
Disabling JavaScript takes it one step further.


Which breaks HTTP DELETE since HTML5 doesn't have support for it.


I don't care about brokenness - allowing arbitrary sites to run JavaScript / store cookies has begun to feel like running Windows without a password in the 90s. When things break, I now stop using the website. In rare cases I add it to a whitelist.


How so?

  <form method="post" action="...">
    <input type="hidden" name="_method" value="DELETE"/>
  </form>

has been the standard workaround since like… 2005, if not earlier, and works quite fine without JavaScript (assuming your server-side supports it, and most or all common frameworks do).


That's a workaround only if the server forges the value of '_method' into method via middleware.
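
Added example, not part of any comment in this thread and not any framework's own code: a minimal WSGI middleware sketch of the server-side half of the `_method` workaround discussed above. The class name, the allowlist and the constructed `demo_app`/`simulate` helpers are assumptions for illustration; the override is honored only on form-encoded POST bodies and only for an explicit set of methods.

```python
import io
from urllib.parse import parse_qs

# Methods a form is allowed to tunnel; anything else stays a plain POST.
ALLOWED_OVERRIDES = {"PUT", "PATCH", "DELETE"}

class MethodOverride:
    """WSGI middleware: promote POST + hidden `_method` field to that method."""

    def __init__(self, app, field="_method"):
        self.app = app
        self.field = field

    def __call__(self, environ, start_response):
        ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
        # Only rewrite POSTs: a GET carrying _method=DELETE must never mutate state.
        if (environ.get("REQUEST_METHOD") == "POST"
                and ctype == "application/x-www-form-urlencoded"):
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            # Re-expose the body so the wrapped app can still parse the form.
            environ["wsgi.input"] = io.BytesIO(body)
            values = parse_qs(body.decode("latin-1")).get(self.field, [])
            override = values[0].upper() if values else ""
            if override in ALLOWED_OVERRIDES:
                environ["REQUEST_METHOD"] = override
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed app that just reports the method it was dispatched with."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REQUEST_METHOD"].encode()]


def simulate(method, body=b"", ctype="application/x-www-form-urlencoded"):
    """Drive the middleware with a constructed request; return the seen method."""
    environ = {
        "REQUEST_METHOD": method,
        "CONTENT_TYPE": ctype,
        "CONTENT_LENGTH": str(len(body)),
        "QUERY_STRING": "_method=DELETE" if method == "GET" else "",
        "wsgi.input": io.BytesIO(body),
    }
    chunks = MethodOverride(demo_app)(environ, lambda status, headers: None)
    return b"".join(chunks).decode()
```

Because the tunneled request is still a browser form POST, it needs the same CSRF protection as any other state-changing POST.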


> assuming your server-side supports it, and most or all common frameworks do


Seriously, who cares? POST /deleteThing. Done.



