frankenRFC723x_sem.txt | draft-ietf-httpbis-semantics-07.txt | |||
---|---|---|---|---|
Internet Engineering Task Force (IETF) R. Fielding, Ed. | HTTP Working Group R. Fielding, Ed. | |||
Request for Comments: 7231 Adobe | Internet-Draft Adobe | |||
Obsoletes: 2616 J. Reschke, Ed. | Obsoletes: M. Nottingham, Ed. | |||
Updates: 2817 greenbytes | 2818,7230,7231,7232,7233,7235 Fastly | |||
Category: Standards Track June 2014 | ,7538,7615 (if approved) J. Reschke, Ed. | |||
ISSN: 2070-1721 | Intended status: Standards Track greenbytes | |||
Expires: September 8, 2020 March 7, 2020 | ||||
Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content | HTTP Semantics | |||
draft-ietf-httpbis-semantics-07 | ||||
Abstract | Abstract | |||
The Hypertext Transfer Protocol (HTTP) is a stateless application- | The Hypertext Transfer Protocol (HTTP) is a stateless application- | |||
level protocol for distributed, collaborative, hypertext information | level protocol for distributed, collaborative, hypertext information | |||
systems. This document defines the semantics of HTTP/1.1 messages, | systems. This document defines the semantics of HTTP: its | |||
as expressed by request methods, request header fields, response | architecture, terminology, the "http" and "https" Uniform Resource | |||
status codes, and response header fields, along with the payload of | Identifier (URI) schemes, core request methods, request header | |||
messages (metadata and body content) and mechanisms for content | fields, response status codes, response header fields, and content | |||
negotiation. | negotiation. | |||
This document obsoletes RFC 2818, RFC 7231, RFC 7232, RFC 7233, RFC | ||||
7235, RFC 7538, RFC 7615, and portions of RFC 7230. | ||||
Editorial Note | Editorial Note | |||
This note is not in the original RFC. | This note is to be removed before publishing as an RFC. | |||
The purpose of this document is to produce diffs that show just the | Discussion of this draft takes place on the HTTP working group | |||
changes from text in the original RFCs that were input for http-core. | mailing list (ietf-http-wg@w3.org), which is archived at | |||
Hence, the frankenRFC documents show all of the original text (including | <https://lists.w3.org/Archives/Public/ietf-http-wg/>. | |||
stuff that has been deleted) plus some new text [in brackets] to anchor | ||||
context, rearranged to minimize the resulting diffs when compared to the | ||||
most recently published version of draft-ietf-httpbis-semantics. | ||||
After this document is updated to match any reorg changes in the latest | Working Group information can be found at <https://httpwg.org/>; | |||
version, the franken diffs are saved and published in this directory as | source code and issues list for this draft can be found at | |||
diff_semantics_frfc_to_NN.html (where NN is the I-D draft revision) | <https://github.com/httpwg/http-core>. | |||
The changes in this draft are summarized in Appendix C.8. | ||||
Status of This Memo | Status of This Memo | |||
This is an Internet Standards Track document. | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | ||||
This document is a product of the Internet Engineering Task Force | Internet-Drafts are working documents of the Internet Engineering | |||
(IETF). It represents the consensus of the IETF community. It has | Task Force (IETF). Note that other groups may also distribute | |||
received public review and has been approved for publication by the | working documents as Internet-Drafts. The list of current Internet- | |||
Internet Engineering Steering Group (IESG). Further information on | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet Standards is available in Section 2 of RFC 5741. | ||||
Information about the current status of this document, any errata, | Internet-Drafts are draft documents valid for a maximum of six months | |||
and how to provide feedback on it may be obtained at | and may be updated, replaced, or obsoleted by other documents at any | |||
http://www.rfc-editor.org/info/rfc7231. | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | ||||
This Internet-Draft will expire on September 8, 2020. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
This document may contain material from IETF Documents or IETF | This document may contain material from IETF Documents or IETF | |||
Contributions published or made publicly available before November | Contributions published or made publicly available before November | |||
10, 2008. The person(s) controlling the copyright in some of this | 10, 2008. The person(s) controlling the copyright in some of this | |||
skipping to change at line 79 ¶ | skipping to change at page 2, line 41 ¶ | |||
modifications of such material outside the IETF Standards Process. | modifications of such material outside the IETF Standards Process. | |||
Without obtaining an adequate license from the person(s) controlling | Without obtaining an adequate license from the person(s) controlling | |||
the copyright in such materials, this document may not be modified | the copyright in such materials, this document may not be modified | |||
outside the IETF Standards Process, and derivative works of it may | outside the IETF Standards Process, and derivative works of it may | |||
not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
than English. | than English. | |||
Table of Contents | Table of Contents | |||
1. Introduction ....................................................6 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
1.1. Conformance and Error Handling .............................6 | 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 9 | |||
1.2. Syntax Notation ............................................6 | 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 10 | |||
2. Resources .......................................................7 | 1.2.1. Whitespace . . . . . . . . . . . . . . . . . . . . . 10 | |||
3. Representations .................................................7 | 2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
3.1. Representation Metadata ....................................8 | 2.1. Client/Server Messaging . . . . . . . . . . . . . . . . . 11 | |||
3.1.1. Processing Representation Data ......................8 | 2.2. Intermediaries . . . . . . . . . . . . . . . . . . . . . 13 | |||
3.1.2. Encoding for Compression or Integrity ..............11 | 2.3. Caches . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
3.1.3. Audience Language ..................................13 | 2.4. Uniform Resource Identifiers . . . . . . . . . . . . . . 16 | |||
3.1.4. Identification .....................................14 | 2.5. Resources . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
3.2. Representation Data .......................................17 | 2.5.1. http URI Scheme . . . . . . . . . . . . . . . . . . . 17 | |||
3.3. Payload Semantics .........................................17 | 2.5.2. https URI Scheme . . . . . . . . . . . . . . . . . . 18 | |||
3.4. Content Negotiation .......................................18 | 2.5.3. http and https URI Normalization and Comparison . . . 19 | |||
3.4.1. Proactive Negotiation ..............................19 | 2.5.4. Deprecated userinfo . . . . . . . . . . . . . . . . . 19 | |||
3.4.2. Reactive Negotiation ...............................20 | 2.5.5. Fragment Identifiers on http(s) URI References . . . 20 | |||
4. Request Methods ................................................21 | 3. Conformance . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
4.1. Overview ..................................................21 | 3.1. Implementation Diversity . . . . . . . . . . . . . . . . 20 | |||
4.2. Common Method Properties ..................................22 | 3.2. Role-based Requirements . . . . . . . . . . . . . . . . . 21 | |||
4.2.1. Safe Methods .......................................22 | 3.3. Parsing Elements . . . . . . . . . . . . . . . . . . . . 21 | |||
4.2.2. Idempotent Methods .................................23 | 3.4. Error Handling . . . . . . . . . . . . . . . . . . . . . 22 | |||
4.2.3. Cacheable Methods ..................................24 | 3.5. Protocol Versioning . . . . . . . . . . . . . . . . . . . 22 | |||
4.3. Method Definitions ........................................24 | 4. Header and Trailer Fields . . . . . . . . . . . . . . . . . . 24 | |||
4.3.1. GET ................................................24 | 4.1. Field Ordering and Combination . . . . . . . . . . . . . 25 | |||
4.3.2. HEAD ...............................................25 | 4.2. Field Limits . . . . . . . . . . . . . . . . . . . . . . 26 | |||
4.3.3. POST ...............................................25 | 4.3. Field Names . . . . . . . . . . . . . . . . . . . . . . . 26 | |||
4.3.4. PUT ................................................26 | 4.3.1. Field Extensibility . . . . . . . . . . . . . . . . . 27 | |||
4.3.5. DELETE .............................................29 | 4.3.2. Field Name Registry . . . . . . . . . . . . . . . . . 27 | |||
4.3.6. CONNECT ............................................30 | 4.4. Field Values . . . . . . . . . . . . . . . . . . . . . . 28 | |||
4.3.7. OPTIONS ............................................31 | 4.4.1. Common Field Value Components . . . . . . . . . . . . 30 | |||
4.3.8. TRACE ..............................................32 | 4.5. ABNF List Extension: #rule . . . . . . . . . . . . . . . 31 | |||
5. Request Header Fields ..........................................33 | 4.5.1. Sender Requirements . . . . . . . . . . . . . . . . . 31 | |||
5.1. Controls ..................................................33 | 4.5.2. Recipient Requirements . . . . . . . . . . . . . . . 32 | |||
5.1.1. Expect .............................................34 | 4.6. Trailer Fields . . . . . . . . . . . . . . . . . . . . . 32 | |||
5.1.2. Max-Forwards .......................................36 | 4.6.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 33 | |||
5.2. Conditionals ..............................................36 | 4.6.2. Limitations . . . . . . . . . . . . . . . . . . . . . 33 | |||
5.3. Content Negotiation .......................................37 | 4.6.3. Trailer . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
5.3.1. Quality Values .....................................37 | 4.7. Considerations for New HTTP Fields . . . . . . . . . . . 34 | |||
5.3.2. Accept .............................................38 | 4.8. Fields Defined In This Document . . . . . . . . . . . . . 35 | |||
5.3.3. Accept-Charset .....................................40 | 5. Message Routing . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
5.3.4. Accept-Encoding ....................................41 | 5.1. Identifying a Target Resource . . . . . . . . . . . . . . 37 | |||
5.3.5. Accept-Language ....................................42 | 5.2. Determining Origin . . . . . . . . . . . . . . . . . . . 37 | |||
5.4. Authentication Credentials ................................44 | 5.3. Routing Inbound . . . . . . . . . . . . . . . . . . . . . 38 | |||
5.5. Request Context ...........................................44 | 5.4. Direct Authoritative Access . . . . . . . . . . . . . . . 38 | |||
5.5.1. From ...............................................44 | 5.4.1. http origins . . . . . . . . . . . . . . . . . . . . 38 | |||
5.5.2. Referer ............................................45 | 5.4.2. https origins . . . . . . . . . . . . . . . . . . . . 39 | |||
5.5.3. User-Agent .........................................46 | 5.4.3. Initiating HTTP Over TLS . . . . . . . . . . . . . . 41 | |||
6. Response Status Codes ..........................................47 | 5.5. Effective Request URI . . . . . . . . . . . . . . . . . . 43 | |||
6.1. Overview of Status Codes ..................................48 | 5.6. Host . . . . . . . . . . . . . . . . . . . . . . . . . . 43 | |||
6.2. Informational 1xx .........................................50 | 5.7. Message Forwarding . . . . . . . . . . . . . . . . . . . 44 | |||
6.2.1. 100 Continue .......................................50 | 5.7.1. Via . . . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
6.2.2. 101 Switching Protocols ............................50 | 5.7.2. Transformations . . . . . . . . . . . . . . . . . . . 47 | |||
6.3. Successful 2xx ............................................51 | 6. Representations . . . . . . . . . . . . . . . . . . . . . . . 48 | |||
6.3.1. 200 OK .............................................51 | 6.1. Representation Data . . . . . . . . . . . . . . . . . . . 48 | |||
6.3.2. 201 Created ........................................52 | 6.1.1. Media Type . . . . . . . . . . . . . . . . . . . . . 49 | |||
6.3.3. 202 Accepted .......................................52 | 6.1.2. Content Codings . . . . . . . . . . . . . . . . . . . 51 | |||
6.3.4. 203 Non-Authoritative Information ..................52 | 6.1.3. Language Tags . . . . . . . . . . . . . . . . . . . . 53 | |||
6.3.5. 204 No Content .....................................53 | 6.1.4. Range Units . . . . . . . . . . . . . . . . . . . . . 54 | |||
6.3.6. 205 Reset Content ..................................53 | 6.2. Representation Metadata . . . . . . . . . . . . . . . . . 58 | |||
6.4. Redirection 3xx ...........................................54 | 6.2.1. Content-Type . . . . . . . . . . . . . . . . . . . . 58 | |||
6.4.1. 300 Multiple Choices ...............................55 | 6.2.2. Content-Encoding . . . . . . . . . . . . . . . . . . 59 | |||
6.4.2. 301 Moved Permanently ..............................56 | 6.2.3. Content-Language . . . . . . . . . . . . . . . . . . 60 | |||
6.4.3. 302 Found ..........................................56 | 6.2.4. Content-Length . . . . . . . . . . . . . . . . . . . 61 | |||
6.4.4. 303 See Other ......................................57 | 6.2.5. Content-Location . . . . . . . . . . . . . . . . . . 62 | |||
6.4.5. 305 Use Proxy ......................................58 | 6.3. Payload . . . . . . . . . . . . . . . . . . . . . . . . . 64 | |||
6.4.6. 306 (Unused) .......................................58 | 6.3.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 64 | |||
6.4.7. 307 Temporary Redirect .............................58 | 6.3.2. Identification . . . . . . . . . . . . . . . . . . . 65 | |||
6.5. Client Error 4xx ..........................................58 | 6.3.3. Payload Body . . . . . . . . . . . . . . . . . . . . 66 | |||
6.5.1. 400 Bad Request ....................................58 | 6.3.4. Content-Range . . . . . . . . . . . . . . . . . . . . 66 | |||
6.5.2. 402 Payment Required ...............................59 | 6.3.5. Media Type multipart/byteranges . . . . . . . . . . . 68 | |||
6.5.3. 403 Forbidden ......................................59 | 6.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 70 | |||
6.5.4. 404 Not Found ......................................59 | 6.4.1. Proactive Negotiation . . . . . . . . . . . . . . . . 71 | |||
6.5.5. 405 Method Not Allowed .............................59 | 6.4.2. Reactive Negotiation . . . . . . . . . . . . . . . . 72 | |||
6.5.6. 406 Not Acceptable .................................60 | 7. Request Methods . . . . . . . . . . . . . . . . . . . . . . . 73 | |||
6.5.7. 408 Request Timeout ................................60 | 7.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 73 | |||
6.5.8. 409 Conflict .......................................60 | 7.2. Common Method Properties . . . . . . . . . . . . . . . . 74 | |||
6.5.9. 410 Gone ...........................................60 | 7.2.1. Safe Methods . . . . . . . . . . . . . . . . . . . . 75 | |||
6.5.10. 411 Length Required ...............................61 | 7.2.2. Idempotent Methods . . . . . . . . . . . . . . . . . 76 | |||
6.5.11. 413 Payload Too Large .............................61 | 7.2.3. Methods and Caching . . . . . . . . . . . . . . . . . 77 | |||
6.5.12. 414 URI Too Long ..................................61 | 7.3. Method Definitions . . . . . . . . . . . . . . . . . . . 77 | |||
6.5.13. 415 Unsupported Media Type ........................62 | 7.3.1. GET . . . . . . . . . . . . . . . . . . . . . . . . . 77 | |||
6.5.14. 417 Expectation Failed ............................62 | 7.3.2. HEAD . . . . . . . . . . . . . . . . . . . . . . . . 78 | |||
6.5.15. 426 Upgrade Required ..............................62 | 7.3.3. POST . . . . . . . . . . . . . . . . . . . . . . . . 79 | |||
6.6. Server Error 5xx ..........................................62 | 7.3.4. PUT . . . . . . . . . . . . . . . . . . . . . . . . . 80 | |||
6.6.1. 500 Internal Server Error ..........................63 | 7.3.5. DELETE . . . . . . . . . . . . . . . . . . . . . . . 82 | |||
6.6.2. 501 Not Implemented ................................63 | 7.3.6. CONNECT . . . . . . . . . . . . . . . . . . . . . . . 83 | |||
6.6.3. 502 Bad Gateway ....................................63 | 7.3.7. OPTIONS . . . . . . . . . . . . . . . . . . . . . . . 85 | |||
6.6.4. 503 Service Unavailable ............................63 | 7.3.8. TRACE . . . . . . . . . . . . . . . . . . . . . . . . 86 | |||
6.6.5. 504 Gateway Timeout ................................63 | 7.4. Method Extensibility . . . . . . . . . . . . . . . . . . 86 | |||
6.6.6. 505 HTTP Version Not Supported .....................64 | 7.4.1. Method Registry . . . . . . . . . . . . . . . . . . . 86 | |||
7. Response Header Fields .........................................64 | 7.4.2. Considerations for New Methods . . . . . . . . . . . 87 | |||
7.1. Control Data ..............................................64 | 8. Request Header Fields . . . . . . . . . . . . . . . . . . . . 87 | |||
7.1.1. Origination Date ...................................65 | 8.1. Controls . . . . . . . . . . . . . . . . . . . . . . . . 88 | |||
7.1.2. Location ...........................................68 | 8.1.1. Expect . . . . . . . . . . . . . . . . . . . . . . . 88 | |||
7.1.3. Retry-After ........................................69 | 8.1.2. Max-Forwards . . . . . . . . . . . . . . . . . . . . 90 | |||
7.1.4. Vary ...............................................70 | 8.2. Preconditions . . . . . . . . . . . . . . . . . . . . . . 91 | |||
7.2. Validator Header Fields ...................................71 | 8.2.1. Evaluation . . . . . . . . . . . . . . . . . . . . . 92 | |||
7.3. Authentication Challenges .................................72 | 8.2.2. Precedence . . . . . . . . . . . . . . . . . . . . . 93 | |||
7.4. Response Context ..........................................72 | 8.2.3. If-Match . . . . . . . . . . . . . . . . . . . . . . 95 | |||
7.4.1. Allow ..............................................72 | 8.2.4. If-None-Match . . . . . . . . . . . . . . . . . . . . 96 | |||
7.4.2. Server .............................................73 | 8.2.5. If-Modified-Since . . . . . . . . . . . . . . . . . . 97 | |||
8. IANA Considerations ............................................73 | 8.2.6. If-Unmodified-Since . . . . . . . . . . . . . . . . . 98 | |||
8.1. Method Registry ...........................................73 | 8.2.7. If-Range . . . . . . . . . . . . . . . . . . . . . . 100 | |||
8.1.1. Procedure ..........................................74 | 8.3. Range . . . . . . . . . . . . . . . . . . . . . . . . . . 101 | |||
8.1.2. Considerations for New Methods .....................74 | 8.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 102 | |||
8.1.3. Registrations ......................................75 | 8.4.1. Quality Values . . . . . . . . . . . . . . . . . . . 103 | |||
8.2. Status Code Registry ......................................75 | 8.4.2. Accept . . . . . . . . . . . . . . . . . . . . . . . 104 | |||
8.2.1. Procedure ..........................................75 | 8.4.3. Accept-Charset . . . . . . . . . . . . . . . . . . . 106 | |||
8.2.2. Considerations for New Status Codes ................76 | 8.4.4. Accept-Encoding . . . . . . . . . . . . . . . . . . . 107 | |||
8.2.3. Registrations ......................................76 | 8.4.5. Accept-Language . . . . . . . . . . . . . . . . . . . 108 | |||
8.3. Header Field Registry .....................................77 | 8.5. Authentication Credentials . . . . . . . . . . . . . . . 109 | |||
8.3.1. Considerations for New Header Fields ...............78 | 8.5.1. Challenge and Response . . . . . . . . . . . . . . . 109 | |||
8.3.2. Registrations ......................................80 | 8.5.2. Protection Space (Realm) . . . . . . . . . . . . . . 111 | |||
8.4. Content Coding Registry ...................................81 | 8.5.3. Authorization . . . . . . . . . . . . . . . . . . . . 112 | |||
8.4.1. Procedure ..........................................81 | 8.5.4. Proxy-Authorization . . . . . . . . . . . . . . . . . 112 | |||
8.4.2. Registrations ......................................81 | 8.5.5. Authentication Scheme Extensibility . . . . . . . . . 113 | |||
9. Security Considerations ........................................81 | 8.6. Request Context . . . . . . . . . . . . . . . . . . . . . 115 | |||
9.1. Attacks Based on File and Path Names ......................82 | 8.6.1. From . . . . . . . . . . . . . . . . . . . . . . . . 115 | |||
9.2. Attacks Based on Command, Code, or Query Injection ........82 | 8.6.2. Referer . . . . . . . . . . . . . . . . . . . . . . . 116 | |||
9.3. Disclosure of Personal Information ........................83 | 8.6.3. User-Agent . . . . . . . . . . . . . . . . . . . . . 117 | |||
9.4. Disclosure of Sensitive Information in URIs ...............83 | 9. Response Status Codes . . . . . . . . . . . . . . . . . . . . 118 | |||
9.5. Disclosure of Fragment after Redirects ....................84 | 9.1. Overview of Status Codes . . . . . . . . . . . . . . . . 119 | |||
9.6. Disclosure of Product Information .........................84 | 9.2. Informational 1xx . . . . . . . . . . . . . . . . . . . . 120 | |||
9.7. Browser Fingerprinting ....................................84 | 9.2.1. 100 Continue . . . . . . . . . . . . . . . . . . . . 121 | |||
10. Acknowledgments ...............................................85 | 9.2.2. 101 Switching Protocols . . . . . . . . . . . . . . . 121 | |||
11. References ....................................................85 | 9.3. Successful 2xx . . . . . . . . . . . . . . . . . . . . . 121 | |||
11.1. Normative References .....................................85 | 9.3.1. 200 OK . . . . . . . . . . . . . . . . . . . . . . . 121 | |||
11.2. Informative References ...................................86 | 9.3.2. 201 Created . . . . . . . . . . . . . . . . . . . . . 122 | |||
Appendix A. Differences between HTTP and MIME .....................89 | 9.3.3. 202 Accepted . . . . . . . . . . . . . . . . . . . . 122 | |||
A.1. MIME-Version ..............................................89 | 9.3.4. 203 Non-Authoritative Information . . . . . . . . . . 123 | |||
A.2. Conversion to Canonical Form ..............................89 | 9.3.5. 204 No Content . . . . . . . . . . . . . . . . . . . 123 | |||
A.3. Conversion of Date Formats ................................90 | 9.3.6. 205 Reset Content . . . . . . . . . . . . . . . . . . 124 | |||
A.4. Conversion of Content-Encoding ..........................90 | 9.3.7. 206 Partial Content . . . . . . . . . . . . . . . . . 124 | |||
A.5. Conversion of Content-Transfer-Encoding .................90 | 9.4. Redirection 3xx . . . . . . . . . . . . . . . . . . . . . 127 | |||
A.6. MHTML and Line Length Limitations .........................90 | 9.4.1. 300 Multiple Choices . . . . . . . . . . . . . . . . 129 | |||
Appendix B. Changes from RFC 2616 .................................91 | 9.4.2. 301 Moved Permanently . . . . . . . . . . . . . . . . 130 | |||
Appendix C. Imported ABNF .........................................93 | 9.4.3. 302 Found . . . . . . . . . . . . . . . . . . . . . . 130 | |||
Appendix D. Collected ABNF ........................................94 | 9.4.4. 303 See Other . . . . . . . . . . . . . . . . . . . . 131 | |||
Index .............................................................97 | 9.4.5. 304 Not Modified . . . . . . . . . . . . . . . . . . 131 | |||
9.4.6. 305 Use Proxy . . . . . . . . . . . . . . . . . . . . 132 | ||||
9.4.7. 306 (Unused) . . . . . . . . . . . . . . . . . . . . 132 | ||||
9.4.8. 307 Temporary Redirect . . . . . . . . . . . . . . . 132 | ||||
9.4.9. 308 Permanent Redirect . . . . . . . . . . . . . . . 133 | ||||
9.5. Client Error 4xx . . . . . . . . . . . . . . . . . . . . 133 | ||||
9.5.1. 400 Bad Request . . . . . . . . . . . . . . . . . . . 133 | ||||
9.5.2. 401 Unauthorized . . . . . . . . . . . . . . . . . . 133 | ||||
9.5.3. 402 Payment Required . . . . . . . . . . . . . . . . 134 | ||||
9.5.4. 403 Forbidden . . . . . . . . . . . . . . . . . . . . 134 | ||||
9.5.5. 404 Not Found . . . . . . . . . . . . . . . . . . . . 134 | ||||
9.5.6. 405 Method Not Allowed . . . . . . . . . . . . . . . 135 | ||||
9.5.7. 406 Not Acceptable . . . . . . . . . . . . . . . . . 135 | ||||
9.5.8. 407 Proxy Authentication Required . . . . . . . . . . 135 | ||||
9.5.9. 408 Request Timeout . . . . . . . . . . . . . . . . . 135 | ||||
9.5.10. 409 Conflict . . . . . . . . . . . . . . . . . . . . 136 | ||||
9.5.11. 410 Gone . . . . . . . . . . . . . . . . . . . . . . 136 | ||||
9.5.12. 411 Length Required . . . . . . . . . . . . . . . . . 136 | ||||
9.5.13. 412 Precondition Failed . . . . . . . . . . . . . . . 137 | ||||
9.5.14. 413 Payload Too Large . . . . . . . . . . . . . . . . 137 | ||||
9.5.15. 414 URI Too Long . . . . . . . . . . . . . . . . . . 137 | ||||
9.5.16. 415 Unsupported Media Type . . . . . . . . . . . . . 137 | ||||
9.5.17. 416 Range Not Satisfiable . . . . . . . . . . . . . . 138 | ||||
9.5.18. 417 Expectation Failed . . . . . . . . . . . . . . . 138 | ||||
9.5.19. 418 (Unused) . . . . . . . . . . . . . . . . . . . . 138 | ||||
9.5.20. 422 Unprocessable Payload . . . . . . . . . . . . . . 139 | ||||
9.5.21. 426 Upgrade Required . . . . . . . . . . . . . . . . 139 | ||||
9.6. Server Error 5xx . . . . . . . . . . . . . . . . . . . . 139 | ||||
9.6.1. 500 Internal Server Error . . . . . . . . . . . . . . 140 | ||||
9.6.2. 501 Not Implemented . . . . . . . . . . . . . . . . . 140 | ||||
9.6.3. 502 Bad Gateway . . . . . . . . . . . . . . . . . . . 140 | ||||
9.6.4. 503 Service Unavailable . . . . . . . . . . . . . . . 140 | ||||
9.6.5. 504 Gateway Timeout . . . . . . . . . . . . . . . . . 140 | ||||
9.6.6. 505 HTTP Version Not Supported . . . . . . . . . . . 140 | ||||
9.7. Status Code Extensibility . . . . . . . . . . . . . . . . 141 | ||||
9.7.1. Status Code Registry . . . . . . . . . . . . . . . . 141 | ||||
9.7.2. Considerations for New Status Codes . . . . . . . . . 141 | ||||
10. Response Header Fields . . . . . . . . . . . . . . . . . . . 142 | ||||
10.1. Control Data . . . . . . . . . . . . . . . . . . . . . . 142 | ||||
10.1.1. Origination Date . . . . . . . . . . . . . . . . . . 143 | ||||
10.1.2. Location . . . . . . . . . . . . . . . . . . . . . . 146 | ||||
10.1.3. Retry-After . . . . . . . . . . . . . . . . . . . . 147 | ||||
10.1.4. Vary . . . . . . . . . . . . . . . . . . . . . . . . 147 | ||||
10.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 149 | ||||
10.2.1. Weak versus Strong . . . . . . . . . . . . . . . . . 150 | ||||
10.2.2. Last-Modified . . . . . . . . . . . . . . . . . . . 151 | ||||
10.2.3. ETag . . . . . . . . . . . . . . . . . . . . . . . . 153 | ||||
10.2.4. When to Use Entity-Tags and Last-Modified Dates . . 157 | ||||
10.3. Authentication Challenges . . . . . . . . . . . . . . . 157 | ||||
10.3.1. WWW-Authenticate . . . . . . . . . . . . . . . . . . 158 | ||||
10.3.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . 159 | ||||
10.3.3. Authentication-Info . . . . . . . . . . . . . . . . 159 | ||||
10.3.4. Proxy-Authentication-Info . . . . . . . . . . . . . 160 | ||||
10.4. Response Context . . . . . . . . . . . . . . . . . . . . 161 | ||||
10.4.1. Accept-Ranges . . . . . . . . . . . . . . . . . . . 161 | ||||
10.4.2. Allow . . . . . . . . . . . . . . . . . . . . . . . 161 | ||||
10.4.3. Server . . . . . . . . . . . . . . . . . . . . . . . 162 | ||||
11. Security Considerations . . . . . . . . . . . . . . . . . . . 163 | ||||
11.1. Establishing Authority . . . . . . . . . . . . . . . . . 163 | ||||
11.2. Risks of Intermediaries . . . . . . . . . . . . . . . . 164 | ||||
11.3. Attacks Based on File and Path Names . . . . . . . . . . 165 | ||||
11.4. Attacks Based on Command, Code, or Query Injection . . . 165 | ||||
11.5. Attacks via Protocol Element Length . . . . . . . . . . 166 | ||||
11.6. Disclosure of Personal Information . . . . . . . . . . . 166 | ||||
11.7. Privacy of Server Log Information . . . . . . . . . . . 166 | ||||
11.8. Disclosure of Sensitive Information in URIs . . . . . . 167 | ||||
11.9. Disclosure of Fragment after Redirects . . . . . . . . . 167 | ||||
11.10. Disclosure of Product Information . . . . . . . . . . . 168 | ||||
11.11. Browser Fingerprinting . . . . . . . . . . . . . . . . . 168 | ||||
11.12. Validator Retention . . . . . . . . . . . . . . . . . . 169 | ||||
11.13. Denial-of-Service Attacks Using Range . . . . . . . . . 170 | ||||
11.14. Authentication Considerations . . . . . . . . . . . . . 170 | ||||
11.14.1. Confidentiality of Credentials . . . . . . . . . . 170 | ||||
11.14.2. Credentials and Idle Clients . . . . . . . . . . . 171 | ||||
11.14.3. Protection Spaces . . . . . . . . . . . . . . . . . 171 | ||||
11.14.4. Additional Response Fields . . . . . . . . . . . . 172 | ||||
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 172 | ||||
12.1. URI Scheme Registration . . . . . . . . . . . . . . . . 172 | ||||
12.2. Method Registration . . . . . . . . . . . . . . . . . . 172 | ||||
12.3. Status Code Registration . . . . . . . . . . . . . . . . 172 | ||||
12.4. HTTP Field Name Registration . . . . . . . . . . . . . . 173 | ||||
12.5. Authentication Scheme Registration . . . . . . . . . . . 173 | ||||
12.6. Content Coding Registration . . . . . . . . . . . . . . 173 | ||||
12.7. Range Unit Registration . . . . . . . . . . . . . . . . 174 | ||||
12.8. Media Type Registration . . . . . . . . . . . . . . . . 174 | ||||
12.9. Port Registration . . . . . . . . . . . . . . . . . . . 174 | ||||
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 174 | ||||
13.1. Normative References . . . . . . . . . . . . . . . . . . 174 | ||||
13.2. Informative References . . . . . . . . . . . . . . . . . 176 | ||||
Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 182 | ||||
Appendix B. Changes from previous RFCs . . . . . . . . . . . . . 186 | ||||
B.1. Changes from RFC 2818 . . . . . . . . . . . . . . . . . . 186 | ||||
B.2. Changes from RFC 7230 . . . . . . . . . . . . . . . . . . 186 | ||||
B.3. Changes from RFC 7231 . . . . . . . . . . . . . . . . . . 187 | ||||
B.4. Changes from RFC 7232 . . . . . . . . . . . . . . . . . . 188 | ||||
B.5. Changes from RFC 7233 . . . . . . . . . . . . . . . . . . 188 | ||||
B.6. Changes from RFC 7235 . . . . . . . . . . . . . . . . . . 188 | ||||
B.7. Changes from RFC 7538 . . . . . . . . . . . . . . . . . . 188 | ||||
B.8. Changes from RFC 7615 . . . . . . . . . . . . . . . . . . 188 | ||||
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 188 | ||||
C.1. Between RFC723x and draft 00 . . . . . . . . . . . . . . 188 | ||||
C.2. Since draft-ietf-httpbis-semantics-00 . . . . . . . . . . 189 | ||||
C.3. Since draft-ietf-httpbis-semantics-01 . . . . . . . . . . 189 | ||||
C.4. Since draft-ietf-httpbis-semantics-02 . . . . . . . . . . 191 | ||||
C.5. Since draft-ietf-httpbis-semantics-03 . . . . . . . . . . 192 | ||||
C.6. Since draft-ietf-httpbis-semantics-04 . . . . . . . . . . 192 | ||||
C.7. Since draft-ietf-httpbis-semantics-05 . . . . . . . . . . 193 | ||||
C.8. Since draft-ietf-httpbis-semantics-06 . . . . . . . . . . 194 | ||||
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 | ||||
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 205 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 206 | ||||
1. Introduction | 1. Introduction | |||
The Hypertext Transfer Protocol (HTTP) is a stateless application- | ||||
level request/response protocol that uses extensible semantics and | ||||
self-descriptive messages for flexible interaction with network-based | ||||
hypertext information systems. HTTP is defined by a series of | ||||
documents that collectively form the HTTP/1.1 specification: | ||||
o "HTTP Semantics" (this document) | ||||
o "HTTP Caching" [Caching] | ||||
o "HTTP/1.1 Messaging" [Messaging] | ||||
HTTP is a generic interface protocol for information systems. It is | HTTP is a generic interface protocol for information systems. It is | |||
designed to hide the details of how a service is implemented by | designed to hide the details of how a service is implemented by | |||
presenting a uniform interface to clients that is independent of the | presenting a uniform interface to clients that is independent of the | |||
types of resources provided. Likewise, servers do not need to be | types of resources provided. Likewise, servers do not need to be | |||
aware of each client's purpose: an HTTP request can be considered in | aware of each client's purpose: an HTTP request can be considered in | |||
isolation rather than being associated with a specific type of client | isolation rather than being associated with a specific type of client | |||
or a predetermined sequence of application steps. The result is a | or a predetermined sequence of application steps. The result is a | |||
protocol that can be used effectively in many different contexts and | protocol that can be used effectively in many different contexts and | |||
for which implementations can evolve independently over time. | for which implementations can evolve independently over time. | |||
skipping to change at line 247 ¶ | skipping to change at page 8, line 46 ¶ | |||
One consequence of this flexibility is that the protocol cannot be | One consequence of this flexibility is that the protocol cannot be | |||
defined in terms of what occurs behind the interface. Instead, we | defined in terms of what occurs behind the interface. Instead, we | |||
are limited to defining the syntax of communication, the intent of | are limited to defining the syntax of communication, the intent of | |||
received communication, and the expected behavior of recipients. If | received communication, and the expected behavior of recipients. If | |||
the communication is considered in isolation, then successful actions | the communication is considered in isolation, then successful actions | |||
ought to be reflected in corresponding changes to the observable | ought to be reflected in corresponding changes to the observable | |||
interface provided by servers. However, since multiple clients might | interface provided by servers. However, since multiple clients might | |||
act in parallel and perhaps at cross-purposes, we cannot require that | act in parallel and perhaps at cross-purposes, we cannot require that | |||
such changes be observable beyond the scope of a single response. | such changes be observable beyond the scope of a single response. | |||
Each Hypertext Transfer Protocol (HTTP) message is either a request | Each HTTP message is either a request or a response. A server | |||
or a response. A server listens on a connection for a request, | listens on a connection for a request, parses each message received, | |||
parses each message received, interprets the message semantics in | interprets the message semantics in relation to the identified | |||
relation to the identified request target, and responds to that | request target, and responds to that request with one or more | |||
request with one or more response messages. A client constructs | response messages. A client constructs request messages to | |||
request messages to communicate specific intentions, examines | communicate specific intentions, examines received responses to see | |||
received responses to see if the intentions were carried out, and | if the intentions were carried out, and determines how to interpret | |||
determines how to interpret the results. This document defines | the results. | |||
HTTP/1.1 request and response semantics in terms of the architecture | ||||
defined in [RFC7230]. | ||||
HTTP provides a uniform interface for interacting with a resource | HTTP provides a uniform interface for interacting with a resource | |||
(Section 2), regardless of its type, nature, or implementation, via | (Section 2.5), regardless of its type, nature, or implementation, via | |||
the manipulation and transfer of representations (Section 3). | the manipulation and transfer of representations (Section 6). | |||
HTTP semantics include the intentions defined by each request method | This document defines semantics that are common to all versions of | |||
(Section 4), extensions to those semantics that might be described in | HTTP. HTTP semantics include the intentions defined by each request | |||
request header fields (Section 5), the meaning of status codes to | method (Section 7), extensions to those semantics that might be | |||
indicate a machine-readable response (Section 6), and the meaning of | described in request header fields (Section 8), the meaning of status | |||
other control data and resource metadata that might be given in | codes to indicate a machine-readable response (Section 9), and the | |||
response header fields (Section 7). | meaning of other control data and resource metadata that might be | |||
given in response header fields (Section 10). | ||||
This document also defines representation metadata that describe how | This document also defines representation metadata that describe how | |||
a payload is intended to be interpreted by a recipient, the request | a payload is intended to be interpreted by a recipient, the request | |||
header fields that might influence content selection, and the various | header fields that might influence content selection, and the various | |||
selection algorithms that are collectively referred to as "content | selection algorithms that are collectively referred to as "content | |||
negotiation" (Section 3.4). | negotiation" (Section 6.4). | |||
This document defines HTTP/1.1 range requests, partial responses, and | This document defines HTTP range requests, partial responses, and the | |||
the multipart/byteranges media type. | multipart/byteranges media type. | |||
1.1. Conformance and Error Handling | This document obsoletes the portions of RFC 7230 that are independent | |||
of the HTTP/1.1 messaging syntax and connection management, with the | ||||
changes being summarized in Appendix B.2. The other parts of RFC | ||||
7230 are obsoleted by "HTTP/1.1 Messaging" [Messaging]. This | ||||
document also obsoletes RFC 2818 (see Appendix B.1), RFC 7231 (see | ||||
Appendix B.3), RFC 7232 (see Appendix B.4), RFC 7233 (see | ||||
Appendix B.5), RFC 7235 (see Appendix B.6), RFC 7538 (see | ||||
Appendix B.7), and RFC 7615 (see Appendix B.8). | ||||
1.1. Requirements Notation | ||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
document are to be interpreted as described in [RFC2119]. | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Conformance criteria and considerations regarding error handling are | Conformance criteria and considerations regarding error handling are | |||
defined in Section 2.5 of [RFC7230]. | defined in Section 3. | |||
1.2. Syntax Notation | 1.2. Syntax Notation | |||
This specification uses the Augmented Backus-Naur Form (ABNF) | This specification uses the Augmented Backus-Naur Form (ABNF) | |||
notation of [RFC5234] with a list extension, defined in Section 7 of | notation of [RFC5234], extended with the notation for case- | |||
[RFC7230], that allows for compact definition of comma-separated | sensitivity in strings defined in [RFC7405]. | |||
lists using a '#' operator (similar to how the '*' operator indicates | ||||
repetition). Appendix C describes rules imported from other | It also uses a list extension, defined in Section 4.5, that allows | |||
documents. Appendix D shows the collected grammar with all list | for compact definition of comma-separated lists using a '#' operator | |||
operators expanded to standard ABNF notation. | (similar to how the '*' operator indicates repetition). Appendix A | |||
shows the collected grammar with all list operators expanded to | ||||
standard ABNF notation. | ||||
As a convention, ABNF rule names prefixed with "obs-" denote | As a convention, ABNF rule names prefixed with "obs-" denote | |||
"obsolete" grammar rules that appear for historical reasons. | "obsolete" grammar rules that appear for historical reasons. | |||
The following core rules are included by reference, as defined in | The following core rules are included by reference, as defined in | |||
Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return), | Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return), | |||
CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double | CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double | |||
quote), HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF | quote), HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF | |||
(line feed), OCTET (any 8-bit sequence of data), SP (space), and | (line feed), OCTET (any 8-bit sequence of data), SP (space), and | |||
VCHAR (any visible US-ASCII character). | VCHAR (any visible US-ASCII character). | |||
Section 4.4.1 defines some generic syntactic components for field | ||||
values. | ||||
The rules below are defined in [Messaging]: | ||||
obs-fold = <obs-fold, see [Messaging], Section 5.2> | ||||
protocol-name = <protocol-name, see [Messaging], Section 9.9> | ||||
protocol-version = <protocol-version, see [Messaging], Section 9.9> | ||||
request-target = <request-target, see [Messaging], Section 3.2> | ||||
This specification uses the terms "character", "character encoding | This specification uses the terms "character", "character encoding | |||
scheme", "charset", and "protocol element" as they are defined in | scheme", "charset", and "protocol element" as they are defined in | |||
[RFC6365]. | [RFC6365]. | |||
3.2.3. Whitespace | 1.2.1. Whitespace | |||
This specification uses three rules to denote the use of linear | This specification uses three rules to denote the use of linear | |||
whitespace: OWS (optional whitespace), RWS (required whitespace), and | whitespace: OWS (optional whitespace), RWS (required whitespace), and | |||
BWS ("bad" whitespace). | BWS ("bad" whitespace). | |||
The OWS rule is used where zero or more linear whitespace octets | The OWS rule is used where zero or more linear whitespace octets | |||
might appear. For protocol elements where optional whitespace is | might appear. For protocol elements where optional whitespace is | |||
preferred to improve readability, a sender SHOULD generate the | preferred to improve readability, a sender SHOULD generate the | |||
optional whitespace as a single SP; otherwise, a sender SHOULD NOT | optional whitespace as a single SP; otherwise, a sender SHOULD NOT | |||
generate optional whitespace except as needed to white out invalid or | generate optional whitespace except as needed to white out invalid or | |||
unwanted protocol elements during in-place message filtering. | unwanted protocol elements during in-place message filtering. | |||
The RWS rule is used when at least one linear whitespace octet is | The RWS rule is used when at least one linear whitespace octet is | |||
required to separate field tokens. A sender SHOULD generate RWS as a | required to separate field tokens. A sender SHOULD generate RWS as a | |||
single SP. | single SP. | |||
OWS and RWS have the same semantics as a single SP. Any content | ||||
known to be defined as OWS or RWS MAY be replaced with a single SP | ||||
before interpreting it or forwarding the message downstream. | ||||
The BWS rule is used where the grammar allows optional whitespace | The BWS rule is used where the grammar allows optional whitespace | |||
only for historical reasons. A sender MUST NOT generate BWS in | only for historical reasons. A sender MUST NOT generate BWS in | |||
messages. A recipient MUST parse for such bad whitespace and remove | messages. A recipient MUST parse for such bad whitespace and remove | |||
it before interpreting the protocol element. | it before interpreting the protocol element. | |||
BWS has no semantics. Any content known to be defined as BWS MAY be | ||||
removed before interpreting it or forwarding the message downstream. | ||||
OWS = *( SP / HTAB ) | OWS = *( SP / HTAB ) | |||
; optional whitespace | ; optional whitespace | |||
RWS = 1*( SP / HTAB ) | RWS = 1*( SP / HTAB ) | |||
; required whitespace | ; required whitespace | |||
BWS = OWS | BWS = OWS | |||
; "bad" whitespace | ; "bad" whitespace | |||
2. Architecture | 2. Architecture | |||
HTTP was created for the World Wide Web (WWW) architecture and has | HTTP was created for the World Wide Web (WWW) architecture and has | |||
evolved over time to support the scalability needs of a worldwide | evolved over time to support the scalability needs of a worldwide | |||
hypertext system. Much of that architecture is reflected in the | hypertext system. Much of that architecture is reflected in the | |||
terminology and syntax productions used to define HTTP. | terminology and syntax productions used to define HTTP. | |||
2.1. Client/Server Messaging | 2.1. Client/Server Messaging | |||
HTTP is a stateless request/response protocol that operates by | HTTP is a stateless request/response protocol that operates by | |||
exchanging messages (Section 3) across a reliable transport- or | exchanging messages (Section 2 of [Messaging]) across a reliable | |||
session-layer "connection" (Section 6). An HTTP "client" is a | transport- or session-layer "connection" (Section 9 of [Messaging]). | |||
program that establishes a connection to a server for the purpose of | An HTTP "client" is a program that establishes a connection to a | |||
sending one or more HTTP requests. An HTTP "server" is a program | server for the purpose of sending one or more HTTP requests. An HTTP | |||
that accepts connections in order to service HTTP requests by sending | "server" is a program that accepts connections in order to service | |||
HTTP responses. | HTTP requests by sending HTTP responses. | |||
The terms "client" and "server" refer only to the roles that these | The terms "client" and "server" refer only to the roles that these | |||
programs perform for a particular connection. The same program might | programs perform for a particular connection. The same program might | |||
act as a client on some connections and a server on others. The term | act as a client on some connections and a server on others. The term | |||
"user agent" refers to any of the various client programs that | "user agent" refers to any of the various client programs that | |||
initiate a request, including (but not limited to) browsers, spiders | initiate a request, including (but not limited to) browsers, spiders | |||
(web-based robots), command-line tools, custom applications, and | (web-based robots), command-line tools, custom applications, and | |||
mobile apps. The term "origin server" refers to the program that can | mobile apps. The term "origin server" refers to the program that can | |||
originate authoritative responses for a given target resource. The | originate authoritative responses for a given target resource. The | |||
terms "sender" and "recipient" refer to any implementation that sends | terms "sender" and "recipient" refer to any implementation that sends | |||
or receives a given message, respectively. | or receives a given message, respectively. | |||
HTTP relies upon the Uniform Resource Identifier (URI) standard | HTTP relies upon the Uniform Resource Identifier (URI) standard | |||
[RFC3986] to indicate the target resource (Section 5.1) and | [RFC3986] to indicate the target resource (Section 5.1) and | |||
relationships between resources. Messages are passed in a format | relationships between resources. | |||
similar to that used by Internet mail [RFC5322] and the Multipurpose | ||||
Internet Mail Extensions (MIME) [RFC2045] (see Appendix A of | ||||
[RFC7231] for the differences between HTTP and MIME messages). | ||||
Most HTTP communication consists of a retrieval request (GET) for a | Most HTTP communication consists of a retrieval request (GET) for a | |||
representation of some resource identified by a URI. In the simplest | representation of some resource identified by a URI. In the simplest | |||
case, this might be accomplished via a single bidirectional | case, this might be accomplished via a single bidirectional | |||
connection (===) between the user agent (UA) and the origin | connection (===) between the user agent (UA) and the origin server | |||
server (O). | (O). | |||
request > | request > | |||
UA ======================================= O | UA ======================================= O | |||
< response | < response | |||
Each major version of HTTP defines its own syntax for the inclusion | ||||
of information in messages. Nevertheless, a common abstraction is | ||||
that a message includes some form of envelope/framing, a potential | ||||
set of named fields up front (a header section), a potential body, | ||||
and a potential following set of named fields (a trailer section). | ||||
A client sends an HTTP request to a server in the form of a request | A client sends an HTTP request to a server in the form of a request | |||
message, beginning with a request-line that includes a method, URI, | message, beginning with a method (Section 7) and URI, followed by | |||
and protocol version (Section 3.1.1), followed by header fields | header fields containing request modifiers, client information, and | |||
containing request modifiers, client information, and representation | representation metadata (Section 4), and finally a payload body (if | |||
metadata (Section 3.2), an empty line to indicate the end of the | any, Section 6.3.3). | |||
header section, and finally a message body containing the payload | ||||
body (if any, Section 3.3). | ||||
A server responds to a client's request by sending one or more HTTP | A server responds to a client's request by sending one or more HTTP | |||
response messages, each beginning with a status line that includes | response messages, each beginning with a success or error code | |||
the protocol version, a success or error code, and textual reason | (Section 9), possibly followed by header fields containing server | |||
phrase (Section 3.1.2), possibly followed by header fields containing | information, resource metadata, and representation metadata | |||
server information, resource metadata, and representation metadata | (Section 4), and finally a payload body (if any, Section 6.3.3). | |||
(Section 3.2), an empty line to indicate the end of the header | ||||
section, and finally a message body containing the payload body (if | ||||
any, Section 3.3). | ||||
A connection might be used for multiple request/response exchanges, | A connection might be used for multiple request/response exchanges. | |||
as defined in Section 6.3. | The mechanism used to correlate between request and response messages | |||
is version dependent; some versions of HTTP use implicit ordering of | ||||
messages, while others use an explicit identifier. | ||||
Responses (both final and interim) can be sent at any time after a | ||||
request is received, even if it is not yet complete. However, | ||||
clients (including intermediaries) might abandon a request if the | ||||
response is not forthcoming within a reasonable period of time. | ||||
The following example illustrates a typical message exchange for a | The following example illustrates a typical message exchange for a | |||
GET request (Section 4.3.1 of [RFC7231]) on the URI | GET request (Section 7.3.1) on the URI "http://www.example.com/ | |||
"http://www.example.com/hello.txt": | hello.txt": | |||
Client request: | Client request: | |||
GET /hello.txt HTTP/1.1 | GET /hello.txt HTTP/1.1 | |||
User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 | User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 | |||
Host: www.example.com | Host: www.example.com | |||
Accept-Language: en, mi | Accept-Language: en, mi | |||
Server response: | Server response: | |||
skipping to change at line 430 ¶ | skipping to change at page 13, line 26 ¶ | |||
Server: Apache | Server: Apache | |||
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT | Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT | |||
ETag: "34aa387-d-1568eb00" | ETag: "34aa387-d-1568eb00" | |||
Accept-Ranges: bytes | Accept-Ranges: bytes | |||
Content-Length: 51 | Content-Length: 51 | |||
Vary: Accept-Encoding | Vary: Accept-Encoding | |||
Content-Type: text/plain | Content-Type: text/plain | |||
Hello World! My payload includes a trailing CRLF. | Hello World! My payload includes a trailing CRLF. | |||
2.3. Intermediaries | 2.2. Intermediaries | |||
HTTP enables the use of intermediaries to satisfy requests through a | HTTP enables the use of intermediaries to satisfy requests through a | |||
chain of connections. There are three common forms of HTTP | chain of connections. There are three common forms of HTTP | |||
intermediary: proxy, gateway, and tunnel. In some cases, a single | intermediary: proxy, gateway, and tunnel. In some cases, a single | |||
intermediary might act as an origin server, proxy, gateway, or | intermediary might act as an origin server, proxy, gateway, or | |||
tunnel, switching behavior based on the nature of each request. | tunnel, switching behavior based on the nature of each request. | |||
> > > > | > > > > | |||
UA =========== A =========== B =========== C =========== O | UA =========== A =========== B =========== C =========== O | |||
< < < < | < < < < | |||
skipping to change at line 498 ¶ | skipping to change at page 14, line 47 ¶ | |||
However, an HTTP-to-HTTP gateway that wishes to interoperate with | However, an HTTP-to-HTTP gateway that wishes to interoperate with | |||
third-party HTTP servers ought to conform to user agent requirements | third-party HTTP servers ought to conform to user agent requirements | |||
on the gateway's inbound connection. | on the gateway's inbound connection. | |||
A "tunnel" acts as a blind relay between two connections without | A "tunnel" acts as a blind relay between two connections without | |||
changing the messages. Once active, a tunnel is not considered a | changing the messages. Once active, a tunnel is not considered a | |||
party to the HTTP communication, though the tunnel might have been | party to the HTTP communication, though the tunnel might have been | |||
initiated by an HTTP request. A tunnel ceases to exist when both | initiated by an HTTP request. A tunnel ceases to exist when both | |||
ends of the relayed connection are closed. Tunnels are used to | ends of the relayed connection are closed. Tunnels are used to | |||
extend a virtual connection through an intermediary, such as when | extend a virtual connection through an intermediary, such as when | |||
Transport Layer Security (TLS, [RFC5246]) is used to establish | Transport Layer Security (TLS, [RFC8446]) is used to establish | |||
confidential communication through a shared firewall proxy. | confidential communication through a shared firewall proxy. | |||
The above categories for intermediary only consider those acting as | The above categories for intermediary only consider those acting as | |||
participants in the HTTP communication. There are also | participants in the HTTP communication. There are also | |||
intermediaries that can act on lower layers of the network protocol | intermediaries that can act on lower layers of the network protocol | |||
stack, filtering or redirecting HTTP traffic without the knowledge or | stack, filtering or redirecting HTTP traffic without the knowledge or | |||
permission of message senders. Network intermediaries are | permission of message senders. Network intermediaries are | |||
indistinguishable (at a protocol level) from a man-in-the-middle | indistinguishable (at a protocol level) from a man-in-the-middle | |||
attack, often introducing security flaws or interoperability problems | attack, often introducing security flaws or interoperability problems | |||
due to mistakenly violating HTTP semantics. | due to mistakenly violating HTTP semantics. | |||
skipping to change at line 530 ¶ | skipping to change at page 15, line 30 ¶ | |||
HTTP is defined as a stateless protocol, meaning that each request | HTTP is defined as a stateless protocol, meaning that each request | |||
message can be understood in isolation. Many implementations depend | message can be understood in isolation. Many implementations depend | |||
on HTTP's stateless design in order to reuse proxied connections or | on HTTP's stateless design in order to reuse proxied connections or | |||
dynamically load balance requests across multiple servers. Hence, a | dynamically load balance requests across multiple servers. Hence, a | |||
server MUST NOT assume that two requests on the same connection are | server MUST NOT assume that two requests on the same connection are | |||
from the same user agent unless the connection is secured and | from the same user agent unless the connection is secured and | |||
specific to that agent. Some non-standard HTTP extensions (e.g., | specific to that agent. Some non-standard HTTP extensions (e.g., | |||
[RFC4559]) have been known to violate this requirement, resulting in | [RFC4559]) have been known to violate this requirement, resulting in | |||
security and interoperability problems. | security and interoperability problems. | |||
2.4. Caches | 2.3. Caches | |||
A "cache" is a local store of previous response messages and the | A "cache" is a local store of previous response messages and the | |||
subsystem that controls its message storage, retrieval, and deletion. | subsystem that controls its message storage, retrieval, and deletion. | |||
A cache stores cacheable responses in order to reduce the response | A cache stores cacheable responses in order to reduce the response | |||
time and network bandwidth consumption on future, equivalent | time and network bandwidth consumption on future, equivalent | |||
requests. Any client or server MAY employ a cache, though a cache | requests. Any client or server MAY employ a cache, though a cache | |||
cannot be used by a server while it is acting as a tunnel. | cannot be used by a server while it is acting as a tunnel. | |||
The effect of a cache is that the request/response chain is shortened | The effect of a cache is that the request/response chain is shortened | |||
if one of the participants along the chain has a cached response | if one of the participants along the chain has a cached response | |||
skipping to change at line 555 ¶ | skipping to change at page 16, line 7 ¶ | |||
> > | > > | |||
UA =========== A =========== B - - - - - - C - - - - - - O | UA =========== A =========== B - - - - - - C - - - - - - O | |||
< < | < < | |||
A response is "cacheable" if a cache is allowed to store a copy of | A response is "cacheable" if a cache is allowed to store a copy of | |||
the response message for use in answering subsequent requests. Even | the response message for use in answering subsequent requests. Even | |||
when a response is cacheable, there might be additional constraints | when a response is cacheable, there might be additional constraints | |||
placed by the client or by the origin server on when that cached | placed by the client or by the origin server on when that cached | |||
response can be used for a particular request. HTTP requirements for | response can be used for a particular request. HTTP requirements for | |||
cache behavior and cacheable responses are defined in Section 2 of | cache behavior and cacheable responses are defined in Section 2 of | |||
[RFC7234]. | [Caching]. | |||
There is a wide variety of architectures and configurations of caches | There is a wide variety of architectures and configurations of caches | |||
deployed across the World Wide Web and inside large organizations. | deployed across the World Wide Web and inside large organizations. | |||
These include national hierarchies of proxy caches to save | These include national hierarchies of proxy caches to save | |||
transoceanic bandwidth, collaborative systems that broadcast or | transoceanic bandwidth, collaborative systems that broadcast or | |||
multicast cache entries, archives of pre-fetched cache entries for | multicast cache entries, archives of pre-fetched cache entries for | |||
use in off-line or high-latency environments, and so on. | use in off-line or high-latency environments, and so on. | |||
2.7. Uniform Resource Identifiers | 2.4. Uniform Resource Identifiers | |||
Uniform Resource Identifiers (URIs) [RFC3986] are used throughout | Uniform Resource Identifiers (URIs) [RFC3986] are used throughout | |||
HTTP as the means for identifying resources (Section 2 of [RFC7231]). | HTTP as the means for identifying resources (Section 2.5). URI | |||
URI references are used to target requests, indicate redirects, and | references are used to target requests, indicate redirects, and | |||
define relationships. | define relationships. | |||
The definitions of "URI-reference", "absolute-URI", "relative-part", | The definitions of "URI-reference", "absolute-URI", "relative-part", | |||
"scheme", "authority", "port", "host", "path-abempty", "segment", | "authority", "port", "host", "path-abempty", "segment", and "query" | |||
"query", and "fragment" are adopted from the URI generic syntax. An | are adopted from the URI generic syntax. An "absolute-path" rule is | |||
"absolute-path" rule is defined for protocol elements that can | defined for protocol elements that can contain a non-empty path | |||
contain a non-empty path component. (This rule differs slightly from | component. (This rule differs slightly from the path-abempty rule of | |||
the path-abempty rule of RFC 3986, which allows for an empty path to | RFC 3986, which allows for an empty path to be used in references, | |||
be used in references, and path-absolute rule, which does not allow | and path-absolute rule, which does not allow paths that begin with | |||
paths that begin with "//".) A "partial-URI" rule is defined for | "//".) A "partial-URI" rule is defined for protocol elements that | |||
protocol elements that can contain a relative URI but not a fragment | can contain a relative URI but not a fragment component. | |||
component. | ||||
URI-reference = <URI-reference, see [RFC3986], Section 4.1> | URI-reference = <URI-reference, see [RFC3986], Section 4.1> | |||
absolute-URI = <absolute-URI, see [RFC3986], Section 4.3> | absolute-URI = <absolute-URI, see [RFC3986], Section 4.3> | |||
relative-part = <relative-part, see [RFC3986], Section 4.2> | relative-part = <relative-part, see [RFC3986], Section 4.2> | |||
scheme = <scheme, see [RFC3986], Section 3.1> | ||||
authority = <authority, see [RFC3986], Section 3.2> | authority = <authority, see [RFC3986], Section 3.2> | |||
uri-host = <host, see [RFC3986], Section 3.2.2> | uri-host = <host, see [RFC3986], Section 3.2.2> | |||
port = <port, see [RFC3986], Section 3.2.3> | port = <port, see [RFC3986], Section 3.2.3> | |||
path-abempty = <path-abempty, see [RFC3986], Section 3.3> | path-abempty = <path-abempty, see [RFC3986], Section 3.3> | |||
segment = <segment, see [RFC3986], Section 3.3> | segment = <segment, see [RFC3986], Section 3.3> | |||
query = <query, see [RFC3986], Section 3.4> | query = <query, see [RFC3986], Section 3.4> | |||
fragment = <fragment, see [RFC3986], Section 3.5> | ||||
absolute-path = 1*( "/" segment ) | absolute-path = 1*( "/" segment ) | |||
partial-URI = relative-part [ "?" query ] | partial-URI = relative-part [ "?" query ] | |||
Each protocol element in HTTP that allows a URI reference will | Each protocol element in HTTP that allows a URI reference will | |||
indicate in its ABNF production whether the element allows any form | indicate in its ABNF production whether the element allows any form | |||
of reference (URI-reference), only a URI in absolute form | of reference (URI-reference), only a URI in absolute form (absolute- | |||
(absolute-URI), only the path and optional query components, or some | URI), only the path and optional query components, or some | |||
combination of the above. Unless otherwise indicated, URI references | combination of the above. Unless otherwise indicated, URI references | |||
are parsed relative to the effective request URI (Section 5.5). | are parsed relative to the effective request URI (Section 5.5). | |||
2. Resources | It is RECOMMENDED that all senders and recipients support, at a | |||
minimum, URIs with lengths of 8000 octets in protocol elements. Note | ||||
that this implies some structures and on-wire representations (for | ||||
example, the request line in HTTP/1.1) will necessarily be larger in | ||||
some cases. | ||||
2.5. Resources | ||||
The target of an HTTP request is called a "resource". HTTP does not | The target of an HTTP request is called a "resource". HTTP does not | |||
limit the nature of a resource; it merely defines an interface that | limit the nature of a resource; it merely defines an interface that | |||
might be used to interact with resources. Each resource is | might be used to interact with resources. Each resource is | |||
identified by a Uniform Resource Identifier (URI), as described in | identified by a Uniform Resource Identifier (URI), as described in | |||
Section 2.7 of [RFC7230]. | Section 2.4. | |||
When a client constructs an HTTP/1.1 request message, it sends the | ||||
target URI in one of various forms, as defined in (Section 5.3 of | ||||
[RFC7230]). When a request is received, the server reconstructs an | ||||
effective request URI for the target resource (Section 5.5 of | ||||
[RFC7230]). | ||||
One design goal of HTTP is to separate resource identification from | One design goal of HTTP is to separate resource identification from | |||
request semantics, which is made possible by vesting the request | request semantics, which is made possible by vesting the request | |||
semantics in the request method (Section 4) and a few | semantics in the request method (Section 7) and a few request- | |||
request-modifying header fields (Section 5). If there is a conflict | modifying header fields (Section 8). If there is a conflict between | |||
between the method semantics and any semantic implied by the URI | the method semantics and any semantic implied by the URI itself, as | |||
itself, as described in Section 4.2.1, the method semantics take | described in Section 7.2.1, the method semantics take precedence. | |||
precedence. | ||||
IANA maintains the registry of URI Schemes [BCP115] at | ||||
<http://www.iana.org/assignments/uri-schemes/>. | ||||
This document defines the following URI schemes. | IANA maintains the registry of URI Schemes [BCP35] at | |||
<https://www.iana.org/assignments/uri-schemes/>. Although requests | ||||
might target any URI scheme, the following schemes are inherent to | ||||
HTTP servers: | ||||
+------------+------------------------------------+---------------+ | +------------+------------------------------------+---------------+ | |||
| URI Scheme | Description | Reference | | | URI Scheme | Description | Reference | | |||
+------------+------------------------------------+---------------+ | +------------+------------------------------------+---------------+ | |||
| http | Hypertext Transfer Protocol | Section 2.7.1 | | | http | Hypertext Transfer Protocol | Section 2.5.1 | | |||
| https | Hypertext Transfer Protocol Secure | Section 2.7.2 | | | https | Hypertext Transfer Protocol Secure | Section 2.5.2 | | |||
+------------+------------------------------------+---------------+ | +------------+------------------------------------+---------------+ | |||
Note that the presence of a URI with a given authority component does | Note that the presence of an "http" or "https" URI does not imply | |||
not imply that there is always an HTTP server listening for | that there is always an HTTP server at the identified origin | |||
connections on that host and port. Anyone can mint a URI. What the | listening for connections. Anyone can mint a URI, whether or not a | |||
authority component determines is who has the right to respond | server exists and whether or not that server currently maps that | |||
authoritatively to requests that target the identified resource. The | identifier to a resource. The delegated nature of registered names | |||
delegated nature of registered names and IP addresses creates a | and IP addresses creates a federated namespace whether or not an HTTP | |||
federated namespace, based on control over the indicated host and | server is present. | |||
port, whether or not an HTTP server is present. | ||||
2.7.1. http URI Scheme | 2.5.1. http URI Scheme | |||
The "http" URI scheme is hereby defined for the purpose of minting | The "http" URI scheme is hereby defined for minting identifiers | |||
identifiers according to their association with the hierarchical | within the hierarchical namespace governed by a potential HTTP origin | |||
namespace governed by a potential HTTP origin server listening for | server listening for TCP ([RFC0793]) connections on a given port. | |||
TCP ([RFC0793]) connections on a given port. | ||||
http-URI = "http:" "//" authority path-abempty [ "?" query ] | http-URI = "http" "://" authority path-abempty [ "?" query ] | |||
[ "#" fragment ] | ||||
The origin server for an "http" URI is identified by the authority | The origin server for an "http" URI is identified by the authority | |||
component, which includes a host identifier and optional TCP port | component, which includes a host identifier and optional port number | |||
([RFC3986], Section 3.2.2). If the port subcomponent is empty or not | ([RFC3986], Section 3.2.2). If the port subcomponent is empty or not | |||
given, TCP port 80 (the reserved port for WWW services) is the | given, TCP port 80 (the reserved port for WWW services) is the | |||
default. | default. The origin determines who has the right to respond | |||
authoritatively to requests that target the identified resource, as | ||||
defined in Section 5.4.1. | ||||
A sender MUST NOT generate an "http" URI with an empty host | A sender MUST NOT generate an "http" URI with an empty host | |||
identifier. A recipient that processes such a URI reference MUST | identifier. A recipient that processes such a URI reference MUST | |||
reject it as invalid. | reject it as invalid. | |||
The hierarchical path component and optional query component serve | The hierarchical path component and optional query component identify | |||
as an identifier for a potential target resource within that | the target resource within that origin server's name space. | |||
origin server's name space. | ||||
2.7.2. https URI Scheme | 2.5.2. https URI Scheme | |||
The "https" URI scheme is hereby defined for the purpose of minting | The "https" URI scheme is hereby defined for minting identifiers | |||
identifiers according to their association with the hierarchical | within the hierarchical namespace governed by a potential origin | |||
namespace governed by a potential HTTP origin server listening to a | server listening for TCP connections on a given port and capable of | |||
given TCP port for TLS-secured connections ([RFC5246]). | establishing a TLS ([RFC8446]) connection that has been secured for | |||
HTTP communication. In this context, "secured" specifically means | ||||
that the server has been authenticated as acting on behalf of the | ||||
identified authority and all HTTP communication with that server has | ||||
been protected for confidentiality and integrity through the use of | ||||
strong encryption. | ||||
https-URI = "https:" "//" authority path-abempty [ "?" query ] | https-URI = "https" "://" authority path-abempty [ "?" query ] | |||
[ "#" fragment ] | ||||
All of the requirements listed above for the "http" scheme are also | The origin server for an "https" URI is identified by the authority | |||
requirements for the "https" scheme, except that TCP port 443 is the | component, which includes a host identifier and optional port number | |||
default if the port subcomponent is empty or not given, and the user | ([RFC3986], Section 3.2.2). If the port subcomponent is empty or not | |||
agent MUST ensure that its connection to the origin server is secured | given, TCP port 443 (the reserved port for HTTP over TLS) is the | |||
through the use of strong encryption, end-to-end, prior to sending | default. The origin determines who has the right to respond | |||
the first HTTP request. | authoritatively to requests that target the identified resource, as | |||
defined in Section 5.4.2. | ||||
Note that the "https" URI scheme depends on both TLS and TCP for | A sender MUST NOT generate an "https" URI with an empty host | |||
establishing authority. | identifier. A recipient that processes such a URI reference MUST | |||
reject it as invalid. | ||||
The process for authoritative access to an "https" identified | The hierarchical path component and optional query component identify | |||
resource is defined in [RFC2818]. | the target resource within that origin server's name space. | |||
A client MUST ensure that its HTTP requests for an "https" resource | ||||
are secured, prior to being communicated, and that it only accepts | ||||
secured responses to those requests. | ||||
Resources made available via the "https" scheme have no shared | Resources made available via the "https" scheme have no shared | |||
identity with the "http" scheme even if their resource identifiers | identity with the "http" scheme. They are distinct origins with | |||
indicate the same authority (the same host listening to the same TCP | separate namespaces. However, an extension to HTTP that is defined | |||
port). They are distinct namespaces and are considered to be distinct | to apply to all origins with the same host, such as the Cookie | |||
origin servers. However, an extension to HTTP that is defined | ||||
to apply to entire host domains, such as the Cookie | ||||
protocol [RFC6265], can allow information set by one service to | protocol [RFC6265], can allow information set by one service to | |||
impact communication with other services within a matching group of | impact communication with other services within a matching group of | |||
host domains. | host domains. | |||
2.5.4. http and https URI Normalization and Comparison | 2.5.3. http and https URI Normalization and Comparison | |||
Since the "http" and "https" schemes conform to the URI generic | Since the "http" and "https" schemes conform to the URI generic | |||
syntax, such URIs are normalized and compared according to the | syntax, such URIs are normalized and compared according to the | |||
algorithm defined in Section 6 of [RFC3986], using the defaults | algorithm defined in Section 6 of [RFC3986], using the defaults | |||
described above for each scheme. | described above for each scheme. | |||
If the port is equal to the default port for a scheme, the normal | If the port is equal to the default port for a scheme, the normal | |||
form is to omit the port subcomponent. When not being used in | form is to omit the port subcomponent. When not being used in | |||
absolute form as the request target of an OPTIONS request, an empty | absolute form as the request target of an OPTIONS request, an empty | |||
path component is equivalent to an absolute path of "/", so the | path component is equivalent to an absolute path of "/", so the | |||
normal form is to provide a path of "/" instead. The scheme and host | normal form is to provide a path of "/" instead. The scheme and host | |||
are case-insensitive and normally provided in lowercase; all other | are case-insensitive and normally provided in lowercase; all other | |||
components are compared in a case-sensitive manner. Characters other | components are compared in a case-sensitive manner. Characters other | |||
than those in the "reserved" set are equivalent to their | than those in the "reserved" set are equivalent to their percent- | |||
percent-encoded octets: the normal form is to not encode them (see | encoded octets: the normal form is to not encode them (see Sections | |||
Sections 2.1 and 2.2 of [RFC3986]). | 2.1 and 2.2 of [RFC3986]). | |||
For example, the following three URIs are equivalent: | For example, the following three URIs are equivalent: | |||
http://example.com:80/~smith/home.html | http://example.com:80/~smith/home.html | |||
http://EXAMPLE.com/%7Esmith/home.html | http://EXAMPLE.com/%7Esmith/home.html | |||
http://EXAMPLE.com:/%7esmith/home.html | http://EXAMPLE.com:/%7esmith/home.html | |||
X.X.X. Deprecated userinfo | 2.5.4. Deprecated userinfo | |||
The URI generic syntax for authority also includes a deprecated | The URI generic syntax for authority also includes a userinfo | |||
userinfo subcomponent ([RFC3986], Section 3.2.1) for including user | subcomponent ([RFC3986], Section 3.2.1) for including user | |||
authentication information in the URI. | authentication information in the URI. In that subcomponent, the use | |||
of the format "user:password" is deprecated. | ||||
Some implementations make use of the userinfo component for internal | Some implementations make use of the userinfo component for internal | |||
configuration of authentication information, such as within command | configuration of authentication information, such as within command | |||
invocation options, configuration files, or bookmark lists, even | invocation options, configuration files, or bookmark lists, even | |||
though such usage might expose a user identifier or password. | though such usage might expose a user identifier or password. | |||
A sender MUST NOT generate the userinfo subcomponent (and its "@" | A sender MUST NOT generate the userinfo subcomponent (and its "@" | |||
delimiter) when an "http" URI reference is generated | delimiter) when an "http" or "https" URI reference is generated | |||
within a message as a request target or header field value. | within a message as a request target or field value. | |||
Before making use of an "http" URI reference received from | Before making use of an "http" or "https" URI reference received from | |||
an untrusted source, a recipient SHOULD parse for userinfo and treat | an untrusted source, a recipient SHOULD parse for userinfo and treat | |||
its presence as an error; it is likely being used to obscure the | its presence as an error; it is likely being used to obscure the | |||
authority for the sake of phishing attacks. | authority for the sake of phishing attacks. | |||
2.5.3. Fragment Identifiers on http(s) URI References | 2.5.5. Fragment Identifiers on http(s) URI References | |||
The optional fragment component allows for indirect identification of a | Fragment identifiers allow for indirect identification of a secondary | |||
secondary resource, independent of the URI scheme, as defined in Section | resource, independent of the URI scheme, as defined in Section 3.5 of | |||
3.5 of [RFC3986]. | [RFC3986]. Some protocol elements that refer to a URI allow | |||
inclusion of a fragment, while others do not. They are distinguished | ||||
by use of the ABNF rule for elements where fragment is allowed; | ||||
otherwise, a specific rule that excludes fragments is used (see | ||||
Section 5.1). | ||||
Note: the fragment identifier component is not part of the actual | ||||
scheme definition for a URI scheme (see Section 4.3 of [RFC3986]), | ||||
thus does not appear in the ABNF definitions for the "http" and | ||||
"https" URI schemes above. | ||||
3. Conformance | 3. Conformance | |||
2.2. Implementation Diversity | 3.1. Implementation Diversity | |||
When considering the design of HTTP, it is easy to fall into a trap | When considering the design of HTTP, it is easy to fall into a trap | |||
of thinking that all user agents are general-purpose browsers and all | of thinking that all user agents are general-purpose browsers and all | |||
origin servers are large public websites. That is not the case in | origin servers are large public websites. That is not the case in | |||
practice. Common HTTP user agents include household appliances, | practice. Common HTTP user agents include household appliances, | |||
stereos, scales, firmware update scripts, command-line programs, | stereos, scales, firmware update scripts, command-line programs, | |||
mobile apps, and communication devices in a multitude of shapes and | mobile apps, and communication devices in a multitude of shapes and | |||
sizes. Likewise, common HTTP origin servers include home automation | sizes. Likewise, common HTTP origin servers include home automation | |||
units, configurable networking components, office machines, | units, configurable networking components, office machines, | |||
autonomous robots, news feeds, traffic cameras, ad selectors, and | autonomous robots, news feeds, traffic cameras, ad selectors, and | |||
skipping to change at line 790 ¶ | skipping to change at page 21, line 12 ¶ | |||
warning for security or privacy concerns. In the few cases where | warning for security or privacy concerns. In the few cases where | |||
this specification requires reporting of errors to the user, it is | this specification requires reporting of errors to the user, it is | |||
acceptable for such reporting to only be observable in an error | acceptable for such reporting to only be observable in an error | |||
console or log file. Likewise, requirements that an automated action | console or log file. Likewise, requirements that an automated action | |||
be confirmed by the user before proceeding might be met via advance | be confirmed by the user before proceeding might be met via advance | |||
configuration choices, run-time options, or simple avoidance of the | configuration choices, run-time options, or simple avoidance of the | |||
unsafe action; confirmation does not imply any specific user | unsafe action; confirmation does not imply any specific user | |||
interface or interruption of normal processing if the user has | interface or interruption of normal processing if the user has | |||
already made that choice. | already made that choice. | |||
2.5. Conformance and Error Handling | 3.2. Role-based Requirements | |||
This specification targets conformance criteria according to the role | This specification targets conformance criteria according to the role | |||
of a participant in HTTP communication. Hence, HTTP requirements are | of a participant in HTTP communication. Hence, HTTP requirements are | |||
placed on senders, recipients, clients, servers, user agents, | placed on senders, recipients, clients, servers, user agents, | |||
intermediaries, origin servers, proxies, gateways, or caches, | intermediaries, origin servers, proxies, gateways, or caches, | |||
depending on what behavior is being constrained by the requirement. | depending on what behavior is being constrained by the requirement. | |||
Additional (social) requirements are placed on implementations, | Additional (social) requirements are placed on implementations, | |||
resource owners, and protocol element registrations when they apply | resource owners, and protocol element registrations when they apply | |||
beyond the scope of a single communication. | beyond the scope of a single communication. | |||
skipping to change at line 817 ¶ | skipping to change at page 21, line 39 ¶ | |||
Conformance includes both the syntax and semantics of protocol | Conformance includes both the syntax and semantics of protocol | |||
elements. A sender MUST NOT generate protocol elements that convey a | elements. A sender MUST NOT generate protocol elements that convey a | |||
meaning that is known by that sender to be false. A sender MUST NOT | meaning that is known by that sender to be false. A sender MUST NOT | |||
generate protocol elements that do not match the grammar defined by | generate protocol elements that do not match the grammar defined by | |||
the corresponding ABNF rules. Within a given message, a sender MUST | the corresponding ABNF rules. Within a given message, a sender MUST | |||
NOT generate protocol elements or syntax alternatives that are only | NOT generate protocol elements or syntax alternatives that are only | |||
allowed to be generated by participants in other roles (i.e., a role | allowed to be generated by participants in other roles (i.e., a role | |||
that the sender does not have for that message). | that the sender does not have for that message). | |||
3.3. Parsing Elements | ||||
When a received protocol element is parsed, the recipient MUST be | When a received protocol element is parsed, the recipient MUST be | |||
able to parse any value of reasonable length that is applicable to | able to parse any value of reasonable length that is applicable to | |||
the recipient's role and that matches the grammar defined by the | the recipient's role and that matches the grammar defined by the | |||
corresponding ABNF rules. Note, however, that some received protocol | corresponding ABNF rules. Note, however, that some received protocol | |||
elements might not be parsed. For example, an intermediary | elements might not be parsed. For example, an intermediary | |||
forwarding a message might parse a header-field into generic | forwarding a message might parse a field into generic field name and | |||
field-name and field-value components, but then forward the header | field value components, but then forward the field without further | |||
field without further parsing inside the field-value. | parsing inside the field value. | |||
HTTP does not have specific length limitations for many of its | HTTP does not have specific length limitations for many of its | |||
protocol elements because the lengths that might be appropriate will | protocol elements because the lengths that might be appropriate will | |||
vary widely, depending on the deployment context and purpose of the | vary widely, depending on the deployment context and purpose of the | |||
implementation. Hence, interoperability between senders and | implementation. Hence, interoperability between senders and | |||
recipients depends on shared expectations regarding what is a | recipients depends on shared expectations regarding what is a | |||
reasonable length for each protocol element. Furthermore, what is | reasonable length for each protocol element. Furthermore, what is | |||
commonly understood to be a reasonable length for some protocol | commonly understood to be a reasonable length for some protocol | |||
elements has changed over the course of the past two decades of HTTP | elements has changed over the course of the past two decades of HTTP | |||
use and is expected to continue changing in the future. | use and is expected to continue changing in the future. | |||
At a minimum, a recipient MUST be able to parse and process protocol | At a minimum, a recipient MUST be able to parse and process protocol | |||
element lengths that are at least as long as the values that it | element lengths that are at least as long as the values that it | |||
generates for those same protocol elements in other messages. For | generates for those same protocol elements in other messages. For | |||
example, an origin server that publishes very long URI references to | example, an origin server that publishes very long URI references to | |||
its own resources needs to be able to parse and process those same | its own resources needs to be able to parse and process those same | |||
references when received as a request target. | references when received as a request target. | |||
3.4. Error Handling | ||||
A recipient MUST interpret a received protocol element according to | A recipient MUST interpret a received protocol element according to | |||
the semantics defined for it by this specification, including | the semantics defined for it by this specification, including | |||
extensions to this specification, unless the recipient has determined | extensions to this specification, unless the recipient has determined | |||
(through experience or configuration) that the sender incorrectly | (through experience or configuration) that the sender incorrectly | |||
implements what is implied by those semantics. For example, an | implements what is implied by those semantics. For example, an | |||
origin server might disregard the contents of a received | origin server might disregard the contents of a received Accept- | |||
Accept-Encoding header field if inspection of the User-Agent header | Encoding header field if inspection of the User-Agent header field | |||
field indicates a specific implementation version that is known to | indicates a specific implementation version that is known to fail on | |||
fail on receipt of certain content codings. | receipt of certain content codings. | |||
Unless noted otherwise, a recipient MAY attempt to recover a usable | Unless noted otherwise, a recipient MAY attempt to recover a usable | |||
protocol element from an invalid construct. HTTP does not define | protocol element from an invalid construct. HTTP does not define | |||
specific error handling mechanisms except when they have a direct | specific error handling mechanisms except when they have a direct | |||
impact on security, since different applications of the protocol | impact on security, since different applications of the protocol | |||
require different error handling strategies. For example, a Web | require different error handling strategies. For example, a Web | |||
browser might wish to transparently recover from a response where the | browser might wish to transparently recover from a response where the | |||
Location header field doesn't parse according to the ABNF, whereas a | Location header field doesn't parse according to the ABNF, whereas a | |||
systems control client might consider any form of error recovery to | systems control client might consider any form of error recovery to | |||
be dangerous. | be dangerous. | |||
2.6. Protocol Versioning | Some requests can be automatically retried by a client in the event | |||
of an underlying connection failure, as described in Section 7.2.2. | ||||
3.5. Protocol Versioning | ||||
The HTTP version number consists of two decimal digits separated by a | The HTTP version number consists of two decimal digits separated by a | |||
"." (period or decimal point). The first digit ("major version") | "." (period or decimal point). The first digit ("major version") | |||
indicates the HTTP messaging syntax, whereas the second digit ("minor | indicates the HTTP messaging syntax, whereas the second digit ("minor | |||
version") indicates the highest minor version within that major | version") indicates the highest minor version within that major | |||
version to which the sender is conformant and able to understand for | version to which the sender is conformant and able to understand for | |||
future communication. | future communication. | |||
The protocol version as a whole indicates the sender's conformance with | The protocol version as a whole indicates the sender's conformance | |||
the set of requirements laid out in that version's corresponding | with the set of requirements laid out in that version's corresponding | |||
specification of HTTP. | specification of HTTP. For example, the version "HTTP/1.1" is | |||
defined by the combined specifications of this document, "HTTP | ||||
Caching" [Caching], and "HTTP/1.1 Messaging" [Messaging]. | ||||
The minor version advertises the sender's | The minor version advertises the sender's communication capabilities | |||
communication capabilities even when the sender is only using a | even when the sender is only using a backwards-compatible subset of | |||
backwards-compatible subset of the protocol, thereby letting the | the protocol, thereby letting the recipient know that more advanced | |||
recipient know that more advanced features can be used in response | features can be used in response (by servers) or in future requests | |||
(by servers) or in future requests (by clients). | (by clients). | |||
A client SHOULD send a request version equal to the highest version | A client SHOULD send a request version equal to the highest version | |||
to which the client is conformant and whose major version is no | to which the client is conformant and whose major version is no | |||
higher than the highest version supported by the server, if this is | higher than the highest version supported by the server, if this is | |||
known. A client MUST NOT send a version to which it is not | known. A client MUST NOT send a version to which it is not | |||
conformant. | conformant. | |||
A client MAY send a lower request version if it is known that the | A client MAY send a lower request version if it is known that the | |||
server incorrectly implements the HTTP specification, but only after | server incorrectly implements the HTTP specification, but only after | |||
the client has attempted at least one normal request and determined | the client has attempted at least one normal request and determined | |||
from the response status code or header fields (e.g., Server) that | from the response status code or header fields (e.g., Server) that | |||
the server improperly handles higher request versions. | the server improperly handles higher request versions. | |||
A server SHOULD send a response version equal to the highest version | A server SHOULD send a response version equal to the highest version | |||
to which the server is conformant that has a major version less than | to which the server is conformant that has a major version less than | |||
or equal to the one received in the request. A server MUST NOT send | or equal to the one received in the request. A server MUST NOT send | |||
a version to which it is not conformant. A server can send a 505 | a version to which it is not conformant. A server can send a 505 | |||
(HTTP Version Not Supported) response if it wishes, for any reason, | (HTTP Version Not Supported) response if it wishes, for any reason, | |||
to refuse service of the client's major protocol version. | to refuse service of the client's major protocol version. | |||
The intention of HTTP's versioning design is that the major number | HTTP's major version number is incremented when an incompatible | |||
will only be incremented if an incompatible message syntax is | message syntax is introduced. The minor number is incremented when | |||
introduced, and that the minor number will only be incremented when | ||||
changes made to the protocol have the effect of adding to the message | changes made to the protocol have the effect of adding to the message | |||
semantics or implying additional capabilities of the sender. | semantics or implying additional capabilities of the sender. | |||
However, the minor version was not incremented for the changes | ||||
introduced between [RFC2068] and [RFC2616], and this revision has | ||||
specifically avoided any such changes to the protocol. | ||||
When an HTTP message is received with a major version number that the | When an HTTP message is received with a major version number that the | |||
recipient implements, but a higher minor version number than what the | recipient implements, but a higher minor version number than what the | |||
recipient implements, the recipient SHOULD process the message as if | recipient implements, the recipient SHOULD process the message as if | |||
it were in the highest minor version within that major version to | it were in the highest minor version within that major version to | |||
which the recipient is conformant. A recipient can assume that a | which the recipient is conformant. A recipient can assume that a | |||
message with a higher minor version, when sent to a recipient that | message with a higher minor version, when sent to a recipient that | |||
has not yet indicated support for that higher version, is | has not yet indicated support for that higher version, is | |||
sufficiently backwards-compatible to be safely processed by any | sufficiently backwards-compatible to be safely processed by any | |||
implementation of the same major version. | implementation of the same major version. | |||
[When a major version ...] | When a major version of HTTP does not define any minor versions, the | |||
minor version "0" is implied and is used when referring to that | ||||
protocol within a protocol element that requires sending a minor | ||||
version. | ||||
4. Header Fields | 4. Header and Trailer Fields | |||
Header fields are key:value pairs that can be used to communicate | HTTP messages use key/value pairs to convey data about the message, | |||
data about the message, its payload, the target resource, or the | its payload, the target resource, or the connection (i.e., control | |||
connection (i.e., control data). See Section 3.2 of [RFC7230] for a | data). They are called "HTTP fields" or just "fields". | |||
general definition of header field syntax in HTTP messages. | ||||
The interpretation of a header field does not change between minor | Every message can have two separate areas that such fields can occur | |||
versions of the same major HTTP version, though the default behavior | within; the "header field section" (or just "header section") | |||
of a recipient in the absence of such a field can change. Unless | preceding the message body and containing "header fields" (or just | |||
specified otherwise, header fields defined in HTTP/1.1 are defined | "headers", colloquially) and the "trailer field section" (or just | |||
for all versions of HTTP/1.x. In particular, the Host and Connection | "trailer section") after the message body containing "trailer fields" | |||
header fields ought to be implemented by all HTTP/1.x implementations | (or just "trailers" colloquially). Header fields are more common; | |||
whether or not they advertise conformance with HTTP/1.1. | see Section 4.6 for discussion of the applicability and limitations | |||
of trailer fields. | ||||
New header fields can be introduced without changing the protocol | Both sections are composed of any number of "field lines", each with | |||
version if their defined semantics allow them to be safely ignored by | a "field name" (see Section 4.3) identifying the field, and a "field | |||
recipients that do not recognize them. Header field extensibility is | line value" that conveys data for the field. | |||
discussed in Section 3.2.1. | ||||
Each field name present in a section has a corresponding "field | ||||
value" for that section, composed from all field line values with | ||||
that given field name in that section, concatenated together and | ||||
separated with commas. See Section 4.1 for further discussion of the | ||||
semantics of field ordering and combination in messages, and | ||||
Section 4.4 for more discussion of field values. | ||||
For example, this section: | ||||
Example-Field: Foo, Bar | ||||
Example-Field: Baz | ||||
contains two field lines, both with the field name "Example-Field". | ||||
The first field line has a field line value of "Foo, Bar", while the | ||||
second field line value is "Baz". The field value for "Example- | ||||
Field" is a list with three members: "Foo", "Bar", and "Baz". | ||||
The interpretation of a field does not change between minor versions | ||||
of the same major HTTP version, though the default behavior of a | ||||
recipient in the absence of such a field can change. Unless | ||||
specified otherwise, fields are defined for all versions of HTTP. In | ||||
particular, the Host and Connection fields ought to be implemented by | ||||
all HTTP/1.x implementations whether or not they advertise | ||||
conformance with HTTP/1.1. | ||||
New fields can be introduced without changing the protocol version if | ||||
their defined semantics allow them to be safely ignored by recipients | ||||
that do not recognize them; see Section 4.3.1. | ||||
4.1. Field Ordering and Combination | 4.1. Field Ordering and Combination | |||
The order in which header fields with differing field names are | The order in which field lines with differing names are received in a | |||
received is not significant. However, it is good practice to send | message is not significant. However, it is good practice to send | |||
header fields that contain control data first, such as Host on | header fields that contain control data first, such as Host on | |||
requests and Date on responses, so that implementations can decide | requests and Date on responses, so that implementations can decide | |||
when not to handle a message as early as possible. A server MUST NOT | when not to handle a message as early as possible. A server MUST NOT | |||
apply a request to the target resource until the entire request | apply a request to the target resource until the entire request | |||
header section is received, since later header fields might include | header section is received, since later header field lines might | |||
conditionals, authentication credentials, or deliberately misleading | include conditionals, authentication credentials, or deliberately | |||
duplicate header fields that would impact request processing. | misleading duplicate header fields that would impact request | |||
processing. | ||||
A recipient MAY combine multiple header fields with the same field | A recipient MAY combine multiple field lines with the same field name | |||
name into one "field-name: field-value" pair, without changing the | into one field line, without changing the semantics of the message, | |||
semantics of the message, by appending each subsequent field value to | by appending each subsequent field line value to the initial field | |||
the combined field value in order, separated by a comma. | line value in order, separated by a comma and optional whitespace. | |||
For consistency, use comma SP. | ||||
The order in which header fields with the same field name are received is | The order in which field lines with the same name are received is | |||
therefore significant to the interpretation of the combined field value; a | therefore significant to the interpretation of the field value; a | |||
proxy MUST NOT change the order of these field values when | proxy MUST NOT change the order of these field line values when | |||
forwarding a message. | forwarding a message. | |||
A sender MUST NOT generate multiple header fields with the same field | This means that, aside from the well-known exception noted below, a | |||
name in a message unless either the entire field value for that | sender MUST NOT generate multiple field lines with the same name in a | |||
header field is defined as a comma-separated list [i.e., #(values)] | message (whether in the headers or trailers), or append a field line | |||
or the header field is a well-known exception (as noted below). | when a field line of the same name already exists in the message, | |||
unless that field's definition allows multiple field line values to | ||||
be recombined as a comma-separated list [i.e., at least one | ||||
alternative of the field's definition allows a comma-separated list, | ||||
such as an ABNF rule of #(values) defined in Section 4.5]. | ||||
Note: In practice, the "Set-Cookie" header field ([RFC6265]) often | Note: In practice, the "Set-Cookie" header field ([RFC6265]) often | |||
appears multiple times in a response message and does not use the | appears in a response message across multiple field and does not | |||
list syntax, violating the above requirements on multiple header | use the list syntax, violating the above requirements on multiple | |||
fields with the same name. Since it cannot be combined into a | field lines with the same field name. Since it cannot be combined | |||
single field-value, recipients ought to handle "Set-Cookie" as a | into a single field value, recipients ought to handle "Set-Cookie" | |||
special case while processing header fields. (See Appendix A.2.3 | as a special case while processing fields. (See Appendix A.2.3 of | |||
of [Kri2001] for details.) | [Kri2001] for details.) | |||
3.2.5. Field Limits | 4.2. Field Limits | |||
HTTP does not place a predefined limit on the length of each header | HTTP does not place a predefined limit on the length of each field | |||
field or on the length of the header section as a whole, as described | line, field value, or on the length of the header or trailer section | |||
in Section 2.5. Various ad hoc limitations on individual header | as a whole, as described in Section 3. Various ad hoc limitations on | |||
field length are found in practice, often depending on the specific | individual lengths are found in practice, often depending on the | |||
field semantics. | specific field's semantics. | |||
A server that receives a request header field, or set of fields, | A server that receives a request header field line, field value, or | |||
larger than it wishes to process MUST respond with an appropriate 4xx | set of fields larger than it wishes to process MUST respond with an | |||
(Client Error) status code. Ignoring such header fields would | appropriate 4xx (Client Error) status code. Ignoring such header | |||
increase the server's vulnerability to request smuggling attacks | fields would increase the server's vulnerability to request smuggling | |||
(Section 9.5). | attacks (Section 11.2 of [Messaging]). | |||
A client MAY discard or truncate received header fields that are | A client MAY discard or truncate received field lines that are larger | |||
larger than the client wishes to process if the field semantics are | than the client wishes to process if the field semantics are such | |||
such that the dropped value(s) can be safely ignored without changing | that the dropped value(s) can be safely ignored without changing the | |||
the message framing or response semantics. | message framing or response semantics. | |||
4.1. Header Field Names | 4.3. Field Names | |||
The field-name token labels the corresponding field-value as having | The field-name token labels the corresponding field value as having | |||
the semantics defined by that header field. For example, the Date | the semantics defined by that field. For example, the Date header | |||
header field is defined in Section 7.1.1.2 of [RFC7231] as containing | field is defined in Section 10.1.1.2 as containing the origination | |||
the origination timestamp for the message in which it appears. | timestamp for the message in which it appears. | |||
field-name = token | field-name = token | |||
The requirements for header field names are defined in [BCP90]. | Field names are case-insensitive and ought to be registered within | |||
the "Hypertext Transfer Protocol (HTTP) Field Name Registry"; see | ||||
Section 4.3.2. | ||||
Authors of specifications defining new fields are advised to keep the | Authors of specifications defining new fields are advised to choose a | |||
name as short as practical and not to prefix the name with "X-" | short but descriptive field name. Short names avoid needless data | |||
unless the header field will never be used on the Internet. (The | transmission; descriptive names avoid confusion and "squatting" on | |||
"X-" prefix idiom has been extensively misused in practice; it was | names that might have broader uses. | |||
intended to only be used as a mechanism for avoiding name collisions | ||||
inside proprietary software or intranet processing, since the prefix | To that end, limited-use fields (such as a header confined to a | |||
would ensure that private names never collide with a newly registered | single application or use case) are encouraged to use a name that | |||
Internet name; see [BCP178] for further information). | includes its name (or an abbreviation) as a prefix; for example, if | |||
the Foo Application needs a Description field, it might use "Foo- | ||||
Desc"; "Description" is too generic, and "Foo-Description" is | ||||
needlessly long. | ||||
While the field-name syntax is defined to allow any token character, | ||||
in practice some implementations place limits on the characters they | ||||
accept in field-names. To be interoperable, new field names SHOULD | ||||
constrain themselves to alphanumeric characters, "-", and ".", and | ||||
SHOULD begin with an alphanumeric character. | ||||
Field names ought not be prefixed with "X-"; see [BCP178] for further | ||||
information. | ||||
[ | ||||
Other prefixes are sometimes used in HTTP field names; for example, | Other prefixes are sometimes used in HTTP field names; for example, | |||
"Accept-" is used in many content negotiation headers. These | "Accept-" is used in many content negotiation headers. These | |||
prefixes are only an aid to recognizing the purpose of a field, and | prefixes are only an aid to recognizing the purpose of a field, and | |||
do not trigger automatic processing. | do not trigger automatic processing. | |||
] | ||||
4.3.1. Field Extensibility | 4.3.1. Field Extensibility | |||
Header fields are fully extensible: there is no limit on the | There is no limit on the introduction of new field names, each | |||
introduction of new field names, each presumably defining new | presumably defining new semantics. | |||
semantics, nor on the number of header fields used in a given | ||||
message. Existing fields are defined in each part of this | ||||
specification and in many other specifications outside this document | ||||
set. | ||||
New header fields can be defined such that, when they are understood | New fields can be defined such that, when they are understood by a | |||
by a recipient, they might override or enhance the interpretation of | recipient, they might override or enhance the interpretation of | |||
previously defined header fields, define preconditions on request | previously defined fields, define preconditions on request | |||
evaluation, or refine the meaning of responses. | evaluation, or refine the meaning of responses. | |||
A proxy MUST forward unrecognized header fields unless the field-name | A proxy MUST forward unrecognized header fields unless the field name | |||
is listed in the Connection header field (Section 6.1) or the proxy | is listed in the Connection header field (Section 9.1 of [Messaging]) | |||
is specifically configured to block, or otherwise transform, such | or the proxy is specifically configured to block, or otherwise | |||
fields. Other recipients SHOULD ignore unrecognized header fields. | transform, such fields. Other recipients SHOULD ignore unrecognized | |||
These requirements allow HTTP's functionality to be enhanced without | header and trailer fields. These requirements allow HTTP's | |||
requiring prior update of deployed intermediaries. | functionality to be enhanced without requiring prior update of | |||
deployed intermediaries. | ||||
4.3.2. Field Name Registry | 4.3.2. Field Name Registry | |||
HTTP header fields are registered within the "Message Headers" | The "Hypertext Transfer Protocol (HTTP) Field Name Registry" defines | |||
registry located at | the namespace for HTTP field names. | |||
<http://www.iana.org/assignments/message-headers>, as defined by | ||||
[BCP90]. | ||||
All defined header fields ought to be registered with IANA in the | Any party can request registration of a HTTP field. See Section 4.7 | |||
"Message Headers" registry, as described in Section 8.3 of [RFC7231]. | for considerations to take into account when creating a new HTTP | |||
field. | ||||
The "Hypertext Transfer Protocol (HTTP) Field Name Registry" is | ||||
located at "https://www.iana.org/assignments/http-fields/". | ||||
Registration requests can be made by following the instructions | ||||
located there or by sending an email to the "ietf-http-wg@ietf.org" | ||||
mailing list. | ||||
Field names are registered on the advice of a Designated Expert | ||||
(appointed by the IESG or their delegate). Fields with the status | ||||
'permanent' are Specification Required (using terminology from | ||||
[RFC8126]). | ||||
Registration requests consist of at least the following information: | ||||
o Field name: The requested field name. It MUST conform to the | ||||
field-name syntax defined in Section 4.3, and SHOULD be restricted | ||||
to just letters, digits, hyphen ('-') and underscore ('_') | ||||
characters, with the first character being a letter. | ||||
o Status: "permanent" or "provisional" | ||||
o Specification document(s): Reference to the document that | ||||
specifies the field, preferably including a URI that can be used | ||||
to retrieve a copy of the document. An indication of the relevant | ||||
section(s) can also be included, but is not required. | ||||
The Expert(s) can define additional fields to be collected in the | ||||
registry, in consultation with the community. | ||||
Standards-defined names have a status of "permanent". Other names | ||||
can also be registered as permanent, if the Expert(s) find that they | ||||
are in use, in consultation with the community. Other names should | ||||
be registered as "provisional". | ||||
Provisional entries can be removed by the Expert(s) if -- in | ||||
consultation with the community -- the Expert(s) find that they are | ||||
not in use. The Experts can change a provisional entry's status to | ||||
permanent at any time. | ||||
Note that names can be registered by third parties (including the | ||||
Expert(s)), if the Expert(s) determines that an unregistered name is | ||||
widely deployed and not likely to be registered in a timely manner | ||||
otherwise. | ||||
4.4. Field Values | 4.4. Field Values | |||
New header field values typically have their syntax defined using | HTTP field values typically have their syntax defined using ABNF | |||
ABNF ([RFC5234]), using the extension defined in Section 7 of | ([RFC5234]), using the extension defined in Section 4.5 as necessary, | |||
[RFC7230] as necessary, and are usually constrained to the range of | and are usually constrained to the range of US-ASCII characters. | |||
US-ASCII characters. Header fields needing a greater range of | Fields needing a greater range of characters can use an encoding such | |||
characters can use an encoding such as the one defined in [RFC5987]. | as the one defined in [RFC8187]. | |||
field-value = *( field-content / obs-fold ) | field-value = *( field-content / obs-fold ) | |||
field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] | field-content = field-vchar | |||
[ 1*( SP / HTAB / field-vchar ) field-vchar ] | ||||
field-vchar = VCHAR / obs-text | field-vchar = VCHAR / obs-text | |||
Historically, HTTP has allowed field content with text in the | Historically, HTTP allowed field content with text in the ISO-8859-1 | |||
ISO-8859-1 charset [ISO-8859-1], supporting other charsets only | charset [ISO-8859-1], supporting other charsets only through use of | |||
through use of [RFC2047] encoding. In practice, most HTTP header | [RFC2047] encoding. In practice, most HTTP field values use only a | |||
field values use only a subset of the US-ASCII charset [USASCII]. | subset of the US-ASCII charset [USASCII]. Newly defined fields | |||
Newly defined header fields SHOULD limit their field values to | SHOULD limit their values to US-ASCII octets. A recipient SHOULD | |||
US-ASCII octets. A recipient SHOULD treat other octets in field | treat other octets in field content (obs-text) as opaque data. | |||
content (obs-text) as opaque data. | ||||
Leading and trailing whitespace in raw field values is removed upon | Leading and trailing whitespace in raw field values is removed upon | |||
field parsing (Section 3.2.4 of [RFC7230]). Field definitions where | field parsing (Section 5.1 of [Messaging]). Field definitions where | |||
leading or trailing whitespace in values is significant will have to | leading or trailing whitespace in values is significant will have to | |||
use a container syntax such as quoted-string (Section 3.2.6 of | use a container syntax such as quoted-string (Section 4.4.1.2). | |||
[RFC7230]). | ||||
Because commas (",") are used as a generic delimiter between | Because commas (",") are used as a generic delimiter between members | |||
field-values, they need to be treated with care if they are allowed | of a list-based field value, they need to be treated with care if | |||
in the field-value. Typically, components that might contain a comma | they are allowed as data within those members. Typically, list | |||
are protected with double-quotes using the quoted-string ABNF | members that might contain a comma are enclosed in a quoted-string. | |||
production. | ||||
For example, a textual date and a URI (either of which might contain | For example, a textual date and a URI (either of which might contain | |||
a comma) could be safely carried in field-values like these: | a comma) could be safely carried in list-based field values like | |||
these: | ||||
Example-URI-Field: "http://example.com/a.html,foo", | Example-URI-Field: "http://example.com/a.html,foo", | |||
"http://without-a-comma.example.com/" | "http://without-a-comma.example.com/" | |||
Example-Date-Field: "Sat, 04 May 1996", "Wed, 14 Sep 2005" | Example-Date-Field: "Sat, 04 May 1996", "Wed, 14 Sep 2005" | |||
Note that double-quote delimiters almost always are used with the | Note that double-quote delimiters almost always are used with the | |||
quoted-string production; using a different syntax inside | quoted-string production; using a different syntax inside double- | |||
double-quotes will likely cause unnecessary confusion. | quotes will likely cause unnecessary confusion. | |||
Many header fields use a format including (case-insensitively) named | Many fields (such as Content-Type, defined in Section 6.2.1) use a | |||
parameters (for instance, Content-Type, defined in Section 3.1.1.5). | common syntax for parameters that allows both unquoted (token) and | |||
Allowing both unquoted (token) and quoted (quoted-string) syntax for | quoted (quoted-string) syntax for a parameter value | |||
the parameter value enables recipients to use existing parser | (Section 4.4.1.4). Use of common syntax allows recipients to reuse | |||
components. When allowing both forms, the meaning of a parameter | existing parser components. When allowing both forms, the meaning of | |||
value ought to be independent of the syntax used for it (for an | a parameter value ought to be the same whether it was received as a | |||
example, see the notes on parameter handling for media types in | token or a quoted string. | |||
Section 3.1.1.1). | ||||
Historically, HTTP header field values could be extended over | Historically, HTTP field values could be extended over multiple lines | |||
multiple lines by preceding each extra line with at least one space | by preceding each extra line with at least one space or horizontal | |||
or horizontal tab (obs-fold). | tab (obs-fold). [[CREF1: This document assumes that any such obs- | |||
fold has been replaced with one or more SP octets prior to | ||||
interpreting the field value, as described in Section 5.2 of | ||||
[Messaging].]] | ||||
Consequently, this specification does not use ABNF rules | This specification does not use ABNF rules to define each "Field | |||
to define each "Field-Name: Field Value" pair, as was done in | Name: Field Value" pair, as was done in earlier editions. | |||
previous editions. Instead, this specification uses ABNF rules that | Instead, this specification uses ABNF rules that are named | |||
are named according to each registered field name, wherein the rule | according to each registered field name, wherein the rule defines | |||
defines the valid grammar for that field's corresponding field values | the valid grammar for that field's corresponding field values | |||
(i.e., after the field-value has been extracted from the header | (i.e., after the field value has been extracted by a generic field | |||
section by a generic field parser). | parser). | |||
3.2.6. Field Value Components | 4.4.1. Common Field Value Components | |||
Most HTTP header field values are defined using common syntax | Many HTTP field values are defined using common syntax components, | |||
components (token, quoted-string, and comment) separated by | separated by whitespace or specific delimiting characters. | |||
whitespace or specific delimiting characters. Delimiters are chosen | Delimiters are chosen from the set of US-ASCII visual characters not | |||
from the set of US-ASCII visual characters not allowed in a token | allowed in a token (DQUOTE and "(),/:;<=>?@[\]{}"). | |||
(DQUOTE and "(),/:;<=>?@[\]{}"). | ||||
4.4.1.1. Tokens | ||||
Tokens are short textual identifiers that do not include whitespace | ||||
or delimiters. | ||||
token = 1*tchar | token = 1*tchar | |||
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" | tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" | |||
/ "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" | / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" | |||
/ DIGIT / ALPHA | / DIGIT / ALPHA | |||
; any VCHAR, except delimiters | ; any VCHAR, except delimiters | |||
4.4.1.2. Quoted Strings | ||||
A string of text is parsed as a single value if it is quoted using | A string of text is parsed as a single value if it is quoted using | |||
double-quote marks. | double-quote marks. | |||
quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE | quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE | |||
qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text | qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text | |||
obs-text = %x80-FF | obs-text = %x80-FF | |||
The backslash octet ("\") can be used as a single-octet quoting | The backslash octet ("\") can be used as a single-octet quoting | |||
mechanism within quoted-string and comment constructs. Recipients | mechanism within quoted-string and comment constructs. Recipients | |||
that process the value of a quoted-string MUST handle a quoted-pair | that process the value of a quoted-string MUST handle a quoted-pair | |||
as if it were replaced by the octet following the backslash. | as if it were replaced by the octet following the backslash. | |||
quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) | quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) | |||
A sender SHOULD NOT generate a quoted-pair in a quoted-string except | A sender SHOULD NOT generate a quoted-pair in a quoted-string except | |||
where necessary to quote DQUOTE and backslash octets occurring within | where necessary to quote DQUOTE and backslash octets occurring within | |||
that string. A sender SHOULD NOT generate a quoted-pair in a comment | that string. A sender SHOULD NOT generate a quoted-pair in a comment | |||
except where necessary to quote parentheses ["(" and ")"] and | except where necessary to quote parentheses ["(" and ")"] and | |||
backslash octets occurring within that comment. | backslash octets occurring within that comment. | |||
Comments can be included in some HTTP header fields by surrounding | 4.4.1.3. Comments | |||
the comment text with parentheses. Comments are only allowed in | ||||
fields containing "comment" as part of their field value definition. | Comments can be included in some HTTP fields by surrounding the | |||
comment text with parentheses. Comments are only allowed in fields | ||||
containing "comment" as part of their field value definition. | ||||
comment = "(" *( ctext / quoted-pair / comment ) ")" | comment = "(" *( ctext / quoted-pair / comment ) ")" | |||
ctext = HTAB / SP / %x21-27 / %x2A-5B / %x5D-7E / obs-text | ctext = HTAB / SP / %x21-27 / %x2A-5B / %x5D-7E / obs-text | |||
parameter = token "=" ( token / quoted-string ) | 4.4.1.4. Parameters | |||
The parameter name tokens are case-insensitive. | A parameter is a name=value pair that is often defined within field | |||
Parameter values might or might not be case-sensitive, depending on | values as a common syntax for appending auxiliary information to an | |||
the semantics of the parameter name. | item. Each parameter is usually delimited by an immediately | |||
preceding semicolon. | ||||
parameter = parameter-name "=" parameter-value | ||||
parameter-name = token | ||||
parameter-value = ( token / quoted-string ) | ||||
Parameter names are case-insensitive. Parameter values might or | ||||
might not be case-sensitive, depending on the semantics of the | ||||
parameter name. Examples of parameters and some equivalent forms can | ||||
be seen in media types (Section 6.1.1) and the Accept header field | ||||
(Section 8.4.2). | ||||
A parameter value that matches the token production can be | A parameter value that matches the token production can be | |||
transmitted either as a token or within a quoted-string. The quoted | transmitted either as a token or within a quoted-string. The quoted | |||
and unquoted values are equivalent. | and unquoted values are equivalent. | |||
Note: Unlike some similar constructs in other header fields, media | Note: Parameters do not allow whitespace (not even "bad" | |||
type parameters do not allow whitespace (even "bad" whitespace) | whitespace) around the "=" character. | |||
around the "=" character. | ||||
7. ABNF List Extension: #rule | 4.5. ABNF List Extension: #rule | |||
A #rule extension to the ABNF rules of [RFC5234] is used to improve | A #rule extension to the ABNF rules of [RFC5234] is used to improve | |||
readability in the definitions of some header field values. | readability in the definitions of some list-based field values. | |||
A construct "#" is defined, similar to "*", for defining | A construct "#" is defined, similar to "*", for defining comma- | |||
comma-delimited lists of elements. The full form is "<n>#<m>element" | delimited lists of elements. The full form is "<n>#<m>element" | |||
indicating at least <n> and at most <m> elements, each separated by a | indicating at least <n> and at most <m> elements, each separated by a | |||
single comma (",") and optional whitespace (OWS). | single comma (",") and optional whitespace (OWS). | |||
4.5.1. Sender Requirements | ||||
In any production that uses the list construct, a sender MUST NOT | In any production that uses the list construct, a sender MUST NOT | |||
generate empty list elements. In other words, a sender MUST generate | generate empty list elements. In other words, a sender MUST generate | |||
lists that satisfy the following syntax: | lists that satisfy the following syntax: | |||
1#element => element *( OWS "," OWS element ) | 1#element => element *( OWS "," OWS element ) | |||
and: | and: | |||
#element => [ 1#element ] | #element => [ 1#element ] | |||
and for n >= 1 and m > 1: | and for n >= 1 and m > 1: | |||
<n>#<m>element => element <n-1>*<m-1>( OWS "," OWS element ) | <n>#<m>element => element <n-1>*<m-1>( OWS "," OWS element ) | |||
4.5.2. [Recipient Requirements] | 4.5.2. Recipient Requirements | |||
For compatibility with legacy list rules, a recipient MUST parse and | Empty elements do not contribute to the count of elements present. A | |||
ignore a reasonable number of empty list elements: enough to handle | recipient MUST parse and ignore a reasonable number of empty list | |||
common mistakes by senders that merge values, but not so much that | elements: enough to handle common mistakes by senders that merge | |||
they could be used as a denial-of-service mechanism. In other words, | values, but not so much that they could be used as a denial-of- | |||
a recipient MUST accept lists that satisfy the following syntax: | service mechanism. In other words, a recipient MUST accept lists | |||
that satisfy the following syntax: | ||||
#element => [ ( "," / element ) *( OWS "," [ OWS element ] ) ] | #element => [ element ] *( OWS "," OWS [ element ] ) | |||
1#element => *( "," OWS ) element *( OWS "," [ OWS element ] ) | Note that because of the potential presence of empty list elements, | |||
the RFC 5234 ABNF cannot enforce the cardinality of list elements, | ||||
and consequently all cases are mapped is if there was no cardinality | ||||
specified. | ||||
Empty elements do not contribute to the count of elements present. | ||||
For example, given these ABNF productions: | For example, given these ABNF productions: | |||
example-list = 1#example-list-elmt | example-list = 1#example-list-elmt | |||
example-list-elmt = token ; see Section 3.2.6 | example-list-elmt = token ; see Section 4.4.1.1 | |||
Then the following are valid values for example-list (not including | Then the following are valid values for example-list (not including | |||
the double quotes, which are present for delimitation only): | the double quotes, which are present for delimitation only): | |||
"foo,bar" | "foo,bar" | |||
"foo ,bar," | "foo ,bar," | |||
"foo , ,bar,charlie " | "foo , ,bar,charlie" | |||
In contrast, the following values would be invalid, since at least | In contrast, the following values would be invalid, since at least | |||
one non-empty element is required by the example-list production: | one non-empty element is required by the example-list production: | |||
"" | "" | |||
"," | "," | |||
", ," | ", ," | |||
Appendix B shows the collected ABNF for recipients after the list | Appendix A shows the collected ABNF for recipients after the list | |||
constructs have been expanded. | constructs have been expanded. | |||
4.6. [Trailer Fields] | 4.6. Trailer Fields | |||
4.6.1. Purpose | ||||
A trailer allows the sender to include additional fields at the end | In some HTTP versions, additional metadata can be sent after the | |||
of a chunked message in order to supply metadata that might be | initial header section has been completed (during or after | |||
dynamically generated while the message body is sent, such as a | transmission of the payload body), such as a message integrity check, | |||
message integrity check, digital signature, or post-processing | digital signature, or post-processing status. For example, the | |||
status. The trailer fields are identical to header fields, except | chunked coding in HTTP/1.1 allows a trailer section after the payload | |||
they are sent in a chunked trailer instead of the message's header | body (Section 7.1.2 of [Messaging]) which can contain trailer fields: | |||
section. | field names and values that share the same syntax and namespace as | |||
header fields but that are received after the header section. | ||||
Trailer fields ought to be processed and stored separately from the | ||||
fields in the header section to avoid contradicting message semantics | ||||
known at the time the header section was complete. The presence or | ||||
absence of certain header fields might impact choices made for the | ||||
routing or processing of the message as a whole before the trailers | ||||
are received; those choices cannot be unmade by the later discovery | ||||
of trailer fields. | ||||
4.6.2. Limitations | 4.6.2. Limitations | |||
A sender MUST NOT generate a trailer that contains a field necessary | Many fields cannot be processed outside the header section because | |||
for message framing (e.g., Transfer-Encoding and Content-Length), | their evaluation is necessary prior to receiving the message body, | |||
routing (e.g., Host), request modifiers (e.g., controls and | such as those that describe message framing, routing, authentication, | |||
conditionals in Section 5 of [RFC7231]), authentication (e.g., see | request modifiers, response controls, or payload format. A sender | |||
[RFC7235] and [RFC6265]), response control data (e.g., see Section | MUST NOT generate a trailer field unless the sender knows the | |||
7.1 of [RFC7231]), or determining how to process the payload (e.g., | corresponding header field name's definition permits the field to be | |||
Content-Encoding, Content-Type, Content-Range, and Trailer). | sent in trailers. | |||
When a chunked message containing a non-empty trailer is received, | Trailer fields can be difficult to process by intermediaries that | |||
the recipient MAY process the fields (aside from those forbidden | forward messages from one protocol version to another. If the entire | |||
above) as if they were appended to the message's header section. A | message can be buffered in transit, some intermediaries could merge | |||
recipient MUST ignore (or consider as an error) any fields that are | trailer fields into the header section (as appropriate) before it is | |||
forbidden to be sent in a trailer, since processing them as if they | forwarded. However, in most cases, the trailers are simply | |||
were present in the header section might bypass external security | discarded. A recipient MUST NOT merge a trailer field into a header | |||
filters. | section unless the recipient understands the corresponding header | |||
field definition and that definition explicitly permits and defines | ||||
how trailer field values can be safely merged. | ||||
Unless the request includes a TE header field indicating "trailers" | A client can send a TE header field indicating "trailers" is | |||
is acceptable, as described in Section 4.3, a server SHOULD NOT | acceptable, as described in Section 7.4 of [Messaging], to inform the | |||
generate trailer fields that it believes are necessary for the user | server that it will not discard trailer fields. | |||
agent to receive. Without a TE containing "trailers", the server | ||||
ought to assume that the trailer fields might be silently discarded | Because of the potential for trailer fields to be discarded in | |||
along the path to the user agent. This requirement allows | transit, a server SHOULD NOT generate trailer fields that it believes | |||
intermediaries to forward a de-chunked message to an HTTP/1.0 | are necessary for the user agent to receive. | |||
recipient without buffering the entire response. | ||||
4.6.3. Trailer | 4.6.3. Trailer | |||
The "Trailer" header field provides a list of field names that the | ||||
sender anticipates sending as trailer fields within that message. | ||||
This allows a recipient to prepare for receipt of the indicated | ||||
metadata before it starts processing the body. | ||||
Trailer = 1#field-name | Trailer = 1#field-name | |||
When a message includes a message body encoded with the chunked | For example, a sender might indicate that a message integrity check | |||
transfer coding and the sender desires to send metadata in the form | will be computed as the payload is being streamed and provide the | |||
of trailer fields at the end of the message, the sender SHOULD | final signature as a trailer field. This allows a recipient to | |||
generate a Trailer header field before the message body to indicate | perform the same check on the fly as the payload data is received. | |||
which fields will be present in the trailers. This allows the | ||||
recipient to prepare for receipt of that metadata before it starts | A sender that intends to generate one or more trailer fields in a | |||
processing the body, which is useful if the message is being streamed | message SHOULD generate a Trailer header field in the header section | |||
and the recipient wishes to confirm an integrity check on the fly. | of that message to indicate which fields might be present in the | |||
trailers. | ||||
4.7. Considerations for New HTTP Fields | 4.7. Considerations for New HTTP Fields | |||
Authors of specifications defining new header fields are advised to | See Section 4.3 for a general requirements for field names, and | |||
consider documenting: | Section 4.4 for a discussion of field values. | |||
Authors of specifications defining new fields are advised to consider | ||||
documenting: | ||||
o Whether the field is a single value or whether it can be a list | o Whether the field is a single value or whether it can be a list | |||
(delimited by commas; see Section 3.2 of [RFC7230]). | (delimited by commas; see Section 4.4). | |||
If it does not use the list syntax, document how to treat messages | If it is not a list, document how to treat messages where the | |||
where the field occurs multiple times (a sensible default would be | field occurs multiple times (a sensible default would be to ignore | |||
to ignore the field, but this might not always be the right | the field, but this might not always be the right choice). | |||
choice). | ||||
Note that intermediaries and software libraries might combine | Note that intermediaries and software libraries might combine | |||
multiple header field instances into a single one, despite the | multiple field instances into a single one, despite the field's | |||
field's definition not allowing the list syntax. A robust format | definition not allowing the list syntax. A robust format enables | |||
enables recipients to discover these situations (good example: | recipients to discover these situations (good example: "Content- | |||
"Content-Type", as the comma can only appear inside quoted | Type", as the comma can only appear inside quoted strings; bad | |||
strings; bad example: "Location", as a comma can occur inside a | example: "Location", as a comma can occur inside a URI). | |||
URI). | ||||
o Under what conditions the header field can be used; e.g., only in | o Under what conditions the field can be used; e.g., only in | |||
responses or requests, in all messages, only on responses to a | responses or requests, in all messages, only on responses to a | |||
particular request method, etc. | particular request method, etc. | |||
o Whether the field should be stored by origin servers that | o Whether the field should be stored by origin servers that | |||
understand it upon a PUT request. | understand it upon a PUT request. | |||
o Whether the field semantics are further refined by the context, | o Whether the field semantics are further refined by the context, | |||
such as by existing request methods or status codes. | such as by existing request methods or status codes. | |||
o Whether it is appropriate to list the field-name in the Connection | o Whether it is appropriate to list the field name in the Connection | |||
header field (i.e., if the header field is to be hop-by-hop; see | header field (i.e., if the field is to be hop-by-hop; see | |||
Section 6.1 of [RFC7230]). | Section 9.1 of [Messaging]). | |||
o Under what conditions intermediaries are allowed to insert, | o Under what conditions intermediaries are allowed to insert, | |||
delete, or modify the field's value. | delete, or modify the field's value. | |||
o Whether it is appropriate to list the field-name in a Vary | o Whether it is appropriate to list the field name in a Vary | |||
response header field (e.g., when the request header field is used | response header field (e.g., when the request header field is used | |||
by an origin server's content selection algorithm; see | by an origin server's content selection algorithm; see | |||
Section 7.1.4). | Section 10.1.4). | |||
o Whether the header field is useful or allowable in trailers (see | o Whether the field is allowable in trailers (see Section 4.6). | |||
Section 4.1 of [RFC7230]). | ||||
o Whether the header field ought to be preserved across redirects. | o Whether the field ought to be preserved across redirects. | |||
o Whether it introduces any additional security considerations, such | o Whether it introduces any additional security considerations, such | |||
as disclosure of privacy-related data. | as disclosure of privacy-related data. | |||
4.8. Fields Defined In This Document | 4.8. Fields Defined In This Document | |||
The "Message Headers" registry has been updated with the following | The following fields are defined by this document: | |||
permanent registrations: | ||||
+-------------------+----------+----------+-----------------+ | +---------------------------+------------+-------------------+ | |||
| Header Field Name | Protocol | Status | Reference | | | Field Name | Status | Reference | | |||
+-------------------+----------+----------+-----------------+ | +---------------------------+------------+-------------------+ | |||
| Accept | http | standard | Section 5.3.2 | | | Accept | standard | Section 8.4.2 | | |||
| Accept-Charset | http | standard | Section 5.3.3 | | | Accept-Charset | deprecated | Section 8.4.3 | | |||
| Accept-Encoding | http | standard | Section 5.3.4 | | | Accept-Encoding | standard | Section 8.4.4 | | |||
| Accept-Language | http | standard | Section 5.3.5 | | | Accept-Language | standard | Section 8.4.5 | | |||
| Accept-Ranges | http | standard | Section 2.3 | | | Accept-Ranges | standard | Section 10.4.1 | | |||
| Allow | http | standard | Section 7.4.1 | | | Allow | standard | Section 10.4.2 | | |||
| Authorization | http | standard | Section 4.2 | | | Authentication-Info | standard | Section 10.3.3 | | |||
| Content-Encoding | http | standard | Section 3.1.2.2 | | | Authorization | standard | Section 8.5.3 | | |||
| Content-Language | http | standard | Section 3.1.3.2 | | | Content-Encoding | standard | Section 6.2.2 | | |||
| Content-Length | http | standard | Section 3.3.2 | | | Content-Language | standard | Section 6.2.3 | | |||
| Content-Location | http | standard | Section 3.1.4.2 | | | Content-Length | standard | Section 6.2.4 | | |||
| Content-Range | http | standard | Section 4.2 | | | Content-Location | standard | Section 6.2.5 | | |||
| Content-Type | http | standard | Section 3.1.1.5 | | | Content-Range | standard | Section 6.3.4 | | |||
| Date | http | standard | Section 7.1.1.2 | | | Content-Type | standard | Section 6.2.1 | | |||
| ETag | http | standard | Section 2.3 | | | Date | standard | Section 10.1.1.2 | | |||
| Expect | http | standard | Section 5.1.1 | | | ETag | standard | Section 10.2.3 | | |||
| From | http | standard | Section 5.5.1 | | | Expect | standard | Section 8.1.1 | | |||
| Host | http | standard | Section 5.4 | | | From | standard | Section 8.6.1 | | |||
| If-Match | http | standard | Section 3.1 | | | Host | standard | Section 5.6 | | |||
| If-Modified-Since | http | standard | Section 3.3 | | | If-Match | standard | Section 8.2.3 | | |||
| If-None-Match | http | standard | Section 3.2 | | | If-Modified-Since | standard | Section 8.2.5 | | |||
| If-Range | http | standard | Section 3.2 | | | If-None-Match | standard | Section 8.2.4 | | |||
| If-Unmodified-Since | http | standard | Section 3.4 | | | If-Range | standard | Section 8.2.7 | | |||
| Last-Modified | http | standard | Section 2.2 | | | If-Unmodified-Since | standard | Section 8.2.6 | | |||
| Location | http | standard | Section 7.1.2 | | | Last-Modified | standard | Section 10.2.2 | | |||
| Max-Forwards | http | standard | Section 5.1.2 | | | Location | standard | Section 10.1.2 | | |||
| Proxy-Authenticate | http | standard | Section 4.3 | | | Max-Forwards | standard | Section 8.1.2 | | |||
| Proxy-Authorization | http | standard | Section 4.4 | | | Proxy-Authenticate | standard | Section 10.3.2 | | |||
| Range | http | standard | Section 3.1 | | | Proxy-Authentication-Info | standard | Section 10.3.4 | | |||
| Referer | http | standard | Section 5.5.2 | | | Proxy-Authorization | standard | Section 8.5.4 | | |||
| Retry-After | http | standard | Section 7.1.3 | | | Range | standard | Section 8.3 | | |||
| Server | http | standard | Section 7.4.2 | | | Referer | standard | Section 8.6.2 | | |||
| Trailer | http | standard | Section 4.4 | | | Retry-After | standard | Section 10.1.3 | | |||
| User-Agent | http | standard | Section 5.5.3 | | | Server | standard | Section 10.4.3 | | |||
| Vary | http | standard | Section 7.1.4 | | | Trailer | standard | Section 4.6.3 | | |||
| Via | http | standard | Section 5.7.1 | | | User-Agent | standard | Section 8.6.3 | | |||
| WWW-Authenticate | http | standard | Section 4.1 | | | Vary | standard | Section 10.1.4 | | |||
+-------------------+----------+----------+-----------------+ | | Via | standard | Section 5.7.1 | | |||
| WWW-Authenticate | standard | Section 10.3.1 | | ||||
+---------------------------+------------+-------------------+ | ||||
Table 1 | ||||
5. Message Routing | 5. Message Routing | |||
HTTP request message routing is determined by each client based on | HTTP request message routing is determined by each client based on | |||
the target resource, the client's proxy configuration, and | the target resource, the client's proxy configuration, and | |||
establishment or reuse of an inbound connection. The corresponding | establishment or reuse of an inbound connection. The corresponding | |||
response routing follows the same connection chain back to the | response routing follows the same connection chain back to the | |||
client. | client. | |||
5.1. Identifying a Target Resource | 5.1. Identifying a Target Resource | |||
HTTP is used in a wide variety of applications, ranging from | HTTP is used in a wide variety of applications, ranging from general- | |||
general-purpose computers to home appliances. In some cases, | purpose computers to home appliances. In some cases, communication | |||
communication options are hard-coded in a client's configuration. | options are hard-coded in a client's configuration. However, most | |||
However, most HTTP clients rely on the same resource identification | HTTP clients rely on the same resource identification mechanism and | |||
mechanism and configuration techniques as general-purpose Web | configuration techniques as general-purpose Web browsers. | |||
browsers. | ||||
HTTP communication is initiated by a user agent for some purpose. | HTTP communication is initiated by a user agent for some purpose. | |||
The purpose is a combination of request semantics, which are defined | The purpose is a combination of request semantics and a target | |||
in [RFC7231], and a target resource upon which to apply those | resource upon which to apply those semantics. A URI reference | |||
semantics. A URI reference (Section 2.7) is typically used as an | (Section 2.4) is typically used as an identifier for the "target | |||
identifier for the "target resource", which a user agent would | resource", which a user agent would resolve to its absolute form in | |||
resolve to its absolute form in order to obtain the "target URI". | order to obtain the "target URI". The target URI excludes the | |||
The target URI excludes the reference's fragment component, if any, | reference's fragment component, if any, since fragment identifiers | |||
since fragment identifiers are reserved for client-side processing | are reserved for client-side processing ([RFC3986], Section 3.5). | |||
([RFC3986], Section 3.5). | ||||
5.2. Determining Origin | ||||
The "origin" for a given URI is the triple of scheme, host, and port | ||||
after normalizing the scheme and host to lowercase and normalizing | ||||
the port to remove any leading zeros. If port is elided from the | ||||
URI, the default port for that scheme is used. For example, the URI | ||||
https://Example.Com/happy.js | ||||
would have the origin | ||||
{ "https", "example.com", "443" } | ||||
which can also be described as the normalized URI prefix with port | ||||
always present: | ||||
https://example.com:443 | ||||
Each origin defines its own namespace and controls how identifiers | ||||
within that namespace are mapped to resources. In turn, how the | ||||
origin responds to valid requests, consistently over time, determines | ||||
the semantics that users will associate with a URI, and the | ||||
usefulness of those semantics is what ultimately transforms these | ||||
mechanisms into a "resource" for users to reference and access in the | ||||
future. | ||||
Two origins are distinct if they differ in scheme, host, or port. | ||||
Even when it can be verified that the same entity controls two | ||||
distinct origins, the two namespaces under those origins are distinct | ||||
unless explicitly aliased by a server authoritative for that origin. | ||||
Origin is also used within HTML and related Web protocols, beyond the | ||||
scope of this document, as described in [RFC6454]. | ||||
5.3. Routing Inbound | 5.3. Routing Inbound | |||
Once the target URI is determined, a client needs to decide whether a | Once the target URI and its origin are determined, a client decides | |||
network request is necessary to accomplish the desired semantics and, | whether a network request is necessary to accomplish the desired | |||
if so, where that request is to be directed. | semantics and, if so, where that request is to be directed. | |||
If the client has a cache [RFC7234] and the request can be satisfied | If the client has a cache [Caching] and the request can be satisfied | |||
by it, then the request is usually directed there first. | by it, then the request is usually directed there first. | |||
If the request is not satisfied by a cache, then a typical client | If the request is not satisfied by a cache, then a typical client | |||
will check its configuration to determine whether a proxy is to be | will check its configuration to determine whether a proxy is to be | |||
used to satisfy the request. Proxy configuration is implementation- | used to satisfy the request. Proxy configuration is implementation- | |||
dependent, but is often based on URI prefix matching, selective | dependent, but is often based on URI prefix matching, selective | |||
authority matching, or both, and the proxy itself is usually | authority matching, or both, and the proxy itself is usually | |||
identified by an "http" or "https" URI. If a proxy is applicable, | identified by an "http" or "https" URI. If a proxy is applicable, | |||
the client connects inbound by establishing (or reusing) a connection | the client connects inbound by establishing (or reusing) a connection | |||
to that proxy. | to that proxy. | |||
If no proxy is applicable, a typical client will invoke a handler | If no proxy is applicable, a typical client will invoke a handler | |||
routine, usually specific to the target URI's scheme, to connect | routine, usually specific to the target URI's scheme, to connect | |||
directly to an authority for the target resource. How that is | directly to an origin for the target resource. How that is | |||
accomplished is dependent on the target URI scheme and defined by its | accomplished is dependent on the target URI scheme and defined by its | |||
associated specification, similar to how this specification defines | associated specification, similar to how this specification defines | |||
origin server access for resolution of the "http" (Section 2.7.1) and | origin server access for resolution of the "http" (Section 2.5.1) and | |||
"https" (Section 2.7.2) schemes. | "https" (Section 2.5.2) schemes. | |||
HTTP requirements regarding connection management are defined in | HTTP requirements regarding connection management are defined in | |||
Section 6. | Section 9 of [Messaging]. | |||
X.X. [Direct Authoritative Access] | 5.4. Direct Authoritative Access | |||
5.4.1. http origins | 5.4.1. http origins | |||
Although HTTP is independent of the transport protocol, the "http" | Although HTTP is independent of the transport protocol, the "http" | |||
scheme is specific to TCP-based services because the name delegation | scheme is specific to associating authority with whomever controls | |||
process depends on TCP for establishing authority. An HTTP service | the origin server listening for TCP connections on the indicated port | |||
based on some other underlying connection protocol would presumably | of whatever host is identified within the authority component. This | |||
be identified using a different URI scheme, just as the "https" | is a very weak sense of authority because it depends on both client- | |||
scheme (below) is used for resources that require an end-to-end | specific name resolution mechanisms and communication that might not | |||
secured connection. Other protocols might also be used to provide | be secured from man-in-the-middle attacks. Nevertheless, it is a | |||
access to "http" identified resources -- it is only the authoritative | sufficient minimum for binding "http" identifiers to an origin server | |||
interface that is specific to TCP. | for consistent resolution within a trusted environment. | |||
If the host identifier is provided as an IP address, the origin | If the host identifier is provided as an IP address, the origin | |||
server is the listener (if any) on the indicated TCP port at that IP | server is the listener (if any) on the indicated TCP port at that IP | |||
address. If host is a registered name, the registered name is an | address. If host is a registered name, the registered name is an | |||
indirect identifier for use with a name resolution service, such as | indirect identifier for use with a name resolution service, such as | |||
DNS, to find an address for that origin server. | DNS, to find an address for an appropriate origin server. | |||
When an "http" URI is used within a context that calls for access to | When an "http" URI is used within a context that calls for access to | |||
the indicated resource, a client MAY attempt access by resolving the | the indicated resource, a client MAY attempt access by resolving the | |||
host to an IP address, establishing a TCP connection to that address | host identifier to an IP address, establishing a TCP connection to | |||
on the indicated port, and sending an HTTP request message | that address on the indicated port, and sending an HTTP request | |||
(Section 3) containing the URI's identifying data (Section 5) to the | message to the server containing the URI's identifying data | |||
server. If the server responds to that request with a non-interim | (Section 2 of [Messaging]). | |||
HTTP response message, as described in Section 6 of [RFC7231], then | ||||
that response is considered an authoritative answer to the client's | ||||
request. | ||||
See Section 9.1 for security considerations related to establishing | If the server responds to such a request with a non-interim HTTP | |||
response message, as described in Section 9, then that response is | ||||
considered an authoritative answer to the client's request. | ||||
Note, however, that the above is not the only means for obtaining an | ||||
authoritative response, nor does it imply that an authoritative | ||||
response is always necessary (see [Caching]). For example, the Alt- | ||||
Svc header field [RFC7838] allows an origin server to identify other | ||||
services that are also authoritative for that origin. Access to | ||||
"http" identified resources might also be provided by protocols | ||||
outside the scope of this document. | ||||
See Section 11.1 for security considerations related to establishing | ||||
authority. | authority. | |||
5.4.2. https origins | 5.4.2. https origins | |||
[new section] | The "https" scheme associates authority based on the ability of a | |||
server to use a private key associated with a certificate that the | ||||
client considers to be trustworthy for the identified host. If a | ||||
server presents a certificate that verifiably applies to the host, | ||||
along with proof that it controls the corresponding private key, then | ||||
a client will accept a secured connection to that server as being | ||||
authoritative for all origins with the same scheme and host. | ||||
A client is therefore relying upon a chain of trust, conveyed from | ||||
some trust anchor (which is usually prearranged or configured), | ||||
through a chain of certificates (e.g., [RFC5280]) to a final | ||||
certificate that binds a private key to the host name of the origin. | ||||
The handshake and certificate validation in Section 5.4.3 describe | ||||
how that final certificate can be used to initiate a secured | ||||
connection. | ||||
Note that the "https" scheme does not rely on TCP and the connected | ||||
port number for associating authority, since both are outside the | ||||
secured communication and thus cannot be trusted as definitive. | ||||
Hence, the HTTP communication might take place over any channel that | ||||
has been secured, as defined in Section 2.5.2, including protocols | ||||
that don't use TCP. It is the origin's responsibility to ensure that | ||||
any services provided with control over its certificate's private key | ||||
are equally responsible for managing the corresponding "https" | ||||
namespaces, or at least prepared to reject requests that appear to | ||||
have been misdirected. Regardless, the origin's host and port value | ||||
are passed within each HTTP request, identifying the target resource | ||||
and distinguishing it from other namespaces that might be controlled | ||||
by the same server. | ||||
In HTTP/1.1 and earlier, the only URIs for which a client will | ||||
attribute authority to a server are those for which a TLS connection | ||||
was specifically established toward the origin's host. Only the | ||||
characteristics of the connection establishment and certificate are | ||||
used. For a host that is a domain name, the client MUST include that | ||||
name in the TLS server_name extension (if used) and MUST verify that | ||||
the name also appears as either the CN field of the certificate | ||||
subject or as a dNSName in the subjectAltName field of the | ||||
certificate (see [RFC6125]). For a host that is an IP address, the | ||||
client MUST verify that the address appears in the subjectAltName of | ||||
the certificate. | ||||
In HTTP/2, a client will associate authority to all names that are | ||||
present in the certificate. However, a client will only do that if | ||||
it concludes that it could open a connection to the origin for that | ||||
URI. In practice, a client will make a DNS query and see that it | ||||
contains the same server IP address. A server sending the ORIGIN | ||||
frame removes this restriction [RFC8336]. | ||||
In addition to the client's verification, an origin server is | ||||
responsible for verifying that requests it receives over a connection | ||||
correspond to resources for which it actually wants to be the origin. | ||||
If a network attacker causes connections for port N to be received at | ||||
port Q, checking the effective request URI is necessary to ensure | ||||
that the attacker can't cause "https://example.com:N/foo" to be | ||||
replaced by "https://example.com:Q/foo" without consent. Likewise, a | ||||
server might be unwilling to serve as the origin for some hosts even | ||||
when they have the authority to do so. | ||||
When an "https" URI is used within a context that calls for access to | ||||
the indicated resource, a client MAY attempt access by resolving the | ||||
host identifier to an IP address, establishing a TCP connection to | ||||
that address on the indicated port, securing the connection end-to- | ||||
end by successfully initiating TLS over TCP with confidentiality and | ||||
integrity protection, and sending an HTTP request message to the | ||||
server over that secured connection containing the URI's identifying | ||||
data (Section 2 of [Messaging]). | ||||
If the server responds to such a request with a non-interim HTTP | ||||
response message, as described in Section 9, then that response is | ||||
considered an authoritative answer to the client's request. | ||||
Note, however, that the above is not the only means for obtaining an | ||||
authoritative response, nor does it imply that an authoritative | ||||
response is always necessary (see [Caching]). | ||||
5.4.3. Initiating HTTP Over TLS | 5.4.3. Initiating HTTP Over TLS | |||
Conceptually, HTTP/TLS is very simple. Simply use HTTP over TLS | Conceptually, HTTP/TLS is very simple. Simply use HTTP over TLS | |||
precisely as you would use HTTP over TCP. | precisely as you would use HTTP over TCP. | |||
2.1. Connection Initiation | ||||
The agent acting as the HTTP client should also act as the TLS | The agent acting as the HTTP client should also act as the TLS | |||
client. It should initiate a connection to the server on the | client. It should initiate a connection to the server on the | |||
appropriate port and then send the TLS ClientHello to begin the TLS | appropriate port and then send the TLS ClientHello to begin the TLS | |||
handshake. When the TLS handshake has finished. The client may then | handshake. When the TLS handshake has finished. The client may then | |||
initiate the first HTTP request. All HTTP data MUST be sent as TLS | initiate the first HTTP request. All HTTP data MUST be sent as TLS | |||
"application data". Normal HTTP behavior, including retained | "application data". Normal HTTP behavior, including retained | |||
connections should be followed. | connections should be followed. | |||
3.1. Server Identity | 5.4.3.1. Identifying HTTPS Servers | |||
In general, HTTP/TLS requests are generated by dereferencing a URI. | In general, HTTP/TLS requests are generated by dereferencing a URI. | |||
As a consequence, the hostname for the server is known to the client. | As a consequence, the hostname for the server is known to the client. | |||
If the hostname is available, the client MUST check it against the | If the hostname is available, the client MUST check it against the | |||
server's identity as presented in the server's Certificate message, | server's identity as presented in the server's Certificate message, | |||
in order to prevent man-in-the-middle attacks. | in order to prevent man-in-the-middle attacks. | |||
If the client has external information as to the expected identity of | If the client has external information as to the expected identity of | |||
the server, the hostname check MAY be omitted. (For instance, a | the server, the hostname check MAY be omitted. (For instance, a | |||
client may be connecting to a machine whose address and hostname are | client may be connecting to a machine whose address and hostname are | |||
dynamic but the client knows the certificate that the server will | dynamic but the client knows the certificate that the server will | |||
present.) In such cases, it is important to narrow the scope of | present.) In such cases, it is important to narrow the scope of | |||
acceptable certificates as much as possible in order to prevent man | acceptable certificates as much as possible in order to prevent man | |||
in the middle attacks. In special cases, it may be appropriate for | in the middle attacks. In special cases, it may be appropriate for | |||
the client to simply ignore the server's identity, but it must be | the client to simply ignore the server's identity, but it must be | |||
understood that this leaves the connection open to active attack. | understood that this leaves the connection open to active attack. | |||
If a subjectAltName extension of type dNSName is present, that MUST | If a subjectAltName extension of type dNSName is present, that MUST | |||
be used as the identity. Otherwise, the (most specific) Common Name | be used as the identity. Otherwise, the (most specific) Common Name | |||
field in the Subject field of the certificate MUST be used. Although | field in the Subject field of the certificate MUST be used. Although | |||
the use of the Common Name is existing practice, it is deprecated and | the use of the Common Name is existing practice, it is deprecated and | |||
Certification Authorities are encouraged to use the dNSName instead. | Certification Authorities are encouraged to use the dNSName instead. | |||
Matching is performed using the matching rules specified by | Matching is performed using the matching rules specified by | |||
[RFC2459]. If more than one identity of a given type is present in | [RFC5280]. If more than one identity of a given type is present in | |||
the certificate (e.g., more than one dNSName name, a match in any one | the certificate (e.g., more than one dNSName name, a match in any one | |||
of the set is considered acceptable.) Names may contain the wildcard | of the set is considered acceptable.) Names may contain the wildcard | |||
character * which is considered to match any single domain name | character * which is considered to match any single domain name | |||
component or component fragment. E.g., *.a.com matches foo.a.com but | component or component fragment. E.g., *.a.com matches foo.a.com but | |||
not bar.foo.a.com. f*.com matches foo.com but not bar.com. | not bar.foo.a.com. f*.com matches foo.com but not bar.com. | |||
In some cases, the URI is specified as an IP address rather than a | In some cases, the URI is specified as an IP address rather than a | |||
hostname. In this case, the iPAddress subjectAltName must be present | hostname. In this case, the iPAddress subjectAltName must be present | |||
in the certificate and must exactly match the IP in the URI. | in the certificate and must exactly match the IP in the URI. | |||
If the hostname does not match the identity in the certificate, user | If the hostname does not match the identity in the certificate, user | |||
oriented clients MUST either notify the user (clients MAY give the | oriented clients MUST either notify the user (clients MAY give the | |||
user the opportunity to continue with the connection in any case) or | user the opportunity to continue with the connection in any case) or | |||
terminate the connection with a bad certificate error. Automated | terminate the connection with a bad certificate error. Automated | |||
clients MUST log the error to an appropriate audit log (if available) | clients MUST log the error to an appropriate audit log (if available) | |||
and SHOULD terminate the connection (with a bad certificate error). | and SHOULD terminate the connection (with a bad certificate error). | |||
Automated clients MAY provide a configuration setting that disables | Automated clients MAY provide a configuration setting that disables | |||
this check, but MUST provide a setting which enables it. | this check, but MUST provide a setting which enables it. | |||
Note that in many cases the URI itself comes from an untrusted | Note that in many cases the URI itself comes from an untrusted | |||
source. The above-described check provides no protection against | source. The above-described check provides no protection against | |||
attacks where this source is compromised. For example, if the URI was | attacks where this source is compromised. For example, if the URI | |||
obtained by clicking on an HTML page which was itself obtained | was obtained by clicking on an HTML page which was itself obtained | |||
without using HTTP/TLS, a man in the middle could have replaced the | without using HTTP/TLS, a man in the middle could have replaced the | |||
URI. In order to prevent this form of attack, users should carefully | URI. In order to prevent this form of attack, users should carefully | |||
examine the certificate presented by the server to determine if it | examine the certificate presented by the server to determine if it | |||
meets their expectations. | meets their expectations. | |||
3.2. Client Identity | 5.4.3.2. Identifying HTTPS Clients | |||
Typically, the server has no external knowledge of what the client's | Typically, the server has no external knowledge of what the client's | |||
identity ought to be and so checks (other than that the client has a | identity ought to be and so checks (other than that the client has a | |||
certificate chain rooted in an appropriate CA) are not possible. If a | certificate chain rooted in an appropriate CA) are not possible. If | |||
server has such knowledge (typically from some source external to | a server has such knowledge (typically from some source external to | |||
HTTP or TLS) it SHOULD check the identity as described above. | HTTP or TLS) it SHOULD check the identity as described above. | |||
5.5. Effective Request URI | 5.5. Effective Request URI | |||
Once an inbound connection is obtained, the client sends an HTTP | Once an inbound connection is obtained, the client sends an HTTP | |||
request message (Section 3) with a request-target derived from the | request message (Section 2 of [Messaging]). | |||
target URI. | ||||
Since the request-target often contains only part of the user agent's | Depending on the nature of the request, the client's target URI might | |||
target URI, a server reconstructs the intended target as an | be split into components and transmitted (or implied) within various | |||
"effective request URI" to properly service the request. This | parts of a request message. These parts are recombined by each | |||
reconstruction involves both the server's local configuration and | recipient, in accordance with their local configuration and incoming | |||
information communicated in the request-target, Host header field, | connection context, to form an "effective request URI" for | |||
and connection context. | identifying the intended target resource with respect to that server. | |||
Section 3.3 of [Messaging] defines how a server determines the | ||||
effective request URI for an HTTP/1.1 request. | ||||
For a user agent, the effective request URI is the target URI. | For a user agent, the effective request URI is the target URI. | |||
Once the effective request URI has been constructed, an origin server | Once the effective request URI has been constructed, an origin server | |||
needs to decide whether or not to provide service for that URI via | needs to decide whether or not to provide service for that URI via | |||
the connection in which the request was received. For example, the | the connection in which the request was received. For example, the | |||
request might have been misdirected, deliberately or accidentally, | request might have been misdirected, deliberately or accidentally, | |||
such that the information within a received request-target or Host | such that the information within a received request-target or Host | |||
header field differs from the host or port upon which the connection | header field differs from the host or port upon which the connection | |||
has been made. If the connection is from a trusted gateway, that | has been made. If the connection is from a trusted gateway, that | |||
inconsistency might be expected; otherwise, it might indicate an | inconsistency might be expected; otherwise, it might indicate an | |||
attempt to bypass security filters, trick the server into delivering | attempt to bypass security filters, trick the server into delivering | |||
non-public content, or poison a cache. See Section 9 for security | non-public content, or poison a cache. See Section 11 for security | |||
considerations regarding message routing. | considerations regarding message routing. | |||
5.4. Host | 5.6. Host | |||
The "Host" header field in a request provides the host and port | The "Host" header field in a request provides the host and port | |||
information from the target URI, enabling the origin server to | information from the target URI, enabling the origin server to | |||
distinguish among resources while servicing requests for multiple | distinguish among resources while servicing requests for multiple | |||
host names on a single IP address. | host names on a single IP address. | |||
Host = uri-host [ ":" port ] ; Section 2.7.1 | Host = uri-host [ ":" port ] ; Section 2.4 | |||
A client MUST send a Host header field in all HTTP/1.1 request | A client MUST send a Host header field in all HTTP/1.1 request | |||
messages. If the target URI includes an authority component, then a | messages. If the target URI includes an authority component, then a | |||
client MUST send a field-value for Host that is identical to that | client MUST send a field value for Host that is identical to that | |||
authority component, excluding any userinfo subcomponent and its "@" | authority component, excluding any userinfo subcomponent and its "@" | |||
delimiter (Section 2.7.1). If the authority component is missing or | delimiter (Section 2.5.1). If the authority component is missing or | |||
undefined for the target URI, then a client MUST send a Host header | undefined for the target URI, then a client MUST send a Host header | |||
field with an empty field-value. | field with an empty field value. | |||
Since the Host field-value is critical information for handling a | Since the Host field value is critical information for handling a | |||
request, a user agent SHOULD generate Host as the first header field | request, a user agent SHOULD generate Host as the first header field | |||
following the request-line. | following the request-line. | |||
For example, a GET request to the origin server for | For example, a GET request to the origin server for | |||
<http://www.example.org/pub/WWW/> would begin with: | <http://www.example.org/pub/WWW/> would begin with: | |||
GET /pub/WWW/ HTTP/1.1 | GET /pub/WWW/ HTTP/1.1 | |||
Host: www.example.org | Host: www.example.org | |||
A client MUST send a Host header field in an HTTP/1.1 request even if | A client MUST send a Host header field in an HTTP/1.1 request even if | |||
the request-target is in the absolute-form, since this allows the | the request-target is in the absolute-form, since this allows the | |||
Host information to be forwarded through ancient HTTP/1.0 proxies | Host information to be forwarded through ancient HTTP/1.0 proxies | |||
that might not have implemented Host. | that might not have implemented Host. | |||
When a proxy receives a request with an absolute-form of | When a proxy receives a request with an absolute-form of request- | |||
request-target, the proxy MUST ignore the received Host header field | target, the proxy MUST ignore the received Host header field (if any) | |||
(if any) and instead replace it with the host information of the | and instead replace it with the host information of the request- | |||
request-target. A proxy that forwards such a request MUST generate a | target. A proxy that forwards such a request MUST generate a new | |||
new Host field-value based on the received request-target rather than | Host field value based on the received request-target rather than | |||
forward the received Host field-value. | forward the received Host field value. | |||
When an origin server receives a request with an absolute-form of | ||||
request-target, the origin server MUST ignore the received Host | ||||
header field (if any) and instead use the host information of the | ||||
request-target. Note that if the request-target does not have an | ||||
authority component, an empty Host header field will be sent in this | ||||
case. | ||||
Since the Host header field acts as an application-level routing | Since the Host header field acts as an application-level routing | |||
mechanism, it is a frequent target for malware seeking to poison a | mechanism, it is a frequent target for malware seeking to poison a | |||
shared cache or redirect a request to an unintended server. An | shared cache or redirect a request to an unintended server. An | |||
interception proxy is particularly vulnerable if it relies on the | interception proxy is particularly vulnerable if it relies on the | |||
Host field-value for redirecting requests to internal servers, or for | Host field value for redirecting requests to internal servers, or for | |||
use as a cache key in a shared cache, without first verifying that | use as a cache key in a shared cache, without first verifying that | |||
the intercepted connection is targeting a valid IP address for that | the intercepted connection is targeting a valid IP address for that | |||
host. | host. | |||
A server MUST respond with a 400 (Bad Request) status code to any | A server MUST respond with a 400 (Bad Request) status code to any | |||
HTTP/1.1 request message that lacks a Host header field and to any | HTTP/1.1 request message that lacks a Host header field and to any | |||
request message that contains more than one Host header field or a | request message that contains more than one Host header field or a | |||
Host header field with an invalid field-value. | Host header field with an invalid field value. | |||
5.7. Message Forwarding | 5.7. Message Forwarding | |||
As described in Section 2.3, intermediaries can serve a variety of | As described in Section 2.2, intermediaries can serve a variety of | |||
roles in the processing of HTTP requests and responses. Some | roles in the processing of HTTP requests and responses. Some | |||
intermediaries are used to improve performance or availability. | intermediaries are used to improve performance or availability. | |||
Others are used for access control or to filter content. Since an | Others are used for access control or to filter content. Since an | |||
HTTP stream has characteristics similar to a pipe-and-filter | HTTP stream has characteristics similar to a pipe-and-filter | |||
architecture, there are no inherent limits to the extent an | architecture, there are no inherent limits to the extent an | |||
intermediary can enhance (or interfere) with either direction of the | intermediary can enhance (or interfere) with either direction of the | |||
stream. | stream. | |||
An intermediary not acting as a tunnel MUST implement the Connection | An intermediary not acting as a tunnel MUST implement the Connection | |||
header field, as specified in Section 6.1, and exclude fields from | header field, as specified in Section 9.1 of [Messaging], and exclude | |||
being forwarded that are only intended for the incoming connection. | fields from being forwarded that are only intended for the incoming | |||
connection. | ||||
An intermediary MUST NOT forward a message to itself unless it is | An intermediary MUST NOT forward a message to itself unless it is | |||
protected from an infinite request loop. In general, an intermediary | protected from an infinite request loop. In general, an intermediary | |||
ought to recognize its own server names, including any aliases, local | ought to recognize its own server names, including any aliases, local | |||
variations, or literal IP addresses, and respond to such requests | variations, or literal IP addresses, and respond to such requests | |||
directly. | directly. | |||
An HTTP message can be parsed as a stream for incremental processing | An HTTP message can be parsed as a stream for incremental processing | |||
or forwarding downstream. However, recipients cannot rely on | or forwarding downstream. However, recipients cannot rely on | |||
incremental delivery of partial messages, since some implementations | incremental delivery of partial messages, since some implementations | |||
skipping to change at line 1671 ¶ | skipping to change at page 45, line 37 ¶ | |||
protocols and recipients between the user agent and the server (on | protocols and recipients between the user agent and the server (on | |||
requests) or between the origin server and the client (on responses), | requests) or between the origin server and the client (on responses), | |||
similar to the "Received" header field in email (Section 3.6.7 of | similar to the "Received" header field in email (Section 3.6.7 of | |||
[RFC5322]). Via can be used for tracking message forwards, avoiding | [RFC5322]). Via can be used for tracking message forwards, avoiding | |||
request loops, and identifying the protocol capabilities of senders | request loops, and identifying the protocol capabilities of senders | |||
along the request/response chain. | along the request/response chain. | |||
Via = 1#( received-protocol RWS received-by [ RWS comment ] ) | Via = 1#( received-protocol RWS received-by [ RWS comment ] ) | |||
received-protocol = [ protocol-name "/" ] protocol-version | received-protocol = [ protocol-name "/" ] protocol-version | |||
; see Section 6.7 | ; see [Messaging], Section 9.9 | |||
received-by = ( uri-host [ ":" port ] ) / pseudonym | received-by = pseudonym [ ":" port ] | |||
pseudonym = token | pseudonym = token | |||
Multiple Via field values represent each proxy or gateway that has | Each member of the Via field value represents a proxy or gateway that | |||
forwarded the message. Each intermediary appends its own information | has forwarded the message. Each intermediary appends its own | |||
about how the message was received, such that the end result is | information about how the message was received, such that the end | |||
ordered according to the sequence of forwarding recipients. | result is ordered according to the sequence of forwarding recipients. | |||
A proxy MUST send an appropriate Via header field, as described | A proxy MUST send an appropriate Via header field, as described | |||
below, in each message that it forwards. An HTTP-to-HTTP gateway | below, in each message that it forwards. An HTTP-to-HTTP gateway | |||
MUST send an appropriate Via header field in each inbound request | MUST send an appropriate Via header field in each inbound request | |||
message and MAY send a Via header field in forwarded response | message and MAY send a Via header field in forwarded response | |||
messages. | messages. | |||
For each intermediary, the received-protocol indicates the protocol | For each intermediary, the received-protocol indicates the protocol | |||
and protocol version used by the upstream sender of the message. | and protocol version used by the upstream sender of the message. | |||
Hence, the Via field value records the advertised protocol | Hence, the Via field value records the advertised protocol | |||
capabilities of the request/response chain such that they remain | capabilities of the request/response chain such that they remain | |||
visible to downstream recipients; this can be useful for determining | visible to downstream recipients; this can be useful for determining | |||
what backwards-incompatible features might be safe to use in | what backwards-incompatible features might be safe to use in | |||
response, or within a later request, as described in Section 2.6. | response, or within a later request, as described in Section 3.5. | |||
For brevity, the protocol-name is omitted when the received protocol | For brevity, the protocol-name is omitted when the received protocol | |||
is HTTP. | is HTTP. | |||
The received-by portion of the field value is normally the host and | The received-by portion is normally the host and optional port number | |||
optional port number of a recipient server or client that | of a recipient server or client that subsequently forwarded the | |||
subsequently forwarded the message. However, if the real host is | message. However, if the real host is considered to be sensitive | |||
considered to be sensitive information, a sender MAY replace it with | information, a sender MAY replace it with a pseudonym. If a port is | |||
a pseudonym. If a port is not provided, a recipient MAY interpret | not provided, a recipient MAY interpret that as meaning it was | |||
that as meaning it was received on the default TCP port, if any, for | received on the default TCP port, if any, for the received-protocol. | |||
the received-protocol. | ||||
A sender MAY generate comments in the Via header field to identify | A sender MAY generate comments to identify the software of each | |||
the software of each recipient, analogous to the User-Agent and | recipient, analogous to the User-Agent and Server header fields. | |||
Server header fields. However, all comments in the Via field are | However, comments in Via are optional, and a recipient MAY remove | |||
optional, and a recipient MAY remove them prior to forwarding the | them prior to forwarding the message. | |||
message. | ||||
For example, a request message could be sent from an HTTP/1.0 user | For example, a request message could be sent from an HTTP/1.0 user | |||
agent to an internal proxy code-named "fred", which uses HTTP/1.1 to | agent to an internal proxy code-named "fred", which uses HTTP/1.1 to | |||
forward the request to a public proxy at p.example.net, which | forward the request to a public proxy at p.example.net, which | |||
completes the request by forwarding it to the origin server at | completes the request by forwarding it to the origin server at | |||
www.example.com. The request received by www.example.com would then | www.example.com. The request received by www.example.com would then | |||
have the following Via header field: | have the following Via header field: | |||
Via: 1.0 fred, 1.1 p.example.net | Via: 1.0 fred, 1.1 p.example.net | |||
An intermediary used as a portal through a network firewall SHOULD | An intermediary used as a portal through a network firewall SHOULD | |||
NOT forward the names and ports of hosts within the firewall region | NOT forward the names and ports of hosts within the firewall region | |||
unless it is explicitly enabled to do so. If not enabled, such an | unless it is explicitly enabled to do so. If not enabled, such an | |||
intermediary SHOULD replace each received-by host of any host behind | intermediary SHOULD replace each received-by host of any host behind | |||
the firewall by an appropriate pseudonym for that host. | the firewall by an appropriate pseudonym for that host. | |||
An intermediary MAY combine an ordered subsequence of Via header | An intermediary MAY combine an ordered subsequence of Via header | |||
field entries into a single such entry if the entries have identical | field list members into a single member if the entries have identical | |||
received-protocol values. For example, | received-protocol values. For example, | |||
Via: 1.0 ricky, 1.1 ethel, 1.1 fred, 1.0 lucy | Via: 1.0 ricky, 1.1 ethel, 1.1 fred, 1.0 lucy | |||
could be collapsed to | could be collapsed to | |||
Via: 1.0 ricky, 1.1 mertz, 1.0 lucy | Via: 1.0 ricky, 1.1 mertz, 1.0 lucy | |||
A sender SHOULD NOT combine multiple entries unless they are all | A sender SHOULD NOT combine multiple list members unless they are all | |||
under the same organizational control and the hosts have already been | under the same organizational control and the hosts have already been | |||
replaced by pseudonyms. A sender MUST NOT combine entries that have | replaced by pseudonyms. A sender MUST NOT combine members that have | |||
different received-protocol values. | different received-protocol values. | |||
5.7.2. Transformations | 5.7.2. Transformations | |||
Some intermediaries include features for transforming messages and | Some intermediaries include features for transforming messages and | |||
their payloads. A proxy might, for example, convert between image | their payloads. A proxy might, for example, convert between image | |||
formats in order to save cache space or to reduce the amount of | formats in order to save cache space or to reduce the amount of | |||
traffic on a slow link. However, operational problems might occur | traffic on a slow link. However, operational problems might occur | |||
when these transformations are applied to payloads intended for | when these transformations are applied to payloads intended for | |||
critical applications, such as medical imaging or scientific data | critical applications, such as medical imaging or scientific data | |||
skipping to change at line 1776 ¶ | skipping to change at page 47, line 46 ¶ | |||
name it received when forwarding the request. A proxy MUST NOT | name it received when forwarding the request. A proxy MUST NOT | |||
change the host name if the request-target contains a fully qualified | change the host name if the request-target contains a fully qualified | |||
domain name. | domain name. | |||
A proxy MUST NOT modify the "absolute-path" and "query" parts of the | A proxy MUST NOT modify the "absolute-path" and "query" parts of the | |||
