request #13492: Support overriding request's method with a header when serving Tus requests

The tus protocol specifies [0] that the X-Http-Method-Override request header can be used by clients to override the actual request's method. This is useful for clients in an environment where PATCH or DELETE methods are not supported (e.g. OpenJDK).

This contribution however sets a few constraints: it's only possible to override the request's method to and from POST, PATCH, PUT and DELETE methods.

Methods like GET, OPTIONS and HEAD are voluntarily excluded because cross origin policies for those are more lax. They also do not benefit from the protection of the SameSite cookie attribute so they are more exposed to cross-site request forgery attacks.

Methods like CONNECT, TRACE or LOCK are less common and it's very unlikely for a client to be able to use those but not POST or PATCH.

To test you can use a tus client in a broken environment (e.g. a Java one with OpenJDK) or directly simulate the protocol using curl:

    curl 'https://tuleap.example.com/uploads/myfile' \
      -H 'X-Auth-AccessKey: tlp.k1.1026...' \
      -H 'Tus-Resumable: 1.0.0' \
      -H 'Upload-Offset: 0' \
      -H 'Content-Type: application/offset+octet-stream' \
      -H 'Content-Length: <filesize>' \
      -H 'X-Http-Method-Override: PATCH' \
      --data-binary "@/path/to/my/file"

[0] https://tus.io/protocols/resumable-upload.html#x-http-method-override

Change-Id: I85eda788709fd61fbe3388ec2f9d1399ffbde7f4
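The "to and from" constraint from the commit message above, sketched as an added example; it is not the code of TusRequestMethodOverride.php, which this page does not show. The function name `effectiveMethod` and the choice to ignore a disallowed override (rather than reject the request) are assumptions, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Methods allowed both as the real method and as the override target,
// as listed in the commit message.
const OVERRIDABLE_METHODS = ['POST', 'PATCH', 'PUT', 'DELETE'];

/**
 * Hypothetical helper: returns the method a tus handler should act on.
 * $headers maps header names to values as received from the client.
 */
function effectiveMethod(string $method, array $headers): string
{
    $method   = strtoupper($method);
    $override = null;
    foreach ($headers as $name => $value) {
        // HTTP header names are case-insensitive.
        if (strcasecmp((string) $name, 'X-Http-Method-Override') === 0) {
            $override = strtoupper(trim((string) $value));
        }
    }
    if ($override === null) {
        return $method;
    }
    // "From" check: a GET, HEAD or OPTIONS request must never become a
    // state-changing one, since those methods get laxer cross-origin
    // handling and no SameSite protection.
    if (! in_array($method, OVERRIDABLE_METHODS, true)) {
        return $method;
    }
    // "To" check: the target must be in the same restricted set.
    if (! in_array($override, OVERRIDABLE_METHODS, true)) {
        return $method;
    }
    return $override;
}

// Constructed sample requests: [real method, headers].
$cases = [
    ['POST',  ['X-Http-Method-Override' => 'PATCH']],   // honoured
    ['GET',   ['X-Http-Method-Override' => 'DELETE']],  // ignored: "from" GET
    ['POST',  ['x-http-method-override' => 'OPTIONS']], // ignored: "to" OPTIONS
    ['PATCH', []],                                      // no header, unchanged
];
foreach ($cases as [$method, $headers]) {
    $requested = implode(',', $headers) ?: '(none)';
    printf("%-5s override=%-8s => %s\n", $method, $requested, effectiveMethod($method, $headers));
}
```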

Modified Files

M plugins/docman/include/docmanPlugin.class.php +2 −2
M plugins/frs/include/frsPlugin.class.php +1 −1
M plugins/tracker/include/trackerPlugin.class.php +1 −1
A src/common/Tus/TusRequestMethodOverride.php +66 −0
M src/common/Upload/FileUploadController.php +5 −2
M src/etc/nginx/tuleap.d/08-uploads.conf +4 −0
A tests/phpunit/common/Tus/TusRequestMethodOverrideTest.php +87 −0