draft-ietf-httpbis-content-disp-09.txt | draft-ietf-httpbis-content-disp-latest.txt | |||
---|---|---|---|---|
HTTPbis Working Group J. Reschke | HTTPbis Working Group J. Reschke | |||
Internet-Draft greenbytes | Internet-Draft greenbytes | |||
Updates: 2616 (if approved) March 28, 2011 | Updates: 2616 (if approved) June 2011 | |||
Intended status: Standards Track | Intended status: Standards Track | |||
Expires: September 29, 2011 | Expires: December 3, 2011 | |||
Use of the Content-Disposition Header Field in the | Use of the Content-Disposition Header Field in the | |||
Hypertext Transfer Protocol (HTTP) | Hypertext Transfer Protocol (HTTP) | |||
draft-ietf-httpbis-content-disp-09 | draft-ietf-httpbis-content-disp-latest | |||
Abstract | Abstract | |||
RFC 2616 defines the Content-Disposition response header field, but | RFC 2616 defines the Content-Disposition response header field, but | |||
points out that it is not part of the HTTP/1.1 Standard. This | points out that it is not part of the HTTP/1.1 Standard. This | |||
specification takes over the definition and registration of Content- | specification takes over the definition and registration of Content- | |||
Disposition, as used in HTTP, and clarifies internationalization | Disposition, as used in HTTP, and clarifies internationalization | |||
aspects. | aspects. | |||
Editorial Note (To be removed by RFC Editor before publication) | ||||
This specification is expected to replace the definition of Content- | ||||
Disposition in the HTTP/1.1 specification, as currently revised by | ||||
the IETF HTTPbis working group. See also | ||||
<http://trac.tools.ietf.org/wg/httpbis/trac/ticket/123>. | ||||
Discussion of this draft should take place on the HTTPBIS working | ||||
group mailing list (ietf-http-wg@w3.org). The current issues list is | ||||
at <http://trac.tools.ietf.org/wg/httpbis/trac/ | ||||
query?component=content-disp> and related documents (including fancy | ||||
diffs) can be found at <http://tools.ietf.org/wg/httpbis/>. | ||||
The changes in this draft are summarized in Appendix E.13. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on September 29, 2011. | ||||
This Internet-Draft will expire on December 3, 2011. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 4 | 2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3 | |||
3. Conformance and Error Handling . . . . . . . . . . . . . . . . 4 | 3. Conformance and Error Handling . . . . . . . . . . . . . . . . 3 | |||
4. Header Field Definition . . . . . . . . . . . . . . . . . . . 5 | 4. Header Field Definition . . . . . . . . . . . . . . . . . . . 4 | |||
4.1. Grammar . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4.1. Grammar . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
4.2. Disposition Type . . . . . . . . . . . . . . . . . . . . . 6 | 4.2. Disposition Type . . . . . . . . . . . . . . . . . . . . . 5 | |||
4.3. Disposition Parameter: 'Filename' . . . . . . . . . . . . 6 | 4.3. Disposition Parameter: 'Filename' . . . . . . . . . . . . 5 | |||
4.4. Disposition Parameter: Extensions . . . . . . . . . . . . 7 | 4.4. Disposition Parameter: Extensions . . . . . . . . . . . . 6 | |||
4.5. Extensibility . . . . . . . . . . . . . . . . . . . . . . 7 | 4.5. Extensibility . . . . . . . . . . . . . . . . . . . . . . 6 | |||
5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
6. Internationalization Considerations . . . . . . . . . . . . . 8 | 6. Internationalization Considerations . . . . . . . . . . . . . 7 | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
8.1. Registry for Disposition Values and Parameter . . . . . . 9 | 8.1. Registry for Disposition Values and Parameters . . . . . . 8 | |||
8.2. Header Field Registration . . . . . . . . . . . . . . . . 9 | 8.2. Header Field Registration . . . . . . . . . . . . . . . . 8 | |||
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . . 9 | 10.1. Normative References . . . . . . . . . . . . . . . . . . . 8 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . . 10 | 10.2. Informative References . . . . . . . . . . . . . . . . . . 9 | |||
Appendix A. Changes from the RFC 2616 Definition . . . . . . . . 11 | Appendix A. Changes from the RFC 2616 Definition . . . . . . . . 10 | |||
Appendix B. Differences compared to RFC 2183 . . . . . . . . . . 11 | Appendix B. Differences Compared to RFC 2183 . . . . . . . . . . 10 | |||
Appendix C. Alternative Approaches to Internationalization . . . 11 | Appendix C. Alternative Approaches to Internationalization . . . 10 | |||
C.1. RFC 2047 Encoding . . . . . . . . . . . . . . . . . . . . 12 | C.1. RFC 2047 Encoding . . . . . . . . . . . . . . . . . . . . 11 | |||
C.2. Percent Encoding . . . . . . . . . . . . . . . . . . . . . 12 | C.2. Percent Encoding . . . . . . . . . . . . . . . . . . . . . 11 | |||
C.3. Encoding Sniffing . . . . . . . . . . . . . . . . . . . . 12 | C.3. Encoding Sniffing . . . . . . . . . . . . . . . . . . . . 11 | |||
C.4. Implementations (to be removed by RFC Editor before | ||||
publication) . . . . . . . . . . . . . . . . . . . . . . . 12 | ||||
Appendix D. Advice on Generating Content-Disposition Header | Appendix D. Advice on Generating Content-Disposition Header | |||
Fields . . . . . . . . . . . . . . . . . . . . . . . 13 | Fields . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
Appendix E. Change Log (to be removed by RFC Editor before | ||||
publication) . . . . . . . . . . . . . . . . . . . . 14 | ||||
E.1. Since draft-reschke-rfc2183-in-http-00 . . . . . . . . . . 14 | ||||
