draft-reschke-http-jfv-01.txt   draft-reschke-http-jfv-02.txt 
Network Working Group J. Reschke Network Working Group J. Reschke
Internet-Draft greenbytes Internet-Draft greenbytes
Intended status: Standards Track March 9, 2015 Intended status: Standards Track October 5, 2015
Expires: September 10, 2015 Expires: April 7, 2016
A JSON Encoding for HTTP Header Field Values A JSON Encoding for HTTP Header Field Values
draft-reschke-http-jfv-01 draft-reschke-http-jfv-02
Abstract Abstract
This document establishes a convention for use of JSON-encoded field This document establishes a convention for use of JSON-encoded field
values in HTTP header fields. values in HTTP header fields.
Editorial Note (To be removed by RFC Editor before publication) Editorial Note (To be removed by RFC Editor before publication)
Distribution of this document is unlimited. Although this is not a Distribution of this document is unlimited. Although this is not a
work item of the HTTPbis Working Group, comments should be sent to work item of the HTTPbis Working Group, comments should be sent to
the Hypertext Transfer Protocol (HTTP) mailing list at the Hypertext Transfer Protocol (HTTP) mailing list at
ietf-http-wg@w3.org [1], which may be joined by sending a message ietf-http-wg@w3.org [1], which may be joined by sending a message
with subject "subscribe" to ietf-http-wg-request@w3.org [2]. with subject "subscribe" to ietf-http-wg-request@w3.org [2].
Discussions of the HTTPbis Working Group are archived at Discussions of the HTTPbis Working Group are archived at
<http://lists.w3.org/Archives/Public/ietf-http-wg/>. <http://lists.w3.org/Archives/Public/ietf-http-wg/>.
XML versions and latest edits for this document are available from XML versions and latest edits for this document are available from
<http://greenbytes.de/tech/webdav/#draft-reschke-http-jfv>. <http://greenbytes.de/tech/webdav/#draft-reschke-http-jfv>.
The changes in this draft are summarized in Appendix A.2.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2015. This Internet-Draft will expire on April 7, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Data Model and Format . . . . . . . . . . . . . . . . . . . . . 3 2. Data Model and Format . . . . . . . . . . . . . . . . . . . . 3
3. Sender Requirements . . . . . . . . . . . . . . . . . . . . . . 4 3. Sender Requirements . . . . . . . . . . . . . . . . . . . . . 4
4. Recipient Requirements . . . . . . . . . . . . . . . . . . . . 5 4. Recipient Requirements . . . . . . . . . . . . . . . . . . . . 5
5. Using this Format in Header Field Definitions . . . . . . . . . 5 5. Using this Format in Header Field Definitions . . . . . . . . 5
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6.1. Content-Length . . . . . . . . . . . . . . . . . . . . . . 5 6.1. Content-Length . . . . . . . . . . . . . . . . . . . . . . 5
6.2. Content-Disposition . . . . . . . . . . . . . . . . . . . . 6 6.2. Content-Disposition . . . . . . . . . . . . . . . . . . . 6
6.3. WWW-Authenticate . . . . . . . . . . . . . . . . . . . . . 7 6.3. WWW-Authenticate . . . . . . . . . . . . . . . . . . . . . 7
7. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 7
8. Deployment Considerations . . . . . . . . . . . . . . . . . . . 8 8. Deployment Considerations . . . . . . . . . . . . . . . . . . 8
9. Internationalization Considerations . . . . . . . . . . . . . . 8 9. Internationalization Considerations . . . . . . . . . . . . . 8
10. Security Considerations . . . . . . . . . . . . . . . . . . . . 8 10. Security Considerations . . . . . . . . . . . . . . . . . . . 8
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
11.1. Normative References . . . . . . . . . . . . . . . . . . . 8 11.1. Normative References . . . . . . . . . . . . . . . . . . . 8
11.2. Informative References . . . . . . . . . . . . . . . . . . 9 11.2. Informative References . . . . . . . . . . . . . . . . . . 9
Appendix A. Change Log (to be removed by RFC Editor before Appendix A. Change Log (to be removed by RFC Editor before
publication) . . . . . . . . . . . . . . . . . . . . . 9 publication) . . . . . . . . . . . . . . . . . . . . 10
A.1. draft-reschke-http-jfv-00 . . . . . . . . . . . . . . . . . 9 A.1. Since draft-reschke-http-jfv-00 . . . . . . . . . . . . . 10
A.2. Since draft-reschke-http-jfv-01 . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
Defining syntax for new HTTP header fields ([RFC7230], Section 3.2) Defining syntax for new HTTP header fields ([RFC7230], Section 3.2)
is non-trivial. Among the commonly encountered problems are: is non-trivial. Among the commonly encountered problems are:
o There is no common syntax for complex field values. Several well- o There is no common syntax for complex field values. Several well-
known header fields do use a similarly looking syntax, but it is known header fields do use a similarly looking syntax, but it is
hard to write generic parsing code that will both correctly handle hard to write generic parsing code that will both correctly handle
valid field values but also reject invalid ones. valid field values but also reject invalid ones.
skipping to change at page 5, line 24 skipping to change at page 5, line 24
3. run the resulting octet sequence through a JSON parser. 3. run the resulting octet sequence through a JSON parser.
The result of the parsing operation is either an error (in which case The result of the parsing operation is either an error (in which case
the header field values needs to be considered invalid), or a JSON the header field values needs to be considered invalid), or a JSON
array. array.
5. Using this Format in Header Field Definitions 5. Using this Format in Header Field Definitions
[[anchor5: Explain what a definition of a new header field needs to [[anchor5: Explain what a definition of a new header field needs to
do precisely to use this format]] do precisely to use this format, mention must-ignore extensibiliy]]
6. Examples 6. Examples
This section shows how some of the existing HTTP header fields would This section shows how some of the existing HTTP header fields would
look like if they would use the format defined by this specification. look like if they would use the format defined by this specification.
6.1. Content-Length 6.1. Content-Length
"Content-Length" is defined in Section 3.3.2 of [RFC7230], with the "Content-Length" is defined in Section 3.3.2 of [RFC7230], with the
field value's ABNF being: field value's ABNF being:
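Review bot: In the revised [[anchor5]] note in Section 5, "extensibiliy" should read "extensibility". Since the note now promises must-ignore extensibility, the eventual text should say which parts of a parsed value a recipient ignores, because the Section 4 text shown here only distinguishes a parse error from a JSON array. The unchanged sentence just above also has a number slip ("the header field values needs to be considered invalid") that could be fixed in the same pass.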
skipping to change at page 7, line 7 skipping to change at page 7, line 7
definition of Content-Disposition would have used the format proposed definition of Content-Disposition would have used the format proposed
here, the workaround involving the "parameter*" syntax would not have here, the workaround involving the "parameter*" syntax would not have
been needed at all. been needed at all.
The JSON representation of this value could then be: The JSON representation of this value could then be:
{ "attachment": { "filename" : "\u20AC rates" } } { "attachment": { "filename" : "\u20AC rates" } }
6.3. WWW-Authenticate 6.3. WWW-Authenticate
The WWW-Authenticate is defined in Section 4.1 of [RFC7235] as a list The WWW-Authenticate header field value is defined in Section 4.1 of
of "challenges": [RFC7235] as a list of "challenges":
WWW-Authenticate = 1#challenge WWW-Authenticate = 1#challenge
...where a challenge consists of a scheme with optional parameters: ...where a challenge consists of a scheme with optional parameters:
challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
An example for a complex header field value given in the definition An example for a complex header field value given in the definition
of the header field is: of the header field is:
skipping to change at page 7, line 52 skipping to change at page 7, line 52
...which would translate to a header field value of: ...which would translate to a header field value of:
{ "Newauth" : { "realm": "apps", "type" : 1, { "Newauth" : { "realm": "apps", "type" : 1,
"title": "Login to \"apps\"" }}, "title": "Login to \"apps\"" }},
{ "Basic" : { "realm": "simple"}} { "Basic" : { "realm": "simple"}}
7. Discussion 7. Discussion
This approach uses a default of "JSON array", using implicit array This approach uses a default of "JSON array", using implicit array
markers. An alternative would be a default of "JSON object". This markers. An alternative would be a default of "JSON object". This
would simplify the syntax for non-list-typed haeders, but all the would simplify the syntax for non-list-typed header fields, but all
benefits of having the same data model for both types of header the benefits of having the same data model for both types of header
fields would be gone. A hybrid approach might make sense, as long as fields would be gone. A hybrid approach might make sense, as long as
it doesn't require any heuristics on the recipient's side. it doesn't require any heuristics on the recipient's side.
[[anchor7: Use of generic libs vs compactness of field values..]] [[anchor7: Use of generic libs vs compactness of field values..]]
8. Deployment Considerations 8. Deployment Considerations
This JSON-based syntax will only apply to newly introduced header This JSON-based syntax will only apply to newly introduced header
fields, thus backwards compatibility is not a problem. That being fields, thus backwards compatibility is not a problem. That being
said, it is conceivable that there is existing code that might trip said, it is conceivable that there is existing code that might trip
over double quotes not being used for HTTP's quoted-string syntax over double quotes not being used for HTTP's quoted-string syntax
(Section 3.2.6 of [RFC7230]). (Section 3.2.6 of [RFC7230]).
9. Internationalization Considerations 9. Internationalization Considerations
[[anchor10: TBD, mention migration path to message format that is [[anchor10: TBD, mention migration path to message format that is
robust wrt UTF-8, or other binary encodings of JSON]] robust wrt UTF-8, or other binary encodings of JSON]]
10. Security Considerations 10. Security Considerations
[[anchor12: TBD]] Using JSON-shaped field values is believed to not introduce any new
threads beyond those described in Section 12 of [RFC7159], namely the
risk of recipients using the wrong tools to parse them.
Other than that, any syntax that makes extensions easy can be used to
smuggle information through field values; however, this concern is
shared with other widely used formats, such as those using parameters
in the form of name/value pairs.
11. References 11. References
11.1. Normative References 11.1. Normative References
[RFC0020] Cerf, V., "ASCII format for network interchange", [RFC0020] Cerf, V., "ASCII format for network interchange",
STD 80, RFC 20, October 1969. STD 80, RFC 20, DOI 10.17487/RFC0020, October 1969,
<http://www.rfc-editor.org/info/rfc20>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for
Syntax Specifications: ABNF", STD 68, RFC 5234, Syntax Specifications: ABNF", STD 68, RFC 5234,
January 2008. DOI 10.17487/RFC5234, January 2008,
<http://www.rfc-editor.org/info/rfc5234>.
[RFC7159] Bray, T., "The JavaScript Object Notation (JSON) [RFC7159] Bray, T., "The JavaScript Object Notation (JSON)
Data Interchange Format", RFC 7159, March 2014. Data Interchange Format", RFC 7159, DOI 10.17487/
RFC7159, March 2014,
<http://www.rfc-editor.org/info/rfc7159>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
Transfer Protocol (HTTP/1.1): Message Syntax and Transfer Protocol (HTTP/1.1): Message Syntax and
Routing", RFC 7230, June 2014. Routing", RFC 7230, DOI 10.17487/RFC7230,
June 2014,
<http://www.rfc-editor.org/info/rfc7230>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
Transfer Protocol (HTTP/1.1): Semantics and Transfer Protocol (HTTP/1.1): Semantics and
Content", RFC 7231, June 2014. Content", RFC 7231, DOI 10.17487/RFC7231,
June 2014,
<http://www.rfc-editor.org/info/rfc7231>.
11.2. Informative References 11.2. Informative References
[ISO-8859-1] International Organization for Standardization, [ISO-8859-1] International Organization for Standardization,
"Information technology -- 8-bit single-byte coded "Information technology -- 8-bit single-byte coded
graphic character sets -- Part 1: Latin alphabet graphic character sets -- Part 1: Latin alphabet
No. 1", ISO/IEC 8859-1:1998, 1998. No. 1", ISO/IEC 8859-1:1998, 1998.
[RFC5987] Reschke, J., "Character Set and Language Encoding [RFC5987] Reschke, J., "Character Set and Language Encoding
for Hypertext Transfer Protocol (HTTP) Header Field for Hypertext Transfer Protocol (HTTP) Header Field
Parameters", RFC 5987, August 2010. Parameters", RFC 5987, DOI 10.17487/RFC5987,
August 2010,
<http://www.rfc-editor.org/info/rfc5987>.
[RFC6266] Reschke, J., "Use of the Content-Disposition Header [RFC6266] Reschke, J., "Use of the Content-Disposition Header
Field in the Hypertext Transfer Protocol (HTTP)", Field in the Hypertext Transfer Protocol (HTTP)",
RFC 6266, June 2011. RFC 6266, DOI 10.17487/RFC6266, June 2011,
<http://www.rfc-editor.org/info/rfc6266>.
[RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in
Internationalization in the IETF", BCP 166, Internationalization in the IETF", BCP 166,
RFC 6365, September 2011. RFC 6365, DOI 10.17487/RFC6365, September 2011,
<http://www.rfc-editor.org/info/rfc6365>.
[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
Transfer Protocol (HTTP/1.1): Authentication", Transfer Protocol (HTTP/1.1): Authentication",
RFC 7235, June 2014. RFC 7235, DOI 10.17487/RFC7235, June 2014,
<http://www.rfc-editor.org/info/rfc7235>.
[XMLHttpRequest] van Kesteren, A., Aubourg, J., Song, J., and H. [XMLHttpRequest] van Kesteren, A., Aubourg, J., Song, J., and H.
Steen, "XMLHttpRequest Level 1", W3C Working Steen, "XMLHttpRequest Level 1", W3C Working
Draft WD-XMLHttpRequest-20140130, January 2014, <ht Draft WD-XMLHttpRequest-20140130, January 2014, <ht
tp://www.w3.org/TR/2014/ tp://www.w3.org/TR/2014/
WD-XMLHttpRequest-20140130/>. WD-XMLHttpRequest-20140130/>.
Latest version available at Latest version available at
<http://www.w3.org/TR/XMLHttpRequest/>. <http://www.w3.org/TR/XMLHttpRequest/>.
URIs URIs
[1] <mailto:ietf-http-wg@w3.org> [1] <mailto:ietf-http-wg@w3.org>
[2] <mailto:ietf-http-wg-request@w3.org?subject=subscribe> [2] <mailto:ietf-http-wg-request@w3.org?subject=subscribe>
Appendix A. Change Log (to be removed by RFC Editor before publication) Appendix A. Change Log (to be removed by RFC Editor before publication)
A.1. draft-reschke-http-jfv-00 A.1. Since draft-reschke-http-jfv-00
Editorial fixes + working on the TODOs. Editorial fixes + working on the TODOs.
A.2. Since draft-reschke-http-jfv-01
Mention slightly increased risk of smuggling information in header
field values.
Author's Address Author's Address
Julian F. Reschke Julian F. Reschke
greenbytes GmbH greenbytes GmbH
Hafenweg 16 Hafenweg 16
Muenster, NW 48155 Muenster, NW 48155
Germany Germany
EMail: julian.reschke@greenbytes.de EMail: julian.reschke@greenbytes.de
URI: http://greenbytes.de/tech/webdav/ URI: http://greenbytes.de/tech/webdav/
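Review bot: In the new Section 10 text, "any new threads" should read "any new threats", and "the risk of recipients using the wrong tools to parse them" leaves the reader to guess which tools are meant and what goes wrong; state the risk in this section rather than relying only on the pointer to Section 12 of [RFC7159]. The A.2 change-log entry describes a "slightly increased risk" of smuggling information, while the section itself says the concern is shared with other widely used formats, so the two should be brought into agreement.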
 End of changes. 22 change blocks. 
39 lines changed or deleted 66 lines changed or added
