IMO apps that do this have a bug, and possibly a security one. This causes issues with prefetching, bot traffic, caching, CSRF, and just plain violates HTTP standards.

One click to perform an action and store data? Have you heard of HTML forms with method="post"?

> Those methods should be treated as idempotent

Idempotency still implies it can change state on the initial call, which to me feels wrong in the context of GET/HEAD/OPTIONS.

Indeed, the correct term here is nullipotent.

Those apps are beyond helping already. They need to fix theselves.

This is on the server side, on the app. If your supposedly-safe methods aren't safe, then CSRF may not be your biggest problem.

That’s bad because visiting an evil site can easily trick your browser into performing one of those requests using your own credentials. CORS doesn’t stop the backend state effect from happening.

That's exactly why I don't agree that GETs should be broadly exempted from CSRF protections. I'm not talking about CORS at all.

> Plenty of apps violate this assumption and do allow GET requests to alter state.

Yeah, that's not a justification. From a RESTful API design perspective, this just means plenty of apps are buggy/critical design problems. A bug in a random app does not mean HTTP verb lose their semantics.

The entire WordPress ecosystem says hello