E.2. Since draft-reschke-rfc2183-in-http-01 . . . . . . . . . . 14 | ||||
E.3. Since draft-reschke-rfc2183-in-http-02 . . . . . . . . . . 15 | ||||
E.4. Since draft-reschke-rfc2183-in-http-03 . . . . . . . . . . 15 | ||||
E.5. Since draft-ietf-httpbis-content-disp-00 . . . . . . . . . 15 | ||||
E.6. Since draft-ietf-httpbis-content-disp-01 . . . . . . . . . 15 | ||||
E.7. Since draft-ietf-httpbis-content-disp-02 . . . . . . . . . 15 | ||||
E.8. Since draft-ietf-httpbis-content-disp-03 . . . . . . . . . 15 | ||||
E.9. Since draft-ietf-httpbis-content-disp-04 . . . . . . . . . 16 | ||||
E.10. Since draft-ietf-httpbis-content-disp-05 . . . . . . . . . 16 | ||||
E.11. Since draft-ietf-httpbis-content-disp-06 . . . . . . . . . 16 | ||||
E.12. Since draft-ietf-httpbis-content-disp-07 . . . . . . . . . 17 | ||||
E.13. Since draft-ietf-httpbis-content-disp-08 . . . . . . . . . 17 | ||||
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 | ||||
1. Introduction | 1. Introduction | |||
RFC 2616 defines the Content-Disposition response header field in | RFC 2616 defines the Content-Disposition response header field | |||
Section 19.5.1 of [RFC2616], but points out that it is not part of | (Section 19.5.1 of [RFC2616]) but points out that it is not part of | |||
the HTTP/1.1 Standard (Section 15.5): | the HTTP/1.1 Standard (Section 15.5): | |||
Content-Disposition is not part of the HTTP standard, but since it | Content-Disposition is not part of the HTTP standard, but since it | |||
is widely implemented, we are documenting its use and risks for | is widely implemented, we are documenting its use and risks for | |||
implementers. | implementers. | |||
This specification takes over the definition and registration of | This specification takes over the definition and registration of | |||
Content-Disposition, as used in HTTP. Based on interoperability | Content-Disposition, as used in HTTP. Based on interoperability | |||
testing with existing User Agents, it fully defines a profile of the | testing with existing user agents (UAs), it fully defines a profile | |||
features defined in the Multipurpose Internet Mail Extensions (MIME) | of the features defined in the Multipurpose Internet Mail Extensions | |||
variant ([RFC2183]) of the header field, and also clarifies | (MIME) variant ([RFC2183]) of the header field, and also clarifies | |||
internationalization aspects. | internationalization aspects. | |||
Note: this document does not apply to Content-Disposition header | Note: This document does not apply to Content-Disposition header | |||
fields appearing in payload bodies transmitted over HTTP, such as | fields appearing in payload bodies transmitted over HTTP, such as | |||
when using the media type "multipart/form-data" ([RFC2388]). | when using the media type "multipart/form-data" ([RFC2388]). | |||
2. Notational Conventions | 2. Notational Conventions | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
This specification uses the augmented BNF (ABNF) notation defined in | This specification uses the augmented BNF (ABNF) notation defined in | |||
skipping to change at page 4, line 44 ¶ | skipping to change at page 3, line 44 ¶ | |||
whitespace (LWS). | whitespace (LWS). | |||
3. Conformance and Error Handling | 3. Conformance and Error Handling | |||
This specification defines conformance criteria for both senders | This specification defines conformance criteria for both senders | |||
(usually, HTTP origin servers) and recipients (usually, HTTP user | (usually, HTTP origin servers) and recipients (usually, HTTP user | |||
agents) of the Content-Disposition header field. An implementation | agents) of the Content-Disposition header field. An implementation | |||
is considered conformant if it complies with all of the requirements | is considered conformant if it complies with all of the requirements | |||
associated with its role. | associated with its role. | |||
This specification also defines certain forms of the header field- | This specification also defines certain forms of the header field | |||
value to be invalid, using both ABNF and prose requirements | value to be invalid, using both ABNF and prose requirements | |||
(Section 4), but it does not define special handling of these invalid | (Section 4), but it does not define special handling of these invalid | |||
field-values. | field values. | |||
Senders MUST NOT generate Content-Disposition header fields that are | Senders MUST NOT generate Content-Disposition header fields that are | |||
invalid. | invalid. | |||
Recipients MAY take steps to recover a usable field-value from an | Recipients MAY take steps to recover a usable field value from an | |||
invalid header field, but SHOULD NOT reject the message outright, | invalid header field, but SHOULD NOT reject the message outright, | |||
unless this is explicitly desirable behaviour (e.g., the | unless this is explicitly desirable behavior (e.g., the | |||
implementation is a validator). As such, the default handling of | implementation is a validator). As such, the default handling of | |||
invalid fields is to ignore them. | invalid fields is to ignore them. | |||
4. Header Field Definition | 4. Header Field Definition | |||
The Content-Disposition response header field is used to convey | The Content-Disposition response header field is used to convey | |||
additional information about how to process the response payload, and | additional information about how to process the response payload, and | |||
