IETF 77 - HTTPbis vs RFC2231

Julian Reschke, greenbytes

Problem Statement (1/2)

• RFC2616 includes "Content-Disposition" (RFC 2616, Section 19.5.1), but also says:
  RFC 1806 [35], from which the often implemented Content-Disposition (see Appendix 19.5.1) header in HTTP is derived, has a number of very serious security considerations. Content-Disposition is not part of the HTTP standard, but since it is widely implemented, we are documenting its use and risks for implementers. (RFC2616, Section 15.5)
• Refers to RFC 1806 (definition of Content-Disposition), obsoleted by RFC 2183.
• I18N for Content-Disposition (filename) relies on on MIME specs RFC 2047, augmented RFC 2184, which itself was obsoleted by RFC 2231 ('MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations').

Problem Statement (2/2)

• RFC 2183 did not state that it obsoleted RFC 1806, making it hard to find the up-to-date spec (fixed in RFC Index in the meantime)
• RFC 2231 specifies many features that are not needed in HTTP, but also fails to REQUIRE common character sets for interoperability
• Interoperability suffers from all of this, see test cases at http://greenbytes.de/tech/tc2231/ -- Firefox, Konqueror and Opera are fine, the other UAs do not support the I18N extensions defined in RFC 2231.

Proposal

• Remove from HTTPbis (discussed during IETF-72 in Dublin)
• Profile RFC 2231 for use in HTTP (remove ambiguities, fix grammar, remove unneeded features, require a common character set: draft-reschke-rfc2231-in-http-10).
  (Note: does not normatively refer to RFC 2231 so it can evolve independently)
  In IETF Last Call - ending 2010-03-22 (yes, today!)
• Profile makes it easier for new HTTP header definitions to "opt in" (HTTP Link Header / Web Linking specification, past IETF LC, does this)
• Get feedback from "other" UA vendors (I was told that profiling RFC 2231 made it more reasonable to implement)
• Move actual definition of Content-Disposition as HTTP header into a separate specification (work has started with draft-reschke-rfc2183-in-http-00)
• Mention the profile in a yet to be written section about defining new HTTP headers.