draft-ietf-httpbis-messaging-19.txt | draft-ietf-httpbis-messaging-latest.txt | |||
---|---|---|---|---|
HTTP Working Group R. Fielding, Ed. | HTTP Working Group R. Fielding, Ed. | |||
Internet-Draft Adobe | Internet-Draft Adobe | |||
Obsoletes: 7230 (if approved) M. Nottingham, Ed. | Obsoletes: 7230 (if approved) M. Nottingham, Ed. | |||
Intended status: Standards Track Fastly | Intended status: Standards Track Fastly | |||
Expires: March 14, 2022 J. Reschke, Ed. | Expires: January 7, 2025 J. Reschke, Ed. | |||
greenbytes | greenbytes | |||
September 10, 2021 | July 6, 2024 | |||
HTTP/1.1 | HTTP/1.1 | |||
draft-ietf-httpbis-messaging-19 | draft-ietf-httpbis-messaging-latest | |||
Abstract | Abstract | |||
The Hypertext Transfer Protocol (HTTP) is a stateless application- | The Hypertext Transfer Protocol (HTTP) is a stateless application- | |||
level protocol for distributed, collaborative, hypertext information | level protocol for distributed, collaborative, hypertext information | |||
systems. This document specifies the HTTP/1.1 message syntax, | systems. This document specifies the HTTP/1.1 message syntax, | |||
message parsing, connection management, and related security | message parsing, connection management, and related security | |||
concerns. | concerns. | |||
This document obsoletes portions of RFC 7230. | This document obsoletes portions of RFC 7230. | |||
skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
This note is to be removed before publishing as an RFC. | This note is to be removed before publishing as an RFC. | |||
Discussion of this draft takes place on the HTTP working group | Discussion of this draft takes place on the HTTP working group | |||
mailing list (ietf-http-wg@w3.org), which is archived at | mailing list (ietf-http-wg@w3.org), which is archived at | |||
<https://lists.w3.org/Archives/Public/ietf-http-wg/>. | <https://lists.w3.org/Archives/Public/ietf-http-wg/>. | |||
Working Group information can be found at <https://httpwg.org/>; | Working Group information can be found at <https://httpwg.org/>; | |||
source code and issues list for this draft can be found at | source code and issues list for this draft can be found at | |||
<https://github.com/httpwg/http-core>. | <https://github.com/httpwg/http-core>. | |||
The changes in this draft are summarized in Appendix D.20. | The changes in this draft are summarized in Appendix D.1. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on March 14, 2022. | This Internet-Draft will expire on January 7, 2025. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
extracted from this document must include Revised BSD License text as | extracted from this document must include Revised BSD License text as | |||
described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
skipping to change at page 3, line 51 ¶ | skipping to change at page 3, line 51 ¶ | |||
11.4. Message Confidentiality . . . . . . . . . . . . . . . . 40 | 11.4. Message Confidentiality . . . . . . . . . . . . . . . . 40 | |||
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 | 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 | |||
12.1. Field Name Registration . . . . . . . . . . . . . . . . 41 | 12.1. Field Name Registration . . . . . . . . . . . . . . . . 41 | |||
12.2. Media Type Registration . . . . . . . . . . . . . . . . 41 | 12.2. Media Type Registration . . . . . . . . . . . . . . . . 41 | |||
12.3. Transfer Coding Registration . . . . . . . . . . . . . . 41 | 12.3. Transfer Coding Registration . . . . . . . . . . . . . . 41 | |||
12.4. ALPN Protocol ID Registration . . . . . . . . . . . . . 42 | 12.4. ALPN Protocol ID Registration . . . . . . . . . . . . . 42 | |||
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 | 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 | |||
13.1. Normative References . . . . . . . . . . . . . . . . . . 42 | 13.1. Normative References . . . . . . . . . . . . . . . . . . 42 | |||
13.2. Informative References . . . . . . . . . . . . . . . . . 44 | 13.2. Informative References . . . . . . . . . . . . . . . . . 44 | |||
Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 45 | Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 45 | |||
Appendix B. Differences between HTTP and MIME . . . . . . . . . 47 | Appendix B. Differences between HTTP and MIME . . . . . . . . . 46 | |||
B.1. MIME-Version . . . . . . . . . . . . . . . . . . . . . . 47 | B.1. MIME-Version . . . . . . . . . . . . . . . . . . . . . . 47 | |||
B.2. Conversion to Canonical Form . . . . . . . . . . . . . . 47 | B.2. Conversion to Canonical Form . . . . . . . . . . . . . . 47 | |||
B.3. Conversion of Date Formats . . . . . . . . . . . . . . . 48 | B.3. Conversion of Date Formats . . . . . . . . . . . . . . . 47 | |||
B.4. Conversion of Content-Encoding . . . . . . . . . . . . . 48 | B.4. Conversion of Content-Encoding . . . . . . . . . . . . . 48 | |||
B.5. Conversion of Content-Transfer-Encoding . . . . . . . . . 48 | B.5. Conversion of Content-Transfer-Encoding . . . . . . . . . 48 | |||
B.6. MHTML and Line Length Limitations . . . . . . . . . . . . 48 | B.6. MHTML and Line Length Limitations . . . . . . . . . . . . 48 | |||
Appendix C. Changes from previous RFCs . . . . . . . . . . . . . 49 | Appendix C. Changes from Previous RFCs . . . . . . . . . . . . . 48 | |||
C.1. Changes from HTTP/0.9 . . . . . . . . . . . . . . . . . . 49 | C.1. Changes from HTTP/0.9 . . . . . . . . . . . . . . . . . . 49 | |||
C.2. Changes from HTTP/1.0 . . . . . . . . . . . . . . . . . . 49 | C.2. Changes from HTTP/1.0 . . . . . . . . . . . . . . . . . . 49 | |||
C.2.1. Multihomed Web Servers . . . . . . . . . . . . . . . 49 | C.2.1. Multihomed Web Servers . . . . . . . . . . . . . . . 49 | |||
C.2.2. Keep-Alive Connections . . . . . . . . . . . . . . . 49 | C.2.2. Keep-Alive Connections . . . . . . . . . . . . . . . 49 | |||
C.2.3. Introduction of Transfer-Encoding . . . . . . . . . . 50 | C.2.3. Introduction of Transfer-Encoding . . . . . . . . . . 50 | |||
C.3. Changes from RFC 7230 . . . . . . . . . . . . . . . . . . 50 | C.3. Changes from RFC 7230 . . . . . . . . . . . . . . . . . . 50 | |||
Appendix D. Change Log . . . . . . . . . . . . . . . . . . . . . 51 | Appendix D. Change Log . . . . . . . . . . . . . . . . . . . . . 51 | |||
D.1. Between RFC7230 and draft 00 . . . . . . . . . . . . . . 51 | D.1. Since draft-ietf-httpbis-messaging-19 . . . . . . . . . . 51 | |||
D.2. Since draft-ietf-httpbis-messaging-00 . . . . . . . . . . 51 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 51 | |||
D.3. Since draft-ietf-httpbis-messaging-01 . . . . . . . . . . 52 | Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 | |||
D.4. Since draft-ietf-httpbis-messaging-02 . . . . . . . . . . 52 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
D.5. Since draft-ietf-httpbis-messaging-03 . . . . . . . . . . 53 | ||||
D.6. Since draft-ietf-httpbis-messaging-04 . . . . . . . . . . 53 | ||||
D.7. Since draft-ietf-httpbis-messaging-05 . . . . . . . . . . 53 | ||||
D.8. Since draft-ietf-httpbis-messaging-06 . . . . . . . . . . 54 | ||||
D.9. Since draft-ietf-httpbis-messaging-07 . . . . . . . . . . 54 | ||||
D.10. Since draft-ietf-httpbis-messaging-08 . . . . . . . . . . 54 | ||||
D.11. Since draft-ietf-httpbis-messaging-09 . . . . . . . . . . 55 | ||||
D.12. Since draft-ietf-httpbis-messaging-10 . . . . . . . . . . 55 | ||||
D.13. Since draft-ietf-httpbis-messaging-11 . . . . . . . . . . 55 | ||||
D.14. Since draft-ietf-httpbis-messaging-12 . . . . . . . . . . 55 | ||||
D.15. Since draft-ietf-httpbis-messaging-13 . . . . . . . . . . 56 | ||||
D.16. Since draft-ietf-httpbis-messaging-14 . . . . . . . . . . 56 | ||||
D.17. Since draft-ietf-httpbis-messaging-15 . . . . . . . . . . 57 | ||||
D.18. Since draft-ietf-httpbis-messaging-16 . . . . . . . . . . 57 | ||||
D.19. Since draft-ietf-httpbis-messaging-17 . . . . . . . . . . 57 | ||||
D.20. Since draft-ietf-httpbis-messaging-18 . . . . . . . . . . 57 | ||||
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 58 | ||||
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60 | ||||
1. Introduction | 1. Introduction | |||
The Hypertext Transfer Protocol (HTTP) is a stateless application- | The Hypertext Transfer Protocol (HTTP) is a stateless application- | |||
level request/response protocol that uses extensible semantics and | level request/response protocol that uses extensible semantics and | |||
self-descriptive messages for flexible interaction with network-based | self-descriptive messages for flexible interaction with network-based | |||
hypertext information systems. HTTP/1.1 is defined by: | hypertext information systems. HTTP/1.1 is defined by: | |||
o This document | o This document | |||
skipping to change at page 5, line 4 ¶ | skipping to change at page 4, line 33 ¶ | |||
1. Introduction | 1. Introduction | |||
The Hypertext Transfer Protocol (HTTP) is a stateless application- | The Hypertext Transfer Protocol (HTTP) is a stateless application- | |||
level request/response protocol that uses extensible semantics and | level request/response protocol that uses extensible semantics and | |||
self-descriptive messages for flexible interaction with network-based | self-descriptive messages for flexible interaction with network-based | |||
hypertext information systems. HTTP/1.1 is defined by: | hypertext information systems. HTTP/1.1 is defined by: | |||
o This document | o This document | |||
o "HTTP Semantics" [HTTP] | o "HTTP Semantics" [HTTP] | |||
o "HTTP Caching" [CACHING] | o "HTTP Caching" [CACHING] | |||
This document specifies how HTTP semantics are conveyed using the | This document specifies how HTTP semantics are conveyed using the | |||
HTTP/1.1 message syntax, framing and connection management | HTTP/1.1 message syntax, framing, and connection management | |||
mechanisms. Its goal is to define the complete set of requirements | mechanisms. Its goal is to define the complete set of requirements | |||
for HTTP/1.1 message parsers and message-forwarding intermediaries. | for HTTP/1.1 message parsers and message-forwarding intermediaries. | |||
This document obsoletes the portions of RFC 7230 related to HTTP/1.1 | This document obsoletes the portions of RFC 7230 related to HTTP/1.1 | |||
messaging and connection management, with the changes being | messaging and connection management, with the changes being | |||
summarized in Appendix C.3. The other parts of RFC 7230 are | summarized in Appendix C.3. The other parts of RFC 7230 are | |||
obsoleted by "HTTP Semantics" [HTTP]. | obsoleted by "HTTP Semantics" [HTTP]. | |||
1.1. Requirements Notation | 1.1. Requirements Notation | |||
skipping to change at page 5, line 35 ¶ | skipping to change at page 5, line 24 ¶ | |||
defined in Section 2 of [HTTP]. | defined in Section 2 of [HTTP]. | |||
1.2. Syntax Notation | 1.2. Syntax Notation | |||
This specification uses the Augmented Backus-Naur Form (ABNF) | This specification uses the Augmented Backus-Naur Form (ABNF) | |||
notation of [RFC5234], extended with the notation for case- | notation of [RFC5234], extended with the notation for case- | |||
sensitivity in strings defined in [RFC7405]. | sensitivity in strings defined in [RFC7405]. | |||
It also uses a list extension, defined in Section 5.6.1 of [HTTP], | It also uses a list extension, defined in Section 5.6.1 of [HTTP], | |||
that allows for compact definition of comma-separated lists using a | that allows for compact definition of comma-separated lists using a | |||
'#' operator (similar to how the '*' operator indicates repetition). | "#" operator (similar to how the "*" operator indicates repetition). | |||
Appendix A shows the collected grammar with all list operators | Appendix A shows the collected grammar with all list operators | |||
expanded to standard ABNF notation. | expanded to standard ABNF notation. | |||
As a convention, ABNF rule names prefixed with "obs-" denote | As a convention, ABNF rule names prefixed with "obs-" denote obsolete | |||
"obsolete" grammar rules that appear for historical reasons. | grammar rules that appear for historical reasons. | |||
The following core rules are included by reference, as defined in | The following core rules are included by reference, as defined in | |||
[RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF | [RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF | |||
(CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote), | (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote), | |||
HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF (line | HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF (line | |||
feed), OCTET (any 8-bit sequence of data), SP (space), and VCHAR (any | feed), OCTET (any 8-bit sequence of data), SP (space), and VCHAR (any | |||
visible [USASCII] character). | visible [USASCII] character). | |||
The rules below are defined in [HTTP]: | The rules below are defined in [HTTP]: | |||
skipping to change at page 6, line 45 ¶ | skipping to change at page 6, line 31 ¶ | |||
[RFC5322]: zero or more header field lines (collectively referred to | [RFC5322]: zero or more header field lines (collectively referred to | |||
as the "headers" or the "header section"), an empty line indicating | as the "headers" or the "header section"), an empty line indicating | |||
the end of the header section, and an optional message body. | the end of the header section, and an optional message body. | |||
HTTP-message = start-line CRLF | HTTP-message = start-line CRLF | |||
*( field-line CRLF ) | *( field-line CRLF ) | |||
CRLF | CRLF | |||
[ message-body ] | [ message-body ] | |||
A message can be either a request from client to server or a response | A message can be either a request from client to server or a response | |||
from server to client. Syntactically, the two types of message | from server to client. Syntactically, the two types of messages | |||
differ only in the start-line, which is either a request-line (for | differ only in the start-line, which is either a request-line (for | |||
requests) or a status-line (for responses), and in the algorithm for | requests) or a status-line (for responses), and in the algorithm for | |||
determining the length of the message body (Section 6). | determining the length of the message body (Section 6). | |||
start-line = request-line / status-line | start-line = request-line / status-line | |||
In theory, a client could receive requests and a server could receive | In theory, a client could receive requests and a server could receive | |||
responses, distinguishing them by their different start-line formats. | responses, distinguishing them by their different start-line formats. | |||
In practice, servers are implemented to only expect a request (a | In practice, servers are implemented to only expect a request (a | |||
response is interpreted as an unknown or invalid request method) and | response is interpreted as an unknown or invalid request method), and | |||
clients are implemented to only expect a response. | clients are implemented to only expect a response. | |||
HTTP makes use of some protocol elements similar to the Multipurpose | HTTP makes use of some protocol elements similar to the Multipurpose | |||
Internet Mail Extensions (MIME) [RFC2045]. See Appendix B for the | Internet Mail Extensions (MIME) [RFC2045]. See Appendix B for the | |||
differences between HTTP and MIME messages. | differences between HTTP and MIME messages. | |||
2.2. Message Parsing | 2.2. Message Parsing | |||
The normal procedure for parsing an HTTP message is to read the | The normal procedure for parsing an HTTP message is to read the | |||
start-line into a structure, read each header field line into a hash | start-line into a structure, read each header field line into a hash | |||
skipping to change at page 9, line 31 ¶ | skipping to change at page 9, line 22 ¶ | |||
correctly or when an intermediary is known to blindly forward the | correctly or when an intermediary is known to blindly forward the | |||
HTTP-version even when it doesn't conform to the given minor version | HTTP-version even when it doesn't conform to the given minor version | |||
of the protocol. Such protocol downgrades SHOULD NOT be performed | of the protocol. Such protocol downgrades SHOULD NOT be performed | |||
unless triggered by specific client attributes, such as when one or | unless triggered by specific client attributes, such as when one or | |||
more of the request header fields (e.g., User-Agent) uniquely match | more of the request header fields (e.g., User-Agent) uniquely match | |||
the values sent by a client known to be in error. | the values sent by a client known to be in error. | |||
3. Request Line | 3. Request Line | |||
A request-line begins with a method token, followed by a single space | A request-line begins with a method token, followed by a single space | |||
(SP), the request-target, another single space (SP), and ends with | (SP), the request-target, and another single space (SP), and ends | |||
the protocol version. | with the protocol version. | |||
request-line = method SP request-target SP HTTP-version | request-line = method SP request-target SP HTTP-version | |||
Although the request-line grammar rule requires that each of the | Although the request-line grammar rule requires that each of the | |||
component elements be separated by a single SP octet, recipients MAY | component elements be separated by a single SP octet, recipients MAY | |||
instead parse on whitespace-delimited word boundaries and, aside from | instead parse on whitespace-delimited word boundaries and, aside from | |||
the CRLF terminator, treat any form of whitespace as the SP separator | the CRLF terminator, treat any form of whitespace as the SP separator | |||
while ignoring preceding or trailing whitespace; such whitespace | while ignoring preceding or trailing whitespace; such whitespace | |||
includes one or more of the following octets: SP, HTAB, VT (%x0B), FF | includes one or more of the following octets: SP, HTAB, VT (%x0B), FF | |||
(%x0C), or bare CR. However, lenient parsing can result in request | (%x0C), or bare CR. However, lenient parsing can result in request | |||
skipping to change at page 10, line 49 ¶ | skipping to change at page 10, line 45 ¶ | |||
400 (Bad Request) error or a 301 (Moved Permanently) redirect with | 400 (Bad Request) error or a 301 (Moved Permanently) redirect with | |||
the request-target properly encoded. A recipient SHOULD NOT attempt | the request-target properly encoded. A recipient SHOULD NOT attempt | |||
to autocorrect and then process the request without a redirect, since | to autocorrect and then process the request without a redirect, since | |||
the invalid request-line might be deliberately crafted to bypass | the invalid request-line might be deliberately crafted to bypass | |||
security filters along the request chain. | security filters along the request chain. | |||
A client MUST send a Host header field (Section 7.2 of [HTTP]) in all | A client MUST send a Host header field (Section 7.2 of [HTTP]) in all | |||
HTTP/1.1 request messages. If the target URI includes an authority | HTTP/1.1 request messages. If the target URI includes an authority | |||
component, then a client MUST send a field value for Host that is | component, then a client MUST send a field value for Host that is | |||
identical to that authority component, excluding any userinfo | identical to that authority component, excluding any userinfo | |||
subcomponent and its "@" delimiter (Section 4.2.1 of [HTTP]). If the | subcomponent and its "@" delimiter (Section 4.2 of [HTTP]). If the | |||
authority component is missing or undefined for the target URI, then | authority component is missing or undefined for the target URI, then | |||
a client MUST send a Host header field with an empty field value. | a client MUST send a Host header field with an empty field value. | |||
A server MUST respond with a 400 (Bad Request) status code to any | A server MUST respond with a 400 (Bad Request) status code to any | |||
HTTP/1.1 request message that lacks a Host header field and to any | HTTP/1.1 request message that lacks a Host header field and to any | |||
request message that contains more than one Host header field line or | request message that contains more than one Host header field line or | |||
a Host header field with an invalid field value. | a Host header field with an invalid field value. | |||
3.2.1. origin-form | 3.2.1. origin-form | |||
The most common form of request-target is the _origin-form_. | The most common form of request-target is the "origin-form". | |||
origin-form = absolute-path [ "?" query ] | origin-form = absolute-path [ "?" query ] | |||
When making a request directly to an origin server, other than a | When making a request directly to an origin server, other than a | |||
CONNECT or server-wide OPTIONS request (as detailed below), a client | CONNECT or server-wide OPTIONS request (as detailed below), a client | |||
MUST send only the absolute path and query components of the target | MUST send only the absolute path and query components of the target | |||
URI as the request-target. If the target URI's path component is | URI as the request-target. If the target URI's path component is | |||
empty, the client MUST send "/" as the path within the origin-form of | empty, the client MUST send "/" as the path within the origin-form of | |||
request-target. A Host header field is also sent, as defined in | request-target. A Host header field is also sent, as defined in | |||
Section 7.2 of [HTTP]. | Section 7.2 of [HTTP]. | |||
skipping to change at page 11, line 42 ¶ | skipping to change at page 11, line 37 ¶ | |||
GET /where?q=now HTTP/1.1 | GET /where?q=now HTTP/1.1 | |||
Host: www.example.org | Host: www.example.org | |||
followed by the remainder of the request message. | followed by the remainder of the request message. | |||
3.2.2. absolute-form | 3.2.2. absolute-form | |||
When making a request to a proxy, other than a CONNECT or server-wide | When making a request to a proxy, other than a CONNECT or server-wide | |||
OPTIONS request (as detailed below), a client MUST send the target | OPTIONS request (as detailed below), a client MUST send the target | |||
URI in _absolute-form_ as the request-target. | URI in "absolute-form" as the request-target. | |||
absolute-form = absolute-URI | absolute-form = absolute-URI | |||
The proxy is requested to either service that request from a valid | The proxy is requested to either service that request from a valid | |||
cache, if possible, or make the same request on the client's behalf | cache, if possible, or make the same request on the client's behalf | |||
to either the next inbound proxy server or directly to the origin | either to the next inbound proxy server or directly to the origin | |||
server indicated by the request-target. Requirements on such | server indicated by the request-target. Requirements on such | |||
"forwarding" of messages are defined in Section 7.6 of [HTTP]. | "forwarding" of messages are defined in Section 7.6 of [HTTP]. | |||
An example absolute-form of request-line would be: | An example absolute-form of request-line would be: | |||
GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1 | GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1 | |||
A client MUST send a Host header field in an HTTP/1.1 request even if | A client MUST send a Host header field in an HTTP/1.1 request even if | |||
the request-target is in the absolute-form, since this allows the | the request-target is in the absolute-form, since this allows the | |||
Host information to be forwarded through ancient HTTP/1.0 proxies | Host information to be forwarded through ancient HTTP/1.0 proxies | |||
that might not have implemented Host. | that might not have implemented Host. | |||
When a proxy receives a request with an absolute-form of request- | When a proxy receives a request with an absolute-form of request- | |||
target, the proxy MUST ignore the received Host header field (if any) | target, the proxy MUST ignore the received Host header field (if any) | |||
and instead replace it with the host information of the request- | and instead replace it with the host information of the request- | |||
target. A proxy that forwards such a request MUST generate a new | target. A proxy that forwards such a request MUST generate a new | |||
Host field value based on the received request-target rather than | Host field value based on the received request-target rather than | |||
skipping to change at page 12, line 31 ¶ | skipping to change at page 12, line 28 ¶ | |||
header field (if any) and instead use the host information of the | header field (if any) and instead use the host information of the | |||
request-target. Note that if the request-target does not have an | request-target. Note that if the request-target does not have an | |||
authority component, an empty Host header field will be sent in this | authority component, an empty Host header field will be sent in this | |||
case. | case. | |||
A server MUST accept the absolute-form in requests even though most | A server MUST accept the absolute-form in requests even though most | |||
HTTP/1.1 clients will only send the absolute-form to a proxy. | HTTP/1.1 clients will only send the absolute-form to a proxy. | |||
3.2.3. authority-form | 3.2.3. authority-form | |||
The _authority-form_ of request-target is only used for CONNECT | The "authority-form" of request-target is only used for CONNECT | |||
requests (Section 9.3.6 of [HTTP]). It consists of only the uri-host | requests (Section 9.3.6 of [HTTP]). It consists of only the uri-host | |||
and port number of the tunnel destination, separated by a colon | and port number of the tunnel destination, separated by a colon | |||
(":"). | (":"). | |||
authority-form = uri-host ":" port | authority-form = uri-host ":" port | |||
When making a CONNECT request to establish a tunnel through one or | When making a CONNECT request to establish a tunnel through one or | |||
more proxies, a client MUST send only the host and port of the tunnel | more proxies, a client MUST send only the host and port of the tunnel | |||
destination as the request-target. The client obtains the host and | destination as the request-target. The client obtains the host and | |||
port from the target URI's authority component, except that it sends | port from the target URI's authority component, except that it sends | |||
the scheme's default port if the target URI elides the port. For | the scheme's default port if the target URI elides the port. For | |||
example, a CONNECT request to "http://www.example.com" looks like | example, a CONNECT request to "http://www.example.com" looks like the | |||
following: | ||||
CONNECT www.example.com:80 HTTP/1.1 | CONNECT www.example.com:80 HTTP/1.1 | |||
Host: www.example.com | Host: www.example.com | |||
3.2.4. asterisk-form | 3.2.4. asterisk-form | |||
The _asterisk-form_ of request-target is only used for a server-wide | The "asterisk-form" of request-target is only used for a server-wide | |||
OPTIONS request (Section 9.3.7 of [HTTP]). | OPTIONS request (Section 9.3.7 of [HTTP]). | |||
asterisk-form = "*" | asterisk-form = "*" | |||
When a client wishes to request OPTIONS for the server as a whole, as | When a client wishes to request OPTIONS for the server as a whole, as | |||
opposed to a specific named resource of that server, the client MUST | opposed to a specific named resource of that server, the client MUST | |||
send only "*" (%x2A) as the request-target. For example, | send only "*" (%x2A) as the request-target. For example, | |||
OPTIONS * HTTP/1.1 | OPTIONS * HTTP/1.1 | |||
skipping to change at page 14, line 21 ¶ | skipping to change at page 14, line 15 ¶ | |||
o If the request-target is in authority-form or asterisk-form, the | o If the request-target is in authority-form or asterisk-form, the | |||
target URI's combined path and query component is empty. | target URI's combined path and query component is empty. | |||
Otherwise, the target URI's combined path and query component is | Otherwise, the target URI's combined path and query component is | |||
the request-target. | the request-target. | |||
o The components of a reconstructed target URI, once determined as | o The components of a reconstructed target URI, once determined as | |||
above, can be recombined into absolute-URI form by concatenating | above, can be recombined into absolute-URI form by concatenating | |||
the scheme, "://", authority, and combined path and query | the scheme, "://", authority, and combined path and query | |||
component. | component. | |||
Example 1: the following message received over a secure connection | Example 1: The following message received over a secure connection | |||
GET /pub/WWW/TheProject.html HTTP/1.1 | GET /pub/WWW/TheProject.html HTTP/1.1 | |||
Host: www.example.org | Host: www.example.org | |||
has a target URI of | has a target URI of | |||
https://www.example.org/pub/WWW/TheProject.html | https://www.example.org/pub/WWW/TheProject.html | |||
Example 2: the following message received over an insecure connection | Example 2: The following message received over an insecure connection | |||
OPTIONS * HTTP/1.1 | OPTIONS * HTTP/1.1 | |||
Host: www.example.org:8080 | Host: www.example.org:8080 | |||
has a target URI of | has a target URI of | |||
http://www.example.org:8080 | http://www.example.org:8080 | |||
If the target URI's authority component is empty and its URI scheme | If the target URI's authority component is empty and its URI scheme | |||
requires a non-empty authority (as is the case for "http" and | requires a non-empty authority (as is the case for "http" and | |||
"https"), the server can reject the request or determine whether a | "https"), the server can reject the request or determine whether a | |||
configured default applies that is consistent with the incoming | configured default applies that is consistent with the incoming | |||
connection's context. Context might include connection details like | connection's context. Context might include connection details like | |||
address and port, what security has been applied, and locally-defined | address and port, what security has been applied, and locally defined | |||
information specific to that server's configuration. An empty | information specific to that server's configuration. An empty | |||
authority is replaced with the configured default before further | authority is replaced with the configured default before further | |||
processing of the request. | processing of the request. | |||
Supplying a default name for authority within the context of a | Supplying a default name for authority within the context of a | |||
secured connection is inherently unsafe if there is any chance that | secured connection is inherently unsafe if there is any chance that | |||
the user agent's intended authority might differ from the default. A | the user agent's intended authority might differ from the default. A | |||
server that can uniquely identify an authority from the request | server that can uniquely identify an authority from the request | |||
context MAY use that identity as a default without this risk. | context MAY use that identity as a default without this risk. | |||
Alternatively, it might be better to redirect the request to a safe | Alternatively, it might be better to redirect the request to a safe | |||
skipping to change at page 15, line 17 ¶ | skipping to change at page 15, line 14 ¶ | |||
Note that reconstructing the client's target URI is only half of the | Note that reconstructing the client's target URI is only half of the | |||
process for identifying a target resource. The other half is | process for identifying a target resource. The other half is | |||
determining whether that target URI identifies a resource for which | determining whether that target URI identifies a resource for which | |||
the server is willing and able to send a response, as defined in | the server is willing and able to send a response, as defined in | |||
Section 7.4 of [HTTP]. | Section 7.4 of [HTTP]. | |||
4. Status Line | 4. Status Line | |||
The first line of a response message is the status-line, consisting | The first line of a response message is the status-line, consisting | |||
of the protocol version, a space (SP), the status code, another | of the protocol version, a space (SP), the status code, and another | |||
space, and ending with an OPTIONAL textual phrase describing the | space and ending with an OPTIONAL textual phrase describing the | |||
status code. | status code. | |||
status-line = HTTP-version SP status-code SP [reason-phrase] | status-line = HTTP-version SP status-code SP [ reason-phrase ] | |||
Although the status-line grammar rule requires that each of the | Although the status-line grammar rule requires that each of the | |||
component elements be separated by a single SP octet, recipients MAY | component elements be separated by a single SP octet, recipients MAY | |||
instead parse on whitespace-delimited word boundaries and, aside from | instead parse on whitespace-delimited word boundaries and, aside from | |||
the line terminator, treat any form of whitespace as the SP separator | the line terminator, treat any form of whitespace as the SP separator | |||
while ignoring preceding or trailing whitespace; such whitespace | while ignoring preceding or trailing whitespace; such whitespace | |||
includes one or more of the following octets: SP, HTAB, VT (%x0B), FF | includes one or more of the following octets: SP, HTAB, VT (%x0B), FF | |||
(%x0C), or bare CR. However, lenient parsing can result in response | (%x0C), or bare CR. However, lenient parsing can result in response | |||
splitting security vulnerabilities if there are multiple recipients | splitting security vulnerabilities if there are multiple recipients | |||
of the message and each has its own unique interpretation of | of the message and each has its own unique interpretation of | |||
skipping to change at page 16, line 16 ¶ | skipping to change at page 16, line 9 ¶ | |||
textual description associated with the numeric status code, mostly | textual description associated with the numeric status code, mostly | |||
out of deference to earlier Internet application protocols that were | out of deference to earlier Internet application protocols that were | |||
more frequently used with interactive text clients. | more frequently used with interactive text clients. | |||
reason-phrase = 1*( HTAB / SP / VCHAR / obs-text ) | reason-phrase = 1*( HTAB / SP / VCHAR / obs-text ) | |||
A client SHOULD ignore the reason-phrase content because it is not a | A client SHOULD ignore the reason-phrase content because it is not a | |||
reliable channel for information (it might be translated for a given | reliable channel for information (it might be translated for a given | |||
locale, overwritten by intermediaries, or discarded when the message | locale, overwritten by intermediaries, or discarded when the message | |||
is forwarded via other versions of HTTP). A server MUST send the | is forwarded via other versions of HTTP). A server MUST send the | |||
space that separates status-code from the reason-phrase even when the | space that separates the status-code from the reason-phrase even when | |||
reason-phrase is absent (i.e., the status-line would end with the | the reason-phrase is absent (i.e., the status-line would end with the | |||
three octets SP CR LF). | space). | |||
5. Field Syntax | 5. Field Syntax | |||
Each field line consists of a case-insensitive field name followed by | Each field line consists of a case-insensitive field name followed by | |||
a colon (":"), optional leading whitespace, the field line value, and | a colon (":"), optional leading whitespace, the field line value, and | |||
optional trailing whitespace. | optional trailing whitespace. | |||
field-line = field-name ":" OWS field-value OWS | field-line = field-name ":" OWS field-value OWS | |||
Most HTTP field names and the rules for parsing within field values | Rules for parsing within field values are defined in Section 5.5 of | |||
are defined in Section 6.3 of [HTTP]. This section covers the | [HTTP]. This section covers the generic syntax for header field | |||
generic syntax for header field inclusion within, and extraction | inclusion within, and extraction from, HTTP/1.1 messages. | |||
from, HTTP/1.1 messages. | ||||
5.1. Field Line Parsing | 5.1. Field Line Parsing | |||
Messages are parsed using a generic algorithm, independent of the | Messages are parsed using a generic algorithm, independent of the | |||
individual field names. The contents within a given field line value | individual field names. The contents within a given field line value | |||
are not parsed until a later stage of message interpretation (usually | are not parsed until a later stage of message interpretation (usually | |||
after the message's entire field section has been processed). | after the message's entire field section has been processed). | |||
No whitespace is allowed between the field name and colon. In the | No whitespace is allowed between the field name and colon. In the | |||
past, differences in the handling of such whitespace have led to | past, differences in the handling of such whitespace have led to | |||
skipping to change at page 17, line 13 ¶ | skipping to change at page 17, line 10 ¶ | |||
before the first non-whitespace octet of the field line value, or | before the first non-whitespace octet of the field line value, or | |||
after the last non-whitespace octet of the field line value, is | after the last non-whitespace octet of the field line value, is | |||
excluded by parsers when extracting the field line value from a field | excluded by parsers when extracting the field line value from a field | |||
line. | line. | |||
5.2. Obsolete Line Folding | 5.2. Obsolete Line Folding | |||
Historically, HTTP/1.x field values could be extended over multiple | Historically, HTTP/1.x field values could be extended over multiple | |||
lines by preceding each extra line with at least one space or | lines by preceding each extra line with at least one space or | |||
horizontal tab (obs-fold). This specification deprecates such line | horizontal tab (obs-fold). This specification deprecates such line | |||
folding except within the message/http media type (Section 10.1). | folding except within the "message/http" media type (Section 10.1). | |||
obs-fold = OWS CRLF RWS | obs-fold = OWS CRLF RWS | |||
; obsolete line folding | ; obsolete line folding | |||
A sender MUST NOT generate a message that includes line folding | A sender MUST NOT generate a message that includes line folding | |||
(i.e., that has any field line value that contains a match to the | (i.e., that has any field line value that contains a match to the | |||
obs-fold rule) unless the message is intended for packaging within | obs-fold rule) unless the message is intended for packaging within | |||
the message/http media type. | the "message/http" media type. | |||
A server that receives an obs-fold in a request message that is not | A server that receives an obs-fold in a request message that is not | |||
within a message/http container MUST either reject the message by | within a "message/http" container MUST either reject the message by | |||
sending a 400 (Bad Request), preferably with a representation | sending a 400 (Bad Request), preferably with a representation | |||
explaining that obsolete line folding is unacceptable, or replace | explaining that obsolete line folding is unacceptable, or replace | |||
each received obs-fold with one or more SP octets prior to | each received obs-fold with one or more SP octets prior to | |||
interpreting the field value or forwarding the message downstream. | interpreting the field value or forwarding the message downstream. | |||
A proxy or gateway that receives an obs-fold in a response message | A proxy or gateway that receives an obs-fold in a response message | |||
that is not within a message/http container MUST either discard the | that is not within a "message/http" container MUST either discard the | |||
message and replace it with a 502 (Bad Gateway) response, preferably | message and replace it with a 502 (Bad Gateway) response, preferably | |||
with a representation explaining that unacceptable line folding was | with a representation explaining that unacceptable line folding was | |||
received, or replace each received obs-fold with one or more SP | received, or replace each received obs-fold with one or more SP | |||
octets prior to interpreting the field value or forwarding the | octets prior to interpreting the field value or forwarding the | |||
message downstream. | message downstream. | |||
A user agent that receives an obs-fold in a response message that is | A user agent that receives an obs-fold in a response message that is | |||
not within a message/http container MUST replace each received | not within a "message/http" container MUST replace each received | |||
obs-fold with one or more SP octets prior to interpreting the field | obs-fold with one or more SP octets prior to interpreting the field | |||
value. | value. | |||
6. Message Body | 6. Message Body | |||
The message body (if any) of an HTTP/1.1 message is used to carry | The message body (if any) of an HTTP/1.1 message is used to carry | |||
content (Section 6.4 of [HTTP]) for the request or response. The | content (Section 6.4 of [HTTP]) for the request or response. The | |||
message body is identical to the content unless a transfer coding has | message body is identical to the content unless a transfer coding has | |||
been applied, as described in Section 6.1. | been applied, as described in Section 6.1. | |||
message-body = *OCTET | message-body = *OCTET | |||
The rules for determining when a message body is present in an | The rules for determining when a message body is present in an | |||
HTTP/1.1 message differ for requests and responses. | HTTP/1.1 message differ for requests and responses. | |||
The presence of a message body in a request is signaled by a | The presence of a message body in a request is signaled by a | |||
Content-Length or Transfer-Encoding header field. Request message | Content-Length or Transfer-Encoding header field. Request message | |||
framing is independent of method semantics. | framing is independent of method semantics. | |||
The presence of a message body in a response depends on both the | The presence of a message body in a response, as detailed in | |||
request method to which it is responding and the response status code | Section 6.3, depends on both the request method to which it is | |||
(Section 4), and corresponds to when content is allowed; see | responding and the response status code. This corresponds to when | |||
Section 6.4 of [HTTP]. | response content is allowed by HTTP semantics (Section 6.4.1 of | |||
[HTTP]). | ||||
6.1. Transfer-Encoding | 6.1. Transfer-Encoding | |||
The Transfer-Encoding header field lists the transfer coding names | The Transfer-Encoding header field lists the transfer coding names | |||
corresponding to the sequence of transfer codings that have been (or | corresponding to the sequence of transfer codings that have been (or | |||
will be) applied to the content in order to form the message body. | will be) applied to the content in order to form the message body. | |||
Transfer codings are defined in Section 7. | Transfer codings are defined in Section 7. | |||
Transfer-Encoding = #transfer-coding | Transfer-Encoding = #transfer-coding | |||
; defined in [HTTP], Section 10.1.4 | ; defined in [HTTP], Section 10.1.4 | |||
skipping to change at page 19, line 4 ¶ | skipping to change at page 18, line 49 ¶ | |||
transfer coding other than chunked is applied to a request's content, | transfer coding other than chunked is applied to a request's content, | |||
the sender MUST apply chunked as the final transfer coding to ensure | the sender MUST apply chunked as the final transfer coding to ensure | |||
that the message is properly framed. If any transfer coding other | that the message is properly framed. If any transfer coding other | |||
than chunked is applied to a response's content, the sender MUST | than chunked is applied to a response's content, the sender MUST | |||
either apply chunked as the final transfer coding or terminate the | either apply chunked as the final transfer coding or terminate the | |||
message by closing the connection. | message by closing the connection. | |||
For example, | For example, | |||
Transfer-Encoding: gzip, chunked | Transfer-Encoding: gzip, chunked | |||
indicates that the content has been compressed using the gzip coding | indicates that the content has been compressed using the gzip coding | |||
and then chunked using the chunked coding while forming the message | and then chunked using the chunked coding while forming the message | |||
body. | body. | |||
Unlike Content-Encoding (Section 8.4.1 of [HTTP]), Transfer-Encoding | Unlike Content-Encoding (Section 8.4.1 of [HTTP]), Transfer-Encoding | |||
is a property of the message, not of the representation, and any | is a property of the message, not of the representation. Any | |||
recipient along the request/response chain MAY decode the received | recipient along the request/response chain MAY decode the received | |||
transfer coding(s) or apply additional transfer coding(s) to the | transfer coding(s) or apply additional transfer coding(s) to the | |||
message body, assuming that corresponding changes are made to the | message body, assuming that corresponding changes are made to the | |||
Transfer-Encoding field value. Additional information about the | Transfer-Encoding field value. Additional information about the | |||
encoding parameters can be provided by other header fields not | encoding parameters can be provided by other header fields not | |||
defined by this specification. | defined by this specification. | |||
Transfer-Encoding MAY be sent in a response to a HEAD request or in a | Transfer-Encoding MAY be sent in a response to a HEAD request or in a | |||
304 (Not Modified) response (Section 15.4.5 of [HTTP]) to a GET | 304 (Not Modified) response (Section 15.4.5 of [HTTP]) to a GET | |||
request, neither of which includes a message body, to indicate that | request, neither of which includes a message body, to indicate that | |||
skipping to change at page 19, line 39 ¶ | skipping to change at page 19, line 36 ¶ | |||
any 2xx (Successful) response to a CONNECT request (Section 9.3.6 of | any 2xx (Successful) response to a CONNECT request (Section 9.3.6 of | |||
[HTTP]). | [HTTP]). | |||
A server that receives a request message with a transfer coding it | A server that receives a request message with a transfer coding it | |||
does not understand SHOULD respond with 501 (Not Implemented). | does not understand SHOULD respond with 501 (Not Implemented). | |||
Transfer-Encoding was added in HTTP/1.1. It is generally assumed | Transfer-Encoding was added in HTTP/1.1. It is generally assumed | |||
that implementations advertising only HTTP/1.0 support will not | that implementations advertising only HTTP/1.0 support will not | |||
understand how to process transfer-encoded content, and that an | understand how to process transfer-encoded content, and that an | |||
HTTP/1.0 message received with a Transfer-Encoding is likely to have | HTTP/1.0 message received with a Transfer-Encoding is likely to have | |||
been forwarded without proper handling of the chunked encoding in | been forwarded without proper handling of the chunked transfer coding | |||
transit. | in transit. | |||
A client MUST NOT send a request containing Transfer-Encoding unless | A client MUST NOT send a request containing Transfer-Encoding unless | |||
it knows the server will handle HTTP/1.1 requests (or later minor | it knows the server will handle HTTP/1.1 requests (or later minor | |||
revisions); such knowledge might be in the form of specific user | revisions); such knowledge might be in the form of specific user | |||
configuration or by remembering the version of a prior received | configuration or by remembering the version of a prior received | |||
response. A server MUST NOT send a response containing Transfer- | response. A server MUST NOT send a response containing Transfer- | |||
Encoding unless the corresponding request indicates HTTP/1.1 (or | Encoding unless the corresponding request indicates HTTP/1.1 (or | |||
later minor revisions). | later minor revisions). | |||
Early implementations of Transfer-Encoding would occasionally send | Early implementations of Transfer-Encoding would occasionally send | |||
both a chunked encoding for message framing and an estimated Content- | both a chunked transfer coding for message framing and an estimated | |||
Length header field for use by progress bars. This is why Transfer- | Content-Length header field for use by progress bars. This is why | |||
Encoding is defined as overriding Content-Length, as opposed to them | Transfer-Encoding is defined as overriding Content-Length, as opposed | |||
being mutually incompatible. Unfortunately, forwarding such a | to them being mutually incompatible. Unfortunately, forwarding such | |||
message can lead to vulnerabilities regarding request smuggling | a message can lead to vulnerabilities regarding request smuggling | |||
(Section 11.2) or response splitting (Section 11.1) attacks if any | (Section 11.2) or response splitting (Section 11.1) attacks if any | |||
downstream recipient fails to parse the message according to this | downstream recipient fails to parse the message according to this | |||
specification, particularly when a downstream recipient only | specification, particularly when a downstream recipient only | |||
implements HTTP/1.0. | implements HTTP/1.0. | |||
A server MAY reject a request that contains both Content-Length and | A server MAY reject a request that contains both Content-Length and | |||
Transfer-Encoding or process such a request in accordance with the | Transfer-Encoding or process such a request in accordance with the | |||
Transfer-Encoding alone. Regardless, the server MUST close the | Transfer-Encoding alone. Regardless, the server MUST close the | |||
connection after responding to such a request to avoid the potential | connection after responding to such a request to avoid the potential | |||
attacks. | attacks. | |||
skipping to change at page 21, line 50 ¶ | skipping to change at page 21, line 43 ¶ | |||
message body length cannot be determined reliably; the server | message body length cannot be determined reliably; the server | |||
MUST respond with the 400 (Bad Request) status code and then | MUST respond with the 400 (Bad Request) status code and then | |||
close the connection. | close the connection. | |||
5. If a message is received without Transfer-Encoding and with an | 5. If a message is received without Transfer-Encoding and with an | |||
invalid Content-Length header field, then the message framing is | invalid Content-Length header field, then the message framing is | |||
invalid and the recipient MUST treat it as an unrecoverable | invalid and the recipient MUST treat it as an unrecoverable | |||
error, unless the field value can be successfully parsed as a | error, unless the field value can be successfully parsed as a | |||
comma-separated list (Section 5.6.1 of [HTTP]), all values in the | comma-separated list (Section 5.6.1 of [HTTP]), all values in the | |||
list are valid, and all values in the list are the same (in which | list are valid, and all values in the list are the same (in which | |||
case the message is processed with that single value used as the | case, the message is processed with that single value used as the | |||
Content-Length field value). If the unrecoverable error is in a | Content-Length field value). If the unrecoverable error is in a | |||
request message, the server MUST respond with a 400 (Bad Request) | request message, the server MUST respond with a 400 (Bad Request) | |||
status code and then close the connection. If it is in a | status code and then close the connection. If it is in a | |||
response message received by a proxy, the proxy MUST close the | response message received by a proxy, the proxy MUST close the | |||
connection to the server, discard the received response, and send | connection to the server, discard the received response, and send | |||
a 502 (Bad Gateway) response to the client. If it is in a | a 502 (Bad Gateway) response to the client. If it is in a | |||
response message received by a user agent, the user agent MUST | response message received by a user agent, the user agent MUST | |||
close the connection to the server and discard the received | close the connection to the server and discard the received | |||
response. | response. | |||
skipping to change at page 22, line 48 ¶ | skipping to change at page 22, line 41 ¶ | |||
A server MAY reject a request that contains a message body but not a | A server MAY reject a request that contains a message body but not a | |||
Content-Length by responding with 411 (Length Required). | Content-Length by responding with 411 (Length Required). | |||
Unless a transfer coding other than chunked has been applied, a | Unless a transfer coding other than chunked has been applied, a | |||
client that sends a request containing a message body SHOULD use a | client that sends a request containing a message body SHOULD use a | |||
valid Content-Length header field if the message body length is known | valid Content-Length header field if the message body length is known | |||
in advance, rather than the chunked transfer coding, since some | in advance, rather than the chunked transfer coding, since some | |||
existing services respond to chunked with a 411 (Length Required) | existing services respond to chunked with a 411 (Length Required) | |||
status code even though they understand the chunked transfer coding. | status code even though they understand the chunked transfer coding. | |||
This is typically because such services are implemented via a gateway | This is typically because such services are implemented via a gateway | |||
that requires a content-length in advance of being called and the | that requires a content length in advance of being called, and the | |||
server is unable or unwilling to buffer the entire request before | server is unable or unwilling to buffer the entire request before | |||
processing. | processing. | |||
A user agent that sends a request that contains a message body MUST | A user agent that sends a request that contains a message body MUST | |||
send either a valid Content-Length header field or use the chunked | send either a valid Content-Length header field or use the chunked | |||
transfer coding. A client MUST NOT use the chunked transfer encoding | transfer coding. A client MUST NOT use the chunked transfer coding | |||
unless it knows the server will handle HTTP/1.1 (or later) requests; | unless it knows the server will handle HTTP/1.1 (or later) requests; | |||
such knowledge can be in the form of specific user configuration or | such knowledge can be in the form of specific user configuration or | |||
by remembering the version of a prior received response. | by remembering the version of a prior received response. | |||
If the final response to the last request on a connection has been | If the final response to the last request on a connection has been | |||
completely received and there remains additional data to read, a user | completely received and there remains additional data to read, a user | |||
agent MAY discard the remaining data or attempt to determine if that | agent MAY discard the remaining data or attempt to determine if that | |||
data belongs as part of the prior message body, which might be the | data belongs as part of the prior message body, which might be the | |||
case if the prior message's Content-Length value is incorrect. A | case if the prior message's Content-Length value is incorrect. A | |||
client MUST NOT process, cache, or forward such extra data as a | client MUST NOT process, cache, or forward such extra data as a | |||
skipping to change at page 24, line 34 ¶ | skipping to change at page 24, line 22 ¶ | |||
HTTP/1.1 does not define any means to limit the size of a chunked | HTTP/1.1 does not define any means to limit the size of a chunked | |||
response such that an intermediary can be assured of buffering the | response such that an intermediary can be assured of buffering the | |||
entire response. Additionally, very large chunk sizes may cause | entire response. Additionally, very large chunk sizes may cause | |||
overflows or loss of precision if their values are not represented | overflows or loss of precision if their values are not represented | |||
accurately in a receiving implementation. Therefore, recipients MUST | accurately in a receiving implementation. Therefore, recipients MUST | |||
anticipate potentially large hexadecimal numerals and prevent parsing | anticipate potentially large hexadecimal numerals and prevent parsing | |||
errors due to integer conversion overflows or precision loss due to | errors due to integer conversion overflows or precision loss due to | |||
integer representation. | integer representation. | |||
The chunked encoding does not define any parameters. Their presence | The chunked coding does not define any parameters. Their presence | |||
SHOULD be treated as an error. | SHOULD be treated as an error. | |||
7.1.1. Chunk Extensions | 7.1.1. Chunk Extensions | |||
The chunked encoding allows each chunk to include zero or more chunk | The chunked coding allows each chunk to include zero or more chunk | |||
extensions, immediately following the chunk-size, for the sake of | extensions, immediately following the chunk-size, for the sake of | |||
supplying per-chunk metadata (such as a signature or hash), mid- | supplying per-chunk metadata (such as a signature or hash), mid- | |||
message control information, or randomization of message body size. | message control information, or randomization of message body size. | |||
chunk-ext = *( BWS ";" BWS chunk-ext-name | chunk-ext = *( BWS ";" BWS chunk-ext-name | |||
[ BWS "=" BWS chunk-ext-val ] ) | [ BWS "=" BWS chunk-ext-val ] ) | |||
chunk-ext-name = token | chunk-ext-name = token | |||
chunk-ext-val = token / quoted-string | chunk-ext-val = token / quoted-string | |||
The chunked encoding is specific to each connection and is likely to | The chunked coding is specific to each connection and is likely to be | |||
be removed or recoded by each recipient (including intermediaries) | removed or recoded by each recipient (including intermediaries) | |||
before any higher-level application would have a chance to inspect | before any higher-level application would have a chance to inspect | |||
the extensions. Hence, use of chunk extensions is generally limited | the extensions. Hence, the use of chunk extensions is generally | |||
to specialized HTTP services such as "long polling" (where client and | limited to specialized HTTP services such as "long polling" (where | |||
server can have shared expectations regarding the use of chunk | client and server can have shared expectations regarding the use of | |||
extensions) or for padding within an end-to-end secured connection. | chunk extensions) or for padding within an end-to-end secured | |||
connection. | ||||
A recipient MUST ignore unrecognized chunk extensions. A server | A recipient MUST ignore unrecognized chunk extensions. A server | |||
ought to limit the total length of chunk extensions received in a | ought to limit the total length of chunk extensions received in a | |||
request to an amount reasonable for the services provided, in the | request to an amount reasonable for the services provided, in the | |||
same way that it applies length limitations and timeouts for other | same way that it applies length limitations and timeouts for other | |||
parts of a message, and generate an appropriate 4xx (Client Error) | parts of a message, and generate an appropriate 4xx (Client Error) | |||
response if that amount is exceeded. | response if that amount is exceeded. | |||
7.1.2. Chunked Trailer Section | 7.1.2. Chunked Trailer Section | |||
A trailer section allows the sender to include additional fields at | A trailer section allows the sender to include additional fields at | |||
the end of a chunked message in order to supply metadata that might | the end of a chunked message in order to supply metadata that might | |||
be dynamically generated while the content is sent, such as a message | be dynamically generated while the content is sent, such as a message | |||
integrity check, digital signature, or post-processing status. The | integrity check, digital signature, or post-processing status. The | |||
proper use and limitations of trailer fields are defined in | proper use and limitations of trailer fields are defined in | |||
Section 6.5 of [HTTP]. | Section 6.5 of [HTTP]. | |||
trailer-section = *( field-line CRLF ) | trailer-section = *( field-line CRLF ) | |||
A recipient that removes the chunked encoding from a message MAY | A recipient that removes the chunked coding from a message MAY | |||
selectively retain or discard the received trailer fields. A | selectively retain or discard the received trailer fields. A | |||
recipient that retains a received trailer field MUST either store/ | recipient that retains a received trailer field MUST either store/ | |||
forward the trailer field separately from the received header fields | forward the trailer field separately from the received header fields | |||
or merge the received trailer field into the header section. A | or merge the received trailer field into the header section. A | |||
recipient MUST NOT merge a received trailer field into the header | recipient MUST NOT merge a received trailer field into the header | |||
section unless its corresponding header field definition explicitly | section unless its corresponding header field definition explicitly | |||
permits and instructs how the trailer field value can be safely | permits and instructs how the trailer field value can be safely | |||
merged. | merged. | |||
7.1.3. Decoding Chunked | 7.1.3. Decoding Chunked | |||
skipping to change at page 27, line 18 ¶ | skipping to change at page 27, line 18 ¶ | |||
o Description | o Description | |||
o Pointer to specification text | o Pointer to specification text | |||
Names of transfer codings MUST NOT overlap with names of content | Names of transfer codings MUST NOT overlap with names of content | |||
codings (Section 8.4.1 of [HTTP]) unless the encoding transformation | codings (Section 8.4.1 of [HTTP]) unless the encoding transformation | |||
is identical, as is the case for the compression codings defined in | is identical, as is the case for the compression codings defined in | |||
Section 7.2. | Section 7.2. | |||
The TE header field (Section 10.1.4 of [HTTP]) uses a pseudo | The TE header field (Section 10.1.4 of [HTTP]) uses a pseudo- | |||
parameter named "q" as rank value when multiple transfer codings are | parameter named "q" as the rank value when multiple transfer codings | |||
acceptable. Future registrations of transfer codings SHOULD NOT | are acceptable. Future registrations of transfer codings SHOULD NOT | |||
define parameters called "q" (case-insensitively) in order to avoid | define parameters called "q" (case-insensitively) in order to avoid | |||
ambiguities. | ambiguities. | |||
Values to be added to this namespace require IETF Review (see | Values to be added to this namespace require IETF Review (see | |||
Section 4.8 of [RFC8126]), and MUST conform to the purpose of | Section 4.8 of [RFC8126]) and MUST conform to the purpose of transfer | |||
transfer coding defined in this specification. | coding defined in this specification. | |||
Use of program names for the identification of encoding formats is | Use of program names for the identification of encoding formats is | |||
not desirable and is discouraged for future encodings. | not desirable and is discouraged for future encodings. | |||
7.4. Negotiating Transfer Codings | 7.4. Negotiating Transfer Codings | |||
The TE field (Section 10.1.4 of [HTTP]) is used in HTTP/1.1 to | The TE field (Section 10.1.4 of [HTTP]) is used in HTTP/1.1 to | |||
indicate what transfer-codings, besides chunked, the client is | indicate what transfer codings, besides chunked, the client is | |||
willing to accept in the response, and whether the client is willing | willing to accept in the response and whether the client is willing | |||
to preserve trailer fields in a chunked transfer coding. | to preserve trailer fields in a chunked transfer coding. | |||
A client MUST NOT send the chunked transfer coding name in TE; | A client MUST NOT send the chunked transfer coding name in TE; | |||
chunked is always acceptable for HTTP/1.1 recipients. | chunked is always acceptable for HTTP/1.1 recipients. | |||
Three examples of TE use are below. | Three examples of TE use are below. | |||
TE: deflate | TE: deflate | |||
TE: | TE: | |||
TE: trailers, deflate;q=0.5 | TE: trailers, deflate;q=0.5 | |||
When multiple transfer codings are acceptable, the client MAY rank | When multiple transfer codings are acceptable, the client MAY rank | |||
the codings by preference using a case-insensitive "q" parameter | the codings by preference using a case-insensitive "q" parameter | |||
(similar to the qvalues used in content negotiation fields, | (similar to the qvalues used in content negotiation fields; see | |||
Section 12.4.2 of [HTTP]). The rank value is a real number in the | Section 12.4.2 of [HTTP]). The rank value is a real number in the | |||
range 0 through 1, where 0.001 is the least preferred and 1 is the | range 0 through 1, where 0.001 is the least preferred and 1 is the | |||
most preferred; a value of 0 means "not acceptable". | most preferred; a value of 0 means "not acceptable". | |||
If the TE field value is empty or if no TE field is present, the only | If the TE field value is empty or if no TE field is present, the only | |||
acceptable transfer coding is chunked. A message with no transfer | acceptable transfer coding is chunked. A message with no transfer | |||
coding is always acceptable. | coding is always acceptable. | |||
The keyword "trailers" indicates that the sender will not discard | The keyword "trailers" indicates that the sender will not discard | |||
trailer fields, as described in Section 6.5 of [HTTP]. | trailer fields, as described in Section 6.5 of [HTTP]. | |||
skipping to change at page 28, line 28 ¶ | skipping to change at page 28, line 28 ¶ | |||
8. Handling Incomplete Messages | 8. Handling Incomplete Messages | |||
A server that receives an incomplete request message, usually due to | A server that receives an incomplete request message, usually due to | |||
a canceled request or a triggered timeout exception, MAY send an | a canceled request or a triggered timeout exception, MAY send an | |||
error response prior to closing the connection. | error response prior to closing the connection. | |||
A client that receives an incomplete response message, which can | A client that receives an incomplete response message, which can | |||
occur when a connection is closed prematurely or when decoding a | occur when a connection is closed prematurely or when decoding a | |||
supposedly chunked transfer coding fails, MUST record the message as | supposedly chunked transfer coding fails, MUST record the message as | |||
incomplete. Cache requirements for incomplete responses are defined | incomplete. Cache requirements for incomplete responses are defined | |||
in Section 3 of [CACHING]. | in Section 3.3 of [CACHING]. | |||
If a response terminates in the middle of the header section (before | If a response terminates in the middle of the header section (before | |||
the empty line is received) and the status code might rely on header | the empty line is received) and the status code might rely on header | |||
fields to convey the full meaning of the response, then the client | fields to convey the full meaning of the response, then the client | |||
cannot assume that meaning has been conveyed; the client might need | cannot assume that meaning has been conveyed; the client might need | |||
to repeat the request in order to determine what action to take next. | to repeat the request in order to determine what action to take next. | |||
A message body that uses the chunked transfer coding is incomplete if | A message body that uses the chunked transfer coding is incomplete if | |||
the zero-sized chunk that terminates the encoding has not been | the zero-sized chunk that terminates the encoding has not been | |||
received. A message that uses a valid Content-Length is incomplete | received. A message that uses a valid Content-Length is incomplete | |||
skipping to change at page 29, line 45 ¶ | skipping to change at page 29, line 45 ¶ | |||
protocols. Each HTTP connection maps to one underlying transport | protocols. Each HTTP connection maps to one underlying transport | |||
connection. | connection. | |||
9.2. Associating a Response to a Request | 9.2. Associating a Response to a Request | |||
HTTP/1.1 does not include a request identifier for associating a | HTTP/1.1 does not include a request identifier for associating a | |||
given request message with its corresponding one or more response | given request message with its corresponding one or more response | |||
messages. Hence, it relies on the order of response arrival to | messages. Hence, it relies on the order of response arrival to | |||
correspond exactly to the order in which requests are made on the | correspond exactly to the order in which requests are made on the | |||
same connection. More than one response message per request only | same connection. More than one response message per request only | |||
occurs when one or more informational responses (1xx, see | occurs when one or more informational responses (1xx; see | |||
Section 15.2 of [HTTP]) precede a final response to the same request. | Section 15.2 of [HTTP]) precede a final response to the same request. | |||
A client that has more than one outstanding request on a connection | A client that has more than one outstanding request on a connection | |||
MUST maintain a list of outstanding requests in the order sent and | MUST maintain a list of outstanding requests in the order sent and | |||
MUST associate each received response message on that connection to | MUST associate each received response message on that connection to | |||
the first outstanding request that has not yet received a final (non- | the first outstanding request that has not yet received a final (non- | |||
1xx) response. | 1xx) response. | |||
If a client receives data on a connection that doesn't have | If a client receives data on a connection that doesn't have | |||
outstanding requests, the client MUST NOT consider that data to be a | outstanding requests, the client MUST NOT consider that data to be a | |||
valid response; the client SHOULD close the connection, since message | valid response; the client SHOULD close the connection, since message | |||
delimitation is now ambiguous, unless the data consists only of one | delimitation is now ambiguous, unless the data consists only of one | |||
or more CRLF (which can be discarded, as per Section 2.2). | or more CRLF (which can be discarded per Section 2.2). | |||
9.3. Persistence | 9.3. Persistence | |||
HTTP/1.1 defaults to the use of _persistent connections_, allowing | HTTP/1.1 defaults to the use of "persistent connections", allowing | |||
multiple requests and responses to be carried over a single | multiple requests and responses to be carried over a single | |||
connection. HTTP implementations SHOULD support persistent | connection. HTTP implementations SHOULD support persistent | |||
connections. | connections. | |||
A recipient determines whether a connection is persistent or not | A recipient determines whether a connection is persistent or not | |||
based on the protocol version and Connection header field | based on the protocol version and Connection header field | |||
(Section 7.6.1 of [HTTP]) in the most recently received message, if | (Section 7.6.1 of [HTTP]) in the most recently received message, if | |||
any: | any: | |||
o If the close connection option is present (Section 9.6), the | o If the "close" connection option is present (Section 9.6), the | |||
connection will not persist after the current response; else, | connection will not persist after the current response; else, | |||
o If the received protocol is HTTP/1.1 (or later), the connection | o If the received protocol is HTTP/1.1 (or later), the connection | |||
will persist after the current response; else, | will persist after the current response; else, | |||
o If the received protocol is HTTP/1.0, the "keep-alive" connection | o If the received protocol is HTTP/1.0, the "keep-alive" connection | |||
option is present, either the recipient is not a proxy or the | option is present, either the recipient is not a proxy or the | |||
message is a response, and the recipient wishes to honor the | message is a response, and the recipient wishes to honor the | |||
HTTP/1.0 "keep-alive" mechanism, the connection will persist after | HTTP/1.0 "keep-alive" mechanism, the connection will persist after | |||
the current response; otherwise, | the current response; otherwise, | |||
o The connection will close after the current response. | o The connection will close after the current response. | |||
A client that does not support persistent connections MUST send the | A client that does not support persistent connections MUST send the | |||
close connection option in every request message. | "close" connection option in every request message. | |||
A server that does not support persistent connections MUST send the | A server that does not support persistent connections MUST send the | |||
close connection option in every response message that does not have | "close" connection option in every response message that does not | |||
a 1xx (Informational) status code. | have a 1xx (Informational) status code. | |||
A client MAY send additional requests on a persistent connection | A client MAY send additional requests on a persistent connection | |||
until it sends or receives a close connection option or receives an | until it sends or receives a "close" connection option or receives an | |||
HTTP/1.0 response without a "keep-alive" connection option. | HTTP/1.0 response without a "keep-alive" connection option. | |||
In order to remain persistent, all messages on a connection need to | In order to remain persistent, all messages on a connection need to | |||
have a self-defined message length (i.e., one not defined by closure | have a self-defined message length (i.e., one not defined by closure | |||
of the connection), as described in Section 6. A server MUST read | of the connection), as described in Section 6. A server MUST read | |||
the entire request message body or close the connection after sending | the entire request message body or close the connection after sending | |||
its response, since otherwise the remaining data on a persistent | its response; otherwise, the remaining data on a persistent | |||
connection would be misinterpreted as the next request. Likewise, a | connection would be misinterpreted as the next request. Likewise, a | |||
client MUST read the entire response message body if it intends to | client MUST read the entire response message body if it intends to | |||
reuse the same connection for a subsequent request. | reuse the same connection for a subsequent request. | |||
A proxy server MUST NOT maintain a persistent connection with an | A proxy server MUST NOT maintain a persistent connection with an | |||
HTTP/1.0 client (see Section 19.7.1 of [RFC2068] for information and | HTTP/1.0 client (see Appendix C.2.2 for information and discussion of | |||
discussion of the problems with the Keep-Alive header field | the problems with the Keep-Alive header field implemented by many | |||
implemented by many HTTP/1.0 clients). | HTTP/1.0 clients). | |||
See Appendix C.2.2 for more information on backwards compatibility | See Appendix C.2.2 for more information on backwards compatibility | |||
with HTTP/1.0 clients. | with HTTP/1.0 clients. | |||
9.3.1. Retrying Requests | 9.3.1. Retrying Requests | |||
Connections can be closed at any time, with or without intention. | Connections can be closed at any time, with or without intention. | |||
Implementations ought to anticipate the need to recover from | Implementations ought to anticipate the need to recover from | |||
asynchronous close events. The conditions under which a client can | asynchronous close events. The conditions under which a client can | |||
automatically retry a sequence of outstanding requests are defined in | automatically retry a sequence of outstanding requests are defined in | |||
Section 9.2.2 of [HTTP]. | Section 9.2.2 of [HTTP]. | |||
9.3.2. Pipelining | 9.3.2. Pipelining | |||
A client that supports persistent connections MAY _pipeline_ its | A client that supports persistent connections MAY "pipeline" its | |||
requests (i.e., send multiple requests without waiting for each | requests (i.e., send multiple requests without waiting for each | |||
response). A server MAY process a sequence of pipelined requests in | response). A server MAY process a sequence of pipelined requests in | |||
parallel if they all have safe methods (Section 9.2.1 of [HTTP]), but | parallel if they all have safe methods (Section 9.2.1 of [HTTP]), but | |||
it MUST send the corresponding responses in the same order that the | it MUST send the corresponding responses in the same order that the | |||
requests were received. | requests were received. | |||
A client that pipelines requests SHOULD retry unanswered requests if | A client that pipelines requests SHOULD retry unanswered requests if | |||
the connection closes before it receives all of the corresponding | the connection closes before it receives all of the corresponding | |||
responses. When retrying pipelined requests after a failed | responses. When retrying pipelined requests after a failed | |||
connection (a connection not explicitly closed by the server in its | connection (a connection not explicitly closed by the server in its | |||
skipping to change at page 33, line 20 ¶ | skipping to change at page 33, line 20 ¶ | |||
A client, server, or proxy MAY close the transport connection at any | A client, server, or proxy MAY close the transport connection at any | |||
time. For example, a client might have started to send a new request | time. For example, a client might have started to send a new request | |||
at the same time that the server has decided to close the "idle" | at the same time that the server has decided to close the "idle" | |||
connection. From the server's point of view, the connection is being | connection. From the server's point of view, the connection is being | |||
closed while it was idle, but from the client's point of view, a | closed while it was idle, but from the client's point of view, a | |||
request is in progress. | request is in progress. | |||
A server SHOULD sustain persistent connections, when possible, and | A server SHOULD sustain persistent connections, when possible, and | |||
allow the underlying transport's flow-control mechanisms to resolve | allow the underlying transport's flow-control mechanisms to resolve | |||
temporary overloads, rather than terminate connections with the | temporary overloads rather than terminate connections with the | |||
expectation that clients will retry. The latter technique can | expectation that clients will retry. The latter technique can | |||
exacerbate network congestion or server load. | exacerbate network congestion or server load. | |||
A client sending a message body SHOULD monitor the network connection | A client sending a message body SHOULD monitor the network connection | |||
for an error response while it is transmitting the request. If the | for an error response while it is transmitting the request. If the | |||
client sees a response that indicates the server does not wish to | client sees a response that indicates the server does not wish to | |||
receive the message body and is closing the connection, the client | receive the message body and is closing the connection, the client | |||
SHOULD immediately cease transmitting the body and close its side of | SHOULD immediately cease transmitting the body and close its side of | |||
the connection. | the connection. | |||
9.6. Tear-down | 9.6. Tear-down | |||
The "close" connection option is defined as a signal that the sender | The "close" connection option is defined as a signal that the sender | |||
will close this connection after completion of the response. A | will close this connection after completion of the response. A | |||
sender SHOULD send a Connection header field (Section 7.6.1 of | sender SHOULD send a Connection header field (Section 7.6.1 of | |||
[HTTP]) containing the close connection option when it intends to | [HTTP]) containing the "close" connection option when it intends to | |||
close a connection. For example, | close a connection. For example, | |||
Connection: close | Connection: close | |||
as a request header field indicates that this is the last request | as a request header field indicates that this is the last request | |||
that the client will send on this connection, while in a response the | that the client will send on this connection, while in a response, | |||
same field indicates that the server is going to close this | the same field indicates that the server is going to close this | |||
connection after the response message is complete. | connection after the response message is complete. | |||
Note that the field name "Close" is reserved, since using that name | Note that the field name "Close" is reserved, since using that name | |||
as a header field might conflict with the close connection option. | as a header field might conflict with the "close" connection option. | |||
A client that sends a close connection option MUST NOT send further | A client that sends a "close" connection option MUST NOT send further | |||
requests on that connection (after the one containing the close) and | requests on that connection (after the one containing the "close") | |||
MUST close the connection after reading the final response message | and MUST close the connection after reading the final response | |||
corresponding to this request. | message corresponding to this request. | |||
A server that receives a close connection option MUST initiate | A server that receives a "close" connection option MUST initiate | |||
closure of the connection (see below) after it sends the final | closure of the connection (see below) after it sends the final | |||
response to the request that contained the close connection option. | response to the request that contained the "close" connection option. | |||
The server SHOULD send a close connection option in its final | The server SHOULD send a "close" connection option in its final | |||
response on that connection. The server MUST NOT process any further | response on that connection. The server MUST NOT process any further | |||
requests received on that connection. | requests received on that connection. | |||
A server that sends a close connection option MUST initiate closure | A server that sends a "close" connection option MUST initiate closure | |||
of the connection (see below) after it sends the response containing | of the connection (see below) after it sends the response containing | |||
the close connection option. The server MUST NOT process any further | the "close" connection option. The server MUST NOT process any | |||
requests received on that connection. | further requests received on that connection. | |||
A client that receives a close connection option MUST cease sending | A client that receives a "close" connection option MUST cease sending | |||
requests on that connection and close the connection after reading | requests on that connection and close the connection after reading | |||
the response message containing the close connection option; if | the response message containing the "close" connection option; if | |||
additional pipelined requests had been sent on the connection, the | additional pipelined requests had been sent on the connection, the | |||
client SHOULD NOT assume that they will be processed by the server. | client SHOULD NOT assume that they will be processed by the server. | |||
If a server performs an immediate close of a TCP connection, there is | If a server performs an immediate close of a TCP connection, there is | |||
a significant risk that the client will not be able to read the last | a significant risk that the client will not be able to read the last | |||
HTTP response. If the server receives additional data from the | HTTP response. If the server receives additional data from the | |||
client on a fully closed connection, such as another request sent by | client on a fully closed connection, such as another request sent by | |||
the client before receiving the server's response, the server's TCP | the client before receiving the server's response, the server's TCP | |||
stack will send a reset packet to the client; unfortunately, the | stack will send a reset packet to the client; unfortunately, the | |||
reset packet might erase the client's unacknowledged input buffers | reset packet might erase the client's unacknowledged input buffers | |||
skipping to change at page 35, line 14 ¶ | skipping to change at page 35, line 14 ¶ | |||
9.7. TLS Connection Initiation | 9.7. TLS Connection Initiation | |||
Conceptually, HTTP/TLS is simply sending HTTP messages over a | Conceptually, HTTP/TLS is simply sending HTTP messages over a | |||
connection secured via TLS [TLS13]. | connection secured via TLS [TLS13]. | |||
The HTTP client also acts as the TLS client. It initiates a | The HTTP client also acts as the TLS client. It initiates a | |||
connection to the server on the appropriate port and sends the TLS | connection to the server on the appropriate port and sends the TLS | |||
ClientHello to begin the TLS handshake. When the TLS handshake has | ClientHello to begin the TLS handshake. When the TLS handshake has | |||
finished, the client may then initiate the first HTTP request. All | finished, the client may then initiate the first HTTP request. All | |||
HTTP data MUST be sent as TLS "application data", but is otherwise | HTTP data MUST be sent as TLS "application data" but is otherwise | |||
treated like a normal connection for HTTP (including potential reuse | treated like a normal connection for HTTP (including potential reuse | |||
as a persistent connection). | as a persistent connection). | |||
9.8. TLS Connection Closure | 9.8. TLS Connection Closure | |||
TLS uses an exchange of closure alerts prior to (non-error) | TLS uses an exchange of closure alerts prior to (non-error) | |||
connection closure to provide secure connection closure; see | connection closure to provide secure connection closure; see | |||
Section 6.1 of [TLS13]. When a valid closure alert is received, an | Section 6.1 of [TLS13]. When a valid closure alert is received, an | |||
implementation can be assured that no further data will be received | implementation can be assured that no further data will be received | |||
on that connection. | on that connection. | |||
skipping to change at page 35, line 36 ¶ | skipping to change at page 35, line 36 ¶ | |||
When an implementation knows that it has sent or received all the | When an implementation knows that it has sent or received all the | |||
message data that it cares about, typically by detecting HTTP message | message data that it cares about, typically by detecting HTTP message | |||
boundaries, it might generate an "incomplete close" by sending a | boundaries, it might generate an "incomplete close" by sending a | |||
closure alert and then closing the connection without waiting to | closure alert and then closing the connection without waiting to | |||
receive the corresponding closure alert from its peer. | receive the corresponding closure alert from its peer. | |||
An incomplete close does not call into question the security of the | An incomplete close does not call into question the security of the | |||
data already received, but it could indicate that subsequent data | data already received, but it could indicate that subsequent data | |||
might have been truncated. As TLS is not directly aware of HTTP | might have been truncated. As TLS is not directly aware of HTTP | |||
message framing, it is necessary to examine the HTTP data itself to | message framing, it is necessary to examine the HTTP data itself to | |||
determine whether messages were complete. Handling of incomplete | determine whether messages are complete. Handling of incomplete | |||
messages is defined in Section 8. | messages is defined in Section 8. | |||
When encountering an incomplete close, a client SHOULD treat as | When encountering an incomplete close, a client SHOULD treat as | |||
completed all requests for which it has received as much data as | completed all requests for which it has received either | |||
specified in the Content-Length header or, when a Transfer-Encoding | ||||
of chunked is used, for which the terminal zero-length chunk has been | 1. as much data as specified in the Content-Length header field or | |||
received. A response that has neither chunked transfer coding nor | ||||
Content-Length is complete only if a valid closure alert has been | 2. the terminal zero-length chunk (when Transfer-Encoding of chunked | |||
received. Treating an incomplete message as complete could expose | is used). | |||
A response that has neither chunked transfer coding nor Content- | ||||
Length is complete only if a valid closure alert has been received. | ||||
Treating an incomplete message as complete could expose | ||||
implementations to attack. | implementations to attack. | |||
A client detecting an incomplete close SHOULD recover gracefully. | A client detecting an incomplete close SHOULD recover gracefully. | |||
Clients MUST send a closure alert before closing the connection. | Clients MUST send a closure alert before closing the connection. | |||
Clients that do not expect to receive any more data MAY choose not to | Clients that do not expect to receive any more data MAY choose not to | |||
wait for the server's closure alert and simply close the connection, | wait for the server's closure alert and simply close the connection, | |||
thus generating an incomplete close on the server side. | thus generating an incomplete close on the server side. | |||
Servers SHOULD be prepared to receive an incomplete close from the | Servers SHOULD be prepared to receive an incomplete close from the | |||
client, since the client can often determine when the end of server | client, since the client can often locate the end of server data. | |||
data is. | ||||
Servers MUST attempt to initiate an exchange of closure alerts with | Servers MUST attempt to initiate an exchange of closure alerts with | |||
the client before closing the connection. Servers MAY close the | the client before closing the connection. Servers MAY close the | |||
connection after sending the closure alert, thus generating an | connection after sending the closure alert, thus generating an | |||
incomplete close on the client side. | incomplete close on the client side. | |||
10. Enclosing Messages as Data | 10. Enclosing Messages as Data | |||
10.1. Media Type message/http | 10.1. Media Type message/http | |||
The message/http media type can be used to enclose a single HTTP | The "message/http" media type can be used to enclose a single HTTP | |||
request or response message, provided that it obeys the MIME | request or response message, provided that it obeys the MIME | |||
restrictions for all "message" types regarding line length and | restrictions for all "message" types regarding line length and | |||
encodings. Because of the line length limitations, field values | encodings. Because of the line length limitations, field values | |||
within message/http are allowed to use line folding (obs-fold), as | within "message/http" are allowed to use line folding (obs-fold), as | |||
described in Section 5.2, to convey the field value over multiple | described in Section 5.2, to convey the field value over multiple | |||
lines. A recipient of message/http data MUST replace any obsolete | lines. A recipient of "message/http" data MUST replace any obsolete | |||
line folding with one or more SP characters when the message is | line folding with one or more SP characters when the message is | |||
consumed. | consumed. | |||
Type name: message | Type name: message | |||
Subtype name: http | Subtype name: http | |||
Required parameters: N/A | Required parameters: N/A | |||
Optional parameters: version, msgtype | Optional parameters: version, msgtype | |||
skipping to change at page 37, line 6 ¶ | skipping to change at page 37, line 6 ¶ | |||
msgtype: The message type -- "request" or "response". If not | msgtype: The message type -- "request" or "response". If not | |||
present, the type can be determined from the first line of the | present, the type can be determined from the first line of the | |||
body. | body. | |||
Encoding considerations: only "7bit", "8bit", or "binary" are | Encoding considerations: only "7bit", "8bit", or "binary" are | |||
permitted | permitted | |||
Security considerations: see Section 11 | Security considerations: see Section 11 | |||
Interoperability considerations: N/A | Interoperability considerations: N/A | |||
Published specification: This specification (see Section 10.1). | Published specification: RFC 9112 (see Section 10.1). | |||
Applications that use this media type: N/A | Applications that use this media type: N/A | |||
Fragment identifier considerations: N/A | Fragment identifier considerations: N/A | |||
Additional information: Magic number(s): N/A | Additional information: Magic number(s): N/A | |||
Deprecated alias names for this type: N/A | Deprecated alias names for this type: N/A | |||
File extension(s): N/A | File extension(s): N/A | |||
skipping to change at page 37, line 33 ¶ | skipping to change at page 37, line 33 ¶ | |||
Intended usage: COMMON | Intended usage: COMMON | |||
Restrictions on usage: N/A | Restrictions on usage: N/A | |||
Author: See Authors' Addresses section. | Author: See Authors' Addresses section. | |||
Change controller: IESG | Change controller: IESG | |||
10.2. Media Type application/http | 10.2. Media Type application/http | |||
The application/http media type can be used to enclose a pipeline of | The "application/http" media type can be used to enclose a pipeline | |||
one or more HTTP request or response messages (not intermixed). | of one or more HTTP request or response messages (not intermixed). | |||
Type name: application | Type name: application | |||
Subtype name: http | Subtype name: http | |||
Required parameters: N/A | Required parameters: N/A | |||
Optional parameters: version, msgtype | Optional parameters: version, msgtype | |||
version: The HTTP-version number of the enclosed messages (e.g., | version: The HTTP-version number of the enclosed messages (e.g., | |||
skipping to change at page 38, line 13 ¶ | skipping to change at page 38, line 13 ¶ | |||
body. | body. | |||
Encoding considerations: HTTP messages enclosed by this type are in | Encoding considerations: HTTP messages enclosed by this type are in | |||
"binary" format; use of an appropriate Content-Transfer-Encoding | "binary" format; use of an appropriate Content-Transfer-Encoding | |||
is required when transmitted via email. | is required when transmitted via email. | |||
Security considerations: see Section 11 | Security considerations: see Section 11 | |||
Interoperability considerations: N/A | Interoperability considerations: N/A | |||
Published specification: This specification (see Section 10.2). | Published specification: RFC 9112 (see Section 10.2). | |||
Applications that use this media type: N/A | Applications that use this media type: N/A | |||
Fragment identifier considerations: N/A | Fragment identifier considerations: N/A | |||
Additional information: Deprecated alias names for this type: N/A | Additional information: Deprecated alias names for this type: N/A | |||
Magic number(s): N/A | Magic number(s): N/A | |||
File extension(s): N/A | File extension(s): N/A | |||
skipping to change at page 38, line 47 ¶ | skipping to change at page 38, line 47 ¶ | |||
11. Security Considerations | 11. Security Considerations | |||
This section is meant to inform developers, information providers, | This section is meant to inform developers, information providers, | |||
and users about known security considerations relevant to HTTP | and users about known security considerations relevant to HTTP | |||
message syntax and parsing. Security considerations about HTTP | message syntax and parsing. Security considerations about HTTP | |||
semantics, content, and routing are addressed in [HTTP]. | semantics, content, and routing are addressed in [HTTP]. | |||
11.1. Response Splitting | 11.1. Response Splitting | |||
Response splitting (a.k.a., CRLF injection) is a common technique, | Response splitting (a.k.a. CRLF injection) is a common technique, | |||
used in various attacks on Web usage, that exploits the line-based | used in various attacks on Web usage, that exploits the line-based | |||
nature of HTTP message framing and the ordered association of | nature of HTTP message framing and the ordered association of | |||
requests to responses on persistent connections [Klein]. This | requests to responses on persistent connections [Klein]. This | |||
technique can be particularly damaging when the requests pass through | technique can be particularly damaging when the requests pass through | |||
a shared cache. | a shared cache. | |||
Response splitting exploits a vulnerability in servers (usually | Response splitting exploits a vulnerability in servers (usually | |||
within an application server) where an attacker can send encoded data | within an application server) where an attacker can send encoded data | |||
within some parameter of the request that is later decoded and echoed | within some parameter of the request that is later decoded and echoed | |||
within any of the response header fields of the response. If the | within any of the response header fields of the response. If the | |||
decoded data is crafted to look like the response has ended and a | decoded data is crafted to look like the response has ended and a | |||
subsequent response has begun, the response has been split and the | subsequent response has begun, the response has been split, and the | |||
content within the apparent second response is controlled by the | content within the apparent second response is controlled by the | |||
attacker. The attacker can then make any other request on the same | attacker. The attacker can then make any other request on the same | |||
persistent connection and trick the recipients (including | persistent connection and trick the recipients (including | |||
intermediaries) into believing that the second half of the split is | intermediaries) into believing that the second half of the split is | |||
an authoritative answer to the second request. | an authoritative answer to the second request. | |||
For example, a parameter within the request-target might be read by | For example, a parameter within the request-target might be read by | |||
an application server and reused within a redirect, resulting in the | an application server and reused within a redirect, resulting in the | |||
same parameter being echoed in the Location header field of the | same parameter being echoed in the Location header field of the | |||
response. If the parameter is decoded by the application and not | response. If the parameter is decoded by the application and not | |||
properly encoded when placed in the response field, the attacker can | properly encoded when placed in the response field, the attacker can | |||
send encoded CRLF octets and other content that will make the | send encoded CRLF octets and other content that will make the | |||
application's single response look like two or more responses. | application's single response look like two or more responses. | |||
A common defense against response splitting is to filter requests for | A common defense against response splitting is to filter requests for | |||
data that looks like encoded CR and LF (e.g., "%0D" and "%0A"). | data that looks like encoded CR and LF (e.g., "%0D" and "%0A"). | |||
However, that assumes the application server is only performing URI | However, that assumes the application server is only performing URI | |||
decoding, rather than more obscure data transformations like charset | decoding rather than more obscure data transformations like charset | |||
transcoding, XML entity translation, base64 decoding, sprintf | transcoding, XML entity translation, base64 decoding, sprintf | |||
reformatting, etc. A more effective mitigation is to prevent | reformatting, etc. A more effective mitigation is to prevent | |||
anything other than the server's core protocol libraries from sending | anything other than the server's core protocol libraries from sending | |||
a CR or LF within the header section, which means restricting the | a CR or LF within the header section, which means restricting the | |||
output of header fields to APIs that filter for bad octets and not | output of header fields to APIs that filter for bad octets and not | |||
allowing application servers to write directly to the protocol | allowing application servers to write directly to the protocol | |||
stream. | stream. | |||
11.2. Request Smuggling | 11.2. Request Smuggling | |||
skipping to change at page 40, line 19 ¶ | skipping to change at page 40, line 19 ¶ | |||
underlying transport protocols and the use of length or chunk- | underlying transport protocols and the use of length or chunk- | |||
delimited framing to detect completeness. Historically, the lack of | delimited framing to detect completeness. Historically, the lack of | |||
a single integrity mechanism has been justified by the informal | a single integrity mechanism has been justified by the informal | |||
nature of most HTTP communication. However, the prevalence of HTTP | nature of most HTTP communication. However, the prevalence of HTTP | |||
as an information access mechanism has resulted in its increasing use | as an information access mechanism has resulted in its increasing use | |||
within environments where verification of message integrity is | within environments where verification of message integrity is | |||
crucial. | crucial. | |||
The mechanisms provided with the "https" scheme, such as | The mechanisms provided with the "https" scheme, such as | |||
authenticated encryption, provide protection against modification of | authenticated encryption, provide protection against modification of | |||
messages. Care is needed however to ensure that connection closure | messages. Care is needed, however, to ensure that connection closure | |||
cannot be used to truncate messages (see Section 9.8). User agents | cannot be used to truncate messages (see Section 9.8). User agents | |||
might refuse to accept incomplete messages or treat them specially. | might refuse to accept incomplete messages or treat them specially. | |||
For example, a browser being used to view medical history or drug | For example, a browser being used to view medical history or drug | |||
interaction information needs to indicate to the user when such | interaction information needs to indicate to the user when such | |||
information is detected by the protocol to be incomplete, expired, or | information is detected by the protocol to be incomplete, expired, or | |||
corrupted during transfer. Such mechanisms might be selectively | corrupted during transfer. Such mechanisms might be selectively | |||
enabled via user agent extensions or the presence of message | enabled via user agent extensions or the presence of message | |||
integrity metadata in a response. | integrity metadata in a response. | |||
The "http" scheme provides no protection against accidental or | The "http" scheme provides no protection against accidental or | |||
skipping to change at page 41, line 12 ¶ | skipping to change at page 41, line 12 ¶ | |||
The "https" scheme can be used to identify resources that require a | The "https" scheme can be used to identify resources that require a | |||
confidential connection, as described in Section 4.2.2 of [HTTP]. | confidential connection, as described in Section 4.2.2 of [HTTP]. | |||
12. IANA Considerations | 12. IANA Considerations | |||
The change controller for the following registrations is: "IETF | The change controller for the following registrations is: "IETF | |||
(iesg@ietf.org) - Internet Engineering Task Force". | (iesg@ietf.org) - Internet Engineering Task Force". | |||
12.1. Field Name Registration | 12.1. Field Name Registration | |||
First, introduce the new "Hypertext Transfer Protocol (HTTP) Field | IANA has added the following field names to the "Hypertext Transfer | |||
Name Registry" at <https://www.iana.org/assignments/http-fields> as | Protocol (HTTP) Field Name Registry" at | |||
described in Section 18.4 of [HTTP]. | <https://www.iana.org/assignments/http-fields>, as described in | |||
Section 18.4 of [HTTP]. | ||||
Then, please update the registry with the field names listed in the | ||||
table below: | ||||
+-------------------+----------+------+------------+ | +-------------------+-----------+---------+------------+ | |||
| Field Name | Status | Ref. | Comments | | | Field Name | Status | Section | Comments | | |||
+-------------------+----------+------+------------+ | +-------------------+-----------+---------+------------+ | |||
| Close | standard | 9.6 | (reserved) | | | Close | permanent | 9.6 | (reserved) | | |||
| MIME-Version | standard | B.1 | | | | MIME-Version | permanent | B.1 | | | |||
| Transfer-Encoding | standard | 6.1 | | | | Transfer-Encoding | permanent | 6.1 | | | |||
+-------------------+----------+------+------------+ | +-------------------+-----------+---------+------------+ | |||
Table 1 | Table 1 | |||
12.2. Media Type Registration | 12.2. Media Type Registration | |||
Please update the "Media Types" registry at | IANA has updated the "Media Types" registry at | |||
<https://www.iana.org/assignments/media-types> with the registration | <https://www.iana.org/assignments/media-types> with the registration | |||
information in Section 10.1 and Section 10.2 for the media types | information in Sections 10.1 and 10.2 for the media types "message/ | |||
"message/http" and "application/http", respectively. | http" and "application/http", respectively. | |||
12.3. Transfer Coding Registration | 12.3. Transfer Coding Registration | |||
Please update the "HTTP Transfer Coding Registry" at | IANA has updated the "HTTP Transfer Coding Registry" at | |||
<https://www.iana.org/assignments/http-parameters/> with the | <https://www.iana.org/assignments/http-parameters/> with the | |||
registration procedure of Section 7.3 and the content coding names | registration procedure of Section 7.3 and the content coding names | |||
summarized in the table below. | summarized in the table below. | |||
+------------+-------------------------------+-----------+ | +------------+-------------------------------------------+---------+ | |||
| Name | Description | Reference | | | Name | Description | Section | | |||
+------------+-------------------------------+-----------+ | +------------+-------------------------------------------+---------+ | |||
| chunked | Transfer in a series of | Section | | | chunked | Transfer in a series of chunks | 7.1 | | |||
| | chunks | 7.1 | | | compress | UNIX "compress" data format [Welch] | 7.2 | | |||
| compress | UNIX "compress" data format | Section | | | deflate | "deflate" compressed data ([RFC1951]) | 7.2 | | |||
| | [Welch] | 7.2 | | | | inside the "zlib" data format ([RFC1950]) | | | |||
| deflate | "deflate" compressed data | Section | | | gzip | GZIP file format [RFC1952] | 7.2 | | |||
| | ([RFC1951]) inside the "zlib" | 7.2 | | | trailers | (reserved) | 12.3 | | |||
| | data format ([RFC1950]) | | | | x-compress | Deprecated (alias for compress) | 7.2 | | |||
| gzip | GZIP file format [RFC1952] | Section | | | x-gzip | Deprecated (alias for gzip) | 7.2 | | |||
| | | 7.2 | | +------------+-------------------------------------------+---------+ | |||
| trailers | (reserved) | Section | | ||||
| | | 12.3 | | ||||
| x-compress | Deprecated (alias for | Section | | ||||
| | compress) | 7.2 | | ||||
| x-gzip | Deprecated (alias for gzip) | Section | | ||||
| | | 7.2 | | ||||
+------------+-------------------------------+-----------+ | ||||
Table 2 | Table 2 | |||
| *Note:* the coding name "trailers" is reserved because its use | | *Note:* the coding name "trailers" is reserved because its use | |||
| would conflict with the keyword "trailers" in the TE header | | would conflict with the keyword "trailers" in the TE header | |||
| field (Section 10.1.4 of [HTTP]). | | field (Section 10.1.4 of [HTTP]). | |||
12.4. ALPN Protocol ID Registration | 12.4. ALPN Protocol ID Registration | |||
Please update the "TLS Application-Layer Protocol Negotiation (ALPN) | IANA has updated the "TLS Application-Layer Protocol Negotiation | |||
Protocol IDs" registry at <https://www.iana.org/assignments/tls- | (ALPN) Protocol IDs" registry at <https://www.iana.org/assignments/ | |||
extensiontype-values/tls-extensiontype-values.xhtml> with the | tls-extensiontype-values/> with the registration below: | |||
registration below: | ||||
+----------+-----------------------------+----------------+ | +----------+-----------------------------+-----------+ | |||
| Protocol | Identification Sequence | Reference | | | Protocol | Identification Sequence | Reference | | |||
+----------+-----------------------------+----------------+ | +----------+-----------------------------+-----------+ | |||
| HTTP/1.1 | 0x68 0x74 0x74 0x70 0x2f | (this | | | HTTP/1.1 | 0x68 0x74 0x74 0x70 0x2f | RFC 9112 | | |||
| | 0x31 0x2e 0x31 ("http/1.1") | specification) | | | | 0x31 0x2e 0x31 ("http/1.1") | | | |||
+----------+-----------------------------+----------------+ | +----------+-----------------------------+-----------+ | |||
Table 3 | Table 3 | |||
13. References | 13. References | |||
13.1. Normative References | 13.1. Normative References | |||
[CACHING] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | [CACHING] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | |||
Ed., "HTTP Caching", Work in Progress, Internet-Draft, | Ed., "HTTP Caching", Work in Progress, Internet-Draft, | |||
draft-ietf-httpbis-cache-latest, September 2021, | draft-ietf-httpbis-cache-latest, July 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- | <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- | |||
cache-latest>. | cache-latest>. | |||
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | [HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | |||
Ed., "HTTP Semantics", Work in Progress, Internet-Draft, | Ed., "HTTP Semantics", Work in Progress, Internet-Draft, | |||
draft-ietf-httpbis-semantics-latest, September 2021, | draft-ietf-httpbis-semantics-latest, July 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- | <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- | |||
semantics-latest>. | semantics-latest>. | |||
[RFC1950] Deutsch, L.P. and J-L. Gailly, "ZLIB Compressed Data | [RFC1950] Deutsch, P. and J-L. Gailly, "ZLIB Compressed Data Format | |||
Format Specification version 3.3", RFC 1950, | Specification version 3.3", RFC 1950, | |||
DOI 10.17487/RFC1950, May 1996, | DOI 10.17487/RFC1950, May 1996, | |||
<https://www.rfc-editor.org/info/rfc1950>. | <https://www.rfc-editor.org/info/rfc1950>. | |||
[RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | |||
version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996, | version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996, | |||
<https://www.rfc-editor.org/info/rfc1951>. | <https://www.rfc-editor.org/info/rfc1951>. | |||
[RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L.P., and | [RFC1952] Deutsch, P., "GZIP file format specification version 4.3", | |||
G. Randers-Pehrson, "GZIP file format specification | RFC 1952, DOI 10.17487/RFC1952, May 1996, | |||
version 4.3", RFC 1952, DOI 10.17487/RFC1952, May 1996, | ||||
<https://www.rfc-editor.org/info/rfc1952>. | <https://www.rfc-editor.org/info/rfc1952>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | |||
Specifications: ABNF", STD 68, RFC 5234, | Specifications: ABNF", STD 68, RFC 5234, | |||
DOI 10.17487/RFC5234, January 2008, | DOI 10.17487/RFC5234, January 2008, | |||
skipping to change at page 44, line 14 ¶ | skipping to change at page 44, line 9 ¶ | |||
[URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
RFC 3986, DOI 10.17487/RFC3986, January 2005, | RFC 3986, DOI 10.17487/RFC3986, January 2005, | |||
<https://www.rfc-editor.org/info/rfc3986>. | <https://www.rfc-editor.org/info/rfc3986>. | |||
[USASCII] American National Standards Institute, "Coded Character | [USASCII] American National Standards Institute, "Coded Character | |||
Set -- 7-bit American Standard Code for Information | Set -- 7-bit American Standard Code for Information | |||
Interchange", ANSI X3.4, 1986. | Interchange", ANSI X3.4, 1986. | |||
[Welch] Welch, T. A., "A Technique for High-Performance Data | [Welch] Welch, T., "A Technique for High-Performance Data | |||
Compression", IEEE Computer 17(6), June 1984. | Compression", IEEE Computer 17(6), | |||
DOI 10.1109/MC.1984.1659158, June 1984, | ||||
<https://ieeexplore.ieee.org/document/1659158/>. | ||||
13.2. Informative References | 13.2. Informative References | |||
[Err4667] RFC Errata, Erratum ID 4667, RFC 7230, | [HTTP/1.0] Berners-Lee, T., Fielding, R., and H. Frystyk, "Hypertext | |||
<https://www.rfc-editor.org/errata/eid4667>. | Transfer Protocol -- HTTP/1.0", RFC 1945, | |||
[HTTP/1.0] Berners-Lee, T., Fielding, R.T., and H.F. Nielsen, | ||||
"Hypertext Transfer Protocol -- HTTP/1.0", RFC 1945, | ||||
DOI 10.17487/RFC1945, May 1996, | DOI 10.17487/RFC1945, May 1996, | |||
<https://www.rfc-editor.org/info/rfc1945>. | <https://www.rfc-editor.org/info/rfc1945>. | |||
[Klein] Klein, A., "Divide and Conquer - HTTP Response Splitting, | [Klein] Klein, A., "Divide and Conquer - HTTP Response Splitting, | |||
Web Cache Poisoning Attacks, and Related Topics", March | Web Cache Poisoning Attacks, and Related Topics", March | |||
2004, <https://packetstormsecurity.com/papers/general/ | 2004, <https://packetstormsecurity.com/papers/general/ | |||
whitepaper_httpresponse.pdf>. | whitepaper_httpresponse.pdf>. | |||
[Linhart] Linhart, C., Klein, A., Heled, R., and S. Orrin, "HTTP | [Linhart] Linhart, C., Klein, A., Heled, R., and S. Orrin, "HTTP | |||
Request Smuggling", June 2005, | Request Smuggling", June 2005, | |||
<https://www.cgisecurity.com/lib/HTTP-Request- | <https://www.cgisecurity.com/lib/HTTP-Request- | |||
Smuggling.pdf>. | Smuggling.pdf>. | |||
[RFC2045] Freed, N. and N.S. Borenstein, "Multipurpose Internet Mail | [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
Extensions (MIME) Part One: Format of Internet Message | Extensions (MIME) Part One: Format of Internet Message | |||
Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, | Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, | |||
<https://www.rfc-editor.org/info/rfc2045>. | <https://www.rfc-editor.org/info/rfc2045>. | |||
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
Extensions (MIME) Part Two: Media Types", RFC 2046, | Extensions (MIME) Part Two: Media Types", RFC 2046, | |||
DOI 10.17487/RFC2046, November 1996, | DOI 10.17487/RFC2046, November 1996, | |||
<https://www.rfc-editor.org/info/rfc2046>. | <https://www.rfc-editor.org/info/rfc2046>. | |||
[RFC2049] Freed, N. and N.S. Borenstein, "Multipurpose Internet Mail | [RFC2049] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
Extensions (MIME) Part Five: Conformance Criteria and | Extensions (MIME) Part Five: Conformance Criteria and | |||
Examples", RFC 2049, DOI 10.17487/RFC2049, November 1996, | Examples", RFC 2049, DOI 10.17487/RFC2049, November 1996, | |||
<https://www.rfc-editor.org/info/rfc2049>. | <https://www.rfc-editor.org/info/rfc2049>. | |||
[RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. | [RFC2068] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., and T. | |||
Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", | Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", | |||
RFC 2068, DOI 10.17487/RFC2068, January 1997, | RFC 2068, DOI 10.17487/RFC2068, January 1997, | |||
<https://www.rfc-editor.org/info/rfc2068>. | <https://www.rfc-editor.org/info/rfc2068>. | |||
[RFC2557] Palme, F., Hopmann, A., Shelness, N., and E. Stefferud, | [RFC2557] Palme, J., Hopmann, A., and N. Shelness, "MIME | |||
"MIME Encapsulation of Aggregate Documents, such as HTML | Encapsulation of Aggregate Documents, such as HTML | |||
(MHTML)", RFC 2557, DOI 10.17487/RFC2557, March 1999, | (MHTML)", RFC 2557, DOI 10.17487/RFC2557, March 1999, | |||
<https://www.rfc-editor.org/info/rfc2557>. | <https://www.rfc-editor.org/info/rfc2557>. | |||
[RFC5322] Resnick, P., "Internet Message Format", RFC 5322, | [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, | |||
DOI 10.17487/RFC5322, October 2008, | DOI 10.17487/RFC5322, October 2008, | |||
<https://www.rfc-editor.org/info/rfc5322>. | <https://www.rfc-editor.org/info/rfc5322>. | |||
[RFC7230] Fielding, R., Ed. and J. F. Reschke, Ed., "Hypertext | [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
Transfer Protocol (HTTP/1.1): Message Syntax and Routing", | Protocol (HTTP/1.1): Message Syntax and Routing", | |||
RFC 7230, DOI 10.17487/RFC7230, June 2014, | RFC 7230, DOI 10.17487/RFC7230, June 2014, | |||
<https://www.rfc-editor.org/info/rfc7230>. | <https://www.rfc-editor.org/info/rfc7230>. | |||
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
<https://www.rfc-editor.org/info/rfc8126>. | <https://www.rfc-editor.org/info/rfc8126>. | |||
Appendix A. Collected ABNF | Appendix A. Collected ABNF | |||
In the collected ABNF below, list rules are expanded as per | In the collected ABNF below, list rules are expanded per | |||
Section 5.6.1 of [HTTP]. | Section 5.6.1 of [HTTP]. | |||
BWS = <BWS, see [HTTP], Section 5.6.3> | BWS = <BWS, see [HTTP], Section 5.6.3> | |||
HTTP-message = start-line CRLF *( field-line CRLF ) CRLF [ | HTTP-message = start-line CRLF *( field-line CRLF ) CRLF [ | |||
message-body ] | message-body ] | |||
HTTP-name = %x48.54.54.50 ; HTTP | HTTP-name = %x48.54.54.50 ; HTTP | |||
HTTP-version = HTTP-name "/" DIGIT "." DIGIT | HTTP-version = HTTP-name "/" DIGIT "." DIGIT | |||
OWS = <OWS, see [HTTP], Section 5.6.3> | OWS = <OWS, see [HTTP], Section 5.6.3> | |||
skipping to change at page 47, line 8 ¶ | skipping to change at page 46, line 46 ¶ | |||
token = <token, see [HTTP], Section 5.6.2> | token = <token, see [HTTP], Section 5.6.2> | |||
trailer-section = *( field-line CRLF ) | trailer-section = *( field-line CRLF ) | |||
transfer-coding = <transfer-coding, see [HTTP], Section 10.1.4> | transfer-coding = <transfer-coding, see [HTTP], Section 10.1.4> | |||
uri-host = <host, see [URI], Section 3.2.2> | uri-host = <host, see [URI], Section 3.2.2> | |||
Appendix B. Differences between HTTP and MIME | Appendix B. Differences between HTTP and MIME | |||
HTTP/1.1 uses many of the constructs defined for the Internet Message | HTTP/1.1 uses many of the constructs defined for the Internet Message | |||
Format [RFC5322] and the Multipurpose Internet Mail Extensions (MIME) | Format [RFC5322] and Multipurpose Internet Mail Extensions (MIME) | |||
[RFC2045] to allow a message body to be transmitted in an open | [RFC2045] to allow a message body to be transmitted in an open | |||
variety of representations and with extensible fields. However, RFC | variety of representations and with extensible fields. However, some | |||
2045 is focused only on email; applications of HTTP have many | of these constructs have been reinterpreted to better fit the needs | |||
characteristics that differ from email; hence, HTTP has features that | of interactive communication, leading to some differences in how MIME | |||
differ from MIME. These differences were carefully chosen to | constructs are used within HTTP. These differences were carefully | |||
optimize performance over binary connections, to allow greater | chosen to optimize performance over binary connections, allow greater | |||
freedom in the use of new media types, to make date comparisons | freedom in the use of new media types, ease date comparisons, and | |||
easier, and to acknowledge the practice of some early HTTP servers | accommodate common implementations. | |||
and clients. | ||||
This appendix describes specific areas where HTTP differs from MIME. | This appendix describes specific areas where HTTP differs from MIME. | |||
Proxies and gateways to and from strict MIME environments need to be | Proxies and gateways to and from strict MIME environments need to be | |||
aware of these differences and provide the appropriate conversions | aware of these differences and provide the appropriate conversions | |||
where necessary. | where necessary. | |||
B.1. MIME-Version | B.1. MIME-Version | |||
HTTP is not a MIME-compliant protocol. However, messages can include | HTTP is not a MIME-compliant protocol. However, messages can include | |||
a single MIME-Version header field to indicate what version of the | a single MIME-Version header field to indicate what version of the | |||
MIME protocol was used to construct the message. Use of the MIME- | MIME protocol was used to construct the message. Use of the MIME- | |||
Version header field indicates that the message is in full | Version header field indicates that the message is in full | |||
conformance with the MIME protocol (as defined in [RFC2045]). | conformance with the MIME protocol (as defined in [RFC2045]). | |||
Senders are responsible for ensuring full conformance (where | Senders are responsible for ensuring full conformance (where | |||
possible) when exporting HTTP messages to strict MIME environments. | possible) when exporting HTTP messages to strict MIME environments. | |||
B.2. Conversion to Canonical Form | B.2. Conversion to Canonical Form | |||
MIME requires that an Internet mail body part be converted to | MIME requires that an Internet mail body part be converted to | |||
canonical form prior to being transferred, as described in Section 4 | canonical form prior to being transferred, as described in Section 4 | |||
of [RFC2049], and that content with a type of "text" represent line | of [RFC2049], and that content with a type of "text" represents line | |||
breaks as CRLF, forbidding the use of CR or LF outside of line break | breaks as CRLF, forbidding the use of CR or LF outside of line break | |||
sequences [RFC2046]. In contrast, HTTP does not care whether CRLF, | sequences [RFC2046]. In contrast, HTTP does not care whether CRLF, | |||
bare CR, or bare LF are used to indicate a line break within content. | bare CR, or bare LF are used to indicate a line break within content. | |||
A proxy or gateway from HTTP to a strict MIME environment ought to | A proxy or gateway from HTTP to a strict MIME environment ought to | |||
translate all line breaks within text media types to the RFC 2049 | translate all line breaks within text media types to the RFC 2049 | |||
canonical form of CRLF. Note, however, this might be complicated by | canonical form of CRLF. Note, however, this might be complicated by | |||
the presence of a Content-Encoding and by the fact that HTTP allows | the presence of a Content-Encoding and by the fact that HTTP allows | |||
the use of some charsets that do not use octets 13 and 10 to | the use of some charsets that do not use octets 13 and 10 to | |||
represent CR and LF, respectively. | represent CR and LF, respectively. | |||
skipping to change at page 48, line 20 ¶ | skipping to change at page 48, line 7 ¶ | |||
B.3. Conversion of Date Formats | B.3. Conversion of Date Formats | |||
HTTP/1.1 uses a restricted set of date formats (Section 5.6.7 of | HTTP/1.1 uses a restricted set of date formats (Section 5.6.7 of | |||
[HTTP]) to simplify the process of date comparison. Proxies and | [HTTP]) to simplify the process of date comparison. Proxies and | |||
gateways from other protocols ought to ensure that any Date header | gateways from other protocols ought to ensure that any Date header | |||
field present in a message conforms to one of the HTTP/1.1 formats | field present in a message conforms to one of the HTTP/1.1 formats | |||
and rewrite the date if necessary. | and rewrite the date if necessary. | |||
B.4. Conversion of Content-Encoding | B.4. Conversion of Content-Encoding | |||
MIME does not include any concept equivalent to HTTP/1.1's Content- | MIME does not include any concept equivalent to HTTP's Content- | |||
Encoding header field. Since this acts as a modifier on the media | Encoding header field. Since this acts as a modifier on the media | |||
type, proxies and gateways from HTTP to MIME-compliant protocols | type, proxies and gateways from HTTP to MIME-compliant protocols | |||
ought to either change the value of the Content-Type header field or | ought to either change the value of the Content-Type header field or | |||
decode the representation before forwarding the message. (Some | decode the representation before forwarding the message. (Some | |||
experimental applications of Content-Type for Internet mail have used | experimental applications of Content-Type for Internet mail have used | |||
a media-type parameter of ";conversions=<content-coding>" to perform | a media-type parameter of ";conversions=<content-coding>" to perform | |||
a function equivalent to Content-Encoding. However, this parameter | a function equivalent to Content-Encoding. However, this parameter | |||
is not part of the MIME standards). | is not part of the MIME standards.) | |||
B.5. Conversion of Content-Transfer-Encoding | B.5. Conversion of Content-Transfer-Encoding | |||
HTTP does not use the Content-Transfer-Encoding field of MIME. | HTTP does not use the Content-Transfer-Encoding field of MIME. | |||
Proxies and gateways from MIME-compliant protocols to HTTP need to | Proxies and gateways from MIME-compliant protocols to HTTP need to | |||
remove any Content-Transfer-Encoding prior to delivering the response | remove any Content-Transfer-Encoding prior to delivering the response | |||
message to an HTTP client. | message to an HTTP client. | |||
Proxies and gateways from HTTP to MIME-compliant protocols are | Proxies and gateways from HTTP to MIME-compliant protocols are | |||
responsible for ensuring that the message is in the correct format | responsible for ensuring that the message is in the correct format | |||
skipping to change at page 49, line 8 ¶ | skipping to change at page 48, line 44 ¶ | |||
HTTP implementations that share code with MHTML [RFC2557] | HTTP implementations that share code with MHTML [RFC2557] | |||
implementations need to be aware of MIME line length limitations. | implementations need to be aware of MIME line length limitations. | |||
Since HTTP does not have this limitation, HTTP does not fold long | Since HTTP does not have this limitation, HTTP does not fold long | |||
lines. MHTML messages being transported by HTTP follow all | lines. MHTML messages being transported by HTTP follow all | |||
conventions of MHTML, including line length limitations and folding, | conventions of MHTML, including line length limitations and folding, | |||
canonicalization, etc., since HTTP transfers message-bodies without | canonicalization, etc., since HTTP transfers message-bodies without | |||
modification and, aside from the "multipart/byteranges" type | modification and, aside from the "multipart/byteranges" type | |||
(Section 14.6 of [HTTP]), does not interpret the content or any MIME | (Section 14.6 of [HTTP]), does not interpret the content or any MIME | |||
header lines that might be contained therein. | header lines that might be contained therein. | |||
Appendix C. Changes from previous RFCs | Appendix C. Changes from Previous RFCs | |||
C.1. Changes from HTTP/0.9 | C.1. Changes from HTTP/0.9 | |||
Since HTTP/0.9 did not support header fields in a request, there is | Since HTTP/0.9 did not support header fields in a request, there is | |||
no mechanism for it to support name-based virtual hosts (selection of | no mechanism for it to support name-based virtual hosts (selection of | |||
resource by inspection of the Host header field). Any server that | resource by inspection of the Host header field). Any server that | |||
implements name-based virtual hosts ought to disable support for | implements name-based virtual hosts ought to disable support for | |||
HTTP/0.9. Most requests that appear to be HTTP/0.9 are, in fact, | HTTP/0.9. Most requests that appear to be HTTP/0.9 are, in fact, | |||
badly constructed HTTP/1.x requests caused by a client failing to | badly constructed HTTP/1.x requests caused by a client failing to | |||
properly encode the request-target. | properly encode the request-target. | |||
C.2. Changes from HTTP/1.0 | C.2. Changes from HTTP/1.0 | |||
C.2.1. Multihomed Web Servers | C.2.1. Multihomed Web Servers | |||
The requirements that clients and servers support the Host header | The requirements that clients and servers support the Host header | |||
field (Section 7.2 of [HTTP]), report an error if it is missing from | field (Section 7.2 of [HTTP]), report an error if it is missing from | |||
an HTTP/1.1 request, and accept absolute URIs (Section 3.2) are among | an HTTP/1.1 request, and accept absolute URIs (Section 3.2) are among | |||
the most important changes defined by HTTP/1.1. | the most important changes defined by HTTP/1.1. | |||
Older HTTP/1.0 clients assumed a one-to-one relationship of IP | Older HTTP/1.0 clients assumed a one-to-one relationship of IP | |||
addresses and servers; there was no other established mechanism for | addresses and servers; there was no established mechanism for | |||
distinguishing the intended server of a request than the IP address | distinguishing the intended server of a request other than the IP | |||
to which that request was directed. The Host header field was | address to which that request was directed. The Host header field | |||
introduced during the development of HTTP/1.1 and, though it was | was introduced during the development of HTTP/1.1 and, though it was | |||
quickly implemented by most HTTP/1.0 browsers, additional | quickly implemented by most HTTP/1.0 browsers, additional | |||
requirements were placed on all HTTP/1.1 requests in order to ensure | requirements were placed on all HTTP/1.1 requests in order to ensure | |||
complete adoption. At the time of this writing, most HTTP-based | complete adoption. At the time of this writing, most HTTP-based | |||
services are dependent upon the Host header field for targeting | services are dependent upon the Host header field for targeting | |||
requests. | requests. | |||
C.2.2. Keep-Alive Connections | C.2.2. Keep-Alive Connections | |||
In HTTP/1.0, each connection is established by the client prior to | In HTTP/1.0, each connection is established by the client prior to | |||
the request and closed by the server after sending the response. | the request and closed by the server after sending the response. | |||
skipping to change at page 50, line 17 ¶ | skipping to change at page 50, line 13 ¶ | |||
hung connection. | hung connection. | |||
One attempted solution was the introduction of a Proxy-Connection | One attempted solution was the introduction of a Proxy-Connection | |||
header field, targeted specifically at proxies. In practice, this | header field, targeted specifically at proxies. In practice, this | |||
was also unworkable, because proxies are often deployed in multiple | was also unworkable, because proxies are often deployed in multiple | |||
layers, bringing about the same problem discussed above. | layers, bringing about the same problem discussed above. | |||
As a result, clients are encouraged not to send the Proxy-Connection | As a result, clients are encouraged not to send the Proxy-Connection | |||
header field in any requests. | header field in any requests. | |||
Clients are also encouraged to consider the use of Connection: keep- | Clients are also encouraged to consider the use of "Connection: keep- | |||
alive in requests carefully; while they can enable persistent | alive" in requests carefully; while they can enable persistent | |||
connections with HTTP/1.0 servers, clients using them will need to | connections with HTTP/1.0 servers, clients using them will need to | |||
monitor the connection for "hung" requests (which indicate that the | monitor the connection for "hung" requests (which indicate that the | |||
client ought to stop sending the header field), and this mechanism | client ought to stop sending the header field), and this mechanism | |||
ought not be used by clients at all when a proxy is being used. | ought not be used by clients at all when a proxy is being used. | |||
C.2.3. Introduction of Transfer-Encoding | C.2.3. Introduction of Transfer-Encoding | |||
HTTP/1.1 introduces the Transfer-Encoding header field (Section 6.1). | HTTP/1.1 introduces the Transfer-Encoding header field (Section 6.1). | |||
Transfer codings need to be decoded prior to forwarding an HTTP | Transfer codings need to be decoded prior to forwarding an HTTP | |||
message over a MIME-compliant protocol. | message over a MIME-compliant protocol. | |||
skipping to change at page 50, line 45 ¶ | skipping to change at page 50, line 41 ¶ | |||
document has been reduced to just the messaging syntax and connection | document has been reduced to just the messaging syntax and connection | |||
management requirements specific to HTTP/1.1. | management requirements specific to HTTP/1.1. | |||
Bare CRs have been prohibited outside of content. (Section 2.2) | Bare CRs have been prohibited outside of content. (Section 2.2) | |||
The ABNF definition of authority-form has changed from the more | The ABNF definition of authority-form has changed from the more | |||
general authority component of a URI (in which port is optional) to | general authority component of a URI (in which port is optional) to | |||
the specific host:port format that is required by CONNECT. | the specific host:port format that is required by CONNECT. | |||
(Section 3.2.3) | (Section 3.2.3) | |||
Required recipients to avoid smuggling/splitting attacks when | Recipients are required to avoid smuggling/splitting attacks when | |||
processing an ambiguous message framing. (Section 6.1) | processing an ambiguous message framing. (Section 6.1) | |||
In the ABNF for chunked extensions, re-introduced (bad) whitespace | In the ABNF for chunked extensions, (bad) whitespace around ";" and | |||
around ";" and "=". Whitespace was removed in [RFC7230], but that | "=" has been reintroduced. Whitespace was removed in [RFC7230], but | |||
change was found to break existing implementations (see [Err4667]). | that change was found to break existing implementations. | |||
(Section 7.1.1) | (Section 7.1.1) | |||
Trailer field semantics now transcend the specifics of chunked | Trailer field semantics now transcend the specifics of chunked | |||
encoding. The decoding algorithm for chunked (Section 7.1.3) has | transfer coding. The decoding algorithm for chunked (Section 7.1.3) | |||
been updated to encourage storage/forwarding of trailer fields | has been updated to encourage storage/forwarding of trailer fields | |||
separately from the header section, to only allow merging into the | separately from the header section, to only allow merging into the | |||
header section if the recipient knows the corresponding field | header section if the recipient knows the corresponding field | |||
definition permits and defines how to merge, and otherwise to discard | definition permits and defines how to merge, and otherwise to discard | |||
the trailer fields instead of merging. The trailer part is now | the trailer fields instead of merging. The trailer part is now | |||
called the trailer section to be more consistent with the header | called the trailer section to be more consistent with the header | |||
section and more distinct from a body part. (Section 7.1.2) | section and more distinct from a body part. (Section 7.1.2) | |||
Disallowed transfer coding parameters called "q" in order to avoid | Transfer coding parameters called "q" are disallowed in order to | |||
conflicts with the use of ranks in the TE header field. | avoid conflicts with the use of ranks in the TE header field. | |||
(Section 7.3) | (Section 7.3) | |||
Appendix D. Change Log | Appendix D. Change Log | |||
This section is to be removed before publishing as an RFC. | This section is to be removed before publishing as an RFC. | |||
D.1. Between RFC7230 and draft 00 | See <https://www.ietf.org/archive/id/draft-ietf-httpbis-messaging- | |||
19.html#appendix-D> for changes up to version 19 of this document. | ||||
The changes were purely editorial: | ||||
o Change boilerplate and abstract to indicate the "draft" status, | ||||
and update references to ancestor specifications. | ||||
o Adjust historical notes. | ||||
o Update links to sibling specifications. | ||||
o Replace sections listing changes from RFC 2616 by new empty | ||||
sections referring to RFC 723x. | ||||
o Remove acknowledgements specific to RFC 723x. | ||||
o Move "Acknowledgements" to the very end and make them unnumbered. | ||||
D.2. Since draft-ietf-httpbis-messaging-00 | ||||
The changes in this draft are editorial, with respect to HTTP as a | ||||
whole, to move all core HTTP semantics into [HTTP]: | ||||
o Moved introduction, architecture, conformance, and ABNF extensions | ||||
from RFC 7230 (Messaging) to semantics [HTTP]. | ||||
o Moved discussion of MIME differences from RFC 7231 (Semantics) to | ||||
Appendix B since they mostly cover transforming 1.1 messages. | ||||
o Moved all extensibility tips, registration procedures, and | ||||
registry tables from the IANA considerations to normative | ||||
sections, reducing the IANA considerations to just instructions | ||||
that will be removed prior to publication as an RFC. | ||||
D.3. Since draft-ietf-httpbis-messaging-01 | ||||
o Cite RFC 8126 instead of RFC 5226 (<https://github.com/httpwg/ | ||||
http-core/issues/75>) | ||||
o Resolved erratum 4779, no change needed here | ||||
(<https://github.com/httpwg/http-core/issues/87>, | ||||
<https://www.rfc-editor.org/errata/eid4779>) | ||||
o In Section 7, fixed prose claiming transfer parameters allow bare | ||||
names (<https://github.com/httpwg/http-core/issues/88>, | ||||
<https://www.rfc-editor.org/errata/eid4839>) | ||||
o Resolved erratum 4225, no change needed here | ||||
(<https://github.com/httpwg/http-core/issues/90>, | ||||
<https://www.rfc-editor.org/errata/eid4225>) | ||||
o Replace "response code" with "response status code" | ||||
(<https://github.com/httpwg/http-core/issues/94>, | ||||
<https://www.rfc-editor.org/errata/eid4050>) | ||||
o In Section 9.3, clarify statement about HTTP/1.0 keep-alive | ||||
(<https://github.com/httpwg/http-core/issues/96>, | ||||
<https://www.rfc-editor.org/errata/eid4205>) | ||||
o In Section 7.1.1, re-introduce (bad) whitespace around ";" and "=" | ||||
(<https://github.com/httpwg/http-core/issues/101>, | ||||
<https://www.rfc-editor.org/errata/eid4667>, <https://www.rfc- | ||||
editor.org/errata/eid4825>) | ||||
o In Section 7.3, state that transfer codings should not use | ||||
parameters named "q" (<https://github.com/httpwg/http-core/ | ||||
issues/15>, <https://www.rfc-editor.org/errata/eid4683>) | ||||
o In Section 7, mark coding name "trailers" as reserved in the IANA | ||||
registry (<https://github.com/httpwg/http-core/issues/108>) | ||||
D.4. Since draft-ietf-httpbis-messaging-02 | ||||
o In Section 4, explain why the reason phrase should be ignored by | ||||
clients (<https://github.com/httpwg/http-core/issues/60>). | ||||
o Add Section 9.2 to explain how request/response correlation is | ||||
performed (<https://github.com/httpwg/http-core/issues/145>) | ||||
D.5. Since draft-ietf-httpbis-messaging-03 | ||||
o In Section 9.2, caution against treating data on a connection as | ||||
part of a not-yet-issued request (<https://github.com/httpwg/http- | ||||
core/issues/26>) | ||||
o In Section 7, remove the predefined codings from the ABNF and make | ||||
it generic instead (<https://github.com/httpwg/http-core/ | ||||
issues/66>) | ||||
o Use RFC 7405 ABNF notation for case-sensitive string constants | ||||
(<https://github.com/httpwg/http-core/issues/133>) | ||||
D.6. Since draft-ietf-httpbis-messaging-04 | ||||
o In Section 7.8 of [HTTP], clarify that protocol-name is to be | ||||
matched case-insensitively (<https://github.com/httpwg/http-core/ | ||||
issues/8>) | ||||
o In Section 5.2, add leading optional whitespace to obs-fold ABNF | ||||
(<https://github.com/httpwg/http-core/issues/19>, | ||||
<https://www.rfc-editor.org/errata/eid4189>) | ||||
o In Section 4, add clarifications about empty reason phrases | ||||
(<https://github.com/httpwg/http-core/issues/197>) | ||||
o Move discussion of retries from Section 9.3.1 into [HTTP] | ||||
(<https://github.com/httpwg/http-core/issues/230>) | ||||
D.7. Since draft-ietf-httpbis-messaging-05 | ||||
o In Section 7.1.2, the trailer part has been renamed the trailer | ||||
section (for consistency with the header section) and trailers are | ||||
no longer merged as header fields by default, but rather can be | ||||
discarded, kept separate from header fields, or merged with header | ||||
fields only if understood and defined as being mergeable | ||||
(<https://github.com/httpwg/http-core/issues/16>) | ||||
o In Section 2.1 and related Sections, move the trailing CRLF from | ||||
the line grammars into the message format | ||||
(<https://github.com/httpwg/http-core/issues/62>) | ||||
o Moved Section 2.3 down (<https://github.com/httpwg/http-core/ | ||||
issues/68>) | ||||
o In Section 7.8 of [HTTP], use 'websocket' instead of 'HTTP/2.0' in | ||||
examples (<https://github.com/httpwg/http-core/issues/112>) | ||||
o Move version non-specific text from Section 6 into semantics as | ||||
"payload" (<https://github.com/httpwg/http-core/issues/159>) | ||||
o In Section 9.8, add text from RFC 2818 | ||||
(<https://github.com/httpwg/http-core/issues/236>) | ||||
D.8. Since draft-ietf-httpbis-messaging-06 | ||||
o In Section 12.4, update the ALPN protocol ID for HTTP/1.1 | ||||
(<https://github.com/httpwg/http-core/issues/49>) | ||||
o In Section 5, align with updates to field terminology in semantics | ||||
(<https://github.com/httpwg/http-core/issues/111>) | ||||
o In Section 7.6.1 of [HTTP], clarify that new connection options | ||||
indeed need to be registered (<https://github.com/httpwg/http- | ||||
core/issues/285>) | ||||
o In Section 1.1, reference RFC 8174 as well | ||||
(<https://github.com/httpwg/http-core/issues/303>) | ||||
D.9. Since draft-ietf-httpbis-messaging-07 | ||||
o Move TE: trailers into [HTTP] (<https://github.com/httpwg/http- | ||||
core/issues/18>) | ||||
o In Section 6.3, adjust requirements for handling multiple content- | ||||
length values (<https://github.com/httpwg/http-core/issues/59>) | ||||
o Throughout, replace "effective request URI" with "target URI" | ||||
(<https://github.com/httpwg/http-core/issues/259>) | ||||
o In Section 6.1, don't claim Transfer-Encoding is supported by | ||||
HTTP/2 or later (<https://github.com/httpwg/http-core/issues/297>) | ||||
D.10. Since draft-ietf-httpbis-messaging-08 | ||||
o In Section 2.2, disallow bare CRs (<https://github.com/httpwg/ | ||||
http-core/issues/31>) | ||||
o Appendix A now uses the sender variant of the "#" list expansion | ||||
(<https://github.com/httpwg/http-core/issues/192>) | ||||
o In Section 5, adjust IANA "Close" entry for new registry format | ||||
(<https://github.com/httpwg/http-core/issues/273>) | ||||
D.11. Since draft-ietf-httpbis-messaging-09 | ||||
o Switch to xml2rfc v3 mode for draft generation | ||||
(<https://github.com/httpwg/http-core/issues/394>) | ||||
D.12. Since draft-ietf-httpbis-messaging-10 | ||||
o In Section 6.3, note that TCP half-close does not delimit a | ||||
request; talk about corresponding server-side behaviour in | ||||
Section 9.6 (<https://github.com/httpwg/http-core/issues/22>) | ||||
o Moved requirements specific to HTTP/1.1 from [HTTP] into | ||||
Section 3.2 (<https://github.com/httpwg/http-core/issues/182>) | ||||
o In Section 6.1 (Transfer-Encoding), adjust ABNF to allow empty | ||||
lists (<https://github.com/httpwg/http-core/issues/210>) | ||||
o In Section 9.7, add text from RFC 2818 | ||||
(<https://github.com/httpwg/http-core/issues/236>) | ||||
o Moved definitions of "TE" and "Upgrade" into [HTTP] | ||||
(<https://github.com/httpwg/http-core/issues/392>) | ||||
o Moved definition of "Connection" into [HTTP] | ||||
(<https://github.com/httpwg/http-core/issues/407>) | ||||
D.13. Since draft-ietf-httpbis-messaging-11 | ||||
o Move IANA Upgrade Token Registry instructions to [HTTP] | ||||
(<https://github.com/httpwg/http-core/issues/450>) | ||||
D.14. Since draft-ietf-httpbis-messaging-12 | ||||
o Moved content of history appendix to Semantics | ||||
(<https://github.com/httpwg/http-core/issues/451>) | ||||
o Moved note about "close" being reserved as field name to | ||||
Section 9.3 (<https://github.com/httpwg/http-core/issues/500>) | ||||
o Moved table of transfer codings into Section 12.3 | ||||
(<https://github.com/httpwg/http-core/issues/506>) | ||||
o In Section 13.2, updated the URI for the [Linhart] paper | ||||
(<https://github.com/httpwg/http-core/issues/517>) | ||||
o Changed document title to just "HTTP/1.1" | ||||
(<https://github.com/httpwg/http-core/issues/524>) | ||||
o In Section 7, moved transfer-coding ABNF to Section 10.1.4 of | ||||
[HTTP] (<https://github.com/httpwg/http-core/issues/531>) | ||||
o Changed to using "payload data" when defining requirements about | ||||
the data being conveyed within a message, instead of the terms | ||||
"payload body" or "response body" or "representation body", since | ||||
they often get confused with the HTTP/1.1 message body (which | ||||
includes transfer coding) (<https://github.com/httpwg/http-core/ | ||||
issues/553>) | ||||
D.15. Since draft-ietf-httpbis-messaging-13 | ||||
o In Section 6.3, clarify that a message needs to be checked for | ||||
both Content-Length and Transfer-Encoding, before processing | ||||
Transfer-Encoding, and that ought to be treated as an error, but | ||||
an intermediary can choose to forward the message downstream after | ||||
removing the Content-Length and processing the Transfer-Encoding | ||||
(<https://github.com/httpwg/http-core/issues/617>) | ||||
o Changed to using "content" instead of "payload" or "payload data" | ||||
to avoid confusion with the payload of version-specific messaging | ||||
frames (<https://github.com/httpwg/http-core/issues/654>) | ||||
D.16. Since draft-ietf-httpbis-messaging-14 | ||||
o In Section 9.6, define the close connection option, since its | ||||
definition was removed from the Connection header field for being | ||||
specific to 1.1 (<https://github.com/httpwg/http-core/issues/678>) | ||||
o In Section 3.3, clarify how the target URI is reconstructed when | ||||
the request-target is not in absolute-form and highlight risk in | ||||
selecting a default host (<https://github.com/httpwg/http-core/ | ||||
issues/722>) | ||||
o In Section 7.1, clarify large chunk handling issues | ||||
(<https://github.com/httpwg/http-core/issues/749>) | ||||
o In Section 2.2, explicitly close the connection after sending a | ||||
400 (<https://github.com/httpwg/http-core/issues/750>) | ||||
o In Section 2.3, refine version requirements for intermediaries | ||||
(<https://github.com/httpwg/http-core/issues/751>) | ||||
o In Section 7.1.3, don't remove the Trailer header field | ||||
(<https://github.com/httpwg/http-core/issues/793>) | ||||
o In Section 3.2.3, changed the ABNF definition of authority-form | ||||
from the authority component (in which port is optional) to the | ||||
host:port format that has always been required by CONNECT | ||||
(<https://github.com/httpwg/http-core/issues/806>) | ||||
D.17. Since draft-ietf-httpbis-messaging-15 | ||||
o None. | ||||
D.18. Since draft-ietf-httpbis-messaging-16 | ||||
This draft addresses mostly editorial issues raised during or past | D.1. Since draft-ietf-httpbis-messaging-19 | |||
IETF Last Call; see <https://github.com/httpwg/http-core/ | ||||
issues?q=label%3Ah1-messaging+created%3A%3E2021-05-26> for a summary. | ||||
This (unpublished) draft contains changes that were made after draft | ||||
19 was approved by the IESG. Most changes are editorial only. | ||||
Furthermore: | Furthermore: | |||
o In Section 6.1, require recipients to avoid smuggling/splitting | o In Section 12.1, change status 'standard' to 'permanent' | |||
attacks when processing an ambiguous message framing | (<https://github.com/httpwg/http-core/issues/978>) | |||
(<https://github.com/httpwg/http-core/issues/879>) | ||||
D.19. Since draft-ietf-httpbis-messaging-17 | ||||
o In Section 4, rephrase text about status code definitions in | ||||
[HTTP] (<https://github.com/httpwg/http-core/issues/915>) | ||||
o In Section 9.2, clarify how to match responses to requests | ||||
(<https://github.com/httpwg/http-core/issues/915>) | ||||
o Made reference to [RFC5322] normative, as it is referenced from | ||||
the ABNF (for "From" header field) (<https://github.com/httpwg/ | ||||
http-core/issues/915>) | ||||
o In Section 5.2, include text about message/http that previously | ||||
was in [HTTP] (<https://github.com/httpwg/http-core/issues/923>) | ||||
o Throughout, disambiguate "selected representation" and "selected | ||||
response" (now "chosen response") (<https://github.com/httpwg/ | ||||
http-core/issues/958>) | ||||
D.20. Since draft-ietf-httpbis-messaging-18 | ||||
o Improve a few crossrefs into [HTTP] (<https://github.com/httpwg/ | ||||
http-core/issues/966>) | ||||
o In Section 7.1.2, improve readability of formerly overlong | ||||
sentence (<https://github.com/httpwg/http-core/issues/966>) | ||||
o Slightly rephrase Section 9.8 (<https://github.com/httpwg/http- | o In Section 4, align the prose about empty reason phrases with the | |||
core/pull/972>) | current ABNF (<https://github.com/httpwg/http-core/issues/1005>) | |||
Acknowledgements | Acknowledgements | |||
See Appendix "Acknowledgements" of [HTTP]. | See Appendix "Acknowledgements" of [HTTP], which applies to this | |||
document as well. | ||||
Index | Index | |||
A C D F G H M O R T X | A C D F G H M O R T X | |||
A | A | |||
absolute-form (of request-target) Section 3.2.2 | absolute-form (of request-target) Section 3.2.2 | |||
application/http Media Type *_Section 10.2_* | application/http Media Type *_Section 10.2_* | |||
asterisk-form (of request-target) Section 3.2.4 | asterisk-form (of request-target) Section 3.2.4 | |||
skipping to change at page 60, line 17 ¶ | skipping to change at page 53, line 44 ¶ | |||
Roy T. Fielding (editor) | Roy T. Fielding (editor) | |||
Adobe | Adobe | |||
345 Park Ave | 345 Park Ave | |||
San Jose, CA 95110 | San Jose, CA 95110 | |||
United States of America | United States of America | |||
Email: fielding@gbiv.com | Email: fielding@gbiv.com | |||
URI: https://roy.gbiv.com/ | URI: https://roy.gbiv.com/ | |||
Mark Nottingham (editor) | Mark Nottingham (editor) | |||
Fastly | Fastly | |||
Prahran VIC | Prahran | |||
Australia | Australia | |||
Email: mnot@mnot.net | Email: mnot@mnot.net | |||
URI: https://www.mnot.net/ | URI: https://www.mnot.net/ | |||
Julian Reschke (editor) | Julian Reschke (editor) | |||
greenbytes GmbH | greenbytes GmbH | |||
Hafenweg 16 | Hafenweg 16 | |||
48155 Münster | 48155 Münster | |||
Germany | Germany | |||
Email: julian.reschke@greenbytes.de | Email: julian.reschke@greenbytes.de | |||
URI: https://greenbytes.de/tech/webdav/ | URI: https://greenbytes.de/tech/webdav/ | |||
End of changes. 135 change blocks. | ||||
565 lines changed or deleted | 236 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |