A GET request for an embedded resource exposes the user's cookies for that domain and associates a user of one site as a user of another. This is fine when it is at the user's explicitly intended request, but when paired with certain sites known not to delete all cookies on logout, this is nefarious and should not be done.