whitelist, the idea would be to assume it's part of the token.
Just speculation at this point, though.
Adam
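
The extension rule speculated about in the message above, sketched as an added example (not code from the post or from the framework under discussion). The registry layout, class names and function names are hypothetical; handling of query strings, letter case and an empty token are assumptions that go beyond what the message states.

```python
# Hypothetical registry: each de-serializer declares the MIME types and
# URI extensions it can handle (names and layout are assumptions).
DESERIALIZERS = {
    "XmlDeserializer": {"mime": ["application/xml", "text/xml"], "ext": ["xml"]},
    "JsonDeserializer": {"mime": ["application/json"], "ext": ["json"]},
}


def allowed_extensions(deserializers):
    """Collect every declared extension, lower-cased, into one set."""
    return {ext.lower() for d in deserializers.values() for ext in d["ext"]}


def split_format(uri, allowed):
    """Return (uri_without_format, format_or_None).

    Only the last path segment is inspected. A trailing ".ext" is treated
    as a format marker when ext is in the allowed set; anything else stays
    part of the token, so "john.smith" is never truncated to "john".
    """
    path, qmark, query = uri.partition("?")
    head, slash, last = path.rpartition("/")
    stem, dot, ext = last.rpartition(".")
    # Require a non-empty stem so "/users/.json" keeps ".json" as the token
    # instead of producing an empty one (assumption, see lead-in).
    if dot and stem and ext.lower() in allowed:
        return head + slash + stem + qmark + query, ext.lower()
    return uri, None


if __name__ == "__main__":
    allowed = allowed_extensions(DESERIALIZERS)
    # Constructed sample URIs.
    for uri in ("/users/john.smith", "/users/john.smith.json",
                "/users/42.XML?full=1", "/files/report.exe", "/users/.json"):
        print(uri, "->", split_format(uri, allowed))
```
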