also can be used to attach additional metadata, such as the filename | also can be used to attach additional metadata, such as the filename | |||
to use when saving the response payload locally. | to use when saving the response payload locally. | |||
skipping to change at page 6, line 5 ¶ | skipping to change at page 5, line 5 ¶ | |||
ext-value = <ext-value, defined in [RFC5987], Section 3.2> | ext-value = <ext-value, defined in [RFC5987], Section 3.2> | |||
Content-Disposition header field values with multiple instances of | Content-Disposition header field values with multiple instances of | |||
the same parameter name are invalid. | the same parameter name are invalid. | |||
Note that due to the rules for implied linear whitespace (Section 2.1 | Note that due to the rules for implied linear whitespace (Section 2.1 | |||
of [RFC2616]), OPTIONAL whitespace can appear between words (token or | of [RFC2616]), OPTIONAL whitespace can appear between words (token or | |||
quoted-string) and separator characters. | quoted-string) and separator characters. | |||
Furthermore note that the format used for ext-value allows specifying | Furthermore, note that the format used for ext-value allows | |||
a natural language (e.g., "en"); this is of limited use for filenames | specifying a natural language (e.g., "en"); this is of limited use | |||
and is likely to be ignored by recipients. | for filenames and is likely to be ignored by recipients. | |||
4.2. Disposition Type | 4.2. Disposition Type | |||
If the disposition type matches "attachment" (case-insensitively), | If the disposition type matches "attachment" (case-insensitively), | |||
this indicates that the recipient should prompt the user to save the | this indicates that the recipient should prompt the user to save the | |||
response locally, rather than process it normally (as per its media | response locally, rather than process it normally (as per its media | |||
type). | type). | |||
On the other hand, if it matches "inline" (case-insensitively), this | On the other hand, if it matches "inline" (case-insensitively), this | |||
implies default processing. Therefore, the disposition type "inline" | implies default processing. Therefore, the disposition type "inline" | |||
skipping to change at page 6, line 52 ¶ | skipping to change at page 5, line 52 ¶ | |||
Many user agent implementations predating this specification do not | Many user agent implementations predating this specification do not | |||
understand the "filename*" parameter. Therefore, when both | understand the "filename*" parameter. Therefore, when both | |||
"filename" and "filename*" are present in a single header field | "filename" and "filename*" are present in a single header field | |||
value, recipients SHOULD pick "filename*" and ignore "filename". | value, recipients SHOULD pick "filename*" and ignore "filename". | |||
This way, senders can avoid special-casing specific user agents by | This way, senders can avoid special-casing specific user agents by | |||
sending both the more expressive "filename*" parameter, and the | sending both the more expressive "filename*" parameter, and the | |||
"filename" parameter as fallback for legacy recipients (see Section 5 | "filename" parameter as fallback for legacy recipients (see Section 5 | |||
for an example). | for an example). | |||
It is essential that recipients treat the specified filename as | It is essential that recipients treat the specified filename as | |||
advisory only, thus be very careful in extracting the desired | advisory only, and thus be very careful in extracting the desired | |||
information. In particular: | information. In particular: | |||
o Recipients MUST NOT be able to write into any location other than | o Recipients MUST NOT be able to write into any location other than | |||
one to which they are specifically entitled. To illustrate the | one to which they are specifically entitled. To illustrate the | |||
problem consider the consequences of being able to overwrite well- | problem, consider the consequences of being able to overwrite | |||
known system locations (such as "/etc/passwd"). One strategy to | well-known system locations (such as "/etc/passwd"). One strategy | |||
achieve this is to never trust folder name information in the | to achieve this is to never trust folder name information in the | |||
filename parameter, for instance by stripping all but the last | filename parameter, for instance by stripping all but the last | |||
path segment and only consider the actual filename (where 'path | path segment and only considering the actual filename (where 'path | |||
segment' are the components of the field value delimited by the | segments' are the components of the field value delimited by the | |||
path separator characters "\" and "/"). | path separator characters "\" and "/"). | |||
o Many platforms do not use Internet Media Types ([RFC2046]) to hold | o Many platforms do not use Internet Media Types ([RFC2046]) to hold | |||
type information in the file system, but rely on filename | type information in the file system, but rely on filename | |||
extensions instead. Trusting the server-provided file extension | extensions instead. Trusting the server-provided file extension | |||
could introduce a privilege escalation when the saved file is | could introduce a privilege escalation when the saved file is | |||
later opened (consider ".exe"). Thus, recipients which make use | later opened (consider ".exe"). Thus, recipients that make use of | |||
