HTTP Working Group J. Reschke
Internet-Draft greenbytes
Intended status: Standards Track A. Malhotra
Expires: March 18, 2025
J.M. Snell
M. Bishop
Akamai
September 14, 2024
The HTTP QUERY Method
draft-ietf-httpbis-safe-method-w-body-05
Abstract
This specification defines a new HTTP method, QUERY, as a safe,
idempotent request method that can carry request content.
Editorial Note
This note is to be removed before publishing as an RFC.
Discussion of this draft takes place on the HTTP working group
mailing list (ietf-http-wg@w3.org), which is archived at
.
Working Group information can be found at ;
source code and issues list for this draft can be found at
.
The changes in this draft are summarized in Appendix A.3.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Reschke, et al. Expires March 18, 2025 [Page 1]
Internet-Draft The HTTP QUERY Method September 2024
This Internet-Draft will expire on March 18, 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. QUERY . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Caching . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. The "Accept-Query" Header Field . . . . . . . . . . . . . . . 5
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Simple QUERY with a Direct Response . . . . . . . . . . . 6
4.2. Simple QUERY with a Direct Response and Location
fields . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.3. Simple QUERY with indirect response (303 See Other) . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. Normative References . . . . . . . . . . . . . . . . . . . . 9
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 9
A.1. Since draft-ietf-httpbis-safe-method-w-body-00 . . . . . 9
A.2. Since draft-ietf-httpbis-safe-method-w-body-01 . . . . . 10
A.3. Since draft-ietf-httpbis-safe-method-w-body-02 . . . . . 10
A.4. Since draft-ietf-httpbis-safe-method-w-body-03 . . . . . 10
A.5. Since draft-ietf-httpbis-safe-method-w-body-04 . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
This specification defines the HTTP QUERY request method as a means
of making a safe, idempotent request that contains content.
Most often, this is desirable when the data conveyed in a request is
too voluminous to be encoded into the request's URI. For example,
while this is an common and interoperable query:
Reschke, et al. Expires March 18, 2025 [Page 2]
Internet-Draft The HTTP QUERY Method September 2024
GET /feed?q=foo&limit=10&sort=-published HTTP/1.1
Host: example.org
if the query parameters extend to several kilobytes or more of data
it may not be, because many implementations place limits on their
size. Often these limits are not known or discoverable ahead of
time, because a request can pass through many uncoordinated systems.
Additionally, expressing some data in the target URI is inefficient,
because it needs to be encoded to be a valid URI.
Encoding query parameters directly into the request URI also
effectively casts every possible combination of query inputs as
distinct resources. Depending on the application, that may not be
desirable.
As an alternative to using GET, many implementations make use of the
HTTP POST method to perform queries, as illustrated in the example
below. In this case, the input parameters to the query operation are
passed along within the request content as opposed to using the
request URI.
A typical use of HTTP POST for requesting a query:
POST /feed HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded
q=foo&limit=10&sort=-published
This variation, however, suffers from the same basic limitation as
GET in that it is not readily apparent -- absent specific knowledge
of the resource and server to which the request is being sent -- that
a safe, idempotent query is being performed.
The QUERY method provides a solution that spans the gap between the
use of GET and POST. As with POST, the input to the query operation
is passed along within the content of the request rather than as part
of the request URI. Unlike POST, however, the method is explicitly
safe and idempotent, allowing functions like caching and automatic
retries to operate.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Reschke, et al. Expires March 18, 2025 [Page 3]
Internet-Draft The HTTP QUERY Method September 2024
2. QUERY
The QUERY method is used to initiate a server-side query. Unlike the
HTTP GET method, which requests that a server return a representation
of the resource identified by the target URI (as defined by
Section 7.1 of [HTTP]), the QUERY method is used to ask the server to
perform a query operation (described by the request content) over
some set of data scoped to the target URI. The content returned in
response to a QUERY cannot be assumed to be a representation of the
resource identified by the target URI.
The content of the request defines the query. Implementations MAY
use a request content of any media type with the QUERY method,
provided that it has appropriate query semantics.
