According to RFC 2616 section 9.1.1, GET requests are intended for retrieving information from the server and should not cause any changes to occur:
"In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered 'safe'."
If a site allows posting through a GET request, it goes against this convention and exposes potential security risks. The same-origin policy is not enough to prevent unauthorized actions.
The reason XMLHttpRequest (XHR) is treated differently is due to its ability to return HTTP responses directly to JavaScript code, which can lead to information leakage. For instance, allowing cross-domain XHR GET requests could enable malicious scripts to access sensitive data, such as bank account balances.
Other methods of executing GET requests, like using <script> or <img> tags, do not pose the same risk of information disclosure. Scripts included in the response must adhere to specific conventions, while images loaded from external sources cannot be accessed programmatically.