From 903fd3dfa6d1835ee9a0a54f4acb322e67a93b47 Mon Sep 17 00:00:00 2001
From: Adrien CABARBAYE
Date: Mon, 6 Oct 2025 15:22:55 +0100
Subject: [PATCH] :sparkles: `[headers]` Support headers for verb tunnelling
---
changes/20251006152230.feature | 1 +
utils/http/headers/headers.go | 23 +++++++++++++++++------
2 files changed, 18 insertions(+), 6 deletions(-)
create mode 100644 changes/20251006152230.feature
diff --git a/changes/20251006152230.feature b/changes/20251006152230.feature
new file mode 100644
index 0000000000..f0f3bd344e
--- /dev/null
+++ b/changes/20251006152230.feature
@@ -0,0 +1 @@
+:sparkles: `[headers]` Support headers for [verb tunnelling](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-odata/bdbabfa6-8c4a-4741-85a9-8d93ffd66c41)
diff --git a/utils/http/headers/headers.go b/utils/http/headers/headers.go
index 2a18f14120..19d20acb61 100644
--- a/utils/http/headers/headers.go
+++ b/utils/http/headers/headers.go
@@ -31,13 +31,19 @@ const (
 HeaderDeprecation = "Deprecation" // https://datatracker.ietf.org/doc/html/draft-ietf-httpapi-deprecation-header-02
 HeaderLink = headers.Link // https://datatracker.ietf.org/doc/html/rfc8288
 // TUS Headers https://tus.io/protocols/resumable-upload#headers
- HeaderUploadOffset = "Upload-Offset"
- HeaderTusVersion = "Tus-Version"
- HeaderUploadLength = "Upload-Length"
- HeaderTusResumable = "Tus-Resumable"
- HeaderTusExtension = "Tus-Extension"
- HeaderTusMaxSize = "Tus-Max-Size"
+ HeaderUploadOffset = "Upload-Offset"
+ HeaderTusVersion = "Tus-Version"
+ HeaderUploadLength = "Upload-Length"
+ HeaderTusResumable = "Tus-Resumable"
+ HeaderTusExtension = "Tus-Extension"
+ HeaderTusMaxSize = "Tus-Max-Size"
+ // Verb tunnelling (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-odata/bdbabfa6-8c4a-4741-85a9-8d93ffd66c41)
+ // CAUTION see the security risk of supporting such headers https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it/
 HeaderXHTTPMethodOverride = "X-HTTP-Method-Override"
+ HeaderXHTTPMethod = "X-HTTP-Method"
+ HeaderXMethodOverride = "X-Method-Override"
+ HeaderXOverrideMethod = "X-Override-Method"
+ // TUS extensions Headers
 HeaderUploadMetadata = "Upload-Metadata" // See https://tus.io/protocols/resumable-upload#upload-metadata
 HeaderUploadDeferLength = "Upload-Defer-Length" // See https://tus.io/protocols/resumable-upload#upload-defer-length
@@ -51,6 +57,8 @@ const (
 )

 var (
+ // VerbTunnellingHeaders defines the non-standard headers which can be used for Verb tunnelling (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-odata/bdbabfa6-8c4a-4741-85a9-8d93ffd66c41)
+ VerbTunnellingHeaders = []string{HeaderXHTTPMethodOverride, HeaderXHTTPMethod, HeaderXMethodOverride, HeaderXOverrideMethod}
 // SafeHeaders corresponds to headers which do not store personal data.
 SafeHeaders = []string{
 HeaderVersion,
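Review bot: The CAUTION comment added above `HeaderXHTTPMethodOverride` only points at an external article and does not say what a consumer of these constants has to do, so the warning is easy to skim past when one of them is later wired into a router. Consider stating the control in the comment itself, e.g. `// CAUTION: a client can use these headers to ask the server to process the request as a different HTTP method; only honour them from middleware that is explicitly enabled, restricts the permitted target methods, and runs authorisation against the tunnelled method rather than the transport method.` Defining the constants is harmless by itself and nothing in this hunk honours them; the note is for whoever does. The `const` block starts before this hunk and closes in the next one.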
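Review bot: `VerbTunnellingHeaders` is an exported package-level slice, so any importer can append to, reorder or overwrite it and the change is visible process-wide; if it is later used as the list of override headers a handler honours (no consumer is visible here), a stray mutation silently widens that list. The smallest fix is to document the contract on the declaration: `// VerbTunnellingHeaders defines the non-standard headers which can be used for Verb tunnelling (see ...). The slice is shared by every importer and must be treated as read-only; copy it before modifying.` Returning a copy from an accessor would enforce it, at the cost of a wider API change than this commit intends. The `var` block continues past the end of the hunk.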
@@ -76,6 +84,9 @@ var (
 HeaderChecksumAlgorithm,
 HeaderChecksum,
 HeaderUploadConcat,
+ HeaderXHTTPMethod,
+ HeaderXMethodOverride,
+ HeaderXOverrideMethod,
 headers.Accept,
 headers.AcceptCharset,
 headers.AcceptEncoding,
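Review bot: Adding `HeaderXHTTPMethod`, `HeaderXMethodOverride` and `HeaderXOverrideMethod` to `SafeHeaders` matches that list's stated purpose (headers that do not store personal data), but the name invites a broader reading and the CAUTION placed on these constants in the first hunk is not visible from here. A comment beside the three entries keeps the two meanings apart: `// Verb tunnelling headers: free of personal data, but see the CAUTION on their constants before honouring them.` If any consumer uses `SafeHeaders` to decide which headers are forwarded to an upstream, a forwarded override header is acted on by the next hop, which is worth checking separately. `HeaderXHTTPMethodOverride` is not in this hunk; if it is not already elsewhere in `SafeHeaders`, add it next to these three for consistency. The `SafeHeaders` literal and the enclosing `var` block both start and end outside the hunk.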