of file extensions to determine the media type MUST ensure that a | file extensions to determine the media type MUST ensure that a | |||
file extension is used that is safe, optimally matching the media | file extension is used that is safe, optimally matching the media | |||
type of the received payload. | type of the received payload. | |||
o Recipients SHOULD strip or replace character sequences that are | o Recipients SHOULD strip or replace character sequences that are | |||
known to cause confusion both in user interfaces and in filenames, | known to cause confusion both in user interfaces and in filenames, | |||
such as control characters and leading and trailing whitespace. | such as control characters and leading and trailing whitespace. | |||
o Other aspects recipients need to be aware of are names that have a | o Other aspects recipients need to be aware of are names that have a | |||
special meaning in the file system or in shell commands, such as | special meaning in the file system or in shell commands, such as | |||
"." and "..", "~", "|", and also device names. Recipients SHOULD | "." and "..", "~", "|", and also device names. Recipients SHOULD | |||
skipping to change at page 8, line 7 ¶ | skipping to change at page 7, line 7 ¶ | |||
4.5. Extensibility | 4.5. Extensibility | |||
Note that Section 9 of [RFC2183] defines IANA registries both for | Note that Section 9 of [RFC2183] defines IANA registries both for | |||
disposition types and disposition parameters. This registry is | disposition types and disposition parameters. This registry is | |||
shared by different protocols using Content-Disposition, such as MIME | shared by different protocols using Content-Disposition, such as MIME | |||
and HTTP. Therefore, not all registered values may make sense in the | and HTTP. Therefore, not all registered values may make sense in the | |||
context of HTTP. | context of HTTP. | |||
5. Examples | 5. Examples | |||
Direct UA to show "save as" dialog, with a filename of | Direct the UA to show "save as" dialog, with a filename of | |||
"example.html": | "example.html": | |||
Content-Disposition: Attachment; filename=example.html | Content-Disposition: Attachment; filename=example.html | |||
Direct UA to behave as if the Content-Disposition header field wasn't | Direct the UA to behave as if the Content-Disposition header field | |||
present, but to remember the filename "an example.html" for a | wasn't present, but to remember the filename "an example.html" for a | |||
subsequent save operation: | subsequent save operation: | |||
Content-Disposition: INLINE; FILENAME= "an example.html" | Content-Disposition: INLINE; FILENAME= "an example.html" | |||
Note: this uses the quoted-string form so that the space character | Note: This uses the quoted-string form so that the space character | |||
can be included. | can be included. | |||
Direct UA to show "save as" dialog, with a filename containing the | Direct the UA to show "save as" dialog, with a filename containing | |||
Unicode character U+20AC (EURO SIGN): | the Unicode character U+20AC (EURO SIGN): | |||
Content-Disposition: attachment; | Content-Disposition: attachment; | |||
filename*= UTF-8''%e2%82%ac%20rates | filename*= UTF-8''%e2%82%ac%20rates | |||
Here, the encoding defined in [RFC5987] is also used to encode the | Here, the encoding defined in [RFC5987] is also used to encode the | |||
non-ISO-8859-1 character. | non-ISO-8859-1 character. | |||
Same as above, but adding the "filename" parameter for compatibility | This example is the same as the one above, but adding the "filename" | |||
with user agents not implementing RFC 5987: | parameter for compatibility with user agents not implementing | |||
RFC 5987: | ||||
Content-Disposition: attachment; | Content-Disposition: attachment; | |||
filename="EURO rates"; | filename="EURO rates"; | |||
filename*=utf-8''%e2%82%ac%20rates | filename*=utf-8''%e2%82%ac%20rates | |||
Note: those user agents that do not support the RFC 5987 encoding | Note: Those user agents that do not support the RFC 5987 encoding | |||
ignore "filename*" when it occurs after "filename". | ignore "filename*" when it occurs after "filename". | |||
6. Internationalization Considerations | 6. Internationalization Considerations | |||
The "filename*" parameter (Section 4.3), using the encoding defined | The "filename*" parameter (Section 4.3), using the encoding defined | |||
in [RFC5987], allows the server to transmit characters outside the | in [RFC5987], allows the server to transmit characters outside the | |||
ISO-8859-1 character set, and also to optionally specify the language | ISO-8859-1 character set, and also to optionally specify the language | |||
in use. | in use. | |||
Future parameters might also require internationalization, in which | Future parameters might also require internationalization, in which | |||
case the same encoding can be used. | case the same encoding can be used. | |||
7. Security Considerations | 7. Security Considerations | |||
Using server-supplied information for constructing local filenames | Using server-supplied information for constructing local filenames | |||
introduces many risks. These are summarized in Section 4.3. | introduces many risks. These are summarized in Section 4.3. | |||
Furthermore, implementers also ought to be aware of the Security | Furthermore, implementers ought to be aware of the security | |||
Considerations applying to HTTP (see Section 15 of [RFC2616]), and | considerations applying to HTTP (see Section 15 of [RFC2616]), and | |||
also the parameter encoding defined in [RFC5987] (see Section 5). | also the parameter encoding defined in [RFC5987] (see Section 5). | |||
8. IANA Considerations | 8. IANA Considerations | |||
8.1. Registry for Disposition Values and Parameter | 8.1. Registry for Disposition Values and Parameters | |||
This specification does not introduce any changes to the registration | This specification does not introduce any changes to the registration | |||
procedures for disposition values and parameters that are defined in | procedures for disposition values and parameters that are defined in | |||
Section 9 of [RFC2183]. | Section 9 of [RFC2183]. | |||
8.2. Header Field Registration | 8.2. Header Field Registration | |||
This document updates the definition of the Content-Disposition HTTP | This document updates the definition of the Content-Disposition HTTP | |||
header field in the permanent HTTP header field registry (see | header field in the permanent HTTP header field registry (see | |||
[RFC3864]). | [RFC3864]). | |||
skipping to change at page 9, line 52 ¶ | skipping to change at page 8, line 52 ¶ | |||
Thanks to Adam Barth, Rolf Eike Beer, Stewart Bryant, Bjoern | Thanks to Adam Barth, Rolf Eike Beer, Stewart Bryant, Bjoern | |||
Hoehrmann, Alfred Hoenes, Roar Lauritzsen, Alexey Melnikov, Henrik | Hoehrmann, Alfred Hoenes, Roar Lauritzsen, Alexey Melnikov, Henrik | |||
Nordstrom, and Mark Nottingham for their valuable feedback. | Nordstrom, and Mark Nottingham for their valuable feedback. | |||
10. References | 10. References | |||
10.1. Normative References | 10.1. Normative References | |||
[ISO-8859-1] International Organization for Standardization, | [ISO-8859-1] International Organization for Standardization, | |||
"Information technology -- 8-bit single-byte coded | "Information technology -- 8-bit single-byte coded | |||
graphic character sets -- Part 1: Latin alphabet No. | graphic character sets -- Part 1: Latin alphabet | |||
No. 1", ISO/IEC 8859-1:1998, 1998. | ||||
1", ISO/IEC 8859-1:1998, 1998. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | |||
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | |||
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | |||
[RFC5987] Reschke, J., "Character Set and Language Encoding for | [RFC5987] Reschke, J., "Character Set and Language Encoding for | |||
Hypertext Transfer Protocol (HTTP) Header Field | Hypertext Transfer Protocol (HTTP) Header Field | |||
skipping to change at page 10, line 28 ¶ | skipping to change at page 9, line 27 ¶ | |||
10.2. Informative References | 10.2. Informative References | |||
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet | |||
Mail Extensions (MIME) Part Two: Media Types", | Mail Extensions (MIME) Part Two: Media Types", | |||
RFC 2046, November 1996. | RFC 2046, November 1996. | |||
[RFC2047] Moore, K., "MIME (Multipurpose Internet Mail | [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail | |||
Extensions) Part Three: Message Header Extensions for | Extensions) Part Three: Message Header Extensions for | |||
Non-ASCII Text", RFC 2047, November 1996. | Non-ASCII Text", RFC 2047, November 1996. | |||
[RFC2183] Troost, R., Dorner, S., and K. Moore, "Communicating | [RFC2183] Troost, R., Dorner, S., and K. Moore, Ed., | |||
Presentation Information in Internet Messages: The | "Communicating Presentation Information in Internet | |||
Content-Disposition Header Field", RFC 2183, | Messages: The Content-Disposition Header Field", | |||
August 1997. | RFC 2183, August 1997. | |||
[RFC2231] Freed, N. and K. Moore, "MIME Parameter Value and | [RFC2231] Freed, N. and K. Moore, "MIME Parameter Value and | |||
Encoded Word Extensions: Character Sets, Languages, and | Encoded Word Extensions: Character Sets, Languages, and | |||
Continuations", RFC 2231, November 1997. | Continuations", RFC 2231, November 1997. | |||
[RFC2388] Masinter, L., "Returning Values from Forms: multipart/ | [RFC2388] Masinter, L., "Returning Values from Forms: multipart/ | |||
form-data", RFC 2388, August 1998. | form-data", RFC 2388, August 1998. | |||
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | |||
Procedures for Message Header Fields", BCP 90, | Procedures for Message Header Fields", BCP 90, | |||
skipping to change at page 11, line 27 ¶ | skipping to change at page 10, line 27 ¶ | |||
This would be an exceptional parameter syntax, and also doesn't | This would be an exceptional parameter syntax, and also doesn't | |||
reflect actual use. | reflect actual use. | |||
o The definition for the disposition type "inline" ([RFC2183], | o The definition for the disposition type "inline" ([RFC2183], | |||
Section 2.1) has been re-added with a suggestion for its | Section 2.1) has been re-added with a suggestion for its | |||
processing. | processing. | |||
o This specification requires support for the extended parameter | o This specification requires support for the extended parameter | |||
encoding defined in [RFC5987]. | encoding defined in [RFC5987]. | |||
Appendix B. Differences compared to RFC 2183 | Appendix B. Differences Compared to RFC 2183 | |||
Section 2 of [RFC2183] defines several additional disposition | Section 2 of [RFC2183] defines several additional disposition | |||
parameters: "creation-date", "modification-date", "quoted-date-time", | parameters: "creation-date", "modification-date", "quoted-date-time", | |||
and "size". The majority of user agents does not implement these, | and "size". The majority of user agents do not implement these; | |||
thus they have been omitted from this specification. | thus, they have been omitted from this specification. | |||
Appendix C. Alternative Approaches to Internationalization | Appendix C. Alternative Approaches to Internationalization | |||
By default, HTTP header field parameters cannot carry characters | By default, HTTP header field parameters cannot carry characters | |||
outside the ISO-8859-1 ([ISO-8859-1]) character encoding (see | outside the ISO-8859-1 ([ISO-8859-1]) character encoding (see | |||
[RFC2616], Section 2.2). For the "filename" parameter, this of | [RFC2616], Section 2.2). For the "filename" parameter, this of | |||
course is an unacceptable restriction. | course is an unacceptable restriction. | |||
Unfortunately, user agent implementers have not managed to come up | Unfortunately, user agent implementers have not managed to come up | |||
with an interoperable approach, although the IETF Standards Track | with an interoperable approach, although the IETF Standards Track | |||
specifies exactly one solution ([RFC2231], clarified and profiled for | specifies exactly one solution ([RFC2231], clarified and profiled for | |||
HTTP in [RFC5987]). | HTTP in [RFC5987]). | |||
For completeness, the sections below describe the various approaches | For completeness, the sections below describe the various approaches | |||
that have been tried, and explains how they are inferior to the RFC | that have been tried, and explain how they are inferior to the | |||
5987 encoding used in this specification. | RFC 5987 encoding used in this specification. | |||
C.1. RFC 2047 Encoding | C.1. RFC 2047 Encoding | |||
RFC 2047 defines an encoding mechanism for header fields, but this | RFC 2047 defines an encoding mechanism for header fields, but this | |||
encoding is not supposed to be used for header field parameters - see | encoding is not supposed to be used for header field parameters -- | |||
Section 5 of [RFC2047]: | see Section 5 of [RFC2047]: | |||
An 'encoded-word' MUST NOT appear within a 'quoted-string'. | An 'encoded-word' MUST NOT appear within a 'quoted-string'. | |||
... | ... | |||
An 'encoded-word' MUST NOT be used in parameter of a MIME Content- | An 'encoded-word' MUST NOT be used in parameter of a MIME Content- | |||
Type or Content-Disposition field, or in any structured field body | Type or Content-Disposition field, or in any structured field body | |||
except within a 'comment' or 'phrase'. | except within a 'comment' or 'phrase'. | |||
In practice, some user agents implement the encoding, some do not | In practice, some user agents implement the encoding, some do not | |||
(exposing the encoded string to the user), and some get confused by | (exposing the encoded string to the user), and some get confused by | |||
it. | it. | |||
C.2. Percent Encoding | C.2. Percent Encoding | |||
Some user agents accept percent encoded ([RFC3986], Section 2.1) | Some user agents accept percent-encoded ([RFC3986], Section 2.1) | |||
sequences of characters. The character encoding being used for | sequences of characters. The character encoding being used for | |||
decoding depends on various factors, including the encoding of the | decoding depends on various factors, including the encoding of the | |||
referring page, the user agent's locale, its configuration, and also | referring page, the user agent's locale, its configuration, and also | |||
the actual value of the parameter. | the actual value of the parameter. | |||
In practice, this is hard to use because those user agents that do | In practice, this is hard to use because those user agents that do | |||
not support it will display the escaped character sequence to the | not support it will display the escaped character sequence to the | |||
user. For those user agents that do implement this it is difficult | user. For those user agents that do implement this, it is difficult | |||
to predict what character encoding they actually expect. | to predict what character encoding they actually expect. | |||
C.3. Encoding Sniffing | C.3. Encoding Sniffing | |||
Some user agents inspect the value (which defaults to ISO-8859-1 for | Some user agents inspect the value (which defaults to ISO-8859-1 for | |||
the quoted-string form) and switch to UTF-8 when it seems to be more | the quoted-string form) and switch to UTF-8 when it seems to be more | |||
likely to be the correct interpretation. | likely to be the correct interpretation. | |||
As with the approaches above, this is not interoperable and | As with the approaches above, this is not interoperable and, | |||
furthermore risks misinterpreting the actual value. | furthermore, risks misinterpreting the actual value. | |||
C.4. Implementations (to be removed by RFC Editor before publication) | ||||
Unfortunately, as of March 2011, neither the encoding defined in RFCs | ||||
2231 and 5987, nor any of the alternate approaches discussed above | ||||
was implemented interoperably. Thus, this specification recommends | ||||
the approach defined in RFC 5987, which at least has the advantage of | ||||
actually being specified properly. | ||||
The table below shows the support for the various approaches in the | ||||
current implementations: | ||||
+---------------+------------+--------+--------------+--------------+ | ||||
| User Agent | RFC | RFC | Percent | Encoding | | ||||
| | 2231/5987 | 2047 | Encoding | Sniffing | | ||||
+---------------+------------+--------+--------------+--------------+ | ||||
| Chrome | yes | yes | yes | yes | | ||||
| Firefox | yes (*) | yes | no | yes | | ||||
| Internet | yes (**) | no | yes | no | | ||||
| Explorer | | | | | | ||||
| Konqueror | yes | no | no | no | | ||||
| Opera | yes | no | no | no | | ||||
| Safari | no | no | no | yes | | ||||
+---------------+------------+--------+--------------+--------------+ | ||||
(*) Does not implement the fallback behavior to "filename" described | ||||
in Section 4.3; a fix is planned for Firefox 5. | ||||
(**) Starting with Internet Explorer 9, but only implements UTF-8. | ||||
Appendix D. Advice on Generating Content-Disposition Header Fields | Appendix D. Advice on Generating Content-Disposition Header Fields | |||
To successfully interoperate with existing and future user agents, | To successfully interoperate with existing and future user agents, | |||
senders of the Content-Disposition header field are advised to: | senders of the Content-Disposition header field are advised to: | |||
o Include a "filename" parameter when US-ASCII ([US-ASCII]) is | o Include a "filename" parameter when US-ASCII ([US-ASCII]) is | |||
sufficiently expressive. | sufficiently expressive. | |||
o Use the 'token' form of the filename parameter only when it does | o Use the 'token' form of the filename parameter only when it does | |||
not contain disallowed characters (e.g., spaces); in such cases, | not contain disallowed characters (e.g., spaces); in such cases, | |||
the quoted-string form should be used. | the quoted-string form should be used. | |||
o Avoid including the percent character followed by two hexadecimal | o Avoid including the percent character followed by two hexadecimal | |||
characters (e.g., %A9) in the filename parameter, since some | characters (e.g., %A9) in the filename parameter, since some | |||
existing implementations consider it to be an escape character, | existing implementations consider it to be an escape character, | |||
while others will pass it through unchanged. | while others will pass it through unchanged. | |||
o Avoid including the "\" character in the quoted-string form of the | o Avoid including the "\" character in the quoted-string form of the | |||
filename parameter, as escaping is not implemented by some user | filename parameter, as escaping is not implemented by some user | |||
agents, and can be considered as an illegal path character. | agents, and "\" can be considered an illegal path character. | |||
o Avoid using non-ASCII characters in the filename parameter. | o Avoid using non-ASCII characters in the filename parameter. | |||
Although most existing implementations will decode them as ISO- | Although most existing implementations will decode them as | |||
8859-1, some will apply heuristics to detect UTF-8, and thus might | ISO-8859-1, some will apply heuristics to detect UTF-8, and thus | |||
fail on certain names. | might fail on certain names. | |||
o Include a "filename*" parameter where the desired filename cannot | o Include a "filename*" parameter where the desired filename cannot | |||
be expressed faithfully using the "filename" form. Note that | be expressed faithfully using the "filename" form. Note that | |||
legacy user agents will not process this, and will fall back to | legacy user agents will not process this, and will fall back to | |||
using the "filename" parameter's content. | using the "filename" parameter's content. | |||
o When a "filename*" parameter is sent, to also generate a | o When a "filename*" parameter is sent, to also generate a | |||
"filename" parameter as a fallback for user agents that do not | "filename" parameter as a fallback for user agents that do not | |||
support the "filename*" form, if possible. This can be done by | support the "filename*" form, if possible. This can be done by | |||
substituting characters with US-ASCII sequences (e.g., Unicode | substituting characters with US-ASCII sequences (e.g., Unicode | |||
character point U+00E4 (LATIN SMALL LETTER A WITH DIARESIS) by | character point U+00E4 (LATIN SMALL LETTER A WITH DIARESIS) by | |||
"ae"). Note that this may not be possible in some locales. | "ae"). Note that this may not be possible in some locales. | |||
o When a "filename" parameter is included as a fallback (as per | o When a "filename" parameter is included as a fallback (as per | |||
above), "filename" should occur first, due to parsing problems in | above), "filename" should occur first, due to parsing problems in | |||
some existing implementations. [[fallbackbug: Firefox is known to | some existing implementations. | |||
pick the wrong parameter; a bug fix is scheduled for Firefox 5. | ||||
--jre]] [[NOTE-TO-RFC-EDITOR: PLEASE REMOVE THIS AND THE PRECEDING | ||||
COMMENT BEFORE PUBLICATION AS RFC. --jre]] | ||||
o Use UTF-8 as the encoding of the "filename*" parameter, when | o Use UTF-8 as the encoding of the "filename*" parameter, when | |||
present, because at least one existing implementation only | present, because at least one existing implementation only | |||
implements that encoding. | implements that encoding. | |||
Note that this advice is based upon UA behaviour at the time of | Note that this advice is based upon UA behavior at the time of | |||
writing, and might be superseded. At the time of publication of this | writing, and might be superseded. At the time of publication of this | |||
document, <http://purl.org/NET/http/content-disposition-tests> | document, <http://purl.org/NET/http/content-disposition-tests> | |||
provides an overview of current levels of support in various | provides an overview of current levels of support in various | |||
implementations. | implementations. | |||
Appendix E. Change Log (to be removed by RFC Editor before publication) | ||||
Note: the issues names in the change log entries for | ||||
draft-reschke-rfc2183-in-http refer to <http://greenbytes.de/tech/ | ||||
webdav/draft-reschke-rfc2183-in-http-issues.html>. | ||||
E.1. Since draft-reschke-rfc2183-in-http-00 | ||||
Adjust terminology ("header" -> "header field"). Update rfc2231-in- | ||||
http reference. | ||||
E.2. Since draft-reschke-rfc2183-in-http-01 | ||||
Update rfc2231-in-http reference. Actually define the "filename" | ||||
parameter. Add internationalization considerations. Add examples | ||||
using the RFC 5987 encoding. Add overview over other approaches, | ||||
plus a table reporting implementation status. Add and resolve issue | ||||
"nodep2183". Add issues "asciivsiso", "deplboth", "quoted", and | ||||
"registry". | ||||
E.3. Since draft-reschke-rfc2183-in-http-02 | ||||
Add and close issue "docfallback". Close issues "asciivsiso", | ||||
"deplboth", "quoted", and "registry". | ||||
E.4. Since draft-reschke-rfc2183-in-http-03 | ||||
Updated to be a Working Draft of the IETF HTTPbis Working Group. | ||||
E.5. Since draft-ietf-httpbis-content-disp-00 | ||||
Closed issues: | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/242>: "handling of | ||||
unknown disposition types" | ||||
Slightly updated the notes about the proposed fallback behavior. | ||||
E.6. Since draft-ietf-httpbis-content-disp-01 | ||||
Various editorial improvements. | ||||
E.7. Since draft-ietf-httpbis-content-disp-02 | ||||
Closed issues: | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/244>: "state that | ||||
repeating parameters are invalid" | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/245>: "warn about | ||||
%xx in filenames being misinterpreted" | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/246>: "mention | ||||
control chars when talking about postprecessing the filename | ||||
parameter" | ||||
Update Appendix C.4; Opera 10.63 RC implements the recommended | ||||
fallback behavior. | ||||
E.8. Since draft-ietf-httpbis-content-disp-03 | ||||
Closed issues: | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/252>: | ||||
"'modification-date' *is* implemented in Konq 4.5" | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/253>: "clarify what | ||||
LWS means for the Content-Disp grammar" | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/258>: "Avoid passive | ||||
voice in message requirements" | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/263>: "text about | ||||
historical percent-decoding unclear" | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/264>: "add | ||||
explanation of language tagging" | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/265>: "Clarify that | ||||
C-D spec does not apply to multipart upload" | ||||
E.9. Since draft-ietf-httpbis-content-disp-04 | ||||
Updated implementation information (Chrome 9 implements RFC 5987, IE | ||||
9 RC implements it for UTF-8 only). | ||||
Clarify who requirements are on, add a section discussing conformance | ||||
and handling of invalid field values in general. | ||||
Closed issues: | ||||
o <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/243>: "avoid | ||||
stating ISO-8859-1 default for header param" (the default is still | ||||
mentioned, but it was clarified what it applies to). | ||||
o <http://tools.ietf.org/wg/httpbis/trac/ticket/272>: "Path | ||||
Separator Characters" | ||||
E.10. Since draft-ietf-httpbis-content-disp-05 | ||||
Editorial changes: Fixed two typos where the new Conformance section | ||||
said "Content-Location" instead of "Content-Disposition". Cleaned up | ||||
terminology ("user agent", "recipient", "sender", "message body", | ||||
...). Stated what the escape character for quoted-string is. | ||||
Explained a use case for "inline" disposition type. Updated | ||||
implementation notes with respect to the fallback behavior. | ||||
Added appendix "Advice on Generating Content-Disposition Header | ||||
Fields". | ||||
E.11. Since draft-ietf-httpbis-content-disp-06 | ||||
Closed issues: | ||||
o <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/278>: | ||||
"conformance language" | ||||
E.12. Since draft-ietf-httpbis-content-disp-07 | ||||
Rephrase the requirement about well-known file system locations, and | ||||
also clarify that by "last path segment" we mean the actual filename. | ||||
Added a forward reference from "invalid" to the section that defines | ||||
a valid header field. | ||||
E.13. Since draft-ietf-httpbis-content-disp-08 | ||||
Update: Internet Explorer 9 is released. Various editorial | ||||
improvements. Add US-ASCII reference. Strengthen file extension | ||||
handling requirement to MUST for those recipients that actually use | ||||
file extensions to map media types. | ||||
Index | ||||
C | ||||
Content-Disposition header field 5 | ||||
H | ||||
Header Fields | ||||
Content-Disposition 5 | ||||
Author's Address | Author's Address | |||
Julian F. Reschke | Julian F. Reschke | |||
greenbytes GmbH | greenbytes GmbH | |||
Hafenweg 16 | Hafenweg 16 | |||
Muenster, NW 48155 | Muenster, NW 48155 | |||
Germany | Germany | |||
EMail: julian.reschke@greenbytes.de | EMail: julian.reschke@greenbytes.de | |||
URI: http://greenbytes.de/tech/webdav/ | URI: http://greenbytes.de/tech/webdav/ | |||
End of changes. 42 change blocks. | ||||
293 lines changed or deleted | 89 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |