Description
RFC 2616 is super vague about whether a GET request with a body is valid, or what to do about it.
We should decide, document, enforce, and test.
I vote to reject them.
RFC 2616 says:
The rules for when a message-body is allowed in a message differ for
requests and responses.

The presence of a message-body in a request is signaled by the
inclusion of a Content-Length or Transfer-Encoding header field in
the request's message-headers. A message-body MUST NOT be included in
a request if the specification of the request method (section 5.1.1)
does not allow sending an entity-body in requests. A server SHOULD
read and forward a message-body on any request; if the request method
does not include defined semantics for an entity-body, then the
message-body SHOULD be ignored when handling the request.
But there's nothing (even in 5.1.1) about which methods have defined semantics for a body. At least GET and HEAD are not explicitly defined, so maybe that means reject them.
I recall somebody (from CloudFlare?) telling me they'd seen GET+body in the wild, though?
I still vote to reject them.
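
One way to enforce the "reject" option discussed above, as an added example that is not the project's code: a pre-dispatch check that applies the RFC 2616 section 4.3 signal (a Content-Length or Transfer-Encoding header) to GET and HEAD requests. The function names, the sample requests and the choice to tolerate `Content-Length: 0` are assumptions.

```python
BODYLESS_METHODS = {"GET", "HEAD"}  # assumption: methods this policy rejects a body on

def parse_head(raw: bytes):
    """Return (method, [(lowercased name, value), ...]) from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Reject folded lines and "Name : value" rather than guessing the framing.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return parts[0], headers

def signals_body(headers) -> bool:
    """RFC 2616 4.3: Content-Length or Transfer-Encoding signals a message-body."""
    for name, value in headers:
        if name == "transfer-encoding":
            return True
        # Assumption: "Content-Length: 0" frames an empty body and is tolerated.
        if name == "content-length" and value != "0":
            return True
    return False

def check_request(raw: bytes):
    """Return (allowed, reason) for one request head."""
    try:
        method, headers = parse_head(raw)
    except ValueError as exc:
        return False, str(exc)
    if method in BODYLESS_METHODS and signals_body(headers):
        return False, f"{method} request must not carry a message-body"
    return True, "ok"

# Constructed sample requests, not captured traffic.
SAMPLES = {
    "plain_get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "get_cl": b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "get_cl0": b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
    "head_te": b"HEAD / HTTP/1.1\r\nHost: example.test\r\ntransfer-encoding: chunked\r\n\r\n",
    "post_cl": b"POST /f HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_request(raw))
```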