
Extension Method Spoofing

pieterb edited this page Feb 13, 2012 · 4 revisions

Method Spoofing


The service lets clients use the HTTP/1.1 POST method in place of any other HTTP/1.1 method, by adding a _method query parameter to the request URI. Method spoofing is commonly used in the following cases:

  1. To perform HTTP/1.1 GET requests where the total length of all query parameters is too long to fit into a URI. Although the length of a URI has no theoretical limit, many clients and servers impose practical limits, often as small as 64k bytes.
  2. To perform any method, other than GET or POST, from within a browser. Unfortunately, most modern browsers only support the HTTP/1.1 GET and POST methods. So in order to DELETE a resource from within a browser (which is a perfectly reasonable use case), the request will have to be spoofed.
  3. To perform any method, other than GET or POST, from behind a firewall that only allows GET and POST requests.

Examples

The following two HTTP/1.1 requests are semantically identical:

DELETE /some_resource HTTP/1.1
Host: handle.sara.nl
Date: Mon, 09 Sep 2008 08:17:35 GMT

POST /some_resource?_method=DELETE HTTP/1.1
Host: handle.sara.nl
Date: Mon, 09 Sep 2008 08:17:35 GMT
Content-Length: 0

In XHTML, this request could be issued from a “delete button”, like this:

<form action="/some_resource?_method=DELETE" method="post">
    <input type="submit" value="Delete some_resource"/>
</form>

If you spoof an HTTP/1.1 GET method, and the MIME type of the request body is application/x-www-form-urlencoded, then query parameters of the request body are treated as if they are “GET parameters”. For example, the following two HTTP/1.1 requests are semantically identical:

GET /some_resource?param=value HTTP/1.1
Host: topos.grid.sara.nl
Date: Mon, 09 Sep 2008 08:17:35 GMT

POST /some_resource?_method=GET HTTP/1.1
Host: topos.grid.sara.nl
Date: Mon, 09 Sep 2008 08:17:35 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

param=value
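The following is an added example, not code from this wiki or the service it documents, showing how a server can resolve the effective method of a spoofed request under the two rules above: _method is honoured only on POST requests, and a spoofed GET with a form-urlencoded body has its body fields merged with the URI query parameters. The allowlist of methods that POST may stand in for is an assumption made for the example, and any access control keyed on the HTTP method must be evaluated against the effective method this returns, not against the raw POST.

```python
from urllib.parse import parse_qs

# Methods a spoofed POST may stand in for. The page lists no explicit
# allowlist, so this set is an assumption made for the example.
ALLOWED_SPOOFED = {"GET", "HEAD", "PUT", "DELETE", "OPTIONS"}


def is_spoof_allowed(candidate):
    """True if `candidate` is a method the server lets POST stand in for."""
    return candidate.upper() in ALLOWED_SPOOFED


def resolve_request(method, query_string, headers, body):
    """Return (effective_method, params) for one incoming request.

    Rules, following the page: `_method` is honoured only on POST, so a
    plain GET (a link followed by a crawler, say) can never become a DELETE;
    the override must be on the allowlist, otherwise the request is rejected;
    and when the effective method is GET and the body is form-urlencoded,
    body fields are merged with the URI query parameters.
    """
    query = parse_qs(query_string, keep_blank_values=True)
    spoofed = query.pop("_method", None)  # never passed on to the handler
    effective = method.upper()
    if effective == "POST" and spoofed is not None:
        candidate = spoofed[0].upper()
        if not is_spoof_allowed(candidate):
            raise ValueError(f"_method={candidate!r} is not permitted")
        effective = candidate

    # Header names are case-insensitive; parameters such as charset are ignored.
    lowered = {name.lower(): value for name, value in headers.items()}
    content_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    if effective == "GET" and body and content_type == "application/x-www-form-urlencoded":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            query.setdefault(key, []).extend(values)
    return effective, query


if __name__ == "__main__":
    # The two spoofed requests from this page, reconstructed as sample input.
    print(resolve_request("POST", "_method=DELETE", {"Content-Length": "0"}, ""))
    print(resolve_request("POST", "_method=GET",
                          {"Content-Type": "application/x-www-form-urlencoded",
                           "Content-Length": "11"}, "param=value"))
```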