diff --git a/core/modules/rest/lib/Drupal/rest/Tests/DeleteTest.php b/core/modules/rest/lib/Drupal/rest/Tests/DeleteTest.php
index 66f85c4..b4b9367 100644
--- a/core/modules/rest/lib/Drupal/rest/Tests/DeleteTest.php
+++ b/core/modules/rest/lib/Drupal/rest/Tests/DeleteTest.php
@@ -83,4 +83,47 @@ public function testDelete() {
     $this->assertEqual($account->id(), $user->id(), 'User still exists in the database.');
     $this->assertResponse(404);
   }
+
+  /**
+   * Simulate a CSRF attack where the HTTP request method is changed.
+   *
+   * Symfony has the possibility to override the HTTP request method from URL
+   * query parameters or the request body (both disabled by default). That
+   * override must never be enabled when using the DELETE operation of REST
+   * module.
+   *
+   * @see \Symfony\Component\HttpFoundation\Request::getMethod()
+   */
+  public function testCSRF() {
+    $this->enableService('entity:entity_test');
+    // Create a user account that has the required permissions to delete
+    // resources via the web API.
+    $account = $this->drupalCreateUser(array('restful delete entity:entity_test'));
+    $this->drupalLogin($account);
+
+    $entity = $this->entityCreate('entity_test');
+    $entity->save();
+
+    // Simulate a CSRF attack: a POST request that should not be mapped to
+    // DELETE by Symfony having a _method query parameter.
+    $this->curlExec(array(
+      CURLOPT_HTTPGET => FALSE,
+      CURLOPT_POST => TRUE,
+      CURLOPT_URL => url('entity/entity_test/' . $entity->id(), array('absolute' => TRUE, 'query' => array('_method' => 'DELETE'))),
+      CURLOPT_NOBODY => FALSE,
+    ));
+    $this->assertResponse(405);
+    $this->assertNotIdentical(FALSE, entity_load('entity_test', $entity->id(), TRUE), 'The entity is still in the database.');
+
+    // Do the same with a _method parameter in the request body.
+    $this->curlExec(array(
+      CURLOPT_HTTPGET => FALSE,
+      CURLOPT_POST => TRUE,
+      CURLOPT_POSTFIELDS => array('_method' => 'DELETE'),
+      CURLOPT_URL => url('entity/entity_test/' . $entity->id(), array('absolute' => TRUE)),
+      CURLOPT_NOBODY => FALSE,
+    ));
+    $this->assertResponse(405);
+    $this->assertNotIdentical(FALSE, entity_load('entity_test', $entity->id(), TRUE), 'The entity is still in the database.');
+  }
 }
