This is what happens when you use a HTTP GET to perform an "unsafe" action. HTTP GET links should always be safe to crawl... Always... It's in the spec for a reason.
Seen people make mistakes like this before... Even using a POST when it should be a GET can cause funny behavior. Funny, but not dangerous behavior like using GET instead of POST.
Whenever I bring a new web dev aboard this is my first lesson to them, and I say "all sorts of clients are going to crawl your webapp, so make sure your webapp is coded correctly for it." Browsers are coded with this assumption, bots/crawlers, email clients, etc...
Also, junior devs don't use HTTP error codes and it always ends up biting them at some point. A 200 response with a body that says "server error" isn't going to bubble up through your JS properly.
Seen people make mistakes like this before... Even using a POST when it should be a GET can cause funny behavior. Funny, but not dangerous behavior like using GET instead of POST.
Whenever I bring a new web dev aboard this is my first lesson to them, and I say "all sorts of clients are going to crawl your webapp, so make sure your webapp is coded correctly for it." Browsers are coded with this assumption, bots/crawlers, email clients, etc...