Comment by zzbzq

7 years ago

The real problem here, as usual, is web browsers, the worst class of software ever written. We constantly come across these CSRF-style bugs that are only made possible by how stupid the browser and HTTP are, but instead of blaming the culprit and trying to deal with the source, we blame ourselves for not being accommodating enough. Fool me once, shame on me, fool me 5,000 times, shame on me. Oh, and occasionally invent hackneyed fixes like CORS.

Craftsmen should understand the tools they use.

We expect it in every other industry.

Why do people like you always want to suggest that web developers shouldn't have to learn the basics of the tools they use every day? This is page one HTTP stuff.

This is the anti-intellectualism in our field. Where people are so used to finding a YouTube video tutorial for the exact thing they want to do that anything that's inherently hard (like client development) or requires some extra knowledge to do correctly is somehow shitty and needs to be reworked. More and more often it's somehow everything's fault but the craftsman's.

It's that mentality that's coasting parts of our field into code monkey cost center positions. Go somewhere like /r/webdev and watch how unresourceful the beginners are and how bad the advice is.

I'm not seeing how this is an issue with the browser as much as the server handling the request. Safari provides a feature that shows thumbnails of frequently visited sites; these thumbnails are loaded with a header specifying it's for a preview. It's on the server to understand that a GET request _by definition_ should not have side effects (like toggling the open/closed state of a door), and optionally to perform special handling when seeing the preview header.

I don't see why the browser or HTTP is to blame here? GET is supposed to be safe, so what the browser is doing seems perfectly fine to me.

CORS is to _allow_ cross-origin requests, not to restrict them. Most such requests are restricted by default.
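To make the "GET must be safe" point above concrete, here is an added example (not code from anyone in the thread) of the door-toggle endpoint the comments describe, once as the broken version where any GET flips the door, and once hardened so that state changes need a POST carrying a single-use CSRF token and preview fetches are answered without side effects. The endpoint path is made up, and the preview header name `X-Purpose: preview` is what Safari's Top Sites preview is assumed to send.

```python
import hmac
import secrets

DOOR_TOGGLE_PATH = "/door/toggle"          # hypothetical endpoint, modelled on the thread
PREVIEW_HEADER = ("x-purpose", "preview")  # assumed header sent by Safari's preview fetch


class DoorServer:
    """Tiny in-memory request handler: safe=False reproduces the bug, safe=True the fix."""

    def __init__(self, safe: bool):
        self.safe = safe
        self.door_open = False
        self.csrf_tokens = set()   # stand-in for per-session token storage

    def new_csrf_token(self) -> str:
        # Token is handed to the legitimate page that renders the toggle form.
        token = secrets.token_urlsafe(32)
        self.csrf_tokens.add(token)
        return token

    def handle(self, method: str, path: str, headers: dict, form: dict) -> tuple:
        headers = {k.lower(): v for k, v in headers.items()}
        if path != DOOR_TOGGLE_PATH:
            return 404, "not found"

        if not self.safe:
            # Broken: the side effect happens on any request, so a thumbnail preview,
            # an <img src=...> on a third-party page, or a link prefetch toggles the door.
            self.door_open = not self.door_open
            return 200, f"door open={self.door_open}"

        # Hardened path. A preview fetch gets a harmless response and changes nothing.
        if headers.get(PREVIEW_HEADER[0]) == PREVIEW_HEADER[1]:
            return 200, "preview"
        # GET is a safe method: never mutate state on it.
        if method != "POST":
            return 405, "use POST"
        # Browsers send Sec-Fetch-Site on navigations/fetches; reject cross-site POSTs outright.
        if headers.get("sec-fetch-site") == "cross-site":
            return 403, "cross-site request"
        token = form.get("csrf_token", "")
        if not any(hmac.compare_digest(token.encode(), t.encode()) for t in self.csrf_tokens):
            return 403, "bad csrf token"
        self.csrf_tokens.discard(token)  # single use
        self.door_open = not self.door_open
        return 200, f"door open={self.door_open}"
```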

Postel's law: "an implementation should be conservative in its sending behavior, and liberal in its receiving behavior"

Hope for the best but expect the worst.

> "The real problem here, as usual, is web browsers, the worst class of software ever written."

Can you elaborate? What class of software is this specifically? And why is it the worst?