received request-target when forwarding it to the next inbound | received request-target when forwarding it to the next inbound | |||
server, except as noted above to replace an empty path with "/" or | server, except as noted above to replace an empty path with "/" or | |||
"*". | "*". | |||
A proxy MAY modify the message body through application or removal of | A proxy MAY modify the message body through application or removal of | |||
a transfer coding (Section 4). | a transfer coding (Section 7 of [Messaging]). | |||
A proxy MUST NOT transform the payload (Section 3.3 of [RFC7231]) of | A proxy MUST NOT transform the payload (Section 6.3) of a message | |||
a message that contains a no-transform cache-control directive | that contains a no-transform cache-control response directive | |||
(Section 5.2 of [RFC7234]). | (Section 5.2 of [Caching]). | |||
A proxy MAY transform the payload of a message that does not contain | A proxy MAY transform the payload of a message that does not contain | |||
a no-transform cache-control directive. A proxy that transforms a | a no-transform cache-control directive. A proxy that transforms the | |||
payload MUST add a Warning header field with the warn-code of 214 | payload of a 200 (OK) response can inform downstream recipients that | |||
("Transformation Applied") if one is not already in the message (see | a transformation has been applied by changing the response status | |||
Section 5.5 of [RFC7234]). A proxy that transforms the payload of a | code to 203 (Non-Authoritative Information) (Section 9.3.4). | |||
200 (OK) response can further inform downstream recipients that a | ||||
transformation has been applied by changing the response status code | ||||
to 203 (Non-Authoritative Information) (Section 6.3.4 of [RFC7231]). | ||||
A proxy SHOULD NOT modify header fields that provide information | A proxy SHOULD NOT modify header fields that provide information | |||
about the endpoints of the communication chain, the resource state, | about the endpoints of the communication chain, the resource state, | |||
or the selected representation (other than the payload) unless the | or the selected representation (other than the payload) unless the | |||
field's definition specifically allows such modification or the | field's definition specifically allows such modification or the | |||
modification is deemed necessary for privacy or security. | modification is deemed necessary for privacy or security. | |||
3. Representations | 6. Representations | |||
Considering that a resource could be anything, and that the uniform | Considering that a resource could be anything, and that the uniform | |||
interface provided by HTTP is similar to a window through which one | interface provided by HTTP is similar to a window through which one | |||
can observe and act upon such a thing only through the communication | can observe and act upon such a thing only through the communication | |||
of messages to some independent actor on the other side, an | of messages to some independent actor on the other side, an | |||
abstraction is needed to represent ("take the place of") the current | abstraction is needed to represent ("take the place of") the current | |||
or desired state of that thing in our communications. That | or desired state of that thing in our communications. That | |||
abstraction is called a representation [REST]. | abstraction is called a representation [REST]. | |||
For the purposes of HTTP, a "representation" is information that is | For the purposes of HTTP, a "representation" is information that is | |||
skipping to change at line 1819 ¶ | skipping to change at page 48, line 39 ¶ | |||
resource, in a format that can be readily communicated via the | resource, in a format that can be readily communicated via the | |||
protocol, and that consists of a set of representation metadata and a | protocol, and that consists of a set of representation metadata and a | |||
potentially unbounded stream of representation data. | potentially unbounded stream of representation data. | |||
An origin server might be provided with, or be capable of generating, | An origin server might be provided with, or be capable of generating, | |||
multiple representations that are each intended to reflect the | multiple representations that are each intended to reflect the | |||
current state of a target resource. In such cases, some algorithm is | current state of a target resource. In such cases, some algorithm is | |||
used by the origin server to select one of those representations as | used by the origin server to select one of those representations as | |||
most applicable to a given request, usually based on content | most applicable to a given request, usually based on content | |||
negotiation. This "selected representation" is used to provide the | negotiation. This "selected representation" is used to provide the | |||
data and metadata for evaluating conditional requests [RFC7232] and | data and metadata for evaluating conditional requests (Section 8.2) | |||
constructing the payload for 200 (OK) and 304 (Not Modified) | and constructing the payload for 200 (OK) and 304 (Not Modified) | |||
responses to GET (Section 4.3.1). | responses to GET (Section 7.3.1). | |||
3.2. Representation Data | 6.1. Representation Data | |||
The representation data associated with an HTTP message is either | The representation data associated with an HTTP message is either | |||
provided as the payload body of the message or referred to by the | provided as the payload body of the message or referred to by the | |||
message semantics and the effective request URI. The representation | message semantics and the effective request URI. The representation | |||
data is in a format and encoding defined by the representation | data is in a format and encoding defined by the representation | |||
metadata header fields. | metadata header fields. | |||
The data type of the representation data is determined via the header | The data type of the representation data is determined via the header | |||
fields Content-Type and Content-Encoding. These define a two-layer, | fields Content-Type and Content-Encoding. These define a two-layer, | |||
ordered encoding model: | ordered encoding model: | |||
representation-data := Content-Encoding( Content-Type( bits ) ) | representation-data := Content-Encoding( Content-Type( bits ) ) | |||
3.1.1.1. Media Type | 6.1.1. Media Type | |||
HTTP uses Internet media types [RFC2046] in the Content-Type | HTTP uses media types [RFC2046] in the Content-Type (Section 6.2.1) | |||
(Section 3.1.1.5) and Accept (Section 5.3.2) header fields in order | and Accept (Section 8.4.2) header fields in order to provide open and | |||
to provide open and extensible data typing and type negotiation. | extensible data typing and type negotiation. Media types define both | |||
Media types define both a data format and various processing models: | a data format and various processing models: how to process that data | |||
how to process that data in accordance with each context in which it | in accordance with each context in which it is received. | |||
is received. | ||||
media-type = type "/" subtype *( OWS ";" OWS parameter ) | media-type = type "/" subtype *( OWS ";" OWS parameter ) | |||
type = token | type = token | |||
subtype = token | subtype = token | |||
The type/subtype MAY be followed by parameters in the form of | The type and subtype tokens are case-insensitive. | |||
name=value pairs. | ||||
The type, subtype, and parameter name tokens are case-insensitive. | The type/subtype MAY be followed by semicolon-delimited parameters | |||
Parameter values might or might not be case-sensitive, depending on | (Section 4.4.1.4) in the form of name=value pairs. The presence or | |||
the semantics of the parameter name. The presence or absence of a | absence of a parameter might be significant to the processing of a | |||
parameter might be significant to the processing of a media-type, | media type, depending on its definition within the media type | |||
depending on its definition within the media type registry. | registry. Parameter values might or might not be case-sensitive, | |||
depending on the semantics of the parameter name. | ||||
For example, the following | For example, the following media types are equivalent in describing | |||
examples are all equivalent, but the first is preferred for | HTML text data encoded in the UTF-8 character encoding scheme, but | |||
consistency: | the first is preferred for consistency (the "charset" parameter value | |||
is defined as being case-insensitive in [RFC2046], Section 4.1.2): | ||||
text/html;charset=utf-8 | text/html;charset=utf-8 | |||
text/html;charset=UTF-8 | ||||
Text/HTML;Charset="utf-8" | Text/HTML;Charset="utf-8" | |||
text/html; charset="utf-8" | text/html; charset="utf-8" | |||
text/html;charset=UTF-8 | ||||
Internet media types ought to be registered with IANA according to | Media types ought to be registered with IANA according to the | |||
the procedures defined in [BCP13]. | procedures defined in [BCP13]. | |||
3.1.1.2. Charset | 6.1.1.1. Charset | |||
HTTP uses charset names to indicate or negotiate the character | HTTP uses charset names to indicate or negotiate the character | |||
encoding scheme of a textual representation [RFC6365]. A charset is | encoding scheme of a textual representation [RFC6365]. A charset is | |||
identified by a case-insensitive token. | identified by a case-insensitive token. | |||
charset = token | charset = token | |||
Charset names ought to be registered in the IANA "Character Sets" | Charset names ought to be registered in the IANA "Character Sets" | |||
registry (<http://www.iana.org/assignments/character-sets>) according | registry (<https://www.iana.org/assignments/character-sets>) | |||
to the procedures defined in [RFC2978]. | according to the procedures defined in Section 2 of [RFC2978]. | |||
3.1.1.3. Canonicalization and Text Defaults | Note: In theory, charset names are defined by the "mime-charset" | |||
ABNF rule defined in Section 2.3 of [RFC2978] (as corrected in | ||||
[Err1912]). That rule allows two characters that are not included | ||||
in "token" ("{" and "}"), but no charset name registered at the | ||||
time of this writing includes braces (see [Err5433]). | ||||
Internet media types are registered with a canonical form in order to | 6.1.1.2. Canonicalization and Text Defaults | |||
be interoperable among systems with varying native encoding formats. | ||||
Media types are registered with a canonical form in order to be | ||||
interoperable among systems with varying native encoding formats. | ||||
Representations selected or transferred via HTTP ought to be in | Representations selected or transferred via HTTP ought to be in | |||
canonical form, for many of the same reasons described by the | canonical form, for many of the same reasons described by the | |||
Multipurpose Internet Mail Extensions (MIME) [RFC2045]. However, the | Multipurpose Internet Mail Extensions (MIME) [RFC2045]. However, the | |||
performance characteristics of email deployments (i.e., store and | performance characteristics of email deployments (i.e., store and | |||
forward messages to peers) are significantly different from those | forward messages to peers) are significantly different from those | |||
common to HTTP and the Web (server-based information services). | common to HTTP and the Web (server-based information services). | |||
Furthermore, MIME's constraints for the sake of compatibility with | Furthermore, MIME's constraints for the sake of compatibility with | |||
older mail transfer protocols do not apply to HTTP (see Appendix A). | older mail transfer protocols do not apply to HTTP (see Appendix B of | |||
[Messaging]). | ||||
MIME's canonical form requires that media subtypes of the "text" type | MIME's canonical form requires that media subtypes of the "text" type | |||
use CRLF as the text line break. HTTP allows the transfer of text | use CRLF as the text line break. HTTP allows the transfer of text | |||
media with plain CR or LF alone representing a line break, when such | media with plain CR or LF alone representing a line break, when such | |||
line breaks are consistent for an entire representation. An HTTP | line breaks are consistent for an entire representation. An HTTP | |||
sender MAY generate, and a recipient MUST be able to parse, line | sender MAY generate, and a recipient MUST be able to parse, line | |||
breaks in text media that consist of CRLF, bare CR, or bare LF. In | breaks in text media that consist of CRLF, bare CR, or bare LF. In | |||
addition, text media in HTTP is not limited to charsets that use | addition, text media in HTTP is not limited to charsets that use | |||
octets 13 and 10 for CR and LF, respectively. This flexibility | octets 13 and 10 for CR and LF, respectively. This flexibility | |||
regarding line breaks applies only to text within a representation | regarding line breaks applies only to text within a representation | |||
that has been assigned a "text" media type; it does not apply to | that has been assigned a "text" media type; it does not apply to | |||
"multipart" types or HTTP elements outside the payload body (e.g., | "multipart" types or HTTP elements outside the payload body (e.g., | |||
header fields). | header fields). | |||
If a representation is encoded with a content-coding, the underlying | If a representation is encoded with a content-coding, the underlying | |||
data ought to be in a form defined above prior to being encoded. | data ought to be in a form defined above prior to being encoded. | |||
3.1.1.4. Multipart Types | 6.1.1.3. Multipart Types | |||
MIME provides for a number of "multipart" types -- encapsulations of | MIME provides for a number of "multipart" types -- encapsulations of | |||
one or more representations within a single message body. All | one or more representations within a single message body. All | |||
multipart types share a common syntax, as defined in Section 5.1.1 of | multipart types share a common syntax, as defined in Section 5.1.1 of | |||
[RFC2046], and include a boundary parameter as part of the media type | [RFC2046], and include a boundary parameter as part of the media type | |||
value. The message body is itself a protocol element; a sender MUST | value. The message body is itself a protocol element; a sender MUST | |||
generate only CRLF to represent line breaks between body parts. | generate only CRLF to represent line breaks between body parts. | |||
HTTP message framing does not use the multipart boundary as an | HTTP message framing does not use the multipart boundary as an | |||
indicator of message body length, though it might be used by | indicator of message body length, though it might be used by | |||
implementations that generate or process the payload. For example, | implementations that generate or process the payload. For example, | |||
the "multipart/form-data" type is often used for carrying form data | the "multipart/form-data" type is often used for carrying form data | |||
in a request, as described in [RFC2388], and the "multipart/ | in a request, as described in [RFC7578], and the "multipart/ | |||
byteranges" type is defined by this specification for use in some 206 | byteranges" type is defined by this specification for use in some 206 | |||
(Partial Content) responses [RFC7233]. | (Partial Content) responses (see Section 9.3.7). | |||
3.1.2.1. Content Codings | 6.1.2. Content Codings | |||
Content coding values indicate an encoding transformation that has | Content coding values indicate an encoding transformation that has | |||
been or can be applied to a representation. Content codings are | been or can be applied to a representation. Content codings are | |||
primarily used to allow a representation to be compressed or | primarily used to allow a representation to be compressed or | |||
otherwise usefully transformed without losing the identity of its | otherwise usefully transformed without losing the identity of its | |||
underlying media type and without loss of information. Frequently, | underlying media type and without loss of information. Frequently, | |||
the representation is stored in coded form, transmitted directly, and | the representation is stored in coded form, transmitted directly, and | |||
only decoded by the final recipient. | only decoded by the final recipient. | |||
content-coding = token | content-coding = token | |||
All content-coding values are case-insensitive and ought to be | All content codings are case-insensitive and ought to be registered | |||
registered within the "HTTP Content Coding Registry", as defined in | within the "HTTP Content Coding Registry", as defined in | |||
Section 8.4. They are used in the Accept-Encoding (Section 5.3.4) | Section 6.1.2.4 | |||
and Content-Encoding (Section 3.1.2.2) header fields. | ||||
Content-coding values are used in the Accept-Encoding (Section 8.4.4) | ||||
and Content-Encoding (Section 6.2.2) header fields. | ||||
The following content-coding values are defined by this | The following content-coding values are defined by this | |||
specification: | specification: | |||
compress (and x-compress): See Section 4.2.1 of [RFC7230]. | +------------+------------------------------------------+-----------+ | |||
| Name | Description | Reference | | ||||
deflate: See Section 4.2.2 of [RFC7230]. | +------------+------------------------------------------+-----------+ | |||
| compress | UNIX "compress" data format [Welch] | Section 6 | | ||||
gzip (and x-gzip): See Section 4.2.3 of [RFC7230]. | | | | .1.2.1 | | |||
| deflate | "deflate" compressed data ([RFC1951]) | Section 6 | | ||||
+------------+--------------------------------------+---------------+ | | | inside the "zlib" data format | .1.2.2 | | |||
| Name | Description | Reference | | | | ([RFC1950]) | | | |||
+------------+--------------------------------------+---------------+ | | gzip | GZIP file format [RFC1952] | Section 6 | | |||
| compress | UNIX "compress" data format [Welch] | Section 4.2.1 | | | | | .1.2.3 | | |||
| deflate | "deflate" compressed data | Section 4.2.2 | | | identity | Reserved (synonym for "no encoding" in | Section 8 | | |||
| | ([RFC1951]) inside the "zlib" data | | | | | Accept-Encoding) | .4.4 | | |||
| | format ([RFC1950]) | | | | x-compress | Deprecated (alias for compress) | Section 6 | | |||
| gzip | GZIP file format [RFC1952] | Section 4.2.3 | | | | | .1.2.1 | | |||
| identity | Reserved (synonym for "no encoding" in | Section 5.3.4 | | | x-gzip | Deprecated (alias for gzip) | Section 6 | | |||
| | Accept-Encoding) | | | | | | .1.2.3 | | |||
| x-compress | Deprecated (alias for compress) | Section 4.2.1 | | +------------+------------------------------------------+-----------+ | |||
| x-gzip | Deprecated (alias for gzip) | Section 4.2.3 | | ||||
+------------+--------------------------------------+---------------+ | ||||
4.2. Compression Codings | ||||
The codings defined below can be used to compress the payload of a | Table 2 | |||
message. | ||||
4.2.1. Compress Coding | 6.1.2.1. Compress Coding | |||
The "compress" coding is an adaptive Lempel-Ziv-Welch (LZW) coding | The "compress" coding is an adaptive Lempel-Ziv-Welch (LZW) coding | |||
[Welch] that is commonly produced by the UNIX file compression | [Welch] that is commonly produced by the UNIX file compression | |||
program "compress". A recipient SHOULD consider "x-compress" to be | program "compress". A recipient SHOULD consider "x-compress" to be | |||
equivalent to "compress". | equivalent to "compress". | |||
4.2.2. Deflate Coding | 6.1.2.2. Deflate Coding | |||
The "deflate" coding is a "zlib" data format [RFC1950] containing a | The "deflate" coding is a "zlib" data format [RFC1950] containing a | |||
"deflate" compressed data stream [RFC1951] that uses a combination of | "deflate" compressed data stream [RFC1951] that uses a combination of | |||
the Lempel-Ziv (LZ77) compression algorithm and Huffman coding. | the Lempel-Ziv (LZ77) compression algorithm and Huffman coding. | |||
Note: Some non-conformant implementations send the "deflate" | Note: Some non-conformant implementations send the "deflate" | |||
compressed data without the zlib wrapper. | compressed data without the zlib wrapper. | |||
4.2.3. Gzip Coding | 6.1.2.3. Gzip Coding | |||
The "gzip" coding is an LZ77 coding with a 32-bit Cyclic Redundancy | The "gzip" coding is an LZ77 coding with a 32-bit Cyclic Redundancy | |||
Check (CRC) that is commonly produced by the gzip file compression | Check (CRC) that is commonly produced by the gzip file compression | |||
program [RFC1952]. A recipient SHOULD consider "x-gzip" to be | program [RFC1952]. A recipient SHOULD consider "x-gzip" to be | |||
equivalent to "gzip". | equivalent to "gzip". | |||
8.4. Content Coding Registry | 6.1.2.4. Content Coding Registry | |||
The "HTTP Content Coding Registry" defines the namespace for content | ||||
coding names (Section 4.2 of [RFC7230]). The content coding registry | ||||
is maintained at <http://www.iana.org/assignments/http-parameters>. | ||||
8.4.1. Procedure | The "HTTP Content Coding Registry", maintained by IANA at | |||
<https://www.iana.org/assignments/http-parameters/>, registers | ||||
content-coding names. | ||||
Content coding registrations MUST include the following fields: | Content coding registrations MUST include the following fields: | |||
o Name | o Name | |||
o Description | o Description | |||
o Pointer to specification text | o Pointer to specification text | |||
Names of content codings MUST NOT overlap with names of transfer | Names of content codings MUST NOT overlap with names of transfer | |||
codings (Section 4 of [RFC7230]), unless the encoding transformation | codings (Section 7 of [Messaging]), unless the encoding | |||
is identical (as is the case for the compression codings defined in | transformation is identical (as is the case for the compression | |||
Section 4.2 of [RFC7230]). | codings defined in Section 6.1.2). | |||
Values to be added to this namespace require IETF Review (see Section | Values to be added to this namespace require IETF Review (see | |||
4.1 of [RFC5226]) and MUST conform to the purpose of content coding | Section 4.8 of [RFC8126]) and MUST conform to the purpose of content | |||
defined in this section. | coding defined in Section 6.1.2. | |||
3.1.3.1. Language Tags | 6.1.3. Language Tags | |||
A language tag, as defined in [RFC5646], identifies a natural | A language tag, as defined in [RFC5646], identifies a natural | |||
language spoken, written, or otherwise conveyed by human beings for | language spoken, written, or otherwise conveyed by human beings for | |||
communication of information to other human beings. Computer | communication of information to other human beings. Computer | |||
languages are explicitly excluded. | languages are explicitly excluded. | |||
HTTP uses language tags within the Accept-Language and | HTTP uses language tags within the Accept-Language and Content- | |||
Content-Language header fields. Accept-Language uses the broader | Language header fields. Accept-Language uses the broader language- | |||
language-range production defined in Section 5.3.5, whereas | range production defined in Section 8.4.5, whereas Content-Language | |||
Content-Language uses the language-tag production defined below. | uses the language-tag production defined below. | |||
language-tag = <Language-Tag, see [RFC5646], Section 2.1> | language-tag = <Language-Tag, see [RFC5646], Section 2.1> | |||
A language tag is a sequence of one or more case-insensitive subtags, | A language tag is a sequence of one or more case-insensitive subtags, | |||
each separated by a hyphen character ("-", %x2D). In most cases, a | each separated by a hyphen character ("-", %x2D). In most cases, a | |||
language tag consists of a primary language subtag that identifies a | language tag consists of a primary language subtag that identifies a | |||
broad family of related languages (e.g., "en" = English), which is | broad family of related languages (e.g., "en" = English), which is | |||
optionally followed by a series of subtags that refine or narrow that | optionally followed by a series of subtags that refine or narrow that | |||
language's range (e.g., "en-CA" = the variety of English as | language's range (e.g., "en-CA" = the variety of English as | |||
communicated in Canada). Whitespace is not allowed within a language | communicated in Canada). Whitespace is not allowed within a language | |||
tag. Example tags include: | tag. Example tags include: | |||
fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN | fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN | |||
See [RFC5646] for further information. | See [RFC5646] for further information. | |||
2. Range Units | 6.1.4. Range Units | |||
A representation can be partitioned into subranges according to | Representation data can be partitioned into subranges when there are | |||
various structural units, depending on the structure inherent in the | addressable structural units inherent to that data's content coding | |||
representation's media type. This "range unit" is used in the | or media type. For example, octet (a.k.a., byte) boundaries are a | |||
Accept-Ranges (Section 2.3) response header field to advertise | structural unit common to all representation data, allowing | |||
support for range requests, the Range (Section 3.1) request header | partitions of the data to be identified as a range of bytes at some | |||
field to delineate the parts of a representation that are requested, | offset from the start or end of that data. | |||
and the Content-Range (Section 4.2) payload header field to describe | ||||
which part of a representation is being transferred. | ||||
range-unit = bytes-unit / other-range-unit | This general notion of a "range unit" is used in the Accept-Ranges | |||
(Section 10.4.1) response header field to advertise support for range | ||||
requests, the Range (Section 8.3) request header field to delineate | ||||
the parts of a representation that are requested, and the Content- | ||||
Range (Section 6.3.4) payload header field to describe which part of | ||||
a representation is being transferred. | ||||
range-unit = token | ||||
All range unit names are case-insensitive and ought to be registered | ||||
within the "HTTP Range Unit Registry", as defined in Section 6.1.4.4 | ||||
The following range unit names are defined by this document: | ||||
+------------+-----------------------------------------+------------+ | +------------+-----------------------------------------+------------+ | |||
| Range Unit | Description | Reference | | | Range Unit | Description | Reference | | |||
| Name | | | | | Name | | | | |||
+------------+-----------------------------------------+------------+ | +------------+-----------------------------------------+------------+ | |||
| bytes | a range of octets | Section 2.1 | | | bytes | a range of octets | Section 6. | | |||
| none | reserved as keyword, indicating no | Section 2.3 | | | | | 1.4.2 | | |||
| | ranges are supported | | | | none | reserved as keyword to indicate range | Section 10 | | |||
| | requests are not supported | .4.1 | | ||||
+------------+-----------------------------------------+------------+ | +------------+-----------------------------------------+------------+ | |||
2.1. Byte Ranges | Table 3 | |||
Since representation data is transferred in payloads as a sequence of | 6.1.4.1. Range Specifiers | |||
octets, a byte range is a meaningful substructure for any | ||||
representation transferable over HTTP (Section 3 of [RFC7231]). The | ||||
"bytes" range unit is defined for expressing subranges of the data's | ||||
octet sequence. | ||||
bytes-unit = "bytes" | Ranges are expressed in terms of a range unit paired with a set of | |||
range specifiers. The range unit name determines what kinds of | ||||
range-spec are applicable to its own specifiers. Hence, the | ||||
following gramar is generic: each range unit is expected to specify | ||||
requirements on when int-range, suffix-range, and other-range are | ||||
allowed. | ||||
A byte-range request can specify a single range of bytes or a set of | A range request can specify a single range or a set of ranges within | |||
ranges within a single representation. | a single representation. | |||
byte-ranges-specifier = bytes-unit "=" byte-range-set | ranges-specifier = range-unit "=" range-set | |||
byte-range-set = 1#( byte-range-spec / suffix-byte-range-spec ) | range-set = 1#range-spec | |||
byte-range-spec = first-byte-pos "-" [ last-byte-pos ] | range-spec = int-range | |||
first-byte-pos = 1*DIGIT | / suffix-range | |||
last-byte-pos = 1*DIGIT | / other-range | |||
The first-byte-pos value in a byte-range-spec gives the byte-offset | An int-range is a range expressed as two non-negative integers or as | |||
of the first byte in a range. The last-byte-pos value gives the | one non-negative integer through to the end of the representation | |||
byte-offset of the last byte in the range; that is, the byte | data. The range unit specifies what the integers mean (e.g., they | |||
positions specified are inclusive. Byte offsets start at zero. | might indicate unit offsets from the beginning, inclusive numbered | |||
parts, etc.). | ||||
Examples of byte-ranges-specifier values: | int-range = first-pos "-" [ last-pos ] | |||
first-pos = 1*DIGIT | ||||
last-pos = 1*DIGIT | ||||
An int-range is invalid if the last-pos value is present and less | ||||
than the first-pos. | ||||
A suffix-range is a range expressed as a suffix of the representation | ||||
data with the provided non-negative integer maximum length (in range | ||||
units). In other words, the last N units of the representation data. | ||||
suffix-range = "-" suffix-length | ||||
suffix-length = 1*DIGIT | ||||
To provide for extensibility, the other-range rule is a mostly | ||||
unconstrained grammar that allows application-specific or future | ||||
range units to define additional range specifiers. | ||||
other-range = 1*( %x21-2B / %x2D-7E ) | ||||
; 1*(VCHAR excluding comma) | ||||
6.1.4.2. Byte Ranges | ||||
The "bytes" range unit is used to express subranges of a | ||||
representation data's octet sequence. Each byte range is expressed | ||||
as an integer range at some offset, relative to either the beginning | ||||
(int-range) or end (suffix-range) of the representation data. Byte | ||||
ranges do not use the other-range specifier. | ||||
The first-pos value in a bytes int-range gives the offset of the | ||||
first byte in a range. The last-pos value gives the offset of the | ||||
last byte in the range; that is, the byte positions specified are | ||||
inclusive. Byte offsets start at zero. | ||||
If the representation data has a content coding applied, each byte | ||||
range is calculated with respect to the encoded sequence of bytes, | ||||
not the sequence of underlying bytes that would be obtained after | ||||
decoding. | ||||
Examples of bytes range specifiers: | ||||
o The first 500 bytes (byte offsets 0-499, inclusive): | o The first 500 bytes (byte offsets 0-499, inclusive): | |||
bytes=0-499 | bytes=0-499 | |||
o The second 500 bytes (byte offsets 500-999, inclusive): | o The second 500 bytes (byte offsets 500-999, inclusive): | |||
bytes=500-999 | bytes=500-999 | |||
A byte-range-spec is invalid if the last-byte-pos value is present | ||||
and less than the first-byte-pos. | ||||
A client can limit the number of bytes requested without knowing the | A client can limit the number of bytes requested without knowing the | |||
size of the selected representation. If the last-byte-pos value is | size of the selected representation. If the last-pos value is | |||
absent, or if the value is greater than or equal to the current | absent, or if the value is greater than or equal to the current | |||
length of the representation data, the byte range is interpreted as | length of the representation data, the byte range is interpreted as | |||
the remainder of the representation (i.e., the server replaces the | the remainder of the representation (i.e., the server replaces the | |||
value of last-byte-pos with a value that is one less than the current | value of last-pos with a value that is one less than the current | |||
length of the selected representation). | length of the selected representation). | |||
A client can request the last N bytes of the selected representation | A client can request the last N bytes of the selected representation | |||
using a suffix-byte-range-spec. | using a suffix-range. If the selected representation is shorter than | |||
the specified suffix-length, the entire representation is used. | ||||
suffix-byte-range-spec = "-" suffix-length | ||||
suffix-length = 1*DIGIT | ||||
If the selected representation is shorter than the specified | ||||
suffix-length, the entire representation is used. | ||||
Additional examples, assuming a representation of length 10000: | Additional examples, assuming a representation of length 10000: | |||
o The final 500 bytes (byte offsets 9500-9999, inclusive): | o The final 500 bytes (byte offsets 9500-9999, inclusive): | |||
bytes=-500 | bytes=-500 | |||
Or: | Or: | |||
bytes=9500- | bytes=9500- | |||
o The first and last bytes only (bytes 0 and 9999): | o The first and last bytes only (bytes 0 and 9999): | |||
bytes=0-0,-1 | bytes=0-0,-1 | |||
o The first, middle, and last 1000 bytes: | ||||
bytes= 0-999, 4500-5499, -1000 | ||||
o Other valid (but not canonical) specifications of the second 500 | o Other valid (but not canonical) specifications of the second 500 | |||
bytes (byte offsets 500-999, inclusive): | bytes (byte offsets 500-999, inclusive): | |||
bytes=500-600,601-999 | bytes=500-600,601-999 | |||
bytes=500-700,601-999 | bytes=500-700,601-999 | |||
If a valid byte-range-set includes at least one byte-range-spec with | If a valid bytes range-set includes at least one range-spec with a | |||
a first-byte-pos that is less than the current length of the | first-pos that is less than the current length of the representation, | |||
representation, or at least one suffix-byte-range-spec with a | or at least one suffix-range with a non-zero suffix-length, then the | |||
non-zero suffix-length, then the byte-range-set is satisfiable. | bytes range-set is satisfiable. Otherwise, the bytes range-set is | |||
Otherwise, the byte-range-set is unsatisfiable. | unsatisfiable. | |||
In the byte-range syntax, first-byte-pos, last-byte-pos, and | In the byte-range syntax, first-pos, last-pos, and suffix-length are | |||
suffix-length are expressed as decimal number of octets. Since there | expressed as decimal number of octets. Since there is no predefined | |||
is no predefined limit to the length of a payload, recipients MUST | limit to the length of a payload, recipients MUST anticipate | |||
anticipate potentially large decimal numerals and prevent parsing | potentially large decimal numerals and prevent parsing errors due to | |||
errors due to integer conversion overflows. | integer conversion overflows. | |||
2.2. Other Range Units | 6.1.4.3. Other Range Units | |||
Range units are intended to be extensible. New range units ought to | Other range units, such as format-specific boundaries like pages, | |||
be registered with IANA, as defined in Section 5.1. | sections, records, rows, or time, are potentially usable in HTTP for | |||
application-specific purposes, but are not commonly used in practice. | ||||
Implementors of alternative range units ought to consider how they | ||||
would work with content codings and general-purpose intermediaries. | ||||
other-range-unit = token | Range units are intended to be extensible. New range units ought to | |||
be registered with IANA, as defined in Section 6.1.4.4. | ||||
5.1. Range Unit Registry | 6.1.4.4. Range Unit Registry | |||
The "HTTP Range Unit Registry" defines the namespace for the range | The "HTTP Range Unit Registry" defines the namespace for the range | |||
unit names and refers to their corresponding specifications. The | unit names and refers to their corresponding specifications. It is | |||
registry has been created and is now maintained at | maintained at <https://www.iana.org/assignments/http-parameters>. | |||
<http://www.iana.org/assignments/http-parameters>. | ||||
5.1.1. Procedure | ||||
Registration of an HTTP Range Unit MUST include the following fields: | Registration of an HTTP Range Unit MUST include the following fields: | |||
o Name | o Name | |||
o Description | o Description | |||
o Pointer to specification text | o Pointer to specification text | |||
Values to be added to this namespace require IETF Review (see | Values to be added to this namespace require IETF Review (see | |||
[RFC5226], Section 4.1). | [RFC8126], Section 4.8). | |||
3.1. Representation Metadata | 6.2. Representation Metadata | |||
Representation header fields provide metadata about the | Representation header fields provide metadata about the | |||
representation. When a message includes a payload body, the | representation. When a message includes a payload body, the | |||
representation header fields describe how to interpret the | representation header fields describe how to interpret the | |||
representation data enclosed in the payload body. In a response to a | representation data enclosed in the payload body. In a response to a | |||
HEAD request, the representation header fields describe the | HEAD request, the representation header fields describe the | |||
representation data that would have been enclosed in the payload body | representation data that would have been enclosed in the payload body | |||
if the same request had been a GET. | if the same request had been a GET. | |||
The following header fields convey representation metadata: | The following header fields convey representation metadata: | |||
+-------------------+-----------------+ | +------------------+---------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+-------------------+-----------------+ | +------------------+---------------+ | |||
| Content-Type | Section 3.1.1.5 | | | Content-Type | Section 6.2.1 | | |||
| Content-Encoding | Section 3.1.2.2 | | | Content-Encoding | Section 6.2.2 | | |||
| Content-Language | Section 3.1.3.2 | | | Content-Language | Section 6.2.3 | | |||
| Content-Location | Section 3.1.4.2 | | | Content-Length | Section 6.2.4 | | |||
+-------------------+-----------------+ | | Content-Location | Section 6.2.5 | | |||
+------------------+---------------+ | ||||
3.1.1. Processing Representation Data | ||||
3.1.1.5. Content-Type | 6.2.1. Content-Type | |||
The "Content-Type" header field indicates the media type of the | The "Content-Type" header field indicates the media type of the | |||
associated representation: either the representation enclosed in the | associated representation: either the representation enclosed in the | |||
message payload or the selected representation, as determined by the | message payload or the selected representation, as determined by the | |||
message semantics. The indicated media type defines both the data | message semantics. The indicated media type defines both the data | |||
format and how that data is intended to be processed by a recipient, | format and how that data is intended to be processed by a recipient, | |||
within the scope of the received message semantics, after any content | within the scope of the received message semantics, after any content | |||
codings indicated by Content-Encoding are decoded. | codings indicated by Content-Encoding are decoded. | |||
Content-Type = media-type | Content-Type = media-type | |||
Media types are defined in Section 3.1.1.1. An example of the field | Media types are defined in Section 6.1.1. An example of the field is | |||
is | ||||
Content-Type: text/html; charset=ISO-8859-4 | Content-Type: text/html; charset=ISO-8859-4 | |||
A sender that generates a message containing a payload body SHOULD | A sender that generates a message containing a payload body SHOULD | |||
generate a Content-Type header field in that message unless the | generate a Content-Type header field in that message unless the | |||
intended media type of the enclosed representation is unknown to the | intended media type of the enclosed representation is unknown to the | |||
sender. If a Content-Type header field is not present, the recipient | sender. If a Content-Type header field is not present, the recipient | |||
MAY either assume a media type of "application/octet-stream" | MAY either assume a media type of "application/octet-stream" | |||
([RFC2046], Section 4.5.1) or examine the data to determine its type. | ([RFC2046], Section 4.5.1) or examine the data to determine its type. | |||
In practice, resource owners do not always properly configure their | In practice, resource owners do not always properly configure their | |||
origin server to provide the correct Content-Type for a given | origin server to provide the correct Content-Type for a given | |||
representation, with the result that some clients will examine a | representation. Some user agents examine a payload's content and, in | |||
payload's content and override the specified type. Clients that do | certain cases, override the received type (for example, see | |||
so risk drawing incorrect conclusions, which might expose additional | [Sniffing]). This "MIME sniffing" risks drawing incorrect | |||
conclusions about the data, which might expose the user to additional | ||||
security risks (e.g., "privilege escalation"). Furthermore, it is | security risks (e.g., "privilege escalation"). Furthermore, it is | |||
impossible to determine the sender's intent by examining the data | impossible to determine the sender's intended processing model by | |||
format: many data formats match multiple media types that differ only | examining the data format: many data formats match multiple media | |||
in processing semantics. Implementers are encouraged to provide a | types that differ only in processing semantics. Implementers are | |||
means of disabling such "content sniffing" when it is used. | encouraged to provide a means to disable such sniffing. | |||
3.1.2. Encoding for Compression or Integrity | ||||
3.1.2.2. Content-Encoding | 6.2.2. Content-Encoding | |||
The "Content-Encoding" header field indicates what content codings | The "Content-Encoding" header field indicates what content codings | |||
have been applied to the representation, beyond those inherent in the | have been applied to the representation, beyond those inherent in the | |||
media type, and thus what decoding mechanisms have to be applied in | media type, and thus what decoding mechanisms have to be applied in | |||
order to obtain data in the media type referenced by the Content-Type | order to obtain data in the media type referenced by the Content-Type | |||
header field. Content-Encoding is primarily used to allow a | header field. Content-Encoding is primarily used to allow a | |||
representation's data to be compressed without losing the identity of | representation's data to be compressed without losing the identity of | |||
its underlying media type. | its underlying media type. | |||
Content-Encoding = 1#content-coding | Content-Encoding = 1#content-coding | |||
skipping to change at line 2267 ¶ | skipping to change at page 59, line 42 ¶ | |||
Content-Encoding: gzip | Content-Encoding: gzip | |||
If one or more encodings have been applied to a representation, the | If one or more encodings have been applied to a representation, the | |||
sender that applied the encodings MUST generate a Content-Encoding | sender that applied the encodings MUST generate a Content-Encoding | |||
header field that lists the content codings in the order in which | header field that lists the content codings in the order in which | |||
they were applied. Additional information about the encoding | they were applied. Additional information about the encoding | |||
parameters can be provided by other header fields not defined by this | parameters can be provided by other header fields not defined by this | |||
specification. | specification. | |||
Unlike Transfer-Encoding (Section 3.3.1 of [RFC7230]), the codings | Unlike Transfer-Encoding (Section 6.1 of [Messaging]), the codings | |||
listed in Content-Encoding are a characteristic of the | listed in Content-Encoding are a characteristic of the | |||
representation; the representation is defined in terms of the coded | representation; the representation is defined in terms of the coded | |||
form, and all other metadata about the representation is about the | form, and all other metadata about the representation is about the | |||
coded form unless otherwise noted in the metadata definition. | coded form unless otherwise noted in the metadata definition. | |||
Typically, the representation is only decoded just prior to rendering | Typically, the representation is only decoded just prior to rendering | |||
or analogous usage. | or analogous usage. | |||
If the media type includes an inherent encoding, such as a data | If the media type includes an inherent encoding, such as a data | |||
format that is always compressed, then that encoding would not be | format that is always compressed, then that encoding would not be | |||
restated in Content-Encoding even if it happens to be the same | restated in Content-Encoding even if it happens to be the same | |||
skipping to change at line 2291 ¶ | skipping to change at page 60, line 18 ¶ | |||
choose to publish the same data as multiple representations that | choose to publish the same data as multiple representations that | |||
differ only in whether the coding is defined as part of Content-Type | differ only in whether the coding is defined as part of Content-Type | |||
or Content-Encoding, since some user agents will behave differently | or Content-Encoding, since some user agents will behave differently | |||
in their handling of each response (e.g., open a "Save as ..." dialog | in their handling of each response (e.g., open a "Save as ..." dialog | |||
instead of automatic decompression and rendering of content). | instead of automatic decompression and rendering of content). | |||
An origin server MAY respond with a status code of 415 (Unsupported | An origin server MAY respond with a status code of 415 (Unsupported | |||
Media Type) if a representation in the request message has a content | Media Type) if a representation in the request message has a content | |||
coding that is not acceptable. | coding that is not acceptable. | |||
3.1.3. Audience Language | 6.2.3. Content-Language | |||
3.1.3.2. Content-Language | ||||
The "Content-Language" header field describes the natural language(s) | The "Content-Language" header field describes the natural language(s) | |||
of the intended audience for the representation. Note that this | of the intended audience for the representation. Note that this | |||
might not be equivalent to all the languages used within the | might not be equivalent to all the languages used within the | |||
representation. | representation. | |||
Content-Language = 1#language-tag | Content-Language = 1#language-tag | |||
Language tags are defined in Section 3.1.3.1. The primary purpose of | Language tags are defined in Section 6.1.3. The primary purpose of | |||
Content-Language is to allow a user to identify and differentiate | Content-Language is to allow a user to identify and differentiate | |||
representations according to the users' own preferred language. | representations according to the users' own preferred language. | |||
Thus, if the content is intended only for a Danish-literate audience, | Thus, if the content is intended only for a Danish-literate audience, | |||
the appropriate field is | the appropriate field is | |||
Content-Language: da | Content-Language: da | |||
If no Content-Language is specified, the default is that the content | If no Content-Language is specified, the default is that the content | |||
is intended for all language audiences. This might mean that the | is intended for all language audiences. This might mean that the | |||
sender does not consider it to be specific to any natural language, | sender does not consider it to be specific to any natural language, | |||
skipping to change at line 2332 ¶ | skipping to change at page 61, line 10 ¶ | |||
However, just because multiple languages are present within a | However, just because multiple languages are present within a | |||
representation does not mean that it is intended for multiple | representation does not mean that it is intended for multiple | |||
linguistic audiences. An example would be a beginner's language | linguistic audiences. An example would be a beginner's language | |||
primer, such as "A First Lesson in Latin", which is clearly intended | primer, such as "A First Lesson in Latin", which is clearly intended | |||
to be used by an English-literate audience. In this case, the | to be used by an English-literate audience. In this case, the | |||
Content-Language would properly only include "en". | Content-Language would properly only include "en". | |||
Content-Language MAY be applied to any media type -- it is not | Content-Language MAY be applied to any media type -- it is not | |||
limited to textual documents. | limited to textual documents. | |||
3.3.2. Content-Length | 6.2.4. Content-Length | |||
[[CREF2: The "Content-Length" header field indicates the number of | ||||
data octets (body length) for the representation. In some cases, | ||||
Content-Length is used to define or estimate message framing. ]] | ||||
Content-Length = 1*DIGIT | Content-Length = 1*DIGIT | |||
An example is | An example is | |||
Content-Length: 3495 | Content-Length: 3495 | |||
A sender MUST NOT send a Content-Length header field in any message | A sender MUST NOT send a Content-Length header field in any message | |||
that contains a Transfer-Encoding header field. | that contains a Transfer-Encoding header field. | |||
A user agent SHOULD send a Content-Length in a request message when | A user agent SHOULD send a Content-Length in a request message when | |||
no Transfer-Encoding is sent and the request method defines a meaning | no Transfer-Encoding is sent and the request method defines a meaning | |||
for an enclosed payload body. For example, a Content-Length header | for an enclosed payload body. For example, a Content-Length header | |||
field is normally sent in a POST request even when the value is 0 | field is normally sent in a POST request even when the value is 0 | |||
(indicating an empty payload body). A user agent SHOULD NOT send a | (indicating an empty payload body). A user agent SHOULD NOT send a | |||
Content-Length header field when the request message does not contain | Content-Length header field when the request message does not contain | |||
a payload body and the method semantics do not anticipate such a | a payload body and the method semantics do not anticipate such a | |||
body. | body. | |||
A server MAY send a Content-Length header field in a response to a | A server MAY send a Content-Length header field in a response to a | |||
HEAD request (Section 4.3.2 of [RFC7231]); a server MUST NOT send | HEAD request (Section 7.3.2); a server MUST NOT send Content-Length | |||
Content-Length in such a response unless its field-value equals the | in such a response unless its field value equals the decimal number | |||
decimal number of octets that would have been sent in the payload | of octets that would have been sent in the payload body of a response | |||
body of a response if the same request had used the GET method. | if the same request had used the GET method. | |||
A server MAY send a Content-Length header field in a 304 (Not | A server MAY send a Content-Length header field in a 304 (Not | |||
Modified) response to a conditional GET request (Section 4.1 of | Modified) response to a conditional GET request (Section 9.4.5); a | |||
[RFC7232]); a server MUST NOT send Content-Length in such a response | server MUST NOT send Content-Length in such a response unless its | |||
unless its field-value equals the decimal number of octets that would | field value equals the decimal number of octets that would have been | |||
have been sent in the payload body of a 200 (OK) response to the same | sent in the payload body of a 200 (OK) response to the same request. | |||
request. | ||||
A server MUST NOT send a Content-Length header field in any response | A server MUST NOT send a Content-Length header field in any response | |||
with a status code of 1xx (Informational) or 204 (No Content). A | with a status code of 1xx (Informational) or 204 (No Content). A | |||
server MUST NOT send a Content-Length header field in any 2xx | server MUST NOT send a Content-Length header field in any 2xx | |||
(Successful) response to a CONNECT request (Section 4.3.6 of | (Successful) response to a CONNECT request (Section 7.3.6). | |||
[RFC7231]). | ||||
Aside from the cases defined above, in the absence of | Aside from the cases defined above, in the absence of Transfer- | |||
Transfer-Encoding, an origin server SHOULD send a Content-Length | Encoding, an origin server SHOULD send a Content-Length header field | |||
header field when the payload body size is known prior to sending the | when the payload body size is known prior to sending the complete | |||
complete header section. This will allow downstream recipients to | header section. This will allow downstream recipients to measure | |||
measure transfer progress, know when a received message is complete, | transfer progress, know when a received message is complete, and | |||
and potentially reuse the connection for additional requests. | potentially reuse the connection for additional requests. | |||
Any Content-Length field value greater than or equal to zero is | Any Content-Length field value greater than or equal to zero is | |||
valid. Since there is no predefined limit to the length of a | valid. Since there is no predefined limit to the length of a | |||
payload, a recipient MUST anticipate potentially large decimal | payload, a recipient MUST anticipate potentially large decimal | |||
numerals and prevent parsing errors due to integer conversion | numerals and prevent parsing errors due to integer conversion | |||
overflows (Section 9.3). | overflows (Section 11.5). | |||
If a message is received that has multiple Content-Length header | If a message is received that has multiple Content-Length header | |||
fields with field-values consisting of the same decimal value, or a | fields with field values consisting of the same decimal value, or a | |||
single Content-Length header field with a field value containing a | single Content-Length header field with a field value containing a | |||
list of identical decimal values (e.g., "Content-Length: 42, 42"), | list of identical decimal values (e.g., "Content-Length: 42, 42"), | |||
indicating that duplicate Content-Length header fields have been | indicating that duplicate Content-Length header fields have been | |||
generated or combined by an upstream message processor, then the | generated or combined by an upstream message processor, then the | |||
recipient MUST either reject the message as invalid or replace the | recipient MUST either reject the message as invalid or replace the | |||
duplicated field-values with a single valid Content-Length field | duplicated field values with a single valid Content-Length field | |||
containing that decimal value prior to determining the message body | containing that decimal value prior to determining the message body | |||
length or forwarding the message. | length or forwarding the message. | |||
3.1.4. Identification | 6.2.5. Content-Location | |||
3.1.4.2. Content-Location | ||||
The "Content-Location" header field references a URI that can be used | The "Content-Location" header field references a URI that can be used | |||
as an identifier for a specific resource corresponding to the | as an identifier for a specific resource corresponding to the | |||
representation in this message's payload. In other words, if one | representation in this message's payload. In other words, if one | |||
were to perform a GET request on this URI at the time of this | were to perform a GET request on this URI at the time of this | |||
message's generation, then a 200 (OK) response would contain the same | message's generation, then a 200 (OK) response would contain the same | |||
representation that is enclosed as payload in this message. | representation that is enclosed as payload in this message. | |||
Content-Location = absolute-URI / partial-URI | Content-Location = absolute-URI / partial-URI | |||
The Content-Location value is not a replacement for the effective | The Content-Location value is not a replacement for the effective | |||
Request URI (Section 5.5 of [RFC7230]). It is representation | Request URI (Section 5.5). It is representation metadata. It has | |||
metadata. It has the same syntax and semantics as the header field | the same syntax and semantics as the header field of the same name | |||
of the same name defined for MIME body parts in Section 4 of | defined for MIME body parts in Section 4 of [RFC2557]. However, its | |||
[RFC2557]. However, its appearance in an HTTP message has some | appearance in an HTTP message has some special implications for HTTP | |||
special implications for HTTP recipients. | recipients. | |||
If Content-Location is included in a 2xx (Successful) response | If Content-Location is included in a 2xx (Successful) response | |||
message and its value refers (after conversion to absolute form) to a | message and its value refers (after conversion to absolute form) to a | |||
URI that is the same as the effective request URI, then the recipient | URI that is the same as the effective request URI, then the recipient | |||
MAY consider the payload to be a current representation of that | MAY consider the payload to be a current representation of that | |||
resource at the time indicated by the message origination date. For | resource at the time indicated by the message origination date. For | |||
a GET (Section 4.3.1) or HEAD (Section 4.3.2) request, this is the | a GET (Section 7.3.1) or HEAD (Section 7.3.2) request, this is the | |||
same as the default semantics when no Content-Location is provided by | same as the default semantics when no Content-Location is provided by | |||
the server. For a state-changing request like PUT (Section 4.3.4) or | the server. For a state-changing request like PUT (Section 7.3.4) or | |||
POST (Section 4.3.3), it implies that the server's response contains | POST (Section 7.3.3), it implies that the server's response contains | |||
the new representation of that resource, thereby distinguishing it | the new representation of that resource, thereby distinguishing it | |||
from representations that might only report about the action (e.g., | from representations that might only report about the action (e.g., | |||
"It worked!"). This allows authoring applications to update their | "It worked!"). This allows authoring applications to update their | |||
local copies without the need for a subsequent GET request. | local copies without the need for a subsequent GET request. | |||
If Content-Location is included in a 2xx (Successful) response | If Content-Location is included in a 2xx (Successful) response | |||
message and its field-value refers to a URI that differs from the | message and its field value refers to a URI that differs from the | |||
effective request URI, then the origin server claims that the URI is | effective request URI, then the origin server claims that the URI is | |||
an identifier for a different resource corresponding to the enclosed | an identifier for a different resource corresponding to the enclosed | |||
representation. Such a claim can only be trusted if both identifiers | representation. Such a claim can only be trusted if both identifiers | |||
share the same resource owner, which cannot be programmatically | share the same resource owner, which cannot be programmatically | |||
determined via HTTP. | determined via HTTP. | |||
o For a response to a GET or HEAD request, this is an indication | o For a response to a GET or HEAD request, this is an indication | |||
that the effective request URI refers to a resource that is | that the effective request URI refers to a resource that is | |||
subject to content negotiation and the Content-Location | subject to content negotiation and the Content-Location field | |||
field-value is a more specific identifier for the selected | value is a more specific identifier for the selected | |||
representation. | representation. | |||
o For a 201 (Created) response to a state-changing method, a | o For a 201 (Created) response to a state-changing method, a | |||
Content-Location field-value that is identical to the Location | Content-Location field value that is identical to the Location | |||
field-value indicates that this payload is a current | field value indicates that this payload is a current | |||
representation of the newly created resource. | representation of the newly created resource. | |||
o Otherwise, such a Content-Location indicates that this payload is | o Otherwise, such a Content-Location indicates that this payload is | |||
a representation reporting on the requested action's status and | a representation reporting on the requested action's status and | |||
that the same report is available (for future access with GET) at | that the same report is available (for future access with GET) at | |||
the given URI. For example, a purchase transaction made via a | the given URI. For example, a purchase transaction made via a | |||
POST request might include a receipt document as the payload of | POST request might include a receipt document as the payload of | |||
the 200 (OK) response; the Content-Location field-value provides | the 200 (OK) response; the Content-Location field value provides | |||
an identifier for retrieving a copy of that same receipt in the | an identifier for retrieving a copy of that same receipt in the | |||
future. | future. | |||
A user agent that sends Content-Location in a request message is | A user agent that sends Content-Location in a request message is | |||
stating that its value refers to where the user agent originally | stating that its value refers to where the user agent originally | |||
obtained the content of the enclosed representation (prior to any | obtained the content of the enclosed representation (prior to any | |||
modifications made by that user agent). In other words, the user | modifications made by that user agent). In other words, the user | |||
agent is providing a back link to the source of the original | agent is providing a back link to the source of the original | |||
representation. | representation. | |||
skipping to change at line 2481 ¶ | skipping to change at page 64, line 16 ¶ | |||
For example, if a client makes a PUT request on a negotiated resource | For example, if a client makes a PUT request on a negotiated resource | |||
and the origin server accepts that PUT (without redirection), then | and the origin server accepts that PUT (without redirection), then | |||
the new state of that resource is expected to be consistent with the | the new state of that resource is expected to be consistent with the | |||
one representation supplied in that PUT; the Content-Location cannot | one representation supplied in that PUT; the Content-Location cannot | |||
be used as a form of reverse content selection identifier to update | be used as a form of reverse content selection identifier to update | |||
only one of the negotiated representations. If the user agent had | only one of the negotiated representations. If the user agent had | |||
wanted the latter semantics, it would have applied the PUT directly | wanted the latter semantics, it would have applied the PUT directly | |||
to the Content-Location URI. | to the Content-Location URI. | |||
3.3. Payload Semantics | 6.3. Payload | |||
Some HTTP messages transfer a complete or partial representation as | Some HTTP messages transfer a complete or partial representation as | |||
the message "payload". In some cases, a payload might contain only | the message "payload". In some cases, a payload might contain only | |||
the associated representation's header fields (e.g., responses to | the associated representation's header fields (e.g., responses to | |||
HEAD) or only some part(s) of the representation data (e.g., the 206 | HEAD) or only some part(s) of the representation data (e.g., the 206 | |||
(Partial Content) status code). | (Partial Content) status code). | |||
Header fields that specifically describe the payload, rather than the | Header fields that specifically describe the payload, rather than the | |||
associated representation, are referred to as "payload header | associated representation, are referred to as "payload header | |||
fields". Payload header fields are defined in other parts of this | fields". Payload header fields are defined in other parts of this | |||
specification, due to their impact on message parsing. | specification, due to their impact on message parsing. | |||
+-------------------+----------------------------+ | +-------------------+----------------------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+-------------------+----------------------------+ | +-------------------+----------------------------+ | |||
| Content-Length | Section 3.3.2 of [RFC7230] | | | Content-Range | Section 6.3.4 | | |||
| Content-Range | Section 4.2 of [RFC7233] | | | Trailer | Section 4.6.3 | | |||
| Trailer | Section 4.4 of [RFC7230] | | | Transfer-Encoding | Section 6.1 of [Messaging] | | |||
| Transfer-Encoding | Section 3.3.1 of [RFC7230] | | ||||
+-------------------+----------------------------+ | +-------------------+----------------------------+ | |||
X.X.X. [Purpose] | 6.3.1. Purpose | |||
The purpose of a payload in a request is defined by the method | The purpose of a payload in a request is defined by the method | |||
semantics. For example, a representation in the payload of a PUT | semantics. For example, a representation in the payload of a PUT | |||
request (Section 4.3.4) represents the desired state of the target | request (Section 7.3.4) represents the desired state of the target | |||
resource if the request is successfully applied, whereas a | resource if the request is successfully applied, whereas a | |||
representation in the payload of a POST request (Section 4.3.3) | representation in the payload of a POST request (Section 7.3.3) | |||
represents information to be processed by the target resource. | represents information to be processed by the target resource. | |||
In a response, the payload's purpose is defined by both the request | In a response, the payload's purpose is defined by both the request | |||
method and the response status code. For example, the payload of a | method and the response status code. For example, the payload of a | |||
200 (OK) response to GET (Section 4.3.1) represents the current state | 200 (OK) response to GET (Section 7.3.1) represents the current state | |||
of the target resource, as observed at the time of the message | of the target resource, as observed at the time of the message | |||
origination date (Section 7.1.1.2), whereas the payload of the same | origination date (Section 10.1.1.2), whereas the payload of the same | |||
status code in a response to POST might represent either the | status code in a response to POST might represent either the | |||
processing result or the new state of the target resource after | processing result or the new state of the target resource after | |||
applying the processing. Response messages with an error status code | applying the processing. Response messages with an error status code | |||
usually contain a payload that represents the error condition, such | usually contain a payload that represents the error condition, such | |||
that it describes the error state and what next steps are suggested | that it describes the error state and what next steps are suggested | |||
for resolving it. | for resolving it. | |||
3.1.4.1. Identifying a Representation | 6.3.2. Identification | |||
When a complete or partial representation is transferred in a message | When a complete or partial representation is transferred in a message | |||
payload, it is often desirable for the sender to supply, or the | payload, it is often desirable for the sender to supply, or the | |||
recipient to determine, an identifier for a resource corresponding to | recipient to determine, an identifier for a resource corresponding to | |||
that representation. | that representation. | |||
For a request message: | For a request message: | |||
o If the request has a Content-Location header field, then the | o If the request has a Content-Location header field, then the | |||
sender asserts that the payload is a representation of the | sender asserts that the payload is a representation of the | |||
resource identified by the Content-Location field-value. However, | resource identified by the Content-Location field value. However, | |||
such an assertion cannot be trusted unless it can be verified by | such an assertion cannot be trusted unless it can be verified by | |||
other means (not defined by this specification). The information | other means (not defined by this specification). The information | |||
might still be useful for revision history links. | might still be useful for revision history links. | |||
o Otherwise, the payload is unidentified. | o Otherwise, the payload is unidentified. | |||
For a response message, the following rules are applied in order | For a response message, the following rules are applied in order | |||
until a match is found: | until a match is found: | |||
1. If the request method is GET or HEAD and the response status code | 1. If the request method is GET or HEAD and the response status code | |||
is 200 (OK), 204 (No Content), 206 (Partial Content), or 304 (Not | is 200 (OK), 204 (No Content), 206 (Partial Content), or 304 (Not | |||
Modified), the payload is a representation of the resource | Modified), the payload is a representation of the resource | |||
identified by the effective request URI (Section 5.5 of | identified by the effective request URI (Section 5.5). | |||
[RFC7230]). | ||||
2. If the request method is GET or HEAD and the response status code | 2. If the request method is GET or HEAD and the response status code | |||
is 203 (Non-Authoritative Information), the payload is a | is 203 (Non-Authoritative Information), the payload is a | |||
potentially modified or enhanced representation of the target | potentially modified or enhanced representation of the target | |||
resource as provided by an intermediary. | resource as provided by an intermediary. | |||
3. If the response has a Content-Location header field and its | 3. If the response has a Content-Location header field and its field | |||
field-value is a reference to the same URI as the effective | value is a reference to the same URI as the effective request | |||
request URI, the payload is a representation of the resource | URI, the payload is a representation of the resource identified | |||
identified by the effective request URI. | by the effective request URI. | |||
4. If the response has a Content-Location header field and its | 4. If the response has a Content-Location header field and its field | |||
field-value is a reference to a URI different from the effective | value is a reference to a URI different from the effective | |||
request URI, then the sender asserts that the payload is a | request URI, then the sender asserts that the payload is a | |||
representation of the resource identified by the Content-Location | representation of the resource identified by the Content-Location | |||
field-value. However, such an assertion cannot be trusted unless | field value. However, such an assertion cannot be trusted unless | |||
it can be verified by other means (not defined by this | it can be verified by other means (not defined by this | |||
specification). | specification). | |||
5. Otherwise, the payload is unidentified. | 5. Otherwise, the payload is unidentified. | |||
6.3.3. Payload Body | 6.3.3. Payload Body | |||
Responses to the HEAD request method (Section 4.3.2 | The payload body contains the data of a request or response. This is | |||
of [RFC7231]) never include a message body because the associated | distinct from the message body (e.g., Section 6 of [Messaging]), | |||
response header fields (e.g., Transfer-Encoding, Content-Length, | which is how the payload body is transferred "on the wire", and might | |||
etc.), if present, indicate only what their values would have been if | be encoded, depending on the HTTP version in use. | |||
the request method had been GET (Section 4.3.1 of [RFC7231]). | ||||
It is also distinct from a request or response's representation data | ||||
(Section 6.1), which can be inferred from protocol operation, rather | ||||
than necessarily appearing "on the wire." | ||||
The presence of a payload body in a request depends on whether the | ||||
request method used defines semantics for it. | ||||
The presence of a payload body in a response depends on both the | ||||
request method to which it is responding and the response status code | ||||
(Section 9). | ||||
Responses to the HEAD request method (Section 7.3.2) never include a | ||||
payload body because the associated response header fields indicate | ||||
only what their values would have been if the request method had been | ||||
GET (Section 7.3.1). | ||||
2xx (Successful) responses to a CONNECT request method | 2xx (Successful) responses to a CONNECT request method | |||
(Section 4.3.6 of [RFC7231]) switch to tunnel mode instead of | (Section 7.3.6) switch the connection to tunnel mode instead of | |||
having a message body. | having a payload body. | |||
All 1xx (Informational), 204 (No Content), and 304 (Not Modified) | All 1xx (Informational), 204 (No Content), and 304 (Not Modified) | |||
responses do not include a message body. | responses do not include a payload body. | |||
All other responses do include a message body, although the body | All other responses do include a payload body, although that body | |||
might be of zero length. | might be of zero length. | |||
4.2. Content-Range | 6.3.4. Content-Range | |||
The "Content-Range" header field is sent in a single part 206 | The "Content-Range" header field is sent in a single part 206 | |||
(Partial Content) response to indicate the partial range of the | (Partial Content) response to indicate the partial range of the | |||
selected representation enclosed as the message payload, sent in each | selected representation enclosed as the message payload, sent in each | |||
part of a multipart 206 response to indicate the range enclosed | part of a multipart 206 response to indicate the range enclosed | |||
within each body part, and sent in 416 (Range Not Satisfiable) | within each body part, and sent in 416 (Range Not Satisfiable) | |||
responses to provide information about the selected representation. | responses to provide information about the selected representation. | |||
Content-Range = byte-content-range | Content-Range = range-unit SP | |||
/ other-content-range | ( range-resp / unsatisfied-range ) | |||
byte-content-range = bytes-unit SP | ||||
( byte-range-resp / unsatisfied-range ) | ||||
byte-range-resp = byte-range "/" ( complete-length / "*" ) | range-resp = incl-range "/" ( complete-length / "*" ) | |||
byte-range = first-byte-pos "-" last-byte-pos | incl-range = first-pos "-" last-pos | |||
unsatisfied-range = "*/" complete-length | unsatisfied-range = "*/" complete-length | |||
complete-length = 1*DIGIT | complete-length = 1*DIGIT | |||
other-content-range = other-range-unit SP other-range-resp | ||||
other-range-resp = *CHAR | ||||
If a 206 (Partial Content) response contains a Content-Range header | If a 206 (Partial Content) response contains a Content-Range header | |||
field with a range unit (Section 2) that the recipient does not | field with a range unit (Section 6.1.4) that the recipient does not | |||
understand, the recipient MUST NOT attempt to recombine it with a | understand, the recipient MUST NOT attempt to recombine it with a | |||
stored representation. A proxy that receives such a message SHOULD | stored representation. A proxy that receives such a message SHOULD | |||
forward it downstream. | forward it downstream. | |||
For byte ranges, a sender SHOULD indicate the complete length of the | For byte ranges, a sender SHOULD indicate the complete length of the | |||
representation from which the range has been extracted, unless the | representation from which the range has been extracted, unless the | |||
complete length is unknown or difficult to determine. An asterisk | complete length is unknown or difficult to determine. An asterisk | |||
character ("*") in place of the complete-length indicates that the | character ("*") in place of the complete-length indicates that the | |||
representation length was unknown when the header field was | representation length was unknown when the header field was | |||
generated. | generated. | |||
skipping to change at line 2636 ¶ | skipping to change at page 67, line 37 ¶ | |||
The following example illustrates when the complete length of the | The following example illustrates when the complete length of the | |||
selected representation is known by the sender to be 1234 bytes: | selected representation is known by the sender to be 1234 bytes: | |||
Content-Range: bytes 42-1233/1234 | Content-Range: bytes 42-1233/1234 | |||
and this second example illustrates when the complete length is | and this second example illustrates when the complete length is | |||
unknown: | unknown: | |||
Content-Range: bytes 42-1233/* | Content-Range: bytes 42-1233/* | |||
A Content-Range field value is invalid if it contains a | A Content-Range field value is invalid if it contains a range-resp | |||
byte-range-resp that has a last-byte-pos value less than its | that has a last-pos value less than its first-pos value, or a | |||
first-byte-pos value, or a complete-length value less than or equal | complete-length value less than or equal to its last-pos value. The | |||
to its last-byte-pos value. The recipient of an invalid | recipient of an invalid Content-Range MUST NOT attempt to recombine | |||
Content-Range MUST NOT attempt to recombine the received content with | the received content with a stored representation. | |||
a stored representation. | ||||
A server generating a 416 (Range Not Satisfiable) response to a | A server generating a 416 (Range Not Satisfiable) response to a byte- | |||
byte-range request SHOULD send a Content-Range header field with an | range request SHOULD send a Content-Range header field with an | |||
unsatisfied-range value, as in the following example: | unsatisfied-range value, as in the following example: | |||
Content-Range: bytes */1234 | Content-Range: bytes */1234 | |||
The complete-length in a 416 response indicates the current length of | The complete-length in a 416 response indicates the current length of | |||
the selected representation. | the selected representation. | |||
The Content-Range header field has no meaning for status codes that | The Content-Range header field has no meaning for status codes that | |||
do not explicitly describe its semantic. For this specification, | do not explicitly describe its semantic. For this specification, | |||
only the 206 (Partial Content) and 416 (Range Not Satisfiable) status | only the 206 (Partial Content) and 416 (Range Not Satisfiable) status | |||
skipping to change at line 2676 ¶ | skipping to change at page 68, line 29 ¶ | |||
Content-Range: bytes 500-999/1234 | Content-Range: bytes 500-999/1234 | |||
o All except for the first 500 bytes: | o All except for the first 500 bytes: | |||
Content-Range: bytes 500-1233/1234 | Content-Range: bytes 500-1233/1234 | |||
o The last 500 bytes: | o The last 500 bytes: | |||
Content-Range: bytes 734-1233/1234 | Content-Range: bytes 734-1233/1234 | |||
Appendix A. Internet Media Type multipart/byteranges | 6.3.5. Media Type multipart/byteranges | |||
When a 206 (Partial Content) response message includes the content of | When a 206 (Partial Content) response message includes the content of | |||
multiple ranges, they are transmitted as body parts in a multipart | multiple ranges, they are transmitted as body parts in a multipart | |||
message body ([RFC2046], Section 5.1) with the media type of | message body ([RFC2046], Section 5.1) with the media type of | |||
"multipart/byteranges". | "multipart/byteranges". | |||
The multipart/byteranges media type includes one or more body parts, | The multipart/byteranges media type includes one or more body parts, | |||
each with its own Content-Type and Content-Range fields. The | each with its own Content-Type and Content-Range fields. The | |||
required boundary parameter specifies the boundary string used to | required boundary parameter specifies the boundary string used to | |||
separate each body part. | separate each body part. | |||
skipping to change at line 2724 ¶ | skipping to change at page 69, line 36 ¶ | |||
Content-Range: exampleunit 1.2-4.3/25 | Content-Range: exampleunit 1.2-4.3/25 | |||
...the first range... | ...the first range... | |||
--THIS_STRING_SEPARATES | --THIS_STRING_SEPARATES | |||
Content-Type: video/example | Content-Type: video/example | |||
Content-Range: exampleunit 11.2-14.3/25 | Content-Range: exampleunit 11.2-14.3/25 | |||
...the second range | ...the second range | |||
--THIS_STRING_SEPARATES-- | --THIS_STRING_SEPARATES-- | |||
5.4.1. Internet Media Type multipart/byteranges | The following information serves as the registration form for the | |||
multipart/byteranges media type. | ||||
This document serves as the specification for the Internet media type | ||||
"multipart/byteranges". The following has been registered with IANA. | ||||
Type name: multipart | Type name: multipart | |||
Subtype name: byteranges | Subtype name: byteranges | |||
Required parameters: boundary | Required parameters: boundary | |||
Optional parameters: N/A | Optional parameters: N/A | |||
Encoding considerations: only "7bit", "8bit", or "binary" are | Encoding considerations: only "7bit", "8bit", or "binary" are | |||
permitted | permitted | |||
Security considerations: see Section 6 | Security considerations: see Section 11 | |||
Interoperability considerations: N/A | Interoperability considerations: N/A | |||
Published specification: This specification (see Section 6.3.5). | ||||
Published specification: This specification (see Appendix A). | ||||
Applications that use this media type: HTTP components supporting | Applications that use this media type: HTTP components supporting | |||
multiple ranges in a single request. | multiple ranges in a single request. | |||
Fragment identifier considerations: N/A | Fragment identifier considerations: N/A | |||
Additional information: | Additional information: | |||
Deprecated alias names for this type: N/A | Deprecated alias names for this type: N/A | |||
Magic number(s): N/A | Magic number(s): N/A | |||
File extension(s): N/A | File extension(s): N/A | |||
Macintosh file type code(s): N/A | Macintosh file type code(s): N/A | |||
Person and email address to contact for further information: See | Person and email address to contact for further information: See Aut | |||
Authors' Addresses section. | hors' Addresses section. | |||
Intended usage: COMMON | Intended usage: COMMON | |||
Restrictions on usage: N/A | Restrictions on usage: N/A | |||
Author: See Authors' Addresses section. | Author: See Authors' Addresses section. | |||
Change controller: IESG | Change controller: IESG | |||
3.4. Content Negotiation | 6.4. Content Negotiation | |||
When responses convey payload information, whether indicating a | When responses convey payload information, whether indicating a | |||
success or an error, the origin server often has different ways of | success or an error, the origin server often has different ways of | |||
representing that information; for example, in different formats, | representing that information; for example, in different formats, | |||
languages, or encodings. Likewise, different users or user agents | languages, or encodings. Likewise, different users or user agents | |||
might have differing capabilities, characteristics, or preferences | might have differing capabilities, characteristics, or preferences | |||
that could influence which representation, among those available, | that could influence which representation, among those available, | |||
would be best to deliver. For this reason, HTTP provides mechanisms | would be best to deliver. For this reason, HTTP provides mechanisms | |||
for content negotiation. | for content negotiation. | |||
skipping to change at line 2805 ¶ | skipping to change at page 71, line 18 ¶ | |||
practicality. | practicality. | |||
Note that, in all cases, HTTP is not aware of the resource semantics. | Note that, in all cases, HTTP is not aware of the resource semantics. | |||
The consistency with which an origin server responds to requests, | The consistency with which an origin server responds to requests, | |||
over time and over the varying dimensions of content negotiation, and | over time and over the varying dimensions of content negotiation, and | |||
thus the "sameness" of a resource's observed representations over | thus the "sameness" of a resource's observed representations over | |||
time, is determined entirely by whatever entity or algorithm selects | time, is determined entirely by whatever entity or algorithm selects | |||
or generates those responses. HTTP pays no attention to the man | or generates those responses. HTTP pays no attention to the man | |||
behind the curtain. | behind the curtain. | |||
3.4.1. Proactive Negotiation | 6.4.1. Proactive Negotiation | |||
When content negotiation preferences are sent by the user agent in a | When content negotiation preferences are sent by the user agent in a | |||
request to encourage an algorithm located at the server to select the | request to encourage an algorithm located at the server to select the | |||
preferred representation, it is called proactive negotiation (a.k.a., | preferred representation, it is called proactive negotiation (a.k.a., | |||
server-driven negotiation). Selection is based on the available | server-driven negotiation). Selection is based on the available | |||
representations for a response (the dimensions over which it might | representations for a response (the dimensions over which it might | |||
vary, such as language, content-coding, etc.) compared to various | vary, such as language, content-coding, etc.) compared to various | |||
information supplied in the request, including both the explicit | information supplied in the request, including both the explicit | |||
negotiation fields of Section 5.3 and implicit characteristics, such | negotiation fields of Section 8.4 and implicit characteristics, such | |||
as the client's network address or parts of the User-Agent field. | as the client's network address or parts of the User-Agent field. | |||
Proactive negotiation is advantageous when the algorithm for | Proactive negotiation is advantageous when the algorithm for | |||
selecting from among the available representations is difficult to | selecting from among the available representations is difficult to | |||
describe to a user agent, or when the server desires to send its | describe to a user agent, or when the server desires to send its | |||
"best guess" to the user agent along with the first response (hoping | "best guess" to the user agent along with the first response (hoping | |||
to avoid the round trip delay of a subsequent request if the "best | to avoid the round trip delay of a subsequent request if the "best | |||
guess" is good enough for the user). In order to improve the | guess" is good enough for the user). In order to improve the | |||
server's guess, a user agent MAY send request header fields that | server's guess, a user agent MAY send request header fields that | |||
describe its preferences. | describe its preferences. | |||
skipping to change at line 2850 ¶ | skipping to change at page 72, line 16 ¶ | |||
algorithms for generating responses to a request; and, | algorithms for generating responses to a request; and, | |||
o It limits the reusability of responses for shared caching. | o It limits the reusability of responses for shared caching. | |||
A user agent cannot rely on proactive negotiation preferences being | A user agent cannot rely on proactive negotiation preferences being | |||
consistently honored, since the origin server might not implement | consistently honored, since the origin server might not implement | |||
proactive negotiation for the requested resource or might decide that | proactive negotiation for the requested resource or might decide that | |||
sending a response that doesn't conform to the user agent's | sending a response that doesn't conform to the user agent's | |||
preferences is better than sending a 406 (Not Acceptable) response. | preferences is better than sending a 406 (Not Acceptable) response. | |||
A Vary header field (Section 7.1.4) is often sent in a response | A Vary header field (Section 10.1.4) is often sent in a response | |||
subject to proactive negotiation to indicate what parts of the | subject to proactive negotiation to indicate what parts of the | |||
request information were used in the selection algorithm. | request information were used in the selection algorithm. | |||
3.4.2. Reactive Negotiation | 6.4.2. Reactive Negotiation | |||
With reactive negotiation (a.k.a., agent-driven negotiation), | With reactive negotiation (a.k.a., agent-driven negotiation), | |||
selection of the best response representation (regardless of the | selection of the best response representation (regardless of the | |||
status code) is performed by the user agent after receiving an | status code) is performed by the user agent after receiving an | |||
initial response from the origin server that contains a list of | initial response from the origin server that contains a list of | |||
resources for alternative representations. If the user agent is not | resources for alternative representations. If the user agent is not | |||
satisfied by the initial response representation, it can perform a | satisfied by the initial response representation, it can perform a | |||
GET request on one or more of the alternative resources, selected | GET request on one or more of the alternative resources, selected | |||
based on metadata included in the list, to obtain a different form of | based on metadata included in the list, to obtain a different form of | |||
representation for that response. Selection of alternatives might be | representation for that response. Selection of alternatives might be | |||
skipping to change at line 2899 ¶ | skipping to change at page 73, line 16 ¶ | |||
caches are used to distribute server load and reduce network usage. | caches are used to distribute server load and reduce network usage. | |||
Reactive negotiation suffers from the disadvantages of transmitting a | Reactive negotiation suffers from the disadvantages of transmitting a | |||
list of alternatives to the user agent, which degrades user-perceived | list of alternatives to the user agent, which degrades user-perceived | |||
latency if transmitted in the header section, and needing a second | latency if transmitted in the header section, and needing a second | |||
request to obtain an alternate representation. Furthermore, this | request to obtain an alternate representation. Furthermore, this | |||
specification does not define a mechanism for supporting automatic | specification does not define a mechanism for supporting automatic | |||
selection, though it does not prevent such a mechanism from being | selection, though it does not prevent such a mechanism from being | |||
developed as an extension. | developed as an extension. | |||
4. Request Methods | 7. Request Methods | |||
4.1. Overview | 7.1. Overview | |||
The request method token is the primary source of request semantics; | The request method token is the primary source of request semantics; | |||
it indicates the purpose for which the client has made this request | it indicates the purpose for which the client has made this request | |||
and what is expected by the client as a successful result. | and what is expected by the client as a successful result. | |||
The request method's semantics might be further specialized by the | The request method's semantics might be further specialized by the | |||
semantics of some header fields when present in a request (Section 5) | semantics of some header fields when present in a request (Section 8) | |||
if those additional semantics do not conflict with the method. For | if those additional semantics do not conflict with the method. For | |||
example, a client can send conditional request header fields | example, a client can send conditional request header fields | |||
(Section 5.2) to make the requested action conditional on the current | (Section 8.2) to make the requested action conditional on the current | |||
state of the target resource ([RFC7232]). | state of the target resource. | |||
method = token | method = token | |||
HTTP was originally designed to be usable as an interface to | HTTP was originally designed to be usable as an interface to | |||
