Allow request body in DELETE method #17

Merged
aivus merged 1 commit into auto1-oss:master from fpradas:PP-9983-support-delete-body
Oct 8, 2025
fpradas (Contributor) commented Oct 3, 2025

Even if it is not the recommended approach for REST APIs, the HTTP RFC explicitly allows payloads in DELETE requests, even though their semantics are not defined and may be ignored by some servers.

We need this change because one of the internal service endpoints requires a body with DELETE.

Reference: RFC 9110 - Section 9.3.5 DELETE

@fpradas changed the title from "PP-9983: Allow request body in DELETE method" to "Allow request body in DELETE method" on Oct 6, 2025
@aivus aivus merged commit 6aacca6 into auto1-oss:master Oct 8, 2025
15 of 16 checks passed
Dropaq (Contributor) commented Oct 13, 2025

@aivus! @diego1auto, did you guys actually look into the RFC referenced above, or did you just agree with the OP's interpretation?

let me:

> Although request message framing is independent of the method used, content received in a DELETE request has no generally defined semantics, cannot alter the meaning or target of the request, and might lead some implementations to reject the request and close the connection because of its potential as a request smuggling attack (Section 11.2 of [HTTP/1.1]).

which effectively means, any proxy-server, WAF, etc. will clear the body for you or simply fail the request, and will be absolutely right.

Also, DELETE is deleting whatever is specified in the request, while GET is getting you the same exact thing.
Am I correct to assume you are using GETs with bodies as well?

it's not even about this PR, the approach from your use case is just wrong.

aivus (Member) commented Oct 14, 2025

Hello @Dropaq

Thank you for your feedback. We have thoroughly reviewed the RFC, and our interpretation differs from yours.

> which effectively means, any proxy-server, WAF, etc. will clear the body for you or simply fail the request, and will be absolutely right.

The RFC indicates that there is no standardized approach for handling bodies in DELETE requests, and this behaviour is left to the server’s implementation.

> has no generally defined semantics

> might lead some implementations to reject the request

Therefore, as a library, our package should not restrict users from including a body in DELETE requests—even if RFC 9110 does not recommend it. This provides users with the flexibility to accommodate various server implementations.
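
An added example, not part of this PR or the library: a Python function showing how a strict intermediary could audit request framing, rejecting the ambiguous Content-Length/Transfer-Encoding combinations behind request smuggling and, as a policy choice, content on DELETE. The function name, the `strict` flag and the sample requests are constructed for illustration.

```python
# Added example: framing audit a strict intermediary could apply.
# audit_request, `strict` and the sample requests are constructed for illustration.
NO_DEFINED_CONTENT = {"GET", "HEAD", "DELETE"}  # content has no generally defined semantics

DELETE_WITH_BODY = (b"DELETE /items/42 HTTP/1.1\r\nHost: api.example\r\n"
                    b"Content-Length: 14\r\n\r\n" b'{"reason":"x"}')
DELETE_CL_AND_TE = (b"DELETE /items/42 HTTP/1.1\r\nHost: api.example\r\n"
                    b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")


def audit_request(raw: bytes, strict: bool = True) -> str:
    """Return 'forward' or 'reject: <reason>' for one raw HTTP/1.1 request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]  # methods are case-sensitive

    lengths, has_te = [], False
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Reject whitespace around the field name (no obs-fold, no "Name :").
        if not sep or not name or name != name.strip():
            return "reject: malformed header line"
        if name.lower() == "content-length":
            lengths += [v.strip() for v in value.split(",")]
        elif name.lower() == "transfer-encoding":
            has_te = True

    # Two framing signals let front end and back end disagree on where the body ends.
    if has_te and lengths:
        return "reject: both Content-Length and Transfer-Encoding"
    if len(set(lengths)) > 1 or any(not (v.isascii() and v.isdigit()) for v in lengths):
        return "reject: invalid or conflicting Content-Length"

    has_content = has_te or (bool(lengths) and int(lengths[0]) > 0)
    # Policy choice: RFC 9110 permits, but does not require, rejecting content here.
    if strict and has_content and method in NO_DEFINED_CONTENT:
        return f"reject: content on {method}"
    return "forward"


if __name__ == "__main__":
    for sample in (DELETE_WITH_BODY, DELETE_CL_AND_TE):
        print(audit_request(sample), "|", audit_request(sample, strict=False))
```

With `strict=False` the well-framed DELETE body is forwarded, while the request carrying both framing headers is rejected under either policy.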