QUERY requests are both safe and idempotent with regards to the
resource identified by the request URI. That is, QUERY requests do
not alter the state of the targeted resource. However, while
processing a QUERY request, a server can be expected to allocate
computing and memory resources or even create additional HTTP
resources through which the response can be retrieved.
A successful response to a QUERY request is expected to provide some
indication as to the final disposition of the operation. For
instance, a successful query that yields no results can be
represented by a 204 No Content response. If the response includes
content, it is expected to describe the results of the operation. In
some cases, the server may choose to respond indirectly to the QUERY
request by returning a 3xx Redirection with a Location header field
specifying an alternate Request URI from which the results can be
retrieved using an HTTP GET request. Various non-normative examples
of successful QUERY responses are illustrated in Section 4.
A successful response to a QUERY request can include a Content-
Location header field (see Section 8.7 of [HTTP]) containing an
identifier for a resource corresponding to the results of the
operation. This represents a claim from the server that a client can
send a GET request for the indicated URI to retrieve the results of
the query operation just performed. The indicated resource might be
temporary.
Reschke, et al. Expires March 18, 2025 [Page 4]
Internet-Draft The HTTP QUERY Method September 2024
A server MAY create or locate a resource that identifies the query
operation for future use. If the server does so, the URI of the
resource can be included in the Location header field of the response
(see Section 10.2.2 of [HTTP]). This represents a claim that a
client can send a GET request to the indicated URI to repeat the
query operation just performed without resending the query
parameters. This resource might be temporary; if a future request
fails, the client can retry using the original QUERY resource and the
previously submitted parameters again.
The semantics of the QUERY method change to a "conditional QUERY" if
the request message includes an If-Modified-Since, If-Unmodified-
Since, If-Match, If-None-Match, or If-Range header field ([HTTP],
Section 13). A conditional QUERY requests that the query be
performed only under the circumstances described by the conditional
header field(s). It is important to note, however, that such
conditions are evaluated against the state of the target resource
itself as opposed to the collected results of the query operation.
2.1. Caching
The response to a QUERY method is cacheable; a cache MAY use it to
satisfy subsequent QUERY requests as per Section 4 of
[HTTP-CACHING]).
The cache key for a query (see Section 2 of [HTTP-CACHING]) MUST
incorporate the request content. When doing so, caches SHOULD first
normalize request content to remove semantically insignificant
differences, thereby improving cache efficiency, by:
o Removing content encoding(s)
o Normalizing based upon knowledge of format conventions, as
indicated by the any media type suffix in the request's Content-
Type field (e.g., "+json")
o Normalizing based upon knowledge of the semantics of the content
itself, as indicated by the request's Content-Type field.
Note that any such normalization is performed solely for the purpose
of generating a cache key; it does not change the request itself.
3. The "Accept-Query" Header Field
The "Accept-Query" response header field MAY be used by a resource to
directly signal support for the QUERY method while identifying the
specific query format media type(s) that may be used.
Reschke, et al. Expires March 18, 2025 [Page 5]
Internet-Draft The HTTP QUERY Method September 2024
Accept-Query = 1#media-type
The Accept-Query header field specifies a comma-separated listing of
media types (with optional parameters) as defined by Section 8.3.1 of
[HTTP].
The order of types listed by the Accept-Query header field is not
significant.
Accept-Query's value applies to every URI on the server that shares
the same path; in other words, the query component is ignored. If
requests to the same resource return different Accept-Query values,
the most recently received fresh (per Section 4.2 of [HTTP-CACHING])
value is used.
4. Examples
The non-normative examples in this section make use of a simple,
hypothetical plain-text based query syntax based on SQL with results
returned as comma-separated values. This is done for illustration
purposes only. Implementations are free to use any format they wish
on both the request and response.
4.1. Simple QUERY with a Direct Response
A simple query with a direct response:
QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: example/query
Accept: text/csv
select surname, givenname, email limit 10
Response:
HTTP/1.1 200 OK
Content-Type: text/csv
surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net
4.2. Simple QUERY with a Direct Response and Location fields
A simple query with a direct response:
Reschke, et al. Expires March 18, 2025 [Page 6]
Internet-Draft The HTTP QUERY Method September 2024
QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: example/query
Accept: text/csv
select surname, givenname, email limit 10
Response:
HTTP/1.1 200 OK
Content-Type: text/csv
Content-Location: /contacts/responses/42
Location: /contacts/queries/17
surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net
A subsequent GET request on /contacts/responses/42 would return the
same response, until the server decides to remove that resource.