distributed object systems. The request method was envisioned as | distributed object systems. The request method was envisioned as | |||
applying semantics to a target resource in much the same way as | applying semantics to a target resource in much the same way as | |||
invoking a defined method on an identified object would apply | invoking a defined method on an identified object would apply | |||
semantics. The method token is case-sensitive because it might be | semantics. | |||
used as a gateway to object-based systems with case-sensitive method | ||||
names. | The method token is case-sensitive because it might be used as a | |||
gateway to object-based systems with case-sensitive method names. By | ||||
convention, standardized methods are defined in all-uppercase US- | ||||
ASCII letters. | ||||
Unlike distributed objects, the standardized request methods in HTTP | Unlike distributed objects, the standardized request methods in HTTP | |||
are not resource-specific, since uniform interfaces provide for | are not resource-specific, since uniform interfaces provide for | |||
better visibility and reuse in network-based systems [REST]. Once | better visibility and reuse in network-based systems [REST]. Once | |||
defined, a standardized method ought to have the same semantics when | defined, a standardized method ought to have the same semantics when | |||
applied to any resource, though each resource determines for itself | applied to any resource, though each resource determines for itself | |||
whether those semantics are implemented or allowed. | whether those semantics are implemented or allowed. | |||
This specification defines a number of standardized methods that are | This specification defines a number of standardized methods that are | |||
commonly used in HTTP, as outlined by the following table. By | commonly used in HTTP, as outlined by the following table. | |||
convention, standardized methods are defined in all-uppercase | ||||
US-ASCII letters. | ||||
+---------+-------------------------------------------------+-------+ | +---------+-------------------------------------------------+-------+ | |||
| Method | Description | Sec. | | | Method | Description | Sec. | | |||
+---------+-------------------------------------------------+-------+ | +---------+-------------------------------------------------+-------+ | |||
| GET | Transfer a current representation of the target | 4.3.1 | | | GET | Transfer a current representation of the target | 7.3.1 | | |||
| | resource. | | | | | resource. | | | |||
| HEAD | Same as GET, but only transfer the status line | 4.3.2 | | | HEAD | Same as GET, but only transfer the status line | 7.3.2 | | |||
| | and header section. | | | | | and header section. | | | |||
| POST | Perform resource-specific processing on the | 4.3.3 | | | POST | Perform resource-specific processing on the | 7.3.3 | | |||
| | request payload. | | | | | request payload. | | | |||
| PUT | Replace all current representations of the | 4.3.4 | | | PUT | Replace all current representations of the | 7.3.4 | | |||
| | target resource with the request payload. | | | | | target resource with the request payload. | | | |||
| DELETE | Remove all current representations of the | 4.3.5 | | | DELETE | Remove all current representations of the | 7.3.5 | | |||
| | target resource. | | | | | target resource. | | | |||
| CONNECT | Establish a tunnel to the server identified by | 4.3.6 | | | CONNECT | Establish a tunnel to the server identified by | 7.3.6 | | |||
| | the target resource. | | | | | the target resource. | | | |||
| OPTIONS | Describe the communication options for the | 4.3.7 | | | OPTIONS | Describe the communication options for the | 7.3.7 | | |||
| | target resource. | | | | | target resource. | | | |||
| TRACE | Perform a message loop-back test along the path | 4.3.8 | | | TRACE | Perform a message loop-back test along the path | 7.3.8 | | |||
| | to the target resource. | | | | | to the target resource. | | | |||
+---------+-------------------------------------------------+-------+ | +---------+-------------------------------------------------+-------+ | |||
Table 4 | ||||
All general-purpose servers MUST support the methods GET and HEAD. | All general-purpose servers MUST support the methods GET and HEAD. | |||
All other methods are OPTIONAL. | All other methods are OPTIONAL. | |||
The set of methods allowed by a target resource can be listed in an | The set of methods allowed by a target resource can be listed in an | |||
Allow header field (Section 7.4.1). However, the set of allowed | Allow header field (Section 10.4.2). However, the set of allowed | |||
methods can change dynamically. When a request method is received | methods can change dynamically. When a request method is received | |||
that is unrecognized or not implemented by an origin server, the | that is unrecognized or not implemented by an origin server, the | |||
origin server SHOULD respond with the 501 (Not Implemented) status | origin server SHOULD respond with the 501 (Not Implemented) status | |||
code. When a request method is received that is known by an origin | code. When a request method is received that is known by an origin | |||
server but not allowed for the target resource, the origin server | server but not allowed for the target resource, the origin server | |||
SHOULD respond with the 405 (Method Not Allowed) status code. | SHOULD respond with the 405 (Method Not Allowed) status code. | |||
4.2. Common Method Properties | 7.2. Common Method Properties | |||
+---------+------+------------+----------------+ | +---------+------+------------+----------------+ | |||
| Method | Safe | Idempotent | Reference | | | Method | Safe | Idempotent | Reference | | |||
+---------+------+------------+----------------+ | +---------+------+------------+----------------+ | |||
| CONNECT | no | no | Section 4.3.6 | | | CONNECT | no | no | Section 7.3.6 | | |||
| DELETE | no | yes | Section 4.3.5 | | | DELETE | no | yes | Section 7.3.5 | | |||
| GET | yes | yes | Section 4.3.1 | | | GET | yes | yes | Section 7.3.1 | | |||
| HEAD | yes | yes | Section 4.3.2 | | | HEAD | yes | yes | Section 7.3.2 | | |||
| OPTIONS | yes | yes | Section 4.3.7 | | | OPTIONS | yes | yes | Section 7.3.7 | | |||
| POST | no | no | Section 4.3.3 | | | POST | no | no | Section 7.3.3 | | |||
| PUT | no | yes | Section 4.3.4 | | | PUT | no | yes | Section 7.3.4 | | |||
| TRACE | yes | yes | Section 4.3.8 | | | TRACE | yes | yes | Section 7.3.8 | | |||
+---------+------+------------+----------------+ | +---------+------+------------+----------------+ | |||
4.2.1. Safe Methods | Table 5 | |||
7.2.1. Safe Methods | ||||
Request methods are considered "safe" if their defined semantics are | Request methods are considered "safe" if their defined semantics are | |||
essentially read-only; i.e., the client does not request, and does | essentially read-only; i.e., the client does not request, and does | |||
not expect, any state change on the origin server as a result of | not expect, any state change on the origin server as a result of | |||
applying a safe method to a target resource. Likewise, reasonable | applying a safe method to a target resource. Likewise, reasonable | |||
use of a safe method is not expected to cause any harm, loss of | use of a safe method is not expected to cause any harm, loss of | |||
property, or unusual burden on the origin server. | property, or unusual burden on the origin server. | |||
This definition of safe methods does not prevent an implementation | This definition of safe methods does not prevent an implementation | |||
from including behavior that is potentially harmful, that is not | from including behavior that is potentially harmful, that is not | |||
skipping to change at line 3032 ¶ | skipping to change at page 76, line 22 ¶ | |||
consistent with the request method semantics. For example, it is | consistent with the request method semantics. For example, it is | |||
common for Web-based content editing software to use actions within | common for Web-based content editing software to use actions within | |||
query parameters, such as "page?do=delete". If the purpose of such a | query parameters, such as "page?do=delete". If the purpose of such a | |||
resource is to perform an unsafe action, then the resource owner MUST | resource is to perform an unsafe action, then the resource owner MUST | |||
disable or disallow that action when it is accessed using a safe | disable or disallow that action when it is accessed using a safe | |||
request method. Failure to do so will result in unfortunate side | request method. Failure to do so will result in unfortunate side | |||
effects when automated processes perform a GET on every URI reference | effects when automated processes perform a GET on every URI reference | |||
for the sake of link maintenance, pre-fetching, building a search | for the sake of link maintenance, pre-fetching, building a search | |||
index, etc. | index, etc. | |||
4.2.2. Idempotent Methods | 7.2.2. Idempotent Methods | |||
A request method is considered "idempotent" if the intended effect on | A request method is considered "idempotent" if the intended effect on | |||
the server of multiple identical requests with that method is the | the server of multiple identical requests with that method is the | |||
same as the effect for a single such request. Of the request methods | same as the effect for a single such request. Of the request methods | |||
defined by this specification, PUT, DELETE, and safe request methods | defined by this specification, PUT, DELETE, and safe request methods | |||
are idempotent. | are idempotent. | |||
Like the definition of safe, the idempotent property only applies to | Like the definition of safe, the idempotent property only applies to | |||
what has been requested by the user; a server is free to log each | what has been requested by the user; a server is free to log each | |||
request separately, retain a revision control history, or implement | request separately, retain a revision control history, or implement | |||
skipping to change at line 3054 ¶ | skipping to change at page 76, line 44 ¶ | |||
Idempotent methods are distinguished because the request can be | Idempotent methods are distinguished because the request can be | |||
repeated automatically if a communication failure occurs before the | repeated automatically if a communication failure occurs before the | |||
client is able to read the server's response. For example, if a | client is able to read the server's response. For example, if a | |||
client sends a PUT request and the underlying connection is closed | client sends a PUT request and the underlying connection is closed | |||
before any response is received, then the client can establish a new | before any response is received, then the client can establish a new | |||
connection and retry the idempotent request. It knows that repeating | connection and retry the idempotent request. It knows that repeating | |||
the request will have the same intended effect, even if the original | the request will have the same intended effect, even if the original | |||
request succeeded, though the response might differ. | request succeeded, though the response might differ. | |||
A user agent MUST NOT automatically retry a request with a non- | A client SHOULD NOT automatically retry a request with a non- | |||
idempotent method unless it has some means to know that the request | idempotent method unless it has some means to know that the request | |||
semantics are actually idempotent, regardless of the method, or some | semantics are actually idempotent, regardless of the method, or some | |||
means to detect that the original request was never applied. | means to detect that the original request was never applied. | |||
For example, a user agent that knows (through design or | For example, a user agent that knows (through design or | |||
configuration) that a POST request to a given resource is safe can | configuration) that a POST request to a given resource is safe can | |||
repeat that request automatically. Likewise, a user agent designed | repeat that request automatically. Likewise, a user agent designed | |||
specifically to operate on a version control repository might be able | specifically to operate on a version control repository might be able | |||
to recover from partial failure conditions by checking the target | to recover from partial failure conditions by checking the target | |||
resource revision(s) after a failed connection, reverting or fixing | resource revision(s) after a failed connection, reverting or fixing | |||
any changes that were partially applied, and then automatically | any changes that were partially applied, and then automatically | |||
retrying the requests that failed. | retrying the requests that failed. | |||
Some clients use weaker signals to initiate automatic retries. For | ||||
example, when a POST request is sent, but the underlying transport | ||||
connection is closed before any part of the response is received. | ||||
Although this is commonly implemented, it is not recommended. | ||||
A proxy MUST NOT automatically retry non-idempotent requests. A | A proxy MUST NOT automatically retry non-idempotent requests. A | |||
client SHOULD NOT automatically retry a failed automatic retry. | client SHOULD NOT automatically retry a failed automatic retry. | |||
7.2.3. Methods and Caching | 7.2.3. Methods and Caching | |||
Request methods can be defined as "cacheable" to indicate that | For a cache to store and use a response, the associated method needs | |||
responses to them are allowed to be stored for future reuse; for | to explicitly allow caching, and detail under what conditions a | |||
specific requirements see [RFC7234]. In general, safe methods that | response can be used to satisfy subsequent requests; a method | |||
do not depend on a current or authoritative response are defined as | definition which does not do so cannot be cached. For additional | |||
cacheable; this specification defines GET, HEAD, and POST as | requirements see [Caching]. | |||
cacheable, although the overwhelming majority of cache | ||||
implementations only support GET and HEAD. | ||||
4.3. Method Definitions | This specification defines caching semantics for GET, HEAD, and POST, | |||
although the overwhelming majority of cache implementations only | ||||
support GET and HEAD. | ||||
4.3.1. GET | 7.3. Method Definitions | |||
7.3.1. GET | ||||
The GET method requests transfer of a current selected representation | The GET method requests transfer of a current selected representation | |||
for the target resource. GET is the primary mechanism of information | for the target resource. GET is the primary mechanism of information | |||
retrieval and the focus of almost all performance optimizations. | retrieval and the focus of almost all performance optimizations. | |||
Hence, when people speak of retrieving some identifiable information | Hence, when people speak of retrieving some identifiable information | |||
via HTTP, they are generally referring to making a GET request. | via HTTP, they are generally referring to making a GET request. | |||
The GET method is specifically intended to reflect the quality of | ||||
"sameness" identified by the request URI as if it were referenced as | ||||
an ordinary hypertext link. | ||||
It is tempting to think of resource identifiers as remote file system | It is tempting to think of resource identifiers as remote file system | |||
pathnames and of representations as being a copy of the contents of | pathnames and of representations as being a copy of the contents of | |||
such files. In fact, that is how many resources are implemented (see | such files. In fact, that is how many resources are implemented (see | |||
Section 9.1 for related security considerations). However, there are | Section 11.3 for related security considerations). However, there | |||
no such limitations in practice. The HTTP interface for a resource | are no such limitations in practice. The HTTP interface for a | |||
is just as likely to be implemented as a tree of content objects, a | resource is just as likely to be implemented as a tree of content | |||
programmatic view on various database records, or a gateway to other | objects, a programmatic view on various database records, or a | |||
information systems. Even when the URI mapping mechanism is tied to | gateway to other information systems. Even when the URI mapping | |||
a file system, an origin server might be configured to execute the | mechanism is tied to a file system, an origin server might be | |||
files with the request as input and send the output as the | configured to execute the files with the request as input and send | |||
representation rather than transfer the files directly. Regardless, | the output as the representation rather than transfer the files | |||
only the origin server needs to know how each of its resource | directly. Regardless, only the origin server needs to know how each | |||
identifiers corresponds to an implementation and how each | of its resource identifiers corresponds to an implementation and how | |||
implementation manages to select and send a current representation of | each implementation manages to select and send a current | |||
the target resource in a response to GET. | representation of the target resource in a response to GET. | |||
A client can alter the semantics of GET to be a "range request", | A client can alter the semantics of GET to be a "range request", | |||
requesting transfer of only some part(s) of the selected | requesting transfer of only some part(s) of the selected | |||
representation, by sending a Range header field in the request | representation, by sending a Range header field in the request | |||
([RFC7233]). | (Section 8.3). | |||
A payload within a GET request message has no defined semantics; | A client SHOULD NOT generate a body in a GET request. A payload | |||
sending a payload body on a GET request might cause some existing | received in a GET request has no defined semantics, cannot alter the | |||
implementations to reject the request. | meaning or target of the request, and might lead some implementations | |||
to reject the request and close the connection because of its | ||||
potential as a request smuggling attack (Section 11.2 of | ||||
[Messaging]). | ||||
The response to a GET request is cacheable; a cache MAY use it to | The response to a GET request is cacheable; a cache MAY use it to | |||
satisfy subsequent GET and HEAD requests unless otherwise indicated | satisfy subsequent GET and HEAD requests unless otherwise indicated | |||
by the Cache-Control header field (Section 5.2 of [RFC7234]). | by the Cache-Control header field (Section 5.2 of [Caching]). A | |||
cache that receives a payload in a GET request is likely to ignore | ||||
that payload and cache regardless of the payload contents. | ||||
4.3.2. HEAD | 7.3.2. HEAD | |||
The HEAD method is identical to GET except that the server MUST NOT | The HEAD method is identical to GET except that the server MUST NOT | |||
send a message body in the response (i.e., the response terminates at | send a message body in the response (i.e., the response terminates at | |||
the end of the header section). The server SHOULD send the same | the end of the header section). The server SHOULD send the same | |||
header fields in response to a HEAD request as it would have sent if | header fields in response to a HEAD request as it would have sent if | |||
the request had been a GET, except that the payload header fields | the request had been a GET, except that the payload header fields | |||
(Section 3.3) MAY be omitted. This method can be used for obtaining | (Section 6.3) MAY be omitted. This method can be used for obtaining | |||
metadata about the selected representation without transferring the | metadata about the selected representation without transferring the | |||
representation data and is often used for testing hypertext links for | representation data and is often used for testing hypertext links for | |||
validity, accessibility, and recent modification. | validity, accessibility, and recent modification. | |||
A payload within a HEAD request message has no defined semantics; | A payload within a HEAD request message has no defined semantics; | |||
sending a payload body on a HEAD request might cause some existing | sending a payload body on a HEAD request might cause some existing | |||
implementations to reject the request. | implementations to reject the request. | |||
The response to a HEAD request is cacheable; a cache MAY use it to | The response to a HEAD request is cacheable; a cache MAY use it to | |||
satisfy subsequent HEAD requests unless otherwise indicated by the | satisfy subsequent HEAD requests unless otherwise indicated by the | |||
Cache-Control header field (Section 5.2 of [RFC7234]). A HEAD | Cache-Control header field (Section 5.2 of [Caching]). A HEAD | |||
response might also have an effect on previously cached responses to | response might also have an effect on previously cached responses to | |||
GET; see Section 4.3.5 of [RFC7234]. | GET; see Section 4.3.5 of [Caching]. | |||
4.3.3. POST | 7.3.3. POST | |||
The POST method requests that the target resource process the | The POST method requests that the target resource process the | |||
representation enclosed in the request according to the resource's | representation enclosed in the request according to the resource's | |||
own specific semantics. For example, POST is used for the following | own specific semantics. For example, POST is used for the following | |||
functions (among others): | functions (among others): | |||
o Providing a block of data, such as the fields entered into an HTML | o Providing a block of data, such as the fields entered into an HTML | |||
form, to a data-handling process; | form, to a data-handling process; | |||
o Posting a message to a bulletin board, newsgroup, mailing list, | o Posting a message to a bulletin board, newsgroup, mailing list, | |||
skipping to change at line 3171 ¶ | skipping to change at page 79, line 34 ¶ | |||
appropriate status code depending on the result of processing the | appropriate status code depending on the result of processing the | |||
POST request; almost all of the status codes defined by this | POST request; almost all of the status codes defined by this | |||
specification might be received in a response to POST (the exceptions | specification might be received in a response to POST (the exceptions | |||
being 206 (Partial Content), 304 (Not Modified), and 416 (Range Not | being 206 (Partial Content), 304 (Not Modified), and 416 (Range Not | |||
Satisfiable)). | Satisfiable)). | |||
If one or more resources has been created on the origin server as a | If one or more resources has been created on the origin server as a | |||
result of successfully processing a POST request, the origin server | result of successfully processing a POST request, the origin server | |||
SHOULD send a 201 (Created) response containing a Location header | SHOULD send a 201 (Created) response containing a Location header | |||
field that provides an identifier for the primary resource created | field that provides an identifier for the primary resource created | |||
(Section 7.1.2) and a representation that describes the status of the | (Section 10.1.2) and a representation that describes the status of | |||
request while referring to the new resource(s). | the request while referring to the new resource(s). | |||
Responses to POST requests are only cacheable when they include | Responses to POST requests are only cacheable when they include | |||
explicit freshness information (see Section 4.2.1 of [RFC7234]). | explicit freshness information (see Section 4.2.1 of [Caching]) and a | |||
However, POST caching is not widely implemented. For cases where an | ||||
origin server wishes the client to be able to cache the result of a | ||||
POST in a way that can be reused by a later GET, the origin server | ||||
MAY send a 200 (OK) response containing the result and a | ||||
Content-Location header field that has the same value as the POST's | Content-Location header field that has the same value as the POST's | |||
effective request URI (Section 3.1.4.2). | effective request URI (Section 6.2.5). A cached POST response can be | |||
reused to satisfy a later GET or HEAD request, but not a POST | ||||
request, since POST is required to be written through to the origin | ||||
server, because it is unsafe; see Section 4 of [Caching]. | ||||
If the result of processing a POST would be equivalent to a | If the result of processing a POST would be equivalent to a | |||
representation of an existing resource, an origin server MAY redirect | representation of an existing resource, an origin server MAY redirect | |||
the user agent to that resource by sending a 303 (See Other) response | the user agent to that resource by sending a 303 (See Other) response | |||
with the existing resource's identifier in the Location field. This | with the existing resource's identifier in the Location field. This | |||
has the benefits of providing the user agent a resource identifier | has the benefits of providing the user agent a resource identifier | |||
and transferring the representation via a method more amenable to | and transferring the representation via a method more amenable to | |||
shared caching, though at the cost of an extra request if the user | shared caching, though at the cost of an extra request if the user | |||
agent does not already have the representation cached. | agent does not already have the representation cached. | |||
4.3.4. PUT | 7.3.4. PUT | |||
The PUT method requests that the state of the target resource be | The PUT method requests that the state of the target resource be | |||
created or replaced with the state defined by the representation | created or replaced with the state defined by the representation | |||
enclosed in the request message payload. A successful PUT of a given | enclosed in the request message payload. A successful PUT of a given | |||
representation would suggest that a subsequent GET on that same | representation would suggest that a subsequent GET on that same | |||
target resource will result in an equivalent representation being | target resource will result in an equivalent representation being | |||
sent in a 200 (OK) response. However, there is no guarantee that | sent in a 200 (OK) response. However, there is no guarantee that | |||
such a state change will be observable, since the target resource | such a state change will be observable, since the target resource | |||
might be acted upon by other user agents in parallel, or might be | might be acted upon by other user agents in parallel, or might be | |||
subject to dynamic processing by the origin server, before any | subject to dynamic processing by the origin server, before any | |||
skipping to change at line 3216 ¶ | skipping to change at page 80, line 29 ¶ | |||
If the target resource does not have a current representation and the | If the target resource does not have a current representation and the | |||
PUT successfully creates one, then the origin server MUST inform the | PUT successfully creates one, then the origin server MUST inform the | |||
user agent by sending a 201 (Created) response. If the target | user agent by sending a 201 (Created) response. If the target | |||
resource does have a current representation and that representation | resource does have a current representation and that representation | |||
is successfully modified in accordance with the state of the enclosed | is successfully modified in accordance with the state of the enclosed | |||
representation, then the origin server MUST send either a 200 (OK) or | representation, then the origin server MUST send either a 200 (OK) or | |||
a 204 (No Content) response to indicate successful completion of the | a 204 (No Content) response to indicate successful completion of the | |||
request. | request. | |||
An origin server SHOULD ignore unrecognized header fields received in | An origin server SHOULD ignore unrecognized header and trailer fields | |||
a PUT request (i.e., do not save them as part of the resource state). | received in a PUT request (i.e., do not save them as part of the | |||
resource state). | ||||
An origin server SHOULD verify that the PUT representation is | An origin server SHOULD verify that the PUT representation is | |||
consistent with any constraints the server has for the target | consistent with any constraints the server has for the target | |||
resource that cannot or will not be changed by the PUT. This is | resource that cannot or will not be changed by the PUT. This is | |||
particularly important when the origin server uses internal | particularly important when the origin server uses internal | |||
configuration information related to the URI in order to set the | configuration information related to the URI in order to set the | |||
values for representation metadata on GET responses. When a PUT | values for representation metadata on GET responses. When a PUT | |||
representation is inconsistent with the target resource, the origin | representation is inconsistent with the target resource, the origin | |||
server SHOULD either make them consistent, by transforming the | server SHOULD either make them consistent, by transforming the | |||
representation or changing the resource configuration, or respond | representation or changing the resource configuration, or respond | |||
skipping to change at line 3259 ¶ | skipping to change at page 81, line 24 ¶ | |||
agent request and the semantics of the origin server response. It | agent request and the semantics of the origin server response. It | |||
does not define what a resource might be, in any sense of that word, | does not define what a resource might be, in any sense of that word, | |||
beyond the interface provided via HTTP. It does not define how | beyond the interface provided via HTTP. It does not define how | |||
resource state is "stored", nor how such storage might change as a | resource state is "stored", nor how such storage might change as a | |||
result of a change in resource state, nor how the origin server | result of a change in resource state, nor how the origin server | |||
translates resource state into representations. Generally speaking, | translates resource state into representations. Generally speaking, | |||
all implementation details behind the resource interface are | all implementation details behind the resource interface are | |||
intentionally hidden by the server. | intentionally hidden by the server. | |||
An origin server MUST NOT send a validator header field | An origin server MUST NOT send a validator header field | |||
(Section 7.2), such as an ETag or Last-Modified field, in a | (Section 10.2), such as an ETag or Last-Modified field, in a | |||
successful response to PUT unless the request's representation data | successful response to PUT unless the request's representation data | |||
was saved without any transformation applied to the body (i.e., the | was saved without any transformation applied to the body (i.e., the | |||
resource's new representation data is identical to the representation | resource's new representation data is identical to the representation | |||
data received in the PUT request) and the validator field value | data received in the PUT request) and the validator field value | |||
reflects the new representation. This requirement allows a user | reflects the new representation. This requirement allows a user | |||
agent to know when the representation body it has in memory remains | agent to know when the representation body it has in memory remains | |||
current as a result of the PUT, thus not in need of being retrieved | current as a result of the PUT, thus not in need of being retrieved | |||
again from the origin server, and that the new validator(s) received | again from the origin server, and that the new validator(s) received | |||
in the response can be used for future conditional requests in order | in the response can be used for future conditional requests in order | |||
to prevent accidental overwrites (Section 5.2). | to prevent accidental overwrites (Section 8.2). | |||
The fundamental difference between the POST and PUT methods is | The fundamental difference between the POST and PUT methods is | |||
highlighted by the different intent for the enclosed representation. | highlighted by the different intent for the enclosed representation. | |||
The target resource in a POST request is intended to handle the | The target resource in a POST request is intended to handle the | |||
enclosed representation according to the resource's own semantics, | enclosed representation according to the resource's own semantics, | |||
whereas the enclosed representation in a PUT request is defined as | whereas the enclosed representation in a PUT request is defined as | |||
replacing the state of the target resource. Hence, the intent of PUT | replacing the state of the target resource. Hence, the intent of PUT | |||
is idempotent and visible to intermediaries, even though the exact | is idempotent and visible to intermediaries, even though the exact | |||
effect is only known by the origin server. | effect is only known by the origin server. | |||
skipping to change at line 3303 ¶ | skipping to change at page 82, line 20 ¶ | |||
identifying "the current version" (a resource) that is separate from | identifying "the current version" (a resource) that is separate from | |||
the URIs identifying each particular version (different resources | the URIs identifying each particular version (different resources | |||
that at one point shared the same state as the current version | that at one point shared the same state as the current version | |||
resource). A successful PUT request on "the current version" URI | resource). A successful PUT request on "the current version" URI | |||
might therefore create a new version resource in addition to changing | might therefore create a new version resource in addition to changing | |||
the state of the target resource, and might also cause links to be | the state of the target resource, and might also cause links to be | |||
added between the related resources. | added between the related resources. | |||
An origin server that allows PUT on a given target resource MUST send | An origin server that allows PUT on a given target resource MUST send | |||
a 400 (Bad Request) response to a PUT request that contains a | a 400 (Bad Request) response to a PUT request that contains a | |||
Content-Range header field (Section 4.2 of [RFC7233]), since the | Content-Range header field (Section 6.3.4), since the payload is | |||
payload is likely to be partial content that has been mistakenly PUT | likely to be partial content that has been mistakenly PUT as a full | |||
as a full representation. Partial content updates are possible by | representation. Partial content updates are possible by targeting a | |||
targeting a separately identified resource with state that overlaps a | separately identified resource with state that overlaps a portion of | |||
portion of the larger resource, or by using a different method that | the larger resource, or by using a different method that has been | |||
has been specifically defined for partial updates (for example, the | specifically defined for partial updates (for example, the PATCH | |||
PATCH method defined in [RFC5789]). | method defined in [RFC5789]). | |||
Responses to the PUT method are not cacheable. If a successful PUT | Responses to the PUT method are not cacheable. If a successful PUT | |||
request passes through a cache that has one or more stored responses | request passes through a cache that has one or more stored responses | |||
for the effective request URI, those stored responses will be | for the effective request URI, those stored responses will be | |||
invalidated (see Section 4.4 of [RFC7234]). | invalidated (see Section 4.4 of [Caching]). | |||
4.3.5. DELETE | 7.3.5. DELETE | |||
The DELETE method requests that the origin server remove the | The DELETE method requests that the origin server remove the | |||
association between the target resource and its current | association between the target resource and its current | |||
functionality. In effect, this method is similar to the rm command | functionality. In effect, this method is similar to the rm command | |||
in UNIX: it expresses a deletion operation on the URI mapping of the | in UNIX: it expresses a deletion operation on the URI mapping of the | |||
origin server rather than an expectation that the previously | origin server rather than an expectation that the previously | |||
associated information be deleted. | associated information be deleted. | |||
If the target resource has one or more current representations, they | If the target resource has one or more current representations, they | |||
might or might not be destroyed by the origin server, and the | might or might not be destroyed by the origin server, and the | |||
skipping to change at line 3349 ¶ | skipping to change at page 83, line 18 ¶ | |||
previously created using a PUT request, or identified via the | previously created using a PUT request, or identified via the | |||
Location header field after a 201 (Created) response to a POST | Location header field after a 201 (Created) response to a POST | |||
request, might allow a corresponding DELETE request to undo those | request, might allow a corresponding DELETE request to undo those | |||
actions. Similarly, custom user agent implementations that implement | actions. Similarly, custom user agent implementations that implement | |||
an authoring function, such as revision control clients using HTTP | an authoring function, such as revision control clients using HTTP | |||
for remote operations, might use DELETE based on an assumption that | for remote operations, might use DELETE based on an assumption that | |||
the server's URI space has been crafted to correspond to a version | the server's URI space has been crafted to correspond to a version | |||
repository. | repository. | |||
If a DELETE method is successfully applied, the origin server SHOULD | If a DELETE method is successfully applied, the origin server SHOULD | |||
send a 202 (Accepted) status code if the action will likely succeed | send | |||
but has not yet been enacted, a 204 (No Content) status code if the | ||||
action has been enacted and no further information is to be supplied, | ||||
or a 200 (OK) status code if the action has been enacted and the | ||||
response message includes a representation describing the status. | ||||
A payload within a DELETE request message has no defined semantics; | o a 202 (Accepted) status code if the action will likely succeed but | |||
sending a payload body on a DELETE request might cause some existing | has not yet been enacted, | |||
o a 204 (No Content) status code if the action has been enacted and | ||||
no further information is to be supplied, or | ||||
o a 200 (OK) status code if the action has been enacted and the | ||||
response message includes a representation describing the status. | ||||
A client SHOULD NOT generate a body in a DELETE request. A payload | ||||
received in a DELETE request has no defined semantics, cannot alter | ||||
the meaning or target of the request, and might lead some | ||||
implementations to reject the request. | implementations to reject the request. | |||
Responses to the DELETE method are not cacheable. If a DELETE | Responses to the DELETE method are not cacheable. If a successful | |||
request passes through a cache that has one or more stored responses | DELETE request passes through a cache that has one or more stored | |||
for the effective request URI, those stored responses will be | responses for the effective request URI, those stored responses will | |||
invalidated (see Section 4.4 of [RFC7234]). | be invalidated (see Section 4.4 of [Caching]). | |||
4.3.6. CONNECT | 7.3.6. CONNECT | |||
The CONNECT method requests that the recipient establish a tunnel to | The CONNECT method requests that the recipient establish a tunnel to | |||
the destination origin server identified by the request-target and, | the destination origin server identified by the request-target and, | |||
if successful, thereafter restrict its behavior to blind forwarding | if successful, thereafter restrict its behavior to blind forwarding | |||
of packets, in both directions, until the tunnel is closed. Tunnels | of packets, in both directions, until the tunnel is closed. Tunnels | |||
are commonly used to create an end-to-end virtual connection, through | are commonly used to create an end-to-end virtual connection, through | |||
one or more proxies, which can then be secured using TLS (Transport | one or more proxies, which can then be secured using TLS (Transport | |||
Layer Security, [RFC5246]). | Layer Security, [RFC8446]). | |||
CONNECT is intended only for use in requests to a proxy. An origin | CONNECT is intended only for use in requests to a proxy. An origin | |||
server that receives a CONNECT request for itself MAY respond with a | server that receives a CONNECT request for itself MAY respond with a | |||
2xx (Successful) status code to indicate that a connection is | 2xx (Successful) status code to indicate that a connection is | |||
established. However, most origin servers do not implement CONNECT. | established. However, most origin servers do not implement CONNECT. | |||
A client sending a CONNECT request MUST send the authority form of | A client sending a CONNECT request MUST send the authority form of | |||
request-target (Section 5.3 of [RFC7230]); i.e., the request-target | request-target (Section 3.2 of [Messaging]); i.e., the request-target | |||
consists of only the host name and port number of the tunnel | consists of only the host name and port number of the tunnel | |||
destination, separated by a colon. For example, | destination, separated by a colon. For example, | |||
CONNECT server.example.com:80 HTTP/1.1 | CONNECT server.example.com:80 HTTP/1.1 | |||
Host: server.example.com:80 | Host: server.example.com:80 | |||
The recipient proxy can establish a tunnel either by directly | The recipient proxy can establish a tunnel either by directly | |||
connecting to the request-target or, if configured to use another | connecting to the request-target or, if configured to use another | |||
proxy, by forwarding the CONNECT request to the next inbound proxy. | proxy, by forwarding the CONNECT request to the next inbound proxy. | |||
Any 2xx (Successful) response indicates that the sender (and all | Any 2xx (Successful) response indicates that the sender (and all | |||
skipping to change at line 3431 ¶ | skipping to change at page 85, line 11 ¶ | |||
fields in a 2xx (Successful) response to CONNECT. A client MUST | fields in a 2xx (Successful) response to CONNECT. A client MUST | |||
ignore any Content-Length or Transfer-Encoding header fields received | ignore any Content-Length or Transfer-Encoding header fields received | |||
in a successful response to CONNECT. | in a successful response to CONNECT. | |||
A payload within a CONNECT request message has no defined semantics; | A payload within a CONNECT request message has no defined semantics; | |||
sending a payload body on a CONNECT request might cause some existing | sending a payload body on a CONNECT request might cause some existing | |||
implementations to reject the request. | implementations to reject the request. | |||
Responses to the CONNECT method are not cacheable. | Responses to the CONNECT method are not cacheable. | |||
4.3.7. OPTIONS | 7.3.7. OPTIONS | |||
The OPTIONS method requests information about the communication | The OPTIONS method requests information about the communication | |||
options available for the target resource, at either the origin | options available for the target resource, at either the origin | |||
server or an intervening intermediary. This method allows a client | server or an intervening intermediary. This method allows a client | |||
to determine the options and/or requirements associated with a | to determine the options and/or requirements associated with a | |||
resource, or the capabilities of a server, without implying a | resource, or the capabilities of a server, without implying a | |||
resource action. | resource action. | |||
An OPTIONS request with an asterisk ("*") as the request-target | An OPTIONS request with an asterisk ("*") as the request-target | |||
(Section 5.3 of [RFC7230]) applies to the server in general rather | (Section 3.2 of [Messaging]) applies to the server in general rather | |||
than to a specific resource. Since a server's communication options | than to a specific resource. Since a server's communication options | |||
typically depend on the resource, the "*" request is only useful as a | typically depend on the resource, the "*" request is only useful as a | |||
"ping" or "no-op" type of method; it does nothing beyond allowing the | "ping" or "no-op" type of method; it does nothing beyond allowing the | |||
client to test the capabilities of the server. For example, this can | client to test the capabilities of the server. For example, this can | |||
be used to test a proxy for HTTP/1.1 conformance (or lack thereof). | be used to test a proxy for HTTP/1.1 conformance (or lack thereof). | |||
If the request-target is not an asterisk, the OPTIONS request applies | If the request-target is not an asterisk, the OPTIONS request applies | |||
to the options that are available when communicating with the target | to the options that are available when communicating with the target | |||
resource. | resource. | |||
A server generating a successful response to OPTIONS SHOULD send any | A server generating a successful response to OPTIONS SHOULD send any | |||
header fields that might indicate optional features implemented by | header that might indicate optional features implemented by the | |||
the server and applicable to the target resource (e.g., Allow), | server and applicable to the target resource (e.g., Allow), including | |||
including potential extensions not defined by this specification. | potential extensions not defined by this specification. The response | |||
The response payload, if any, might also describe the communication | payload, if any, might also describe the communication options in a | |||
options in a machine or human-readable representation. A standard | machine or human-readable representation. A standard format for such | |||
format for such a representation is not defined by this | a representation is not defined by this specification, but might be | |||
specification, but might be defined by future extensions to HTTP. A | defined by future extensions to HTTP. | |||
server MUST generate a Content-Length field with a value of "0" if no | ||||
payload body is to be sent in the response. | ||||
A client MAY send a Max-Forwards header field in an OPTIONS request | A client MAY send a Max-Forwards header field in an OPTIONS request | |||
to target a specific recipient in the request chain (see | to target a specific recipient in the request chain (see | |||
Section 5.1.2). A proxy MUST NOT generate a Max-Forwards header | Section 8.1.2). A proxy MUST NOT generate a Max-Forwards header | |||
field while forwarding a request unless that request was received | field while forwarding a request unless that request was received | |||
with a Max-Forwards field. | with a Max-Forwards field. | |||
A client that generates an OPTIONS request containing a payload body | A client that generates an OPTIONS request containing a payload body | |||
MUST send a valid Content-Type header field describing the | MUST send a valid Content-Type header field describing the | |||
representation media type. Although this specification does not | representation media type. Note that this specification does not | |||
define any use for such a payload, future extensions to HTTP might | define any use for such a payload. | |||
use the OPTIONS body to make more detailed queries about the target | ||||
resource. | ||||
Responses to the OPTIONS method are not cacheable. | Responses to the OPTIONS method are not cacheable. | |||
4.3.8. TRACE | 7.3.8. TRACE | |||
The TRACE method requests a remote, application-level loop-back of | The TRACE method requests a remote, application-level loop-back of | |||
the request message. The final recipient of the request SHOULD | the request message. The final recipient of the request SHOULD | |||
reflect the message received, excluding some fields described below, | reflect the message received, excluding some fields described below, | |||
back to the client as the message body of a 200 (OK) response with a | back to the client as the message body of a 200 (OK) response with a | |||
Content-Type of "message/http" (Section 8.3.1 of [RFC7230]). The | Content-Type of "message/http" (Section 10.1 of [Messaging]). The | |||
final recipient is either the origin server or the first server to | final recipient is either the origin server or the first server to | |||
receive a Max-Forwards value of zero (0) in the request | receive a Max-Forwards value of zero (0) in the request | |||
(Section 5.1.2). | (Section 8.1.2). | |||
A client MUST NOT generate header fields in a TRACE request | A client MUST NOT generate fields in a TRACE request containing | |||
containing sensitive data that might be disclosed by the response. | sensitive data that might be disclosed by the response. For example, | |||
For example, it would be foolish for a user agent to send stored user | it would be foolish for a user agent to send stored user credentials | |||
credentials [RFC7235] or cookies [RFC6265] in a TRACE request. The | Section 8.5 or cookies [RFC6265] in a TRACE request. The final | |||
final recipient of the request SHOULD exclude any request header | recipient of the request SHOULD exclude any request fields that are | |||
fields that are likely to contain sensitive data when that recipient | likely to contain sensitive data when that recipient generates the | |||
generates the response body. | response body. | |||
TRACE allows the client to see what is being received at the other | TRACE allows the client to see what is being received at the other | |||
end of the request chain and use that data for testing or diagnostic | end of the request chain and use that data for testing or diagnostic | |||
information. The value of the Via header field (Section 5.7.1 of | information. The value of the Via header field (Section 5.7.1) is of | |||
[RFC7230]) is of particular interest, since it acts as a trace of the | particular interest, since it acts as a trace of the request chain. | |||
request chain. Use of the Max-Forwards header field allows the | Use of the Max-Forwards header field allows the client to limit the | |||
client to limit the length of the request chain, which is useful for | length of the request chain, which is useful for testing a chain of | |||
testing a chain of proxies forwarding messages in an infinite loop. | proxies forwarding messages in an infinite loop. | |||
A client MUST NOT send a message body in a TRACE request. | A client MUST NOT send a message body in a TRACE request. | |||
Responses to the TRACE method are not cacheable. | Responses to the TRACE method are not cacheable. | |||
X.X. [Method Extensibility] | 7.4. Method Extensibility | |||
Additional methods, outside the scope of this specification, have | Additional methods, outside the scope of this specification, have | |||
been standardized for use in HTTP. All such methods ought to be | been specified for use in HTTP. All such methods ought to be | |||
registered within the "Hypertext Transfer Protocol (HTTP) Method | registered within the "Hypertext Transfer Protocol (HTTP) Method | |||
Registry" maintained by IANA, as defined in Section 8.1. | Registry". | |||
8.1. Method Registry | ||||
The "Hypertext Transfer Protocol (HTTP) Method Registry" defines the | 7.4.1. Method Registry | |||
namespace for the request method token (Section 4). The method | ||||
registry has been created and is now maintained at | ||||
<http://www.iana.org/assignments/http-methods>. | ||||
8.1.1. Procedure | The "Hypertext Transfer Protocol (HTTP) Method Registry", maintained | |||
by IANA at <https://www.iana.org/assignments/http-methods>, registers | ||||
method names. | ||||
HTTP method registrations MUST include the following fields: | HTTP method registrations MUST include the following fields: | |||
o Method Name (see Section 4) | o Method Name (see Section 7) | |||
o Safe ("yes" or "no", see Section 7.2.1) | ||||
o Safe ("yes" or "no", see Section 4.2.1) | ||||
o Idempotent ("yes" or "no", see Section 4.2.2) | o Idempotent ("yes" or "no", see Section 7.2.2) | |||
o Pointer to specification text | o Pointer to specification text | |||
Values to be added to this namespace require IETF Review (see | Values to be added to this namespace require IETF Review (see | |||
[RFC5226], Section 4.1). | [RFC8126], Section 4.8). | |||
8.1.2. Considerations for New Methods | 7.4.2. Considerations for New Methods | |||
Standardized methods are generic; that is, they are potentially | Standardized methods are generic; that is, they are potentially | |||
applicable to any resource, not just one particular media type, kind | applicable to any resource, not just one particular media type, kind | |||
of resource, or application. As such, it is preferred that new | of resource, or application. As such, it is preferred that new | |||
methods be registered in a document that isn't specific to a single | methods be registered in a document that isn't specific to a single | |||
application or data format, since orthogonal technologies deserve | application or data format, since orthogonal technologies deserve | |||
orthogonal specification. | orthogonal specification. | |||
Since message parsing (Section 3.3 of [RFC7230]) needs to be | Since message parsing (Section 6 of [Messaging]) needs to be | |||
independent of method semantics (aside from responses to HEAD), | independent of method semantics (aside from responses to HEAD), | |||
definitions of new methods cannot change the parsing algorithm or | definitions of new methods cannot change the parsing algorithm or | |||
prohibit the presence of a message body on either the request or the | prohibit the presence of a message body on either the request or the | |||
response message. Definitions of new methods can specify that only a | response message. Definitions of new methods can specify that only a | |||
zero-length message body is allowed by requiring a Content-Length | zero-length message body is allowed by requiring a Content-Length | |||
header field with a value of "0". | header field with a value of "0". | |||
A new method definition needs to indicate whether it is safe | A new method definition needs to indicate whether it is safe | |||
(Section 4.2.1), idempotent (Section 4.2.2), cacheable | (Section 7.2.1), idempotent (Section 7.2.2), cacheable | |||
(Section 4.2.3), what semantics are to be associated with the payload | (Section 7.2.3), what semantics are to be associated with the payload | |||
body if any is present in the request and what refinements the method | body if any is present in the request and what refinements the method | |||
makes to header field or status code semantics. If the new method is | makes to header field or status code semantics. If the new method is | |||
cacheable, its definition ought to describe how, and under what | cacheable, its definition ought to describe how, and under what | |||
conditions, a cache can store a response and use it to satisfy a | conditions, a cache can store a response and use it to satisfy a | |||
subsequent request. The new method ought to describe whether it can | subsequent request. The new method ought to describe whether it can | |||
be made conditional (Section 5.2) and, if so, how a server responds | be made conditional (Section 8.2) and, if so, how a server responds | |||
when the condition is false. Likewise, if the new method might have | when the condition is false. Likewise, if the new method might have | |||
some use for partial response semantics ([RFC7233]), it ought to | some use for partial response semantics (Section 8.3), it ought to | |||
document this, too. | document this, too. | |||
Note: Avoid defining a method name that starts with "M-", since | Note: Avoid defining a method name that starts with "M-", since | |||
that prefix might be misinterpreted as having the semantics | that prefix might be misinterpreted as having the semantics | |||
assigned to it by [RFC2774]. | assigned to it by [RFC2774]. | |||
5. Request Header Fields | 8. Request Header Fields | |||
A client sends request header fields to provide more information | A client sends request header fields to provide more information | |||
about the request context, make the request conditional based on the | about the request context, make the request conditional based on the | |||
target resource state, suggest preferred formats for the response, | target resource state, suggest preferred formats for the response, | |||
supply authentication credentials, or modify the expected request | supply authentication credentials, or modify the expected request | |||
processing. These fields act as request modifiers, similar to the | processing. These fields act as request modifiers, similar to the | |||
parameters on a programming language method invocation. | parameters on a programming language method invocation. | |||
5.1. Controls | 8.1. Controls | |||
Controls are request header fields that direct specific handling of | Controls are request header fields that direct specific handling of | |||
the request. | the request. | |||
+-------------------+--------------------------+ | +---------------+----------------------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+-------------------+--------------------------+ | +---------------+----------------------------+ | |||
| Cache-Control | Section 5.2 of [RFC7234] | | | Cache-Control | Section 5.2 of [Caching] | | |||
| Expect | Section 5.1.1 | | | Expect | Section 8.1.1 | | |||
| Host | Section 5.4 of [RFC7230] | | | Host | Section 5.6 | | |||
| Max-Forwards | Section 5.1.2 | | | Max-Forwards | Section 8.1.2 | | |||
| Pragma | Section 5.4 of [RFC7234] | | | Pragma | Section 5.4 of [Caching] | | |||
| Range | Section 3.1 of [RFC7233] | | | TE | Section 7.4 of [Messaging] | | |||
| TE | Section 4.3 of [RFC7230] | | +---------------+----------------------------+ | |||
+-------------------+--------------------------+ | ||||
5.1.1. Expect | 8.1.1. Expect | |||
The "Expect" header field in a request indicates a certain set of | The "Expect" header field in a request indicates a certain set of | |||
behaviors (expectations) that need to be supported by the server in | behaviors (expectations) that need to be supported by the server in | |||
order to properly handle this request. The only such expectation | order to properly handle this request. The only such expectation | |||
defined by this specification is 100-continue. | defined by this specification is 100-continue. | |||
Expect = "100-continue" | Expect = "100-continue" | |||
The Expect field-value is case-insensitive. | The Expect field value is case-insensitive. | |||
A server that receives an Expect field-value other than 100-continue | A server that receives an Expect field value other than 100-continue | |||
MAY respond with a 417 (Expectation Failed) status code to indicate | MAY respond with a 417 (Expectation Failed) status code to indicate | |||
that the unexpected expectation cannot be met. | that the unexpected expectation cannot be met. | |||
A 100-continue expectation informs recipients that the client is | A 100-continue expectation informs recipients that the client is | |||
about to send a (presumably large) message body in this request and | about to send a (presumably large) message body in this request and | |||
wishes to receive a 100 (Continue) interim response if the | wishes to receive a 100 (Continue) interim response if the request- | |||
request-line and header fields are not sufficient to cause an | line and header fields are not sufficient to cause an immediate | |||
immediate success, redirect, or error response. This allows the | success, redirect, or error response. This allows the client to wait | |||
client to wait for an indication that it is worthwhile to send the | for an indication that it is worthwhile to send the message body | |||
message body before actually doing so, which can improve efficiency | before actually doing so, which can improve efficiency when the | |||
when the message body is huge or when the client anticipates that an | message body is huge or when the client anticipates that an error is | |||
error is likely (e.g., when sending a state-changing method, for the | likely (e.g., when sending a state-changing method, for the first | |||
first time, without previously verified authentication credentials). | time, without previously verified authentication credentials). | |||
For example, a request that begins with | For example, a request that begins with | |||
PUT /somewhere/fun HTTP/1.1 | PUT /somewhere/fun HTTP/1.1 | |||
Host: origin.example.com | Host: origin.example.com | |||
Content-Type: video/h264 | Content-Type: video/h264 | |||
Content-Length: 1234567890987 | Content-Length: 1234567890987 | |||
Expect: 100-continue | Expect: 100-continue | |||
allows the origin server to immediately respond with an error | allows the origin server to immediately respond with an error | |||
message, such as 401 (Unauthorized) or 405 (Method Not Allowed), | message, such as 401 (Unauthorized) or 405 (Method Not Allowed), | |||
before the client starts filling the pipes with an unnecessary data | before the client starts filling the pipes with an unnecessary data | |||
transfer. | transfer. | |||
skipping to change at line 3674 ¶ | skipping to change at page 90, line 6 ¶ | |||
o A server MAY omit sending a 100 (Continue) response if it has | o A server MAY omit sending a 100 (Continue) response if it has | |||
already received some or all of the message body for the | already received some or all of the message body for the | |||
corresponding request, or if the framing indicates that there is | corresponding request, or if the framing indicates that there is | |||
no message body. | no message body. | |||
o A server that sends a 100 (Continue) response MUST ultimately send | o A server that sends a 100 (Continue) response MUST ultimately send | |||
a final status code, once the message body is received and | a final status code, once the message body is received and | |||
processed, unless the connection is closed prematurely. | processed, unless the connection is closed prematurely. | |||
o A server that responds with a final status code before reading the | o A server that responds with a final status code before reading the | |||
entire message body SHOULD indicate in that response whether it | entire request payload body SHOULD indicate whether it intends to | |||
intends to close the connection or continue reading and discarding | close the connection (see Section 9.7 of [Messaging]) or continue | |||
the request message (see Section 6.6 of [RFC7230]). | reading the payload body. | |||
An origin server MUST, upon receiving an HTTP/1.1 (or later) | An origin server MUST, upon receiving an HTTP/1.1 (or later) request- | |||
request-line and a complete header section that contains a | line and a complete header section that contains a 100-continue | |||
100-continue expectation and indicates a request message body will | expectation and indicates a request message body will follow, either | |||
follow, either send an immediate response with a final status code, | send an immediate response with a final status code, if that status | |||
if that status can be determined by examining just the request-line | can be determined by examining just the request-line and header | |||
and header fields, or send an immediate 100 (Continue) response to | fields, or send an immediate 100 (Continue) response to encourage the | |||
encourage the client to send the request's message body. The origin | client to send the request's message body. The origin server MUST | |||
server MUST NOT wait for the message body before sending the 100 | NOT wait for the message body before sending the 100 (Continue) | |||
(Continue) response. | response. | |||
A proxy MUST, upon receiving an HTTP/1.1 (or later) request-line and | A proxy MUST, upon receiving an HTTP/1.1 (or later) request-line and | |||
a complete header section that contains a 100-continue expectation | a complete header section that contains a 100-continue expectation | |||
and indicates a request message body will follow, either send an | and indicates a request message body will follow, either send an | |||
immediate response with a final status code, if that status can be | immediate response with a final status code, if that status can be | |||
determined by examining just the request-line and header fields, or | determined by examining just the request-line and header fields, or | |||
begin forwarding the request toward the origin server by sending a | begin forwarding the request toward the origin server by sending a | |||
corresponding request-line and header section to the next inbound | corresponding request-line and header section to the next inbound | |||
server. If the proxy believes (from configuration or past | server. If the proxy believes (from configuration or past | |||
interaction) that the next inbound server only supports HTTP/1.0, the | interaction) that the next inbound server only supports HTTP/1.0, the | |||
skipping to change at line 3710 ¶ | skipping to change at page 90, line 42 ¶ | |||
Note: The Expect header field was added after the original | Note: The Expect header field was added after the original | |||
publication of HTTP/1.1 [RFC2068] as both the means to request an | publication of HTTP/1.1 [RFC2068] as both the means to request an | |||
interim 100 (Continue) response and the general mechanism for | interim 100 (Continue) response and the general mechanism for | |||
indicating must-understand extensions. However, the extension | indicating must-understand extensions. However, the extension | |||
mechanism has not been used by clients and the must-understand | mechanism has not been used by clients and the must-understand | |||
requirements have not been implemented by many servers, rendering | requirements have not been implemented by many servers, rendering | |||
the extension mechanism useless. This specification has removed | the extension mechanism useless. This specification has removed | |||
the extension mechanism in order to simplify the definition and | the extension mechanism in order to simplify the definition and | |||
processing of 100-continue. | processing of 100-continue. | |||
5.1.2. Max-Forwards | 8.1.2. Max-Forwards | |||
The "Max-Forwards" header field provides a mechanism with the TRACE | The "Max-Forwards" header field provides a mechanism with the TRACE | |||
(Section 4.3.8) and OPTIONS (Section 4.3.7) request methods to limit | (Section 7.3.8) and OPTIONS (Section 7.3.7) request methods to limit | |||
the number of times that the request is forwarded by proxies. This | the number of times that the request is forwarded by proxies. This | |||
can be useful when the client is attempting to trace a request that | can be useful when the client is attempting to trace a request that | |||
appears to be failing or looping mid-chain. | appears to be failing or looping mid-chain. | |||
Max-Forwards = 1*DIGIT | Max-Forwards = 1*DIGIT | |||
The Max-Forwards value is a decimal integer indicating the remaining | The Max-Forwards value is a decimal integer indicating the remaining | |||
number of times this request message can be forwarded. | number of times this request message can be forwarded. | |||
Each intermediary that receives a TRACE or OPTIONS request containing | Each intermediary that receives a TRACE or OPTIONS request containing | |||
a Max-Forwards header field MUST check and update its value prior to | a Max-Forwards header field MUST check and update its value prior to | |||
forwarding the request. If the received value is zero (0), the | forwarding the request. If the received value is zero (0), the | |||
intermediary MUST NOT forward the request; instead, the intermediary | intermediary MUST NOT forward the request; instead, the intermediary | |||
MUST respond as the final recipient. If the received Max-Forwards | MUST respond as the final recipient. If the received Max-Forwards | |||
value is greater than zero, the intermediary MUST generate an updated | value is greater than zero, the intermediary MUST generate an updated | |||
Max-Forwards field in the forwarded message with a field-value that | Max-Forwards field in the forwarded message with a field value that | |||
is the lesser of a) the received value decremented by one (1) or b) | is the lesser of a) the received value decremented by one (1) or b) | |||
the recipient's maximum supported value for Max-Forwards. | the recipient's maximum supported value for Max-Forwards. | |||
A recipient MAY ignore a Max-Forwards header field received with any | A recipient MAY ignore a Max-Forwards header field received with any | |||
other request methods. | other request methods. | |||
5.2. Conditionals | 8.2. Preconditions | |||
Conditional requests are HTTP requests [RFC7231] that include one or | ||||
more header fields indicating a precondition to be tested before | ||||
applying the method semantics to the target resource. This document | ||||
defines the HTTP/1.1 conditional request mechanisms in terms of the | ||||
architecture, syntax notation, and conformance criteria defined in | ||||
[RFC7230]. | ||||
3. Precondition Header Fields | ||||
This section defines the syntax and semantics of HTTP/1.1 header | A conditional request is an HTTP request with one or more request | |||
fields for applying preconditions on requests. Section 5 defines | header fields that indicate a precondition to be tested before | |||
when the preconditions are applied. Section 6 defines the order of | applying the request method to the target resource. Section 8.2.1 | |||
evaluation when more than one precondition is present. | defines when preconditions are applied. Section 8.2.2 defines the | |||
order of evaluation when more than one precondition is present. | ||||
Conditional GET requests are the most efficient mechanism for HTTP | Conditional GET requests are the most efficient mechanism for HTTP | |||
cache updates [RFC7234]. Conditionals can also be applied to | cache updates [Caching]. Conditionals can also be applied to state- | |||
state-changing methods, such as PUT and DELETE, to prevent the "lost | changing methods, such as PUT and DELETE, to prevent the "lost | |||
update" problem: one client accidentally overwriting the work of | update" problem: one client accidentally overwriting the work of | |||
another client that has been acting in parallel. | another client that has been acting in parallel. | |||
Conditional request preconditions are based on the state of the | Conditional request preconditions are based on the state of the | |||
target resource as a whole (its current value set) or the state as | target resource as a whole (its current value set) or the state as | |||
observed in a previously obtained representation (one value in that | observed in a previously obtained representation (one value in that | |||
set). A resource might have multiple current representations, each | set). A resource might have multiple current representations, each | |||
with its own observable state. The conditional request mechanisms | with its own observable state. The conditional request mechanisms | |||
assume that the mapping of requests to a "selected representation" | assume that the mapping of requests to a "selected representation" | |||
(Section 3 of [RFC7231]) will be consistent over time if the server | (Section 6) will be consistent over time if the server intends to | |||
intends to take advantage of conditionals. Regardless, if the | take advantage of conditionals. Regardless, if the mapping is | |||
mapping is inconsistent and the server is unable to select the | inconsistent and the server is unable to select the appropriate | |||
appropriate representation, then no harm will result when the | representation, then no harm will result when the precondition | |||
precondition evaluates to false. | evaluates to false. | |||
The conditional request preconditions defined by this specification | ||||
(Section 3) are evaluated when applicable to the recipient | ||||
(Section 5) according to their order of precedence (Section 6). | ||||
The HTTP conditional request header fields [RFC7232] allow a client | The following request header fields allow a client to place a | |||
to place a precondition on the state of the target resource, so that | precondition on the state of the target resource, so that the action | |||
the action corresponding to the method semantics will not be applied | corresponding to the method semantics will not be applied if the | |||
if the precondition evaluates to false. Each precondition defined by | precondition evaluates to false. Each precondition defined by this | |||
this specification consists of a comparison between a set of | specification consists of a comparison between a set of validators | |||
validators obtained from prior representations of the target resource | obtained from prior representations of the target resource to the | |||
to the current state of validators for the selected representation | current state of validators for the selected representation | |||
(Section 7.2). Hence, these preconditions evaluate whether the state | (Section 10.2). Hence, these preconditions evaluate whether the | |||
of the target resource has changed since a given state known by the | state of the target resource has changed since a given state known by | |||
client. The effect of such an evaluation depends on the method | the client. The effect of such an evaluation depends on the method | |||
semantics and choice of conditional, as defined in Section 5 of | semantics and choice of conditional, as defined in Section 8.2.1. | |||
[RFC7232]. | ||||
+---------------------+--------------------------+ | +---------------------+---------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+---------------------+--------------------------+ | +---------------------+---------------+ | |||
| If-Match | Section 3.1 of [RFC7232] | | | If-Match | Section 8.2.3 | | |||
| If-None-Match | Section 3.2 of [RFC7232] | | | If-None-Match | Section 8.2.4 | | |||
| If-Modified-Since | Section 3.3 of [RFC7232] | | | If-Modified-Since | Section 8.2.5 | | |||
| If-Unmodified-Since | Section 3.4 of [RFC7232] | | | If-Unmodified-Since | Section 8.2.6 | | |||
| If-Range | Section 3.2 of [RFC7233] | | | If-Range | Section 8.2.7 | | |||
+---------------------+--------------------------+ | +---------------------+---------------+ | |||
5. Evaluation | 8.2.1. Evaluation | |||
Except when excluded below, a recipient cache or origin server MUST | Except when excluded below, a recipient cache or origin server MUST | |||
evaluate received request preconditions after it has successfully | evaluate received request preconditions after it has successfully | |||
performed its normal request checks and just before it would perform | performed its normal request checks and just before it would perform | |||
the action associated with the request method. A server MUST ignore | the action associated with the request method. A server MUST ignore | |||
all received preconditions if its response to the same request | all received preconditions if its response to the same request | |||
without those conditions would have been a status code other than a | without those conditions would have been a status code other than a | |||
2xx (Successful) or 412 (Precondition Failed). In other words, | 2xx (Successful) or 412 (Precondition Failed). In other words, | |||
redirects and failures take precedence over the evaluation of | redirects and failures take precedence over the evaluation of | |||
preconditions in conditional requests. | preconditions in conditional requests. | |||
skipping to change at line 3820 ¶ | skipping to change at page 92, line 43 ¶ | |||
cannot act as a cache for requests on the target resource MUST NOT | cannot act as a cache for requests on the target resource MUST NOT | |||
evaluate the conditional request header fields defined by this | evaluate the conditional request header fields defined by this | |||
specification, and it MUST forward them if the request is forwarded, | specification, and it MUST forward them if the request is forwarded, | |||
since the generating client intends that they be evaluated by a | since the generating client intends that they be evaluated by a | |||
server that can provide a current representation. Likewise, a server | server that can provide a current representation. Likewise, a server | |||
MUST ignore the conditional request header fields defined by this | MUST ignore the conditional request header fields defined by this | |||
specification when received with a request method that does not | specification when received with a request method that does not | |||
involve the selection or modification of a selected representation, | involve the selection or modification of a selected representation, | |||
such as CONNECT, OPTIONS, or TRACE. | such as CONNECT, OPTIONS, or TRACE. | |||
Note that protocol extensions can modify the conditions under which | ||||
revalidation is triggered. For example, the "immutable" cache | ||||
directive (defined by [RFC8246]) instructs caches to forgo | ||||
revalidation of fresh responses even when requested by the client. | ||||
Conditional request header fields that are defined by extensions to | Conditional request header fields that are defined by extensions to | |||
HTTP might place conditions on all recipients, on the state of the | HTTP might place conditions on all recipients, on the state of the | |||
target resource in general, or on a group of resources. For | target resource in general, or on a group of resources. For | |||
instance, the "If" header field in WebDAV can make a request | instance, the "If" header field in WebDAV can make a request | |||
conditional on various aspects of multiple resources, such as locks, | conditional on various aspects of multiple resources, such as locks, | |||
if the recipient understands and implements that field ([RFC4918], | if the recipient understands and implements that field ([RFC4918], | |||
Section 10.4). | Section 10.4). | |||
Although conditional request header fields are defined as being | Although conditional request header fields are defined as being | |||
usable with the HEAD method (to keep HEAD's semantics consistent with | usable with the HEAD method (to keep HEAD's semantics consistent with | |||
those of GET), there is no point in sending a conditional HEAD | those of GET), there is no point in sending a conditional HEAD | |||
because a successful response is around the same size as a 304 (Not | because a successful response is around the same size as a 304 (Not | |||
Modified) response and more useful than a 412 (Precondition Failed) | Modified) response and more useful than a 412 (Precondition Failed) | |||
response. | response. | |||
6. Precedence | 8.2.2. Precedence | |||
When more than one conditional request header field is present in a | When more than one conditional request header field is present in a | |||
request, the order in which the fields are evaluated becomes | request, the order in which the fields are evaluated becomes | |||
important. In practice, the fields defined in this document are | important. In practice, the fields defined in this document are | |||
consistently implemented in a single, logical order, since "lost | consistently implemented in a single, logical order, since "lost | |||
update" preconditions have more strict requirements than cache | update" preconditions have more strict requirements than cache | |||
validation, a validated cache is more efficient than a partial | validation, a validated cache is more efficient than a partial | |||
response, and entity tags are presumed to be more accurate than date | response, and entity tags are presumed to be more accurate than date | |||
validators. | validators. | |||
A recipient cache or origin server MUST evaluate the request | A recipient cache or origin server MUST evaluate the request | |||
preconditions defined by this specification in the following order: | preconditions defined by this specification in the following order: | |||
1. When recipient is the origin server and If-Match is present, | 1. When recipient is the origin server and If-Match is present, | |||
evaluate the If-Match precondition: | evaluate the If-Match precondition: | |||
* if true, continue to step 3 | * if true, continue to step 3 | |||
* if false, respond 412 (Precondition Failed) unless it can be | * if false, respond 412 (Precondition Failed) unless it can be | |||
determined that the state-changing request has already | determined that the state-changing request has already | |||
succeeded (see Section 3.1) | succeeded (see Section 8.2.3) | |||
2. When recipient is the origin server, If-Match is not present, and | 2. When recipient is the origin server, If-Match is not present, and | |||
If-Unmodified-Since is present, evaluate the If-Unmodified-Since | If-Unmodified-Since is present, evaluate the If-Unmodified-Since | |||
precondition: | precondition: | |||
* if true, continue to step 3 | * if true, continue to step 3 | |||
* if false, respond 412 (Precondition Failed) unless it can be | * if false, respond 412 (Precondition Failed) unless it can be | |||
determined that the state-changing request has already | determined that the state-changing request has already | |||
succeeded (see Section 3.4) | succeeded (see Section 8.2.6) | |||
3. When If-None-Match is present, evaluate the If-None-Match | 3. When If-None-Match is present, evaluate the If-None-Match | |||
precondition: | precondition: | |||
* if true, continue to step 5 | * if true, continue to step 5 | |||
* if false for GET/HEAD, respond 304 (Not Modified) | * if false for GET/HEAD, respond 304 (Not Modified) | |||
* if false for other methods, respond 412 (Precondition Failed) | * if false for other methods, respond 412 (Precondition Failed) | |||
skipping to change at line 3890 ¶ | skipping to change at page 94, line 30 ¶ | |||
* if true, continue to step 5 | * if true, continue to step 5 | |||
* if false, respond 304 (Not Modified) | * if false, respond 304 (Not Modified) | |||
5. When the method is GET and both Range and If-Range are present, | 5. When the method is GET and both Range and If-Range are present, | |||
evaluate the If-Range precondition: | evaluate the If-Range precondition: | |||
* if the validator matches and the Range specification is | * if the validator matches and the Range specification is | |||
applicable to the selected representation, respond 206 | applicable to the selected representation, respond 206 | |||
(Partial Content) [RFC7233] | (Partial Content) | |||
6. Otherwise, | 6. Otherwise, | |||
* all conditions are met, so perform the requested action and | * all conditions are met, so perform the requested action and | |||
respond according to its success or failure. | respond according to its success or failure. | |||
Any extension to HTTP/1.1 that defines additional conditional request | Any extension to HTTP/1.1 that defines additional conditional request | |||
header fields ought to define its own expectations regarding the | header fields ought to define its own expectations regarding the | |||
order for evaluating such fields in relation to those defined in this | order for evaluating such fields in relation to those defined in this | |||
document and other conditionals that might be found in practice. | document and other conditionals that might be found in practice. | |||
3.1. If-Match | 8.2.3. If-Match | |||
The "If-Match" header field makes the request method conditional on | The "If-Match" header field makes the request method conditional on | |||
the recipient origin server either having at least one current | the recipient origin server either having at least one current | |||
representation of the target resource, when the field-value is "*", | representation of the target resource, when the field value is "*", | |||
or having a current representation of the target resource that has an | or having a current representation of the target resource that has an | |||
entity-tag matching a member of the list of entity-tags provided in | entity-tag matching a member of the list of entity-tags provided in | |||
the field-value. | the field value. | |||
An origin server MUST use the strong comparison function when | An origin server MUST use the strong comparison function when | |||
comparing entity-tags for If-Match (Section 2.3.2), since the client | comparing entity-tags for If-Match (Section 10.2.3.2), since the | |||
intends this precondition to prevent the method from being applied if | client intends this precondition to prevent the method from being | |||
there have been any changes to the representation data. | applied if there have been any changes to the representation data. | |||
If-Match = "*" / 1#entity-tag | If-Match = "*" / 1#entity-tag | |||
Examples: | Examples: | |||
If-Match: "xyzzy" | If-Match: "xyzzy" | |||
If-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" | If-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" | |||
If-Match: * | If-Match: * | |||
If-Match is most often used with state-changing methods (e.g., POST, | If-Match is most often used with state-changing methods (e.g., POST, | |||
PUT, DELETE) to prevent accidental overwrites when multiple user | PUT, DELETE) to prevent accidental overwrites when multiple user | |||
agents might be acting in parallel on the same resource (i.e., to | agents might be acting in parallel on the same resource (i.e., to | |||
prevent the "lost update" problem). It can also be used with safe | prevent the "lost update" problem). It can also be used with safe | |||
methods to abort a request if the selected representation does not | methods to abort a request if the selected representation does not | |||
match one already stored (or partially stored) from a prior request. | match one already stored (or partially stored) from a prior request. | |||
An origin server that receives an If-Match header field MUST evaluate | An origin server that receives an If-Match header field MUST evaluate | |||
the condition prior to performing the method (Section 5). If the | the condition prior to performing the method (Section 8.2.1). If the | |||
field-value is "*", the condition is false if the origin server does | field value is "*", the condition is false if the origin server does | |||
not have a current representation for the target resource. If the | not have a current representation for the target resource. If the | |||
field-value is a list of entity-tags, the condition is false if none | field value is a list of entity-tags, the condition is false if none | |||
of the listed tags match the entity-tag of the selected | of the listed tags match the entity-tag of the selected | |||
representation. | representation. | |||
An origin server MUST NOT perform the requested method if a received | An origin server MUST NOT perform the requested method if a received | |||
If-Match condition evaluates to false; instead, the origin server | If-Match condition evaluates to false; instead, the origin server | |||
MUST respond with either a) the 412 (Precondition Failed) status code | MUST respond with either a) the 412 (Precondition Failed) status code | |||
or b) one of the 2xx (Successful) status codes if the origin server | or b) one of the 2xx (Successful) status codes if the origin server | |||
has verified that a state change is being requested and the final | has verified that a state change is being requested and the final | |||
state is already reflected in the current state of the target | state is already reflected in the current state of the target | |||
resource (i.e., the change requested by the user agent has already | resource (i.e., the change requested by the user agent has already | |||
succeeded, but the user agent might not be aware of it, perhaps | succeeded, but the user agent might not be aware of it, perhaps | |||
because the prior response was lost or a compatible change was made | because the prior response was lost or a compatible change was made | |||
by some other user agent). In the latter case, the origin server | by some other user agent). In the latter case, the origin server | |||
MUST NOT send a validator header field in the response unless it can | MUST NOT send a validator header field in the response unless it can | |||
verify that the request is a duplicate of an immediately prior change | verify that the request is a duplicate of an immediately prior change | |||
made by the same user agent. | made by the same user agent. | |||
The If-Match header field can be ignored by caches and intermediaries | The If-Match header field can be ignored by caches and intermediaries | |||
because it is not applicable to a stored response. | because it is not applicable to a stored response. | |||
3.2. If-None-Match | 8.2.4. If-None-Match | |||
The "If-None-Match" header field makes the request method conditional | The "If-None-Match" header field makes the request method conditional | |||
on a recipient cache or origin server either not having any current | on a recipient cache or origin server either not having any current | |||
representation of the target resource, when the field-value is "*", | representation of the target resource, when the field value is "*", | |||
or having a selected representation with an entity-tag that does not | or having a selected representation with an entity-tag that does not | |||
match any of those listed in the field-value. | match any of those listed in the field value. | |||
A recipient MUST use the weak comparison function when comparing | A recipient MUST use the weak comparison function when comparing | |||
entity-tags for If-None-Match (Section 2.3.2), since weak entity-tags | entity-tags for If-None-Match (Section 10.2.3.2), since weak entity- | |||
can be used for cache validation even if there have been changes to | tags can be used for cache validation even if there have been changes | |||
the representation data. | to the representation data. | |||
If-None-Match = "*" / 1#entity-tag | If-None-Match = "*" / 1#entity-tag | |||
Examples: | Examples: | |||
If-None-Match: "xyzzy" | If-None-Match: "xyzzy" | |||
If-None-Match: W/"xyzzy" | If-None-Match: W/"xyzzy" | |||
If-None-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" | If-None-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" | |||
If-None-Match: W/"xyzzy", W/"r2d2xxxx", W/"c3piozzzz" | If-None-Match: W/"xyzzy", W/"r2d2xxxx", W/"c3piozzzz" | |||
If-None-Match: * | If-None-Match: * | |||
skipping to change at line 3992 ¶ | skipping to change at page 96, line 51 ¶ | |||
stored responses that have entity-tags, the client SHOULD generate an | stored responses that have entity-tags, the client SHOULD generate an | |||
If-None-Match header field containing a list of those entity-tags | If-None-Match header field containing a list of those entity-tags | |||
when making a GET request; this allows recipient servers to send a | when making a GET request; this allows recipient servers to send a | |||
304 (Not Modified) response to indicate when one of those stored | 304 (Not Modified) response to indicate when one of those stored | |||
responses matches the selected representation. | responses matches the selected representation. | |||
If-None-Match can also be used with a value of "*" to prevent an | If-None-Match can also be used with a value of "*" to prevent an | |||
unsafe request method (e.g., PUT) from inadvertently modifying an | unsafe request method (e.g., PUT) from inadvertently modifying an | |||
existing representation of the target resource when the client | existing representation of the target resource when the client | |||
believes that the resource does not have a current representation | believes that the resource does not have a current representation | |||
(Section 4.2.1 of [RFC7231]). This is a variation on the "lost | (Section 7.2.1). This is a variation on the "lost update" problem | |||
update" problem that might arise if more than one client attempts to | that might arise if more than one client attempts to create an | |||
create an initial representation for the target resource. | initial representation for the target resource. | |||
An origin server that receives an If-None-Match header field MUST | An origin server that receives an If-None-Match header field MUST | |||
evaluate the condition prior to performing the method (Section 5). | evaluate the condition prior to performing the method | |||
If the field-value is "*", the condition is false if the origin | (Section 8.2.1). If the field value is "*", the condition is false | |||
server has a current representation for the target resource. If the | if the origin server has a current representation for the target | |||
field-value is a list of entity-tags, the condition is false if one | resource. If the field value is a list of entity-tags, the condition | |||
of the listed tags match the entity-tag of the selected | is false if one of the listed tags match the entity-tag of the | |||
representation. | selected representation. | |||
An origin server MUST NOT perform the requested method if the | An origin server MUST NOT perform the requested method if the | |||
condition evaluates to false; instead, the origin server MUST respond | condition evaluates to false; instead, the origin server MUST respond | |||
with either a) the 304 (Not Modified) status code if the request | with either a) the 304 (Not Modified) status code if the request | |||
method is GET or HEAD or b) the 412 (Precondition Failed) status code | method is GET or HEAD or b) the 412 (Precondition Failed) status code | |||
for all other request methods. | for all other request methods. | |||
Requirements on cache handling of a received If-None-Match header | Requirements on cache handling of a received If-None-Match header | |||
field are defined in Section 4.3.2 of [RFC7234]. | field are defined in Section 4.3.2 of [Caching]. | |||
3.3. If-Modified-Since | 8.2.5. If-Modified-Since | |||
The "If-Modified-Since" header field makes a GET or HEAD request | The "If-Modified-Since" header field makes a GET or HEAD request | |||
method conditional on the selected representation's modification date | method conditional on the selected representation's modification date | |||
being more recent than the date provided in the field-value. | being more recent than the date provided in the field value. | |||
Transfer of the selected representation's data is avoided if that | Transfer of the selected representation's data is avoided if that | |||
data has not changed. | data has not changed. | |||
If-Modified-Since = HTTP-date | If-Modified-Since = HTTP-date | |||
An example of the field is: | An example of the field is: | |||
If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT | If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT | |||
A recipient MUST ignore If-Modified-Since if the request contains an | A recipient MUST ignore If-Modified-Since if the request contains an | |||
If-None-Match header field; the condition in If-None-Match is | If-None-Match header field; the condition in If-None-Match is | |||
considered to be a more accurate replacement for the condition in | considered to be a more accurate replacement for the condition in If- | |||
If-Modified-Since, and the two are only combined for the sake of | Modified-Since, and the two are only combined for the sake of | |||
interoperating with older intermediaries that might not implement | interoperating with older intermediaries that might not implement If- | |||
If-None-Match. | None-Match. | |||
A recipient MUST ignore the If-Modified-Since header field if the | A recipient MUST ignore the If-Modified-Since header field if the | |||
received field-value is not a valid HTTP-date, or if the request | received field value is not a valid HTTP-date, or if the request | |||
method is neither GET nor HEAD. | method is neither GET nor HEAD. | |||
A recipient MUST interpret an If-Modified-Since field-value's | A recipient MUST interpret an If-Modified-Since field value's | |||
timestamp in terms of the origin server's clock. | timestamp in terms of the origin server's clock. | |||
If-Modified-Since is typically used for two distinct purposes: 1) to | If-Modified-Since is typically used for two distinct purposes: 1) to | |||
allow efficient updates of a cached representation that does not have | allow efficient updates of a cached representation that does not have | |||
an entity-tag and 2) to limit the scope of a web traversal to | an entity-tag and 2) to limit the scope of a web traversal to | |||
resources that have recently changed. | resources that have recently changed. | |||
When used for cache updates, a cache will typically use the value of | When used for cache updates, a cache will typically use the value of | |||
the cached message's Last-Modified field to generate the field value | the cached message's Last-Modified field to generate the field value | |||
of If-Modified-Since. This behavior is most interoperable for cases | of If-Modified-Since. This behavior is most interoperable for cases | |||
where clocks are poorly synchronized or when the server has chosen to | where clocks are poorly synchronized or when the server has chosen to | |||
only honor exact timestamp matches (due to a problem with | only honor exact timestamp matches (due to a problem with Last- | |||
Last-Modified dates that appear to go "back in time" when the origin | Modified dates that appear to go "back in time" when the origin | |||
server's clock is corrected or a representation is restored from an | server's clock is corrected or a representation is restored from an | |||
archived backup). However, caches occasionally generate the field | archived backup). However, caches occasionally generate the field | |||
value based on other data, such as the Date header field of the | value based on other data, such as the Date header field of the | |||
cached message or the local clock time that the message was received, | cached message or the local clock time that the message was received, | |||
particularly when the cached message does not contain a Last-Modified | particularly when the cached message does not contain a Last-Modified | |||
field. | field. | |||
When used for limiting the scope of retrieval to a recent time | When used for limiting the scope of retrieval to a recent time | |||
window, a user agent will generate an If-Modified-Since field value | window, a user agent will generate an If-Modified-Since field value | |||
based on either its own local clock or a Date header field received | based on either its own local clock or a Date header field received | |||
from the server in a prior response. Origin servers that choose an | from the server in a prior response. Origin servers that choose an | |||
exact timestamp match based on the selected representation's | exact timestamp match based on the selected representation's Last- | |||
Last-Modified field will not be able to help the user agent limit its | Modified field will not be able to help the user agent limit its data | |||
data transfers to only those changed during the specified window. | transfers to only those changed during the specified window. | |||
An origin server that receives an If-Modified-Since header field | An origin server that receives an If-Modified-Since header field | |||
SHOULD evaluate the condition prior to performing the method | SHOULD evaluate the condition prior to performing the method | |||
(Section 5). The origin server SHOULD NOT perform the requested | (Section 8.2.1). The origin server SHOULD NOT perform the requested | |||
method if the selected representation's last modification date is | method if the selected representation's last modification date is | |||
earlier than or equal to the date provided in the field-value; | earlier than or equal to the date provided in the field value; | |||
instead, the origin server SHOULD generate a 304 (Not Modified) | instead, the origin server SHOULD generate a 304 (Not Modified) | |||
response, including only those metadata that are useful for | response, including only those metadata that are useful for | |||
identifying or updating a previously cached response. | identifying or updating a previously cached response. | |||
Requirements on cache handling of a received If-Modified-Since header | Requirements on cache handling of a received If-Modified-Since header | |||
field are defined in Section 4.3.2 of [RFC7234]. | field are defined in Section 4.3.2 of [Caching]. | |||
3.4. If-Unmodified-Since | 8.2.6. If-Unmodified-Since | |||
The "If-Unmodified-Since" header field makes the request method | The "If-Unmodified-Since" header field makes the request method | |||
conditional on the selected representation's last modification date | conditional on the selected representation's last modification date | |||
being earlier than or equal to the date provided in the field-value. | being earlier than or equal to the date provided in the field value. | |||
This field accomplishes the same purpose as If-Match for cases where | This field accomplishes the same purpose as If-Match for cases where | |||
the user agent does not have an entity-tag for the representation. | the user agent does not have an entity-tag for the representation. | |||
If-Unmodified-Since = HTTP-date | If-Unmodified-Since = HTTP-date | |||
An example of the field is: | An example of the field is: | |||
If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT | If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT | |||
A recipient MUST ignore If-Unmodified-Since if the request contains | A recipient MUST ignore If-Unmodified-Since if the request contains | |||
an If-Match header field; the condition in If-Match is considered to | an If-Match header field; the condition in If-Match is considered to | |||
be a more accurate replacement for the condition in | be a more accurate replacement for the condition in If-Unmodified- | |||
If-Unmodified-Since, and the two are only combined for the sake of | Since, and the two are only combined for the sake of interoperating | |||
interoperating with older intermediaries that might not implement | with older intermediaries that might not implement If-Match. | |||
If-Match. | ||||
A recipient MUST ignore the If-Unmodified-Since header field if the | A recipient MUST ignore the If-Unmodified-Since header field if the | |||
received field-value is not a valid HTTP-date. | received field value is not a valid HTTP-date. | |||
A recipient MUST interpret an If-Unmodified-Since field-value's | A recipient MUST interpret an If-Unmodified-Since field value's | |||
timestamp in terms of the origin server's clock. | timestamp in terms of the origin server's clock. | |||
If-Unmodified-Since is most often used with state-changing methods | If-Unmodified-Since is most often used with state-changing methods | |||
(e.g., POST, PUT, DELETE) to prevent accidental overwrites when | (e.g., POST, PUT, DELETE) to prevent accidental overwrites when | |||
multiple user agents might be acting in parallel on a resource that | multiple user agents might be acting in parallel on a resource that | |||
does not supply entity-tags with its representations (i.e., to | does not supply entity-tags with its representations (i.e., to | |||
prevent the "lost update" problem). It can also be used with safe | prevent the "lost update" problem). It can also be used with safe | |||
methods to abort a request if the selected representation does not | methods to abort a request if the selected representation does not | |||
match one already stored (or partially stored) from a prior request. | match one already stored (or partially stored) from a prior request. | |||
An origin server that receives an If-Unmodified-Since header field | An origin server that receives an If-Unmodified-Since header field | |||
MUST evaluate the condition prior to performing the method | MUST evaluate the condition prior to performing the method | |||
(Section 5). The origin server MUST NOT perform the requested method | (Section 8.2.1). The origin server MUST NOT perform the requested | |||
if the selected representation's last modification date is more | method if the selected representation's last modification date is | |||
recent than the date provided in the field-value; instead the origin | more recent than the date provided in the field value; instead the | |||
server MUST respond with either a) the 412 (Precondition Failed) | origin server MUST respond with either a) the 412 (Precondition | |||
status code or b) one of the 2xx (Successful) status codes if the | Failed) status code or b) one of the 2xx (Successful) status codes if | |||
origin server has verified that a state change is being requested and | the origin server has verified that a state change is being requested | |||
the final state is already reflected in the current state of the | and the final state is already reflected in the current state of the | |||
target resource (i.e., the change requested by the user agent has | target resource (i.e., the change requested by the user agent has | |||
already succeeded, but the user agent might not be aware of that | already succeeded, but the user agent might not be aware of that | |||
because the prior response message was lost or a compatible change | because the prior response message was lost or a compatible change | |||
was made by some other user agent). In the latter case, the origin | was made by some other user agent). In the latter case, the origin | |||
server MUST NOT send a validator header field in the response unless | server MUST NOT send a validator header field in the response unless | |||
it can verify that the request is a duplicate of an immediately prior | it can verify that the request is a duplicate of an immediately prior | |||
change made by the same user agent. | change made by the same user agent. | |||
The If-Unmodified-Since header field can be ignored by caches and | The If-Unmodified-Since header field can be ignored by caches and | |||
intermediaries because it is not applicable to a stored response. | intermediaries because it is not applicable to a stored response. | |||
3.5. If-Range | 8.2.7. If-Range | |||
The "If-Range" header field provides a special conditional request | The "If-Range" header field provides a special conditional request | |||
mechanism that is similar to the If-Match and If-Unmodified-Since | mechanism that is similar to the If-Match and If-Unmodified-Since | |||
header fields but that instructs the recipient to ignore the Range | header fields but that instructs the recipient to ignore the Range | |||
header field if the validator doesn't match, resulting in transfer of | header field if the validator doesn't match, resulting in transfer of | |||
the new selected representation instead of a 412 (Precondition | the new selected representation instead of a 412 (Precondition | |||
Failed) response. If-Range is defined in Section 3.2 of [RFC7233]. | Failed) response. | |||
If a client has a partial copy of a representation and wishes to have | If a client has a partial copy of a representation and wishes to have | |||
an up-to-date copy of the entire representation, it could use the | an up-to-date copy of the entire representation, it could use the | |||
Range header field with a conditional GET (using either or both of | Range header field with a conditional GET (using either or both of | |||
If-Unmodified-Since and If-Match.) However, if the precondition | If-Unmodified-Since and If-Match.) However, if the precondition | |||
fails because the representation has been modified, the client would | fails because the representation has been modified, the client would | |||
then have to make a second request to obtain the entire current | then have to make a second request to obtain the entire current | |||
representation. | representation. | |||
The "If-Range" header field allows a client to "short-circuit" the | The "If-Range" header field allows a client to "short-circuit" the | |||
second request. Informally, its meaning is as follows: if the | second request. Informally, its meaning is as follows: if the | |||
representation is unchanged, send me the part(s) that I am requesting | representation is unchanged, send me the part(s) that I am requesting | |||
in Range; otherwise, send me the entire representation. | in Range; otherwise, send me the entire representation. | |||
If-Range = entity-tag / HTTP-date | If-Range = entity-tag / HTTP-date | |||
A client MUST NOT generate an If-Range header field in a request that | A client MUST NOT generate an If-Range header field in a request that | |||
does not contain a Range header field. A server MUST ignore an | does not contain a Range header field. A server MUST ignore an If- | |||
If-Range header field received in a request that does not contain a | Range header field received in a request that does not contain a | |||
Range header field. An origin server MUST ignore an If-Range header | Range header field. An origin server MUST ignore an If-Range header | |||
field received in a request for a target resource that does not | field received in a request for a target resource that does not | |||
support Range requests. | support Range requests. | |||
A client MUST NOT generate an If-Range header field containing an | A client MUST NOT generate an If-Range header field containing an | |||
entity-tag that is marked as weak. A client MUST NOT generate an | entity-tag that is marked as weak. A client MUST NOT generate an If- | |||
If-Range header field containing an HTTP-date unless the client has | Range header field containing an HTTP-date unless the client has no | |||
no entity-tag for the corresponding representation and the date is a | entity-tag for the corresponding representation and the date is a | |||
strong validator in the sense defined by Section 2.2.2 of [RFC7232]. | strong validator in the sense defined by Section 10.2.2.2. | |||
A server that evaluates an If-Range precondition MUST use the strong | A server that evaluates an If-Range precondition MUST use the strong | |||
comparison function when comparing entity-tags (Section 2.3.2 of | comparison function when comparing entity-tags (Section 10.2.3.2) and | |||
[RFC7232]) and MUST evaluate the condition as false if an HTTP-date | MUST evaluate the condition as false if an HTTP-date validator is | |||
validator is provided that is not a strong validator in the sense | provided that is not a strong validator in the sense defined by | |||
defined by Section 2.2.2 of [RFC7232]. A valid entity-tag can be | Section 10.2.2.2. A valid entity-tag can be distinguished from a | |||
distinguished from a valid HTTP-date by examining the first two | valid HTTP-date by examining the first two characters for a DQUOTE. | |||
characters for a DQUOTE. | ||||
If the validator given in the If-Range header field matches the | If the validator given in the If-Range header field matches the | |||
current validator for the selected representation of the target | current validator for the selected representation of the target | |||
resource, then the server SHOULD process the Range header field as | resource, then the server SHOULD process the Range header field as | |||
requested. If the validator does not match, the server MUST ignore | requested. If the validator does not match, the server MUST ignore | |||
the Range header field. Note that this comparison by exact match, | the Range header field. Note that this comparison by exact match, | |||
including when the validator is an HTTP-date, differs from the | including when the validator is an HTTP-date, differs from the | |||
"earlier than or equal to" comparison used when evaluating an | "earlier than or equal to" comparison used when evaluating an If- | |||
If-Unmodified-Since conditional. | Unmodified-Since conditional. | |||
3.1. Range | 8.3. Range | |||
The "Range" header field on a GET request modifies the method | The "Range" header field on a GET request modifies the method | |||
semantics to request transfer of only one or more subranges of the | semantics to request transfer of only one or more subranges of the | |||
selected representation data, rather than the entire selected | selected representation data, rather than the entire selected | |||
representation data. | representation data. | |||
Range = byte-ranges-specifier / other-ranges-specifier | Range = ranges-specifier | |||
other-ranges-specifier = other-range-unit "=" other-range-set | ||||
other-range-set = 1*VCHAR | ||||
Hypertext Transfer Protocol (HTTP) clients often encounter | Clients often encounter interrupted data transfers as a result of | |||
interrupted data transfers as a result of canceled requests or | canceled requests or dropped connections. When a client has stored a | |||
dropped connections. When a client has stored a partial | partial representation, it is desirable to request the remainder of | |||
representation, it is desirable to request the remainder of that | that representation in a subsequent request rather than transfer the | |||
representation in a subsequent request rather than transfer the | ||||
entire representation. Likewise, devices with limited local storage | entire representation. Likewise, devices with limited local storage | |||
might benefit from being able to request only a subset of a larger | might benefit from being able to request only a subset of a larger | |||
representation, such as a single page of a very large document, or | representation, such as a single page of a very large document, or | |||
the dimensions of an embedded image. | the dimensions of an embedded image. | |||
Range requests are an OPTIONAL | Range requests are an OPTIONAL feature of HTTP, designed so that | |||
feature of HTTP, designed so that recipients not implementing this | recipients not implementing this feature (or not supporting it for | |||
feature (or not supporting it for the target resource) can respond as | the target resource) can respond as if it is a normal GET request | |||
if it is a normal GET request without impacting interoperability. | without impacting interoperability. Partial responses are indicated | |||
Partial responses are indicated by a distinct status code to not be | by a distinct status code to not be mistaken for full responses by | |||
mistaken for full responses by caches that might not implement the | caches that might not implement the feature. | |||
feature. | ||||
A server MAY ignore the Range header field. However, origin servers | A server MAY ignore the Range header field. However, origin servers | |||
and intermediate caches ought to support byte ranges when possible, | and intermediate caches ought to support byte ranges when possible, | |||
since Range supports efficient recovery from partially failed | since they support efficient recovery from partially failed transfers | |||
transfers and partial retrieval of large representations. A server | and partial retrieval of large representations. A server MUST ignore | |||
MUST ignore a Range header field received with a request method other | a Range header field received with a request method other than GET. | |||
than GET. | ||||
Although the range request mechanism is designed to allow for | Although the range request mechanism is designed to allow for | |||
extensible range types, this specification only defines requests for | extensible range types, this specification only defines requests for | |||
byte ranges. | byte ranges. | |||
An origin server MUST ignore a Range header field that contains a | An origin server MUST ignore a Range header field that contains a | |||
range unit it does not understand. A proxy MAY discard a Range | range unit it does not understand. A proxy MAY discard a Range | |||
header field that contains a range unit it does not understand. | header field that contains a range unit it does not understand. | |||
A server that supports range requests MAY ignore or reject a Range | A server that supports range requests MAY ignore or reject a Range | |||
header field that consists of more than two overlapping ranges, or a | header field that consists of more than two overlapping ranges, or a | |||
set of many small ranges that are not listed in ascending order, | set of many small ranges that are not listed in ascending order, | |||
since both are indications of either a broken client or a deliberate | since both are indications of either a broken client or a deliberate | |||
denial-of-service attack (Section 6.1). A client SHOULD NOT request | denial-of-service attack (Section 11.13). A client SHOULD NOT | |||
multiple ranges that are inherently less efficient to process and | request multiple ranges that are inherently less efficient to process | |||
transfer than a single range that encompasses the same data. | and transfer than a single range that encompasses the same data. | |||
A client that is requesting multiple ranges SHOULD list those ranges | A client that is requesting multiple ranges SHOULD list those ranges | |||
in ascending order (the order in which they would typically be | in ascending order (the order in which they would typically be | |||
received in a complete representation) unless there is a specific | received in a complete representation) unless there is a specific | |||
need to request a later part earlier. For example, a user agent | need to request a later part earlier. For example, a user agent | |||
processing a large representation with an internal catalog of parts | processing a large representation with an internal catalog of parts | |||
might need to request later parts first, particularly if the | might need to request later parts first, particularly if the | |||
representation consists of pages stored in reverse order and the user | representation consists of pages stored in reverse order and the user | |||
agent wishes to transfer one page at a time. | agent wishes to transfer one page at a time. | |||
The Range header field is evaluated after evaluating the precondition | The Range header field is evaluated after evaluating the precondition | |||
header fields defined in [RFC7232], and only if the result in absence | header fields defined in Section 8.2, and only if the result in | |||
of the Range header field would be a 200 (OK) response. In other | absence of the Range header field would be a 200 (OK) response. In | |||
words, Range is ignored when a conditional GET would result in a 304 | other words, Range is ignored when a conditional GET would result in | |||
(Not Modified) response. | a 304 (Not Modified) response. | |||
The If-Range header field (Section 3.2) can be used as a precondition | The If-Range header field (Section 8.2.7) can be used as a | |||
to applying the Range header field. | precondition to applying the Range header field. | |||
If all of the preconditions are true, the server supports the Range | If all of the preconditions are true, the server supports the Range | |||
header field for the target resource, and the specified range(s) are | header field for the target resource, and the specified range(s) are | |||
valid and satisfiable (as defined in Section 2.1), the server SHOULD | valid and satisfiable (as defined in Section 6.1.4.2), the server | |||
send a 206 (Partial Content) response with a payload containing one | SHOULD send a 206 (Partial Content) response with a payload | |||
or more partial representations that correspond to the satisfiable | containing one or more partial representations that correspond to the | |||
ranges requested, as defined in Section 4. | satisfiable ranges requested. | |||
If all of the preconditions are true, the server supports the Range | If all of the preconditions are true, the server supports the Range | |||
header field for the target resource, and the specified range(s) are | header field for the target resource, and the specified range(s) are | |||
invalid or unsatisfiable, the server SHOULD send a 416 (Range Not | invalid or unsatisfiable, the server SHOULD send a 416 (Range Not | |||
Satisfiable) response. | Satisfiable) response. | |||
5.3. Content Negotiation | 8.4. Content Negotiation | |||
The following request header fields are sent by a user agent to | The following request header fields are sent by a user agent to | |||
engage in proactive negotiation of the response content, as defined | engage in proactive negotiation of the response content, as defined | |||
in Section 3.4.1. The preferences sent in these fields apply to any | in Section 6.4.1. The preferences sent in these fields apply to any | |||
content in the response, including representations of the target | content in the response, including representations of the target | |||
resource, representations of error or processing status, and | resource, representations of error or processing status, and | |||
potentially even the miscellaneous text strings that might appear | potentially even the miscellaneous text strings that might appear | |||
within the protocol. | within the protocol. | |||
+-------------------+---------------+ | +-----------------+---------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+-------------------+---------------+ | +-----------------+---------------+ | |||
| Accept | Section 5.3.2 | | | Accept | Section 8.4.2 | | |||
| Accept-Charset | Section 5.3.3 | | | Accept-Charset | Section 8.4.3 | | |||
| Accept-Encoding | Section 5.3.4 | | | Accept-Encoding | Section 8.4.4 | | |||
| Accept-Language | Section 5.3.5 | | | Accept-Language | Section 8.4.5 | | |||
+-------------------+---------------+ | +-----------------+---------------+ | |||
For each of these header fields, a request that does not contain it | ||||
implies that the user agent has no preference on that axis of | ||||
negotiation. If the header field is present in a request and none of | ||||
the available representations for the response can be considered | ||||
acceptable according to it, the origin server can either honor the | ||||
header field by sending a 406 (Not Acceptable) response or disregard | ||||
the header field by treating the response as if it is not subject to | ||||
content negotiation for that request header field. This does not | ||||
imply, however, that the client will be able to use the | ||||
representation. | ||||
Note: Sending these header fields makes it easier for a server to | ||||
identify an individual by virtue of the user agent's request | ||||
characteristics (Section 11.11). | ||||
Each of these header fields defines a wildcard value (often, "*") to | ||||
select unspecified values. If no wildcard is present, all values not | ||||
explicitly mentioned in the field are considered "not acceptable" to | ||||
the client. | ||||
Note: In practice, using wildcards in content negotiation has limited | ||||
practical value, because it is seldom useful to say, for example, "I | ||||
prefer image/* more or less than (some other specific value)". | ||||
Clients can explicitly request a 406 (Not Acceptable) response if a | ||||
more preferred format is not available by sending Accept: */*;q=0, | ||||
but they still need to be able to handle a different response, since | ||||
the server is allowed to ignore their preference. | ||||
8.4.1. Quality Values | 8.4.1. Quality Values | |||
Many of the request header fields for proactive negotiation use a | Many of the request header fields for proactive negotiation use a | |||
common parameter, named "q" (case-insensitive), to assign a relative | common parameter, named "q" (case-insensitive), to assign a relative | |||
"weight" to the preference for that associated kind of content. This | "weight" to the preference for that associated kind of content. This | |||
weight is referred to as a "quality value" (or "qvalue") because the | weight is referred to as a "quality value" (or "qvalue") because the | |||
same parameter name is often used within server configurations to | same parameter name is often used within server configurations to | |||
assign a weight to the relative quality of the various | assign a weight to the relative quality of the various | |||
representations that can be selected for a resource. | representations that can be selected for a resource. | |||
skipping to change at line 4312 ¶ | skipping to change at page 104, line 18 ¶ | |||
the default weight is 1. | the default weight is 1. | |||
weight = OWS ";" OWS "q=" qvalue | weight = OWS ";" OWS "q=" qvalue | |||
qvalue = ( "0" [ "." 0*3DIGIT ] ) | qvalue = ( "0" [ "." 0*3DIGIT ] ) | |||
/ ( "1" [ "." 0*3("0") ] ) | / ( "1" [ "." 0*3("0") ] ) | |||
A sender of qvalue MUST NOT generate more than three digits after the | A sender of qvalue MUST NOT generate more than three digits after the | |||
decimal point. User configuration of these values ought to be | decimal point. User configuration of these values ought to be | |||
limited in the same fashion. | limited in the same fashion. | |||
5.3.2. Accept | 8.4.2. Accept | |||
The "Accept" header field can be used by user agents to specify | The "Accept" header field can be used by user agents to specify their | |||
response media types that are acceptable. Accept header fields can | preferences regarding response media types. For example, Accept | |||
be used to indicate that the request is specifically limited to a | header fields can be used to indicate that the request is | |||
small set of desired types, as in the case of a request for an | specifically limited to a small set of desired types, as in the case | |||
in-line image. | of a request for an in-line image. | |||
Accept = #( media-range [ accept-params ] ) | Accept = #( media-range [ accept-params ] ) | |||
media-range = ( "*/*" | media-range = ( "*/*" | |||
/ ( type "/" "*" ) | / ( type "/" "*" ) | |||
/ ( type "/" subtype ) | / ( type "/" subtype ) | |||
) *( OWS ";" OWS parameter ) | ) *( OWS ";" OWS parameter ) | |||
accept-params = weight *( accept-ext ) | accept-params = weight *( accept-ext ) | |||
accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] | accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] | |||
The asterisk "*" character is used to group media types into ranges, | The asterisk "*" character is used to group media types into ranges, | |||
with "*/*" indicating all media types and "type/*" indicating all | with "*/*" indicating all media types and "type/*" indicating all | |||
subtypes of that type. The media-range can include media type | subtypes of that type. The media-range can include media type | |||
parameters that are applicable to that range. | parameters that are applicable to that range. | |||
Each media-range might be followed by zero or more applicable media | Each media-range might be followed by zero or more applicable media | |||
type parameters (e.g., charset), an optional "q" parameter for | type parameters (e.g., charset), an optional "q" parameter for | |||
indicating a relative weight (Section 5.3.1), and then zero or more | indicating a relative weight (Section 8.4.1), and then zero or more | |||
extension parameters. The "q" parameter is necessary if any | extension parameters. The "q" parameter is necessary if any | |||
extensions (accept-ext) are present, since it acts as a separator | extensions (accept-ext) are present, since it acts as a separator | |||
between the two parameter sets. | between the two parameter sets. | |||
Note: Use of the "q" parameter name to separate media type | Note: Use of the "q" parameter name to separate media type | |||
parameters from Accept extension parameters is due to historical | parameters from Accept extension parameters is due to historical | |||
practice. Although this prevents any media type parameter named | practice. Although this prevents any media type parameter named | |||
"q" from being used with a media range, such an event is believed | "q" from being used with a media range, such an event is believed | |||
to be unlikely given the lack of any "q" parameters in the IANA | to be unlikely given the lack of any "q" parameters in the IANA | |||
media type registry and the rare usage of any media type | media type registry and the rare usage of any media type | |||
parameters in Accept. Future media types are discouraged from | parameters in Accept. Future media types are discouraged from | |||
registering any parameter named "q". | registering any parameter named "q". | |||
The example | The example | |||
Accept: audio/*; q=0.2, audio/basic | Accept: audio/*; q=0.2, audio/basic | |||
is interpreted as "I prefer audio/basic, but send me any audio type | is interpreted as "I prefer audio/basic, but send me any audio type | |||
if it is the best available after an 80% markdown in quality". | if it is the best available after an 80% markdown in quality". | |||
A request without any Accept header field implies that the user agent | ||||
will accept any media type in response. If the header field is | ||||
present in a request and none of the available representations for | ||||
the response have a media type that is listed as acceptable, the | ||||
origin server can either honor the header field by sending a 406 (Not | ||||
Acceptable) response or disregard the header field by treating the | ||||
response as if it is not subject to content negotiation. | ||||
A more elaborate example is | A more elaborate example is | |||
Accept: text/plain; q=0.5, text/html, | Accept: text/plain; q=0.5, text/html, | |||
text/x-dvi; q=0.8, text/x-c | text/x-dvi; q=0.8, text/x-c | |||
Verbally, this would be interpreted as "text/html and text/x-c are | Verbally, this would be interpreted as "text/html and text/x-c are | |||
the equally preferred media types, but if they do not exist, then | the equally preferred media types, but if they do not exist, then | |||
send the text/x-dvi representation, and if that does not exist, send | send the text/x-dvi representation, and if that does not exist, send | |||
the text/plain representation". | the text/plain representation". | |||
skipping to change at line 4416 ¶ | skipping to change at page 106, line 21 ¶ | |||
| image/jpeg | 0.5 | | | image/jpeg | 0.5 | | |||
| text/html;level=2 | 0.4 | | | text/html;level=2 | 0.4 | | |||
| text/html;level=3 | 0.7 | | | text/html;level=3 | 0.7 | | |||
+-------------------+---------------+ | +-------------------+---------------+ | |||
Note: A user agent might be provided with a default set of quality | Note: A user agent might be provided with a default set of quality | |||
values for certain media ranges. However, unless the user agent is a | values for certain media ranges. However, unless the user agent is a | |||
closed system that cannot interact with other rendering agents, this | closed system that cannot interact with other rendering agents, this | |||
default set ought to be configurable by the user. | default set ought to be configurable by the user. | |||
5.3.3. Accept-Charset | 8.4.3. Accept-Charset | |||
The "Accept-Charset" header field can be sent by a user agent to | The "Accept-Charset" header field can be sent by a user agent to | |||
indicate what charsets are acceptable in textual response content. | indicate its preferences for charsets in textual response content. | |||
This field allows user agents capable of understanding more | For example, this field allows user agents capable of understanding | |||
comprehensive or special-purpose charsets to signal that capability | more comprehensive or special-purpose charsets to signal that | |||
to an origin server that is capable of representing information in | capability to an origin server that is capable of representing | |||
those charsets. | information in those charsets. | |||
Accept-Charset = 1#( ( charset / "*" ) [ weight ] ) | Accept-Charset = 1#( ( charset / "*" ) [ weight ] ) | |||
Charset names are defined in Section 3.1.1.2. A user agent MAY | Charset names are defined in Section 6.1.1.1. A user agent MAY | |||
associate a quality value with each charset to indicate the user's | associate a quality value with each charset to indicate the user's | |||
relative preference for that charset, as defined in Section 5.3.1. | relative preference for that charset, as defined in Section 8.4.1. | |||
An example is | An example is | |||
Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 | Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 | |||
The special value "*", if present in the Accept-Charset field, | The special value "*", if present in the Accept-Charset field, | |||
matches every charset that is not mentioned elsewhere in the | matches every charset that is not mentioned elsewhere in the Accept- | |||
Accept-Charset field. If no "*" is present in an Accept-Charset | Charset field. | |||
field, then any charsets not explicitly mentioned in the field are | ||||
considered "not acceptable" to the client. | ||||
A request without any Accept-Charset header field implies that the | ||||
user agent will accept any charset in response. Most general-purpose | ||||
user agents do not send Accept-Charset, unless specifically | ||||
configured to do so, because a detailed list of supported charsets | ||||
makes it easier for a server to identify an individual by virtue of | ||||
the user agent's request characteristics (Section 9.7). | ||||
If an Accept-Charset header field is present in a request and none of | Note: Accept-Charset is deprecated because UTF-8 has become nearly | |||
the available representations for the response has a charset that is | ubiquitous and sending a detailed list of user-preferred charsets | |||
listed as acceptable, the origin server can either honor the header | wastes bandwidth, increases latency, and makes passive fingerprinting | |||
field, by sending a 406 (Not Acceptable) response, or disregard the | far too easy (Section 11.11). Most general-purpose user agents do | |||
header field by treating the resource as if it is not subject to | not send Accept-Charset, unless specifically configured to do so. | |||
content negotiation. | ||||
5.3.4. Accept-Encoding | 8.4.4. Accept-Encoding | |||
The "Accept-Encoding" header field can be used by user agents to | The "Accept-Encoding" header field can be used by user agents to | |||
indicate what response content-codings (Section 3.1.2.1) are | indicate their preferences regarding response content-codings | |||
acceptable in the response. An "identity" token is used as a synonym | (Section 6.1.2). An "identity" token is used as a synonym for "no | |||
for "no encoding" in order to communicate when no encoding is | encoding" in order to communicate when no encoding is preferred. | |||
preferred. | ||||
Accept-Encoding = #( codings [ weight ] ) | Accept-Encoding = #( codings [ weight ] ) | |||
codings = content-coding / "identity" / "*" | codings = content-coding / "identity" / "*" | |||
Each codings value MAY be given an associated quality value | Each codings value MAY be given an associated quality value | |||
representing the preference for that encoding, as defined in | representing the preference for that encoding, as defined in | |||
Section 5.3.1. The asterisk "*" symbol in an Accept-Encoding field | Section 8.4.1. The asterisk "*" symbol in an Accept-Encoding field | |||
matches any available content-coding not explicitly listed in the | matches any available content-coding not explicitly listed in the | |||
header field. | header field. | |||
For example, | For example, | |||
Accept-Encoding: compress, gzip | Accept-Encoding: compress, gzip | |||
Accept-Encoding: | Accept-Encoding: | |||
Accept-Encoding: * | Accept-Encoding: * | |||
Accept-Encoding: compress;q=0.5, gzip;q=1.0 | Accept-Encoding: compress;q=0.5, gzip;q=1.0 | |||
Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0 | Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0 | |||
A request without an Accept-Encoding header field implies that the | ||||
user agent has no preferences regarding content-codings. Although | ||||
this allows the server to use any content-coding in a response, it | ||||
does not imply that the user agent will be able to correctly process | ||||
all encodings. | ||||
A server tests whether a content-coding for a given representation is | A server tests whether a content-coding for a given representation is | |||
acceptable using these rules: | acceptable using these rules: | |||
1. If no Accept-Encoding field is in the request, any content-coding | 1. If no Accept-Encoding field is in the request, any content-coding | |||
is considered acceptable by the user agent. | is considered acceptable by the user agent. | |||
2. If the representation has no content-coding, then it is | 2. If the representation has no content-coding, then it is | |||
acceptable by default unless specifically excluded by the | acceptable by default unless specifically excluded by the Accept- | |||
Accept-Encoding field stating either "identity;q=0" or "*;q=0" | Encoding field stating either "identity;q=0" or "*;q=0" without a | |||
without a more specific entry for "identity". | more specific entry for "identity". | |||
3. If the representation's content-coding is one of the | 3. If the representation's content-coding is one of the content- | |||
content-codings listed in the Accept-Encoding field, then it is | codings listed in the Accept-Encoding field value, then it is | |||
acceptable unless it is accompanied by a qvalue of 0. (As | acceptable unless it is accompanied by a qvalue of 0. (As | |||
defined in Section 5.3.1, a qvalue of 0 means "not acceptable".) | defined in Section 8.4.1, a qvalue of 0 means "not acceptable".) | |||
4. If multiple content-codings are acceptable, then the acceptable | 4. If multiple content-codings are acceptable, then the acceptable | |||
content-coding with the highest non-zero qvalue is preferred. | content-coding with the highest non-zero qvalue is preferred. | |||
An Accept-Encoding header field with a combined field-value that is | An Accept-Encoding header field with a field value that is empty | |||
empty implies that the user agent does not want any content-coding in | implies that the user agent does not want any content-coding in | |||
response. If an Accept-Encoding header field is present in a request | response. If an Accept-Encoding header field is present in a request | |||
and none of the available representations for the response have a | and none of the available representations for the response have a | |||
content-coding that is listed as acceptable, the origin server SHOULD | content-coding that is listed as acceptable, the origin server SHOULD | |||
send a response without any content-coding. | send a response without any content-coding. | |||
Note: Most HTTP/1.0 applications do not recognize or obey qvalues | Note: Most HTTP/1.0 applications do not recognize or obey qvalues | |||
associated with content-codings. This means that qvalues might | associated with content-codings. This means that qvalues might | |||
not work and are not permitted with x-gzip or x-compress. | not work and are not permitted with x-gzip or x-compress. | |||
5.3.5. Accept-Language | 8.4.5. Accept-Language | |||
The "Accept-Language" header field can be used by user agents to | The "Accept-Language" header field can be used by user agents to | |||
indicate the set of natural languages that are preferred in the | indicate the set of natural languages that are preferred in the | |||
response. Language tags are defined in Section 3.1.3.1. | response. Language tags are defined in Section 6.1.3. | |||
Accept-Language = 1#( language-range [ weight ] ) | Accept-Language = 1#( language-range [ weight ] ) | |||
language-range = | language-range = | |||
<language-range, see [RFC4647], Section 2.1> | <language-range, see [RFC4647], Section 2.1> | |||
Each language-range can be given an associated quality value | Each language-range can be given an associated quality value | |||
representing an estimate of the user's preference for the languages | representing an estimate of the user's preference for the languages | |||
specified by that range, as defined in Section 5.3.1. For example, | specified by that range, as defined in Section 8.4.1. For example, | |||
Accept-Language: da, en-gb;q=0.8, en;q=0.7 | Accept-Language: da, en-gb;q=0.8, en;q=0.7 | |||
would mean: "I prefer Danish, but will accept British English and | would mean: "I prefer Danish, but will accept British English and | |||
other types of English". | other types of English". | |||
A request without any Accept-Language header field implies that the | ||||
user agent will accept any language in response. If the header field | ||||
is present in a request and none of the available representations for | ||||
the response have a matching language tag, the origin server can | ||||
either disregard the header field by treating the response as if it | ||||
is not subject to content negotiation or honor the header field by | ||||
sending a 406 (Not Acceptable) response. However, the latter is not | ||||
encouraged, as doing so can prevent users from accessing content that | ||||
they might be able to use (with translation software, for example). | ||||
Note that some recipients treat the order in which language tags are | Note that some recipients treat the order in which language tags are | |||
listed as an indication of descending priority, particularly for tags | listed as an indication of descending priority, particularly for tags | |||
that are assigned equal quality values (no value is the same as q=1). | that are assigned equal quality values (no value is the same as q=1). | |||
However, this behavior cannot be relied upon. For consistency and to | However, this behavior cannot be relied upon. For consistency and to | |||
maximize interoperability, many user agents assign each language tag | maximize interoperability, many user agents assign each language tag | |||
a unique quality value while also listing them in order of decreasing | a unique quality value while also listing them in order of decreasing | |||
quality. Additional discussion of language priority lists can be | quality. Additional discussion of language priority lists can be | |||
found in Section 2.3 of [RFC4647]. | found in Section 2.3 of [RFC4647]. | |||
For matching, Section 3 of [RFC4647] defines several matching | For matching, Section 3 of [RFC4647] defines several matching | |||
schemes. Implementations can offer the most appropriate matching | schemes. Implementations can offer the most appropriate matching | |||
scheme for their requirements. The "Basic Filtering" scheme | scheme for their requirements. The "Basic Filtering" scheme | |||
([RFC4647], Section 3.3.1) is identical to the matching scheme that | ([RFC4647], Section 3.3.1) is identical to the matching scheme that | |||
was previously defined for HTTP in Section 14.4 of [RFC2616]. | was previously defined for HTTP in Section 14.4 of [RFC2616]. | |||
It might be contrary to the privacy expectations of the user to send | It might be contrary to the privacy expectations of the user to send | |||
an Accept-Language header field with the complete linguistic | an Accept-Language header field with the complete linguistic | |||
preferences of the user in every request (Section 9.7). | preferences of the user in every request (Section 11.11). | |||
Since intelligibility is highly dependent on the individual user, | Since intelligibility is highly dependent on the individual user, | |||
user agents need to allow user control over the linguistic preference | user agents need to allow user control over the linguistic preference | |||
(either through configuration of the user agent itself or by | (either through configuration of the user agent itself or by | |||
defaulting to a user controllable system setting). A user agent that | defaulting to a user controllable system setting). A user agent that | |||
does not provide such control to the user MUST NOT send an | does not provide such control to the user MUST NOT send an Accept- | |||
Accept-Language header field. | Language header field. | |||
Note: User agents ought to provide guidance to users when setting | Note: User agents ought to provide guidance to users when setting | |||
a preference, since users are rarely familiar with the details of | a preference, since users are rarely familiar with the details of | |||
language matching as described above. For example, users might | language matching as described above. For example, users might | |||
assume that on selecting "en-gb", they will be served any kind of | assume that on selecting "en-gb", they will be served any kind of | |||
English document if British English is not available. A user | English document if British English is not available. A user | |||
agent might suggest, in such a case, to add "en" to the list for | agent might suggest, in such a case, to add "en" to the list for | |||
better matching behavior. | better matching behavior. | |||
5.4. Authentication Credentials | 8.5. Authentication Credentials | |||
HTTP provides a general framework for access control and | HTTP provides a general framework for access control and | |||
authentication, via an extensible set of challenge-response | authentication, via an extensible set of challenge-response | |||
authentication schemes, which can be used by a server to challenge a | authentication schemes, which can be used by a server to challenge a | |||
client request and by a client to provide authentication information. | client request and by a client to provide authentication information. | |||
Two header fields are used for carrying authentication credentials, | Two header fields are used for carrying authentication credentials. | |||
as defined in [RFC7235]. Note that various custom mechanisms for | Note that various custom mechanisms for user authentication use the | |||
user authentication use the Cookie header field for this purpose, as | Cookie header field for this purpose, as defined in [RFC6265]. | |||
defined in [RFC6265]. | ||||
+---------------------+--------------------------+ | +---------------------+---------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+---------------------+--------------------------+ | +---------------------+---------------+ | |||
| Authorization | Section 4.2 of [RFC7235] | | | Authorization | Section 8.5.3 | | |||
| Proxy-Authorization | Section 4.4 of [RFC7235] | | | Proxy-Authorization | Section 8.5.4 | | |||
+---------------------+--------------------------+ | +---------------------+---------------+ | |||
2.1. Challenge and Response | 8.5.1. Challenge and Response | |||
HTTP provides a simple challenge-response authentication framework | HTTP provides a simple challenge-response authentication framework | |||
that can be used by a server to challenge a client request and by a | that can be used by a server to challenge a client request and by a | |||
client to provide authentication information. It uses a case- | client to provide authentication information. It uses a case- | |||
insensitive token as a means to identify the authentication scheme, | insensitive token as a means to identify the authentication scheme, | |||
followed by additional information necessary for achieving | followed by additional information necessary for achieving | |||
authentication via that scheme. The latter can be either a comma- | authentication via that scheme. The latter can be either a comma- | |||
separated list of parameters or a single sequence of characters | separated list of parameters or a single sequence of characters | |||
capable of holding base64-encoded information. | capable of holding base64-encoded information. | |||
skipping to change at line 4626 ¶ | skipping to change at page 110, line 19 ¶ | |||
token68 = 1*( ALPHA / DIGIT / | token68 = 1*( ALPHA / DIGIT / | |||
"-" / "." / "_" / "~" / "+" / "/" ) *"=" | "-" / "." / "_" / "~" / "+" / "/" ) *"=" | |||
The token68 syntax allows the 66 unreserved URI characters | The token68 syntax allows the 66 unreserved URI characters | |||
([RFC3986]), plus a few others, so that it can hold a base64, | ([RFC3986]), plus a few others, so that it can hold a base64, | |||
base64url (URL and filename safe alphabet), base32, or base16 (hex) | base64url (URL and filename safe alphabet), base32, or base16 (hex) | |||
encoding, with or without padding, but excluding whitespace | encoding, with or without padding, but excluding whitespace | |||
([RFC4648]). | ([RFC4648]). | |||
A 401 (Unauthorized) response message is used by an origin server to | A 401 (Unauthorized) response message is used by an origin server to | |||
challenge the authorization of a user agent, including a | challenge the authorization of a user agent, including a WWW- | |||
WWW-Authenticate header field containing at least one challenge | Authenticate header field containing at least one challenge | |||
applicable to the requested resource. | applicable to the requested resource. | |||
A 407 (Proxy Authentication Required) response message is used by a | A 407 (Proxy Authentication Required) response message is used by a | |||
proxy to challenge the authorization of a client, including a | proxy to challenge the authorization of a client, including a Proxy- | |||
Proxy-Authenticate header field containing at least one challenge | Authenticate header field containing at least one challenge | |||
applicable to the proxy for the requested resource. | applicable to the proxy for the requested resource. | |||
challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] | challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] | |||
Note: Many clients fail to parse a challenge that contains an | Note: Many clients fail to parse a challenge that contains an | |||
unknown scheme. A workaround for this problem is to list well- | unknown scheme. A workaround for this problem is to list well- | |||
supported schemes (such as "basic") first. | supported schemes (such as "basic") first. | |||
A user agent that wishes to authenticate itself with an origin server | A user agent that wishes to authenticate itself with an origin server | |||
-- usually, but not necessarily, after receiving a 401 (Unauthorized) | -- usually, but not necessarily, after receiving a 401 (Unauthorized) | |||
skipping to change at line 4660 ¶ | skipping to change at page 111, line 5 ¶ | |||
Both the Authorization field value and the Proxy-Authorization field | Both the Authorization field value and the Proxy-Authorization field | |||
value contain the client's credentials for the realm of the resource | value contain the client's credentials for the realm of the resource | |||
being requested, based upon a challenge received in a response | being requested, based upon a challenge received in a response | |||
(possibly at some point in the past). When creating their values, | (possibly at some point in the past). When creating their values, | |||
the user agent ought to do so by selecting the challenge with what it | the user agent ought to do so by selecting the challenge with what it | |||
considers to be the most secure auth-scheme that it understands, | considers to be the most secure auth-scheme that it understands, | |||
obtaining credentials from the user as appropriate. Transmission of | obtaining credentials from the user as appropriate. Transmission of | |||
credentials within header field values implies significant security | credentials within header field values implies significant security | |||
considerations regarding the confidentiality of the underlying | considerations regarding the confidentiality of the underlying | |||
connection, as described in Section 6.1. | connection, as described in Section 11.14.1. | |||
credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ] | credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ] | |||
Upon receipt of a request for a protected resource that omits | Upon receipt of a request for a protected resource that omits | |||
credentials, contains invalid credentials (e.g., a bad password) or | credentials, contains invalid credentials (e.g., a bad password) or | |||
partial credentials (e.g., when the authentication scheme requires | partial credentials (e.g., when the authentication scheme requires | |||
more than one round trip), an origin server SHOULD send a 401 | more than one round trip), an origin server SHOULD send a 401 | |||
(Unauthorized) response that contains a WWW-Authenticate header field | (Unauthorized) response that contains a WWW-Authenticate header field | |||
with at least one (possibly new) challenge applicable to the | with at least one (possibly new) challenge applicable to the | |||
requested resource. | requested resource. | |||
Likewise, upon receipt of a request that omits proxy credentials or | Likewise, upon receipt of a request that omits proxy credentials or | |||
contains invalid or partial proxy credentials, a proxy that requires | contains invalid or partial proxy credentials, a proxy that requires | |||
authentication SHOULD generate a 407 (Proxy Authentication Required) | authentication SHOULD generate a 407 (Proxy Authentication Required) | |||
response that contains a Proxy-Authenticate header field with at | response that contains a Proxy-Authenticate header field with at | |||
least one (possibly new) challenge applicable to the proxy. | least one (possibly new) challenge applicable to the proxy. | |||
A server that receives valid credentials that are not adequate to | A server that receives valid credentials that are not adequate to | |||
gain access ought to respond with the 403 (Forbidden) status code | gain access ought to respond with the 403 (Forbidden) status code | |||
(Section 6.5.3 of [RFC7231]). | (Section 9.5.4). | |||
HTTP does not restrict applications to this simple challenge-response | HTTP does not restrict applications to this simple challenge-response | |||
framework for access authentication. Additional mechanisms can be | framework for access authentication. Additional mechanisms can be | |||
used, such as authentication at the transport level or via message | used, such as authentication at the transport level or via message | |||
encapsulation, and with additional header fields specifying | encapsulation, and with additional header fields specifying | |||
authentication information. However, such additional mechanisms are | authentication information. However, such additional mechanisms are | |||
not defined by this specification. | not defined by this specification. | |||
2.2. Protection Space (Realm) | 8.5.2. Protection Space (Realm) | |||
The "realm" authentication parameter is reserved for use by | The "realm" authentication parameter is reserved for use by | |||
authentication schemes that wish to indicate a scope of protection. | authentication schemes that wish to indicate a scope of protection. | |||
A protection space is defined by the canonical root URI (the scheme | A protection space is defined by the canonical root URI (the scheme | |||
and authority components of the effective request URI; see Section | and authority components of the effective request URI; see | |||
5.5 of [RFC7230]) of the server being accessed, in combination with | Section 5.5) of the server being accessed, in combination with the | |||
the realm value if present. These realms allow the protected | realm value if present. These realms allow the protected resources | |||
resources on a server to be partitioned into a set of protection | on a server to be partitioned into a set of protection spaces, each | |||
spaces, each with its own authentication scheme and/or authorization | with its own authentication scheme and/or authorization database. | |||
database. The realm value is a string, generally assigned by the | The realm value is a string, generally assigned by the origin server, | |||
origin server, that can have additional semantics specific to the | that can have additional semantics specific to the authentication | |||
authentication scheme. Note that a response can have multiple | scheme. Note that a response can have multiple challenges with the | |||
challenges with the same auth-scheme but with different realms. | same auth-scheme but with different realms. | |||
The protection space determines the domain over which credentials can | The protection space determines the domain over which credentials can | |||
be automatically applied. If a prior request has been authorized, | be automatically applied. If a prior request has been authorized, | |||
the user agent MAY reuse the same credentials for all other requests | the user agent MAY reuse the same credentials for all other requests | |||
within that protection space for a period of time determined by the | within that protection space for a period of time determined by the | |||
authentication scheme, parameters, and/or user preferences (such as a | authentication scheme, parameters, and/or user preferences (such as a | |||
configurable inactivity timeout). Unless specifically allowed by the | configurable inactivity timeout). Unless specifically allowed by the | |||
authentication scheme, a single protection space cannot extend | authentication scheme, a single protection space cannot extend | |||
outside the scope of its server. | outside the scope of its server. | |||
For historical reasons, a sender MUST only generate the quoted-string | For historical reasons, a sender MUST only generate the quoted-string | |||
syntax. Recipients might have to support both token and | syntax. Recipients might have to support both token and quoted- | |||
quoted-string syntax for maximum interoperability with existing | string syntax for maximum interoperability with existing clients that | |||
clients that have been accepting both notations for a long time. | have been accepting both notations for a long time. | |||
4.2. Authorization | 8.5.3. Authorization | |||
The "Authorization" header field allows a user agent to authenticate | The "Authorization" header field allows a user agent to authenticate | |||
itself with an origin server -- usually, but not necessarily, after | itself with an origin server -- usually, but not necessarily, after | |||
receiving a 401 (Unauthorized) response. Its value consists of | receiving a 401 (Unauthorized) response. Its value consists of | |||
credentials containing the authentication information of the user | credentials containing the authentication information of the user | |||
agent for the realm of the resource being requested. | agent for the realm of the resource being requested. | |||
Authorization = credentials | Authorization = credentials | |||
If a request is authenticated and a realm specified, the same | If a request is authenticated and a realm specified, the same | |||
credentials are presumed to be valid for all other requests within | credentials are presumed to be valid for all other requests within | |||
this realm (assuming that the authentication scheme itself does not | this realm (assuming that the authentication scheme itself does not | |||
require otherwise, such as credentials that vary according to a | require otherwise, such as credentials that vary according to a | |||
challenge value or using synchronized clocks). | challenge value or using synchronized clocks). | |||
A proxy forwarding a request MUST NOT modify any Authorization fields | A proxy forwarding a request MUST NOT modify any Authorization fields | |||
in that request. See Section 3.2 of [RFC7234] for details of and | in that request. See Section 3.2 of [Caching] for details of and | |||
requirements pertaining to handling of the Authorization field by | requirements pertaining to handling of the Authorization field by | |||
HTTP caches. | HTTP caches. | |||
4.4. Proxy-Authorization | 8.5.4. Proxy-Authorization | |||
The "Proxy-Authorization" header field allows the client to identify | The "Proxy-Authorization" header field allows the client to identify | |||
itself (or its user) to a proxy that requires authentication. Its | itself (or its user) to a proxy that requires authentication. Its | |||
value consists of credentials containing the authentication | value consists of credentials containing the authentication | |||
information of the client for the proxy and/or realm of the resource | information of the client for the proxy and/or realm of the resource | |||
being requested. | being requested. | |||
Proxy-Authorization = credentials | Proxy-Authorization = credentials | |||
Unlike Authorization, the Proxy-Authorization header field applies | Unlike Authorization, the Proxy-Authorization header field applies | |||
only to the next inbound proxy that demanded authentication using the | only to the next inbound proxy that demanded authentication using the | |||
Proxy-Authenticate field. When multiple proxies are used in a chain, | Proxy-Authenticate field. When multiple proxies are used in a chain, | |||
the Proxy-Authorization header field is consumed by the first inbound | the Proxy-Authorization header field is consumed by the first inbound | |||
proxy that was expecting to receive credentials. A proxy MAY relay | proxy that was expecting to receive credentials. A proxy MAY relay | |||
the credentials from the client request to the next proxy if that is | the credentials from the client request to the next proxy if that is | |||
the mechanism by which the proxies cooperatively authenticate a given | the mechanism by which the proxies cooperatively authenticate a given | |||
request. | request. | |||
X.X. [Authentication Scheme Extensibility] | 8.5.5. Authentication Scheme Extensibility | |||
This document defines HTTP/1.1 authentication in terms of the | ||||
architecture defined in "Hypertext Transfer Protocol (HTTP/1.1): | ||||
Message Syntax and Routing" [RFC7230], including the general | ||||
framework previously described in "HTTP Authentication: Basic and | ||||
Digest Access Authentication" [RFC2617] and the related fields and | ||||
status codes previously defined in "Hypertext Transfer Protocol -- | ||||
HTTP/1.1" [RFC2616]. | ||||
The IANA Authentication Scheme Registry (Section 5.1) lists | Aside from the general framework, this document does not specify any | |||
registered authentication schemes and their corresponding | authentication schemes. New and existing authentication schemes are | |||
specifications, including the "basic" and "digest" authentication | specified independently and ought to be registered within the | |||
schemes previously defined by RFC 2617. | "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry". | |||
For example, the "basic" and "digest" authentication schemes are | ||||
defined by RFC 7617 and RFC 7616, respectively. | ||||
5.1. Authentication Scheme Registry | 8.5.5.1. Authentication Scheme Registry | |||
The "Hypertext Transfer Protocol (HTTP) Authentication Scheme | The "Hypertext Transfer Protocol (HTTP) Authentication Scheme | |||
Registry" defines the namespace for the authentication schemes in | Registry" defines the namespace for the authentication schemes in | |||
challenges and credentials. It has been created and is now | challenges and credentials. It is maintained at | |||
maintained at <http://www.iana.org/assignments/http-authschemes>. | <https://www.iana.org/assignments/http-authschemes>. | |||
5.1.1. Procedure | ||||
Registrations MUST include the following fields: | Registrations MUST include the following fields: | |||
o Authentication Scheme Name | o Authentication Scheme Name | |||
o Pointer to specification text | o Pointer to specification text | |||
o Notes (optional) | o Notes (optional) | |||
Values to be added to this namespace require IETF Review (see | Values to be added to this namespace require IETF Review (see | |||
[RFC5226], Section 4.1). | [RFC8126], Section 4.8). | |||
5.1.2. Considerations for New Authentication Schemes | 8.5.5.2. Considerations for New Authentication Schemes | |||
There are certain aspects of the HTTP Authentication Framework that | There are certain aspects of the HTTP Authentication framework that | |||
put constraints on how new authentication schemes can work: | put constraints on how new authentication schemes can work: | |||
o HTTP authentication is presumed to be stateless: all of the | o HTTP authentication is presumed to be stateless: all of the | |||
information necessary to authenticate a request MUST be provided | information necessary to authenticate a request MUST be provided | |||
in the request, rather than be dependent on the server remembering | in the request, rather than be dependent on the server remembering | |||
prior requests. Authentication based on, or bound to, the | prior requests. Authentication based on, or bound to, the | |||
underlying connection is outside the scope of this specification | underlying connection is outside the scope of this specification | |||
and inherently flawed unless steps are taken to ensure that the | and inherently flawed unless steps are taken to ensure that the | |||
connection cannot be used by any party other than the | connection cannot be used by any party other than the | |||
authenticated user (see Section 2.3 of [RFC7230]). | authenticated user (see Section 2.2). | |||
o The authentication parameter "realm" is reserved for defining | o The authentication parameter "realm" is reserved for defining | |||
protection spaces as described in Section 2.2. New schemes MUST | protection spaces as described in Section 8.5.2. New schemes MUST | |||
NOT use it in a way incompatible with that definition. | NOT use it in a way incompatible with that definition. | |||
o The "token68" notation was introduced for compatibility with | o The "token68" notation was introduced for compatibility with | |||
existing authentication schemes and can only be used once per | existing authentication schemes and can only be used once per | |||
challenge or credential. Thus, new schemes ought to use the | challenge or credential. Thus, new schemes ought to use the auth- | |||
auth-param syntax instead, because otherwise future extensions | param syntax instead, because otherwise future extensions will be | |||
will be impossible. | impossible. | |||
o The parsing of challenges and credentials is defined by this | o The parsing of challenges and credentials is defined by this | |||
specification and cannot be modified by new authentication | specification and cannot be modified by new authentication | |||
schemes. When the auth-param syntax is used, all parameters ought | schemes. When the auth-param syntax is used, all parameters ought | |||
to support both token and quoted-string syntax, and syntactical | to support both token and quoted-string syntax, and syntactical | |||
constraints ought to be defined on the field value after parsing | constraints ought to be defined on the field value after parsing | |||
(i.e., quoted-string processing). This is necessary so that | (i.e., quoted-string processing). This is necessary so that | |||
recipients can use a generic parser that applies to all | recipients can use a generic parser that applies to all | |||
authentication schemes. | authentication schemes. | |||
skipping to change at line 4840 ¶ | skipping to change at page 114, line 37 ¶ | |||
o Definitions of new schemes ought to define the treatment of | o Definitions of new schemes ought to define the treatment of | |||
unknown extension parameters. In general, a "must-ignore" rule is | unknown extension parameters. In general, a "must-ignore" rule is | |||
preferable to a "must-understand" rule, because otherwise it will | preferable to a "must-understand" rule, because otherwise it will | |||
be hard to introduce new parameters in the presence of legacy | be hard to introduce new parameters in the presence of legacy | |||
recipients. Furthermore, it's good to describe the policy for | recipients. Furthermore, it's good to describe the policy for | |||
defining new parameters (such as "update the specification" or | defining new parameters (such as "update the specification" or | |||
"use this registry"). | "use this registry"). | |||
o Authentication schemes need to document whether they are usable in | o Authentication schemes need to document whether they are usable in | |||
origin-server authentication (i.e., using WWW-Authenticate), | origin-server authentication (i.e., using WWW-Authenticate), and/ | |||
and/or proxy authentication (i.e., using Proxy-Authenticate). | or proxy authentication (i.e., using Proxy-Authenticate). | |||
o The credentials carried in an Authorization header field are | o The credentials carried in an Authorization header field are | |||
specific to the user agent and, therefore, have the same effect on | specific to the user agent and, therefore, have the same effect on | |||
HTTP caches as the "private" Cache-Control response directive | HTTP caches as the "private" Cache-Control response directive | |||
(Section 5.2.2.6 of [RFC7234]), within the scope of the request in | (Section 5.2.2.7 of [Caching]), within the scope of the request in | |||
which they appear. | which they appear. | |||
Therefore, new authentication schemes that choose not to carry | Therefore, new authentication schemes that choose not to carry | |||
credentials in the Authorization header field (e.g., using a newly | credentials in the Authorization header field (e.g., using a newly | |||
defined header field) will need to explicitly disallow caching, by | defined header field) will need to explicitly disallow caching, by | |||
mandating the use of either Cache-Control request directives | mandating the use of Cache-Control response directives (e.g., | |||
(e.g., "no-store", Section 5.2.1.5 of [RFC7234]) or response | "private"). | |||
directives (e.g., "private"). | ||||
5.5. Request Context | o Schemes using Authentication-Info, Proxy-Authentication-Info, or | |||
any other authentication related response header field need to | ||||
consider and document the related security considerations (see | ||||
Section 11.14.4). | ||||
8.6. Request Context | ||||
The following request header fields provide additional information | The following request header fields provide additional information | |||
about the request context, including information about the user, user | about the request context, including information about the user, user | |||
agent, and resource behind the request. | agent, and resource behind the request. | |||
+-------------------+---------------+ | +------------+---------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+-------------------+---------------+ | +------------+---------------+ | |||
| From | Section 5.5.1 | | | From | Section 8.6.1 | | |||
| Referer | Section 5.5.2 | | | Referer | Section 8.6.2 | | |||
| User-Agent | Section 5.5.3 | | | User-Agent | Section 8.6.3 | | |||
+-------------------+---------------+ | +------------+---------------+ | |||
5.5.1. From | 8.6.1. From | |||
The "From" header field contains an Internet email address for a | The "From" header field contains an Internet email address for a | |||
human user who controls the requesting user agent. The address ought | human user who controls the requesting user agent. The address ought | |||
to be machine-usable, as defined by "mailbox" in Section 3.4 of | to be machine-usable, as defined by "mailbox" in Section 3.4 of | |||
[RFC5322]: | [RFC5322]: | |||
From = mailbox | From = mailbox | |||
mailbox = <mailbox, see [RFC5322], Section 3.4> | mailbox = <mailbox, see [RFC5322], Section 3.4> | |||
skipping to change at line 4899 ¶ | skipping to change at page 116, line 19 ¶ | |||
A robotic user agent SHOULD send a valid From header field so that | A robotic user agent SHOULD send a valid From header field so that | |||
the person responsible for running the robot can be contacted if | the person responsible for running the robot can be contacted if | |||
problems occur on servers, such as if the robot is sending excessive, | problems occur on servers, such as if the robot is sending excessive, | |||
unwanted, or invalid requests. | unwanted, or invalid requests. | |||
A server SHOULD NOT use the From header field for access control or | A server SHOULD NOT use the From header field for access control or | |||
authentication, since most recipients will assume that the field | authentication, since most recipients will assume that the field | |||
value is public information. | value is public information. | |||
5.5.2. Referer | 8.6.2. Referer | |||
The "Referer" [sic] header field allows the user agent to specify a | The "Referer" [sic] header field allows the user agent to specify a | |||
URI reference for the resource from which the target URI was obtained | URI reference for the resource from which the target URI was obtained | |||
(i.e., the "referrer", though the field name is misspelled). A user | (i.e., the "referrer", though the field name is misspelled). A user | |||
agent MUST NOT include the fragment and userinfo components of the | agent MUST NOT include the fragment and userinfo components of the | |||
URI reference [RFC3986], if any, when generating the Referer field | URI reference [RFC3986], if any, when generating the Referer field | |||
value. | value. | |||
Referer = absolute-URI / partial-URI | Referer = absolute-URI / partial-URI | |||
skipping to change at line 4936 ¶ | skipping to change at page 117, line 7 ¶ | |||
The Referer field has the potential to reveal information about the | The Referer field has the potential to reveal information about the | |||
request context or browsing history of the user, which is a privacy | request context or browsing history of the user, which is a privacy | |||
concern if the referring resource's identifier reveals personal | concern if the referring resource's identifier reveals personal | |||
information (such as an account name) or a resource that is supposed | information (such as an account name) or a resource that is supposed | |||
to be confidential (such as behind a firewall or internal to a | to be confidential (such as behind a firewall or internal to a | |||
secured service). Most general-purpose user agents do not send the | secured service). Most general-purpose user agents do not send the | |||
Referer header field when the referring resource is a local "file" or | Referer header field when the referring resource is a local "file" or | |||
"data" URI. A user agent MUST NOT send a Referer header field in an | "data" URI. A user agent MUST NOT send a Referer header field in an | |||
unsecured HTTP request if the referring page was received with a | unsecured HTTP request if the referring page was received with a | |||
secure protocol. See Section 9.4 for additional security | secure protocol. See Section 11.8 for additional security | |||
considerations. | considerations. | |||
Some intermediaries have been known to indiscriminately remove | Some intermediaries have been known to indiscriminately remove | |||
Referer header fields from outgoing requests. This has the | Referer header fields from outgoing requests. This has the | |||
unfortunate side effect of interfering with protection against CSRF | unfortunate side effect of interfering with protection against CSRF | |||
attacks, which can be far more harmful to their users. | attacks, which can be far more harmful to their users. | |||
Intermediaries and user agent extensions that wish to limit | Intermediaries and user agent extensions that wish to limit | |||
information disclosure in Referer ought to restrict their changes to | information disclosure in Referer ought to restrict their changes to | |||
specific edits, such as replacing internal domain names with | specific edits, such as replacing internal domain names with | |||
pseudonyms or truncating the query and/or path components. An | pseudonyms or truncating the query and/or path components. An | |||
intermediary SHOULD NOT modify or delete the Referer header field | intermediary SHOULD NOT modify or delete the Referer header field | |||
when the field value shares the same scheme and host as the request | when the field value shares the same scheme and host as the request | |||
target. | target. | |||
5.5.3. User-Agent | 8.6.3. User-Agent | |||
The "User-Agent" header field contains information about the user | The "User-Agent" header field contains information about the user | |||
agent originating the request, which is often used by servers to help | agent originating the request, which is often used by servers to help | |||
identify the scope of reported interoperability problems, to work | identify the scope of reported interoperability problems, to work | |||
around or tailor responses to avoid particular user agent | around or tailor responses to avoid particular user agent | |||
limitations, and for analytics regarding browser or operating system | limitations, and for analytics regarding browser or operating system | |||
use. A user agent SHOULD send a User-Agent field in each request | use. A user agent SHOULD send a User-Agent field in each request | |||
unless specifically configured not to do so. | unless specifically configured not to do so. | |||
User-Agent = product *( RWS ( product / comment ) ) | User-Agent = product *( RWS ( product / comment ) ) | |||
The User-Agent field-value consists of one or more product | The User-Agent field value consists of one or more product | |||
identifiers, each followed by zero or more comments (Section 3.2 of | identifiers, each followed by zero or more comments | |||
[RFC7230]), which together identify the user agent software and its | (Section 4.4.1.3), which together identify the user agent software | |||
significant subproducts. By convention, the product identifiers are | and its significant subproducts. By convention, the product | |||
listed in decreasing order of their significance for identifying the | identifiers are listed in decreasing order of their significance for | |||
user agent software. Each product identifier consists of a name and | identifying the user agent software. Each product identifier | |||
optional version. | consists of a name and optional version. | |||
product = token ["/" product-version] | product = token ["/" product-version] | |||
product-version = token | product-version = token | |||
A sender SHOULD limit generated product identifiers to what is | A sender SHOULD limit generated product identifiers to what is | |||
necessary to identify the product; a sender MUST NOT generate | necessary to identify the product; a sender MUST NOT generate | |||
advertising or other nonessential information within the product | advertising or other nonessential information within the product | |||
identifier. A sender SHOULD NOT generate information in | identifier. A sender SHOULD NOT generate information in product- | |||
product-version that is not a version identifier (i.e., successive | version that is not a version identifier (i.e., successive versions | |||
versions of the same product name ought to differ only in the | of the same product name ought to differ only in the product-version | |||
product-version portion of the product identifier). | portion of the product identifier). | |||
Example: | Example: | |||
User-Agent: CERN-LineMode/2.15 libwww/2.17b3 | User-Agent: CERN-LineMode/2.15 libwww/2.17b3 | |||
A user agent SHOULD NOT generate a User-Agent field containing | A user agent SHOULD NOT generate a User-Agent field containing | |||
needlessly fine-grained detail and SHOULD limit the addition of | needlessly fine-grained detail and SHOULD limit the addition of | |||
subproducts by third parties. Overly long and detailed User-Agent | subproducts by third parties. Overly long and detailed User-Agent | |||
field values increase request latency and the risk of a user being | field values increase request latency and the risk of a user being | |||
identified against their wishes ("fingerprinting"). | identified against their wishes ("fingerprinting"). | |||
skipping to change at line 5002 ¶ | skipping to change at page 118, line 25 ¶ | |||
Likewise, implementations are encouraged not to use the product | Likewise, implementations are encouraged not to use the product | |||
tokens of other implementations in order to declare compatibility | tokens of other implementations in order to declare compatibility | |||
with them, as this circumvents the purpose of the field. If a user | with them, as this circumvents the purpose of the field. If a user | |||
agent masquerades as a different user agent, recipients can assume | agent masquerades as a different user agent, recipients can assume | |||
that the user intentionally desires to see responses tailored for | that the user intentionally desires to see responses tailored for | |||
that identified user agent, even if they might not work as well for | that identified user agent, even if they might not work as well for | |||
the actual user agent being used. | the actual user agent being used. | |||
9. Response Status Codes | 9. Response Status Codes | |||
The status-code element is a three-digit integer code giving the | The (response) status code is a three-digit integer code giving the | |||
result of the attempt to understand and satisfy the request. | result of the attempt to understand and satisfy the request. | |||
HTTP status codes are extensible. HTTP clients are not required to | HTTP status codes are extensible. HTTP clients are not required to | |||
understand the meaning of all registered status codes, though such | understand the meaning of all registered status codes, though such | |||
understanding is obviously desirable. However, a client MUST | understanding is obviously desirable. However, a client MUST | |||
understand the class of any status code, as indicated by the first | understand the class of any status code, as indicated by the first | |||
digit, and treat an unrecognized status code as being equivalent to | digit, and treat an unrecognized status code as being equivalent to | |||
the x00 status code of that class, with the exception that a | the x00 status code of that class. | |||
recipient MUST NOT cache a response with an unrecognized status code. | ||||
For example, if an unrecognized status code of 471 is received by a | For example, if an unrecognized status code of 471 is received by a | |||
client, the client can assume that there was something wrong with its | client, the client can assume that there was something wrong with its | |||
request and treat the response as if it had received a 400 (Bad | request and treat the response as if it had received a 400 (Bad | |||
Request) status code. The response message will usually contain a | Request) status code. The response message will usually contain a | |||
representation that explains the status. | representation that explains the status. | |||
The first digit of the status-code defines the class of response. | The first digit of the status code defines the class of response. | |||
The last two digits do not have any categorization role. There are | The last two digits do not have any categorization role. There are | |||
five values for the first digit: | five values for the first digit: | |||
o 1xx (Informational): The request was received, continuing process | o 1xx (Informational): The request was received, continuing process | |||
o 2xx (Successful): The request was successfully received, | o 2xx (Successful): The request was successfully received, | |||
understood, and accepted | understood, and accepted | |||
o 3xx (Redirection): Further action needs to be taken in order to | o 3xx (Redirection): Further action needs to be taken in order to | |||
complete the request | complete the request | |||
o 4xx (Client Error): The request contains bad syntax or cannot be | o 4xx (Client Error): The request contains bad syntax or cannot be | |||
fulfilled | fulfilled | |||
o 5xx (Server Error): The server failed to fulfill an apparently | o 5xx (Server Error): The server failed to fulfill an apparently | |||
valid request | valid request | |||
A single request can have multiple associated responses: zero or more | ||||
interim (non-final) responses with status codes in the | ||||
"informational" (1xx) range, followed by exactly one final response | ||||
with a status code in one of the other ranges. | ||||
9.1. Overview of Status Codes | 9.1. Overview of Status Codes | |||
The status codes listed below are defined in this specification, | The status codes listed below are defined in this specification. The | |||
Section 4 of [RFC7232], Section 4 of [RFC7233], and Section 3 of | reason phrases listed here are only recommendations -- they can be | |||
[RFC7235]. The reason phrases listed here are only recommendations | replaced by local equivalents without affecting the protocol. | |||
-- they can be replaced by local equivalents without affecting the | ||||
protocol. | ||||
Responses with status codes that are defined as cacheable by default | Responses with status codes that are defined as heuristically | |||
(e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, and 501 in | cacheable (e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, | |||
this specification) can be reused by a cache with heuristic | and 501 in this specification) can be reused by a cache with | |||
expiration unless otherwise indicated by the method definition or | heuristic expiration unless otherwise indicated by the method | |||
explicit cache controls [RFC7234]; all other status codes are not | definition or explicit cache controls [Caching]; all other status | |||
cacheable by default. | codes are not heuristically cacheable. | |||
+------+-------------------------------+--------------------------+ | +-------+-------------------------------+-----------------+ | |||
| Code | Reason-Phrase | Defined in... | | | Value | Description | Reference | | |||
+------+-------------------------------+--------------------------+ | +-------+-------------------------------+-----------------+ | |||
| 100 | Continue | Section 6.2.1 | | | 100 | Continue | Section 9.2.1 | | |||
| 101 | Switching Protocols | Section 6.2.2 | | | 101 | Switching Protocols | Section 9.2.2 | | |||
| 200 | OK | Section 6.3.1 | | | 200 | OK | Section 9.3.1 | | |||
| 201 | Created | Section 6.3.2 | | | 201 | Created | Section 9.3.2 | | |||
| 202 | Accepted | Section 6.3.3 | | | 202 | Accepted | Section 9.3.3 | | |||
| 203 | Non-Authoritative Information | Section 6.3.4 | | | 203 | Non-Authoritative Information | Section 9.3.4 | | |||
| 204 | No Content | Section 6.3.5 | | | 204 | No Content | Section 9.3.5 | | |||
| 205 | Reset Content | Section 6.3.6 | | | 205 | Reset Content | Section 9.3.6 | | |||
| 206 | Partial Content | Section 4.1 of [RFC7233] | | | 206 | Partial Content | Section 9.3.7 | | |||
| 300 | Multiple Choices | Section 6.4.1 | | | 300 | Multiple Choices | Section 9.4.1 | | |||
| 301 | Moved Permanently | Section 6.4.2 | | | 301 | Moved Permanently | Section 9.4.2 | | |||
| 302 | Found | Section 6.4.3 | | | 302 | Found | Section 9.4.3 | | |||
| 303 | See Other | Section 6.4.4 | | | 303 | See Other | Section 9.4.4 | | |||
| 304 | Not Modified | Section 4.1 of [RFC7232] | | | 304 | Not Modified | Section 9.4.5 | | |||
| 305 | Use Proxy | Section 6.4.5 | | | 305 | Use Proxy | Section 9.4.6 | | |||
| 307 | Temporary Redirect | Section 6.4.7 | | | 306 | (Unused) | Section 9.4.7 | | |||
| 400 | Bad Request | Section 6.5.1 | | | 307 | Temporary Redirect | Section 9.4.8 | | |||
| 401 | Unauthorized | Section 3.1 of [RFC7235] | | | 308 | Permanent Redirect | Section 9.4.9 | | |||
| 402 | Payment Required | Section 6.5.2 | | | 400 | Bad Request | Section 9.5.1 | | |||
| 403 | Forbidden | Section 6.5.3 | | | 401 | Unauthorized | Section 9.5.2 | | |||
| 404 | Not Found | Section 6.5.4 | | | 402 | Payment Required | Section 9.5.3 | | |||
| 405 | Method Not Allowed | Section 6.5.5 | | | 403 | Forbidden | Section 9.5.4 | | |||
| 406 | Not Acceptable | Section 6.5.6 | | | 404 | Not Found | Section 9.5.5 | | |||
| 407 | Proxy Authentication Required | Section 3.2 of [RFC7235] | | | 405 | Method Not Allowed | Section 9.5.6 | | |||
| 408 | Request Timeout | Section 6.5.7 | | | 406 | Not Acceptable | Section 9.5.7 | | |||
| 409 | Conflict | Section 6.5.8 | | | 407 | Proxy Authentication Required | Section 9.5.8 | | |||
| 410 | Gone | Section 6.5.9 | | | 408 | Request Timeout | Section 9.5.9 | | |||
| 411 | Length Required | Section 6.5.10 | | | 409 | Conflict | Section 9.5.10 | | |||
| 412 | Precondition Failed | Section 4.2 of [RFC7232] | | | 410 | Gone | Section 9.5.11 | | |||
| 413 | Payload Too Large | Section 6.5.11 | | | 411 | Length Required | Section 9.5.12 | | |||
| 414 | URI Too Long | Section 6.5.12 | | | 412 | Precondition Failed | Section 9.5.13 | | |||
| 415 | Unsupported Media Type | Section 6.5.13 | | | 413 | Payload Too Large | Section 9.5.14 | | |||
| 416 | Range Not Satisfiable | Section 4.4 of [RFC7233] | | | 414 | URI Too Long | Section 9.5.15 | | |||
| 417 | Expectation Failed | Section 6.5.14 | | | 415 | Unsupported Media Type | Section 9.5.16 | | |||
| 426 | Upgrade Required | Section 6.5.15 | | | 416 | Range Not Satisfiable | Section 9.5.17 | | |||
| 500 | Internal Server Error | Section 6.6.1 | | | 417 | Expectation Failed | Section 9.5.18 | | |||
| 501 | Not Implemented | Section 6.6.2 | | | 418 | (Unused) | Section 9.5.19 | | |||
| 502 | Bad Gateway | Section 6.6.3 | | | 422 | Unprocessable Payload | Section 9.5.20 | | |||
| 503 | Service Unavailable | Section 6.6.4 | | | 426 | Upgrade Required | Section 9.5.21 | | |||
| 504 | Gateway Timeout | Section 6.6.5 | | | 500 | Internal Server Error | Section 9.6.1 | | |||
| 505 | HTTP Version Not Supported | Section 6.6.6 | | | 501 | Not Implemented | Section 9.6.2 | | |||
+------+-------------------------------+--------------------------+ | | 502 | Bad Gateway | Section 9.6.3 | | |||
| 503 | Service Unavailable | Section 9.6.4 | | ||||
| 504 | Gateway Timeout | Section 9.6.5 | | ||||
| 505 | HTTP Version Not Supported | Section 9.6.6 | | ||||
+-------+-------------------------------+-----------------+ | ||||
Table 6 | ||||
Note that this list is not exhaustive -- it does not include | Note that this list is not exhaustive -- it does not include | |||
extension status codes defined in other specifications. The complete | extension status codes defined in other specifications (Section 9.7). | |||
list of status codes is maintained by IANA. See Section 8.2 for | ||||
details. | ||||
6.2. Informational 1xx | 9.2. Informational 1xx | |||
The 1xx (Informational) class of status code indicates an interim | The 1xx (Informational) class of status code indicates an interim | |||
response for communicating connection status or request progress | response for communicating connection status or request progress | |||
prior to completing the requested action and sending a final | prior to completing the requested action and sending a final | |||
response. 1xx responses are terminated by the first empty line after | response. 1xx responses are terminated by the first empty line after | |||
the status-line (the empty line signaling the end of the header | the status-line (the empty line signaling the end of the header | |||
section). Since HTTP/1.0 did not define any 1xx status codes, a | section). Since HTTP/1.0 did not define any 1xx status codes, a | |||
server MUST NOT send a 1xx response to an HTTP/1.0 client. | server MUST NOT send a 1xx response to an HTTP/1.0 client. | |||
A client MUST be able to parse one or more 1xx responses received | A client MUST be able to parse one or more 1xx responses received | |||
prior to a final response, even if the client does not expect one. A | prior to a final response, even if the client does not expect one. A | |||
user agent MAY ignore unexpected 1xx responses. | user agent MAY ignore unexpected 1xx responses. | |||
A proxy MUST forward 1xx responses unless the proxy itself requested | A proxy MUST forward 1xx responses unless the proxy itself requested | |||
the generation of the 1xx response. For example, if a proxy adds an | the generation of the 1xx response. For example, if a proxy adds an | |||
"Expect: 100-continue" field when it forwards a request, then it need | "Expect: 100-continue" field when it forwards a request, then it need | |||
not forward the corresponding 100 (Continue) response(s). | not forward the corresponding 100 (Continue) response(s). | |||
6.2.1. 100 Continue | 9.2.1. 100 Continue | |||
The 100 (Continue) status code indicates that the initial part of a | The 100 (Continue) status code indicates that the initial part of a | |||
request has been received and has not yet been rejected by the | request has been received and has not yet been rejected by the | |||
server. The server intends to send a final response after the | server. The server intends to send a final response after the | |||
request has been fully received and acted upon. | request has been fully received and acted upon. | |||
When the request contains an Expect header field that includes a | When the request contains an Expect header field that includes a | |||
100-continue expectation, the 100 response indicates that the server | 100-continue expectation, the 100 response indicates that the server | |||
wishes to receive the request payload body, as described in | wishes to receive the request payload body, as described in | |||
Section 5.1.1. The client ought to continue sending the request and | Section 8.1.1. The client ought to continue sending the request and | |||
discard the 100 response. | discard the 100 response. | |||
If the request did not contain an Expect header field containing the | If the request did not contain an Expect header field containing the | |||
100-continue expectation, the client can simply discard this interim | 100-continue expectation, the client can simply discard this interim | |||
response. | response. | |||
6.2.2. 101 Switching Protocols | 9.2.2. 101 Switching Protocols | |||
The 101 (Switching Protocols) status code indicates that the server | The 101 (Switching Protocols) status code indicates that the server | |||
understands and is willing to comply with the client's request, via | understands and is willing to comply with the client's request, via | |||
the Upgrade header field (Section 6.7 of [RFC7230]), for a change in | the Upgrade header field (Section 9.9 of [Messaging]), for a change | |||
the application protocol being used on this connection. The server | in the application protocol being used on this connection. The | |||
MUST generate an Upgrade header field in the response that indicates | server MUST generate an Upgrade header field in the response that | |||
which protocol(s) will be switched to immediately after the empty | indicates which protocol(s) will be switched to immediately after the | |||
line that terminates the 101 response. | empty line that terminates the 101 response. | |||
It is assumed that the server will only agree to switch protocols | It is assumed that the server will only agree to switch protocols | |||
when it is advantageous to do so. For example, switching to a newer | when it is advantageous to do so. For example, switching to a newer | |||
version of HTTP might be advantageous over older versions, and | version of HTTP might be advantageous over older versions, and | |||
switching to a real-time, synchronous protocol might be advantageous | switching to a real-time, synchronous protocol might be advantageous | |||
when delivering resources that use such features. | when delivering resources that use such features. | |||
6.3. Successful 2xx | 9.3. Successful 2xx | |||
The 2xx (Successful) class of status code indicates that the client's | The 2xx (Successful) class of status code indicates that the client's | |||
request was successfully received, understood, and accepted. | request was successfully received, understood, and accepted. | |||
6.3.1. 200 OK | 9.3.1. 200 OK | |||
The 200 (OK) status code indicates that the request has succeeded. | The 200 (OK) status code indicates that the request has succeeded. | |||
The payload sent in a 200 response depends on the request method. | The payload sent in a 200 response depends on the request method. | |||
For the methods defined by this specification, the intended meaning | For the methods defined by this specification, the intended meaning | |||
of the payload can be summarized as: | of the payload can be summarized as: | |||
GET a representation of the target resource; | GET a representation of the target resource; | |||
HEAD the same representation as GET, but without the representation | HEAD the same representation as GET, but without the representation | |||
data; | data; | |||
skipping to change at line 5189 ¶ | skipping to change at page 122, line 27 ¶ | |||
TRACE a representation of the request message as received by the end | TRACE a representation of the request message as received by the end | |||
server. | server. | |||
Aside from responses to CONNECT, a 200 response always has a payload, | Aside from responses to CONNECT, a 200 response always has a payload, | |||
though an origin server MAY generate a payload body of zero length. | though an origin server MAY generate a payload body of zero length. | |||
If no payload is desired, an origin server ought to send 204 (No | If no payload is desired, an origin server ought to send 204 (No | |||
Content) instead. For CONNECT, no payload is allowed because the | Content) instead. For CONNECT, no payload is allowed because the | |||
successful result is a tunnel, which begins immediately after the 200 | successful result is a tunnel, which begins immediately after the 200 | |||
response header section. | response header section. | |||
A 200 response is cacheable by default; i.e., unless otherwise | A 200 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
Section 4.2.2 of [RFC7234]). | Section 4.2.2 of [Caching]). | |||
6.3.2. 201 Created | 9.3.2. 201 Created | |||
The 201 (Created) status code indicates that the request has been | The 201 (Created) status code indicates that the request has been | |||
fulfilled and has resulted in one or more new resources being | fulfilled and has resulted in one or more new resources being | |||
created. The primary resource created by the request is identified | created. The primary resource created by the request is identified | |||
by either a Location header field in the response or, if no Location | by either a Location header field in the response or, if no Location | |||
field is received, by the effective request URI. | field is received, by the effective request URI. | |||
The 201 response payload typically describes and links to the | The 201 response payload typically describes and links to the | |||
resource(s) created. See Section 7.2 for a discussion of the meaning | resource(s) created. See Section 10.2 for a discussion of the | |||
and purpose of validator header fields, such as ETag and | meaning and purpose of validator header fields, such as ETag and | |||
Last-Modified, in a 201 response. | Last-Modified, in a 201 response. | |||
6.3.3. 202 Accepted | 9.3.3. 202 Accepted | |||
The 202 (Accepted) status code indicates that the request has been | The 202 (Accepted) status code indicates that the request has been | |||
accepted for processing, but the processing has not been completed. | accepted for processing, but the processing has not been completed. | |||
The request might or might not eventually be acted upon, as it might | The request might or might not eventually be acted upon, as it might | |||
be disallowed when processing actually takes place. There is no | be disallowed when processing actually takes place. There is no | |||
facility in HTTP for re-sending a status code from an asynchronous | facility in HTTP for re-sending a status code from an asynchronous | |||
operation. | operation. | |||
The 202 response is intentionally noncommittal. Its purpose is to | The 202 response is intentionally noncommittal. Its purpose is to | |||
allow a server to accept a request for some other process (perhaps a | allow a server to accept a request for some other process (perhaps a | |||
batch-oriented process that is only run once per day) without | batch-oriented process that is only run once per day) without | |||
requiring that the user agent's connection to the server persist | requiring that the user agent's connection to the server persist | |||
until the process is completed. The representation sent with this | until the process is completed. The representation sent with this | |||
response ought to describe the request's current status and point to | response ought to describe the request's current status and point to | |||
(or embed) a status monitor that can provide the user with an | (or embed) a status monitor that can provide the user with an | |||
estimate of when the request will be fulfilled. | estimate of when the request will be fulfilled. | |||
6.3.4. 203 Non-Authoritative Information | 9.3.4. 203 Non-Authoritative Information | |||
The 203 (Non-Authoritative Information) status code indicates that | The 203 (Non-Authoritative Information) status code indicates that | |||
the request was successful but the enclosed payload has been modified | the request was successful but the enclosed payload has been modified | |||
from that of the origin server's 200 (OK) response by a transforming | from that of the origin server's 200 (OK) response by a transforming | |||
proxy (Section 5.7.2 of [RFC7230]). This status code allows the | proxy (Section 5.7.2). This status code allows the proxy to notify | |||
proxy to notify recipients when a transformation has been applied, | recipients when a transformation has been applied, since that | |||
since that knowledge might impact later decisions regarding the | knowledge might impact later decisions regarding the content. For | |||
content. For example, future cache validation requests for the | example, future cache validation requests for the content might only | |||
content might only be applicable along the same request path (through | be applicable along the same request path (through the same proxies). | |||
the same proxies). | ||||
The 203 response is similar to the Warning code of 214 Transformation | The 203 response is similar to the Warning code of 214 Transformation | |||
Applied (Section 5.5 of [RFC7234]), which has the advantage of being | Applied (Section 5.5 of [Caching]), which has the advantage of being | |||
applicable to responses with any status code. | applicable to responses with any status code. | |||
A 203 response is cacheable by default; i.e., unless otherwise | A 203 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
Section 4.2.2 of [RFC7234]). | Section 4.2.2 of [Caching]). | |||
6.3.5. 204 No Content | 9.3.5. 204 No Content | |||
The 204 (No Content) status code indicates that the server has | The 204 (No Content) status code indicates that the server has | |||
successfully fulfilled the request and that there is no additional | successfully fulfilled the request and that there is no additional | |||
content to send in the response payload body. Metadata in the | content to send in the response payload body. Metadata in the | |||
response header fields refer to the target resource and its selected | response header fields refer to the target resource and its selected | |||
representation after the requested action was applied. | representation after the requested action was applied. | |||
For example, if a 204 status code is received in response to a PUT | For example, if a 204 status code is received in response to a PUT | |||
request and the response contains an ETag header field, then the PUT | request and the response contains an ETag field, then the PUT was | |||
was successful and the ETag field-value contains the entity-tag for | successful and the ETag field value contains the entity-tag for the | |||
the new representation of that target resource. | new representation of that target resource. | |||
The 204 response allows a server to indicate that the action has been | The 204 response allows a server to indicate that the action has been | |||
successfully applied to the target resource, while implying that the | successfully applied to the target resource, while implying that the | |||
user agent does not need to traverse away from its current "document | user agent does not need to traverse away from its current "document | |||
view" (if any). The server assumes that the user agent will provide | view" (if any). The server assumes that the user agent will provide | |||
some indication of the success to its user, in accord with its own | some indication of the success to its user, in accord with its own | |||
interface, and apply any new or updated metadata in the response to | interface, and apply any new or updated metadata in the response to | |||
its active representation. | its active representation. | |||
For example, a 204 status code is commonly used with document editing | For example, a 204 status code is commonly used with document editing | |||
interfaces corresponding to a "save" action, such that the document | interfaces corresponding to a "save" action, such that the document | |||
being saved remains available to the user for editing. It is also | being saved remains available to the user for editing. It is also | |||
frequently used with interfaces that expect automated data transfers | frequently used with interfaces that expect automated data transfers | |||
to be prevalent, such as within distributed version control systems. | to be prevalent, such as within distributed version control systems. | |||
A 204 response is terminated by the first empty line after the header | A 204 response is terminated by the first empty line after the header | |||
fields because it cannot contain a message body. | fields because it cannot contain a message body. | |||
A 204 response is cacheable by default; i.e., unless otherwise | A 204 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
Section 4.2.2 of [RFC7234]). | Section 4.2.2 of [Caching]). | |||
6.3.6. 205 Reset Content | 9.3.6. 205 Reset Content | |||
The 205 (Reset Content) status code indicates that the server has | The 205 (Reset Content) status code indicates that the server has | |||
fulfilled the request and desires that the user agent reset the | fulfilled the request and desires that the user agent reset the | |||
"document view", which caused the request to be sent, to its original | "document view", which caused the request to be sent, to its original | |||
state as received from the origin server. | state as received from the origin server. | |||
This response is intended to support a common data entry use case | This response is intended to support a common data entry use case | |||
where the user receives content that supports data entry (a form, | where the user receives content that supports data entry (a form, | |||
notepad, canvas, etc.), enters or manipulates data in that space, | notepad, canvas, etc.), enters or manipulates data in that space, | |||
causes the entered data to be submitted in a request, and then the | causes the entered data to be submitted in a request, and then the | |||
skipping to change at line 5303 ¶ | skipping to change at page 124, line 43 ¶ | |||
provided, a server MUST NOT generate a payload in a 205 response. In | provided, a server MUST NOT generate a payload in a 205 response. In | |||
other words, a server MUST do one of the following for a 205 | other words, a server MUST do one of the following for a 205 | |||
response: a) indicate a zero-length body for the response by | response: a) indicate a zero-length body for the response by | |||
including a Content-Length header field with a value of 0; b) | including a Content-Length header field with a value of 0; b) | |||
indicate a zero-length payload for the response by including a | indicate a zero-length payload for the response by including a | |||
Transfer-Encoding header field with a value of chunked and a message | Transfer-Encoding header field with a value of chunked and a message | |||
body consisting of a single chunk of zero-length; or, c) close the | body consisting of a single chunk of zero-length; or, c) close the | |||
connection immediately after sending the blank line terminating the | connection immediately after sending the blank line terminating the | |||
header section. | header section. | |||
4.1. 206 Partial Content | 9.3.7. 206 Partial Content | |||
The 206 (Partial Content) status code indicates that the server is | The 206 (Partial Content) status code indicates that the server is | |||
successfully fulfilling a range request for the target resource by | successfully fulfilling a range request for the target resource by | |||
transferring one or more parts of the selected representation that | transferring one or more parts of the selected representation. | |||
correspond to the satisfiable ranges found in the request's Range | ||||
header field (Section 3.1). | ||||
When a 206 response is generated, the server MUST generate the | When a 206 response is generated, the server MUST generate the | |||
following header fields, in addition to those required above, if the | following header fields, in addition to those required in the | |||
field would have been sent in a 200 (OK) response to the same | subsections below, if the field would have been sent in a 200 (OK) | |||
request: Date, Cache-Control, ETag, Expires, Content-Location, and | response to the same request: Date, Cache-Control, ETag, Expires, | |||
Vary. | Content-Location, and Vary. | |||
If a 206 is generated in response to a request with an If-Range | If a 206 is generated in response to a request with an If-Range | |||
header field, the sender SHOULD NOT generate other representation | header field, the sender SHOULD NOT generate other representation | |||
header fields beyond those required above, because the client is | header fields beyond those required, because the client is understood | |||
understood to already have a prior response containing those header | to already have a prior response containing those header fields. | |||
fields. Otherwise, the sender MUST generate all of the | Otherwise, the sender MUST generate all of the representation header | |||
representation header fields that would have been sent in a 200 (OK) | fields that would have been sent in a 200 (OK) response to the same | |||
response to the same request. | request. | |||
A 206 response is cacheable by default; i.e., unless otherwise | A 206 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by explicit cache controls (see Section 4.2.2 of | indicated by explicit cache controls (see Section 4.2.2 of | |||
[RFC7234]). | [Caching]). | |||
9.3.7.1. Single Part | ||||
If a single part is being transferred, the server generating the 206 | If a single part is being transferred, the server generating the 206 | |||
response MUST generate a Content-Range header field, describing what | response MUST generate a Content-Range header field, describing what | |||
range of the selected representation is enclosed, and a payload | range of the selected representation is enclosed, and a payload | |||
consisting of the range. For example: | consisting of the range. For example: | |||
HTTP/1.1 206 Partial Content | HTTP/1.1 206 Partial Content | |||
Date: Wed, 15 Nov 1995 06:25:24 GMT | Date: Wed, 15 Nov 1995 06:25:24 GMT | |||
Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT | Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT | |||
Content-Range: bytes 21010-47021/47022 | Content-Range: bytes 21010-47021/47022 | |||
Content-Length: 26012 | Content-Length: 26012 | |||
Content-Type: image/gif | Content-Type: image/gif | |||
... 26012 bytes of partial image data ... | ... 26012 bytes of partial image data ... | |||
9.3.7.2. Multiple Parts | ||||
If multiple parts are being transferred, the server generating the | If multiple parts are being transferred, the server generating the | |||
206 response MUST generate a "multipart/byteranges" payload, as | 206 response MUST generate a "multipart/byteranges" payload, as | |||
defined in Appendix A, and a Content-Type header field containing the | defined in Section 6.3.5, and a Content-Type header field containing | |||
multipart/byteranges media type and its required boundary parameter. | the multipart/byteranges media type and its required boundary | |||
To avoid confusion with single-part responses, a server MUST NOT | parameter. To avoid confusion with single-part responses, a server | |||
generate a Content-Range header field in the HTTP header section of a | MUST NOT generate a Content-Range header field in the HTTP header | |||
multiple part response (this field will be sent in each part | section of a multiple part response (this field will be sent in each | |||
instead). | part instead). | |||
Within the header area of each body part in the multipart payload, | Within the header area of each body part in the multipart payload, | |||
the server MUST generate a Content-Range header field corresponding | the server MUST generate a Content-Range header field corresponding | |||
to the range being enclosed in that body part. If the selected | to the range being enclosed in that body part. If the selected | |||
representation would have had a Content-Type header field in a 200 | representation would have had a Content-Type header field in a 200 | |||
(OK) response, the server SHOULD generate that same Content-Type | (OK) response, the server SHOULD generate that same Content-Type | |||
field in the header area of each body part. For example: | field in the header area of each body part. For example: | |||
HTTP/1.1 206 Partial Content | HTTP/1.1 206 Partial Content | |||
Date: Wed, 15 Nov 1995 06:25:24 GMT | Date: Wed, 15 Nov 1995 06:25:24 GMT | |||
skipping to change at line 5380 ¶ | skipping to change at page 126, line 26 ¶ | |||
--THIS_STRING_SEPARATES | --THIS_STRING_SEPARATES | |||
Content-Type: application/pdf | Content-Type: application/pdf | |||
Content-Range: bytes 7000-7999/8000 | Content-Range: bytes 7000-7999/8000 | |||
...the second range | ...the second range | |||
--THIS_STRING_SEPARATES-- | --THIS_STRING_SEPARATES-- | |||
When multiple ranges are requested, a server MAY coalesce any of the | When multiple ranges are requested, a server MAY coalesce any of the | |||
ranges that overlap, or that are separated by a gap that is smaller | ranges that overlap, or that are separated by a gap that is smaller | |||
than the overhead of sending multiple parts, regardless of the order | than the overhead of sending multiple parts, regardless of the order | |||
in which the corresponding byte-range-spec appeared in the received | in which the corresponding range-spec appeared in the received Range | |||
Range header field. Since the typical overhead between parts of a | header field. Since the typical overhead between parts of a | |||
multipart/byteranges payload is around 80 bytes, depending on the | multipart/byteranges payload is around 80 bytes, depending on the | |||
selected representation's media type and the chosen boundary | selected representation's media type and the chosen boundary | |||
parameter length, it can be less efficient to transfer many small | parameter length, it can be less efficient to transfer many small | |||
disjoint parts than it is to transfer the entire selected | disjoint parts than it is to transfer the entire selected | |||
representation. | representation. | |||
A server MUST NOT generate a multipart response to a request for a | A server MUST NOT generate a multipart response to a request for a | |||
single range, since a client that does not request multiple parts | single range, since a client that does not request multiple parts | |||
might not support multipart responses. However, a server MAY | might not support multipart responses. However, a server MAY | |||
generate a multipart/byteranges payload with only a single body part | generate a multipart/byteranges payload with only a single body part | |||
if multiple ranges were requested and only one range was found to be | if multiple ranges were requested and only one range was found to be | |||
satisfiable or only one range remained after coalescing. A client | satisfiable or only one range remained after coalescing. A client | |||
that cannot process a multipart/byteranges response MUST NOT generate | that cannot process a multipart/byteranges response MUST NOT generate | |||
a request that asks for multiple ranges. | a request that asks for multiple ranges. | |||
When a multipart response payload is generated, the server SHOULD | When a multipart response payload is generated, the server SHOULD | |||
send the parts in the same order that the corresponding | send the parts in the same order that the corresponding range-spec | |||
byte-range-spec appeared in the received Range header field, | appeared in the received Range header field, excluding those ranges | |||
excluding those ranges that were deemed unsatisfiable or that were | that were deemed unsatisfiable or that were coalesced into other | |||
coalesced into other ranges. A client that receives a multipart | ranges. A client that receives a multipart response MUST inspect the | |||
response MUST inspect the Content-Range header field present in each | Content-Range header field present in each body part in order to | |||
body part in order to determine which range is contained in that body | determine which range is contained in that body part; a client cannot | |||
part; a client cannot rely on receiving the same ranges that it | rely on receiving the same ranges that it requested, nor the same | |||
requested, nor the same order that it requested. | order that it requested. | |||
4.3. Combining Ranges | 9.3.7.3. Combining Parts | |||
A response might transfer only a subrange of a representation if the | A response might transfer only a subrange of a representation if the | |||
connection closed prematurely or if the request used one or more | connection closed prematurely or if the request used one or more | |||
Range specifications. After several such transfers, a client might | Range specifications. After several such transfers, a client might | |||
have received several ranges of the same representation. These | have received several ranges of the same representation. These | |||
ranges can only be safely combined if they all have in common the | ranges can only be safely combined if they all have in common the | |||
same strong validator (Section 2.1 of [RFC7232]). | same strong validator (Section 10.2.1). | |||
A client that has received multiple partial responses to GET requests | A client that has received multiple partial responses to GET requests | |||
on a target resource MAY combine those responses into a larger | on a target resource MAY combine those responses into a larger | |||
continuous range if they share the same strong validator. | continuous range if they share the same strong validator. | |||
If the most recent response is an incomplete 200 (OK) response, then | If the most recent response is an incomplete 200 (OK) response, then | |||
the header fields of that response are used for any combined response | the header fields of that response are used for any combined response | |||
and replace those of the matching stored responses. | and replace those of the matching stored responses. | |||
If the most recent response is a 206 (Partial Content) response and | If the most recent response is a 206 (Partial Content) response and | |||
skipping to change at line 5448 ¶ | skipping to change at page 127, line 46 ¶ | |||
representation, then the client MUST process the combined response as | representation, then the client MUST process the combined response as | |||
if it were a complete 200 (OK) response, including a Content-Length | if it were a complete 200 (OK) response, including a Content-Length | |||
header field that reflects the complete length. Otherwise, the | header field that reflects the complete length. Otherwise, the | |||
client MUST process the set of continuous ranges as one of the | client MUST process the set of continuous ranges as one of the | |||
following: an incomplete 200 (OK) response if the combined response | following: an incomplete 200 (OK) response if the combined response | |||
is a prefix of the representation, a single 206 (Partial Content) | is a prefix of the representation, a single 206 (Partial Content) | |||
response containing a multipart/byteranges body, or multiple 206 | response containing a multipart/byteranges body, or multiple 206 | |||
(Partial Content) responses, each with one continuous range that is | (Partial Content) responses, each with one continuous range that is | |||
indicated by a Content-Range header field. | indicated by a Content-Range header field. | |||
6.4. Redirection 3xx | 9.4. Redirection 3xx | |||
The 3xx (Redirection) class of status code indicates that further | The 3xx (Redirection) class of status code indicates that further | |||
action needs to be taken by the user agent in order to fulfill the | action needs to be taken by the user agent in order to fulfill the | |||
request. If a Location header field (Section 7.1.2) is provided, the | request. If a Location header field (Section 10.1.2) is provided, | |||
user agent MAY automatically redirect its request to the URI | the user agent MAY automatically redirect its request to the URI | |||
referenced by the Location field value, even if the specific status | referenced by the Location field value, even if the specific status | |||
code is not understood. Automatic redirection needs to done with | code is not understood. Automatic redirection needs to be done with | |||
care for methods not known to be safe, as defined in Section 4.2.1, | care for methods not known to be safe, as defined in Section 7.2.1, | |||
since the user might not wish to redirect an unsafe request. | since the user might not wish to redirect an unsafe request. | |||
There are several types of redirects: | There are several types of redirects: | |||
1. Redirects that indicate the resource might be available at a | 1. Redirects that indicate the resource might be available at a | |||
different URI, as provided by the Location field, as in the | different URI, as provided by the Location field, as in the | |||
status codes 301 (Moved Permanently), 302 (Found), and 307 | status codes 301 (Moved Permanently), 302 (Found), 307 (Temporary | |||
(Temporary Redirect). | Redirect), and 308 (Permanent Redirect). | |||
2. Redirection that offers a choice of matching resources, each | 2. Redirection that offers a choice of matching resources, each | |||
capable of representing the original request target, as in the | capable of representing the original request target, as in the | |||
300 (Multiple Choices) status code. | 300 (Multiple Choices) status code. | |||
3. Redirection to a different resource, identified by the Location | 3. Redirection to a different resource, identified by the Location | |||
field, that can represent an indirect response to the request, as | field, that can represent an indirect response to the request, as | |||
in the 303 (See Other) status code. | in the 303 (See Other) status code. | |||
4. Redirection to a previously cached result, as in the 304 (Not | 4. Redirection to a previously cached result, as in the 304 (Not | |||
skipping to change at line 5487 ¶ | skipping to change at page 128, line 36 ¶ | |||
Note: In HTTP/1.0, the status codes 301 (Moved Permanently) and | Note: In HTTP/1.0, the status codes 301 (Moved Permanently) and | |||
302 (Found) were defined for the first type of redirect | 302 (Found) were defined for the first type of redirect | |||
([RFC1945], Section 9.3). Early user agents split on whether the | ([RFC1945], Section 9.3). Early user agents split on whether the | |||
method applied to the redirect target would be the same as the | method applied to the redirect target would be the same as the | |||
original request or would be rewritten as GET. Although HTTP | original request or would be rewritten as GET. Although HTTP | |||
originally defined the former semantics for 301 and 302 (to match | originally defined the former semantics for 301 and 302 (to match | |||
its original implementation at CERN), and defined 303 (See Other) | its original implementation at CERN), and defined 303 (See Other) | |||
to match the latter semantics, prevailing practice gradually | to match the latter semantics, prevailing practice gradually | |||
converged on the latter semantics for 301 and 302 as well. The | converged on the latter semantics for 301 and 302 as well. The | |||
first revision of HTTP/1.1 added 307 (Temporary Redirect) to | first revision of HTTP/1.1 added 307 (Temporary Redirect) to | |||
indicate the former semantics without being impacted by divergent | indicate the former semantics of 302 without being impacted by | |||
practice. Over 10 years later, most user agents still do method | divergent practice. For the same reason, 308 (Permanent Redirect) | |||
rewriting for 301 and 302; therefore, this specification makes | was later on added in [RFC7538] to match 301. Over 10 years | |||
that behavior conformant when the original request is POST. | later, most user agents still do method rewriting for 301 and 302; | |||
therefore, [RFC7231] made that behavior conformant when the | ||||
original request is POST. | ||||
A client SHOULD detect and intervene in cyclical redirections (i.e., | A client SHOULD detect and intervene in cyclical redirections (i.e., | |||
"infinite" redirection loops). | "infinite" redirection loops). | |||
Note: An earlier version of this specification recommended a | Note: An earlier version of this specification recommended a | |||
maximum of five redirections ([RFC2068], Section 10.3). Content | maximum of five redirections ([RFC2068], Section 10.3). Content | |||
developers need to be aware that some clients might implement such | developers need to be aware that some clients might implement such | |||
a fixed limitation. | a fixed limitation. | |||
6.4.1. 300 Multiple Choices | 9.4.1. 300 Multiple Choices | |||
The 300 (Multiple Choices) status code indicates that the target | The 300 (Multiple Choices) status code indicates that the target | |||
resource has more than one representation, each with its own more | resource has more than one representation, each with its own more | |||
specific identifier, and information about the alternatives is being | specific identifier, and information about the alternatives is being | |||
provided so that the user (or user agent) can select a preferred | provided so that the user (or user agent) can select a preferred | |||
representation by redirecting its request to one or more of those | representation by redirecting its request to one or more of those | |||
identifiers. In other words, the server desires that the user agent | identifiers. In other words, the server desires that the user agent | |||
engage in reactive negotiation to select the most appropriate | engage in reactive negotiation to select the most appropriate | |||
representation(s) for its needs (Section 3.4). | representation(s) for its needs (Section 6.4). | |||
If the server has a preferred choice, the server SHOULD generate a | If the server has a preferred choice, the server SHOULD generate a | |||
Location header field containing a preferred choice's URI reference. | Location header field containing a preferred choice's URI reference. | |||
The user agent MAY use the Location field value for automatic | The user agent MAY use the Location field value for automatic | |||
redirection. | redirection. | |||
For request methods other than HEAD, the server SHOULD generate a | For request methods other than HEAD, the server SHOULD generate a | |||
payload in the 300 response containing a list of representation | payload in the 300 response containing a list of representation | |||
metadata and URI reference(s) from which the user or user agent can | metadata and URI reference(s) from which the user or user agent can | |||
choose the one most preferred. The user agent MAY make a selection | choose the one most preferred. The user agent MAY make a selection | |||
from that list automatically if it understands the provided media | from that list automatically if it understands the provided media | |||
type. A specific format for automatic selection is not defined by | type. A specific format for automatic selection is not defined by | |||
this specification because HTTP tries to remain orthogonal to the | this specification because HTTP tries to remain orthogonal to the | |||
definition of its payloads. In practice, the representation is | definition of its payloads. In practice, the representation is | |||
provided in some easily parsed format believed to be acceptable to | provided in some easily parsed format believed to be acceptable to | |||
the user agent, as determined by shared design or content | the user agent, as determined by shared design or content | |||
negotiation, or in some commonly accepted hypertext format. | negotiation, or in some commonly accepted hypertext format. | |||
A 300 response is cacheable by default; i.e., unless otherwise | A 300 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
Section 4.2.2 of [RFC7234]). | Section 4.2.2 of [Caching]). | |||
Note: The original proposal for the 300 status code defined the | Note: The original proposal for the 300 status code defined the | |||
URI header field as providing a list of alternative | URI header field as providing a list of alternative | |||
representations, such that it would be usable for 200, 300, and | representations, such that it would be usable for 200, 300, and | |||
406 responses and be transferred in responses to the HEAD method. | 406 responses and be transferred in responses to the HEAD method. | |||
However, lack of deployment and disagreement over syntax led to | However, lack of deployment and disagreement over syntax led to | |||
both URI and Alternates (a subsequent proposal) being dropped from | both URI and Alternates (a subsequent proposal) being dropped from | |||
this specification. It is possible to communicate the list using | this specification. It is possible to communicate the list as a | |||
a set of Link header fields [RFC5988], each with a relationship of | Link header field value [RFC8288] whose members have a | |||
"alternate", though deployment is a chicken-and-egg problem. | relationship of "alternate", though deployment is a chicken-and- | |||
egg problem. | ||||
6.4.2. 301 Moved Permanently | 9.4.2. 301 Moved Permanently | |||
The 301 (Moved Permanently) status code indicates that the target | The 301 (Moved Permanently) status code indicates that the target | |||
resource has been assigned a new permanent URI and any future | resource has been assigned a new permanent URI and any future | |||
references to this resource ought to use one of the enclosed URIs. | references to this resource ought to use one of the enclosed URIs. | |||
Clients with link-editing capabilities ought to automatically re-link | Clients with link-editing capabilities ought to automatically re-link | |||
references to the effective request URI to one or more of the new | references to the effective request URI to one or more of the new | |||
references sent by the server, where possible. | references sent by the server, where possible. | |||
The server SHOULD generate a Location header field in the response | The server SHOULD generate a Location header field in the response | |||
containing a preferred URI reference for the new permanent URI. The | containing a preferred URI reference for the new permanent URI. The | |||
user agent MAY use the Location field value for automatic | user agent MAY use the Location field value for automatic | |||
redirection. The server's response payload usually contains a short | redirection. The server's response payload usually contains a short | |||
hypertext note with a hyperlink to the new URI(s). | hypertext note with a hyperlink to the new URI(s). | |||
Note: For historical reasons, a user agent MAY change the request | Note: For historical reasons, a user agent MAY change the request | |||
method from POST to GET for the subsequent request. If this | method from POST to GET for the subsequent request. If this | |||
behavior is undesired, the 307 (Temporary Redirect) status code | behavior is undesired, the 308 (Permanent Redirect) status code | |||
can be used instead. | can be used instead. | |||
A 301 response is cacheable by default; i.e., unless otherwise | A 301 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
Section 4.2.2 of [RFC7234]). | Section 4.2.2 of [Caching]). | |||
6.4.3. 302 Found | 9.4.3. 302 Found | |||
The 302 (Found) status code indicates that the target resource | The 302 (Found) status code indicates that the target resource | |||
resides temporarily under a different URI. Since the redirection | resides temporarily under a different URI. Since the redirection | |||
might be altered on occasion, the client ought to continue to use the | might be altered on occasion, the client ought to continue to use the | |||
effective request URI for future requests. | effective request URI for future requests. | |||
The server SHOULD generate a Location header field in the response | The server SHOULD generate a Location header field in the response | |||
containing a URI reference for the different URI. The user agent MAY | containing a URI reference for the different URI. The user agent MAY | |||
use the Location field value for automatic redirection. The server's | use the Location field value for automatic redirection. The server's | |||
response payload usually contains a short hypertext note with a | response payload usually contains a short hypertext note with a | |||
hyperlink to the different URI(s). | hyperlink to the different URI(s). | |||
Note: For historical reasons, a user agent MAY change the request | Note: For historical reasons, a user agent MAY change the request | |||
method from POST to GET for the subsequent request. If this | method from POST to GET for the subsequent request. If this | |||
behavior is undesired, the 307 (Temporary Redirect) status code | behavior is undesired, the 307 (Temporary Redirect) status code | |||
can be used instead. | can be used instead. | |||
6.4.4. 303 See Other | 9.4.4. 303 See Other | |||
The 303 (See Other) status code indicates that the server is | The 303 (See Other) status code indicates that the server is | |||
redirecting the user agent to a different resource, as indicated by a | redirecting the user agent to a different resource, as indicated by a | |||
URI in the Location header field, which is intended to provide an | URI in the Location header field, which is intended to provide an | |||
indirect response to the original request. A user agent can perform | indirect response to the original request. A user agent can perform | |||
a retrieval request targeting that URI (a GET or HEAD request if | a retrieval request targeting that URI (a GET or HEAD request if | |||
using HTTP), which might also be redirected, and present the eventual | using HTTP), which might also be redirected, and present the eventual | |||
result as an answer to the original request. Note that the new URI | result as an answer to the original request. Note that the new URI | |||
in the Location header field is not considered equivalent to the | in the Location header field is not considered equivalent to the | |||
effective request URI. | effective request URI. | |||
skipping to change at line 5618 ¶ | skipping to change at page 131, line 39 ¶ | |||
might result in a representation that is useful to recipients without | might result in a representation that is useful to recipients without | |||
implying that it represents the original target resource. Note that | implying that it represents the original target resource. Note that | |||
answers to the questions of what can be represented, what | answers to the questions of what can be represented, what | |||
representations are adequate, and what might be a useful description | representations are adequate, and what might be a useful description | |||
are outside the scope of HTTP. | are outside the scope of HTTP. | |||
Except for responses to a HEAD request, the representation of a 303 | Except for responses to a HEAD request, the representation of a 303 | |||
response ought to contain a short hypertext note with a hyperlink to | response ought to contain a short hypertext note with a hyperlink to | |||
the same URI reference provided in the Location header field. | the same URI reference provided in the Location header field. | |||
4.1. 304 Not Modified | 9.4.5. 304 Not Modified | |||
The 304 (Not Modified) status code indicates that a conditional GET | The 304 (Not Modified) status code indicates that a conditional GET | |||
or HEAD request has been received and would have resulted in a 200 | or HEAD request has been received and would have resulted in a 200 | |||
(OK) response if it were not for the fact that the condition | (OK) response if it were not for the fact that the condition | |||
evaluated to false. In other words, there is no need for the server | evaluated to false. In other words, there is no need for the server | |||
to transfer a representation of the target resource because the | to transfer a representation of the target resource because the | |||
request indicates that the client, which made the request | request indicates that the client, which made the request | |||
conditional, already has a valid representation; the server is | conditional, already has a valid representation; the server is | |||
therefore redirecting the client to make use of that stored | therefore redirecting the client to make use of that stored | |||
representation as if it were the payload of a 200 (OK) response. | representation as if it were the payload of a 200 (OK) response. | |||
skipping to change at line 5643 ¶ | skipping to change at page 132, line 15 ¶ | |||
ETag, Expires, and Vary. | ETag, Expires, and Vary. | |||
Since the goal of a 304 response is to minimize information transfer | Since the goal of a 304 response is to minimize information transfer | |||
when the recipient already has one or more cached representations, a | when the recipient already has one or more cached representations, a | |||
sender SHOULD NOT generate representation metadata other than the | sender SHOULD NOT generate representation metadata other than the | |||
above listed fields unless said metadata exists for the purpose of | above listed fields unless said metadata exists for the purpose of | |||
guiding cache updates (e.g., Last-Modified might be useful if the | guiding cache updates (e.g., Last-Modified might be useful if the | |||
response does not have an ETag field). | response does not have an ETag field). | |||
Requirements on a cache that receives a 304 response are defined in | Requirements on a cache that receives a 304 response are defined in | |||
Section 4.3.4 of [RFC7234]. If the conditional request originated | Section 4.3.4 of [Caching]. If the conditional request originated | |||
with an outbound client, such as a user agent with its own cache | with an outbound client, such as a user agent with its own cache | |||
sending a conditional GET to a shared proxy, then the proxy SHOULD | sending a conditional GET to a shared proxy, then the proxy SHOULD | |||
forward the 304 response to that client. | forward the 304 response to that client. | |||
A 304 response cannot contain a message-body; it is always terminated | A 304 response cannot contain a message-body; it is always terminated | |||
by the first empty line after the header fields. | by the first empty line after the header fields. | |||
6.4.5. 305 Use Proxy | 9.4.6. 305 Use Proxy | |||
The 305 (Use Proxy) status code was defined in a previous version of | The 305 (Use Proxy) status code was defined in a previous version of | |||
this specification and is now deprecated (Appendix B). | this specification and is now deprecated (Appendix B of [RFC7231]). | |||
6.4.6. 306 (Unused) | 9.4.7. 306 (Unused) | |||
The 306 status code was defined in a previous version of this | The 306 status code was defined in a previous version of this | |||
specification, is no longer used, and the code is reserved. | specification, is no longer used, and the code is reserved. | |||
6.4.7. 307 Temporary Redirect | 9.4.8. 307 Temporary Redirect | |||
The 307 (Temporary Redirect) status code indicates that the target | The 307 (Temporary Redirect) status code indicates that the target | |||
resource resides temporarily under a different URI and the user agent | resource resides temporarily under a different URI and the user agent | |||
MUST NOT change the request method if it performs an automatic | MUST NOT change the request method if it performs an automatic | |||
redirection to that URI. Since the redirection can change over time, | redirection to that URI. Since the redirection can change over time, | |||
the client ought to continue using the original effective request URI | the client ought to continue using the original effective request URI | |||
for future requests. | for future requests. | |||
The server SHOULD generate a Location header field in the response | The server SHOULD generate a Location header field in the response | |||
containing a URI reference for the different URI. The user agent MAY | containing a URI reference for the different URI. The user agent MAY | |||
use the Location field value for automatic redirection. The server's | use the Location field value for automatic redirection. The server's | |||
response payload usually contains a short hypertext note with a | response payload usually contains a short hypertext note with a | |||
hyperlink to the different URI(s). | hyperlink to the different URI(s). | |||
Note: This status code is similar to 302 (Found), except that it | ||||
does not allow changing the request method from POST to GET. This | ||||
specification defines no equivalent counterpart for 301 (Moved | ||||
Permanently) ([RFC7238], however, defines the status code 308 | ||||
(Permanent Redirect) for this purpose). | ||||
9.4.9. 308 Permanent Redirect | 9.4.9. 308 Permanent Redirect | |||
The 308 (Permanent Redirect) status code indicates that the target | The 308 (Permanent Redirect) status code indicates that the target | |||
resource has been assigned a new permanent URI and any future | resource has been assigned a new permanent URI and any future | |||
references to this resource ought to use one of the enclosed URIs. | references to this resource ought to use one of the enclosed URIs. | |||
Clients with link editing capabilities ought to automatically re-link | Clients with link editing capabilities ought to automatically re-link | |||
references to the effective request URI (Section 5.5 of [RFC7230]) to | references to the effective request URI to one or more of the new | |||
one or more of the new references sent by the server, where possible. | references sent by the server, where possible. | |||
The server SHOULD generate a Location header field ([RFC7231], | The server SHOULD generate a Location header field in the response | |||
Section 7.1.2) in the response containing a preferred URI reference | containing a preferred URI reference for the new permanent URI. The | |||
for the new permanent URI. The user agent MAY use the Location field | user agent MAY use the Location field value for automatic | |||
value for automatic redirection. The server's response payload | redirection. The server's response payload usually contains a short | |||
usually contains a short hypertext note with a hyperlink to the new | hypertext note with a hyperlink to the new URI(s). | |||
URI(s). | ||||
A 308 response is cacheable by default; i.e., unless otherwise | A 308 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
[RFC7234], Section 4.2.2). | Section 4.2.2 of [Caching]). | |||
Note: This status code is similar to 301 (Moved Permanently) | Note: This status code is much younger (June 2014) than its | |||
([RFC7231], Section 6.4.2), except that it does not allow changing | sibling codes, and thus might not be recognized everywhere. See | |||
the request method from POST to GET. | Section 4 of [RFC7538] for deployment considerations. | |||
9.5. Client Error 4xx | 9.5. Client Error 4xx | |||
The 4xx (Client Error) class of status code indicates that the client | The 4xx (Client Error) class of status code indicates that the client | |||
seems to have erred. Except when responding to a HEAD request, the | seems to have erred. Except when responding to a HEAD request, the | |||
server SHOULD send a representation containing an explanation of the | server SHOULD send a representation containing an explanation of the | |||
error situation, and whether it is a temporary or permanent | error situation, and whether it is a temporary or permanent | |||
condition. These status codes are applicable to any request method. | condition. These status codes are applicable to any request method. | |||
User agents SHOULD display any included representation to the user. | User agents SHOULD display any included representation to the user. | |||
6.5.1. 400 Bad Request | 9.5.1. 400 Bad Request | |||
The 400 (Bad Request) status code indicates that the server cannot or | The 400 (Bad Request) status code indicates that the server cannot or | |||
will not process the request due to something that is perceived to be | will not process the request due to something that is perceived to be | |||
a client error (e.g., malformed request syntax, invalid request | a client error (e.g., malformed request syntax, invalid request | |||
message framing, or deceptive request routing). | message framing, or deceptive request routing). | |||
3.1. 401 Unauthorized | 9.5.2. 401 Unauthorized | |||
The 401 (Unauthorized) status code indicates that the request has not | The 401 (Unauthorized) status code indicates that the request has not | |||
been applied because it lacks valid authentication credentials for | been applied because it lacks valid authentication credentials for | |||
the target resource. The server generating a 401 response MUST send | the target resource. The server generating a 401 response MUST send | |||
a WWW-Authenticate header field (Section 4.1) containing at least one | a WWW-Authenticate header field (Section 10.3.1) containing at least | |||
challenge applicable to the target resource. | one challenge applicable to the target resource. | |||
If the request included authentication credentials, then the 401 | If the request included authentication credentials, then the 401 | |||
response indicates that authorization has been refused for those | response indicates that authorization has been refused for those | |||
credentials. The user agent MAY repeat the request with a new or | credentials. The user agent MAY repeat the request with a new or | |||
replaced Authorization header field (Section 4.2). If the 401 | replaced Authorization header field (Section 8.5.3). If the 401 | |||
response contains the same challenge as the prior response, and the | response contains the same challenge as the prior response, and the | |||
user agent has already attempted authentication at least once, then | user agent has already attempted authentication at least once, then | |||
the user agent SHOULD present the enclosed representation to the | the user agent SHOULD present the enclosed representation to the | |||
user, since it usually contains relevant diagnostic information. | user, since it usually contains relevant diagnostic information. | |||
6.5.2. 402 Payment Required | 9.5.3. 402 Payment Required | |||
The 402 (Payment Required) status code is reserved for future use. | The 402 (Payment Required) status code is reserved for future use. | |||
6.5.3. 403 Forbidden | 9.5.4. 403 Forbidden | |||
The 403 (Forbidden) status code indicates that the server understood | The 403 (Forbidden) status code indicates that the server understood | |||
the request but refuses to authorize it. A server that wishes to | the request but refuses to fulfill it. A server that wishes to make | |||
make public why the request has been forbidden can describe that | public why the request has been forbidden can describe that reason in | |||
reason in the response payload (if any). | the response payload (if any). | |||
If authentication credentials were provided in the request, the | If authentication credentials were provided in the request, the | |||
server considers them insufficient to grant access. The client | server considers them insufficient to grant access. The client | |||
SHOULD NOT automatically repeat the request with the same | SHOULD NOT automatically repeat the request with the same | |||
credentials. The client MAY repeat the request with new or different | credentials. The client MAY repeat the request with new or different | |||
credentials. However, a request might be forbidden for reasons | credentials. However, a request might be forbidden for reasons | |||
unrelated to the credentials. | unrelated to the credentials. | |||
An origin server that wishes to "hide" the current existence of a | An origin server that wishes to "hide" the current existence of a | |||
forbidden target resource MAY instead respond with a status code of | forbidden target resource MAY instead respond with a status code of | |||
404 (Not Found). | 404 (Not Found). | |||
6.5.4. 404 Not Found | 9.5.5. 404 Not Found | |||
The 404 (Not Found) status code indicates that the origin server did | The 404 (Not Found) status code indicates that the origin server did | |||
not find a current representation for the target resource or is not | not find a current representation for the target resource or is not | |||
willing to disclose that one exists. A 404 status code does not | willing to disclose that one exists. A 404 status code does not | |||
indicate whether this lack of representation is temporary or | indicate whether this lack of representation is temporary or | |||
permanent; the 410 (Gone) status code is preferred over 404 if the | permanent; the 410 (Gone) status code is preferred over 404 if the | |||
origin server knows, presumably through some configurable means, that | origin server knows, presumably through some configurable means, that | |||
the condition is likely to be permanent. | the condition is likely to be permanent. | |||
A 404 response is cacheable by default; i.e., unless otherwise | A 404 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
Section 4.2.2 of [RFC7234]). | Section 4.2.2 of [Caching]). | |||
6.5.5. 405 Method Not Allowed | 9.5.6. 405 Method Not Allowed | |||
The 405 (Method Not Allowed) status code indicates that the method | The 405 (Method Not Allowed) status code indicates that the method | |||
received in the request-line is known by the origin server but not | received in the request-line is known by the origin server but not | |||
supported by the target resource. The origin server MUST generate an | supported by the target resource. The origin server MUST generate an | |||
Allow header field in a 405 response containing a list of the target | Allow header field in a 405 response containing a list of the target | |||
resource's currently supported methods. | resource's currently supported methods. | |||
A 405 response is cacheable by default; i.e., unless otherwise | A 405 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
Section 4.2.2 of [RFC7234]). | Section 4.2.2 of [Caching]). | |||
6.5.6. 406 Not Acceptable | 9.5.7. 406 Not Acceptable | |||
The 406 (Not Acceptable) status code indicates that the target | The 406 (Not Acceptable) status code indicates that the target | |||
resource does not have a current representation that would be | resource does not have a current representation that would be | |||
acceptable to the user agent, according to the proactive negotiation | acceptable to the user agent, according to the proactive negotiation | |||
header fields received in the request (Section 5.3), and the server | header fields received in the request (Section 8.4), and the server | |||
is unwilling to supply a default representation. | is unwilling to supply a default representation. | |||
The server SHOULD generate a payload containing a list of available | The server SHOULD generate a payload containing a list of available | |||
representation characteristics and corresponding resource identifiers | representation characteristics and corresponding resource identifiers | |||
from which the user or user agent can choose the one most | from which the user or user agent can choose the one most | |||
appropriate. A user agent MAY automatically select the most | appropriate. A user agent MAY automatically select the most | |||
appropriate choice from that list. However, this specification does | appropriate choice from that list. However, this specification does | |||
not define any standard for such automatic selection, as described in | not define any standard for such automatic selection, as described in | |||
Section 6.4.1. | Section 9.4.1. | |||
3.2. 407 Proxy Authentication Required | 9.5.8. 407 Proxy Authentication Required | |||
The 407 (Proxy Authentication Required) status code is similar to 401 | The 407 (Proxy Authentication Required) status code is similar to 401 | |||
(Unauthorized), but it indicates that the client needs to | (Unauthorized), but it indicates that the client needs to | |||
authenticate itself in order to use a proxy. The proxy MUST send a | authenticate itself in order to use a proxy. The proxy MUST send a | |||
Proxy-Authenticate header field (Section 4.3) containing a challenge | Proxy-Authenticate header field (Section 10.3.2) containing a | |||
applicable to that proxy for the target resource. The client MAY | challenge applicable to that proxy for the target resource. The | |||
repeat the request with a new or replaced Proxy-Authorization header | client MAY repeat the request with a new or replaced Proxy- | |||
field (Section 4.4). | Authorization header field (Section 8.5.4). | |||
6.5.7. 408 Request Timeout | 9.5.9. 408 Request Timeout | |||
The 408 (Request Timeout) status code indicates that the server did | The 408 (Request Timeout) status code indicates that the server did | |||
not receive a complete request message within the time that it was | not receive a complete request message within the time that it was | |||
prepared to wait. A server SHOULD send the "close" connection option | prepared to wait. A server SHOULD send the "close" connection option | |||
(Section 6.1 of [RFC7230]) in the response, since 408 implies that | (Section 9.1 of [Messaging]) in the response, since 408 implies that | |||
the server has decided to close the connection rather than continue | the server has decided to close the connection rather than continue | |||
waiting. If the client has an outstanding request in transit, the | waiting. If the client has an outstanding request in transit, the | |||
client MAY repeat that request on a new connection. | client MAY repeat that request on a new connection. | |||
6.5.8. 409 Conflict | 9.5.10. 409 Conflict | |||
The 409 (Conflict) status code indicates that the request could not | The 409 (Conflict) status code indicates that the request could not | |||
be completed due to a conflict with the current state of the target | be completed due to a conflict with the current state of the target | |||
resource. This code is used in situations where the user might be | resource. This code is used in situations where the user might be | |||
able to resolve the conflict and resubmit the request. The server | able to resolve the conflict and resubmit the request. The server | |||
SHOULD generate a payload that includes enough information for a user | SHOULD generate a payload that includes enough information for a user | |||
to recognize the source of the conflict. | to recognize the source of the conflict. | |||
Conflicts are most likely to occur in response to a PUT request. For | Conflicts are most likely to occur in response to a PUT request. For | |||
example, if versioning were being used and the representation being | example, if versioning were being used and the representation being | |||
PUT included changes to a resource that conflict with those made by | PUT included changes to a resource that conflict with those made by | |||
an earlier (third-party) request, the origin server might use a 409 | an earlier (third-party) request, the origin server might use a 409 | |||
response to indicate that it can't complete the request. In this | response to indicate that it can't complete the request. In this | |||
case, the response representation would likely contain information | case, the response representation would likely contain information | |||
useful for merging the differences based on the revision history. | useful for merging the differences based on the revision history. | |||
6.5.9. 410 Gone | 9.5.11. 410 Gone | |||
The 410 (Gone) status code indicates that access to the target | The 410 (Gone) status code indicates that access to the target | |||
resource is no longer available at the origin server and that this | resource is no longer available at the origin server and that this | |||
condition is likely to be permanent. If the origin server does not | condition is likely to be permanent. If the origin server does not | |||
know, or has no facility to determine, whether or not the condition | know, or has no facility to determine, whether or not the condition | |||
is permanent, the status code 404 (Not Found) ought to be used | is permanent, the status code 404 (Not Found) ought to be used | |||
instead. | instead. | |||
The 410 response is primarily intended to assist the task of web | The 410 response is primarily intended to assist the task of web | |||
maintenance by notifying the recipient that the resource is | maintenance by notifying the recipient that the resource is | |||
intentionally unavailable and that the server owners desire that | intentionally unavailable and that the server owners desire that | |||
remote links to that resource be removed. Such an event is common | remote links to that resource be removed. Such an event is common | |||
for limited-time, promotional services and for resources belonging to | for limited-time, promotional services and for resources belonging to | |||
individuals no longer associated with the origin server's site. It | individuals no longer associated with the origin server's site. It | |||
is not necessary to mark all permanently unavailable resources as | is not necessary to mark all permanently unavailable resources as | |||
"gone" or to keep the mark for any length of time -- that is left to | "gone" or to keep the mark for any length of time -- that is left to | |||
the discretion of the server owner. | the discretion of the server owner. | |||
A 410 response is cacheable by default; i.e., unless otherwise | A 410 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
Section 4.2.2 of [RFC7234]). | Section 4.2.2 of [Caching]). | |||
6.5.10. 411 Length Required | 9.5.12. 411 Length Required | |||
The 411 (Length Required) status code indicates that the server | The 411 (Length Required) status code indicates that the server | |||
refuses to accept the request without a defined Content-Length | refuses to accept the request without a defined Content-Length | |||
(Section 3.3.2 of [RFC7230]). The client MAY repeat the request if | (Section 6.2.4). The client MAY repeat the request if it adds a | |||
it adds a valid Content-Length header field containing the length of | valid Content-Length header field containing the length of the | |||
the message body in the request message. | message body in the request message. | |||
4.2. 412 Precondition Failed | 9.5.13. 412 Precondition Failed | |||
The 412 (Precondition Failed) status code indicates that one or more | The 412 (Precondition Failed) status code indicates that one or more | |||
conditions given in the request header fields evaluated to false when | conditions given in the request header fields evaluated to false when | |||
tested on the server. This response code allows the client to place | tested on the server. This response status code allows the client to | |||
preconditions on the current resource state (its current | place preconditions on the current resource state (its current | |||
representations and metadata) and, thus, prevent the request method | representations and metadata) and, thus, prevent the request method | |||
from being applied if the target resource is in an unexpected state. | from being applied if the target resource is in an unexpected state. | |||
6.5.11. 413 Payload Too Large | 9.5.14. 413 Payload Too Large | |||
The 413 (Payload Too Large) status code indicates that the server is | The 413 (Payload Too Large) status code indicates that the server is | |||
refusing to process a request because the request payload is larger | refusing to process a request because the request payload is larger | |||
than the server is willing or able to process. The server MAY close | than the server is willing or able to process. The server MAY close | |||
the connection to prevent the client from continuing the request. | the connection to prevent the client from continuing the request. | |||
If the condition is temporary, the server SHOULD generate a | If the condition is temporary, the server SHOULD generate a Retry- | |||
Retry-After header field to indicate that it is temporary and after | After header field to indicate that it is temporary and after what | |||
what time the client MAY try again. | time the client MAY try again. | |||
6.5.12. 414 URI Too Long | 9.5.15. 414 URI Too Long | |||
The 414 (URI Too Long) status code indicates that the server is | The 414 (URI Too Long) status code indicates that the server is | |||
refusing to service the request because the request-target (Section | refusing to service the request because the request-target | |||
5.3 of [RFC7230]) is longer than the server is willing to interpret. | (Section 3.2 of [Messaging]) is longer than the server is willing to | |||
This rare condition is only likely to occur when a client has | interpret. This rare condition is only likely to occur when a client | |||
improperly converted a POST request to a GET request with long query | has improperly converted a POST request to a GET request with long | |||
information, when the client has descended into a "black hole" of | query information, when the client has descended into a "black hole" | |||
redirection (e.g., a redirected URI prefix that points to a suffix of | of redirection (e.g., a redirected URI prefix that points to a suffix | |||
itself) or when the server is under attack by a client attempting to | of itself) or when the server is under attack by a client attempting | |||
exploit potential security holes. | to exploit potential security holes. | |||
A 414 response is cacheable by default; i.e., unless otherwise | A 414 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
Section 4.2.2 of [RFC7234]). | Section 4.2.2 of [Caching]). | |||
6.5.13. 415 Unsupported Media Type | 9.5.16. 415 Unsupported Media Type | |||
The 415 (Unsupported Media Type) status code indicates that the | The 415 (Unsupported Media Type) status code indicates that the | |||
origin server is refusing to service the request because the payload | origin server is refusing to service the request because the payload | |||
is in a format not supported by this method on the target resource. | is in a format not supported by this method on the target resource. | |||
The format problem might be due to the request's indicated | The format problem might be due to the request's indicated Content- | |||
Content-Type or Content-Encoding, or as a result of inspecting the | Type or Content-Encoding, or as a result of inspecting the data | |||
data directly. | directly. | |||
4.4. 416 Range Not Satisfiable | 9.5.17. 416 Range Not Satisfiable | |||
The 416 (Range Not Satisfiable) status code indicates that none of | The 416 (Range Not Satisfiable) status code indicates that none of | |||
the ranges in the request's Range header field (Section 3.1) overlap | the ranges in the request's Range header field (Section 8.3) overlap | |||
the current extent of the selected resource or that the set of ranges | the current extent of the selected representation or that the set of | |||
requested has been rejected due to invalid ranges or an excessive | ranges requested has been rejected due to invalid ranges or an | |||
request of small or overlapping ranges. | excessive request of small or overlapping ranges. | |||
For byte ranges, failing to overlap the current extent means that the | For byte ranges, failing to overlap the current extent means that the | |||
first-byte-pos of all of the byte-range-spec values were greater than | first-pos of all of the range-spec values were greater than or equal | |||
the current length of the selected representation. When this status | to the current length of the selected representation. When this | |||
code is generated in response to a byte-range request, the sender | status code is generated in response to a byte-range request, the | |||
SHOULD generate a Content-Range header field specifying the current | sender SHOULD generate a Content-Range header field specifying the | |||
length of the selected representation (Section 4.2). | current length of the selected representation (Section 6.3.4). | |||
For example: | For example: | |||
HTTP/1.1 416 Range Not Satisfiable | HTTP/1.1 416 Range Not Satisfiable | |||
Date: Fri, 20 Jan 2012 15:41:54 GMT | Date: Fri, 20 Jan 2012 15:41:54 GMT | |||
Content-Range: bytes */47022 | Content-Range: bytes */47022 | |||
Note: Because servers are free to ignore Range, many | Note: Because servers are free to ignore Range, many | |||
implementations will simply respond with the entire selected | implementations will simply respond with the entire selected | |||
representation in a 200 (OK) response. That is partly because | representation in a 200 (OK) response. That is partly because | |||
most clients are prepared to receive a 200 (OK) to complete the | most clients are prepared to receive a 200 (OK) to complete the | |||
task (albeit less efficiently) and partly because clients might | task (albeit less efficiently) and partly because clients might | |||
not stop making an invalid partial request until they have | not stop making an invalid partial request until they have | |||
received a complete representation. Thus, clients cannot depend | received a complete representation. Thus, clients cannot depend | |||
on receiving a 416 (Range Not Satisfiable) response even when it | on receiving a 416 (Range Not Satisfiable) response even when it | |||
is most appropriate. | is most appropriate. | |||
6.5.14. 417 Expectation Failed | 9.5.18. 417 Expectation Failed | |||
The 417 (Expectation Failed) status code indicates that the | The 417 (Expectation Failed) status code indicates that the | |||
expectation given in the request's Expect header field | expectation given in the request's Expect header field | |||
(Section 5.1.1) could not be met by at least one of the inbound | (Section 8.1.1) could not be met by at least one of the inbound | |||
servers. | servers. | |||
9.5.19. 418 (Unused) | ||||
[RFC2324] was an April 1 RFC that lampooned the various ways HTTP was | ||||
abused; one such abuse was the definition of an application-specific | ||||
418 status code. In the intervening years, this status code has been | ||||
widely implemented as an "Easter Egg", and therefore is effectively | ||||
consumed by this use. | ||||
Therefore, the 418 status code is reserved in the IANA HTTP Status | ||||
Code Registry. This indicates that the status code cannot be | ||||
assigned to other applications currently. If future circumstances | ||||
require its use (e.g., exhaustion of 4NN status codes), it can be re- | ||||
assigned to another use. | ||||
9.5.20. 422 Unprocessable Payload | ||||
The 422 (Unprocessable Payload) status code indicates that the server | ||||
understands the content type of the request payload (hence a 415 | ||||
(Unsupported Media Type) status code is inappropriate), and the | ||||
syntax of the request payload is correct, but was unable to process | ||||
the contained instructions. For example, this status code can be | ||||
sent if an XML request payload contains well-formed (i.e., | ||||
syntactically correct), but semantically erroneous XML instructions. | ||||
9.5.21. 426 Upgrade Required | 9.5.21. 426 Upgrade Required | |||
The 426 (Upgrade Required) status code indicates that the server | The 426 (Upgrade Required) status code indicates that the server | |||
refuses to perform the request using the current protocol but might | refuses to perform the request using the current protocol but might | |||
be willing to do so after the client upgrades to a different | be willing to do so after the client upgrades to a different | |||
protocol. The server MUST send an Upgrade header field in a 426 | protocol. The server MUST send an Upgrade header field in a 426 | |||
response to indicate the required protocol(s) (Section 6.7 of | response to indicate the required protocol(s) (Section 9.9 of | |||
[RFC7230]). | [Messaging]). | |||
Example: | Example: | |||
HTTP/1.1 426 Upgrade Required | HTTP/1.1 426 Upgrade Required | |||
Upgrade: HTTP/3.0 | Upgrade: HTTP/3.0 | |||
Connection: Upgrade | Connection: Upgrade | |||
Content-Length: 53 | Content-Length: 53 | |||
Content-Type: text/plain | Content-Type: text/plain | |||
This service requires use of the HTTP/3.0 protocol. | This service requires use of the HTTP/3.0 protocol. | |||
6.6. Server Error 5xx | 9.6. Server Error 5xx | |||
The 5xx (Server Error) class of status code indicates that the server | The 5xx (Server Error) class of status code indicates that the server | |||
is aware that it has erred or is incapable of performing the | is aware that it has erred or is incapable of performing the | |||
requested method. Except when responding to a HEAD request, the | requested method. Except when responding to a HEAD request, the | |||
server SHOULD send a representation containing an explanation of the | server SHOULD send a representation containing an explanation of the | |||
error situation, and whether it is a temporary or permanent | error situation, and whether it is a temporary or permanent | |||
condition. A user agent SHOULD display any included representation | condition. A user agent SHOULD display any included representation | |||
to the user. These response codes are applicable to any request | to the user. These response codes are applicable to any request | |||
method. | method. | |||
6.6.1. 500 Internal Server Error | 9.6.1. 500 Internal Server Error | |||
The 500 (Internal Server Error) status code indicates that the server | The 500 (Internal Server Error) status code indicates that the server | |||
encountered an unexpected condition that prevented it from fulfilling | encountered an unexpected condition that prevented it from fulfilling | |||
the request. | the request. | |||
6.6.2. 501 Not Implemented | 9.6.2. 501 Not Implemented | |||
The 501 (Not Implemented) status code indicates that the server does | The 501 (Not Implemented) status code indicates that the server does | |||
not support the functionality required to fulfill the request. This | not support the functionality required to fulfill the request. This | |||
is the appropriate response when the server does not recognize the | is the appropriate response when the server does not recognize the | |||
request method and is not capable of supporting it for any resource. | request method and is not capable of supporting it for any resource. | |||
A 501 response is cacheable by default; i.e., unless otherwise | A 501 response is heuristically cacheable; i.e., unless otherwise | |||
indicated by the method definition or explicit cache controls (see | indicated by the method definition or explicit cache controls (see | |||
Section 4.2.2 of [RFC7234]). | Section 4.2.2 of [Caching]). | |||
6.6.3. 502 Bad Gateway | 9.6.3. 502 Bad Gateway | |||
The 502 (Bad Gateway) status code indicates that the server, while | The 502 (Bad Gateway) status code indicates that the server, while | |||
acting as a gateway or proxy, received an invalid response from an | acting as a gateway or proxy, received an invalid response from an | |||
inbound server it accessed while attempting to fulfill the request. | inbound server it accessed while attempting to fulfill the request. | |||
6.6.4. 503 Service Unavailable | 9.6.4. 503 Service Unavailable | |||
The 503 (Service Unavailable) status code indicates that the server | The 503 (Service Unavailable) status code indicates that the server | |||
is currently unable to handle the request due to a temporary overload | is currently unable to handle the request due to a temporary overload | |||
or scheduled maintenance, which will likely be alleviated after some | or scheduled maintenance, which will likely be alleviated after some | |||
delay. The server MAY send a Retry-After header field | delay. The server MAY send a Retry-After header field | |||
(Section 7.1.3) to suggest an appropriate amount of time for the | (Section 10.1.3) to suggest an appropriate amount of time for the | |||
client to wait before retrying the request. | client to wait before retrying the request. | |||
Note: The existence of the 503 status code does not imply that a | Note: The existence of the 503 status code does not imply that a | |||
server has to use it when becoming overloaded. Some servers might | server has to use it when becoming overloaded. Some servers might | |||
simply refuse the connection. | simply refuse the connection. | |||
6.6.5. 504 Gateway Timeout | 9.6.5. 504 Gateway Timeout | |||
The 504 (Gateway Timeout) status code indicates that the server, | The 504 (Gateway Timeout) status code indicates that the server, | |||
while acting as a gateway or proxy, did not receive a timely response | while acting as a gateway or proxy, did not receive a timely response | |||
from an upstream server it needed to access in order to complete the | from an upstream server it needed to access in order to complete the | |||
request. | request. | |||
6.6.6. 505 HTTP Version Not Supported | 9.6.6. 505 HTTP Version Not Supported | |||
The 505 (HTTP Version Not Supported) status code indicates that the | The 505 (HTTP Version Not Supported) status code indicates that the | |||
server does not support, or refuses to support, the major version of | server does not support, or refuses to support, the major version of | |||
HTTP that was used in the request message. The server is indicating | HTTP that was used in the request message. The server is indicating | |||
that it is unable or unwilling to complete the request using the same | that it is unable or unwilling to complete the request using the same | |||
major version as the client, as described in Section 2.6 of | major version as the client, as described in Section 3.5, other than | |||
[RFC7230], other than with this error message. The server SHOULD | with this error message. The server SHOULD generate a representation | |||
generate a representation for the 505 response that describes why | for the 505 response that describes why that version is not supported | |||
that version is not supported and what other protocols are supported | and what other protocols are supported by that server. | |||
by that server. | ||||
9.7. Status Code Extensibility | 9.7. Status Code Extensibility | |||
9.7.1. Status Code Registry | Additional status codes, outside the scope of this specification, | |||
have been specified for use in HTTP. All such status codes ought to | ||||
The "Hypertext Transfer Protocol (HTTP) Status Code Registry" defines | be registered within the "Hypertext Transfer Protocol (HTTP) Status | |||
the namespace for the response status-code token (Section 6). The | Code Registry". | |||
status code registry is maintained at | ||||
<http://www.iana.org/assignments/http-status-codes>. | ||||
This section replaces the registration procedure for HTTP Status | 9.7.1. Status Code Registry | |||
Codes previously defined in Section 7.1 of [RFC2817]. | ||||
8.2.1. Procedure | The "Hypertext Transfer Protocol (HTTP) Status Code Registry", | |||
maintained by IANA at <https://www.iana.org/assignments/http-status- | ||||
codes>, registers status code numbers. | ||||
A registration MUST include the following fields: | A registration MUST include the following fields: | |||
o Status Code (3 digits) | o Status Code (3 digits) | |||
o Short Description | o Short Description | |||
o Pointer to specification text | o Pointer to specification text | |||
Values to be added to the HTTP status code namespace require IETF | Values to be added to the HTTP status code namespace require IETF | |||
Review (see [RFC5226], Section 4.1). | Review (see [RFC8126], Section 4.8). | |||
8.2.2. Considerations for New Status Codes | 9.7.2. Considerations for New Status Codes | |||
When it is necessary to express semantics for a response that are not | When it is necessary to express semantics for a response that are not | |||
defined by current status codes, a new status code can be registered. | defined by current status codes, a new status code can be registered. | |||
Status codes are generic; they are potentially applicable to any | Status codes are generic; they are potentially applicable to any | |||
resource, not just one particular media type, kind of resource, or | resource, not just one particular media type, kind of resource, or | |||
application of HTTP. As such, it is preferred that new status codes | application of HTTP. As such, it is preferred that new status codes | |||
be registered in a document that isn't specific to a single | be registered in a document that isn't specific to a single | |||
application. | application. | |||
New status codes are required to fall under one of the categories | New status codes are required to fall under one of the categories | |||
defined in Section 6. To allow existing parsers to process the | defined in Section 9. To allow existing parsers to process the | |||
response message, new status codes cannot disallow a payload, | response message, new status codes cannot disallow a payload, | |||
although they can mandate a zero-length payload body. | although they can mandate a zero-length payload body. | |||
Proposals for new status codes that are not yet widely deployed ought | Proposals for new status codes that are not yet widely deployed ought | |||
to avoid allocating a specific number for the code until there is | to avoid allocating a specific number for the code until there is | |||
clear consensus that it will be registered; instead, early drafts can | clear consensus that it will be registered; instead, early drafts can | |||
use a notation such as "4NN", or "3N0" .. "3N9", to indicate the | use a notation such as "4NN", or "3N0" .. "3N9", to indicate the | |||
class of the proposed status code(s) without consuming a number | class of the proposed status code(s) without consuming a number | |||
prematurely. | prematurely. | |||
The definition of a new status code ought to explain the request | The definition of a new status code ought to explain the request | |||
conditions that would cause a response containing that status code | conditions that would cause a response containing that status code | |||
(e.g., combinations of request header fields and/or method(s)) along | (e.g., combinations of request header fields and/or method(s)) along | |||
with any dependencies on response header fields (e.g., what fields | with any dependencies on response header fields (e.g., what fields | |||
are required, what fields can modify the semantics, and what header | are required, what fields can modify the semantics, and what field | |||
field semantics are further refined when used with the new status | semantics are further refined when used with the new status code). | |||
code). | ||||
The definition of a new status code ought to specify whether or not | The definition of a new status code ought to specify whether or not | |||
it is cacheable. Note that all status codes can be cached if the | it is cacheable. Note that all status codes can be cached if the | |||
