HTTP Working Group | M. Nottingham |
Internet-Draft | Fastly |
Intended status: Standards Track | P-H. Kamp |
Expires: January 9, 2020 | The Varnish Cache Project |
July 8, 2019 |
This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header fields. It is intended for use by specifications of new HTTP header fields that wish to use a common syntax that is more restrictive than traditional HTTP field values.¶
RFC EDITOR: please remove this section before publication ¶
Discussion of this draft takes place on the HTTP working group mailing list (ietf-http-wg@w3.org), which is archived at https://lists.w3.org/Archives/Public/ietf-http-wg/.¶
Working Group information can be found at https://httpwg.github.io/; source code and issues list for this draft can be found at https://github.com/httpwg/http-extensions/labels/header-structure.¶
Tests for implementations are collected at https://github.com/httpwg/structured-header-tests.¶
Implementations are tracked at https://github.com/httpwg/wiki/wiki/Structured-Headers.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress”.¶
This Internet-Draft will expire on January 9, 2020.¶
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Specifying the syntax of new HTTP header fields is an onerous task; even with the guidance in [RFC7231], Section 8.3.1, there are many decisions – and pitfalls – for a prospective HTTP header field author.¶
Once a header field is defined, bespoke parsers and serializers often need to be written, because each header has slightly different handling of what looks like common syntax.¶
This document introduces a set of common data structures for use in definitions of new HTTP header field values to address these problems. In particular, it defines a generic, abstract model for header field values, along with a concrete serialisation for expressing that model in textual HTTP [RFC7230] header fields.¶
HTTP headers that are defined as “Structured Headers” use the types defined in this specification to define their syntax and basic handling rules, thereby simplifying both their definition by specification writers and handling by implementations.¶
Additionally, future versions of HTTP can define alternative serialisations of the abstract model of these structures, allowing headers that use it to be transmitted more efficiently without being redefined.¶
Note that it is not a goal of this document to redefine the syntax of existing HTTP headers; the mechanisms described herein are only intended to be used with headers that explicitly opt into them.¶
Section 3 defines a number of abstract data types that can be used in Structured Headers. Those abstract types can be serialized into and parsed from textual HTTP headers using the algorithms described in Section 4.¶
This specification intentionally defines strict parsing and serialisation behaviours using step-by-step algorithms; the only error handling defined is to fail the operation altogether.¶
It is designed to encourage faithful implementation and therefore good interoperability. Therefore, an implementation that tried to be “helpful” by being more tolerant of input would make interoperability worse, since that would create pressure on other implementations to implement similar (but likely subtly different) workarounds.¶
In other words, strict processing is an intentional feature of this specification; it allows non-conformant input to be discovered and corrected by the producer early, and avoids both interoperability and security issues that might otherwise result.¶
Note that as a result of this strictness, if a header field is appended to by multiple parties (e.g., intermediaries, or different components in the sender), an error in one party’s value is likely to cause the entire header field to fail parsing.¶
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses algorithms to specify parsing and serialisation behaviours, and the Augmented Backus-Naur Form (ABNF) notation of [RFC5234] to illustrate expected syntax in textual HTTP header fields. In doing so, uses the VCHAR, SP, DIGIT, ALPHA and DQUOTE rules from [RFC5234]. It also includes the OWS rule from [RFC7230].¶
When parsing from textual HTTP header fields, implementations MUST follow the algorithms, but MAY vary in implementation so as the behaviours are indistinguishable from specified behaviour. If there is disagreement between the parsing algorithms and ABNF, the specified algorithms take precedence. In some places, the algorithms are “greedy” with whitespace, but this should not affect conformance.¶
For serialisation to textual header fields, the ABNF illustrates the range of acceptable wire representations with as much fidelity as possible, and the algorithms define the recommended way to produce them. Implementations MAY vary from the specified behaviour so long as the output still matches the ABNF.¶
To define a HTTP header as a structured header, its specification needs to:¶
Note that a header field definition cannot relax the requirements of this specification because doing so would preclude handling by generic software; they can only add additional constraints (for example, on the numeric range of integers and floats, the format of strings and tokens, or the number of items in a list). Likewise, header field definitions should use Structured Headers for the entire header field value, not a portion thereof.¶
This specification defines minimums for the length or number of various structures supported by Structured Headers implementations. It does not specify maximum sizes in most cases, but header authors should be aware that HTTP implementations do impose various limits on the size of individual header fields, the total number of fields, and/or the size of the entire header block.¶
For example,¶
42. Foo-Example Header The Foo-Example HTTP header field conveys information about how much Foo the message has. Foo-Example is a Structured Header [RFCxxxx]. Its value MUST be a dictionary ([RFCxxxx], Section Y.Y). Its ABNF is: Foo-Example = sh-dictionary The dictionary MUST contain: * Exactly one member whose name is "foo", and whose value is an integer ([RFCxxxx], Section Y.Y), indicating the number of foos in the message. * Exactly one member whose name is "barUrl", and whose value is a string ([RFCxxxx], Section Y.Y), conveying the Bar URL for the message. See below for processing requirements. If the parsed header field does not contain both, it MUST be ignored. "foo" MUST be between 0 and 10, inclusive; other values MUST cause the header to be ignored. "barUrl" contains a URI-reference ([RFC3986], Section 4.1). If barURL is not a valid URI-reference, it MUST be ignored. If barURL is a relative reference ([RFC3986], Section 4.2), it MUST be resolved ([RFC3986], Section 5) before being used.
This section defines the abstract value types that can be composed into Structured Headers. The ABNF provided represents the on-wire format in HTTP.¶
Lists are arrays of zero or more members, each of which can be an item (Section 3.3) or an inner list (an array of zero or more items).¶
Each member of the top-level list can also have associated parameters – an ordered map of key-value pairs where the keys are short, textual strings and the values are items (Section 3.3). There can be zero or more parameters on a member, and their keys are required to be unique within that scope.¶
The ABNF for lists is:¶
sh-list = list-member *( OWS "," OWS list-member ) list-member = ( sh-item / inner-list ) *parameter inner-list = "(" OWS [ sh-item *( SP sh-item ) OWS ] ")" parameter = OWS ";" OWS param-name [ "=" param-value ] param-name = key key = lcalpha *( lcalpha / DIGIT / "_" / "-" ) lcalpha = %x61-7A ; a-z param-value = sh-item
In textual HTTP headers, each member is separated by a comma and optional whitespace. For example, a header field whose value is defined as a list of strings could look like:¶
Example-StrListHeader: "foo", "bar", "It was the best of times."
In textual HTTP headers, inner lists are denoted by surrounding parenthesis, and have their values delimited by a single space. A header field whose value is defined as a list of lists of strings could look like:¶
Example-StrListListHeader: ("foo" "bar"), ("baz"), ("bat" "one"), ()
Note that the last member in this example is an empty inner list.¶
In textual HTTP headers, members’ parameters are separated from the member and each other by semicolons. For example:¶
Example-ParamListHeader: abc_123;a=1;b=2; cdef_456, (ghi jkl);q="9";r="w"
Parsers MUST support lists containing at least 1024 members, support members with at least 256 parameters, support inner-lists containing at least 256 members, and support parameter keys with at least 64 characters.¶
Header specifications can constrain the types of individual list values (including that of individual inner-list members and parameters) if necessary.¶
Dictionaries are ordered maps of name-value pairs, where the names are short, textual strings and the values are items (Section 3.3) or arrays of items. There can be zero or more members, and their names are required to be unique within the scope of the dictionary they occur within.¶
Implementations MUST provide access to dictionaries both by index and by name. Specifications MAY use either means of accessing the members.¶
The ABNF for dictionaries in textual HTTP headers is:¶
sh-dictionary = dict-member *( OWS "," OWS dict-member ) dict-member = member-name "=" member-value member-name = key member-value = sh-item / inner-list
In textual HTTP headers, members are separated by a comma with optional whitespace, while names and values are separated by “=” (without whitespace). For example:¶
Example-DictHeader: en="Applepie", da=*w4ZibGV0w6ZydGU=*
A dictionary with a member whose value is an inner-list of tokens:¶
Example-DictListHeader: rating=1.5, feelings=(joy sadness)
Typically, a header field specification will define the semantics of individual member names, as well as whether their presence is required or optional. Recipients MUST ignore names that are undefined or unknown, unless the header field’s specification specifically disallows them.¶
Parsers MUST support dictionaries containing at least 1024 name/value pairs, and names with at least 64 characters.¶
An item is can be a integer (Section 3.4), float (Section 3.5), string (Section 3.6), token (Section 3.7), byte sequence (Section 3.8), or Boolean (Section 3.9).¶
The ABNF for items in textual HTTP headers is:¶
sh-item = sh-integer / sh-float / sh-string / sh-token / sh-binary / sh-boolean
Integers have a range of −999,999,999,999,999 to 999,999,999,999,999 inclusive (i.e., up to fifteen digits, signed), for IEEE 754 compatibility ([IEEE754]).¶
The ABNF for integers in textual HTTP headers is:¶
sh-integer = ["-"] 1*15DIGIT
For example:¶
Example-IntegerHeader: 42
Note that commas in integers are used in this section’s prose only for readability; they are not valid in the wire format.¶
Floats are integers with a fractional part, that can be stored as IEEE 754 double precision numbers (binary64) ([IEEE754]).¶
The ABNF for floats in textual HTTP headers is:¶
sh-float = ["-"] ( DIGIT "." 1*14DIGIT / 2DIGIT "." 1*13DIGIT / 3DIGIT "." 1*12DIGIT / 4DIGIT "." 1*11DIGIT / 5DIGIT "." 1*10DIGIT / 6DIGIT "." 1*9DIGIT / 7DIGIT "." 1*8DIGIT / 8DIGIT "." 1*7DIGIT / 9DIGIT "." 1*6DIGIT / 10DIGIT "." 1*5DIGIT / 11DIGIT "." 1*4DIGIT / 12DIGIT "." 1*3DIGIT / 13DIGIT "." 1*2DIGIT / 14DIGIT "." 1DIGIT )
For example, a header whose value is defined as a float could look like:¶
Example-FloatHeader: 4.5
Strings are zero or more printable ASCII [RFC0020] characters (i.e., the range 0x20 to 0x7E). Note that this excludes tabs, newlines, carriage returns, etc.¶
The ABNF for strings in textual HTTP headers is:¶
sh-string = DQUOTE *(chr) DQUOTE chr = unescaped / escaped unescaped = %x20-21 / %x23-5B / %x5D-7E escaped = "\" ( DQUOTE / "\" )
In textual HTTP headers, strings are delimited with double quotes, using a backslash (“\”) to escape double quotes and backslashes. For example:¶
Example-StringHeader: "hello world"
Note that strings only use DQUOTE as a delimiter; single quotes do not delimit strings. Furthermore, only DQUOTE and “\” can be escaped; other sequences MUST cause parsing to fail.¶
Unicode is not directly supported in this document, because it causes a number of interoperability issues, and – with few exceptions – header values do not require it.¶
When it is necessary for a field value to convey non-ASCII string content, a byte sequence (Section 3.8) SHOULD be specified, along with a character encoding (preferably UTF-8).¶
Parsers MUST support strings with at least 1024 characters.¶
Tokens are short textual words; their abstract model is identical to their expression in the textual HTTP serialisation.¶
The ABNF for tokens in textual HTTP headers is:¶
sh-token = ALPHA *( ALPHA / DIGIT / "_" / "-" / "." / ":" / "%" / "*" / "/" )
Parsers MUST support tokens with at least 512 characters.¶
Byte sequences can be conveyed in Structured Headers.¶
The ABNF for a byte sequence in textual HTTP headers is:¶
sh-binary = "*" *(base64) "*" base64 = ALPHA / DIGIT / "+" / "/" / "="
In textual HTTP headers, a byte sequence is delimited with asterisks and encoded using base64 ([RFC4648], Section 4). For example:¶
Example-BinaryHdr: *cHJldGVuZCB0aGlzIGlzIGJpbmFyeSBjb250ZW50Lg==*
Parsers MUST support byte sequences with at least 16384 octets after decoding.¶
Boolean values can be conveyed in Structured Headers.¶
The ABNF for a Boolean in textual HTTP headers is:¶
sh-boolean = "?" boolean boolean = "0" / "1"
In textual HTTP headers, a boolean is indicated with a leading “?” character. For example:¶
Example-BoolHdr: ?1
This section defines how to serialize and parse Structured Headers in textual header fields, and protocols compatible with them (e.g., in HTTP/2 [RFC7540] before HPACK [RFC7541] is applied).¶
Given a structure defined in this specification:¶
Given a list of (member, parameters) as input_list:¶
Given an array inner_list:¶
Given a key as input_key:¶
Given a dictionary as input_dictionary:¶
Given an item as input_item:¶
Given an integer as input_integer:¶
Given a float as input_float:¶
Given a string as input_string:¶
Given a token as input_token:¶
Given a byte sequence as input_bytes:¶
The encoded data is required to be padded with “=”, as per [RFC4648], Section 3.2.¶
Likewise, encoded data SHOULD have pad bits set to zero, as per [RFC4648], Section 3.5, unless it is not possible to do so due to implementation constraints.¶
Given a Boolean as input_boolean:¶
When a receiving implementation parses textual HTTP header fields that are known to be Structured Headers, it is important that care be taken, as there are a number of edge cases that can cause interoperability or even security problems. This section specifies the algorithm for doing so.¶
Given an array of bytes input_bytes that represents the chosen header’s field-value (which is an empty string if that header is not present), and header_type (one of “dictionary”, “list”, or “item”), return the parsed header value.¶
When generating input_bytes, parsers MUST combine all instances of the target header field into one comma-separated field-value, as per [RFC7230], Section 3.2.2; this assures that the header is processed correctly.¶
For Lists and Dictionaries, this has the effect of correctly concatenating all instances of the header field, as long as individual individual members of the top-level data structure are not split across multiple header instances.¶
Strings split across multiple header instances will have unpredictable results, because comma(s) and whitespace inserted upon combination will become part of the string output by the parser. Since concatenation might be done by an upstream intermediary, the results are not under the control of the serializer or the parser.¶
Tokens, Integers, Floats and Byte Sequences cannot be split across multiple headers because the inserted commas will cause parsing to fail.¶
If parsing fails – including when calling another algorithm – the entire header field’s value MUST be discarded. This is intentionally strict, to improve interoperability and safety, and specifications referencing this document are not allowed to loosen this requirement.¶
Given an ASCII string input_string, return an array of (member, parameters). input_string is modified to remove the parsed value.¶
Given an ASCII string input_string, return an token with an ordered map of parameters. input_string is modified to remove the parsed value.¶
Given an ASCII string input_string, return an array of items. input_string is modified to remove the parsed value.¶
Given an ASCII string input_string, return an ordered map of (key, item). input_string is modified to remove the parsed value.¶
Given an ASCII string input_string, return a key. input_string is modified to remove the parsed value.¶
Given an ASCII string input_string, return an item. input_string is modified to remove the parsed value.¶
Given an ASCII string input_string, return a number. input_string is modified to remove the parsed value.¶
NOTE: This algorithm parses both Integers Section 3.4 and Floats Section 3.5, and returns the corresponding structure.¶
Given an ASCII string input_string, return an unquoted string. input_string is modified to remove the parsed value.¶
Given an ASCII string input_string, return a token. input_string is modified to remove the parsed value.¶
Given an ASCII string input_string, return a byte sequence. input_string is modified to remove the parsed value.¶
Because some implementations of base64 do not allow reject of encoded data that is not properly “=” padded (see [RFC4648], Section 3.2), parsers SHOULD NOT fail when it is not present, unless they cannot be configured to do so.¶
Because some implementations of base64 do not allow rejection of encoded data that has non-zero pad bits (see [RFC4648], Section 3.5), parsers SHOULD NOT fail when it is present, unless they cannot be configured to do so.¶
Given an ASCII string input_string, return a Boolean. input_string is modified to remove the parsed value.¶
This draft has no actions for IANA.¶
The size of most types defined by Structured Headers is not limited; as a result, extremely large header fields could be an attack vector (e.g., for resource consumption). Most HTTP implementations limit the sizes of individual header fields as well as the overall header block size to mitigate such attacks.¶
It is possible for parties with the ability to inject new HTTP header fields to change the meaning of a Structured Header. In some circumstances, this will cause parsing to fail, but it is not possible to reliably fail in all such circumstances.¶
Many thanks to Matthew Kerwin for his detailed feedback and careful consideration during the development of this specification.¶
Earlier proposals for structured headers were based upon JSON [RFC8259]. However, constraining its use to make it suitable for HTTP header fields required senders and recipients to implement specific additional handling.¶
For example, JSON has specification issues around large numbers and objects with duplicate members. Although advice for avoiding these issues is available (e.g., [RFC7493]), it cannot be relied upon.¶
Likewise, JSON strings are by default Unicode strings, which have a number of potential interoperability issues (e.g., in comparison). Although implementers can be advised to avoid non-ASCII content where unnecessary, this is difficult to enforce.¶
Another example is JSON’s ability to nest content to arbitrary depths. Since the resulting memory commitment might be unsuitable (e.g., in embedded and other limited server deployments), it’s necessary to limit it in some fashion; however, existing JSON implementations have no such limits, and even if a limit is specified, it’s likely that some header field definition will find a need to violate it.¶
Because of JSON’s broad adoption and implementation, it is difficult to impose such additional constraints across all implementations; some deployments would fail to enforce them, thereby harming interoperability. In short, if it looks like JSON, people will be tempted to use a JSON parser / serialiser on header fields.¶
Since a major goal for Structured Headers is to improve interoperability and simplify implementation, these concerns led to a format that requires a dedicated parser and serializer.¶
Additionally, there were widely shared feelings that JSON doesn’t “look right” in HTTP headers.¶
Structured headers intentionally limits the complexity of data structures, to assure that it can be processed in a performant manner with little overhead. This means that work is necessary to fit some data types into them.¶
Sometimes, this can be achieved by creating limited substructures in values, and/or using more than one header. For example, consider:¶
Example-Thing: name="Widget", cost=89.2, descriptions=(foo bar) Example-Description: foo; url="https://example.net"; context=123, bar; url="https://example.org"; context=456
Since the description contains an array of key/value pairs, we use a List to represent them, with the token for each item in the array used to identify it in the “descriptions” member of the Example-Thing header.¶
When specifying more than one header, it’s important to remember to describe what a processor’s behaviour should be when one of the headers is missing.¶
If you need to fit arbitrarily complex data into a header, Structured Headers is probably a poor fit for your use case.¶
A generic implementation of this specification should expose the top-level parse (Section 4.2) and serialize (Section 4.1) functions. They need not be functions; for example, it could be implemented as an object, with methods for each of the different top-level types.¶
For interoperability, it’s important that generic implementations be complete and follow the algorithms closely; see Section 1.1. To aid this, a common test suite is being maintained by the community; see https://github.com/httpwg/structured-header-tests.¶
Implementers should note that dictionaries and parameters are order-preserving maps. Some headers may not convey meaning in the ordering of these data types, but it should still be exposed so that applications which need to use it will have it available.¶
Likewise, implementations should note that it’s important to preserve the distinction between tokens and strings. While most programming languages have native types that map to the other types well, it may be necessary to create a wrapper “token” object or use a parameter on functions to assure that these types remain separate.¶
RFC Editor: Please remove this section before publication. ¶