A GET request on /contacts/queries/17 however would execute the same
query again, and return a fresh result for that query:
GET /contacts/queries/17 HTTP/1.1
Host: example.org
Accept: text/csv
Response:
HTTP/1.1 200 OK
Content-Type: text/csv
Content-Location: /contacts/responses/43
surname, givenname, email
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net
4.3. Simple QUERY with indirect response (303 See Other)
A simple query with an Indirect Response (303 See Other):
Reschke, et al. Expires March 18, 2025 [Page 7]
Internet-Draft The HTTP QUERY Method September 2024
QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: example/query
Accept: text/csv
select surname, givenname, email limit 10
Response:
HTTP/1.1 303 See Other
Location: http://example.org/contacts/query123
Fetch Query Response:
GET /contacts/query123 HTTP/1.1
Host: example.org
Response:
HTTP/1.1 200 OK
Content-Type: text/csv
surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net
5. Security Considerations
The QUERY method is subject to the same general security
considerations as all HTTP methods as described in [HTTP].
The QUERY method can be used as an alternative to passing query
information in the query portion of a URI. This is preferred in some
cases, as the URI is more likely to be logged than the request
content. If a server creates a temporary resource to represent the
results of a QUERY request (e.g., for use in the Location or Content-
Location field), the URI of this resource SHOULD NOT expose the
original request content in plaintext.
6. IANA Considerations
IANA is requested to add QUERY method in the permanent registry at
(see Section 16.1.1 of
[HTTP]).
Reschke, et al. Expires March 18, 2025 [Page 8]
Internet-Draft The HTTP QUERY Method September 2024
+-------------+------+------------+---------------+
| Method Name | Safe | Idempotent | Specification |
+-------------+------+------------+---------------+
| QUERY | Yes | Yes | Section 2 |
+-------------+------+------------+---------------+
Table 1
7. Normative References
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022,
.
[HTTP-CACHING]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Caching", STD 98, RFC 9111,
DOI 10.17487/RFC9111, June 2022,
.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
Appendix A. Change Log
This section is to be removed before publishing as an RFC.
A.1. Since draft-ietf-httpbis-safe-method-w-body-00
o Use "example/query" media type instead of undefined "text/query"
()
o In Section 3, adjust the grammar to just define the field value
()
o Update to latest HTTP core spec, and adjust terminology
accordingly ()
o Reference RFC 8174 and markup bcp14 terms
()
Reschke, et al. Expires March 18, 2025 [Page 9]
Internet-Draft The HTTP QUERY Method September 2024
o Update HTTP reference ()
o Relax restriction of generic XML media type in request content
()
A.2. Since draft-ietf-httpbis-safe-method-w-body-01
o Add minimal description of cacheability
()
o Use "QUERY" as method name ()
o Update HTTP reference ()
A.3. Since draft-ietf-httpbis-safe-method-w-body-02
o In Section 3, slightly rephrase statement about significance of
ordering ()
o Throughout: use "content" instead of "payload" or "body"
()
o Updated references ()
A.4. Since draft-ietf-httpbis-safe-method-w-body-03
o In Section 3, clarify scope ()
A.5. Since draft-ietf-httpbis-safe-method-w-body-04
o Describe role of Content-Location and Location fields
()
o Added Mike Bishop as author ()
o Use "target URI" instead of "effective request URI"
()
Authors' Addresses
Reschke, et al. Expires March 18, 2025 [Page 10]
Internet-Draft The HTTP QUERY Method September 2024
Julian Reschke
greenbytes GmbH
Hafenweg 16
48155 Münster
Germany
Email: julian.reschke@greenbytes.de
URI: https://greenbytes.de/tech/webdav/
Ashok Malhotra
Email: malhotrasahib@gmail.com
James M Snell
Email: jasnell@gmail.com
Mike Bishop
Akamai
Email: mbishop@evequefou.be
Reschke, et al. Expires March 18, 2025 [Page 11]