response they occur in has explicit freshness information; however, | response they occur in has explicit freshness information; however, | |||
status codes that are defined as being cacheable are allowed to be | status codes that are defined as being cacheable are allowed to be | |||
cached without explicit freshness information. Likewise, the | cached without explicit freshness information. Likewise, the | |||
definition of a status code can place constraints upon cache | definition of a status code can place constraints upon cache | |||
behavior. See [RFC7234] for more information. | behavior. See [Caching] for more information. | |||
Finally, the definition of a new status code ought to indicate | Finally, the definition of a new status code ought to indicate | |||
whether the payload has any implied association with an identified | whether the payload has any implied association with an identified | |||
resource (Section 3.1.4.1). | resource (Section 6.3.2). | |||
7. Response Header Fields | 10. Response Header Fields | |||
The response header fields allow the server to pass additional | The response header fields allow the server to pass additional | |||
information about the response beyond what is placed in the | information about the response beyond what is placed in the status- | |||
status-line. These header fields give information about the server, | line. These header fields give information about the server, about | |||
about further access to the target resource, or about related | further access to the target resource, or about related resources. | |||
resources. | ||||
Although each response header field has a defined meaning, in | Although each response header field has a defined meaning, in | |||
general, the precise semantics might be further refined by the | general, the precise semantics might be further refined by the | |||
semantics of the request method and/or response status code. | semantics of the request method and/or response status code. | |||
7.1. Control Data | 10.1. Control Data | |||
Response header fields can supply control data that supplements the | Response header fields can supply control data that supplements the | |||
status code, directs caching, or instructs the client where to go | status code, directs caching, or instructs the client where to go | |||
next. | next. | |||
+-------------------+--------------------------+ | +---------------+--------------------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+-------------------+--------------------------+ | +---------------+--------------------------+ | |||
| Age | Section 5.1 of [RFC7234] | | | Age | Section 5.1 of [Caching] | | |||
| Cache-Control | Section 5.2 of [RFC7234] | | | Cache-Control | Section 5.2 of [Caching] | | |||
| Expires | Section 5.3 of [RFC7234] | | | Expires | Section 5.3 of [Caching] | | |||
| Date | Section 7.1.1.2 | | | Date | Section 10.1.1.2 | | |||
| Location | Section 7.1.2 | | | Location | Section 10.1.2 | | |||
| Retry-After | Section 7.1.3 | | | Retry-After | Section 10.1.3 | | |||
| Vary | Section 7.1.4 | | | Vary | Section 10.1.4 | | |||
| Warning | Section 5.5 of [RFC7234] | | | Warning | Section 5.5 of [Caching] | | |||
+-------------------+--------------------------+ | +---------------+--------------------------+ | |||
7.1.1. Origination Date | 10.1.1. Origination Date | |||
7.1.1.1. Date/Time Formats | 10.1.1.1. Date/Time Formats | |||
Prior to 1995, there were three different formats commonly used by | Prior to 1995, there were three different formats commonly used by | |||
servers to communicate timestamps. For compatibility with old | servers to communicate timestamps. For compatibility with old | |||
implementations, all three are defined here. The preferred format is | implementations, all three are defined here. The preferred format is | |||
a fixed-length and single-zone subset of the date and time | a fixed-length and single-zone subset of the date and time | |||
specification used by the Internet Message Format [RFC5322]. | specification used by the Internet Message Format [RFC5322]. | |||
HTTP-date = IMF-fixdate / obs-date | HTTP-date = IMF-fixdate / obs-date | |||
An example of the preferred format is | An example of the preferred format is | |||
Sun, 06 Nov 1994 08:49:37 GMT ; IMF-fixdate | Sun, 06 Nov 1994 08:49:37 GMT ; IMF-fixdate | |||
Examples of the two obsolete formats are | Examples of the two obsolete formats are | |||
Sunday, 06-Nov-94 08:49:37 GMT ; obsolete RFC 850 format | Sunday, 06-Nov-94 08:49:37 GMT ; obsolete RFC 850 format | |||
Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format | Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format | |||
A recipient that parses a timestamp value in an HTTP header field | A recipient that parses a timestamp value in an HTTP field MUST | |||
MUST accept all three HTTP-date formats. When a sender generates a | accept all three HTTP-date formats. When a sender generates a field | |||
header field that contains one or more timestamps defined as | that contains one or more timestamps defined as HTTP-date, the sender | |||
HTTP-date, the sender MUST generate those timestamps in the | MUST generate those timestamps in the IMF-fixdate format. | |||
IMF-fixdate format. | ||||
An HTTP-date value represents time as an instance of Coordinated | An HTTP-date value represents time as an instance of Coordinated | |||
Universal Time (UTC). The first two formats indicate UTC by the | Universal Time (UTC). The first two formats indicate UTC by the | |||
three-letter abbreviation for Greenwich Mean Time, "GMT", a | three-letter abbreviation for Greenwich Mean Time, "GMT", a | |||
predecessor of the UTC name; values in the asctime format are assumed | predecessor of the UTC name; values in the asctime format are assumed | |||
to be in UTC. A sender that generates HTTP-date values from a local | to be in UTC. A sender that generates HTTP-date values from a local | |||
clock ought to use NTP ([RFC5905]) or some similar protocol to | clock ought to use NTP ([RFC5905]) or some similar protocol to | |||
synchronize its clock to UTC. | synchronize its clock to UTC. | |||
Preferred format: | Preferred format: | |||
IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT | IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT | |||
; fixed length/zone/capitalization subset of the format | ; fixed length/zone/capitalization subset of the format | |||
; see Section 3.3 of [RFC5322] | ; see Section 3.3 of [RFC5322] | |||
day-name = %x4D.6F.6E ; "Mon", case-sensitive | day-name = %s"Mon" / %s"Tue" / %s"Wed" | |||
/ %x54.75.65 ; "Tue", case-sensitive | / %s"Thu" / %s"Fri" / %s"Sat" / %s"Sun" | |||
/ %x57.65.64 ; "Wed", case-sensitive | ||||
/ %x54.68.75 ; "Thu", case-sensitive | ||||
/ %x46.72.69 ; "Fri", case-sensitive | ||||
/ %x53.61.74 ; "Sat", case-sensitive | ||||
/ %x53.75.6E ; "Sun", case-sensitive | ||||
date1 = day SP month SP year | date1 = day SP month SP year | |||
; e.g., 02 Jun 1982 | ; e.g., 02 Jun 1982 | |||
day = 2DIGIT | day = 2DIGIT | |||
month = %x4A.61.6E ; "Jan", case-sensitive | month = %s"Jan" / %s"Feb" / %s"Mar" / %s"Apr" | |||
/ %x46.65.62 ; "Feb", case-sensitive | / %s"May" / %s"Jun" / %s"Jul" / %s"Aug" | |||
/ %x4D.61.72 ; "Mar", case-sensitive | / %s"Sep" / %s"Oct" / %s"Nov" / %s"Dec" | |||
/ %x41.70.72 ; "Apr", case-sensitive | ||||
/ %x4D.61.79 ; "May", case-sensitive | ||||
/ %x4A.75.6E ; "Jun", case-sensitive | ||||
/ %x4A.75.6C ; "Jul", case-sensitive | ||||
/ %x41.75.67 ; "Aug", case-sensitive | ||||
/ %x53.65.70 ; "Sep", case-sensitive | ||||
/ %x4F.63.74 ; "Oct", case-sensitive | ||||
/ %x4E.6F.76 ; "Nov", case-sensitive | ||||
/ %x44.65.63 ; "Dec", case-sensitive | ||||
year = 4DIGIT | year = 4DIGIT | |||
GMT = %x47.4D.54 ; "GMT", case-sensitive | GMT = %s"GMT" | |||
time-of-day = hour ":" minute ":" second | time-of-day = hour ":" minute ":" second | |||
; 00:00:00 - 23:59:60 (leap second) | ; 00:00:00 - 23:59:60 (leap second) | |||
hour = 2DIGIT | hour = 2DIGIT | |||
minute = 2DIGIT | minute = 2DIGIT | |||
second = 2DIGIT | second = 2DIGIT | |||
Obsolete formats: | Obsolete formats: | |||
obs-date = rfc850-date / asctime-date | obs-date = rfc850-date / asctime-date | |||
rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT | rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT | |||
date2 = day "-" month "-" 2DIGIT | date2 = day "-" month "-" 2DIGIT | |||
; e.g., 02-Jun-82 | ; e.g., 02-Jun-82 | |||
day-name-l = %x4D.6F.6E.64.61.79 ; "Monday", case-sensitive | day-name-l = %s"Monday" / %s"Tuesday" / %s"Wednesday" | |||
/ %x54.75.65.73.64.61.79 ; "Tuesday", case-sensitive | / %s"Thursday" / %s"Friday" / %s"Saturday" / %s"Sunday" | |||
/ %x57.65.64.6E.65.73.64.61.79 ; "Wednesday", case-sensitive | ||||
/ %x54.68.75.72.73.64.61.79 ; "Thursday", case-sensitive | ||||
/ %x46.72.69.64.61.79 ; "Friday", case-sensitive | ||||
/ %x53.61.74.75.72.64.61.79 ; "Saturday", case-sensitive | ||||
/ %x53.75.6E.64.61.79 ; "Sunday", case-sensitive | ||||
asctime-date = day-name SP date3 SP time-of-day SP year | asctime-date = day-name SP date3 SP time-of-day SP year | |||
date3 = month SP ( 2DIGIT / ( SP 1DIGIT )) | date3 = month SP ( 2DIGIT / ( SP 1DIGIT )) | |||
; e.g., Jun 2 | ; e.g., Jun 2 | |||
HTTP-date is case sensitive. A sender MUST NOT generate additional | HTTP-date is case sensitive. A sender MUST NOT generate additional | |||
whitespace in an HTTP-date beyond that specifically included as SP in | whitespace in an HTTP-date beyond that specifically included as SP in | |||
the grammar. The semantics of day-name, day, month, year, and | the grammar. The semantics of day-name, day, month, year, and time- | |||
time-of-day are the same as those defined for the Internet Message | of-day are the same as those defined for the Internet Message Format | |||
Format constructs with the corresponding name ([RFC5322], Section | constructs with the corresponding name ([RFC5322], Section 3.3). | |||
3.3). | ||||
Recipients of a timestamp value in rfc850-date format, which uses a | Recipients of a timestamp value in rfc850-date format, which uses a | |||
two-digit year, MUST interpret a timestamp that appears to be more | two-digit year, MUST interpret a timestamp that appears to be more | |||
than 50 years in the future as representing the most recent year in | than 50 years in the future as representing the most recent year in | |||
the past that had the same last two digits. | the past that had the same last two digits. | |||
Recipients of timestamp values are encouraged to be robust in parsing | Recipients of timestamp values are encouraged to be robust in parsing | |||
timestamps unless otherwise restricted by the field definition. For | timestamps unless otherwise restricted by the field definition. For | |||
example, messages are occasionally forwarded over HTTP from a | example, messages are occasionally forwarded over HTTP from a non- | |||
non-HTTP source that might generate any of the date and time | HTTP source that might generate any of the date and time | |||
specifications defined by the Internet Message Format. | specifications defined by the Internet Message Format. | |||
Note: HTTP requirements for the date/time stamp format apply only | Note: HTTP requirements for the date/time stamp format apply only | |||
to their usage within the protocol stream. Implementations are | to their usage within the protocol stream. Implementations are | |||
not required to use these formats for user presentation, request | not required to use these formats for user presentation, request | |||
logging, etc. | logging, etc. | |||
7.1.1.2. Date | 10.1.1.2. Date | |||
The "Date" header field represents the date and time at which the | The "Date" header field represents the date and time at which the | |||
message was originated, having the same semantics as the Origination | message was originated, having the same semantics as the Origination | |||
Date Field (orig-date) defined in Section 3.6.1 of [RFC5322]. The | Date Field (orig-date) defined in Section 3.6.1 of [RFC5322]. The | |||
field value is an HTTP-date, as defined in Section 7.1.1.1. | field value is an HTTP-date, as defined in Section 10.1.1.1. | |||
Date = HTTP-date | Date = HTTP-date | |||
An example is | An example is | |||
Date: Tue, 15 Nov 1994 08:12:31 GMT | Date: Tue, 15 Nov 1994 08:12:31 GMT | |||
When a Date header field is generated, the sender SHOULD generate its | When a Date header field is generated, the sender SHOULD generate its | |||
field value as the best available approximation of the date and time | field value as the best available approximation of the date and time | |||
of message generation. In theory, the date ought to represent the | of message generation. In theory, the date ought to represent the | |||
skipping to change at line 6294 ¶ | skipping to change at page 146, line 8 ¶ | |||
corresponding Date header field to the message's header section if it | corresponding Date header field to the message's header section if it | |||
is cached or forwarded downstream. | is cached or forwarded downstream. | |||
A user agent MAY send a Date header field in a request, though | A user agent MAY send a Date header field in a request, though | |||
generally will not do so unless it is believed to convey useful | generally will not do so unless it is believed to convey useful | |||
information to the server. For example, custom applications of HTTP | information to the server. For example, custom applications of HTTP | |||
might convey a Date if the server is expected to adjust its | might convey a Date if the server is expected to adjust its | |||
interpretation of the user's request based on differences between the | interpretation of the user's request based on differences between the | |||
user agent and server clocks. | user agent and server clocks. | |||
7.1.2. Location | 10.1.2. Location | |||
The "Location" header field is used in some responses to refer to a | The "Location" header field is used in some responses to refer to a | |||
specific resource in relation to the response. The type of | specific resource in relation to the response. The type of | |||
relationship is defined by the combination of request method and | relationship is defined by the combination of request method and | |||
status code semantics. | status code semantics. | |||
Location = URI-reference | Location = URI-reference | |||
The field value consists of a single URI-reference. When it has the | The field value consists of a single URI-reference. When it has the | |||
form of a relative reference ([RFC3986], Section 4.2), the final | form of a relative reference ([RFC3986], Section 4.2), the final | |||
skipping to change at line 6348 ¶ | skipping to change at page 147, line 15 ¶ | |||
There are circumstances in which a fragment identifier in a Location | There are circumstances in which a fragment identifier in a Location | |||
value would not be appropriate. For example, the Location header | value would not be appropriate. For example, the Location header | |||
field in a 201 (Created) response is supposed to provide a URI that | field in a 201 (Created) response is supposed to provide a URI that | |||
is specific to the created resource. | is specific to the created resource. | |||
Note: Some recipients attempt to recover from Location fields that | Note: Some recipients attempt to recover from Location fields that | |||
are not valid URI references. This specification does not mandate | are not valid URI references. This specification does not mandate | |||
or define such processing, but does allow it for the sake of | or define such processing, but does allow it for the sake of | |||
robustness. | robustness. | |||
Note: The Content-Location header field (Section 3.1.4.2) differs | Note: The Content-Location header field (Section 6.2.5) differs | |||
from Location in that the Content-Location refers to the most | from Location in that the Content-Location refers to the most | |||
specific resource corresponding to the enclosed representation. | specific resource corresponding to the enclosed representation. | |||
It is therefore possible for a response to contain both the | It is therefore possible for a response to contain both the | |||
Location and Content-Location header fields. | Location and Content-Location header fields. | |||
7.1.3. Retry-After | 10.1.3. Retry-After | |||
Servers send the "Retry-After" header field to indicate how long the | Servers send the "Retry-After" header field to indicate how long the | |||
user agent ought to wait before making a follow-up request. When | user agent ought to wait before making a follow-up request. When | |||
sent with a 503 (Service Unavailable) response, Retry-After indicates | sent with a 503 (Service Unavailable) response, Retry-After indicates | |||
how long the service is expected to be unavailable to the client. | how long the service is expected to be unavailable to the client. | |||
When sent with any 3xx (Redirection) response, Retry-After indicates | When sent with any 3xx (Redirection) response, Retry-After indicates | |||
the minimum time that the user agent is asked to wait before issuing | the minimum time that the user agent is asked to wait before issuing | |||
the redirected request. | the redirected request. | |||
The value of this field can be either an HTTP-date or a number of | The value of this field can be either an HTTP-date or a number of | |||
skipping to change at line 6381 ¶ | skipping to change at page 147, line 48 ¶ | |||
delay-seconds = 1*DIGIT | delay-seconds = 1*DIGIT | |||
Two examples of its use are | Two examples of its use are | |||
Retry-After: Fri, 31 Dec 1999 23:59:59 GMT | Retry-After: Fri, 31 Dec 1999 23:59:59 GMT | |||
Retry-After: 120 | Retry-After: 120 | |||
In the latter example, the delay is 2 minutes. | In the latter example, the delay is 2 minutes. | |||
7.1.4. Vary | 10.1.4. Vary | |||
The "Vary" header field in a response describes what parts of a | The "Vary" header field in a response describes what parts of a | |||
request message, aside from the method, Host header field, and | request message, aside from the method, Host header field, and | |||
request target, might influence the origin server's process for | request target, might influence the origin server's process for | |||
selecting and representing this response. The value consists of | selecting and representing this response. The value consists of | |||
either a single asterisk ("*") or a list of header field names | either a single asterisk ("*") or a list of header field names (case- | |||
(case-insensitive). | insensitive). | |||
Vary = "*" / 1#field-name | Vary = "*" / 1#field-name | |||
A Vary field value of "*" signals that anything about the request | A Vary field value of "*" signals that anything about the request | |||
might play a role in selecting the response representation, possibly | might play a role in selecting the response representation, possibly | |||
including elements outside the message syntax (e.g., the client's | including elements outside the message syntax (e.g., the client's | |||
network address). A recipient will not be able to determine whether | network address). A recipient will not be able to determine whether | |||
this response is appropriate for a later request without forwarding | this response is appropriate for a later request without forwarding | |||
the request to the origin server. A proxy MUST NOT generate a Vary | the request to the origin server. A proxy MUST NOT generate a Vary | |||
field with a "*" value. | field with a "*" value. | |||
A Vary field value consisting of a comma-separated list of names | A Vary field value consisting of a list of field names indicates that | |||
indicates that the named request header fields, known as the | the named request header fields, known as the selecting header | |||
selecting header fields, might have a role in selecting the | fields, might have a role in selecting the representation. The | |||
representation. The potential selecting header fields are not | potential selecting header fields are not limited to those defined by | |||
limited to those defined by this specification. | this specification. | |||
For example, a response that contains | For example, a response that contains | |||
Vary: accept-encoding, accept-language | Vary: accept-encoding, accept-language | |||
indicates that the origin server might have used the request's | indicates that the origin server might have used the request's | |||
Accept-Encoding and Accept-Language fields (or lack thereof) as | Accept-Encoding and Accept-Language fields (or lack thereof) as | |||
determining factors while choosing the content for this response. | determining factors while choosing the content for this response. | |||
An origin server might send Vary with a list of fields for two | An origin server might send Vary with a list of fields for two | |||
purposes: | purposes: | |||
1. To inform cache recipients that they MUST NOT use this response | 1. To inform cache recipients that they MUST NOT use this response | |||
to satisfy a later request unless the later request has the same | to satisfy a later request unless the later request has the same | |||
values for the listed fields as the original request (Section 4.1 | values for the listed fields as the original request (Section 4.1 | |||
of [RFC7234]). In other words, Vary expands the cache key | of [Caching]). In other words, Vary expands the cache key | |||
required to match a new request to the stored cache entry. | required to match a new request to the stored cache entry. | |||
2. To inform user agent recipients that this response is subject to | 2. To inform user agent recipients that this response is subject to | |||
content negotiation (Section 5.3) and that a different | content negotiation (Section 8.4) and that a different | |||
representation might be sent in a subsequent request if | representation might be sent in a subsequent request if | |||
additional parameters are provided in the listed header fields | additional parameters are provided in the listed header fields | |||
(proactive negotiation). | (proactive negotiation). | |||
An origin server SHOULD send a Vary header field when its algorithm | An origin server SHOULD send a Vary header field when its algorithm | |||
for selecting a representation varies based on aspects of the request | for selecting a representation varies based on aspects of the request | |||
message other than the method and request target, unless the variance | message other than the method and request target, unless the variance | |||
cannot be crossed or the origin server has been deliberately | cannot be crossed or the origin server has been deliberately | |||
configured to prevent cache transparency. For example, there is no | configured to prevent cache transparency. For example, there is no | |||
need to send the Authorization field name in Vary because reuse | need to send the Authorization field name in Vary because reuse | |||
across users is constrained by the field definition (Section 4.2 of | across users is constrained by the field definition (Section 8.5.3). | |||
[RFC7235]). Likewise, an origin server might use Cache-Control | Likewise, an origin server might use Cache-Control response | |||
directives (Section 5.2 of [RFC7234]) to supplant Vary if it | directives (Section 5.2 of [Caching]) to supplant Vary if it | |||
considers the variance less significant than the performance cost of | considers the variance less significant than the performance cost of | |||
Vary's impact on caching. | Vary's impact on caching. | |||
7.2. Validator Header Fields | 10.2. Validators | |||
Validator header fields convey metadata about the selected | Validator header fields convey metadata about the selected | |||
representation (Section 3). In responses to safe requests, validator | representation (Section 6). In responses to safe requests, validator | |||
fields describe the selected representation chosen by the origin | fields describe the selected representation chosen by the origin | |||
server while handling the response. Note that, depending on the | server while handling the response. Note that, depending on the | |||
status code semantics, the selected representation for a given | status code semantics, the selected representation for a given | |||
response is not necessarily the same as the representation enclosed | response is not necessarily the same as the representation enclosed | |||
as response payload. | as response payload. | |||
In a successful response to a state-changing request, validator | In a successful response to a state-changing request, validator | |||
fields describe the new representation that has replaced the prior | fields describe the new representation that has replaced the prior | |||
selected representation as a result of processing the request. | selected representation as a result of processing the request. | |||
For example, an ETag header field in a 201 (Created) response | For example, an ETag field in a 201 (Created) response communicates | |||
communicates the entity-tag of the newly created resource's | the entity-tag of the newly created resource's representation, so | |||
representation, so that it can be used in later conditional requests | that it can be used in later conditional requests to prevent the | |||
to prevent the "lost update" problem [RFC7232]. | "lost update" problem Section 8.2. | |||
+-------------------+--------------------------+ | +---------------+----------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+-------------------+--------------------------+ | +---------------+----------------+ | |||
| ETag | Section 2.3 of [RFC7232] | | | ETag | Section 10.2.3 | | |||
| Last-Modified | Section 2.2 of [RFC7232] | | | Last-Modified | Section 10.2.2 | | |||
+-------------------+--------------------------+ | +---------------+----------------+ | |||
This specification defines two forms of metadata that are commonly | This specification defines two forms of metadata that are commonly | |||
used to observe resource state and test for preconditions: | used to observe resource state and test for preconditions: | |||
modification dates (Section 2.2) and opaque entity tags | modification dates (Section 10.2.2) and opaque entity tags | |||
(Section 2.3). Additional metadata that reflects resource state has | (Section 10.2.3). Additional metadata that reflects resource state | |||
been defined by various extensions of HTTP, such as Web Distributed | has been defined by various extensions of HTTP, such as Web | |||
Authoring and Versioning (WebDAV, [RFC4918]), that are beyond the | Distributed Authoring and Versioning (WebDAV, [RFC4918]), that are | |||
scope of this specification. A resource metadata value is referred | beyond the scope of this specification. A resource metadata value is | |||
to as a "validator" when it is used within a precondition. | referred to as a "validator" when it is used within a precondition. | |||
2.1. Weak versus Strong | 10.2.1. Weak versus Strong | |||
Validators come in two flavors: strong or weak. Weak validators are | Validators come in two flavors: strong or weak. Weak validators are | |||
easy to generate but are far less useful for comparisons. Strong | easy to generate but are far less useful for comparisons. Strong | |||
validators are ideal for comparisons but can be very difficult (and | validators are ideal for comparisons but can be very difficult (and | |||
occasionally impossible) to generate efficiently. Rather than impose | occasionally impossible) to generate efficiently. Rather than impose | |||
that all forms of resource adhere to the same strength of validator, | that all forms of resource adhere to the same strength of validator, | |||
HTTP exposes the type of validator in use and imposes restrictions on | HTTP exposes the type of validator in use and imposes restrictions on | |||
when weak validators can be used as preconditions. | when weak validators can be used as preconditions. | |||
A "strong validator" is representation metadata that changes value | A "strong validator" is representation metadata that changes value | |||
skipping to change at line 6561 ¶ | skipping to change at page 151, line 41 ¶ | |||
they differ only in the representation metadata, such as when two | they differ only in the representation metadata, such as when two | |||
different media types are available for the same representation data. | different media types are available for the same representation data. | |||
Strong validators are usable for all conditional requests, including | Strong validators are usable for all conditional requests, including | |||
cache validation, partial content ranges, and "lost update" | cache validation, partial content ranges, and "lost update" | |||
avoidance. Weak validators are only usable when the client does not | avoidance. Weak validators are only usable when the client does not | |||
require exact equality with previously obtained representation data, | require exact equality with previously obtained representation data, | |||
such as when validating a cache entry or limiting a web traversal to | such as when validating a cache entry or limiting a web traversal to | |||
recent changes. | recent changes. | |||
2.2. Last-Modified | 10.2.2. Last-Modified | |||
The "Last-Modified" header field in a response provides a timestamp | The "Last-Modified" header field in a response provides a timestamp | |||
indicating the date and time at which the origin server believes the | indicating the date and time at which the origin server believes the | |||
selected representation was last modified, as determined at the | selected representation was last modified, as determined at the | |||
conclusion of handling the request. | conclusion of handling the request. | |||
Last-Modified = HTTP-date | Last-Modified = HTTP-date | |||
An example of its use is | An example of its use is | |||
Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT | Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT | |||
2.2.1. Generation | 10.2.2.1. Generation | |||
An origin server SHOULD send Last-Modified for any selected | An origin server SHOULD send Last-Modified for any selected | |||
representation for which a last modification date can be reasonably | representation for which a last modification date can be reasonably | |||
and consistently determined, since its use in conditional requests | and consistently determined, since its use in conditional requests | |||
and evaluating cache freshness ([RFC7234]) results in a substantial | and evaluating cache freshness ([Caching]) results in a substantial | |||
reduction of HTTP traffic on the Internet and can be a significant | reduction of HTTP traffic on the Internet and can be a significant | |||
factor in improving service scalability and reliability. | factor in improving service scalability and reliability. | |||
A representation is typically the sum of many parts behind the | A representation is typically the sum of many parts behind the | |||
resource interface. The last-modified time would usually be the most | resource interface. The last-modified time would usually be the most | |||
recent time that any of those parts were changed. How that value is | recent time that any of those parts were changed. How that value is | |||
determined for any given resource is an implementation detail beyond | determined for any given resource is an implementation detail beyond | |||
the scope of this specification. What matters to HTTP is how | the scope of this specification. What matters to HTTP is how | |||
recipients of the Last-Modified header field can use its value to | recipients of the Last-Modified header field can use its value to | |||
make conditional requests and test the validity of locally cached | make conditional requests and test the validity of locally cached | |||
skipping to change at line 6611 ¶ | skipping to change at page 152, line 43 ¶ | |||
the last modification time is derived from implementation-specific | the last modification time is derived from implementation-specific | |||
metadata that evaluates to some time in the future, according to the | metadata that evaluates to some time in the future, according to the | |||
origin server's clock, then the origin server MUST replace that value | origin server's clock, then the origin server MUST replace that value | |||
with the message origination date. This prevents a future | with the message origination date. This prevents a future | |||
modification date from having an adverse impact on cache validation. | modification date from having an adverse impact on cache validation. | |||
An origin server without a clock MUST NOT assign Last-Modified values | An origin server without a clock MUST NOT assign Last-Modified values | |||
to a response unless these values were associated with the resource | to a response unless these values were associated with the resource | |||
by some other system or user with a reliable clock. | by some other system or user with a reliable clock. | |||
2.2.2. Comparison | 10.2.2.2. Comparison | |||
A Last-Modified time, when used as a validator in a request, is | A Last-Modified time, when used as a validator in a request, is | |||
implicitly weak unless it is possible to deduce that it is strong, | implicitly weak unless it is possible to deduce that it is strong, | |||
using the following rules: | using the following rules: | |||
o The validator is being compared by an origin server to the actual | o The validator is being compared by an origin server to the actual | |||
current validator for the representation and, | current validator for the representation and, | |||
o That origin server reliably knows that the associated | o That origin server reliably knows that the associated | |||
representation did not change twice during the second covered by | representation did not change twice during the second covered by | |||
the presented validator. | the presented validator. | |||
or | or | |||
o The validator is about to be used by a client in an | o The validator is about to be used by a client in an If-Modified- | |||
If-Modified-Since, If-Unmodified-Since, or If-Range header field, | Since, If-Unmodified-Since, or If-Range header field, because the | |||
because the client has a cache entry for the associated | client has a cache entry for the associated representation, and | |||
representation, and | ||||
o That cache entry includes a Date value, which gives the time when | o That cache entry includes a Date value, which gives the time when | |||
the origin server sent the original response, and | the origin server sent the original response, and | |||
o The presented Last-Modified time is at least 60 seconds before the | o The presented Last-Modified time is at least 60 seconds before the | |||
Date value. | Date value. | |||
or | or | |||
o The validator is being compared by an intermediate cache to the | o The validator is being compared by an intermediate cache to the | |||
skipping to change at line 6658 ¶ | skipping to change at page 153, line 42 ¶ | |||
This method relies on the fact that if two different responses were | This method relies on the fact that if two different responses were | |||
sent by the origin server during the same second, but both had the | sent by the origin server during the same second, but both had the | |||
same Last-Modified time, then at least one of those responses would | same Last-Modified time, then at least one of those responses would | |||
have a Date value equal to its Last-Modified time. The arbitrary | have a Date value equal to its Last-Modified time. The arbitrary | |||
60-second limit guards against the possibility that the Date and | 60-second limit guards against the possibility that the Date and | |||
Last-Modified values are generated from different clocks or at | Last-Modified values are generated from different clocks or at | |||
somewhat different times during the preparation of the response. An | somewhat different times during the preparation of the response. An | |||
implementation MAY use a value larger than 60 seconds, if it is | implementation MAY use a value larger than 60 seconds, if it is | |||
believed that 60 seconds is too short. | believed that 60 seconds is too short. | |||
2.3. ETag | 10.2.3. ETag | |||
The "ETag" header field in a response provides the current entity-tag | The "ETag" field in a response provides the current entity-tag for | |||
for the selected representation, as determined at the conclusion of | the selected representation, as determined at the conclusion of | |||
handling the request. An entity-tag is an opaque validator for | handling the request. An entity-tag is an opaque validator for | |||
differentiating between multiple representations of the same | differentiating between multiple representations of the same | |||
resource, regardless of whether those multiple representations are | resource, regardless of whether those multiple representations are | |||
due to resource state changes over time, content negotiation | due to resource state changes over time, content negotiation | |||
resulting in multiple representations being valid at the same time, | resulting in multiple representations being valid at the same time, | |||
or both. An entity-tag consists of an opaque quoted string, possibly | or both. An entity-tag consists of an opaque quoted string, possibly | |||
prefixed by a weakness indicator. | prefixed by a weakness indicator. | |||
ETag = entity-tag | ETag = entity-tag | |||
entity-tag = [ weak ] opaque-tag | entity-tag = [ weak ] opaque-tag | |||
weak = %x57.2F ; "W/", case-sensitive | weak = %s"W/" | |||
opaque-tag = DQUOTE *etagc DQUOTE | opaque-tag = DQUOTE *etagc DQUOTE | |||
etagc = %x21 / %x23-7E / obs-text | etagc = %x21 / %x23-7E / obs-text | |||
; VCHAR except double quotes, plus obs-text | ; VCHAR except double quotes, plus obs-text | |||
Note: Previously, opaque-tag was defined to be a quoted-string | Note: Previously, opaque-tag was defined to be a quoted-string | |||
([RFC2616], Section 3.11); thus, some recipients might perform | ([RFC2616], Section 3.11); thus, some recipients might perform | |||
backslash unescaping. Servers therefore ought to avoid backslash | backslash unescaping. Servers therefore ought to avoid backslash | |||
characters in entity tags. | characters in entity tags. | |||
An entity-tag can be more reliable for validation than a modification | An entity-tag can be more reliable for validation than a modification | |||
skipping to change at line 6698 ¶ | skipping to change at page 154, line 33 ¶ | |||
Examples: | Examples: | |||
ETag: "xyzzy" | ETag: "xyzzy" | |||
ETag: W/"xyzzy" | ETag: W/"xyzzy" | |||
ETag: "" | ETag: "" | |||
An entity-tag can be either a weak or strong validator, with strong | An entity-tag can be either a weak or strong validator, with strong | |||
being the default. If an origin server provides an entity-tag for a | being the default. If an origin server provides an entity-tag for a | |||
representation and the generation of that entity-tag does not satisfy | representation and the generation of that entity-tag does not satisfy | |||
all of the characteristics of a strong validator (Section 2.1), then | all of the characteristics of a strong validator (Section 10.2.1), | |||
the origin server MUST mark the entity-tag as weak by prefixing its | then the origin server MUST mark the entity-tag as weak by prefixing | |||
opaque value with "W/" (case-sensitive). | its opaque value with "W/" (case-sensitive). | |||
2.3.1. Generation | A sender MAY send the Etag field in a trailer section (see | |||
Section 4.6). However, since trailers are often ignored, it is | ||||
preferable to send Etag as a header field unless the entity-tag is | ||||
generated while sending the message body. | ||||
10.2.3.1. Generation | ||||
The principle behind entity-tags is that only the service author | The principle behind entity-tags is that only the service author | |||
knows the implementation of a resource well enough to select the most | knows the implementation of a resource well enough to select the most | |||
accurate and efficient validation mechanism for that resource, and | accurate and efficient validation mechanism for that resource, and | |||
that any such mechanism can be mapped to a simple sequence of octets | that any such mechanism can be mapped to a simple sequence of octets | |||
for easy comparison. Since the value is opaque, there is no need for | for easy comparison. Since the value is opaque, there is no need for | |||
the client to be aware of how each entity-tag is constructed. | the client to be aware of how each entity-tag is constructed. | |||
For example, a resource that has implementation-specific versioning | For example, a resource that has implementation-specific versioning | |||
applied to all changes might use an internal revision number, perhaps | applied to all changes might use an internal revision number, perhaps | |||
combined with a variance identifier for content negotiation, to | combined with a variance identifier for content negotiation, to | |||
accurately differentiate between representations. Other | accurately differentiate between representations. Other | |||
implementations might use a collision-resistant hash of | implementations might use a collision-resistant hash of | |||
representation content, a combination of various file attributes, or | representation content, a combination of various file attributes, or | |||
a modification timestamp that has sub-second resolution. | a modification timestamp that has sub-second resolution. | |||
An origin server SHOULD send an ETag for any selected representation | An origin server SHOULD send an ETag for any selected representation | |||
for which detection of changes can be reasonably and consistently | for which detection of changes can be reasonably and consistently | |||
determined, since the entity-tag's use in conditional requests and | determined, since the entity-tag's use in conditional requests and | |||
evaluating cache freshness ([RFC7234]) can result in a substantial | evaluating cache freshness ([Caching]) can result in a substantial | |||
reduction of HTTP network traffic and can be a significant factor in | reduction of HTTP network traffic and can be a significant factor in | |||
improving service scalability and reliability. | improving service scalability and reliability. | |||
2.3.2. Comparison | 10.2.3.2. Comparison | |||
There are two entity-tag comparison functions, depending on whether | There are two entity-tag comparison functions, depending on whether | |||
or not the comparison context allows the use of weak validators: | or not the comparison context allows the use of weak validators: | |||
o Strong comparison: two entity-tags are equivalent if both are not | o Strong comparison: two entity-tags are equivalent if both are not | |||
weak and their opaque-tags match character-by-character. | weak and their opaque-tags match character-by-character. | |||
o Weak comparison: two entity-tags are equivalent if their | o Weak comparison: two entity-tags are equivalent if their opaque- | |||
opaque-tags match character-by-character, regardless of either or | tags match character-by-character, regardless of either or both | |||
both being tagged as "weak". | being tagged as "weak". | |||
The example below shows the results for a set of entity-tag pairs and | The example below shows the results for a set of entity-tag pairs and | |||
both the weak and strong comparison function results: | both the weak and strong comparison function results: | |||
+--------+--------+-------------------+-----------------+ | +--------+--------+-------------------+-----------------+ | |||
| ETag 1 | ETag 2 | Strong Comparison | Weak Comparison | | | ETag 1 | ETag 2 | Strong Comparison | Weak Comparison | | |||
+--------+--------+-------------------+-----------------+ | +--------+--------+-------------------+-----------------+ | |||
| W/"1" | W/"1" | no match | match | | | W/"1" | W/"1" | no match | match | | |||
| W/"1" | W/"2" | no match | no match | | | W/"1" | W/"2" | no match | no match | | |||
| W/"1" | "1" | no match | match | | | W/"1" | "1" | no match | match | | |||
| "1" | "1" | match | match | | | "1" | "1" | match | match | | |||
+--------+--------+-------------------+-----------------+ | +--------+--------+-------------------+-----------------+ | |||
2.3.3. Example: Entity-Tags Varying on Content-Negotiated Resources | 10.2.3.3. Example: Entity-Tags Varying on Content-Negotiated Resources | |||
Consider a resource that is subject to content negotiation (Section | Consider a resource that is subject to content negotiation | |||
3.4 of [RFC7231]), and where the representations sent in response to | (Section 6.4), and where the representations sent in response to a | |||
a GET request vary based on the Accept-Encoding request header field | GET request vary based on the Accept-Encoding request header field | |||
(Section 5.3.4 of [RFC7231]): | (Section 8.4.4): | |||
>> Request: | >> Request: | |||
GET /index HTTP/1.1 | GET /index HTTP/1.1 | |||
Host: www.example.com | Host: www.example.com | |||
Accept-Encoding: gzip | Accept-Encoding: gzip | |||
In this case, the response might or might not use the gzip content | In this case, the response might or might not use the gzip content | |||
coding. If it does not, the response might look like: | coding. If it does not, the response might look like: | |||
skipping to change at line 6800 ¶ | skipping to change at page 156, line 46 ¶ | |||
Vary: Accept-Encoding | Vary: Accept-Encoding | |||
Content-Type: text/plain | Content-Type: text/plain | |||
Content-Encoding: gzip | Content-Encoding: gzip | |||
...binary data... | ...binary data... | |||
Note: Content codings are a property of the representation data, | Note: Content codings are a property of the representation data, | |||
so a strong entity-tag for a content-encoded representation has to | so a strong entity-tag for a content-encoded representation has to | |||
be distinct from the entity tag of an unencoded representation to | be distinct from the entity tag of an unencoded representation to | |||
prevent potential conflicts during cache updates and range | prevent potential conflicts during cache updates and range | |||
requests. In contrast, transfer codings (Section 4 of [RFC7230]) | requests. In contrast, transfer codings (Section 7 of | |||
apply only during message transfer and do not result in distinct | [Messaging]) apply only during message transfer and do not result | |||
entity-tags. | in distinct entity-tags. | |||
2.4. When to Use Entity-Tags and Last-Modified Dates | 10.2.4. When to Use Entity-Tags and Last-Modified Dates | |||
In 200 (OK) responses to GET or HEAD, an origin server: | In 200 (OK) responses to GET or HEAD, an origin server: | |||
o SHOULD send an entity-tag validator unless it is not feasible to | o SHOULD send an entity-tag validator unless it is not feasible to | |||
generate one. | generate one. | |||
o MAY send a weak entity-tag instead of a strong entity-tag, if | o MAY send a weak entity-tag instead of a strong entity-tag, if | |||
performance considerations support the use of weak entity-tags, or | performance considerations support the use of weak entity-tags, or | |||
if it is unfeasible to send a strong entity-tag. | if it is unfeasible to send a strong entity-tag. | |||
skipping to change at line 6828 ¶ | skipping to change at page 157, line 29 ¶ | |||
send both a strong entity-tag and a Last-Modified value in successful | send both a strong entity-tag and a Last-Modified value in successful | |||
responses to a retrieval request. | responses to a retrieval request. | |||
A client: | A client: | |||
o MUST send that entity-tag in any cache validation request (using | o MUST send that entity-tag in any cache validation request (using | |||
If-Match or If-None-Match) if an entity-tag has been provided by | If-Match or If-None-Match) if an entity-tag has been provided by | |||
the origin server. | the origin server. | |||
o SHOULD send the Last-Modified value in non-subrange cache | o SHOULD send the Last-Modified value in non-subrange cache | |||
validation requests (using If-Modified-Since) if only a | validation requests (using If-Modified-Since) if only a Last- | |||
Last-Modified value has been provided by the origin server. | Modified value has been provided by the origin server. | |||
o MAY send the Last-Modified value in subrange cache validation | o MAY send the Last-Modified value in subrange cache validation | |||
requests (using If-Unmodified-Since) if only a Last-Modified value | requests (using If-Unmodified-Since) if only a Last-Modified value | |||
has been provided by an HTTP/1.0 origin server. The user agent | has been provided by an HTTP/1.0 origin server. The user agent | |||
SHOULD provide a way to disable this, in case of difficulty. | SHOULD provide a way to disable this, in case of difficulty. | |||
o SHOULD send both validators in cache validation requests if both | o SHOULD send both validators in cache validation requests if both | |||
an entity-tag and a Last-Modified value have been provided by the | an entity-tag and a Last-Modified value have been provided by the | |||
origin server. This allows both HTTP/1.0 and HTTP/1.1 caches to | origin server. This allows both HTTP/1.0 and HTTP/1.1 caches to | |||
respond appropriately. | respond appropriately. | |||
7.3. Authentication Challenges | 10.3. Authentication Challenges | |||
Authentication challenges indicate what mechanisms are available for | Authentication challenges indicate what mechanisms are available for | |||
the client to provide authentication credentials in future requests. | the client to provide authentication credentials in future requests. | |||
+--------------------+--------------------------+ | +--------------------+----------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+--------------------+--------------------------+ | +--------------------+----------------+ | |||
| WWW-Authenticate | Section 4.1 of [RFC7235] | | | WWW-Authenticate | Section 10.3.1 | | |||
| Proxy-Authenticate | Section 4.3 of [RFC7235] | | | Proxy-Authenticate | Section 10.3.2 | | |||
+--------------------+--------------------------+ | +--------------------+----------------+ | |||
Furthermore, the "Authentication-Info" and "Proxy-Authentication- | ||||
This specification defines the "Authentication-Info" and "Proxy- | Info" response header fields are defined for use in authentication | |||
Authentication-Info" response header fields for use in HTTP | schemes that need to return information once the client's | |||
authentication schemes ([RFC7235]) that need to return information | authentication credentials have been accepted. | |||
once the client's authentication credentials have been accepted. | ||||
This section defines the syntax and semantics of header fields | +---------------------------+----------------+ | |||
related to the HTTP authentication framework. | | Field Name | Defined in... | | |||
+---------------------------+----------------+ | ||||
| Authentication-Info | Section 10.3.3 | | ||||
| Proxy-Authentication-Info | Section 10.3.4 | | ||||
+---------------------------+----------------+ | ||||
4.1. WWW-Authenticate | 10.3.1. WWW-Authenticate | |||
The "WWW-Authenticate" header field indicates the authentication | The "WWW-Authenticate" header field indicates the authentication | |||
scheme(s) and parameters applicable to the target resource. | scheme(s) and parameters applicable to the target resource. | |||
WWW-Authenticate = 1#challenge | WWW-Authenticate = 1#challenge | |||
A server generating a 401 (Unauthorized) response MUST send a | A server generating a 401 (Unauthorized) response MUST send a WWW- | |||
WWW-Authenticate header field containing at least one challenge. A | Authenticate header field containing at least one challenge. A | |||
server MAY generate a WWW-Authenticate header field in other response | server MAY generate a WWW-Authenticate header field in other response | |||
messages to indicate that supplying credentials (or different | messages to indicate that supplying credentials (or different | |||
credentials) might affect the response. | credentials) might affect the response. | |||
A proxy forwarding a response MUST NOT modify any WWW-Authenticate | A proxy forwarding a response MUST NOT modify any WWW-Authenticate | |||
fields in that response. | fields in that response. | |||
User agents are advised to take special care in parsing the field | User agents are advised to take special care in parsing the field | |||
value, as it might contain more than one challenge, and each | value, as it might contain more than one challenge, and each | |||
challenge can contain a comma-separated list of authentication | challenge can contain a comma-separated list of authentication | |||
skipping to change at line 6900 ¶ | skipping to change at page 159, line 7 ¶ | |||
"type" and "title", and another one for the "Basic" scheme with a | "type" and "title", and another one for the "Basic" scheme with a | |||
realm value of "simple". | realm value of "simple". | |||
Note: The challenge grammar production uses the list syntax as | Note: The challenge grammar production uses the list syntax as | |||
well. Therefore, a sequence of comma, whitespace, and comma can | well. Therefore, a sequence of comma, whitespace, and comma can | |||
be considered either as applying to the preceding challenge, or to | be considered either as applying to the preceding challenge, or to | |||
be an empty entry in the list of challenges. In practice, this | be an empty entry in the list of challenges. In practice, this | |||
ambiguity does not affect the semantics of the header field value | ambiguity does not affect the semantics of the header field value | |||
and thus is harmless. | and thus is harmless. | |||
4.3. Proxy-Authenticate | 10.3.2. Proxy-Authenticate | |||
The "Proxy-Authenticate" header field consists of at least one | The "Proxy-Authenticate" header field consists of at least one | |||
challenge that indicates the authentication scheme(s) and parameters | challenge that indicates the authentication scheme(s) and parameters | |||
applicable to the proxy for this effective request URI (Section 5.5 | applicable to the proxy for this effective request URI (Section 5.5). | |||
of [RFC7230]). A proxy MUST send at least one Proxy-Authenticate | A proxy MUST send at least one Proxy-Authenticate header field in | |||
header field in each 407 (Proxy Authentication Required) response | each 407 (Proxy Authentication Required) response that it generates. | |||
that it generates. | ||||
Proxy-Authenticate = 1#challenge | Proxy-Authenticate = 1#challenge | |||
Unlike WWW-Authenticate, the Proxy-Authenticate header field applies | Unlike WWW-Authenticate, the Proxy-Authenticate header field applies | |||
only to the next outbound client on the response chain. This is | only to the next outbound client on the response chain. This is | |||
because only the client that chose a given proxy is likely to have | because only the client that chose a given proxy is likely to have | |||
the credentials necessary for authentication. However, when multiple | the credentials necessary for authentication. However, when multiple | |||
proxies are used within the same administrative domain, such as | proxies are used within the same administrative domain, such as | |||
office and regional caching proxies within a large corporate network, | office and regional caching proxies within a large corporate network, | |||
it is common for credentials to be generated by the user agent and | it is common for credentials to be generated by the user agent and | |||
passed through the hierarchy until consumed. Hence, in such a | passed through the hierarchy until consumed. Hence, in such a | |||
configuration, it will appear as if Proxy-Authenticate is being | configuration, it will appear as if Proxy-Authenticate is being | |||
forwarded because each proxy will send the same challenge set. | forwarded because each proxy will send the same challenge set. | |||
Note that the parsing considerations for WWW-Authenticate apply to | Note that the parsing considerations for WWW-Authenticate apply to | |||
this header field as well; see Section 4.1 for details. | this header field as well; see Section 10.3.1 for details. | |||
3. The Authentication-Info Response Header Field | 10.3.3. Authentication-Info | |||
HTTP authentication schemes can use the Authentication-Info response | HTTP authentication schemes can use the Authentication-Info response | |||
header field to communicate information after the client's | header field to communicate information after the client's | |||
authentication credentials have been accepted. This information can | authentication credentials have been accepted. This information can | |||
include a finalization message from the server (e.g., it can contain | include a finalization message from the server (e.g., it can contain | |||
the server authentication). | the server authentication). | |||
The field value is a list of parameters (name/value pairs), using the | The field value is a list of parameters (name/value pairs), using the | |||
"auth-param" syntax defined in Section 2.1 of [RFC7235]. This | "auth-param" syntax defined in Section 8.5.1. This specification | |||
specification only describes the generic format; authentication | only describes the generic format; authentication schemes using | |||
schemes using Authentication-Info will define the individual | Authentication-Info will define the individual parameters. The | |||
parameters. The "Digest" Authentication Scheme, for instance, | "Digest" Authentication Scheme, for instance, defines multiple | |||
defines multiple parameters in Section 3.5 of [RFC7616]. | parameters in Section 3.5 of [RFC7616]. | |||
Authentication-Info = #auth-param | Authentication-Info = #auth-param | |||
The Authentication-Info header field can be used in any HTTP | The Authentication-Info header field can be used in any HTTP | |||
response, independently of request method and status code. Its | response, independently of request method and status code. Its | |||
semantics are defined by the authentication scheme indicated by the | semantics are defined by the authentication scheme indicated by the | |||
Authorization header field ([RFC7235], Section 4.2) of the | Authorization header field (Section 8.5.3) of the corresponding | |||
corresponding request. | request. | |||
A proxy forwarding a response is not allowed to modify the field | A proxy forwarding a response is not allowed to modify the field | |||
value in any way. | value in any way. | |||
Authentication-Info can be used inside trailers ([RFC7230], | Authentication-Info can be used inside trailers (Section 7.1.2 of | |||
Section 4.1.2) when the authentication scheme explicitly allows this. | [Messaging]) when the authentication scheme explicitly allows this. | |||
3.1. Parameter Value Format | 10.3.3.1. Parameter Value Format | |||
Parameter values can be expressed either as "token" or as "quoted- | Parameter values can be expressed either as "token" or as "quoted- | |||
string" (Section 3.2.6 of [RFC7230]). | string" (Section 4.4.1). | |||
Authentication scheme definitions need to allow both notations, both | Authentication scheme definitions need to allow both notations, both | |||
for senders and recipients. This allows recipients to use generic | for senders and recipients. This allows recipients to use generic | |||
parsing components, independent of the authentication scheme in use. | parsing components, independent of the authentication scheme in use. | |||
For backwards compatibility, authentication scheme definitions can | For backwards compatibility, authentication scheme definitions can | |||
restrict the format for senders to one of the two variants. This can | restrict the format for senders to one of the two variants. This can | |||
be important when it is known that deployed implementations will fail | be important when it is known that deployed implementations will fail | |||
when encountering one of the two formats. | when encountering one of the two formats. | |||
4. The Proxy-Authentication-Info Response Header Field | 10.3.4. Proxy-Authentication-Info | |||
The Proxy-Authentication-Info response header field is equivalent to | The Proxy-Authentication-Info response header field is equivalent to | |||
Authentication-Info, except that it applies to proxy authentication | Authentication-Info, except that it applies to proxy authentication | |||
([RFC7235], Section 2) and its semantics are defined by the | (Section 8.5.1) and its semantics are defined by the authentication | |||
authentication scheme indicated by the Proxy-Authorization header | scheme indicated by the Proxy-Authorization header field | |||
field ([RFC7235], Section 4.4) of the corresponding request: | (Section 8.5.4) of the corresponding request: | |||
Proxy-Authentication-Info = #auth-param | Proxy-Authentication-Info = #auth-param | |||
However, unlike Authentication-Info, the Proxy-Authentication-Info | However, unlike Authentication-Info, the Proxy-Authentication-Info | |||
header field applies only to the next outbound client on the response | header field applies only to the next outbound client on the response | |||
chain. This is because only the client that chose a given proxy is | chain. This is because only the client that chose a given proxy is | |||
likely to have the credentials necessary for authentication. | likely to have the credentials necessary for authentication. | |||
However, when multiple proxies are used within the same | However, when multiple proxies are used within the same | |||
administrative domain, such as office and regional caching proxies | administrative domain, such as office and regional caching proxies | |||
within a large corporate network, it is common for credentials to be | within a large corporate network, it is common for credentials to be | |||
generated by the user agent and passed through the hierarchy until | generated by the user agent and passed through the hierarchy until | |||
consumed. Hence, in such a configuration, it will appear as if | consumed. Hence, in such a configuration, it will appear as if | |||
Proxy-Authentication-Info is being forwarded because each proxy will | Proxy-Authentication-Info is being forwarded because each proxy will | |||
send the same field value. | send the same field value. | |||
10.4. Response Context | 10.4. Response Context | |||
The remaining response header fields provide more information about | The remaining response header fields provide more information about | |||
the target resource for potential use in later requests. | the target resource for potential use in later requests. | |||
+-------------------+--------------------------+ | +---------------+----------------+ | |||
| Header Field Name | Defined in... | | | Field Name | Defined in... | | |||
+-------------------+--------------------------+ | +---------------+----------------+ | |||
| Accept-Ranges | Section 2.3 of [RFC7233] | | | Accept-Ranges | Section 10.4.1 | | |||
| Allow | Section 7.4.1 | | | Allow | Section 10.4.2 | | |||
| Server | Section 7.4.2 | | | Server | Section 10.4.3 | | |||
+-------------------+--------------------------+ | +---------------+----------------+ | |||
2.3. Accept-Ranges | 10.4.1. Accept-Ranges | |||
The "Accept-Ranges" header field allows a server to indicate that it | The "Accept-Ranges" header field allows a server to indicate that it | |||
supports range requests for the target resource. | supports range requests for the target resource. | |||
Accept-Ranges = acceptable-ranges | Accept-Ranges = acceptable-ranges | |||
acceptable-ranges = 1#range-unit / "none" | acceptable-ranges = 1#range-unit / "none" | |||
An origin server that supports byte-range requests for a given target | An origin server that supports byte-range requests for a given target | |||
resource MAY send | resource MAY send | |||
Accept-Ranges: bytes | Accept-Ranges: bytes | |||
to indicate what range units are supported. A client MAY generate | to indicate what range units are supported. A client MAY generate | |||
range requests without having received this header field for the | range requests without having received this header field for the | |||
resource involved. Range units are defined in Section 2. | resource involved. Range units are defined in Section 6.1.4. | |||
A server that does not support any kind of range request for the | A server that does not support any kind of range request for the | |||
target resource MAY send | target resource MAY send | |||
Accept-Ranges: none | Accept-Ranges: none | |||
to advise the client not to attempt a range request. | to advise the client not to attempt a range request. | |||
7.4.1. Allow | 10.4.2. Allow | |||
The "Allow" header field lists the set of methods advertised as | The "Allow" header field lists the set of methods advertised as | |||
supported by the target resource. The purpose of this field is | supported by the target resource. The purpose of this field is | |||
strictly to inform the recipient of valid request methods associated | strictly to inform the recipient of valid request methods associated | |||
with the resource. | with the resource. | |||
Allow = #method | Allow = #method | |||
Example of use: | Example of use: | |||
skipping to change at line 7051 ¶ | skipping to change at page 162, line 18 ¶ | |||
the time of each request. An origin server MUST generate an Allow | the time of each request. An origin server MUST generate an Allow | |||
field in a 405 (Method Not Allowed) response and MAY do so in any | field in a 405 (Method Not Allowed) response and MAY do so in any | |||
other response. An empty Allow field value indicates that the | other response. An empty Allow field value indicates that the | |||
resource allows no methods, which might occur in a 405 response if | resource allows no methods, which might occur in a 405 response if | |||
the resource has been temporarily disabled by configuration. | the resource has been temporarily disabled by configuration. | |||
A proxy MUST NOT modify the Allow header field -- it does not need to | A proxy MUST NOT modify the Allow header field -- it does not need to | |||
understand all of the indicated methods in order to handle them | understand all of the indicated methods in order to handle them | |||
according to the generic message handling rules. | according to the generic message handling rules. | |||
7.4.2. Server | 10.4.3. Server | |||
The "Server" header field contains information about the software | The "Server" header field contains information about the software | |||
used by the origin server to handle the request, which is often used | used by the origin server to handle the request, which is often used | |||
by clients to help identify the scope of reported interoperability | by clients to help identify the scope of reported interoperability | |||
problems, to work around or tailor requests to avoid particular | problems, to work around or tailor requests to avoid particular | |||
server limitations, and for analytics regarding server or operating | server limitations, and for analytics regarding server or operating | |||
system use. An origin server MAY generate a Server field in its | system use. An origin server MAY generate a Server field in its | |||
responses. | responses. | |||
Server = product *( RWS ( product / comment ) ) | Server = product *( RWS ( product / comment ) ) | |||
The Server field-value consists of one or more product identifiers, | The Server field value consists of one or more product identifiers, | |||
each followed by zero or more comments (Section 3.2 of [RFC7230]), | each followed by zero or more comments (Section 4.4.1.3), which | |||
which together identify the origin server software and its | together identify the origin server software and its significant | |||
significant subproducts. By convention, the product identifiers are | subproducts. By convention, the product identifiers are listed in | |||
listed in decreasing order of their significance for identifying the | decreasing order of their significance for identifying the origin | |||
origin server software. Each product identifier consists of a name | server software. Each product identifier consists of a name and | |||
and optional version, as defined in Section 5.5.3. | optional version, as defined in Section 8.6.3. | |||
Example: | Example: | |||
Server: CERN/3.0 libwww/2.17 | Server: CERN/3.0 libwww/2.17 | |||
An origin server SHOULD NOT generate a Server field containing | An origin server SHOULD NOT generate a Server field containing | |||
needlessly fine-grained detail and SHOULD limit the addition of | needlessly fine-grained detail and SHOULD limit the addition of | |||
subproducts by third parties. Overly long and detailed Server field | subproducts by third parties. Overly long and detailed Server field | |||
values increase response latency and potentially reveal internal | values increase response latency and potentially reveal internal | |||
implementation details that might make it (slightly) easier for | implementation details that might make it (slightly) easier for | |||
attackers to find and exploit known security holes. | attackers to find and exploit known security holes. | |||
9. Security Considerations | 11. Security Considerations | |||
This section is meant to inform developers, information providers, | This section is meant to inform developers, information providers, | |||
and users of known security concerns relevant to HTTP semantics and | and users of known security concerns relevant to HTTP semantics and | |||
its use for transferring information over the Internet. | its use for transferring information over the Internet. | |||
Considerations related to message syntax, parsing, and routing are | Considerations related to message syntax, parsing, and routing are | |||
discussed in Section 9 of [RFC7230]. | discussed in Section 11 of [Messaging]. | |||
The list of considerations below is not exhaustive. Most security | The list of considerations below is not exhaustive. Most security | |||
concerns related to HTTP semantics are about securing server-side | concerns related to HTTP semantics are about securing server-side | |||
applications (code behind the HTTP interface), securing user agent | applications (code behind the HTTP interface), securing user agent | |||
processing of payloads received via HTTP, or secure use of the | processing of payloads received via HTTP, or secure use of the | |||
Internet in general, rather than security of the protocol. Various | Internet in general, rather than security of the protocol. Various | |||
organizations maintain topical information and links to current | organizations maintain topical information and links to current | |||
research on Web application security (e.g., [OWASP]). | research on Web application security (e.g., [OWASP]). | |||
9.1. Establishing Authority | 11.1. Establishing Authority | |||
HTTP relies on the notion of an authoritative response: a response | HTTP relies on the notion of an authoritative response: a response | |||
that has been determined by (or at the direction of) the authority | that has been determined by (or at the direction of) the origin | |||
identified within the target URI to be the most appropriate response | server identified within the target URI to be the most appropriate | |||
for that request given the state of the target resource at the time | response for that request given the state of the target resource at | |||
of response message origination. | the time of response message origination. | |||
When a registered name is used in the authority component, the "http" | When a registered name is used in the authority component, the "http" | |||
URI scheme (Section 2.7.1) relies on the user's local name resolution | URI scheme (Section 2.5.1) relies on the user's local name resolution | |||
service to determine where it can find authoritative responses. This | service to determine where it can find authoritative responses. This | |||
means that any attack on a user's network host table, cached names, | means that any attack on a user's network host table, cached names, | |||
or name resolution libraries becomes an avenue for attack on | or name resolution libraries becomes an avenue for attack on | |||
establishing authority. Likewise, the user's choice of server for | establishing authority for "http" URIs. Likewise, the user's choice | |||
Domain Name Service (DNS), and the hierarchy of servers from which it | of server for Domain Name Service (DNS), and the hierarchy of servers | |||
obtains resolution results, could impact the authenticity of address | from which it obtains resolution results, could impact the | |||
mappings; DNS Security Extensions (DNSSEC, [RFC4033]) are one way to | authenticity of address mappings; DNS Security Extensions (DNSSEC, | |||
improve authenticity. | [RFC4033]) are one way to improve authenticity. | |||
Furthermore, after an IP address is obtained, establishing authority | Furthermore, after an IP address is obtained, establishing authority | |||
for an "http" URI is vulnerable to attacks on Internet Protocol | for an "http" URI is vulnerable to attacks on Internet Protocol | |||
routing. | routing. | |||
The "https" scheme (Section 2.7.2) is intended to prevent (or at | The "https" scheme (Section 2.5.2) is intended to prevent (or at | |||
least reveal) many of these potential attacks on establishing | least reveal) many of these potential attacks on establishing | |||
authority, provided that the negotiated TLS connection is secured and | authority, provided that the negotiated TLS connection is secured and | |||
the client properly verifies that the communicating server's identity | the client properly verifies that the communicating server's identity | |||
matches the target URI's authority component (see [RFC2818]). | matches the target URI's authority component (Section 5.4.3.1). | |||
Correctly implementing such verification can be difficult (see | Correctly implementing such verification can be difficult (see | |||
[Georgiev]). | [Georgiev]). | |||
Authority for a given origin server can be delegated through protocol | ||||
extensions; for example, [RFC7838]. Likewise, the set of servers | ||||
that a connection is considered authoritative for can be changed with | ||||
a protocol extension like [RFC8336]. | ||||
Providing a response from a non-authoritative source, such as a | Providing a response from a non-authoritative source, such as a | |||
shared cache, is often useful to improve performance and | shared proxy cache, is often useful to improve performance and | |||
availability, but only to the extent that the source can be trusted | availability, but only to the extent that the source can be trusted | |||
or the distrusted response can be safely used. | or the distrusted response can be safely used. | |||
Unfortunately, establishing authority can be difficult. For example, | Unfortunately, communicating authority to users can be difficult. | |||
phishing is an attack on the user's perception of authority, where | For example, phishing is an attack on the user's perception of | |||
that perception can be misled by presenting similar branding in | authority, where that perception can be misled by presenting similar | |||
hypertext, possibly aided by userinfo obfuscating the authority | branding in hypertext, possibly aided by userinfo obfuscating the | |||
component (see Section 2.7.1). User agents can reduce the impact of | authority component (see Section 2.5.1). User agents can reduce the | |||
phishing attacks by enabling users to easily inspect a target URI | impact of phishing attacks by enabling users to easily inspect a | |||
prior to making an action, by prominently distinguishing (or | target URI prior to making an action, by prominently distinguishing | |||
rejecting) userinfo when present, and by not sending stored | (or rejecting) userinfo when present, and by not sending stored | |||
credentials and cookies when the referring document is from an | credentials and cookies when the referring document is from an | |||
unknown or untrusted source. | unknown or untrusted source. | |||
9.2. Risks of Intermediaries | 11.2. Risks of Intermediaries | |||
By their very nature, HTTP intermediaries are men-in-the-middle and, | By their very nature, HTTP intermediaries are men-in-the-middle and, | |||
thus, represent an opportunity for man-in-the-middle attacks. | thus, represent an opportunity for man-in-the-middle attacks. | |||
Compromise of the systems on which the intermediaries run can result | Compromise of the systems on which the intermediaries run can result | |||
in serious security and privacy problems. Intermediaries might have | in serious security and privacy problems. Intermediaries might have | |||
access to security-related information, personal information about | access to security-related information, personal information about | |||
individual users and organizations, and proprietary information | individual users and organizations, and proprietary information | |||
belonging to users and content providers. A compromised | belonging to users and content providers. A compromised | |||
intermediary, or an intermediary implemented or configured without | intermediary, or an intermediary implemented or configured without | |||
regard to security and privacy considerations, might be used in the | regard to security and privacy considerations, might be used in the | |||
commission of a wide range of potential attacks. | commission of a wide range of potential attacks. | |||
Intermediaries that contain a shared cache are especially vulnerable | Intermediaries that contain a shared cache are especially vulnerable | |||
to cache poisoning attacks, as described in Section 8 of [RFC7234]. | to cache poisoning attacks, as described in Section 7 of [Caching]. | |||
Implementers need to consider the privacy and security implications | Implementers need to consider the privacy and security implications | |||
of their design and coding decisions, and of the configuration | of their design and coding decisions, and of the configuration | |||
options they provide to operators (especially the default | options they provide to operators (especially the default | |||
configuration). | configuration). | |||
Users need to be aware that intermediaries are no more trustworthy | Users need to be aware that intermediaries are no more trustworthy | |||
than the people who run them; HTTP itself cannot solve this problem. | than the people who run them; HTTP itself cannot solve this problem. | |||
9.1. Attacks Based on File and Path Names | 11.3. Attacks Based on File and Path Names | |||
Origin servers frequently make use of their local file system to | Origin servers frequently make use of their local file system to | |||
manage the mapping from effective request URI to resource | manage the mapping from effective request URI to resource | |||
representations. Most file systems are not designed to protect | representations. Most file systems are not designed to protect | |||
against malicious file or path names. Therefore, an origin server | against malicious file or path names. Therefore, an origin server | |||
needs to avoid accessing names that have a special significance to | needs to avoid accessing names that have a special significance to | |||
the system when mapping the request target to files, folders, or | the system when mapping the request target to files, folders, or | |||
directories. | directories. | |||
For example, UNIX, Microsoft Windows, and other operating systems use | For example, UNIX, Microsoft Windows, and other operating systems use | |||
skipping to change at line 7194 ¶ | skipping to change at page 165, line 30 ¶ | |||
systems have an annoying tendency to prefer user-friendliness over | systems have an annoying tendency to prefer user-friendliness over | |||
security when handling invalid or unexpected characters, | security when handling invalid or unexpected characters, | |||
recomposition of decomposed characters, and case-normalization of | recomposition of decomposed characters, and case-normalization of | |||
case-insensitive names. | case-insensitive names. | |||
Attacks based on such special names tend to focus on either denial- | Attacks based on such special names tend to focus on either denial- | |||
of-service (e.g., telling the server to read from a COM port) or | of-service (e.g., telling the server to read from a COM port) or | |||
disclosure of configuration and source files that are not meant to be | disclosure of configuration and source files that are not meant to be | |||
served. | served. | |||
9.2. Attacks Based on Command, Code, or Query Injection | 11.4. Attacks Based on Command, Code, or Query Injection | |||
Origin servers often use parameters within the URI as a means of | Origin servers often use parameters within the URI as a means of | |||
identifying system services, selecting database entries, or choosing | identifying system services, selecting database entries, or choosing | |||
a data source. However, data received in a request cannot be | a data source. However, data received in a request cannot be | |||
trusted. An attacker could construct any of the request data | trusted. An attacker could construct any of the request data | |||
elements (method, request-target, header fields, or body) to contain | elements (method, request-target, header fields, or body) to contain | |||
data that might be misinterpreted as a command, code, or query when | data that might be misinterpreted as a command, code, or query when | |||
passed through a command invocation, language interpreter, or | passed through a command invocation, language interpreter, or | |||
database interface. | database interface. | |||
skipping to change at line 7225 ¶ | skipping to change at page 166, line 12 ¶ | |||
Parameters ought to be compared to fixed strings and acted upon as a | Parameters ought to be compared to fixed strings and acted upon as a | |||
result of that comparison, rather than passed through an interface | result of that comparison, rather than passed through an interface | |||
that is not prepared for untrusted data. Received data that isn't | that is not prepared for untrusted data. Received data that isn't | |||
based on fixed parameters ought to be carefully filtered or encoded | based on fixed parameters ought to be carefully filtered or encoded | |||
to avoid being misinterpreted. | to avoid being misinterpreted. | |||
Similar considerations apply to request data when it is stored and | Similar considerations apply to request data when it is stored and | |||
later processed, such as within log files, monitoring tools, or when | later processed, such as within log files, monitoring tools, or when | |||
included within a data format that allows embedded scripts. | included within a data format that allows embedded scripts. | |||
9.3. Attacks via Protocol Element Length | 11.5. Attacks via Protocol Element Length | |||
Because HTTP uses mostly textual, character-delimited fields, parsers | Because HTTP uses mostly textual, character-delimited fields, parsers | |||
are often vulnerable to attacks based on sending very long (or very | are often vulnerable to attacks based on sending very long (or very | |||
slow) streams of data, particularly where an implementation is | slow) streams of data, particularly where an implementation is | |||
expecting a protocol element with no predefined length. | expecting a protocol element with no predefined length (Section 3.3). | |||
To promote interoperability, specific recommendations are made for | To promote interoperability, specific recommendations are made for | |||
minimum size limits on request-line (Section 3.1.1) and header fields | minimum size limits on request-line (Section 3 of [Messaging]) and | |||
(Section 3.2). These are minimum recommendations, chosen to be | fields (Section 4). These are minimum recommendations, chosen to be | |||
supportable even by implementations with limited resources; it is | supportable even by implementations with limited resources; it is | |||
expected that most implementations will choose substantially higher | expected that most implementations will choose substantially higher | |||
limits. | limits. | |||
A server can reject a message that has a request-target that is too | A server can reject a message that has a request-target that is too | |||
long (Section 6.5.12 of [RFC7231]) or a request payload that is too | long (Section 9.5.15) or a request payload that is too large | |||
large (Section 6.5.11 of [RFC7231]). Additional status codes related | (Section 9.5.14). Additional status codes related to capacity limits | |||
to capacity limits have been defined by extensions to HTTP [RFC6585]. | have been defined by extensions to HTTP [RFC6585]. | |||
Recipients ought to carefully limit the extent to which they process | Recipients ought to carefully limit the extent to which they process | |||
other protocol elements, including (but not limited to) request | other protocol elements, including (but not limited to) request | |||
methods, response status phrases, header field-names, numeric values, | methods, response status phrases, field names, numeric values, and | |||
and body chunks. Failure to limit such processing can result in | body chunks. Failure to limit such processing can result in buffer | |||
buffer overflows, arithmetic overflows, or increased vulnerability to | overflows, arithmetic overflows, or increased vulnerability to | |||
denial-of-service attacks. | denial-of-service attacks. | |||
9.3. Disclosure of Personal Information | 11.6. Disclosure of Personal Information | |||
Clients are often privy to large amounts of personal information, | Clients are often privy to large amounts of personal information, | |||
including both information provided by the user to interact with | including both information provided by the user to interact with | |||
resources (e.g., the user's name, location, mail address, passwords, | resources (e.g., the user's name, location, mail address, passwords, | |||
encryption keys, etc.) and information about the user's browsing | encryption keys, etc.) and information about the user's browsing | |||
activity over time (e.g., history, bookmarks, etc.). Implementations | activity over time (e.g., history, bookmarks, etc.). Implementations | |||
need to prevent unintentional disclosure of personal information. | need to prevent unintentional disclosure of personal information. | |||
9.8. Privacy of Server Log Information | 11.7. Privacy of Server Log Information | |||
A server is in the position to save personal data about a user's | A server is in the position to save personal data about a user's | |||
requests over time, which might identify their reading patterns or | requests over time, which might identify their reading patterns or | |||
subjects of interest. In particular, log information gathered at an | subjects of interest. In particular, log information gathered at an | |||
intermediary often contains a history of user agent interaction, | intermediary often contains a history of user agent interaction, | |||
across a multitude of sites, that can be traced to individual users. | across a multitude of sites, that can be traced to individual users. | |||
HTTP log information is confidential in nature; its handling is often | HTTP log information is confidential in nature; its handling is often | |||
constrained by laws and regulations. Log information needs to be | constrained by laws and regulations. Log information needs to be | |||
securely stored and appropriate guidelines followed for its analysis. | securely stored and appropriate guidelines followed for its analysis. | |||
Anonymization of personal information within individual entries | Anonymization of personal information within individual entries | |||
helps, but it is generally not sufficient to prevent real log traces | helps, but it is generally not sufficient to prevent real log traces | |||
from being re-identified based on correlation with other access | from being re-identified based on correlation with other access | |||
characteristics. As such, access traces that are keyed to a specific | characteristics. As such, access traces that are keyed to a specific | |||
client are unsafe to publish even if the key is pseudonymous. | client are unsafe to publish even if the key is pseudonymous. | |||
To minimize the risk of theft or accidental publication, log | To minimize the risk of theft or accidental publication, log | |||
information ought to be purged of personally identifiable | information ought to be purged of personally identifiable | |||
information, including user identifiers, IP addresses, and | information, including user identifiers, IP addresses, and user- | |||
user-provided query parameters, as soon as that information is no | provided query parameters, as soon as that information is no longer | |||
longer necessary to support operational needs for security, auditing, | necessary to support operational needs for security, auditing, or | |||
or fraud control. | fraud control. | |||
9.4. Disclosure of Sensitive Information in URIs | 11.8. Disclosure of Sensitive Information in URIs | |||
URIs are intended to be shared, not secured, even when they identify | URIs are intended to be shared, not secured, even when they identify | |||
secure resources. URIs are often shown on displays, added to | secure resources. URIs are often shown on displays, added to | |||
templates when a page is printed, and stored in a variety of | templates when a page is printed, and stored in a variety of | |||
unprotected bookmark lists. It is therefore unwise to include | unprotected bookmark lists. It is therefore unwise to include | |||
information within a URI that is sensitive, personally identifiable, | information within a URI that is sensitive, personally identifiable, | |||
or a risk to disclose. | or a risk to disclose. | |||
Authors of services ought to avoid GET-based forms for the submission | Authors of services ought to avoid GET-based forms for the submission | |||
of sensitive data because that data will be placed in the | of sensitive data because that data will be placed in the request- | |||
request-target. Many existing servers, proxies, and user agents log | target. Many existing servers, proxies, and user agents log or | |||
or display the request-target in places where it might be visible to | display the request-target in places where it might be visible to | |||
third parties. Such services ought to use POST-based form submission | third parties. Such services ought to use POST-based form submission | |||
instead. | instead. | |||
Since the Referer header field tells a target site about the context | Since the Referer header field tells a target site about the context | |||
that resulted in a request, it has the potential to reveal | that resulted in a request, it has the potential to reveal | |||
information about the user's immediate browsing history and any | information about the user's immediate browsing history and any | |||
personal information that might be found in the referring resource's | personal information that might be found in the referring resource's | |||
URI. Limitations on the Referer header field are described in | URI. Limitations on the Referer header field are described in | |||
Section 5.5.2 to address some of its security considerations. | Section 8.6.2 to address some of its security considerations. | |||
9.5. Disclosure of Fragment after Redirects | 11.9. Disclosure of Fragment after Redirects | |||
Although fragment identifiers used within URI references are not sent | Although fragment identifiers used within URI references are not sent | |||
in requests, implementers ought to be aware that they will be visible | in requests, implementers ought to be aware that they will be visible | |||
to the user agent and any extensions or scripts running as a result | to the user agent and any extensions or scripts running as a result | |||
of the response. In particular, when a redirect occurs and the | of the response. In particular, when a redirect occurs and the | |||
original request's fragment identifier is inherited by the new | original request's fragment identifier is inherited by the new | |||
reference in Location (Section 7.1.2), this might have the effect of | reference in Location (Section 10.1.2), this might have the effect of | |||
disclosing one site's fragment to another site. If the first site | disclosing one site's fragment to another site. If the first site | |||
uses personal information in fragments, it ought to ensure that | uses personal information in fragments, it ought to ensure that | |||
redirects to other sites include a (possibly empty) fragment | redirects to other sites include a (possibly empty) fragment | |||
component in order to block that inheritance. | component in order to block that inheritance. | |||
9.6. Disclosure of Product Information | 11.10. Disclosure of Product Information | |||
The User-Agent (Section 5.5.3), Via (Section 5.7.1 of [RFC7230]), and | The User-Agent (Section 8.6.3), Via (Section 5.7.1), and Server | |||
Server (Section 7.4.2) header fields often reveal information about | (Section 10.4.3) header fields often reveal information about the | |||
the respective sender's software systems. In theory, this can make | respective sender's software systems. In theory, this can make it | |||
it easier for an attacker to exploit known security holes; in | easier for an attacker to exploit known security holes; in practice, | |||
practice, attackers tend to try all potential holes regardless of the | attackers tend to try all potential holes regardless of the apparent | |||
apparent software versions being used. | software versions being used. | |||
Proxies that serve as a portal through a network firewall ought to | Proxies that serve as a portal through a network firewall ought to | |||
take special precautions regarding the transfer of header information | take special precautions regarding the transfer of header information | |||
that might identify hosts behind the firewall. The Via header field | that might identify hosts behind the firewall. The Via header field | |||
allows intermediaries to replace sensitive machine names with | allows intermediaries to replace sensitive machine names with | |||
pseudonyms. | pseudonyms. | |||
9.7. Browser Fingerprinting | 11.11. Browser Fingerprinting | |||
Browser fingerprinting is a set of techniques for identifying a | Browser fingerprinting is a set of techniques for identifying a | |||
specific user agent over time through its unique set of | specific user agent over time through its unique set of | |||
characteristics. These characteristics might include information | characteristics. These characteristics might include information | |||
related to its TCP behavior, feature capabilities, and scripting | related to its TCP behavior, feature capabilities, and scripting | |||
environment, though of particular interest here is the set of unique | environment, though of particular interest here is the set of unique | |||
characteristics that might be communicated via HTTP. Fingerprinting | characteristics that might be communicated via HTTP. Fingerprinting | |||
is considered a privacy concern because it enables tracking of a user | is considered a privacy concern because it enables tracking of a user | |||
agent's behavior over time without the corresponding controls that | agent's behavior over time ([Bujlow]) without the corresponding | |||
the user might have over other forms of data collection (e.g., | controls that the user might have over other forms of data collection | |||
cookies). Many general-purpose user agents (i.e., Web browsers) have | (e.g., cookies). Many general-purpose user agents (i.e., Web | |||
taken steps to reduce their fingerprints. | browsers) have taken steps to reduce their fingerprints. | |||
There are a number of request header fields that might reveal | There are a number of request header fields that might reveal | |||
information to servers that is sufficiently unique to enable | information to servers that is sufficiently unique to enable | |||
fingerprinting. The From header field is the most obvious, though it | fingerprinting. The From header field is the most obvious, though it | |||
is expected that From will only be sent when self-identification is | is expected that From will only be sent when self-identification is | |||
desired by the user. Likewise, Cookie header fields are deliberately | desired by the user. Likewise, Cookie header fields are deliberately | |||
designed to enable re-identification, so fingerprinting concerns only | designed to enable re-identification, so fingerprinting concerns only | |||
apply to situations where cookies are disabled or restricted by the | apply to situations where cookies are disabled or restricted by the | |||
user agent's configuration. | user agent's configuration. | |||
The User-Agent header field might contain enough information to | The User-Agent header field might contain enough information to | |||
uniquely identify a specific device, usually when combined with other | uniquely identify a specific device, usually when combined with other | |||
characteristics, particularly if the user agent sends excessive | characteristics, particularly if the user agent sends excessive | |||
details about the user's system or extensions. However, the source | details about the user's system or extensions. However, the source | |||
of unique information that is least expected by users is proactive | of unique information that is least expected by users is proactive | |||
negotiation (Section 5.3), including the Accept, Accept-Charset, | negotiation (Section 8.4), including the Accept, Accept-Charset, | |||
Accept-Encoding, and Accept-Language header fields. | Accept-Encoding, and Accept-Language header fields. | |||
In addition to the fingerprinting concern, detailed use of the | In addition to the fingerprinting concern, detailed use of the | |||
Accept-Language header field can reveal information the user might | Accept-Language header field can reveal information the user might | |||
consider to be of a private nature. For example, understanding a | consider to be of a private nature. For example, understanding a | |||
given language set might be strongly correlated to membership in a | given language set might be strongly correlated to membership in a | |||
particular ethnic group. An approach that limits such loss of | particular ethnic group. An approach that limits such loss of | |||
privacy would be for a user agent to omit the sending of | privacy would be for a user agent to omit the sending of Accept- | |||
Accept-Language except for sites that have been whitelisted, perhaps | Language except for sites that have been whitelisted, perhaps via | |||
via interaction after detecting a Vary header field that indicates | interaction after detecting a Vary header field that indicates | |||
language negotiation might be useful. | language negotiation might be useful. | |||
In environments where proxies are used to enhance privacy, user | In environments where proxies are used to enhance privacy, user | |||
agents ought to be conservative in sending proactive negotiation | agents ought to be conservative in sending proactive negotiation | |||
header fields. General-purpose user agents that provide a high | header fields. General-purpose user agents that provide a high | |||
degree of header field configurability ought to inform users about | degree of header field configurability ought to inform users about | |||
the loss of privacy that might result if too much detail is provided. | the loss of privacy that might result if too much detail is provided. | |||
As an extreme privacy measure, proxies could filter the proactive | As an extreme privacy measure, proxies could filter the proactive | |||
negotiation header fields in relayed requests. | negotiation header fields in relayed requests. | |||
8. [Conditionals] Security Considerations | 11.12. Validator Retention | |||
This section is meant to inform developers, information providers, | ||||
and users of known security concerns specific to the HTTP conditional | ||||
request mechanisms. More general security considerations are | ||||
addressed in HTTP "Message Syntax and Routing" [RFC7230] and | ||||
"Semantics and Content" [RFC7231]. | ||||
The validators defined by this specification are not intended to | The validators defined by this specification are not intended to | |||
ensure the validity of a representation, guard against malicious | ensure the validity of a representation, guard against malicious | |||
changes, or detect man-in-the-middle attacks. At best, they enable | changes, or detect man-in-the-middle attacks. At best, they enable | |||
more efficient cache updates and optimistic concurrent writes when | more efficient cache updates and optimistic concurrent writes when | |||
all participants are behaving nicely. At worst, the conditions will | all participants are behaving nicely. At worst, the conditions will | |||
fail and the client will receive a response that is no more harmful | fail and the client will receive a response that is no more harmful | |||
than an HTTP exchange without conditional requests. | than an HTTP exchange without conditional requests. | |||
An entity-tag can be abused in ways that create privacy risks. For | An entity-tag can be abused in ways that create privacy risks. For | |||
skipping to change at line 7412 ¶ | skipping to change at page 170, line 5 ¶ | |||
entity-tag that is unique to the user or user agent, send it in a | entity-tag that is unique to the user or user agent, send it in a | |||
cacheable response with a long freshness time, and then read that | cacheable response with a long freshness time, and then read that | |||
entity-tag in later conditional requests as a means of re-identifying | entity-tag in later conditional requests as a means of re-identifying | |||
that user or user agent. Such an identifying tag would become a | that user or user agent. Such an identifying tag would become a | |||
persistent identifier for as long as the user agent retained the | persistent identifier for as long as the user agent retained the | |||
original cache entry. User agents that cache representations ought | original cache entry. User agents that cache representations ought | |||
to ensure that the cache is cleared or replaced whenever the user | to ensure that the cache is cleared or replaced whenever the user | |||
performs privacy-maintaining actions, such as clearing stored cookies | performs privacy-maintaining actions, such as clearing stored cookies | |||
or changing to a private browsing mode. | or changing to a private browsing mode. | |||
6. [Range] Security Considerations | 11.13. Denial-of-Service Attacks Using Range | |||
This section is meant to inform developers, information providers, | ||||
and users of known security concerns specific to the HTTP range | ||||
request mechanisms. More general security considerations are | ||||
addressed in HTTP messaging [RFC7230] and semantics [RFC7231]. | ||||
6.1. Denial-of-Service Attacks Using Range | ||||
Unconstrained multiple range requests are susceptible to denial-of- | Unconstrained multiple range requests are susceptible to denial-of- | |||
service attacks because the effort required to request many | service attacks because the effort required to request many | |||
overlapping ranges of the same data is tiny compared to the time, | overlapping ranges of the same data is tiny compared to the time, | |||
memory, and bandwidth consumed by attempting to serve the requested | memory, and bandwidth consumed by attempting to serve the requested | |||
data in many parts. Servers ought to ignore, coalesce, or reject | data in many parts. Servers ought to ignore, coalesce, or reject | |||
egregious range requests, such as requests for more than two | egregious range requests, such as requests for more than two | |||
overlapping ranges or for many small ranges in a single set, | overlapping ranges or for many small ranges in a single set, | |||
particularly when the ranges are requested out of order for no | particularly when the ranges are requested out of order for no | |||
apparent reason. Multipart range requests are not designed to | apparent reason. Multipart range requests are not designed to | |||
support random access. | support random access. | |||
6. [Auth] Security Considerations | 11.14. Authentication Considerations | |||
This section is meant to inform developers, information providers, | ||||
and users of known security concerns specific to HTTP authentication. | ||||
More general security considerations are addressed in HTTP messaging | ||||
[RFC7230] and semantics [RFC7231]. | ||||
Everything about the topic of HTTP authentication is a security | Everything about the topic of HTTP authentication is a security | |||
consideration, so the list of considerations below is not exhaustive. | consideration, so the list of considerations below is not exhaustive. | |||
Furthermore, it is limited to security considerations regarding the | Furthermore, it is limited to security considerations regarding the | |||
authentication framework, in general, rather than discussing all of | authentication framework, in general, rather than discussing all of | |||
the potential considerations for specific authentication schemes | the potential considerations for specific authentication schemes | |||
(which ought to be documented in the specifications that define those | (which ought to be documented in the specifications that define those | |||
schemes). Various organizations maintain topical information and | schemes). Various organizations maintain topical information and | |||
links to current research on Web application security (e.g., | links to current research on Web application security (e.g., | |||
[OWASP]), including common pitfalls for implementing and using the | [OWASP]), including common pitfalls for implementing and using the | |||
authentication schemes found in practice. | authentication schemes found in practice. | |||
6.1. Confidentiality of Credentials | 11.14.1. Confidentiality of Credentials | |||
The HTTP authentication framework does not define a single mechanism | The HTTP authentication framework does not define a single mechanism | |||
for maintaining the confidentiality of credentials; instead, each | for maintaining the confidentiality of credentials; instead, each | |||
authentication scheme defines how the credentials are encoded prior | authentication scheme defines how the credentials are encoded prior | |||
to transmission. While this provides flexibility for the development | to transmission. While this provides flexibility for the development | |||
of future authentication schemes, it is inadequate for the protection | of future authentication schemes, it is inadequate for the protection | |||
of existing schemes that provide no confidentiality on their own, or | of existing schemes that provide no confidentiality on their own, or | |||
that do not sufficiently protect against replay attacks. | that do not sufficiently protect against replay attacks. | |||
Furthermore, if the server expects credentials that are specific to | Furthermore, if the server expects credentials that are specific to | |||
each individual user, the exchange of those credentials will have the | each individual user, the exchange of those credentials will have the | |||
effect of identifying that user even if the content within | effect of identifying that user even if the content within | |||
credentials remains confidential. | credentials remains confidential. | |||
HTTP depends on the security properties of the underlying transport- | HTTP depends on the security properties of the underlying transport- | |||
or session-level connection to provide confidential transmission of | or session-level connection to provide confidential transmission of | |||
header fields. In other words, if a server limits access to | fields. In other words, if a server limits access to authenticated | |||
authenticated users using this framework, the server needs to ensure | users using this framework, the server needs to ensure that the | |||
that the connection is properly secured in accordance with the nature | connection is properly secured in accordance with the nature of the | |||
of the authentication scheme used. For example, services that depend | authentication scheme used. For example, services that depend on | |||
on individual user authentication often require a connection to be | individual user authentication often require a connection to be | |||
secured with TLS ("Transport Layer Security", [RFC5246]) prior to | secured with TLS ("Transport Layer Security", [RFC8446]) prior to | |||
exchanging any credentials. | exchanging any credentials. | |||
6.2. Authentication Credentials and Idle Clients | 11.14.2. Credentials and Idle Clients | |||
Existing HTTP clients and user agents typically retain authentication | Existing HTTP clients and user agents typically retain authentication | |||
information indefinitely. HTTP does not provide a mechanism for the | information indefinitely. HTTP does not provide a mechanism for the | |||
origin server to direct clients to discard these cached credentials, | origin server to direct clients to discard these cached credentials, | |||
since the protocol has no awareness of how credentials are obtained | since the protocol has no awareness of how credentials are obtained | |||
or managed by the user agent. The mechanisms for expiring or | or managed by the user agent. The mechanisms for expiring or | |||
revoking credentials can be specified as part of an authentication | revoking credentials can be specified as part of an authentication | |||
scheme definition. | scheme definition. | |||
Circumstances under which credential caching can interfere with the | Circumstances under which credential caching can interfere with the | |||
skipping to change at line 7500 ¶ | skipping to change at page 171, line 33 ¶ | |||
o Applications that include a session termination indication (such | o Applications that include a session termination indication (such | |||
as a "logout" or "commit" button on a page) after which the server | as a "logout" or "commit" button on a page) after which the server | |||
side of the application "knows" that there is no further reason | side of the application "knows" that there is no further reason | |||
for the client to retain the credentials. | for the client to retain the credentials. | |||
User agents that cache credentials are encouraged to provide a | User agents that cache credentials are encouraged to provide a | |||
readily accessible mechanism for discarding cached credentials under | readily accessible mechanism for discarding cached credentials under | |||
user control. | user control. | |||
6.3. Protection Spaces | 11.14.3. Protection Spaces | |||
Authentication schemes that solely rely on the "realm" mechanism for | Authentication schemes that solely rely on the "realm" mechanism for | |||
establishing a protection space will expose credentials to all | establishing a protection space will expose credentials to all | |||
resources on an origin server. Clients that have successfully made | resources on an origin server. Clients that have successfully made | |||
authenticated requests with a resource can use the same | authenticated requests with a resource can use the same | |||
authentication credentials for other resources on the same origin | authentication credentials for other resources on the same origin | |||
server. This makes it possible for a different resource to harvest | server. This makes it possible for a different resource to harvest | |||
authentication credentials for other resources. | authentication credentials for other resources. | |||
This is of particular concern when an origin server hosts resources | This is of particular concern when an origin server hosts resources | |||
for multiple parties under the same canonical root URI (Section 2.2). | for multiple parties under the same canonical root URI | |||
Possible mitigation strategies include restricting direct access to | (Section 8.5.2). Possible mitigation strategies include restricting | |||
authentication credentials (i.e., not making the content of the | direct access to authentication credentials (i.e., not making the | |||
Authorization request header field available), and separating | content of the Authorization request header field available), and | |||
protection spaces by using a different host name (or port number) for | separating protection spaces by using a different host name (or port | |||
each party. | number) for each party. | |||
13.14.4. [RFC7615] | 11.14.4. Additional Response Fields | |||
Adding information to HTTP responses that are sent over an | Adding information to responses that are sent over an unencrypted | |||
unencrypted channel can affect security and privacy. The presence of | channel can affect security and privacy. The presence of the | |||
the header fields alone indicates that HTTP authentication is in use. | Authentication-Info and Proxy-Authentication-Info header fields alone | |||
Additional information could be exposed by the contents of the | indicates that HTTP authentication is in use. Additional information | |||
authentication-scheme specific parameters; this will have to be | could be exposed by the contents of the authentication-scheme | |||
considered in the definitions of these schemes. | specific parameters; this will have to be considered in the | |||
definitions of these schemes. | ||||
14. IANA Considerations | 12. IANA Considerations | |||
The change controller for the above registrations is: "IETF | The change controller for the following registrations is: "IETF | |||
(iesg@ietf.org) - Internet Engineering Task Force". | (iesg@ietf.org) - Internet Engineering Task Force". | |||
12.1. URI Scheme Registration | 12.1. URI Scheme Registration | |||
IANA maintains the registry of URI Schemes [BCP115] at | Please update the registry of URI Schemes [BCP35] at | |||
<http://www.iana.org/assignments/uri-schemes/>. | <https://www.iana.org/assignments/uri-schemes/> with the permanent | |||
schemes listed in the first table of Section 2.5. | ||||
This document defines the following URI schemes, so the "Permanent | ||||
URI Schemes" registry has been updated accordingly. | ||||
12.2. Method Registration | 12.2. Method Registration | |||
The "Hypertext Transfer Protocol (HTTP) Method Registry" has been | Please update the "Hypertext Transfer Protocol (HTTP) Method | |||
populated with the registrations below: | Registry" at <https://www.iana.org/assignments/http-methods> with the | |||
registration procedure of Section 7.4.1 and the method names | ||||
summarized in the table of Section 7.2. | ||||
12.3. Status Code Registration | 12.3. Status Code Registration | |||
The status code registry has been updated with the registrations | Please update the "Hypertext Transfer Protocol (HTTP) Status Code | |||
below: | Registry" at <https://www.iana.org/assignments/http-status-codes> | |||
with the registration procedure of Section 9.7.1 and the status code | ||||
values summarized in the table of Section 9.1. | ||||
Additionally, please update the following entry in the Hypertext | ||||
Transfer Protocol (HTTP) Status Code Registry: | ||||
Value: 418 | ||||
Description: (Unused) | ||||
Reference Section 9.5.19 | ||||
12.4. HTTP Field Name Registration | 12.4. HTTP Field Name Registration | |||
[new section] | Please create a new registry as outlined in Section 4.3.2. | |||
After creating the registry, all entries in the Permanent and | ||||
Provisional Message Header Registries with the protocol 'http' are to | ||||
be moved to it, with the following changes applied: | ||||
1. The 'Applicable Protocol' field is to be omitted. | ||||
2. Entries with a status of 'standard', 'experimental', 'reserved', | ||||
or 'informational' are to have a status of 'permanent'. | ||||
3. Provisional entries without a status are to have a status of | ||||
'provisional'. | ||||
4. Permanent entries without a status (after confirmation that the | ||||
registration document did not define one) will have a status of | ||||
'provisional'. The Expert(s) can choose to update their status | ||||
if there is evidence that another is more appropriate. | ||||
Please annotate the Permanent and Provisional Message Header | ||||
registries to indicate that HTTP field name registrations have moved, | ||||
with an appropriate link. | ||||
After that is complete, please update the new registry with the field | ||||
names listed in the table of Section 4.3. | ||||
Finally, please update the "Content-MD5" entry in the new registry to | ||||
have a status of 'obsoleted' with references to Section 14.15 of | ||||
[RFC2616] (for the definition of the header field) and Appendix B of | ||||
[RFC7231] (which removed the field definition from the updated | ||||
specification). | ||||
12.5. Authentication Scheme Registration | 12.5. Authentication Scheme Registration | |||
The "Hypertext Transfer Protocol (HTTP) Authentication Scheme | Please update the "Hypertext Transfer Protocol (HTTP) Authentication | |||
Registry" defines the namespace for the authentication schemes in | Scheme Registry" at <https://www.iana.org/assignments/http- | |||
challenges and credentials. It has been created and is now | authschemes> with the registration procedure of Section 8.5.5.1. No | |||
maintained at <http://www.iana.org/assignments/http-authschemes>. | authentication schemes are defined in this document. | |||
12.6. Content Coding Registration | 12.6. Content Coding Registration | |||
IANA maintains the "HTTP Content Coding Registry" at | Please update the "HTTP Content Coding Registry" at | |||
<http://www.iana.org/assignments/http-parameters>. | <https://www.iana.org/assignments/http-parameters/> with the | |||
registration procedure of Section 6.1.2.4 and the content coding | ||||
The "HTTP Content Coding Registry" has been updated with the | names summarized in the table of Section 6.1.2. | |||
registrations below: | ||||
12.7. Range Unit Registration | 12.7. Range Unit Registration | |||
The initial range unit registry contains the registrations below: | Please update the "HTTP Range Unit Registry" at | |||
<https://www.iana.org/assignments/http-parameters/> with the | ||||
registration procedure of Section 6.1.4.4 and the range unit names | ||||
summarized in the table of Section 6.1.4. | ||||
12.8. Media Type Registration | 12.8. Media Type Registration | |||
IANA maintains the registry of Internet media types [BCP13] at | Please update the "Media Types" registry at | |||
<http://www.iana.org/assignments/media-types>. | <https://www.iana.org/assignments/media-types> with the registration | |||
information in Section 6.3.5 for the media type "multipart/ | ||||
byteranges". | ||||
12.9. Port Registration | ||||
Please update the "Service Name and Transport Protocol Port Number" | ||||
registry at <https://www.iana.org/assignments/service-names-port- | ||||
numbers/> for the services on ports 80 and 443 that use UDP or TCP | ||||
to: | ||||
1. use this document as "Reference", and | ||||
2. when currently unspecified, set "Assignee" to "IESG" and | ||||
"Contact" to "IETF_Chair". | ||||
13. References | 13. References | |||
13.1. Normative References | 13.1. Normative References | |||
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, | [Caching] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | |||
RFC 793, September 1981. | Ed., "HTTP Caching", draft-ietf-httpbis-cache-07 (work in | |||
progress), March 2020. | ||||
[Messaging] | ||||
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | ||||
Ed., "HTTP/1.1 Messaging", draft-ietf-httpbis-messaging-07 | ||||
(work in progress), March 2020. | ||||
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, | ||||
RFC 793, DOI 10.17487/RFC0793, September 1981, | ||||
<https://www.rfc-editor.org/info/rfc793>. | ||||
[RFC1950] Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data Format | ||||
Specification version 3.3", RFC 1950, | ||||
DOI 10.17487/RFC1950, May 1996, | ||||
<https://www.rfc-editor.org/info/rfc1950>. | ||||
[RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification | ||||
version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996, | ||||
<https://www.rfc-editor.org/info/rfc1951>. | ||||
[RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and G. | ||||
Randers-Pehrson, "GZIP file format specification version | ||||
4.3", RFC 1952, DOI 10.17487/RFC1952, May 1996, | ||||
<https://www.rfc-editor.org/info/rfc1952>. | ||||
[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
Extensions (MIME) Part One: Format of Internet Message | Extensions (MIME) Part One: Format of Internet Message | |||
Bodies", RFC 2045, November 1996. | Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, | |||
<https://www.rfc-editor.org/info/rfc2045>. | ||||
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
Extensions (MIME) Part Two: Media Types", RFC 2046, | Extensions (MIME) Part Two: Media Types", RFC 2046, | |||
November 1996. | DOI 10.17487/RFC2046, November 1996, | |||
<https://www.rfc-editor.org/info/rfc2046>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | ||||
<https://www.rfc-editor.org/info/rfc2119>. | ||||
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
RFC 3986, January 2005. | RFC 3986, DOI 10.17487/RFC3986, January 2005, | |||
<https://www.rfc-editor.org/info/rfc3986>. | ||||
[RFC4647] Phillips, A., Ed. and M. Davis, Ed., "Matching of Language | [RFC4647] Phillips, A., Ed. and M. Davis, Ed., "Matching of Language | |||
Tags", BCP 47, RFC 4647, September 2006. | Tags", BCP 47, RFC 4647, DOI 10.17487/RFC4647, September | |||
2006, <https://www.rfc-editor.org/info/rfc4647>. | ||||
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
Encodings", RFC 4648, October 2006. | Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | |||
<https://www.rfc-editor.org/info/rfc4648>. | ||||
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | |||
Specifications: ABNF", STD 68, RFC 5234, January 2008. | Specifications: ABNF", STD 68, RFC 5234, | |||
DOI 10.17487/RFC5234, January 2008, | ||||
<https://www.rfc-editor.org/info/rfc5234>. | ||||
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | ||||
Housley, R., and W. Polk, "Internet X.509 Public Key | ||||
Infrastructure Certificate and Certificate Revocation List | ||||
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | ||||
<https://www.rfc-editor.org/info/rfc5280>. | ||||
[RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying | [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying | |||
Languages", BCP 47, RFC 5646, September 2009. | Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, | |||
September 2009, <https://www.rfc-editor.org/info/rfc5646>. | ||||
[RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in | [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in | |||
Internationalization in the IETF", BCP 166, RFC 6365, | Internationalization in the IETF", BCP 166, RFC 6365, | |||
September 2011. | DOI 10.17487/RFC6365, September 2011, | |||
<https://www.rfc-editor.org/info/rfc6365>. | ||||
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | ||||
Protocol (HTTP/1.1): Message Syntax and Routing", | ||||
RFC 7230, June 2014. | ||||
[RFC7232] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF", | |||
Protocol (HTTP/1.1): Conditional Requests", RFC 7232, | RFC 7405, DOI 10.17487/RFC7405, December 2014, | |||
June 2014. | <https://www.rfc-editor.org/info/rfc7405>. | |||
[RFC7233] Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed., | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
"Hypertext Transfer Protocol (HTTP/1.1): Range Requests", | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
RFC 7233, June 2014. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | [USASCII] American National Standards Institute, "Coded Character | |||
Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", | Set -- 7-bit American Standard Code for Information | |||
RFC 7234, June 2014. | Interchange", ANSI X3.4, 1986. | |||
[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [Welch] Welch, T., "A Technique for High-Performance Data | |||
Protocol (HTTP/1.1): Authentication", RFC 7235, June 2014. | Compression", IEEE Computer 17(6), | |||
DOI 10.1109/MC.1984.1659158, June 1984, | ||||
<https://ieeexplore.ieee.org/document/1659158/>. | ||||
13.2. Informative References | 13.2. Informative References | |||
[BCP115] Hansen, T., Hardie, T., and L. Masinter, "Guidelines | ||||
and Registration Procedures for New URI Schemes", | ||||
BCP 115, RFC 4395, February 2006. | ||||
[BCP13] Freed, N., Klensin, J., and T. Hansen, "Media Type | [BCP13] Freed, N., Klensin, J., and T. Hansen, "Media Type | |||
Specifications and Registration Procedures", BCP 13, | Specifications and Registration Procedures", BCP 13, | |||
RFC 6838, January 2013. | RFC 6838, January 2013, | |||
<https://www.rfc-editor.org/info/bcp13>. | ||||
[BCP178] Saint-Andre, P., Crocker, D., and M. Nottingham, | [BCP178] Saint-Andre, P., Crocker, D., and M. Nottingham, | |||
"Deprecating the "X-" Prefix and Similar Constructs in | "Deprecating the "X-" Prefix and Similar Constructs in | |||
Application Protocols", BCP 178, RFC 6648, June 2012. | Application Protocols", BCP 178, RFC 6648, June 2012, | |||
<https://www.rfc-editor.org/info/bcp178>. | ||||
[BCP90] Klyne, G., Nottingham, M., and J. Mogul, "Registration | [BCP35] Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines | |||
Procedures for Message Header Fields", BCP 90, RFC 3864, | and Registration Procedures for URI Schemes", BCP 35, | |||
September 2004. | RFC 7595, June 2015, | |||
<https://www.rfc-editor.org/info/bcp35>. | ||||
[Georgiev] Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., | [Bujlow] Bujlow, T., Carela-Espanol, V., Sole-Pareta, J., and P. | |||
Boneh, D., and V. Shmatikov, "The Most Dangerous Code | Barlet-Ros, "A Survey on Web Tracking: Mechanisms, | |||
in the World: Validating SSL Certificates in Non- | Implications, and Defenses", | |||
browser Software", In Proceedings of the 2012 ACM | DOI 10.1109/JPROC.2016.2637878, Proceedings of the | |||
Conference on Computer and Communications Security (CCS | IEEE 105(8), August 2017. | |||
'12), pp. 38-49, October 2012, | ||||
<http://doi.acm.org/10.1145/2382196.2382204>. | [Err1912] RFC Errata, Erratum ID 1912, RFC 2978, | |||
<https://www.rfc-editor.org/errata/eid1912>. | ||||
[Err5433] RFC Errata, Erratum ID 5433, RFC 2978, | ||||
<https://www.rfc-editor.org/errata/eid5433>. | ||||
[Georgiev] | ||||
Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, | ||||
D., and V. Shmatikov, "The Most Dangerous Code in the | ||||
World: Validating SSL Certificates in Non-browser | ||||
Software", DOI 10.1145/2382196.2382204, In Proceedings of | ||||
the 2012 ACM Conference on Computer and Communications | ||||
Security (CCS '12), pp. 38-49, October 2012. | ||||
[ISO-8859-1] | ||||
International Organization for Standardization, | ||||
"Information technology -- 8-bit single-byte coded graphic | ||||
character sets -- Part 1: Latin alphabet No. 1", ISO/ | ||||
IEC 8859-1:1998, 1998. | ||||
[Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and | ||||
Politics", ACM Transactions on Internet Technology 1(2), | ||||
November 2001, <http://arxiv.org/abs/cs.SE/0105018>. | ||||
[OWASP] van der Stock, A., Ed., "A Guide to Building Secure Web | [OWASP] van der Stock, A., Ed., "A Guide to Building Secure Web | |||
Applications and Web Services", The Open Web Application | Applications and Web Services", The Open Web Application | |||
Security Project (OWASP) 2.0.1, July 2005, | Security Project (OWASP) 2.0.1, July 2005, | |||
<https://www.owasp.org/>. | <https://www.owasp.org/>. | |||
[REST] Fielding, R., "Architectural Styles and the Design of | [REST] Fielding, R., "Architectural Styles and the Design of | |||
Network-based Software Architectures", | Network-based Software Architectures", | |||
Doctoral Dissertation, University of California, Irvine, | Doctoral Dissertation, University of California, Irvine, | |||
September 2000, | September 2000, | |||
<http://roy.gbiv.com/pubs/dissertation/top.htm>. | <https://roy.gbiv.com/pubs/dissertation/top.htm>. | |||
[RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", | [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", | |||
RFC 1919, March 1996. | RFC 1919, DOI 10.17487/RFC1919, March 1996, | |||
<https://www.rfc-editor.org/info/rfc1919>. | ||||
[RFC1945] Berners-Lee, T., Fielding, R., and H. Nielsen, "Hypertext | [RFC1945] Berners-Lee, T., Fielding, R., and H. Nielsen, "Hypertext | |||
Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996. | Transfer Protocol -- HTTP/1.0", RFC 1945, | |||
DOI 10.17487/RFC1945, May 1996, | ||||
<https://www.rfc-editor.org/info/rfc1945>. | ||||
[RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) | ||||
Part Three: Message Header Extensions for Non-ASCII Text", | ||||
RFC 2047, DOI 10.17487/RFC2047, November 1996, | ||||
<https://www.rfc-editor.org/info/rfc2047>. | ||||
[RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. | [RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. | |||
Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", | Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", | |||
RFC 2068, January 1997. | RFC 2068, DOI 10.17487/RFC2068, January 1997, | |||
<https://www.rfc-editor.org/info/rfc2068>. | ||||
[RFC2145] Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, | [RFC2145] Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, "Use | |||
"Use and Interpretation of HTTP Version Numbers", | and Interpretation of HTTP Version Numbers", RFC 2145, | |||
RFC 2145, May 1997. | DOI 10.17487/RFC2145, May 1997, | |||
<https://www.rfc-editor.org/info/rfc2145>. | ||||
[RFC2295] Holtman, K. and A. Mutz, "Transparent Content Negotiation | [RFC2295] Holtman, K. and A. Mutz, "Transparent Content Negotiation | |||
in HTTP", RFC 2295, March 1998. | in HTTP", RFC 2295, DOI 10.17487/RFC2295, March 1998, | |||
<https://www.rfc-editor.org/info/rfc2295>. | ||||
[RFC2388] Masinter, L., "Returning Values from Forms: multipart/ | [RFC2324] Masinter, L., "Hyper Text Coffee Pot Control Protocol | |||
form-data", RFC 2388, August 1998. | (HTCPCP/1.0)", RFC 2324, DOI 10.17487/RFC2324, April 1998, | |||
<https://www.rfc-editor.org/info/rfc2324>. | ||||
[RFC2557] Palme, F., Hopmann, A., Shelness, N., and E. Stefferud, | [RFC2557] Palme, F., Hopmann, A., Shelness, N., and E. Stefferud, | |||
"MIME Encapsulation of Aggregate Documents, such as HTML | "MIME Encapsulation of Aggregate Documents, such as HTML | |||
(MHTML)", RFC 2557, March 1999. | (MHTML)", RFC 2557, DOI 10.17487/RFC2557, March 1999, | |||
<https://www.rfc-editor.org/info/rfc2557>. | ||||
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | |||
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | |||
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | Transfer Protocol -- HTTP/1.1", RFC 2616, | |||
DOI 10.17487/RFC2616, June 1999, | ||||
<https://www.rfc-editor.org/info/rfc2616>. | ||||
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | |||
Leach, P., Luotonen, A., and L. Stewart, "HTTP | Leach, P., Luotonen, A., and L. Stewart, "HTTP | |||
Authentication: Basic and Digest Access Authentication", | Authentication: Basic and Digest Access Authentication", | |||
RFC 2617, June 1999. | RFC 2617, DOI 10.17487/RFC2617, June 1999, | |||
<https://www.rfc-editor.org/info/rfc2617>. | ||||
[RFC2774] Frystyk, H., Leach, P., and S. Lawrence, "An HTTP | [RFC2774] Frystyk, H., Leach, P., and S. Lawrence, "An HTTP | |||
Extension Framework", RFC 2774, February 2000. | Extension Framework", RFC 2774, DOI 10.17487/RFC2774, | |||
February 2000, <https://www.rfc-editor.org/info/rfc2774>. | ||||
[RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within | ||||
HTTP/1.1", RFC 2817, May 2000. | ||||
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
DOI 10.17487/RFC2818, May 2000, | ||||
<https://www.rfc-editor.org/info/rfc2818>. | ||||
[RFC2978] Freed, N. and J. Postel, "IANA Charset Registration | [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration | |||
Procedures", BCP 19, RFC 2978, October 2000. | Procedures", BCP 19, RFC 2978, DOI 10.17487/RFC2978, | |||
October 2000, <https://www.rfc-editor.org/info/rfc2978>. | ||||
[RFC3040] Cooper, I., Melve, I., and G. Tomlinson, "Internet Web | [RFC3040] Cooper, I., Melve, I., and G. Tomlinson, "Internet Web | |||
Replication and Caching Taxonomy", RFC 3040, | Replication and Caching Taxonomy", RFC 3040, | |||
January 2001. | DOI 10.17487/RFC3040, January 2001, | |||
<https://www.rfc-editor.org/info/rfc3040>. | ||||
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
Rose, "DNS Security Introduction and Requirements", | Rose, "DNS Security Introduction and Requirements", | |||
RFC 4033, March 2005. | RFC 4033, DOI 10.17487/RFC4033, March 2005, | |||
<https://www.rfc-editor.org/info/rfc4033>. | ||||
[RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based | [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based | |||
Kerberos and NTLM HTTP Authentication in Microsoft | Kerberos and NTLM HTTP Authentication in Microsoft | |||
Windows", RFC 4559, June 2006. | Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006, | |||
<https://www.rfc-editor.org/info/rfc4559>. | ||||
[RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed | [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed | |||
Authoring and Versioning (WebDAV)", RFC 4918, June 2007. | Authoring and Versioning (WebDAV)", RFC 4918, | |||
DOI 10.17487/RFC4918, June 2007, | ||||
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | <https://www.rfc-editor.org/info/rfc4918>. | |||
IANA Considerations Section in RFCs", BCP 26, RFC 5226, | ||||
May 2008. | ||||
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | ||||
(TLS) Protocol Version 1.2", RFC 5246, August 2008. | ||||
[RFC5322] Resnick, P., "Internet Message Format", RFC 5322, | [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, | |||
October 2008. | DOI 10.17487/RFC5322, October 2008, | |||
<https://www.rfc-editor.org/info/rfc5322>. | ||||
[RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", | [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", | |||
RFC 5789, March 2010. | RFC 5789, DOI 10.17487/RFC5789, March 2010, | |||
<https://www.rfc-editor.org/info/rfc5789>. | ||||
[RFC5861] Nottingham, M., "HTTP Cache-Control Extensions for Stale | ||||
Content", RFC 5861, April 2010. | ||||
[RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, | [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, | |||
"Network Time Protocol Version 4: Protocol and Algorithms | "Network Time Protocol Version 4: Protocol and Algorithms | |||
Specification", RFC 5905, June 2010. | Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, | |||
<https://www.rfc-editor.org/info/rfc5905>. | ||||
[RFC5987] Reschke, J., "Character Set and Language Encoding for | ||||
Hypertext Transfer Protocol (HTTP) Header Field | ||||
Parameters", RFC 5987, August 2010. | ||||
[RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010. | [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | |||
Verification of Domain-Based Application Service Identity | ||||
within Internet Public Key Infrastructure Using X.509 | ||||
(PKIX) Certificates in the Context of Transport Layer | ||||
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March | ||||
2011, <https://www.rfc-editor.org/info/rfc6125>. | ||||
[RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, | [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, | |||
April 2011. | DOI 10.17487/RFC6265, April 2011, | |||
<https://www.rfc-editor.org/info/rfc6265>. | ||||
[RFC6266] Reschke, J., "Use of the Content-Disposition Header Field | [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, | |||
in the Hypertext Transfer Protocol (HTTP)", RFC 6266, | DOI 10.17487/RFC6454, December 2011, | |||
June 2011. | <https://www.rfc-editor.org/info/rfc6454>. | |||
[RFC7238] Reschke, J., "The Hypertext Transfer Protocol (HTTP) | [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status | |||
Status Code 308 (Permanent Redirect)", RFC 7238, | Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, | |||
June 2014. | <https://www.rfc-editor.org/info/rfc6585>. | |||
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | ||||
Protocol (HTTP/1.1): Message Syntax and Routing", | ||||
RFC 7230, DOI 10.17487/RFC7230, June 2014, | ||||
<https://www.rfc-editor.org/info/rfc7230>. | ||||
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | ||||
Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | ||||
DOI 10.17487/RFC7231, June 2014, | ||||
<https://www.rfc-editor.org/info/rfc7231>. | ||||
[RFC7232] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | ||||
Protocol (HTTP/1.1): Conditional Requests", RFC 7232, | ||||
DOI 10.17487/RFC7232, June 2014, | ||||
<https://www.rfc-editor.org/info/rfc7232>. | ||||
[RFC7233] Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed., | ||||
"Hypertext Transfer Protocol (HTTP): Range Requests", | ||||
RFC 7233, DOI 10.17487/RFC7233, June 2014, | ||||
<https://www.rfc-editor.org/info/rfc7233>. | ||||
[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | ||||
Protocol (HTTP/1.1): Authentication", RFC 7235, | ||||
DOI 10.17487/RFC7235, June 2014, | ||||
<https://www.rfc-editor.org/info/rfc7235>. | ||||
[RFC7538] Reschke, J., "The Hypertext Transfer Protocol Status Code | ||||
308 (Permanent Redirect)", RFC 7538, DOI 10.17487/RFC7538, | ||||
April 2015, <https://www.rfc-editor.org/info/rfc7538>. | ||||
[RFC7578] Masinter, L., "Returning Values from Forms: multipart/ | ||||
form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015, | ||||
<https://www.rfc-editor.org/info/rfc7578>. | ||||
[RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy- | ||||
Authentication-Info Response Header Fields", RFC 7615, | ||||
DOI 10.17487/RFC7615, September 2015, | ||||
<https://www.rfc-editor.org/info/rfc7615>. | ||||
[RFC7616] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP | ||||
Digest Access Authentication", RFC 7616, | ||||
DOI 10.17487/RFC7616, September 2015, | ||||
<https://www.rfc-editor.org/info/rfc7616>. | ||||
[RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", | ||||
RFC 7617, DOI 10.17487/RFC7617, September 2015, | ||||
<https://www.rfc-editor.org/info/rfc7617>. | ||||
[RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP | ||||
Alternative Services", RFC 7838, DOI 10.17487/RFC7838, | ||||
April 2016, <https://www.rfc-editor.org/info/rfc7838>. | ||||
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | ||||
Writing an IANA Considerations Section in RFCs", BCP 26, | ||||
RFC 8126, DOI 10.17487/RFC8126, June 2017, | ||||
<https://www.rfc-editor.org/info/rfc8126>. | ||||
[RFC8187] Reschke, J., "Indicating Character Encoding and Language | ||||
for HTTP Header Field Parameters", RFC 8187, | ||||
DOI 10.17487/RFC8187, September 2017, | ||||
<https://www.rfc-editor.org/info/rfc8187>. | ||||
[RFC8246] McManus, P., "HTTP Immutable Responses", RFC 8246, | ||||
DOI 10.17487/RFC8246, September 2017, | ||||
<https://www.rfc-editor.org/info/rfc8246>. | ||||
[RFC8288] Nottingham, M., "Web Linking", RFC 8288, | ||||
DOI 10.17487/RFC8288, October 2017, | ||||
<https://www.rfc-editor.org/info/rfc8288>. | ||||
[RFC8336] Nottingham, M. and E. Nygren, "The ORIGIN HTTP/2 Frame", | ||||
RFC 8336, DOI 10.17487/RFC8336, March 2018, | ||||
<https://www.rfc-editor.org/info/rfc8336>. | ||||
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | ||||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | ||||
<https://www.rfc-editor.org/info/rfc8446>. | ||||
[Sniffing] | ||||
WHATWG, "MIME Sniffing", | ||||
<https://mimesniff.spec.whatwg.org>. | ||||
Appendix A. Collected ABNF | Appendix A. Collected ABNF | |||
In the collected ABNF below, list rules are expanded as per Section | In the collected ABNF below, list rules are expanded as per | |||
1.2 of [RFC7230]. | Section 4.5. | |||
Accept = [ ( "," / ( media-range [ accept-params ] ) ) *( OWS "," [ | Accept = [ ( "," / ( media-range [ accept-params ] ) ) *( OWS "," [ | |||
OWS ( media-range [ accept-params ] ) ] ) ] | OWS ( media-range [ accept-params ] ) ] ) ] | |||
Accept-Charset = *( "," OWS ) ( ( charset / "*" ) [ weight ] ) *( OWS | Accept-Charset = *( "," OWS ) ( ( charset / "*" ) [ weight ] ) *( OWS | |||
"," [ OWS ( ( charset / "*" ) [ weight ] ) ] ) | "," [ OWS ( ( charset / "*" ) [ weight ] ) ] ) | |||
Accept-Encoding = [ ( "," / ( codings [ weight ] ) ) *( OWS "," [ OWS | Accept-Encoding = [ ( "," / ( codings [ weight ] ) ) *( OWS "," [ OWS | |||
( codings [ weight ] ) ] ) ] | ( codings [ weight ] ) ] ) ] | |||
Accept-Language = *( "," OWS ) ( language-range [ weight ] ) *( OWS | Accept-Language = *( "," OWS ) ( language-range [ weight ] ) *( OWS | |||
"," [ OWS ( language-range [ weight ] ) ] ) | "," [ OWS ( language-range [ weight ] ) ] ) | |||
Allow = [ ( "," / method ) *( OWS "," [ OWS method ] ) ] | Accept-Ranges = acceptable-ranges | |||
Allow = [ method ] *( OWS "," OWS [ method ] ) | ||||
Authentication-Info = [ auth-param ] *( OWS "," OWS [ auth-param ] ) | ||||
Authorization = credentials | ||||
BWS = <BWS, see [RFC7230], Section 3.2.3> | BWS = OWS | |||
Content-Encoding = *( "," OWS ) content-coding *( OWS "," [ OWS | Content-Encoding = [ content-coding ] *( OWS "," OWS [ content-coding | |||
content-coding ] ) | ] ) | |||
Content-Language = *( "," OWS ) language-tag *( OWS "," [ OWS | Content-Language = [ language-tag ] *( OWS "," OWS [ language-tag ] | |||
language-tag ] ) | ) | |||
Content-Length = 1*DIGIT | ||||
Content-Location = absolute-URI / partial-URI | Content-Location = absolute-URI / partial-URI | |||
Content-Range = range-unit SP ( range-resp / unsatisfied-range ) | ||||
Content-Type = media-type | Content-Type = media-type | |||
Date = HTTP-date | Date = HTTP-date | |||
ETag = entity-tag | ||||
Expect = "100-continue" | Expect = "100-continue" | |||
From = mailbox | From = mailbox | |||
GMT = %x47.4D.54 ; GMT | GMT = %x47.4D.54 ; GMT | |||
HTTP-date = IMF-fixdate / obs-date | HTTP-date = IMF-fixdate / obs-date | |||
Host = uri-host [ ":" port ] | ||||
IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT | IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT | |||
If-Match = "*" / ( [ entity-tag ] *( OWS "," OWS [ entity-tag ] ) ) | ||||
If-Modified-Since = HTTP-date | ||||
If-None-Match = "*" / ( [ entity-tag ] *( OWS "," OWS [ entity-tag ] | ||||
) ) | ||||
If-Range = entity-tag / HTTP-date | ||||
If-Unmodified-Since = HTTP-date | ||||
Last-Modified = HTTP-date | ||||
Location = URI-reference | Location = URI-reference | |||
Max-Forwards = 1*DIGIT | Max-Forwards = 1*DIGIT | |||
OWS = <OWS, see [RFC7230], Section 3.2.3> | OWS = *( SP / HTAB ) | |||
RWS = <RWS, see [RFC7230], Section 3.2.3> | Proxy-Authenticate = [ challenge ] *( OWS "," OWS [ challenge ] ) | |||
Proxy-Authentication-Info = [ auth-param ] *( OWS "," OWS [ | ||||
auth-param ] ) | ||||
Proxy-Authorization = credentials | ||||
RWS = 1*( SP / HTAB ) | ||||
Range = ranges-specifier | ||||
Referer = absolute-URI / partial-URI | Referer = absolute-URI / partial-URI | |||
Retry-After = HTTP-date / delay-seconds | Retry-After = HTTP-date / delay-seconds | |||
Server = product *( RWS ( product / comment ) ) | Server = product *( RWS ( product / comment ) ) | |||
URI-reference = <URI-reference, see [RFC7230], Section 2.7> | Trailer = [ field-name ] *( OWS "," OWS [ field-name ] ) | |||
URI-reference = <URI-reference, see [RFC3986], Section 4.1> | ||||
User-Agent = product *( RWS ( product / comment ) ) | User-Agent = product *( RWS ( product / comment ) ) | |||
Vary = "*" / ( *( "," OWS ) field-name *( OWS "," [ OWS field-name ] | Vary = "*" / ( [ field-name ] *( OWS "," OWS [ field-name ] ) ) | |||
) ) | Via = *( "," OWS ) ( received-protocol RWS received-by [ RWS comment | |||
] ) *( OWS "," [ OWS ( received-protocol RWS received-by [ RWS | ||||
comment ] ) ] ) | ||||
absolute-URI = <absolute-URI, see [RFC7230], Section 2.7> | WWW-Authenticate = [ challenge ] *( OWS "," OWS [ challenge ] ) | |||
absolute-URI = <absolute-URI, see [RFC3986], Section 4.3> | ||||
absolute-path = 1*( "/" segment ) | ||||
accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] | accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] | |||
accept-params = weight *accept-ext | accept-params = weight *accept-ext | |||
acceptable-ranges = ( [ range-unit ] *( OWS "," OWS [ range-unit ] ) | ||||
) / "none" | ||||
asctime-date = day-name SP date3 SP time-of-day SP year | asctime-date = day-name SP date3 SP time-of-day SP year | |||
auth-param = token BWS "=" BWS ( token / quoted-string ) | ||||
auth-scheme = token | ||||
authority = <authority, see [RFC3986], Section 3.2> | ||||
challenge = auth-scheme [ 1*SP ( token68 / ( [ auth-param ] *( OWS | ||||
"," OWS [ auth-param ] ) ) ) ] | ||||
charset = token | charset = token | |||
codings = content-coding / "identity" / "*" | codings = content-coding / "identity" / "*" | |||
comment = <comment, see [RFC7230], Section 3.2.6> | comment = "(" *( ctext / quoted-pair / comment ) ")" | |||
complete-length = 1*DIGIT | ||||
content-coding = token | content-coding = token | |||
credentials = auth-scheme [ 1*SP ( token68 / ( [ auth-param ] *( OWS | ||||
"," OWS [ auth-param ] ) ) ) ] | ||||
ctext = HTAB / SP / %x21-27 ; '!'-''' | ||||
/ %x2A-5B ; '*'-'[' | ||||
/ %x5D-7E ; ']'-'~' | ||||
/ obs-text | ||||
date1 = day SP month SP year | date1 = day SP month SP year | |||
date2 = day "-" month "-" 2DIGIT | date2 = day "-" month "-" 2DIGIT | |||
date3 = month SP ( 2DIGIT / ( SP DIGIT ) ) | date3 = month SP ( 2DIGIT / ( SP DIGIT ) ) | |||
day = 2DIGIT | day = 2DIGIT | |||
day-name = %x4D.6F.6E ; Mon | day-name = %x4D.6F.6E ; Mon | |||
/ %x54.75.65 ; Tue | / %x54.75.65 ; Tue | |||
/ %x57.65.64 ; Wed | / %x57.65.64 ; Wed | |||
/ %x54.68.75 ; Thu | / %x54.68.75 ; Thu | |||
/ %x46.72.69 ; Fri | / %x46.72.69 ; Fri | |||
skipping to change at line 7852 ¶ | skipping to change at page 184, line 32 ¶ | |||
/ %x53.75.6E ; Sun | / %x53.75.6E ; Sun | |||
day-name-l = %x4D.6F.6E.64.61.79 ; Monday | day-name-l = %x4D.6F.6E.64.61.79 ; Monday | |||
/ %x54.75.65.73.64.61.79 ; Tuesday | / %x54.75.65.73.64.61.79 ; Tuesday | |||
/ %x57.65.64.6E.65.73.64.61.79 ; Wednesday | / %x57.65.64.6E.65.73.64.61.79 ; Wednesday | |||
/ %x54.68.75.72.73.64.61.79 ; Thursday | / %x54.68.75.72.73.64.61.79 ; Thursday | |||
/ %x46.72.69.64.61.79 ; Friday | / %x46.72.69.64.61.79 ; Friday | |||
/ %x53.61.74.75.72.64.61.79 ; Saturday | / %x53.61.74.75.72.64.61.79 ; Saturday | |||
/ %x53.75.6E.64.61.79 ; Sunday | / %x53.75.6E.64.61.79 ; Sunday | |||
delay-seconds = 1*DIGIT | delay-seconds = 1*DIGIT | |||
field-name = <comment, see [RFC7230], Section 3.2> | entity-tag = [ weak ] opaque-tag | |||
etagc = "!" / %x23-7E ; '#'-'~' | ||||
/ obs-text | ||||
field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) | ||||
field-vchar ] | ||||
field-name = token | ||||
field-value = *( field-content / obs-fold ) | ||||
field-vchar = VCHAR / obs-text | ||||
first-pos = 1*DIGIT | ||||
hour = 2DIGIT | hour = 2DIGIT | |||
http-URI = "http://" authority path-abempty [ "?" query ] | ||||
https-URI = "https://" authority path-abempty [ "?" query ] | ||||
incl-range = first-pos "-" last-pos | ||||
int-range = first-pos "-" [ last-pos ] | ||||
language-range = <language-range, see [RFC4647], Section 2.1> | language-range = <language-range, see [RFC4647], Section 2.1> | |||
language-tag = <Language-Tag, see [RFC5646], Section 2.1> | language-tag = <Language-Tag, see [RFC5646], Section 2.1> | |||
last-pos = 1*DIGIT | ||||
mailbox = <mailbox, see [RFC5322], Section 3.4> | mailbox = <mailbox, see [RFC5322], Section 3.4> | |||
media-range = ( "*/*" / ( type "/*" ) / ( type "/" subtype ) ) *( OWS | media-range = ( "*/*" / ( type "/*" ) / ( type "/" subtype ) ) *( OWS | |||
";" OWS parameter ) | ";" OWS parameter ) | |||
media-type = type "/" subtype *( OWS ";" OWS parameter ) | media-type = type "/" subtype *( OWS ";" OWS parameter ) | |||
method = token | method = token | |||
minute = 2DIGIT | minute = 2DIGIT | |||
month = %x4A.61.6E ; Jan | month = %x4A.61.6E ; Jan | |||
/ %x46.65.62 ; Feb | / %x46.65.62 ; Feb | |||
/ %x4D.61.72 ; Mar | / %x4D.61.72 ; Mar | |||
/ %x41.70.72 ; Apr | / %x41.70.72 ; Apr | |||
/ %x4D.61.79 ; May | / %x4D.61.79 ; May | |||
/ %x4A.75.6E ; Jun | / %x4A.75.6E ; Jun | |||
/ %x4A.75.6C ; Jul | / %x4A.75.6C ; Jul | |||
skipping to change at line 7880 ¶ | skipping to change at page 185, line 26 ¶ | |||
/ %x4D.61.79 ; May | / %x4D.61.79 ; May | |||
/ %x4A.75.6E ; Jun | / %x4A.75.6E ; Jun | |||
/ %x4A.75.6C ; Jul | / %x4A.75.6C ; Jul | |||
/ %x41.75.67 ; Aug | / %x41.75.67 ; Aug | |||
/ %x53.65.70 ; Sep | / %x53.65.70 ; Sep | |||
/ %x4F.63.74 ; Oct | / %x4F.63.74 ; Oct | |||
/ %x4E.6F.76 ; Nov | / %x4E.6F.76 ; Nov | |||
/ %x44.65.63 ; Dec | / %x44.65.63 ; Dec | |||
obs-date = rfc850-date / asctime-date | obs-date = rfc850-date / asctime-date | |||
obs-fold = <obs-fold, see [Messaging], Section 5.2> | ||||
obs-text = %x80-FF | ||||
opaque-tag = DQUOTE *etagc DQUOTE | ||||
other-range = 1*( %x21-2B ; '!'-'+' | ||||
/ %x2D-7E ; '-'-'~' | ||||
) | ||||
parameter = token "=" ( token / quoted-string ) | parameter = parameter-name "=" parameter-value | |||
partial-URI = <partial-URI, see [RFC7230], Section 2.7> | parameter-name = token | |||
parameter-value = ( token / quoted-string ) | ||||
partial-URI = relative-part [ "?" query ] | ||||
path-abempty = <path-abempty, see [RFC3986], Section 3.3> | ||||
port = <port, see [RFC3986], Section 3.2.3> | ||||
product = token [ "/" product-version ] | product = token [ "/" product-version ] | |||
product-version = token | product-version = token | |||
quoted-string = <quoted-string, see [RFC7230], Section 3.2.6> | protocol-name = <protocol-name, see [Messaging], Section 9.9> | |||
qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] ) | protocol-version = <protocol-version, see [Messaging], Section 9.9> | |||
pseudonym = token | ||||
qdtext = HTAB / SP / "!" / %x23-5B ; '#'-'[' | ||||
/ %x5D-7E ; ']'-'~' | ||||
/ obs-text | ||||
query = <query, see [RFC3986], Section 3.4> | ||||
quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) | ||||
quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE | ||||
qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] ) | ||||
range-resp = incl-range "/" ( complete-length / "*" ) | ||||
range-set = [ range-spec ] *( OWS "," OWS [ range-spec ] ) | ||||
range-spec = int-range / suffix-range / other-range | ||||
range-unit = token | ||||
ranges-specifier = range-unit "=" range-set | ||||
received-by = pseudonym [ ":" port ] | ||||
received-protocol = [ protocol-name "/" ] protocol-version | ||||
relative-part = <relative-part, see [RFC3986], Section 4.2> | ||||
request-target = <request-target, see [Messaging], Section 3.2> | ||||
rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT | rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT | |||
second = 2DIGIT | second = 2DIGIT | |||
segment = <segment, see [RFC3986], Section 3.3> | ||||
subtype = token | subtype = token | |||
suffix-length = 1*DIGIT | ||||
suffix-range = "-" suffix-length | ||||
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / | ||||
"^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA | ||||
time-of-day = hour ":" minute ":" second | time-of-day = hour ":" minute ":" second | |||
token = <token, see [RFC7230], Section 3.2.6> | token = 1*tchar | |||
token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) | ||||
*"=" | ||||
type = token | type = token | |||
unsatisfied-range = "*/" complete-length | ||||
uri-host = <host, see [RFC3986], Section 3.2.2> | ||||
weak = %x57.2F ; W/ | ||||
weight = OWS ";" OWS "q=" qvalue | weight = OWS ";" OWS "q=" qvalue | |||
year = 4DIGIT | year = 4DIGIT | |||
Appendix B. Changes from RFC 2616 | Appendix B. Changes from previous RFCs | |||
[elided] | B.1. Changes from RFC 2818 | |||
Index | None yet. | |||
1 | B.2. Changes from RFC 7230 | |||
1xx Informational (status code class) 50 | ||||
2 | The sections introducing HTTP's design goals, history, architecture, | |||
2xx Successful (status code class) 51 | conformance criteria, protocol versioning, URIs, message routing, and | |||
header fields have been moved here (without substantive change). | ||||
3 | "Field value" now refers to the value after multiple instances are | |||
3xx Redirection (status code class) 54 | combined with commas -- by far the most common use. To refer to a | |||
single header line's value, use "field line value". (Section 4) | ||||
Trailer field semantics now transcend the specifics of chunked | ||||
encoding. Use of trailer fields has been further limited to only | ||||
allow generation as a trailer field when the sender knows the field | ||||
defines that usage and to only allow merging into the header section | ||||
if the recipient knows the corresponding field definition permits and | ||||
defines how to merge. In all other cases, implementations are | ||||
encouraged to either store the trailer fields separately or discard | ||||
them instead of merging. (Section 4.6.2) | ||||
4 | Made the priority of the absolute form of the request URI over the | |||
4xx Client Error (status code class) 58 | Host header by origin servers explicit, to align with proxy handling. | |||
(Section 5.6) | ||||
5 | The grammar definition for the Via field's "received-by" was expanded | |||
5xx Server Error (status code class) 62 | in 7230 due to changes in the URI grammar for host [RFC3986] that are | |||
not desirable for Via. For simplicity, we have removed uri-host from | ||||
the received-by production because it can be encompassed by the | ||||
existing grammar for pseudonym. In particular, this change removed | ||||
comma from the allowed set of charaters for a host name in received- | ||||
by. (Section 5.7.1) | ||||
Added status code 308 (previously defined in [RFC7538]) so that it's | ||||
defined closer to status codes 301, 302, and 307. (Section 9.4.9) | ||||
Added status code 422 (previously defined in Section 11.2 of | ||||
[RFC4918]) because of its general applicability. (Section 9.5.20) | ||||
The description of an origin and authoritative access to origin | ||||
servers has been extended for both "http" and "https" URIs to account | ||||
for alternative services and secured connections that are not | ||||
necessarily based on TCP. (Section 2.5.1, Section 2.5.2, | ||||
Section 5.2, Section 5.4) | ||||
B.3. Changes from RFC 7231 | ||||
Minimum URI lengths to be supported by implementations are now | ||||
recommended. (Section 2.5) | ||||
Range units are compared in a case insensitive fashion. | ||||
(Section 6.1.4) | ||||
Restrictions on client retries have been loosened, to reflect | ||||
implementation behavior. (Section 7.2.2) | ||||
Clarified that request bodies on GET and DELETE are not | ||||
interoperable. (Section 7.3.1, Section 7.3.5) | ||||
Removed a superfluous requirement about setting Content-Length from | ||||
the description of the OPTIONS method. (Section 7.3.7) | ||||
B.4. Changes from RFC 7232 | ||||
None yet. | ||||
B.5. Changes from RFC 7233 | ||||
Refactored the range-unit and ranges-specifier grammars to simplify | ||||
and reduce artificial distinctions between bytes and other | ||||
(extension) range units, removing the overlapping grammar of other- | ||||
range-unit by defining range units generically as a token and placing | ||||
extensions within the scope of a range-spec (other-range). This | ||||
disambiguates the role of list syntax (commas) in all range sets, | ||||
including extension range units, for indicating a range-set of more | ||||
than one range. Moving the extension grammar into range specifiers | ||||
also allows protocol specific to byte ranges to be specified | ||||
separately. | ||||
B.6. Changes from RFC 7235 | ||||
None yet. | ||||
B.7. Changes from RFC 7538 | ||||
None yet. | ||||
B.8. Changes from RFC 7615 | ||||
None yet. | ||||
Appendix C. Change Log | ||||
This section is to be removed before publishing as an RFC. | ||||
C.1. Between RFC723x and draft 00 | ||||
The changes were purely editorial: | ||||
o Change boilerplate and abstract to indicate the "draft" status, | ||||
and update references to ancestor specifications. | ||||
o Remove version "1.1" from document title, indicating that this | ||||
specification applies to all HTTP versions. | ||||
o Adjust historical notes. | ||||
o Update links to sibling specifications. | ||||
o Replace sections listing changes from RFC 2616 by new empty | ||||
sections referring to RFC 723x. | ||||
o Remove acknowledgements specific to RFC 723x. | ||||
o Move "Acknowledgements" to the very end and make them unnumbered. | ||||
C.2. Since draft-ietf-httpbis-semantics-00 | ||||
The changes in this draft are editorial, with respect to HTTP as a | ||||
whole, to merge core HTTP semantics into this document: | ||||
o Merged introduction, architecture, conformance, and ABNF | ||||
extensions from RFC 7230 (Messaging). | ||||
o Rearranged architecture to extract conformance, http(s) schemes, | ||||
and protocol versioning into a separate major section. | ||||
o Moved discussion of MIME differences to [Messaging] since that is | ||||
primarily concerned with transforming 1.1 messages. | ||||
o Merged entire content of RFC 7232 (Conditional Requests). | ||||
o Merged entire content of RFC 7233 (Range Requests). | ||||
o Merged entire content of RFC 7235 (Auth Framework). | ||||
o Moved all extensibility tips, registration procedures, and | ||||
registry tables from the IANA considerations to normative | ||||
sections, reducing the IANA considerations to just instructions | ||||
that will be removed prior to publication as an RFC. | ||||
C.3. Since draft-ietf-httpbis-semantics-01 | ||||
o Improve [Welch] citation (<https://github.com/httpwg/http-core/ | ||||
issues/63>) | ||||
o Remove HTTP/1.1-ism about Range Requests | ||||
(<https://github.com/httpwg/http-core/issues/71>) | ||||
o Cite RFC 8126 instead of RFC 5226 (<https://github.com/httpwg/ | ||||
http-core/issues/75>) | ||||
o Cite RFC 7538 instead of RFC 7238 (<https://github.com/httpwg/ | ||||
http-core/issues/76>) | ||||
o Cite RFC 8288 instead of RFC 5988 (<https://github.com/httpwg/ | ||||
http-core/issues/77>) | ||||
o Cite RFC 8187 instead of RFC 5987 (<https://github.com/httpwg/ | ||||
http-core/issues/78>) | ||||
o Cite RFC 7578 instead of RFC 2388 (<https://github.com/httpwg/ | ||||
http-core/issues/79>) | ||||
o Cite RFC 7595 instead of RFC 4395 (<https://github.com/httpwg/ | ||||
http-core/issues/80>) | ||||
o improve ABNF readability for qdtext (<https://github.com/httpwg/ | ||||
http-core/issues/81>, <https://www.rfc-editor.org/errata/eid4891>) | ||||
o Clarify "resource" vs "representation" in definition of status | ||||
code 416 (<https://github.com/httpwg/http-core/issues/83>, | ||||
<https://www.rfc-editor.org/errata/eid4664>) | ||||
o Resolved erratum 4072, no change needed here | ||||
(<https://github.com/httpwg/http-core/issues/84>, | ||||
<https://www.rfc-editor.org/errata/eid4072>) | ||||
o Clarify DELETE status code suggestions | ||||
(<https://github.com/httpwg/http-core/issues/85>, | ||||
<https://www.rfc-editor.org/errata/eid4436>) | ||||
o In Section 6.3.4, fix ABNF for "other-range-resp" to use VCHAR | ||||
instead of CHAR (<https://github.com/httpwg/http-core/issues/86>, | ||||
<https://www.rfc-editor.org/errata/eid4707>) | ||||
o Resolved erratum 5162, no change needed here | ||||
(<https://github.com/httpwg/http-core/issues/89>, | ||||
<https://www.rfc-editor.org/errata/eid5162>) | ||||
o Replace "response code" with "response status code" and "status- | ||||
code" (the ABNF production name from the HTTP/1.1 message format) | ||||
by "status code" (<https://github.com/httpwg/http-core/issues/94>, | ||||
<https://www.rfc-editor.org/errata/eid4050>) | ||||
o Added a missing word in Section 9.4 (<https://github.com/httpwg/ | ||||
http-core/issues/98>, <https://www.rfc-editor.org/errata/eid4452>) | ||||
o In Section 4.5, fixed an example that had trailing whitespace | ||||
where it shouldn't (<https://github.com/httpwg/http-core/ | ||||
issues/104>, <https://www.rfc-editor.org/errata/eid4169>) | ||||
o In Section 9.3.7, remove words that were potentially misleading | ||||
with respect to the relation to the requested ranges | ||||
(<https://github.com/httpwg/http-core/issues/102>, | ||||
<https://www.rfc-editor.org/errata/eid4358>) | ||||
C.4. Since draft-ietf-httpbis-semantics-02 | ||||
o Included (Proxy-)Auth-Info header field definition from RFC 7615 | ||||
(<https://github.com/httpwg/http-core/issues/9>) | ||||
o In Section 7.3.3, clarify POST caching | ||||
(<https://github.com/httpwg/http-core/issues/17>) | ||||
o Add Section 9.5.19 to reserve the 418 status code | ||||
(<https://github.com/httpwg/http-core/issues/43>) | ||||
o In Section 2.1 and Section 8.1.1, clarified when a response can be | ||||
sent (<https://github.com/httpwg/http-core/issues/82>) | ||||
o In Section 6.1.1.1, explain the difference between the "token" | ||||
production, the RFC 2978 ABNF for charset names, and the actual | ||||
registration practice (<https://github.com/httpwg/http-core/ | ||||
issues/100>, <https://www.rfc-editor.org/errata/eid4689>) | ||||
o In Section 2.5, removed the fragment component in the URI scheme | ||||
definitions as per Section 4.3 of [RFC3986], furthermore moved | ||||
fragment discussion into a separate section | ||||
(<https://github.com/httpwg/http-core/issues/103>, | ||||
<https://www.rfc-editor.org/errata/eid4251>, <https://www.rfc- | ||||
editor.org/errata/eid4252>) | ||||
o In Section 3.5, add language about minor HTTP version number | ||||
defaulting (<https://github.com/httpwg/http-core/issues/115>) | ||||
o Added Section 9.5.20 for status code 422, previously defined in | ||||
Section 11.2 of [RFC4918] (<https://github.com/httpwg/http-core/ | ||||
issues/123>) | ||||
o In Section 9.5.17, fixed prose about byte range comparison | ||||
(<https://github.com/httpwg/http-core/issues/135>, | ||||
<https://www.rfc-editor.org/errata/eid5474>) | ||||
o In Section 2.1, explain that request/response correlation is | ||||
version specific (<https://github.com/httpwg/http-core/ | ||||
issues/145>) | ||||
C.5. Since draft-ietf-httpbis-semantics-03 | ||||
o In Section 9.4.9, include status code 308 from RFC 7538 | ||||
(<https://github.com/httpwg/http-core/issues/3>) | ||||
o In Section 6.1.1, clarify that the charset parameter value is | ||||
case-insensitive due to the definition in RFC 2046 | ||||
(<https://github.com/httpwg/http-core/issues/13>) | ||||
o Define a separate registry for HTTP header field names | ||||
(<https://github.com/httpwg/http-core/issues/42>) | ||||
o In Section 8.4, refactor and clarify description of wildcard ("*") | ||||
handling (<https://github.com/httpwg/http-core/issues/46>) | ||||
o Deprecate Accept-Charset (<https://github.com/httpwg/http-core/ | ||||
issues/61>) | ||||
o In Section 8.2.1, mention Cache-Control: immutable | ||||
(<https://github.com/httpwg/http-core/issues/69>) | ||||
o In Section 4.1, clarify when header field combination is allowed | ||||
(<https://github.com/httpwg/http-core/issues/74>) | ||||
o In Section 12.4, instruct IANA to mark Content-MD5 as obsolete | ||||
(<https://github.com/httpwg/http-core/issues/93>) | ||||
o Use RFC 7405 ABNF notation for case-sensitive string constants | ||||
(<https://github.com/httpwg/http-core/issues/133>) | ||||
o Rework Section 2.1 to be more version-independent | ||||
(<https://github.com/httpwg/http-core/issues/142>) | ||||
o In Section 7.3.5, clarify that DELETE needs to be successful to | ||||
invalidate cache (<https://github.com/httpwg/http-core/ | ||||
issues/167>, <https://www.rfc-editor.org/errata/eid5541>) | ||||
C.6. Since draft-ietf-httpbis-semantics-04 | ||||
o In Section 4.4, fix field-content ABNF | ||||
(<https://github.com/httpwg/http-core/issues/19>, | ||||
<https://www.rfc-editor.org/errata/eid4189>) | ||||
o Move Section 4.4.1.4 into its own section | ||||
(<https://github.com/httpwg/http-core/issues/45>) | ||||
o In Section 6.2.1, reference MIME Sniffing | ||||
(<https://github.com/httpwg/http-core/issues/51>) | ||||
o In Section 4.5, simplify the #rule mapping for recipients | ||||
(<https://github.com/httpwg/http-core/issues/164>, | ||||
<https://www.rfc-editor.org/errata/eid5257>) | ||||
o In Section 7.3.7, remove misleading text about "extension" of HTTP | ||||
is needed to define method payloads (<https://github.com/httpwg/ | ||||
http-core/issues/204>) | ||||
o Fix editorial issue in Section 6 (<https://github.com/httpwg/http- | ||||
core/issues/223>) | ||||
o In Section 9.5.20, rephrase language not to use "entity" anymore, | ||||
and also avoid lowercase "may" (<https://github.com/httpwg/http- | ||||
core/issues/224>) | ||||
o Move discussion of retries from [Messaging] into Section 7.2.2 | ||||
(<https://github.com/httpwg/http-core/issues/230>) | ||||
C.7. Since draft-ietf-httpbis-semantics-05 | ||||
o Moved transport-independent part of the description of trailers | ||||
into Section 4.6 (<https://github.com/httpwg/http-core/issues/16>) | ||||
o Loosen requirements on retries based upon implementation behavior | ||||
(<https://github.com/httpwg/http-core/issues/27>) | ||||
o In Section 12.9, update IANA port registry for TCP/UDP on ports 80 | ||||
and 443 (<https://github.com/httpwg/http-core/issues/36>) | ||||
o In Section 4.7, revise guidelines for new header field names | ||||
(<https://github.com/httpwg/http-core/issues/47>) | ||||
o In Section 7.2.3, remove concept of "cacheable methods" in favor | ||||
of prose (<https://github.com/httpwg/http-core/issues/54>, | ||||
<https://www.rfc-editor.org/errata/eid5300>) | ||||
o In Section 11.1, mention that the concept of authority can be | ||||
modified by protocol extensions (<https://github.com/httpwg/http- | ||||
core/issues/143>) | ||||
o Create new subsection on payload body in Section 6.3.3, taken from | ||||
portions of message body (<https://github.com/httpwg/http-core/ | ||||
issues/159>) | ||||
o Moved definition of "Whitespace" into new container "Generic | ||||
Syntax" (<https://github.com/httpwg/http-core/issues/162>) | ||||
o In Section 2.5, recommend minimum URI size support for | ||||
implementations (<https://github.com/httpwg/http-core/issues/169>) | ||||
o In Section 6.1.4, refactored the range-unit and ranges-specifier | ||||
grammars (<https://github.com/httpwg/http-core/issues/196>, | ||||
<https://www.rfc-editor.org/errata/eid5620>) | ||||
o In Section 7.3.1, caution against a request body more strongly | ||||
(<https://github.com/httpwg/http-core/issues/202>) | ||||
o Reorganized text in Section 4.7 (<https://github.com/httpwg/http- | ||||
core/issues/214>) | ||||
o In Section 9.5.4, replace "authorize" with "fulfill" | ||||
(<https://github.com/httpwg/http-core/issues/218>) | ||||
o In Section 7.3.7, removed a misleading statement about Content- | ||||
Length (<https://github.com/httpwg/http-core/issues/235>, | ||||
<https://www.rfc-editor.org/errata/eid5806>) | ||||
o In Section 11.1, add text from RFC 2818 | ||||
(<https://github.com/httpwg/http-core/issues/236>) | ||||
o Changed "cacheable by default" to "heuristically cacheable" | ||||
throughout (<https://github.com/httpwg/http-core/issues/242>) | ||||
C.8. Since draft-ietf-httpbis-semantics-06 | ||||
o In Section 5.7.1, simplify received-by grammar (and disallow comma | ||||
character) (<https://github.com/httpwg/http-core/issues/24>) | ||||
o In Section 4.3, give guidance on interoperable field names | ||||
(<https://github.com/httpwg/http-core/issues/30>) | ||||
o In Section 1.2.1, define the semantics and possible replacement of | ||||
whitespace when it is known to occur (<https://github.com/httpwg/ | ||||
http-core/issues/53>) | ||||
o In Section 4, introduce field terminology and distinguish between | ||||
field line values and field values; use terminology consistently | ||||
throughout (<https://github.com/httpwg/http-core/issues/111>) | ||||
o Moved #rule definition into Section 4.4 and whitespace into | ||||
Section 1.2 (<https://github.com/httpwg/http-core/issues/162>) | ||||
o In Section 6.1.4, explicitly call out range unit names as case- | ||||
insensitive, and encourage registration | ||||
(<https://github.com/httpwg/http-core/issues/179>) | ||||
o In Section 6.1.2, explicitly call out content codings as case- | ||||
insensitive, and encourage registration | ||||
(<https://github.com/httpwg/http-core/issues/179>) | ||||
o In Section 4.3, explicitly call out field names as case- | ||||
insensitive (<https://github.com/httpwg/http-core/issues/179>) | ||||
o In Section 11.11, cite [Bujlow] (<https://github.com/httpwg/http- | ||||
core/issues/185>) | ||||
o In Section 9, formally define "final" and "interim" status codes | ||||
(<https://github.com/httpwg/http-core/issues/245>) | ||||
o In Section 7.3.5, caution against a request body more strongly | ||||
(<https://github.com/httpwg/http-core/issues/258>) | ||||
o In Section 10.2.3, note that Etag can be used in trailers | ||||
(<https://github.com/httpwg/http-core/issues/262>) | ||||
o In Section 12.4, consider reserved fields as well | ||||
(<https://github.com/httpwg/http-core/issues/273>) | ||||
o In Section 2.5.4, be more correct about what was deprecated by RFC | ||||
3986 (<https://github.com/httpwg/http-core/issues/278>, | ||||
<https://www.rfc-editor.org/errata/eid5964>) | ||||
o In Section 4.1, recommend comma SP when combining field lines | ||||
(<https://github.com/httpwg/http-core/issues/148>) | ||||
o In Section 5.6, make explicit requirements on origin server to use | ||||
authority from absolute-form when available | ||||
(<https://github.com/httpwg/http-core/issues/191>) | ||||
o In Section 2.5.1, Section 2.5.2, Section 5.2, and Section 5.4, | ||||
refactored schemes to define origin and authoritative access to an | ||||
origin server for both "http" and "https" URIs to account for | ||||
alternative services and secured connections that are not | ||||
necessarily based on TCP (<https://github.com/httpwg/http-core/ | ||||
issues/237>) | ||||
o In Section 1.1, reference RFC 8174 as well | ||||
(<https://github.com/httpwg/http-core/issues/303>) | ||||
Index | ||||
1 | 1 | |||
100 Continue (status code) 50 | 100 Continue (status code) 121 | |||
100-continue (expect value) 34 | 100-continue (expect value) 88 | |||
101 Switching Protocols (status code) 50 | 101 Switching Protocols (status code) 121 | |||
1xx Informational (status code class) 120 | ||||
2 | 2 | |||
200 OK (status code) 51 | 200 OK (status code) 121 | |||
201 Created (status code) 52 | 201 Created (status code) 122 | |||
202 Accepted (status code) 52 | 202 Accepted (status code) 122 | |||
203 Non-Authoritative Information (status code) 52 | 203 Non-Authoritative Information (status code) 123 | |||
204 No Content (status code) 53 | 204 No Content (status code) 123 | |||
205 Reset Content (status code) 53 | 205 Reset Content (status code) 124 | |||
206 Partial Content (status code) 124 | ||||
2xx Successful (status code class) 121 | ||||
3 | 3 | |||
300 Multiple Choices (status code) 55 | 300 Multiple Choices (status code) 129 | |||
301 Moved Permanently (status code) 56 | 301 Moved Permanently (status code) 130 | |||
302 Found (status code) 56 | 302 Found (status code) 130 | |||
303 See Other (status code) 57 | 303 See Other (status code) 131 | |||
305 Use Proxy (status code) 58 | 304 Not Modified (status code) 131 | |||
306 (Unused) (status code) 58 | 305 Use Proxy (status code) 132 | |||
307 Temporary Redirect (status code) 58 | 306 (Unused) (status code) 132 | |||
307 Temporary Redirect (status code) 132 | ||||
308 Permanent Redirect (status code) 133 | ||||
3xx Redirection (status code class) 127 | ||||
4 | 4 | |||
400 Bad Request (status code) 58 | 400 Bad Request (status code) 133 | |||
402 Payment Required (status code) 59 | 401 Unauthorized (status code) 133 | |||
403 Forbidden (status code) 59 | 402 Payment Required (status code) 134 | |||
404 Not Found (status code) 59 | 403 Forbidden (status code) 134 | |||
405 Method Not Allowed (status code) 59 | 404 Not Found (status code) 134 | |||
406 Not Acceptable (status code) 59 | 405 Method Not Allowed (status code) 135 | |||
408 Request Timeout (status code) 60 | 406 Not Acceptable (status code) 135 | |||
409 Conflict (status code) 60 | 407 Proxy Authentication Required (status code) 135 | |||
410 Gone (status code) 60 | 408 Request Timeout (status code) 135 | |||
411 Length Required (status code) 61 | 409 Conflict (status code) 136 | |||
413 Payload Too Large (status code) 61 | 410 Gone (status code) 136 | |||
414 URI Too Long (status code) 61 | 411 Length Required (status code) 136 | |||
415 Unsupported Media Type (status code) 62 | 412 Precondition Failed (status code) 137 | |||
417 Expectation Failed (status code) 62 | 413 Payload Too Large (status code) 137 | |||
426 Upgrade Required (status code) 62 | 414 URI Too Long (status code) 137 | |||
415 Unsupported Media Type (status code) 137 | ||||
416 Range Not Satisfiable (status code) 138 | ||||
417 Expectation Failed (status code) 138 | ||||
418 (Unused) (status code) 138 | ||||
422 Unprocessable Payload (status code) 139 | ||||
426 Upgrade Required (status code) 139 | ||||
4xx Client Error (status code class) 133 | ||||
5 | 5 | |||
500 Internal Server Error (status code) 63 | 500 Internal Server Error (status code) 140 | |||
501 Not Implemented (status code) 63 | 501 Not Implemented (status code) 140 | |||
502 Bad Gateway (status code) 63 | 502 Bad Gateway (status code) 140 | |||
503 Service Unavailable (status code) 63 | 503 Service Unavailable (status code) 140 | |||
504 Gateway Timeout (status code) 63 | 504 Gateway Timeout (status code) 140 | |||
505 HTTP Version Not Supported (status code) 64 | 505 HTTP Version Not Supported (status code) 140 | |||
5xx Server Error (status code class) 139 | ||||
A | A | |||
Accept header field 38 | Accept header field 104 | |||
Accept-Charset header field 40 | Accept-Charset header field 106 | |||
Accept-Encoding header field 41 | Accept-Encoding header field 107 | |||
Accept-Language header field 42 | Accept-Language header field 108 | |||
Allow header field 72 | Accept-Ranges header field 161 | |||
Allow header field 161 | ||||
Authentication-Info header field 159 | ||||
Authorization header field 112 | ||||
accelerator 14 | ||||
authoritative response 163 | ||||
B | ||||
browser 11 | ||||
C | C | |||
cacheable 24 | CONNECT method 83 | |||
compress (content coding) 11 | Canonical Root URI 111 | |||
conditional request 36 | Content-Encoding header field 59 | |||
CONNECT method 30 | Content-Language header field 60 | |||
content coding 11 | Content-Length header field 61 | |||
content negotiation 6 | Content-Location header field 62 | |||
Content-Encoding header field 12 | Content-MD5 header field 173 | |||
Content-Language header field 13 | Content-Range header field 66 | |||
Content-Location header field 15 | Content-Type header field 58 | |||
Content-Transfer-Encoding header field 89 | cache 15 | |||
Content-Type header field 10 | cacheable 15 | |||
captive portal 15 | ||||
client 11 | ||||
compress (Coding Format) 52 | ||||
compress (content coding) 51 | ||||
conditional request 91 | ||||
connection 11 | ||||
content coding 51 | ||||
content negotiation 9 | ||||
D | D | |||
Date header field 67 | DELETE method 82 | |||
deflate (content coding) 11 | Date header field 145 | |||
DELETE method 29 | Delimiters 30 | |||
deflate (Coding Format) 52 | ||||
deflate (content coding) 51 | ||||
downstream 14 | ||||
E | E | |||
Expect header field 34 | ETag field 153 | |||
Expect header field 88 | ||||
effective request URI 43 | ||||
F | F | |||
From header field 44 | Fields | |||
Accept 104 | ||||
Accept-Charset 106 | ||||
Accept-Encoding 107 | ||||
Accept-Language 108 | ||||
Accept-Ranges 161 | ||||
Allow 161 | ||||
Authentication-Info 159 | ||||
Authorization 112 | ||||
Content-Encoding 59 | ||||
Content-Language 60 | ||||
Content-Length 61 | ||||
Content-Location 62 | ||||
Content-MD5 173 | ||||
Content-Range 66 | ||||
Content-Type 58 | ||||
Date 145 | ||||
ETag 153 | ||||
Expect 88 | ||||
From 115 | ||||
Host 43 | ||||
If-Match 95 | ||||
If-Modified-Since 97 | ||||
If-None-Match 96 | ||||
If-Range 100 | ||||
If-Unmodified-Since 98 | ||||
Last-Modified 151 | ||||
Location 146 | ||||
Max-Forwards 90 | ||||
Proxy-Authenticate 159 | ||||
Proxy-Authentication-Info 160 | ||||
Proxy-Authorization 112 | ||||
Range 101 | ||||
Referer 116 | ||||
Retry-After 147 | ||||
Server 162 | ||||
Trailer 34 | ||||
User-Agent 117 | ||||
Vary 147 | ||||
Via 45 | ||||
WWW-Authenticate 158 | ||||
Fragment Identifiers 20 | ||||
From header field 115 | ||||
field 24 | ||||
field line 24 | ||||
field line value 24 | ||||
field name 24 | ||||
field value 24 | ||||
G | G | |||
GET method 24 | GET method 77 | |||
Grammar | Grammar | |||
Accept 38 | absolute-path 16 | |||
Accept-Charset 40 | absolute-URI 16 | |||
Accept-Encoding 41 | Accept 104 | |||
accept-ext 38 | Accept-Charset 106 | |||
Accept-Language 42 | Accept-Encoding 107 | |||
accept-params 38 | accept-ext 104 | |||
Allow 72 | Accept-Language 108 | |||
asctime-date 66 | accept-params 104 | |||
charset 9 | Accept-Ranges 161 | |||
codings 41 | acceptable-ranges 161 | |||
content-coding 11 | Allow 161 | |||
Content-Encoding 12 | ALPHA 10 | |||
Content-Language 13 | asctime-date 144 | |||
Content-Location 15 | auth-param 110 | |||
Content-Type 10 | auth-scheme 110 | |||
Date 67 | Authentication-Info 159 | |||
date1 65 | authority 16 | |||
day 65 | Authorization 112 | |||
day-name 65 | BWS 11 | |||
day-name-l 65 | challenge 110 | |||
delay-seconds 69 | charset 49 | |||
Expect 34 | codings 107 | |||
From 44 | comment 31 | |||
GMT 65 | complete-length 67 | |||
hour 65 | content-coding 51 | |||
HTTP-date 65 | Content-Encoding 59 | |||
IMF-fixdate 65 | Content-Language 60 | |||
language-range 42 | Content-Length 61 | |||
language-tag 13 | Content-Location 62 | |||
Location 68 | Content-Range 67 | |||
Max-Forwards 36 | Content-Type 58 | |||
media-range 38 | CR 10 | |||
media-type 8 | credentials 111 | |||
method 21 | CRLF 10 | |||
minute 65 | ctext 31 | |||
month 65 | CTL 10 | |||
obs-date 66 | Date 145 | |||
parameter 8 | date1 144 | |||
product 46 | day 144 | |||
product-version 46 | day-name 144 | |||
qvalue 38 | day-name-l 144 | |||
Referer 45 | delay-seconds 147 | |||
Retry-After 69 | DIGIT 10 | |||
rfc850-date 66 | DQUOTE 10 | |||
second 65 | entity-tag 154 | |||
Server 73 | ETag 154 | |||
subtype 8 | etagc 154 | |||
time-of-day 65 | Expect 88 | |||
type 8 | field-content 28 | |||
User-Agent 46 | field-name 26, 34 | |||
Vary 70 | field-value 28 | |||
weight 38 | field-vchar 28 | |||
year 65 | first-pos 55, 67 | |||
gzip (content coding) 11 | From 115 | |||
GMT 144 | ||||
HEXDIG 10 | ||||
Host 43 | ||||
hour 144 | ||||
HTAB 10 | ||||
HTTP-date 143 | ||||
http-URI 17 | ||||
https-URI 18 | ||||
If-Match 95 | ||||
If-Modified-Since 97 | ||||
If-None-Match 96 | ||||
If-Range 100 | ||||
If-Unmodified-Since 98 | ||||
IMF-fixdate 144 | ||||
incl-range 67 | ||||
int-range 55 | ||||
language-range 108 | ||||
language-tag 53 | ||||
Last-Modified 151 | ||||
last-pos 55, 67 | ||||
LF 10 | ||||
Location 146 | ||||
Max-Forwards 90 | ||||
media-range 104 | ||||
media-type 49 | ||||
method 73 | ||||
minute 144 | ||||
month 144 | ||||
obs-date 144 | ||||
obs-text 30 | ||||
OCTET 10 | ||||
opaque-tag 154 | ||||
other-range 55 | ||||
OWS 11 | ||||
parameter 31 | ||||
parameter-name 31 | ||||
parameter-value 31 | ||||
partial-URI 16 | ||||
port 16 | ||||
product 117 | ||||
product-version 117 | ||||
protocol-name 45 | ||||
protocol-version 45 | ||||
Proxy-Authenticate 159 | ||||
Proxy-Authentication-Info 160 | ||||
Proxy-Authorization 112 | ||||
pseudonym 45 | ||||
qdtext 30 | ||||
query 16 | ||||
quoted-pair 30 | ||||
quoted-string 30 | ||||
qvalue 104 | ||||
Range 101 | ||||
range-resp 67 | ||||
range-set 55 | ||||
range-spec 55 | ||||
range-unit 54 | ||||
ranges-specifier 55 | ||||
received-by 45 | ||||
received-protocol 45 | ||||
Referer 116 | ||||
Retry-After 147 | ||||
rfc850-date 144 | ||||
RWS 11 | ||||
second 144 | ||||
segment 16 | ||||
Server 162 | ||||
SP 10 | ||||
subtype 49 | ||||
suffix-length 55 | ||||
suffix-range 55 | ||||
tchar 30 | ||||
time-of-day 144 | ||||
token 30 | ||||
token68 110 | ||||
Trailer 34 | ||||
type 49 | ||||
unsatisfied-range 67 | ||||
uri-host 16 | ||||
URI-reference 16 | ||||
User-Agent 117 | ||||
Vary 148 | ||||
VCHAR 10 | ||||
Via 45 | ||||
weak 154 | ||||
weight 104 | ||||
WWW-Authenticate 158 | ||||
year 144 | ||||
gateway 14 | ||||
gzip (Coding Format) 52 | ||||
gzip (content coding) 51 | ||||
H | H | |||
HEAD method 25 | HEAD method 78 | |||
Header Fields | ||||
Accept 104 | ||||
Accept-Charset 106 | ||||
Accept-Encoding 107 | ||||
Accept-Language 108 | ||||
Accept-Ranges 161 | ||||
Allow 161 | ||||
Authentication-Info 159 | ||||
Authorization 112 | ||||
Content-Encoding 59 | ||||
Content-Language 60 | ||||
Content-Length 61 | ||||
Content-Location 62 | ||||
Content-MD5 173 | ||||
Content-Range 66 | ||||
Content-Type 58 | ||||
Date 145 | ||||
ETag 153 | ||||
Expect 88 | ||||
From 115 | ||||
Host 43 | ||||
If-Match 95 | ||||
If-Modified-Since 97 | ||||
If-None-Match 96 | ||||
If-Range 100 | ||||
If-Unmodified-Since 98 | ||||
Last-Modified 151 | ||||
Location 146 | ||||
Max-Forwards 90 | ||||
Proxy-Authenticate 159 | ||||
Proxy-Authentication-Info 160 | ||||
Proxy-Authorization 112 | ||||
Range 101 | ||||
Referer 116 | ||||
Retry-After 147 | ||||
Server 162 | ||||
Trailer 34 | ||||
User-Agent 117 | ||||
Vary 147 | ||||
Via 45 | ||||
WWW-Authenticate 158 | ||||
Host header field 43 | ||||
header section 24 | ||||
http URI scheme 17 | ||||
https URI scheme 18 | ||||
I | I | |||
idempotent 23 | If-Match header field 95 | |||
If-Modified-Since header field 97 | ||||
If-None-Match header field 96 | ||||
If-Range header field 100 | ||||
If-Unmodified-Since header field 98 | ||||
idempotent 76 | ||||
inbound 14 | ||||
interception proxy 15 | ||||
intermediary 13 | ||||
L | L | |||
Location header field 68 | Last-Modified header field 151 | |||
Location header field 146 | ||||
M | M | |||
Max-Forwards header field 36 | Max-Forwards header field 90 | |||
MIME-Version header field 89 | Media Type | |||
multipart/byteranges 68 | ||||
multipart/x-byteranges 69 | ||||
message 12 | ||||
metadata 149 | ||||
multipart/byteranges Media Type 68 | ||||
multipart/x-byteranges Media Type 69 | ||||
N | ||||
non-transforming proxy 47 | ||||
O | O | |||
OPTIONS method 31 | OPTIONS method 85 | |||
origin 37 | ||||
origin server 11 | ||||
outbound 14 | ||||
P | P | |||
payload 17 | POST method 79 | |||
POST method 25 | PUT method 80 | |||
PUT method 26 | Protection Space 111 | |||
Proxy-Authenticate header field 159 | ||||
Proxy-Authentication-Info header field 160 | ||||
Proxy-Authorization header field 112 | ||||
payload 64 | ||||
phishing 163 | ||||
proxy 14 | ||||
R | R | |||
Referer header field 45 | Range header field 101 | |||
representation 7 | Realm 111 | |||
Retry-After header field 69 | Referer header field 116 | |||
Retry-After header field 147 | ||||
recipient 11 | ||||
representation 48 | ||||
request 12 | ||||
resource 16 | ||||
response 12 | ||||
reverse proxy 14 | ||||
S | S | |||
safe 22 | Server header field 162 | |||
selected representation 7, 71 | Status Code 118 | |||
Server header field 73 | Status Codes | |||
Final 119 | ||||
Informational 119 | ||||
Interim 119 | ||||
Status Codes Classes | Status Codes Classes | |||
1xx Informational 50 | 1xx Informational 120 | |||
2xx Successful 51 | 2xx Successful 121 | |||
3xx Redirection 54 | 3xx Redirection 127 | |||
4xx Client Error 58 | 4xx Client Error 133 | |||
5xx Server Error 62 | 5xx Server Error 139 | |||
safe 75 | ||||
secured 18 | ||||
selected representation 48, 91, 149 | ||||
sender 11 | ||||
server 11 | ||||
spider 11 | ||||
T | T | |||
TRACE method 32 | TRACE method 86 | |||
Trailer Fields | ||||
ETag 153 | ||||
Trailer header field 34 | ||||
target URI 37 | ||||
target resource 37 | ||||
trailer fields 33 | ||||
trailer section 24 | ||||
trailers 33 | ||||
transforming proxy 47 | ||||
transparent proxy 15 | ||||
tunnel 14 | ||||
U | U | |||
User-Agent header field 46 | URI | |||
origin 37 | ||||
URI scheme | ||||
http 17 | ||||
https 18 | ||||
User-Agent header field 117 | ||||
upstream 14 | ||||
user agent 11 | ||||
V | V | |||
Vary header field 70 | Vary header field 147 | |||
Via header field 45 | ||||
validator 149 | ||||
strong 150 | ||||
weak 150 | ||||
W | ||||
WWW-Authenticate header field 158 | ||||
X | X | |||
x-compress (content coding) 11 | x-compress (content coding) 51 | |||
x-gzip (content coding) 11 | x-gzip (content coding) 51 | |||
Acknowledgments | Acknowledgments | |||
See Section 10 of [RFC7230]. | This edition of the HTTP specification builds on the many | |||
contributions that went into RFC 1945, RFC 2068, RFC 2145, RFC 2616, | ||||
and RFC 2818, including substantial contributions made by the | ||||
previous authors, editors, and Working Group Chairs: Tim Berners-Lee, | ||||
Ari Luotonen, Roy T. Fielding, Henrik Frystyk Nielsen, Jim Gettys, | ||||
Jeffrey C. Mogul, Larry Masinter, Paul J. Leach, Eric Rescorla, and | ||||
Yves Lafon. | ||||
This specification takes over the definition of the HTTP | See Section 10 of [RFC7230] for further acknowledgements from prior | |||
Authentication Framework, previously defined in RFC 2617. We thank | revisions. | |||
John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. | ||||
Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for | In addition, this document has reincorporated the HTTP Authentication | |||
their work on that specification. See Section 6 of [RFC2617] for | Framework, previously defined in RFC 7235 and RFC 2617. We thank | |||
John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott | ||||
D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart | ||||
for their work on that specification. See Section 6 of [RFC2617] for | ||||
further acknowledgements. | further acknowledgements. | |||
[[newacks: New acks to be added here.]] | ||||
Authors' Addresses | Authors' Addresses | |||
Roy T. Fielding (editor) | Roy T. Fielding (editor) | |||
Adobe Systems Incorporated | Adobe | |||
345 Park Ave | 345 Park Ave | |||
San Jose, CA 95110 | San Jose, CA 95110 | |||
USA | United States of America | |||
EMail: fielding@gbiv.com | EMail: fielding@gbiv.com | |||
URI: http://roy.gbiv.com/ | URI: https://roy.gbiv.com/ | |||
Mark Nottingham (editor) | ||||
Fastly | ||||
EMail: mnot@mnot.net | ||||
URI: https://www.mnot.net/ | ||||
Julian F. Reschke (editor) | Julian F. Reschke (editor) | |||
greenbytes GmbH | greenbytes GmbH | |||
Hafenweg 16 | Hafenweg 16 | |||
Muenster, NW 48155 | Muenster 48155 | |||
Germany | Germany | |||
EMail: julian.reschke@greenbytes.de | EMail: julian.reschke@greenbytes.de | |||
URI: http://greenbytes.de/tech/webdav/ | URI: https://greenbytes.de/tech/webdav/ | |||
End of changes. 913 change blocks. | ||||
2429 lines changed or deleted | 3920 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |