lazr.restful is too zealous in validating the X-HTTP-Method-Override header. Our rule is that you're only allowed to use it in a POST request, and if you use it in any other kind of request, it's an error.
Chromium is making a POST request with X-HTTP-Method-Override set to PATCH. The response is a 301 redirect. (It should be 303, but that doesn't change this analysis.) Chromium makes a follow-up GET request, and *propagates* the X-HTTP-Method-Override header in the second request. So, Launchpad interprets the second request as someone trying to turn a GET request into a POST request by setting X-HTTP-Method-Override.
In the interests of being liberal what we accept, we will ignore X-HTTP-Method-Override unless the request is a POST request.
lazr.restful is too zealous in validating the X-HTTP- Method- Override header. Our rule is that you're only allowed to use it in a POST request, and if you use it in any other kind of request, it's an error.
Chromium is making a POST request with X-HTTP- Method- Override set to PATCH. The response is a 301 redirect. (It should be 303, but that doesn't change this analysis.) Chromium makes a follow-up GET request, and *propagates* the X-HTTP- Method- Override header in the second request. So, Launchpad interprets the second request as someone trying to turn a GET request into a POST request by setting X-HTTP- Method- Override.
In the interests of being liberal what we accept, we will ignore X-HTTP- Method- Override unless the request is a POST request.