aboutsummaryrefslogtreecommitdiffstats
path: root/vendor/sabre/dav/docs/draft-ietf-httpbis-p1-messaging-11.txt
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/sabre/dav/docs/draft-ietf-httpbis-p1-messaging-11.txt')
-rw-r--r--vendor/sabre/dav/docs/draft-ietf-httpbis-p1-messaging-11.txt5152
1 files changed, 5152 insertions, 0 deletions
diff --git a/vendor/sabre/dav/docs/draft-ietf-httpbis-p1-messaging-11.txt b/vendor/sabre/dav/docs/draft-ietf-httpbis-p1-messaging-11.txt
new file mode 100644
index 000000000..c0d449877
--- /dev/null
+++ b/vendor/sabre/dav/docs/draft-ietf-httpbis-p1-messaging-11.txt
@@ -0,0 +1,5152 @@
+
+
+
+HTTPbis Working Group R. Fielding, Ed.
+Internet-Draft Day Software
+Obsoletes: 2616 (if approved) J. Gettys
+Updates: 2817 (if approved) Alcatel-Lucent
+Intended status: Standards Track J. Mogul
+Expires: February 5, 2011 HP
+ H. Frystyk
+ Microsoft
+ L. Masinter
+ Adobe Systems
+ P. Leach
+ Microsoft
+ T. Berners-Lee
+ W3C/MIT
+ Y. Lafon, Ed.
+ W3C
+ J. Reschke, Ed.
+ greenbytes
+ August 4, 2010
+
+
+ HTTP/1.1, part 1: URIs, Connections, and Message Parsing
+ draft-ietf-httpbis-p1-messaging-11
+
+Abstract
+
+ The Hypertext Transfer Protocol (HTTP) is an application-level
+ protocol for distributed, collaborative, hypertext information
+ systems. HTTP has been in use by the World Wide Web global
+ information initiative since 1990. This document is Part 1 of the
+ seven-part specification that defines the protocol referred to as
+ "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 1 provides
+ an overview of HTTP and its associated terminology, defines the
+ "http" and "https" Uniform Resource Identifier (URI) schemes, defines
+ the generic message syntax and parsing requirements for HTTP message
+ frames, and describes general security concerns for implementations.
+
+Editorial Note (To be removed by RFC Editor)
+
+ Discussion of this draft should take place on the HTTPBIS working
+ group mailing list (ietf-http-wg@w3.org). The current issues list is
+ at <http://tools.ietf.org/wg/httpbis/trac/report/3> and related
+ documents (including fancy diffs) can be found at
+ <http://tools.ietf.org/wg/httpbis/>.
+
+ The changes in this draft are summarized in Appendix D.12.
+
+Status of This Memo
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 1]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ This Internet-Draft is submitted in full conformance with the
+ provisions of BCP 78 and BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF). Note that other groups may also distribute
+ working documents as Internet-Drafts. The list of current Internet-
+ Drafts is at http://datatracker.ietf.org/drafts/current/.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ This Internet-Draft will expire on February 5, 2011.
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+ This document may contain material from IETF Documents or IETF
+ Contributions published or made publicly available before November
+ 10, 2008. The person(s) controlling the copyright in some of this
+ material may not have granted the IETF Trust the right to allow
+ modifications of such material outside the IETF Standards Process.
+ Without obtaining an adequate license from the person(s) controlling
+ the copyright in such materials, this document may not be modified
+ outside the IETF Standards Process, and derivative works of it may
+ not be created outside the IETF Standards Process, except to format
+ it for publication as an RFC or to translate it into languages other
+ than English.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 7
+ 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 7
+ 1.2.1. ABNF Extension: #rule . . . . . . . . . . . . . . . . 7
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 2]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ 1.2.2. Basic Rules . . . . . . . . . . . . . . . . . . . . . 8
+ 1.2.3. ABNF Rules defined in other Parts of the
+ Specification . . . . . . . . . . . . . . . . . . . . 10
+ 2. HTTP-related architecture . . . . . . . . . . . . . . . . . . 10
+ 2.1. Client/Server Messaging . . . . . . . . . . . . . . . . . 10
+ 2.2. Intermediaries . . . . . . . . . . . . . . . . . . . . . . 12
+ 2.3. Caches . . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 2.4. Transport Independence . . . . . . . . . . . . . . . . . . 14
+ 2.5. HTTP Version . . . . . . . . . . . . . . . . . . . . . . . 14
+ 2.6. Uniform Resource Identifiers . . . . . . . . . . . . . . . 16
+ 2.6.1. http URI scheme . . . . . . . . . . . . . . . . . . . 16
+ 2.6.2. https URI scheme . . . . . . . . . . . . . . . . . . . 18
+ 2.6.3. http and https URI Normalization and Comparison . . . 18
+ 3. HTTP Message . . . . . . . . . . . . . . . . . . . . . . . . . 19
+ 3.1. Message Parsing Robustness . . . . . . . . . . . . . . . . 20
+ 3.2. Header Fields . . . . . . . . . . . . . . . . . . . . . . 20
+ 3.3. Message Body . . . . . . . . . . . . . . . . . . . . . . . 22
+ 3.4. General Header Fields . . . . . . . . . . . . . . . . . . 25
+ 4. Request . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 4.1. Request-Line . . . . . . . . . . . . . . . . . . . . . . . 26
+ 4.1.1. Method . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 4.1.2. request-target . . . . . . . . . . . . . . . . . . . . 27
+ 4.2. The Resource Identified by a Request . . . . . . . . . . . 29
+ 4.3. Effective Request URI . . . . . . . . . . . . . . . . . . 29
+ 5. Response . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
+ 5.1. Status-Line . . . . . . . . . . . . . . . . . . . . . . . 31
+ 5.1.1. Status Code and Reason Phrase . . . . . . . . . . . . 31
+ 6. Protocol Parameters . . . . . . . . . . . . . . . . . . . . . 32
+ 6.1. Date/Time Formats: Full Date . . . . . . . . . . . . . . . 32
+ 6.2. Transfer Codings . . . . . . . . . . . . . . . . . . . . . 34
+ 6.2.1. Chunked Transfer Coding . . . . . . . . . . . . . . . 35
+ 6.2.2. Compression Codings . . . . . . . . . . . . . . . . . 37
+ 6.2.3. Transfer Coding Registry . . . . . . . . . . . . . . . 38
+ 6.3. Product Tokens . . . . . . . . . . . . . . . . . . . . . . 39
+ 6.4. Quality Values . . . . . . . . . . . . . . . . . . . . . . 39
+ 7. Connections . . . . . . . . . . . . . . . . . . . . . . . . . 39
+ 7.1. Persistent Connections . . . . . . . . . . . . . . . . . . 39
+ 7.1.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 40
+ 7.1.2. Overall Operation . . . . . . . . . . . . . . . . . . 40
+ 7.1.3. Proxy Servers . . . . . . . . . . . . . . . . . . . . 42
+ 7.1.4. Practical Considerations . . . . . . . . . . . . . . . 44
+ 7.2. Message Transmission Requirements . . . . . . . . . . . . 45
+ 7.2.1. Persistent Connections and Flow Control . . . . . . . 45
+ 7.2.2. Monitoring Connections for Error Status Messages . . . 45
+ 7.2.3. Use of the 100 (Continue) Status . . . . . . . . . . . 46
+ 7.2.4. Client Behavior if Server Prematurely Closes
+ Connection . . . . . . . . . . . . . . . . . . . . . . 48
+ 8. Miscellaneous notes that might disappear . . . . . . . . . . . 49
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 3]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ 8.1. Scheme aliases considered harmful . . . . . . . . . . . . 49
+ 8.2. Use of HTTP for proxy communication . . . . . . . . . . . 49
+ 8.3. Interception of HTTP for access control . . . . . . . . . 49
+ 8.4. Use of HTTP by other protocols . . . . . . . . . . . . . . 49
+ 8.5. Use of HTTP by media type specification . . . . . . . . . 49
+ 9. Header Field Definitions . . . . . . . . . . . . . . . . . . . 49
+ 9.1. Connection . . . . . . . . . . . . . . . . . . . . . . . . 49
+ 9.2. Content-Length . . . . . . . . . . . . . . . . . . . . . . 50
+ 9.3. Date . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
+ 9.3.1. Clockless Origin Server Operation . . . . . . . . . . 52
+ 9.4. Host . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
+ 9.5. TE . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
+ 9.6. Trailer . . . . . . . . . . . . . . . . . . . . . . . . . 54
+ 9.7. Transfer-Encoding . . . . . . . . . . . . . . . . . . . . 55
+ 9.8. Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . 55
+ 9.8.1. Upgrade Token Registry . . . . . . . . . . . . . . . . 56
+ 9.9. Via . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
+ 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59
+ 10.1. Header Field Registration . . . . . . . . . . . . . . . . 59
+ 10.2. URI Scheme Registration . . . . . . . . . . . . . . . . . 59
+ 10.3. Internet Media Type Registrations . . . . . . . . . . . . 59
+ 10.3.1. Internet Media Type message/http . . . . . . . . . . . 59
+ 10.3.2. Internet Media Type application/http . . . . . . . . . 61
+ 10.4. Transfer Coding Registry . . . . . . . . . . . . . . . . . 62
+ 10.5. Upgrade Token Registration . . . . . . . . . . . . . . . . 62
+ 11. Security Considerations . . . . . . . . . . . . . . . . . . . 62
+ 11.1. Personal Information . . . . . . . . . . . . . . . . . . . 63
+ 11.2. Abuse of Server Log Information . . . . . . . . . . . . . 63
+ 11.3. Attacks Based On File and Path Names . . . . . . . . . . . 63
+ 11.4. DNS Spoofing . . . . . . . . . . . . . . . . . . . . . . . 63
+ 11.5. Proxies and Caching . . . . . . . . . . . . . . . . . . . 64
+ 11.6. Denial of Service Attacks on Proxies . . . . . . . . . . . 65
+ 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 65
+ 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 66
+ 13.1. Normative References . . . . . . . . . . . . . . . . . . . 66
+ 13.2. Informative References . . . . . . . . . . . . . . . . . . 68
+ Appendix A. Tolerant Applications . . . . . . . . . . . . . . . . 70
+ Appendix B. Compatibility with Previous Versions . . . . . . . . 71
+ B.1. Changes from HTTP/1.0 . . . . . . . . . . . . . . . . . . 71
+ B.1.1. Changes to Simplify Multi-homed Web Servers and
+ Conserve IP Addresses . . . . . . . . . . . . . . . . 72
+ B.2. Compatibility with HTTP/1.0 Persistent Connections . . . . 72
+ B.3. Changes from RFC 2616 . . . . . . . . . . . . . . . . . . 73
+ Appendix C. Collected ABNF . . . . . . . . . . . . . . . . . . . 74
+ Appendix D. Change Log (to be removed by RFC Editor before
+ publication) . . . . . . . . . . . . . . . . . . . . 78
+ D.1. Since RFC2616 . . . . . . . . . . . . . . . . . . . . . . 78
+ D.2. Since draft-ietf-httpbis-p1-messaging-00 . . . . . . . . . 78
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 4]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ D.3. Since draft-ietf-httpbis-p1-messaging-01 . . . . . . . . . 80
+ D.4. Since draft-ietf-httpbis-p1-messaging-02 . . . . . . . . . 81
+ D.5. Since draft-ietf-httpbis-p1-messaging-03 . . . . . . . . . 81
+ D.6. Since draft-ietf-httpbis-p1-messaging-04 . . . . . . . . . 82
+ D.7. Since draft-ietf-httpbis-p1-messaging-05 . . . . . . . . . 82
+ D.8. Since draft-ietf-httpbis-p1-messaging-06 . . . . . . . . . 83
+ D.9. Since draft-ietf-httpbis-p1-messaging-07 . . . . . . . . . 84
+ D.10. Since draft-ietf-httpbis-p1-messaging-08 . . . . . . . . . 84
+ D.11. Since draft-ietf-httpbis-p1-messaging-09 . . . . . . . . . 85
+ D.12. Since draft-ietf-httpbis-p1-messaging-10 . . . . . . . . . 85
+ Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 5]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+1. Introduction
+
+ The Hypertext Transfer Protocol (HTTP) is an application-level
+ request/response protocol that uses extensible semantics and MIME-
+ like message payloads for flexible interaction with network-based
+ hypertext information systems. HTTP relies upon the Uniform Resource
+ Identifier (URI) standard [RFC3986] to indicate request targets and
+ relationships between resources. Messages are passed in a format
+ similar to that used by Internet mail [RFC5322] and the Multipurpose
+ Internet Mail Extensions (MIME) [RFC2045] (see Appendix A of [Part3]
+ for the differences between HTTP and MIME messages).
+
+ HTTP is a generic interface protocol for information systems. It is
+ designed to hide the details of how a service is implemented by
+ presenting a uniform interface to clients that is independent of the
+ types of resources provided. Likewise, servers do not need to be
+ aware of each client's purpose: an HTTP request can be considered in
+ isolation rather than being associated with a specific type of client
+ or a predetermined sequence of application steps. The result is a
+ protocol that can be used effectively in many different contexts and
+ for which implementations can evolve independently over time.
+
+ HTTP is also designed for use as an intermediation protocol for
+ translating communication to and from non-HTTP information systems.
+ HTTP proxies and gateways can provide access to alternative
+ information services by translating their diverse protocols into a
+ hypertext format that can be viewed and manipulated by clients in the
+ same way as HTTP services.
+
+ One consequence of HTTP flexibility is that the protocol cannot be
+ defined in terms of what occurs behind the interface. Instead, we
+ are limited to defining the syntax of communication, the intent of
+ received communication, and the expected behavior of recipients. If
+ the communication is considered in isolation, then successful actions
+ ought to be reflected in corresponding changes to the observable
+ interface provided by servers. However, since multiple clients might
+ act in parallel and perhaps at cross-purposes, we cannot require that
+ such changes be observable beyond the scope of a single response.
+
+ This document is Part 1 of the seven-part specification of HTTP,
+ defining the protocol referred to as "HTTP/1.1" and obsoleting
+ [RFC2616]. Part 1 describes the architectural elements that are used
+ or referred to in HTTP, defines the "http" and "https" URI schemes,
+ describes overall network operation and connection management, and
+ defines HTTP message framing and forwarding requirements. Our goal
+ is to define all of the mechanisms necessary for HTTP message
+ handling that are independent of message semantics, thereby defining
+ the complete set of requirements for message parsers and message-
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 6]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ forwarding intermediaries.
+
+1.1. Requirements
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+ An implementation is not compliant if it fails to satisfy one or more
+ of the "MUST" or "REQUIRED" level requirements for the protocols it
+ implements. An implementation that satisfies all the "MUST" or
+ "REQUIRED" level and all the "SHOULD" level requirements for its
+ protocols is said to be "unconditionally compliant"; one that
+ satisfies all the "MUST" level requirements but not all the "SHOULD"
+ level requirements for its protocols is said to be "conditionally
+ compliant".
+
+1.2. Syntax Notation
+
+ This specification uses the Augmented Backus-Naur Form (ABNF)
+ notation of [RFC5234].
+
+ The following core rules are included by reference, as defined in
+ [RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF
+ (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote),
+ HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any 8-bit
+ sequence of data), SP (space), VCHAR (any visible [USASCII]
+ character), and WSP (whitespace).
+
+ As a syntactic convention, ABNF rule names prefixed with "obs-"
+ denote "obsolete" grammar rules that appear for historical reasons.
+
+1.2.1. ABNF Extension: #rule
+
+ The #rule extension to the ABNF rules of [RFC5234] is used to improve
+ readability.
+
+ A construct "#" is defined, similar to "*", for defining comma-
+ delimited lists of elements. The full form is "<n>#<m>element"
+ indicating at least <n> and at most <m> elements, each separated by a
+ single comma (",") and optional whitespace (OWS, Section 1.2.2).
+
+ Thus,
+
+ 1#element => element *( OWS "," OWS element )
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 7]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ and:
+
+ #element => [ 1#element ]
+
+ and for n >= 1 and m > 1:
+
+ <n>#<m>element => element <n-1>*<m-1>( OWS "," OWS element )
+
+ For compatibility with legacy list rules, recipients SHOULD accept
+ empty list elements. In other words, consumers would follow the list
+ productions:
+
+ #element => [ ( "," / element ) *( OWS "," [ OWS element ] ) ]
+
+ 1#element => *( "," OWS ) element *( OWS "," [ OWS element ] )
+
+ Note that empty elements do not contribute to the count of elements
+ present, though.
+
+ For example, given these ABNF productions:
+
+ example-list = 1#example-list-elmt
+ example-list-elmt = token ; see Section 1.2.2
+
+ Then these are valid values for example-list (not including the
+ double quotes, which are present for delimitation only):
+
+ "foo,bar"
+ " foo ,bar,"
+ " foo , ,bar,charlie "
+ "foo ,bar, charlie "
+
+ But these values would be invalid, as at least one non-empty element
+ is required:
+
+ ""
+ ","
+ ", ,"
+
+ Appendix C shows the collected ABNF, with the list rules expanded as
+ explained above.
+
+1.2.2. Basic Rules
+
+ HTTP/1.1 defines the sequence CR LF as the end-of-line marker for all
+ protocol elements other than the message-body (see Appendix A for
+ tolerant applications).
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 8]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ This specification uses three rules to denote the use of linear
+ whitespace: OWS (optional whitespace), RWS (required whitespace), and
+ BWS ("bad" whitespace).
+
+ The OWS rule is used where zero or more linear whitespace characters
+ might appear. OWS SHOULD either not be produced or be produced as a
+ single SP character. Multiple OWS characters that occur within
+ field-content SHOULD be replaced with a single SP before interpreting
+ the field value or forwarding the message downstream.
+
+ RWS is used when at least one linear whitespace character is required
+ to separate field tokens. RWS SHOULD be produced as a single SP
+ character. Multiple RWS characters that occur within field-content
+ SHOULD be replaced with a single SP before interpreting the field
+ value or forwarding the message downstream.
+
+ BWS is used where the grammar allows optional whitespace for
+ historical reasons but senders SHOULD NOT produce it in messages.
+ HTTP/1.1 recipients MUST accept such bad optional whitespace and
+ remove it before interpreting the field value or forwarding the
+ message downstream.
+
+
+ OWS = *( [ obs-fold ] WSP )
+ ; "optional" whitespace
+ RWS = 1*( [ obs-fold ] WSP )
+ ; "required" whitespace
+ BWS = OWS
+ ; "bad" whitespace
+ obs-fold = CRLF
+ ; see Section 3.2
+
+ Many HTTP/1.1 header field values consist of words (token or quoted-
+ string) separated by whitespace or special characters. These special
+ characters MUST be in a quoted string to be used within a parameter
+ value (as defined in Section 6.2).
+
+ word = token / quoted-string
+
+ token = 1*tchar
+
+ tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
+ / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
+ / DIGIT / ALPHA
+ ; any VCHAR, except special
+
+ special = "(" / ")" / "<" / ">" / "@" / ","
+ / ";" / ":" / "\" / DQUOTE / "/" / "["
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 9]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ / "]" / "?" / "=" / "{" / "}"
+
+ A string of text is parsed as a single word if it is quoted using
+ double-quote marks.
+
+ quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
+ qdtext = OWS / %x21 / %x23-5B / %x5D-7E / obs-text
+ ; OWS / <VCHAR except DQUOTE and "\"> / obs-text
+ obs-text = %x80-FF
+
+ The backslash character ("\") can be used as a single-character
+ quoting mechanism within quoted-string constructs:
+
+ quoted-pair = "\" ( WSP / VCHAR / obs-text )
+
+ Producers SHOULD NOT escape characters that do not require escaping
+ (i.e., other than DQUOTE and the backslash character).
+
+1.2.3. ABNF Rules defined in other Parts of the Specification
+
+ The ABNF rules below are defined in other parts:
+
+ request-header = <request-header, defined in [Part2], Section 3>
+ response-header = <response-header, defined in [Part2], Section 5>
+
+
+ MIME-Version = <MIME-Version, defined in [Part3], Appendix A.1>
+
+
+ Cache-Control = <Cache-Control, defined in [Part6], Section 3.4>
+ Pragma = <Pragma, defined in [Part6], Section 3.4>
+ Warning = <Warning, defined in [Part6], Section 3.6>
+
+2. HTTP-related architecture
+
+ HTTP was created for the World Wide Web architecture and has evolved
+ over time to support the scalability needs of a worldwide hypertext
+ system. Much of that architecture is reflected in the terminology
+ and syntax productions used to define HTTP.
+
+2.1. Client/Server Messaging
+
+ HTTP is a stateless request/response protocol that operates by
+ exchanging messages across a reliable transport or session-layer
+ connection. An HTTP "client" is a program that establishes a
+ connection to a server for the purpose of sending one or more HTTP
+ requests. An HTTP "server" is a program that accepts connections in
+ order to service HTTP requests by sending HTTP responses.
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 10]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Note that the terms client and server refer only to the roles that
+ these programs perform for a particular connection. The same program
+ might act as a client on some connections and a server on others. We
+ use the term "user agent" to refer to the program that initiates a
+ request, such as a WWW browser, editor, or spider (web-traversing
+ robot), and the term "origin server" to refer to the program that can
+ originate authoritative responses to a request. For general
+ requirements, we use the term "sender" to refer to whichever
+ component sent a given message and the term "recipient" to refer to
+ any component that receives the message.
+
+ Most HTTP communication consists of a retrieval request (GET) for a
+ representation of some resource identified by a URI. In the simplest
+ case, this might be accomplished via a single bidirectional
+ connection (===) between the user agent (UA) and the origin server
+ (O).
+
+ request >
+ UA ======================================= O
+ < response
+
+ A client sends an HTTP request to the server in the form of a request
+ message (Section 4), beginning with a method, URI, and protocol
+ version, followed by MIME-like header fields containing request
+ modifiers, client information, and payload metadata, an empty line to
+ indicate the end of the header section, and finally the payload body
+ (if any).
+
+ A server responds to the client's request by sending an HTTP response
+ message (Section 5), beginning with a status line that includes the
+ protocol version, a success or error code, and textual reason phrase,
+ followed by MIME-like header fields containing server information,
+ resource metadata, and payload metadata, an empty line to indicate
+ the end of the header section, and finally the payload body (if any).
+
+ The following example illustrates a typical message exchange for a
+ GET request on the URI "http://www.example.com/hello.txt":
+
+ client request:
+
+ GET /hello.txt HTTP/1.1
+ User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
+ Host: www.example.com
+ Accept: */*
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 11]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ server response:
+
+ HTTP/1.1 200 OK
+ Date: Mon, 27 Jul 2009 12:28:53 GMT
+ Server: Apache
+ Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
+ ETag: "34aa387-d-1568eb00"
+ Accept-Ranges: bytes
+ Content-Length: 14
+ Vary: Accept-Encoding
+ Content-Type: text/plain
+
+ Hello World!
+
+2.2. Intermediaries
+
+ A more complicated situation occurs when one or more intermediaries
+ are present in the request/response chain. There are three common
+ forms of intermediary: proxy, gateway, and tunnel. In some cases, a
+ single intermediary might act as an origin server, proxy, gateway, or
+ tunnel, switching behavior based on the nature of each request.
+
+ > > > >
+ UA =========== A =========== B =========== C =========== O
+ < < < <
+
+ The figure above shows three intermediaries (A, B, and C) between the
+ user agent and origin server. A request or response message that
+ travels the whole chain will pass through four separate connections.
+ Some HTTP communication options might apply only to the connection
+ with the nearest, non-tunnel neighbor, only to the end-points of the
+ chain, or to all connections along the chain. Although the diagram
+ is linear, each participant might be engaged in multiple,
+ simultaneous communications. For example, B might be receiving
+ requests from many clients other than A, and/or forwarding requests
+ to servers other than C, at the same time that it is handling A's
+ request.
+
+ We use the terms "upstream" and "downstream" to describe various
+ requirements in relation to the directional flow of a message: all
+ messages flow from upstream to downstream. Likewise, we use the
+ terms "inbound" and "outbound" to refer to directions in relation to
+ the request path: "inbound" means toward the origin server and
+ "outbound" means toward the user agent.
+
+ A "proxy" is a message forwarding agent that is selected by the
+ client, usually via local configuration rules, to receive requests
+ for some type(s) of absolute URI and attempt to satisfy those
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 12]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ requests via translation through the HTTP interface. Some
+ translations are minimal, such as for proxy requests for "http" URIs,
+ whereas other requests might require translation to and from entirely
+ different application-layer protocols. Proxies are often used to
+ group an organization's HTTP requests through a common intermediary
+ for the sake of security, annotation services, or shared caching.
+
+ A "gateway" (a.k.a., "reverse proxy") is a receiving agent that acts
+ as a layer above some other server(s) and translates the received
+ requests to the underlying server's protocol. Gateways are often
+ used for load balancing or partitioning HTTP services across multiple
+ machines. Unlike a proxy, a gateway receives requests as if it were
+ the origin server for the target resource; the requesting client will
+ not be aware that it is communicating with a gateway. A gateway
+ communicates with the client as if the gateway is the origin server
+ and thus is subject to all of the requirements on origin servers for
+ that connection. A gateway communicates with inbound servers using
+ any protocol it desires, including private extensions to HTTP that
+ are outside the scope of this specification.
+
+ A "tunnel" acts as a blind relay between two connections without
+ changing the messages. Once active, a tunnel is not considered a
+ party to the HTTP communication, though the tunnel might have been
+ initiated by an HTTP request. A tunnel ceases to exist when both
+ ends of the relayed connection are closed. Tunnels are used to
+ extend a virtual connection through an intermediary, such as when
+ transport-layer security is used to establish private communication
+ through a shared firewall proxy.
+
+2.3. Caches
+
+ A "cache" is a local store of previous response messages and the
+ subsystem that controls its message storage, retrieval, and deletion.
+ A cache stores cacheable responses in order to reduce the response
+ time and network bandwidth consumption on future, equivalent
+ requests. Any client or server MAY employ a cache, though a cache
+ cannot be used by a server while it is acting as a tunnel.
+
+ The effect of a cache is that the request/response chain is shortened
+ if one of the participants along the chain has a cached response
+ applicable to that request. The following illustrates the resulting
+ chain if B has a cached copy of an earlier response from O (via C)
+ for a request which has not been cached by UA or A.
+
+ > >
+ UA =========== A =========== B - - - - - - C - - - - - - O
+ < <
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 13]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ A response is "cacheable" if a cache is allowed to store a copy of
+ the response message for use in answering subsequent requests. Even
+ when a response is cacheable, there might be additional constraints
+ placed by the client or by the origin server on when that cached
+ response can be used for a particular request. HTTP requirements for
+ cache behavior and cacheable responses are defined in Section 2 of
+ [Part6].
+
+ There are a wide variety of architectures and configurations of
+ caches and proxies deployed across the World Wide Web and inside
+ large organizations. These systems include national hierarchies of
+ proxy caches to save transoceanic bandwidth, systems that broadcast
+ or multicast cache entries, organizations that distribute subsets of
+ cached data via optical media, and so on.
+
+2.4. Transport Independence
+
+ HTTP systems are used in a wide variety of environments, from
+ corporate intranets with high-bandwidth links to long-distance
+ communication over low-power radio links and intermittent
+ connectivity.
+
+ HTTP communication usually takes place over TCP/IP connections. The
+ default port is TCP 80
+ (<http://www.iana.org/assignments/port-numbers>), but other ports can
+ be used. This does not preclude HTTP from being implemented on top
+ of any other protocol on the Internet, or on other networks. HTTP
+ only presumes a reliable transport; any protocol that provides such
+ guarantees can be used; the mapping of the HTTP/1.1 request and
+ response structures onto the transport data units of the protocol in
+ question is outside the scope of this specification.
+
+ In HTTP/1.0, most implementations used a new connection for each
+ request/response exchange. In HTTP/1.1, a connection might be used
+ for one or more request/response exchanges, although connections
+ might be closed for a variety of reasons (see Section 7.1).
+
+2.5. HTTP Version
+
+ HTTP uses a "<major>.<minor>" numbering scheme to indicate versions
+ of the protocol. The protocol versioning policy is intended to allow
+ the sender to indicate the format of a message and its capacity for
+ understanding further HTTP communication, rather than the features
+ obtained via that communication. No change is made to the version
+ number for the addition of message components which do not affect
+ communication behavior or which only add to extensible field values.
+ The <minor> number is incremented when the changes made to the
+ protocol add features which do not change the general message parsing
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 14]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ algorithm, but which might add to the message semantics and imply
+ additional capabilities of the sender. The <major> number is
+ incremented when the format of a message within the protocol is
+ changed. See [RFC2145] for a fuller explanation.
+
+ The version of an HTTP message is indicated by an HTTP-Version field
+ in the first line of the message. HTTP-Version is case-sensitive.
+
+ HTTP-Version = HTTP-Prot-Name "/" 1*DIGIT "." 1*DIGIT
+ HTTP-Prot-Name = %x48.54.54.50 ; "HTTP", case-sensitive
+
+ Note that the major and minor numbers MUST be treated as separate
+ integers and that each MAY be incremented higher than a single digit.
+ Thus, HTTP/2.4 is a lower version than HTTP/2.13, which in turn is
+ lower than HTTP/12.3. Leading zeros MUST be ignored by recipients
+ and MUST NOT be sent.
+
+ An application that sends a request or response message that includes
+ HTTP-Version of "HTTP/1.1" MUST be at least conditionally compliant
+ with this specification. Applications that are at least
+ conditionally compliant with this specification SHOULD use an HTTP-
+ Version of "HTTP/1.1" in their messages, and MUST do so for any
+ message that is not compatible with HTTP/1.0. For more details on
+ when to send specific HTTP-Version values, see [RFC2145].
+
+ The HTTP version of an application is the highest HTTP version for
+ which the application is at least conditionally compliant.
+
+ Proxy and gateway applications need to be careful when forwarding
+ messages in protocol versions different from that of the application.
+ Since the protocol version indicates the protocol capability of the
+ sender, a proxy/gateway MUST NOT send a message with a version
+ indicator which is greater than its actual version. If a higher
+ version request is received, the proxy/gateway MUST either downgrade
+ the request version, or respond with an error, or switch to tunnel
+ behavior.
+
+ Due to interoperability problems with HTTP/1.0 proxies discovered
+ since the publication of [RFC2068], caching proxies MUST, gateways
+ MAY, and tunnels MUST NOT upgrade the request to the highest version
+ they support. The proxy/gateway's response to that request MUST be
+ in the same major version as the request.
+
+ Note: Converting between versions of HTTP might involve
+ modification of header fields required or forbidden by the
+ versions involved.
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 15]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+2.6. Uniform Resource Identifiers
+
+ Uniform Resource Identifiers (URIs) [RFC3986] are used throughout
+ HTTP as the means for identifying resources. URI references are used
+ to target requests, indicate redirects, and define relationships.
+ HTTP does not limit what a resource might be; it merely defines an
+ interface that can be used to interact with a resource via HTTP.
+ More information on the scope of URIs and resources can be found in
+ [RFC3986].
+
+ This specification adopts the definitions of "URI-reference",
+ "absolute-URI", "relative-part", "port", "host", "path-abempty",
+ "path-absolute", "query", and "authority" from [RFC3986]. In
+ addition, we define a partial-URI rule for protocol elements that
+ allow a relative URI without a fragment.
+
+ URI-reference = <URI-reference, defined in [RFC3986], Section 4.1>
+ absolute-URI = <absolute-URI, defined in [RFC3986], Section 4.3>
+ relative-part = <relative-part, defined in [RFC3986], Section 4.2>
+ authority = <authority, defined in [RFC3986], Section 3.2>
+ path-abempty = <path-abempty, defined in [RFC3986], Section 3.3>
+ path-absolute = <path-absolute, defined in [RFC3986], Section 3.3>
+ port = <port, defined in [RFC3986], Section 3.2.3>
+ query = <query, defined in [RFC3986], Section 3.4>
+ uri-host = <host, defined in [RFC3986], Section 3.2.2>
+
+ partial-URI = relative-part [ "?" query ]
+
+ Each protocol element in HTTP that allows a URI reference will
+ indicate in its ABNF production whether the element allows only a URI
+ in absolute form (absolute-URI), any relative reference (relative-
+ ref), or some other subset of the URI-reference grammar. Unless
+ otherwise indicated, URI references are parsed relative to the
+ request target (the default base URI for both the request and its
+ corresponding response).
+
+2.6.1. http URI scheme
+
+ The "http" URI scheme is hereby defined for the purpose of minting
+ identifiers according to their association with the hierarchical
+ namespace governed by a potential HTTP origin server listening for
+ TCP connections on a given port. The HTTP server is identified via
+ the generic syntax's authority component, which includes a host
+ identifier and optional TCP port, and the remainder of the URI is
+ considered to be identifying data corresponding to a resource for
+ which that server might provide an HTTP interface.
+
+ http-URI = "http:" "//" authority path-abempty [ "?" query ]
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 16]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ The host identifier within an authority component is defined in
+ [RFC3986], Section 3.2.2. If host is provided as an IP literal or
+ IPv4 address, then the HTTP server is any listener on the indicated
+ TCP port at that IP address. If host is a registered name, then that
+ name is considered an indirect identifier and the recipient might use
+ a name resolution service, such as DNS, to find the address of a
+ listener for that host. The host MUST NOT be empty; if an "http" URI
+ is received with an empty host, then it MUST be rejected as invalid.
+ If the port subcomponent is empty or not given, then TCP port 80 is
+ assumed (the default reserved port for WWW services).
+
+ Regardless of the form of host identifier, access to that host is not
+ implied by the mere presence of its name or address. The host might
+ or might not exist and, even when it does exist, might or might not
+ be running an HTTP server or listening to the indicated port. The
+ "http" URI scheme makes use of the delegated nature of Internet names
+ and addresses to establish a naming authority (whatever entity has
+ the ability to place an HTTP server at that Internet name or address)
+ and allows that authority to determine which names are valid and how
+ they might be used.
+
+ When an "http" URI is used within a context that calls for access to
+ the indicated resource, a client MAY attempt access by resolving the
+ host to an IP address, establishing a TCP connection to that address
+ on the indicated port, and sending an HTTP request message to the
+ server containing the URI's identifying data as described in
+ Section 4. If the server responds to that request with a non-interim
+ HTTP response message, as described in Section 5, then that response
+ is considered an authoritative answer to the client's request.
+
+ Although HTTP is independent of the transport protocol, the "http"
+ scheme is specific to TCP-based services because the name delegation
+ process depends on TCP for establishing authority. An HTTP service
+ based on some other underlying connection protocol would presumably
+ be identified using a different URI scheme, just as the "https"
+ scheme (below) is used for servers that require an SSL/TLS transport
+ layer on a connection. Other protocols might also be used to provide
+ access to "http" identified resources --- it is only the
+ authoritative interface used for mapping the namespace that is
+ specific to TCP.
+
+ The URI generic syntax for authority also includes a deprecated
+ userinfo subcomponent ([RFC3986], Section 3.2.1) for including user
+ authentication information in the URI. The userinfo subcomponent
+ (and its "@" delimiter) MUST NOT be used in an "http" URI. URI
+ reference recipients SHOULD parse for the existence of userinfo and
+ treat its presence as an error, likely indicating that the deprecated
+ subcomponent is being used to obscure the authority for the sake of
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 17]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ phishing attacks.
+
+2.6.2. https URI scheme
+
+ The "https" URI scheme is hereby defined for the purpose of minting
+ identifiers according to their association with the hierarchical
+ namespace governed by a potential HTTP origin server listening for
+ SSL/TLS-secured connections on a given TCP port.
+
+ All of the requirements listed above for the "http" scheme are also
+ requirements for the "https" scheme, except that a default TCP port
+ of 443 is assumed if the port subcomponent is empty or not given, and
+ the TCP connection MUST be secured for privacy through the use of
+ strong encryption prior to sending the first HTTP request.
+
+ https-URI = "https:" "//" authority path-abempty [ "?" query ]
+
+ Unlike the "http" scheme, responses to "https" identified requests
+ are never "public" and thus are ineligible for shared caching. Their
+ default is "private" and might be further constrained via use of the
+ Cache-Control header field.
+
+ Resources made available via the "https" scheme have no shared
+ identity with the "http" scheme even if their resource identifiers
+ only differ by the single "s" in the scheme name. They are different
+ services governed by different authorities. However, some extensions
+ to HTTP that apply to entire host domains, such as the Cookie
+ protocol, do allow one service to effect communication with the other
+ services based on host domain matching.
+
+ The process for authoritative access to an "https" identified
+ resource is defined in [RFC2818].
+
+2.6.3. http and https URI Normalization and Comparison
+
+ Since the "http" and "https" schemes conform to the URI generic
+ syntax, such URIs are normalized and compared according to the
+ algorithm defined in [RFC3986], Section 6, using the defaults
+ described above for each scheme.
+
+ If the port is equal to the default port for a scheme, the normal
+ form is to elide the port subcomponent. Likewise, an empty path
+ component is equivalent to an absolute path of "/", so the normal
+ form is to provide a path of "/" instead. The scheme and host are
+ case-insensitive and normally provided in lowercase; all other
+ components are compared in a case-sensitive manner. Characters other
+ than those in the "reserved" set are equivalent to their percent-
+ encoded octets (see [RFC3986], Section 2.1): the normal form is to
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 18]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ not encode them.
+
+ For example, the following three URIs are equivalent:
+
+ http://example.com:80/~smith/home.html
+ http://EXAMPLE.com/%7Esmith/home.html
+ http://EXAMPLE.com:/%7esmith/home.html
+
+ [[TODO-not-here: This paragraph does not belong here. --roy]] If
+ path-abempty is the empty string (i.e., there is no slash "/" path
+ separator following the authority), then the "http" URI MUST be given
+ as "/" when used as a request-target (Section 4.1.2). If a proxy
+ receives a host name which is not a fully qualified domain name, it
+ MAY add its domain to the host name it received. If a proxy receives
+ a fully qualified domain name, the proxy MUST NOT change the host
+ name.
+
+3. HTTP Message
+
+ All HTTP/1.1 messages consist of a start-line followed by a sequence
+ of characters in a format similar to the Internet Message Format
+ [RFC5322]: zero or more header fields (collectively referred to as
+ the "headers" or the "header section"), an empty line indicating the
+ end of the header section, and an optional message-body.
+
+ An HTTP message can either be a request from client to server or a
+ response from server to client. Syntactically, the two types of
+ message differ only in the start-line, which is either a Request-Line
+ (for requests) or a Status-Line (for responses), and in the algorithm
+ for determining the length of the message-body (Section 3.3). In
+ theory, a client could receive requests and a server could receive
+ responses, distinguishing them by their different start-line formats,
+ but in practice servers are implemented to only expect a request (a
+ response is interpreted as an unknown or invalid request method) and
+ clients are implemented to only expect a response.
+
+ HTTP-message = start-line
+ *( header-field CRLF )
+ CRLF
+ [ message-body ]
+ start-line = Request-Line / Status-Line
+
+ Whitespace (WSP) MUST NOT be sent between the start-line and the
+ first header field. The presence of whitespace might be an attempt
+ to trick a noncompliant implementation of HTTP into ignoring that
+ field or processing the next line as a new request, either of which
+ might result in security issues when implementations within the
+ request chain interpret the same message differently. HTTP/1.1
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 19]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ servers MUST reject such a message with a 400 (Bad Request) response.
+
+3.1. Message Parsing Robustness
+
+ In the interest of robustness, servers SHOULD ignore at least one
+ empty line received where a Request-Line is expected. In other
+ words, if the server is reading the protocol stream at the beginning
+ of a message and receives a CRLF first, it SHOULD ignore the CRLF.
+
+ Some old HTTP/1.0 client implementations generate an extra CRLF after
+ a POST request as a lame workaround for some early server
+ applications that failed to read message-body content that was not
+ terminated by a line-ending. An HTTP/1.1 client MUST NOT preface or
+ follow a request with an extra CRLF. If terminating the request
+ message-body with a line-ending is desired, then the client MUST
+ include the terminating CRLF octets as part of the message-body
+ length.
+
+ The normal procedure for parsing an HTTP message is to read the
+ start-line into a structure, read each header field into a hash table
+ by field name until the empty line, and then use the parsed data to
+ determine if a message-body is expected. If a message-body has been
+ indicated, then it is read as a stream until an amount of octets
+ equal to the message-body length is read or the connection is closed.
+ Care must be taken to parse an HTTP message as a sequence of octets
+ in an encoding that is a superset of US-ASCII. Attempting to parse
+ HTTP as a stream of Unicode characters in a character encoding like
+ UTF-16 might introduce security flaws due to the differing ways that
+ such parsers interpret invalid characters.
+
+ HTTP allows the set of defined header fields to be extended without
+ changing the protocol version (see Section 10.1). However, such
+ fields might not be recognized by a downstream recipient and might be
+ stripped by non-transparent intermediaries. Unrecognized header
+ fields MUST be forwarded by transparent proxies and SHOULD be ignored
+ by a recipient.
+
+3.2. Header Fields
+
+ Each HTTP header field consists of a case-insensitive field name
+ followed by a colon (":"), optional whitespace, and the field value.
+
+ header-field = field-name ":" OWS [ field-value ] OWS
+ field-name = token
+ field-value = *( field-content / OWS )
+ field-content = *( WSP / VCHAR / obs-text )
+
+ No whitespace is allowed between the header field name and colon.
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 20]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ For security reasons, any request message received containing such
+ whitespace MUST be rejected with a response code of 400 (Bad
+ Request). A proxy MUST remove any such whitespace from a response
+ message before forwarding the message downstream.
+
+ A field value MAY be preceded by optional whitespace (OWS); a single
+ SP is preferred. The field value does not include any leading or
+ trailing white space: OWS occurring before the first non-whitespace
+ character of the field value or after the last non-whitespace
+ character of the field value is ignored and SHOULD be removed before
+ further processing (as this does not change the meaning of the header
+ field).
+
+ The order in which header fields with differing field names are
+ received is not significant. However, it is "good practice" to send
+ header fields that contain control data first, such as Host on
+ requests and Date on responses, so that implementations can decide
+ when not to handle a message as early as possible. A server MUST
+ wait until the entire header section is received before interpreting
+ a request message, since later header fields might include
+ conditionals, authentication credentials, or deliberately misleading
+ duplicate header fields that would impact request processing.
+
+ Multiple header fields with the same field name MUST NOT be sent in a
+ message unless the entire field value for that header field is
+ defined as a comma-separated list [i.e., #(values)]. Multiple header
+ fields with the same field name can be combined into one "field-name:
+ field-value" pair, without changing the semantics of the message, by
+ appending each subsequent field value to the combined field value in
+ order, separated by a comma. The order in which header fields with
+ the same field name are received is therefore significant to the
+ interpretation of the combined field value; a proxy MUST NOT change
+ the order of these field values when forwarding a message.
+
+ Note: The "Set-Cookie" header as implemented in practice (as
+ opposed to how it is specified in [RFC2109]) can occur multiple
+ times, but does not use the list syntax, and thus cannot be
+ combined into a single line. (See Appendix A.2.3 of [Kri2001] for
+ details.) Also note that the Set-Cookie2 header specified in
+ [RFC2965] does not share this problem.
+
+ Historically, HTTP header field values could be extended over
+ multiple lines by preceding each extra line with at least one space
+ or horizontal tab character (line folding). This specification
+ deprecates such line folding except within the message/http media
+ type (Section 10.3.1). HTTP/1.1 senders MUST NOT produce messages
+ that include line folding (i.e., that contain any field-content that
+ matches the obs-fold rule) unless the message is intended for
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 21]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ packaging within the message/http media type. HTTP/1.1 recipients
+ SHOULD accept line folding and replace any embedded obs-fold
+ whitespace with a single SP prior to interpreting the field value or
+ forwarding the message downstream.
+
+ Historically, HTTP has allowed field content with text in the ISO-
+ 8859-1 [ISO-8859-1] character encoding and supported other character
+ sets only through use of [RFC2047] encoding. In practice, most HTTP
+ header field values use only a subset of the US-ASCII character
+ encoding [USASCII]. Newly defined header fields SHOULD limit their
+ field values to US-ASCII characters. Recipients SHOULD treat other
+ (obs-text) octets in field content as opaque data.
+
+ Comments can be included in some HTTP header fields by surrounding
+ the comment text with parentheses. Comments are only allowed in
+ fields containing "comment" as part of their field value definition.
+
+ comment = "(" *( ctext / quoted-cpair / comment ) ")"
+ ctext = OWS / %x21-27 / %x2A-5B / %x5D-7E / obs-text
+ ; OWS / <VCHAR except "(", ")", and "\"> / obs-text
+
+ The backslash character ("\") can be used as a single-character
+ quoting mechanism within comment constructs:
+
+ quoted-cpair = "\" ( WSP / VCHAR / obs-text )
+
+ Producers SHOULD NOT escape characters that do not require escaping
+ (i.e., other than the backslash character "\" and the parentheses "("
+ and ")").
+
+3.3. Message Body
+
+ The message-body (if any) of an HTTP message is used to carry the
+ payload body associated with the request or response.
+
+ message-body = *OCTET
+
+ The message-body differs from the payload body only when a transfer-
+ coding has been applied, as indicated by the Transfer-Encoding header
+ field (Section 9.7). When one or more transfer-codings are applied
+ to a payload in order to form the message-body, the Transfer-Encoding
+ header field MUST contain the list of transfer-codings applied.
+ Transfer-Encoding is a property of the message, not of the payload,
+ and thus MAY be added or removed by any implementation along the
+ request/response chain under the constraints found in Section 6.2.
+
+ The rules for when a message-body is allowed in a message differ for
+ requests and responses.
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 22]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ The presence of a message-body in a request is signaled by the
+ inclusion of a Content-Length or Transfer-Encoding header field in
+ the request's header fields, even if the request method does not
+ define any use for a message-body. This allows the request message
+ framing algorithm to be independent of method semantics.
+
+ For response messages, whether or not a message-body is included with
+ a message is dependent on both the request method and the response
+ status code (Section 5.1.1). Responses to the HEAD request method
+ never include a message-body because the associated response header
+ fields (e.g., Transfer-Encoding, Content-Length, etc.) only indicate
+ what their values would have been if the method had been GET. All
+ 1xx (Informational), 204 (No Content), and 304 (Not Modified)
+ responses MUST NOT include a message-body. All other responses do
+ include a message-body, although the body MAY be of zero length.
+
+ The length of the message-body is determined by one of the following
+ (in order of precedence):
+
+ 1. Any response to a HEAD request and any response with a status
+ code of 100-199, 204, or 304 is always terminated by the first
+ empty line after the header fields, regardless of the header
+ fields present in the message, and thus cannot contain a message-
+ body.
+
+ 2. If a Transfer-Encoding header field (Section 9.7) is present and
+ the "chunked" transfer-coding (Section 6.2) is the final
+ encoding, the message-body length is determined by reading and
+ decoding the chunked data until the transfer-coding indicates the
+ data is complete.
+
+ If a Transfer-Encoding header field is present in a response and
+ the "chunked" transfer-coding is not the final encoding, the
+ message-body length is determined by reading the connection until
+ it is closed by the server. If a Transfer-Encoding header field
+ is present in a request and the "chunked" transfer-coding is not
+ the final encoding, the message-body length cannot be determined
+ reliably; the server MUST respond with the 400 (Bad Request)
+ status code and then close the connection.
+
+ If a message is received with both a Transfer-Encoding header
+ field and a Content-Length header field, the Transfer-Encoding
+ overrides the Content-Length. Such a message might indicate an
+ attempt to perform request or response smuggling (bypass of
+ security-related checks on message routing or content) and thus
+ ought to be handled as an error. The provided Content-Length
+ MUST be removed, prior to forwarding the message downstream, or
+ replaced with the real message-body length after the transfer-
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 23]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ coding is decoded.
+
+ 3. If a message is received without Transfer-Encoding and with
+ either multiple Content-Length header fields or a single Content-
+ Length header field with an invalid value, then the message
+ framing is invalid and MUST be treated as an error to prevent
+ request or response smuggling. If this is a request message, the
+ server MUST respond with a 400 (Bad Request) status code and then
+ close the connection. If this is a response message received by
+ a proxy or gateway, the proxy or gateway MUST discard the
+ received response, send a 502 (Bad Gateway) status code as its
+ downstream response, and then close the connection. If this is a
+ response message received by a user-agent, the message-body
+ length is determined by reading the connection until it is
+ closed; an error SHOULD be indicated to the user.
+
+ 4. If a valid Content-Length header field (Section 9.2) is present
+ without Transfer-Encoding, its decimal value defines the message-
+ body length in octets. If the actual number of octets sent in
+ the message is less than the indicated Content-Length, the
+ recipient MUST consider the message to be incomplete and treat
+ the connection as no longer usable. If the actual number of
+ octets sent in the message is more than the indicated Content-
+ Length, the recipient MUST only process the message-body up to
+ the field value's number of octets; the remainder of the message
+ MUST either be discarded or treated as the next message in a
+ pipeline. For the sake of robustness, a user-agent MAY attempt
+ to detect and correct such an error in message framing if it is
+ parsing the response to the last request on on a connection and
+ the connection has been closed by the server.
+
+ 5. If this is a request message and none of the above are true, then
+ the message-body length is zero (no message-body is present).
+
+ 6. Otherwise, this is a response message without a declared message-
+ body length, so the message-body length is determined by the
+ number of octets received prior to the server closing the
+ connection.
+
+ Since there is no way to distinguish a successfully completed, close-
+ delimited message from a partially-received message interrupted by
+ network failure, implementations SHOULD use encoding or length-
+ delimited messages whenever possible. The close-delimiting feature
+ exists primarily for backwards compatibility with HTTP/1.0.
+
+ A server MAY reject a request that contains a message-body but not a
+ Content-Length by responding with 411 (Length Required).
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 24]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Unless a transfer-coding other than "chunked" has been applied, a
+ client that sends a request containing a message-body SHOULD use a
+ valid Content-Length header field if the message-body length is known
+ in advance, rather than the "chunked" encoding, since some existing
+ services respond to "chunked" with a 411 (Length Required) status
+ code even though they understand the chunked encoding. This is
+ typically because such services are implemented via a gateway that
+ requires a content-length in advance of being called and the server
+ is unable or unwilling to buffer the entire request before
+ processing.
+
+ A client that sends a request containing a message-body MUST include
+ a valid Content-Length header field if it does not know the server
+ will handle HTTP/1.1 (or later) requests; such knowledge can be in
+ the form of specific user configuration or by remembering the version
+ of a prior received response.
+
+ Request messages that are prematurely terminated, possibly due to a
+ cancelled connection or a server-imposed time-out exception, MUST
+ result in closure of the connection; sending an HTTP/1.1 error
+ response prior to closing the connection is OPTIONAL. Response
+ messages that are prematurely terminated, usually by closure of the
+ connection prior to receiving the expected number of octets or by
+ failure to decode a transfer-encoded message-body, MUST be recorded
+ as incomplete. A user agent MUST NOT render an incomplete response
+ message-body as if it were complete (i.e., some indication must be
+ given to the user that an error occurred). Cache requirements for
+ incomplete responses are defined in Section 2.1.1 of [Part6].
+
+ A server MUST read the entire request message-body or close the
+ connection after sending its response, since otherwise the remaining
+ data on a persistent connection would be misinterpreted as the next
+ request. Likewise, a client MUST read the entire response message-
+ body if it intends to reuse the same connection for a subsequent
+ request. Pipelining multiple requests on a connection is described
+ in Section 7.1.2.2.
+
+3.4. General Header Fields
+
+ There are a few header fields which have general applicability for
+ both request and response messages, but which do not apply to the
+ payload being transferred. These header fields apply only to the
+ message being transmitted.
+
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 25]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ general-header = Cache-Control ; [Part6], Section 3.2
+ / Connection ; Section 9.1
+ / Date ; Section 9.3
+ / Pragma ; [Part6], Section 3.4
+ / Trailer ; Section 9.6
+ / Transfer-Encoding ; Section 9.7
+ / Upgrade ; Section 9.8
+ / Via ; Section 9.9
+ / Warning ; [Part6], Section 3.6
+ / MIME-Version ; [Part3], Appendix A.1
+
+ General-header field names can be extended reliably only in
+ combination with a change in the protocol version. However, new or
+ experimental header fields might be given the semantics of general
+ header fields if all parties in the communication recognize them to
+ be general-header fields.
+
+4. Request
+
+ A request message from a client to a server includes, within the
+ first line of that message, the method to be applied to the resource,
+ the identifier of the resource, and the protocol version in use.
+
+ Request = Request-Line ; Section 4.1
+ *( header-field CRLF ) ; Section 3.2
+ CRLF
+ [ message-body ] ; Section 3.3
+
+4.1. Request-Line
+
+ The Request-Line begins with a method token, followed by the request-
+ target and the protocol version, and ending with CRLF. The elements
+ are separated by SP characters. No CR or LF is allowed except in the
+ final CRLF sequence.
+
+ Request-Line = Method SP request-target SP HTTP-Version CRLF
+
+4.1.1. Method
+
+ The Method token indicates the method to be performed on the resource
+ identified by the request-target. The method is case-sensitive.
+
+ Method = token
+
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 26]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+4.1.2. request-target
+
+ The request-target identifies the resource upon which to apply the
+ request.
+
+ request-target = "*"
+ / absolute-URI
+ / ( path-absolute [ "?" query ] )
+ / authority
+
+ The four options for request-target are dependent on the nature of
+ the request.
+
+ The asterisk "*" means that the request does not apply to a
+ particular resource, but to the server itself, and is only allowed
+ when the method used does not necessarily apply to a resource. One
+ example would be
+
+ OPTIONS * HTTP/1.1
+
+ The absolute-URI form is REQUIRED when the request is being made to a
+ proxy. The proxy is requested to forward the request or service it
+ from a valid cache, and return the response. Note that the proxy MAY
+ forward the request on to another proxy or directly to the server
+ specified by the absolute-URI. In order to avoid request loops, a
+ proxy MUST be able to recognize all of its server names, including
+ any aliases, local variations, and the numeric IP address. An
+ example Request-Line would be:
+
+ GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1
+
+ To allow for transition to absolute-URIs in all requests in future
+ versions of HTTP, all HTTP/1.1 servers MUST accept the absolute-URI
+ form in requests, even though HTTP/1.1 clients will only generate
+ them in requests to proxies.
+
+ The authority form is only used by the CONNECT method (Section 7.9 of
+ [Part2]).
+
+ The most common form of request-target is that used to identify a
+ resource on an origin server or gateway. In this case the absolute
+ path of the URI MUST be transmitted (see Section 2.6.1, path-
+ absolute) as the request-target, and the network location of the URI
+ (authority) MUST be transmitted in a Host header field. For example,
+ a client wishing to retrieve the resource above directly from the
+ origin server would create a TCP connection to port 80 of the host
+ "www.example.org" and send the lines:
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 27]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ GET /pub/WWW/TheProject.html HTTP/1.1
+ Host: www.example.org
+
+ followed by the remainder of the Request. Note that the absolute
+ path cannot be empty; if none is present in the original URI, it MUST
+ be given as "/" (the server root).
+
+ If a proxy receives a request without any path in the request-target
+ and the method specified is capable of supporting the asterisk form
+ of request-target, then the last proxy on the request chain MUST
+ forward the request with "*" as the final request-target.
+
+ For example, the request
+
+ OPTIONS http://www.example.org:8001 HTTP/1.1
+
+ would be forwarded by the proxy as
+
+ OPTIONS * HTTP/1.1
+ Host: www.example.org:8001
+
+ after connecting to port 8001 of host "www.example.org".
+
+ The request-target is transmitted in the format specified in
+ Section 2.6.1. If the request-target is percent-encoded ([RFC3986],
+ Section 2.1), the origin server MUST decode the request-target in
+ order to properly interpret the request. Servers SHOULD respond to
+ invalid request-targets with an appropriate status code.
+
+ A transparent proxy MUST NOT rewrite the "path-absolute" part of the
+ received request-target when forwarding it to the next inbound
+ server, except as noted above to replace a null path-absolute with
+ "/" or "*".
+
+ Note: The "no rewrite" rule prevents the proxy from changing the
+ meaning of the request when the origin server is improperly using
+ a non-reserved URI character for a reserved purpose. Implementors
+ need to be aware that some pre-HTTP/1.1 proxies have been known to
+ rewrite the request-target.
+
+ HTTP does not place a pre-defined limit on the length of a request-
+ target. A server MUST be prepared to receive URIs of unbounded
+ length and respond with the 414 (URI Too Long) status code if the
+ received request-target would be longer than the server wishes to
+ handle (see Section 8.4.15 of [Part2]).
+
+ Various ad-hoc limitations on request-target length are found in
+ practice. It is RECOMMENDED that all HTTP senders and recipients
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 28]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ support request-target lengths of 8000 or more octets.
+
+ Note: Fragments ([RFC3986], Section 3.5) are not part of the
+ request-target and thus will not be transmitted in an HTTP
+ request.
+
+4.2. The Resource Identified by a Request
+
+ The exact resource identified by an Internet request is determined by
+ examining both the request-target and the Host header field.
+
+ An origin server that does not allow resources to differ by the
+ requested host MAY ignore the Host header field value when
+ determining the resource identified by an HTTP/1.1 request. (But see
+ Appendix B.1.1 for other requirements on Host support in HTTP/1.1.)
+
+ An origin server that does differentiate resources based on the host
+ requested (sometimes referred to as virtual hosts or vanity host
+ names) MUST use the following rules for determining the requested
+ resource on an HTTP/1.1 request:
+
+ 1. If request-target is an absolute-URI, the host is part of the
+ request-target. Any Host header field value in the request MUST
+ be ignored.
+
+ 2. If the request-target is not an absolute-URI, and the request
+ includes a Host header field, the host is determined by the Host
+ header field value.
+
+ 3. If the host as determined by rule 1 or 2 is not a valid host on
+ the server, the response MUST be a 400 (Bad Request) error
+ message.
+
+ Recipients of an HTTP/1.0 request that lacks a Host header field MAY
+ attempt to use heuristics (e.g., examination of the URI path for
+ something unique to a particular host) in order to determine what
+ exact resource is being requested.
+
+4.3. Effective Request URI
+
+ HTTP requests often do not carry the absolute URI ([RFC3986], Section
+ 4.3) for the target resource; instead, the URI needs to be inferred
+ from the request-target, Host header field, and connection context.
+ The result of this process is called the "effective request URI".
+ The "target resource" is the resource identified by the effective
+ request URI.
+
+ If the request-target is an absolute-URI, then the effective request
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 29]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ URI is the request-target.
+
+ If the request-target uses the path-absolute (plus optional query)
+ syntax or if it is just the asterisk "*", then the effective request
+ URI is constructed by concatenating
+
+ o the scheme name: "http" if the request was received over an
+ insecure TCP connection, or "https" when received over a SSL/
+ TLS-secured TCP connection,
+
+ o the character sequence "://",
+
+ o the authority component, as specified in the Host header
+ (Section 9.4) and determined by the rules in Section 4.2,
+ [[effrequri-nohost: Do we need to include the handling of missing
+ hosts in HTTP/1.0 messages, as described in Section 4.2? -- See
+ <http://tools.ietf.org/wg/httpbis/trac/ticket/221> --jre]] and
+
+ o the request-target obtained from the Request-Line, unless the
+ request-target is just the asterisk "*".
+
+ Otherwise, when request-target uses the authority form, the effective
+ Request URI is undefined.
+
+ Example 1: the effective request URI for the message
+
+ GET /pub/WWW/TheProject.html HTTP/1.1
+ Host: www.example.org:8080
+
+ (received over an insecure TCP connection) is "http", plus "://",
+ plus the authority component "www.example.org:8080", plus the
+ request-target "/pub/WWW/TheProject.html", thus
+ "http://www.example.org:8080/pub/WWW/TheProject.html".
+
+ Example 2: the effective request URI for the message
+
+ GET * HTTP/1.1
+ Host: www.example.org
+
+ (received over an SSL/TLS secured TCP connection) is "https", plus
+ "://", plus the authority component "www.example.org", thus
+ "https://www.example.org".
+
+ Effective request URIs are compared using the rules described in
+ Section 2.6.3, except that empty path components MUST NOT be treated
+ as equivalent to an absolute path of "/".
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 30]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+5. Response
+
+ After receiving and interpreting a request message, a server responds
+ with an HTTP response message.
+
+ Response = Status-Line ; Section 5.1
+ *( header-field CRLF ) ; Section 3.2
+ CRLF
+ [ message-body ] ; Section 3.3
+
+5.1. Status-Line
+
+ The first line of a Response message is the Status-Line, consisting
+ of the protocol version followed by a numeric status code and its
+ associated textual phrase, with each element separated by SP
+ characters. No CR or LF is allowed except in the final CRLF
+ sequence.
+
+ Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
+
+5.1.1. Status Code and Reason Phrase
+
+ The Status-Code element is a 3-digit integer result code of the
+ attempt to understand and satisfy the request. These codes are fully
+ defined in Section 8 of [Part2]. The Reason Phrase exists for the
+ sole purpose of providing a textual description associated with the
+ numeric status code, out of deference to earlier Internet application
+ protocols that were more frequently used with interactive text
+ clients. A client SHOULD ignore the content of the Reason Phrase.
+
+ The first digit of the Status-Code defines the class of response.
+ The last two digits do not have any categorization role. There are 5
+ values for the first digit:
+
+ o 1xx: Informational - Request received, continuing process
+
+ o 2xx: Success - The action was successfully received, understood,
+ and accepted
+
+ o 3xx: Redirection - Further action must be taken in order to
+ complete the request
+
+ o 4xx: Client Error - The request contains bad syntax or cannot be
+ fulfilled
+
+ o 5xx: Server Error - The server failed to fulfill an apparently
+ valid request
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 31]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Status-Code = 3DIGIT
+ Reason-Phrase = *( WSP / VCHAR / obs-text )
+
+6. Protocol Parameters
+
+6.1. Date/Time Formats: Full Date
+
+ HTTP applications have historically allowed three different formats
+ for date/time stamps. However, the preferred format is a fixed-
+ length subset of that defined by [RFC1123]:
+
+ Sun, 06 Nov 1994 08:49:37 GMT ; RFC 1123
+
+ The other formats are described here only for compatibility with
+ obsolete implementations.
+
+ Sunday, 06-Nov-94 08:49:37 GMT ; obsolete RFC 850 format
+ Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format
+
+ HTTP/1.1 clients and servers that parse a date value MUST accept all
+ three formats (for compatibility with HTTP/1.0), though they MUST
+ only generate the RFC 1123 format for representing HTTP-date values
+ in header fields. See Appendix A for further information.
+
+ All HTTP date/time stamps MUST be represented in Greenwich Mean Time
+ (GMT), without exception. For the purposes of HTTP, GMT is exactly
+ equal to UTC (Coordinated Universal Time). This is indicated in the
+ first two formats by the inclusion of "GMT" as the three-letter
+ abbreviation for time zone, and MUST be assumed when reading the
+ asctime format. HTTP-date is case sensitive and MUST NOT include
+ additional whitespace beyond that specifically included as SP in the
+ grammar.
+
+ HTTP-date = rfc1123-date / obs-date
+
+ Preferred format:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 32]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ rfc1123-date = day-name "," SP date1 SP time-of-day SP GMT
+
+ day-name = %x4D.6F.6E ; "Mon", case-sensitive
+ / %x54.75.65 ; "Tue", case-sensitive
+ / %x57.65.64 ; "Wed", case-sensitive
+ / %x54.68.75 ; "Thu", case-sensitive
+ / %x46.72.69 ; "Fri", case-sensitive
+ / %x53.61.74 ; "Sat", case-sensitive
+ / %x53.75.6E ; "Sun", case-sensitive
+
+ date1 = day SP month SP year
+ ; e.g., 02 Jun 1982
+
+ day = 2DIGIT
+ month = %x4A.61.6E ; "Jan", case-sensitive
+ / %x46.65.62 ; "Feb", case-sensitive
+ / %x4D.61.72 ; "Mar", case-sensitive
+ / %x41.70.72 ; "Apr", case-sensitive
+ / %x4D.61.79 ; "May", case-sensitive
+ / %x4A.75.6E ; "Jun", case-sensitive
+ / %x4A.75.6C ; "Jul", case-sensitive
+ / %x41.75.67 ; "Aug", case-sensitive
+ / %x53.65.70 ; "Sep", case-sensitive
+ / %x4F.63.74 ; "Oct", case-sensitive
+ / %x4E.6F.76 ; "Nov", case-sensitive
+ / %x44.65.63 ; "Dec", case-sensitive
+ year = 4DIGIT
+
+ GMT = %x47.4D.54 ; "GMT", case-sensitive
+
+ time-of-day = hour ":" minute ":" second
+ ; 00:00:00 - 23:59:59
+
+ hour = 2DIGIT
+ minute = 2DIGIT
+ second = 2DIGIT
+
+ The semantics of day-name, day, month, year, and time-of-day are the
+ same as those defined for the RFC 5322 constructs with the
+ corresponding name ([RFC5322], Section 3.3).
+
+ Obsolete formats:
+
+ obs-date = rfc850-date / asctime-date
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 33]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT
+ date2 = day "-" month "-" 2DIGIT
+ ; day-month-year (e.g., 02-Jun-82)
+
+ day-name-l = %x4D.6F.6E.64.61.79 ; "Monday", case-sensitive
+ / %x54.75.65.73.64.61.79 ; "Tuesday", case-sensitive
+ / %x57.65.64.6E.65.73.64.61.79 ; "Wednesday", case-sensitive
+ / %x54.68.75.72.73.64.61.79 ; "Thursday", case-sensitive
+ / %x46.72.69.64.61.79 ; "Friday", case-sensitive
+ / %x53.61.74.75.72.64.61.79 ; "Saturday", case-sensitive
+ / %x53.75.6E.64.61.79 ; "Sunday", case-sensitive
+
+
+ asctime-date = day-name SP date3 SP time-of-day SP year
+ date3 = month SP ( 2DIGIT / ( SP 1DIGIT ))
+ ; month day (e.g., Jun 2)
+
+ Note: Recipients of date values are encouraged to be robust in
+ accepting date values that might have been sent by non-HTTP
+ applications, as is sometimes the case when retrieving or posting
+ messages via proxies/gateways to SMTP or NNTP.
+
+ Note: HTTP requirements for the date/time stamp format apply only
+ to their usage within the protocol stream. Clients and servers
+ are not required to use these formats for user presentation,
+ request logging, etc.
+
+6.2. Transfer Codings
+
+ Transfer-coding values are used to indicate an encoding
+ transformation that has been, can be, or might need to be applied to
+ a payload body in order to ensure "safe transport" through the
+ network. This differs from a content coding in that the transfer-
+ coding is a property of the message rather than a property of the
+ representation that is being transferred.
+
+ transfer-coding = "chunked" ; Section 6.2.1
+ / "compress" ; Section 6.2.2.1
+ / "deflate" ; Section 6.2.2.2
+ / "gzip" ; Section 6.2.2.3
+ / transfer-extension
+ transfer-extension = token *( OWS ";" OWS transfer-parameter )
+
+ Parameters are in the form of attribute/value pairs.
+
+ transfer-parameter = attribute BWS "=" BWS value
+ attribute = token
+ value = word
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 34]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ All transfer-coding values are case-insensitive. HTTP/1.1 uses
+ transfer-coding values in the TE header field (Section 9.5) and in
+ the Transfer-Encoding header field (Section 9.7).
+
+ Transfer-codings are analogous to the Content-Transfer-Encoding
+ values of MIME, which were designed to enable safe transport of
+ binary data over a 7-bit transport service ([RFC2045], Section 6).
+ However, safe transport has a different focus for an 8bit-clean
+ transfer protocol. In HTTP, the only unsafe characteristic of
+ message-bodies is the difficulty in determining the exact message
+ body length (Section 3.3), or the desire to encrypt data over a
+ shared transport.
+
+ A server that receives a request message with a transfer-coding it
+ does not understand SHOULD respond with 501 (Not Implemented) and
+ then close the connection. A server MUST NOT send transfer-codings
+ to an HTTP/1.0 client.
+
+6.2.1. Chunked Transfer Coding
+
+ The chunked encoding modifies the body of a message in order to
+ transfer it as a series of chunks, each with its own size indicator,
+ followed by an OPTIONAL trailer containing header fields. This
+ allows dynamically produced content to be transferred along with the
+ information necessary for the recipient to verify that it has
+ received the full message.
+
+ Chunked-Body = *chunk
+ last-chunk
+ trailer-part
+ CRLF
+
+ chunk = chunk-size *WSP [ chunk-ext ] CRLF
+ chunk-data CRLF
+ chunk-size = 1*HEXDIG
+ last-chunk = 1*("0") *WSP [ chunk-ext ] CRLF
+
+ chunk-ext = *( ";" *WSP chunk-ext-name
+ [ "=" chunk-ext-val ] *WSP )
+ chunk-ext-name = token
+ chunk-ext-val = token / quoted-str-nf
+ chunk-data = 1*OCTET ; a sequence of chunk-size octets
+ trailer-part = *( header-field CRLF )
+
+ quoted-str-nf = DQUOTE *( qdtext-nf / quoted-pair ) DQUOTE
+ ; like quoted-string, but disallowing line folding
+ qdtext-nf = WSP / %x21 / %x23-5B / %x5D-7E / obs-text
+ ; WSP / <VCHAR except DQUOTE and "\"> / obs-text
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 35]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ The chunk-size field is a string of hex digits indicating the size of
+ the chunk-data in octets. The chunked encoding is ended by any chunk
+ whose size is zero, followed by the trailer, which is terminated by
+ an empty line.
+
+ The trailer allows the sender to include additional HTTP header
+ fields at the end of the message. The Trailer header field can be
+ used to indicate which header fields are included in a trailer (see
+ Section 9.6).
+
+ A server using chunked transfer-coding in a response MUST NOT use the
+ trailer for any header fields unless at least one of the following is
+ true:
+
+ 1. the request included a TE header field that indicates "trailers"
+ is acceptable in the transfer-coding of the response, as
+ described in Section 9.5; or,
+
+ 2. the server is the origin server for the response, the trailer
+ fields consist entirely of optional metadata, and the recipient
+ could use the message (in a manner acceptable to the origin
+ server) without receiving this metadata. In other words, the
+ origin server is willing to accept the possibility that the
+ trailer fields might be silently discarded along the path to the
+ client.
+
+ This requirement prevents an interoperability failure when the
+ message is being received by an HTTP/1.1 (or later) proxy and
+ forwarded to an HTTP/1.0 recipient. It avoids a situation where
+ compliance with the protocol would have necessitated a possibly
+ infinite buffer on the proxy.
+
+ A process for decoding the "chunked" transfer-coding can be
+ represented in pseudo-code as:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 36]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ length := 0
+ read chunk-size, chunk-ext (if any) and CRLF
+ while (chunk-size > 0) {
+ read chunk-data and CRLF
+ append chunk-data to decoded-body
+ length := length + chunk-size
+ read chunk-size and CRLF
+ }
+ read header-field
+ while (header-field not empty) {
+ append header-field to existing header fields
+ read header-field
+ }
+ Content-Length := length
+ Remove "chunked" from Transfer-Encoding
+
+ All HTTP/1.1 applications MUST be able to receive and decode the
+ "chunked" transfer-coding and MUST ignore chunk-ext extensions they
+ do not understand.
+
+ Since "chunked" is the only transfer-coding required to be understood
+ by HTTP/1.1 recipients, it plays a crucial role in delimiting
+ messages on a persistent connection. Whenever a transfer-coding is
+ applied to a payload body in a request, the final transfer-coding
+ applied MUST be "chunked". If a transfer-coding is applied to a
+ response payload body, then either the final transfer-coding applied
+ MUST be "chunked" or the message MUST be terminated by closing the
+ connection. When the "chunked" transfer-coding is used, it MUST be
+ the last transfer-coding applied to form the message-body. The
+ "chunked" transfer-coding MUST NOT be applied more than once in a
+ message-body.
+
+6.2.2. Compression Codings
+
+ The codings defined below can be used to compress the payload of a
+ message.
+
+ Note: Use of program names for the identification of encoding
+ formats is not desirable and is discouraged for future encodings.
+ Their use here is representative of historical practice, not good
+ design.
+
+ Note: For compatibility with previous implementations of HTTP,
+ applications SHOULD consider "x-gzip" and "x-compress" to be
+ equivalent to "gzip" and "compress" respectively.
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 37]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+6.2.2.1. Compress Coding
+
+ The "compress" format is produced by the common UNIX file compression
+ program "compress". This format is an adaptive Lempel-Ziv-Welch
+ coding (LZW).
+
+6.2.2.2. Deflate Coding
+
+ The "deflate" format is defined as the "deflate" compression
+ mechanism (described in [RFC1951]) used inside the "zlib" data format
+ ([RFC1950]).
+
+ Note: Some incorrect implementations send the "deflate" compressed
+ data without the zlib wrapper.
+
+6.2.2.3. Gzip Coding
+
+ The "gzip" format is produced by the file compression program "gzip"
+ (GNU zip), as described in [RFC1952]. This format is a Lempel-Ziv
+ coding (LZ77) with a 32 bit CRC.
+
+6.2.3. Transfer Coding Registry
+
+ The HTTP Transfer Coding Registry defines the name space for the
+ transfer coding names.
+
+ Registrations MUST include the following fields:
+
+ o Name
+
+ o Description
+
+ o Pointer to specification text
+
+ Names of transfer codings MUST NOT overlap with names of content
+ codings (Section 2.2 of [Part3]), unless the encoding transformation
+ is identical (as it is the case for the compression codings defined
+ in Section 6.2.2).
+
+ Values to be added to this name space require a specification (see
+ "Specification Required" in Section 4.1 of [RFC5226]), and MUST
+ conform to the purpose of transfer coding defined in this section.
+
+ The registry itself is maintained at
+ <http://www.iana.org/assignments/http-parameters>.
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 38]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+6.3. Product Tokens
+
+ Product tokens are used to allow communicating applications to
+ identify themselves by software name and version. Most fields using
+ product tokens also allow sub-products which form a significant part
+ of the application to be listed, separated by whitespace. By
+ convention, the products are listed in order of their significance
+ for identifying the application.
+
+ product = token ["/" product-version]
+ product-version = token
+
+ Examples:
+
+ User-Agent: CERN-LineMode/2.15 libwww/2.17b3
+ Server: Apache/0.8.4
+
+ Product tokens SHOULD be short and to the point. They MUST NOT be
+ used for advertising or other non-essential information. Although
+ any token character MAY appear in a product-version, this token
+ SHOULD only be used for a version identifier (i.e., successive
+ versions of the same product SHOULD only differ in the product-
+ version portion of the product value).
+
+6.4. Quality Values
+
+ Both transfer codings (TE request header, Section 9.5) and content
+ negotiation (Section 5 of [Part3]) use short "floating point" numbers
+ to indicate the relative importance ("weight") of various negotiable
+ parameters. A weight is normalized to a real number in the range 0
+ through 1, where 0 is the minimum and 1 the maximum value. If a
+ parameter has a quality value of 0, then content with this parameter
+ is "not acceptable" for the client. HTTP/1.1 applications MUST NOT
+ generate more than three digits after the decimal point. User
+ configuration of these values SHOULD also be limited in this fashion.
+
+ qvalue = ( "0" [ "." 0*3DIGIT ] )
+ / ( "1" [ "." 0*3("0") ] )
+
+ Note: "Quality values" is a misnomer, since these values merely
+ represent relative degradation in desired quality.
+
+7. Connections
+
+7.1. Persistent Connections
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 39]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+7.1.1. Purpose
+
+ Prior to persistent connections, a separate TCP connection was
+ established to fetch each URL, increasing the load on HTTP servers
+ and causing congestion on the Internet. The use of inline images and
+ other associated data often requires a client to make multiple
+ requests of the same server in a short amount of time. Analysis of
+ these performance problems and results from a prototype
+ implementation are available [Pad1995] [Spe]. Implementation
+ experience and measurements of actual HTTP/1.1 implementations show
+ good results [Nie1997]. Alternatives have also been explored, for
+ example, T/TCP [Tou1998].
+
+ Persistent HTTP connections have a number of advantages:
+
+ o By opening and closing fewer TCP connections, CPU time is saved in
+ routers and hosts (clients, servers, proxies, gateways, tunnels,
+ or caches), and memory used for TCP protocol control blocks can be
+ saved in hosts.
+
+ o HTTP requests and responses can be pipelined on a connection.
+ Pipelining allows a client to make multiple requests without
+ waiting for each response, allowing a single TCP connection to be
+ used much more efficiently, with much lower elapsed time.
+
+ o Network congestion is reduced by reducing the number of packets
+ caused by TCP opens, and by allowing TCP sufficient time to
+ determine the congestion state of the network.
+
+ o Latency on subsequent requests is reduced since there is no time
+ spent in TCP's connection opening handshake.
+
+ o HTTP can evolve more gracefully, since errors can be reported
+ without the penalty of closing the TCP connection. Clients using
+ future versions of HTTP might optimistically try a new feature,
+ but if communicating with an older server, retry with old
+ semantics after an error is reported.
+
+ HTTP implementations SHOULD implement persistent connections.
+
+7.1.2. Overall Operation
+
+ A significant difference between HTTP/1.1 and earlier versions of
+ HTTP is that persistent connections are the default behavior of any
+ HTTP connection. That is, unless otherwise indicated, the client
+ SHOULD assume that the server will maintain a persistent connection,
+ even after error responses from the server.
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 40]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Persistent connections provide a mechanism by which a client and a
+ server can signal the close of a TCP connection. This signaling
+ takes place using the Connection header field (Section 9.1). Once a
+ close has been signaled, the client MUST NOT send any more requests
+ on that connection.
+
+7.1.2.1. Negotiation
+
+ An HTTP/1.1 server MAY assume that a HTTP/1.1 client intends to
+ maintain a persistent connection unless a Connection header including
+ the connection-token "close" was sent in the request. If the server
+ chooses to close the connection immediately after sending the
+ response, it SHOULD send a Connection header including the
+ connection-token "close".
+
+ An HTTP/1.1 client MAY expect a connection to remain open, but would
+ decide to keep it open based on whether the response from a server
+ contains a Connection header with the connection-token close. In
+ case the client does not want to maintain a connection for more than
+ that request, it SHOULD send a Connection header including the
+ connection-token close.
+
+ If either the client or the server sends the close token in the
+ Connection header, that request becomes the last one for the
+ connection.
+
+ Clients and servers SHOULD NOT assume that a persistent connection is
+ maintained for HTTP versions less than 1.1 unless it is explicitly
+ signaled. See Appendix B.2 for more information on backward
+ compatibility with HTTP/1.0 clients.
+
+ In order to remain persistent, all messages on the connection MUST
+ have a self-defined message length (i.e., one not defined by closure
+ of the connection), as described in Section 3.3.
+
+7.1.2.2. Pipelining
+
+ A client that supports persistent connections MAY "pipeline" its
+ requests (i.e., send multiple requests without waiting for each
+ response). A server MUST send its responses to those requests in the
+ same order that the requests were received.
+
+ Clients which assume persistent connections and pipeline immediately
+ after connection establishment SHOULD be prepared to retry their
+ connection if the first pipelined attempt fails. If a client does
+ such a retry, it MUST NOT pipeline before it knows the connection is
+ persistent. Clients MUST also be prepared to resend their requests
+ if the server closes the connection before sending all of the
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 41]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ corresponding responses.
+
+ Clients SHOULD NOT pipeline requests using non-idempotent methods or
+ non-idempotent sequences of methods (see Section 7.1.2 of [Part2]).
+ Otherwise, a premature termination of the transport connection could
+ lead to indeterminate results. A client wishing to send a non-
+ idempotent request SHOULD wait to send that request until it has
+ received the response status line for the previous request.
+
+7.1.3. Proxy Servers
+
+ It is especially important that proxies correctly implement the
+ properties of the Connection header field as specified in
+ Section 9.1.
+
+ The proxy server MUST signal persistent connections separately with
+ its clients and the origin servers (or other proxy servers) that it
+ connects to. Each persistent connection applies to only one
+ transport link.
+
+ A proxy server MUST NOT establish a HTTP/1.1 persistent connection
+ with an HTTP/1.0 client (but see Section 19.7.1 of [RFC2068] for
+ information and discussion of the problems with the Keep-Alive header
+ implemented by many HTTP/1.0 clients).
+
+7.1.3.1. End-to-end and Hop-by-hop Headers
+
+ For the purpose of defining the behavior of caches and non-caching
+ proxies, we divide HTTP headers into two categories:
+
+ o End-to-end headers, which are transmitted to the ultimate
+ recipient of a request or response. End-to-end headers in
+ responses MUST be stored as part of a cache entry and MUST be
+ transmitted in any response formed from a cache entry.
+
+ o Hop-by-hop headers, which are meaningful only for a single
+ transport-level connection, and are not stored by caches or
+ forwarded by proxies.
+
+ The following HTTP/1.1 headers are hop-by-hop headers:
+
+ o Connection
+
+ o Keep-Alive
+
+ o Proxy-Authenticate
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 42]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ o Proxy-Authorization
+
+ o TE
+
+ o Trailer
+
+ o Transfer-Encoding
+
+ o Upgrade
+
+ All other headers defined by HTTP/1.1 are end-to-end headers.
+
+ Other hop-by-hop headers MUST be listed in a Connection header
+ (Section 9.1).
+
+7.1.3.2. Non-modifiable Headers
+
+ Some features of HTTP/1.1, such as Digest Authentication, depend on
+ the value of certain end-to-end headers. A transparent proxy SHOULD
+ NOT modify an end-to-end header unless the definition of that header
+ requires or specifically allows that.
+
+ A transparent proxy MUST NOT modify any of the following fields in a
+ request or response, and it MUST NOT add any of these fields if not
+ already present:
+
+ o Content-Location
+
+ o Content-MD5
+
+ o ETag
+
+ o Last-Modified
+
+ A transparent proxy MUST NOT modify any of the following fields in a
+ response:
+
+ o Expires
+
+ but it MAY add any of these fields if not already present. If an
+ Expires header is added, it MUST be given a field-value identical to
+ that of the Date header in that response.
+
+ A proxy MUST NOT modify or add any of the following fields in a
+ message that contains the no-transform cache-control directive, or in
+ any request:
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 43]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ o Content-Encoding
+
+ o Content-Range
+
+ o Content-Type
+
+ A non-transparent proxy MAY modify or add these fields to a message
+ that does not include no-transform, but if it does so, it MUST add a
+ Warning 214 (Transformation applied) if one does not already appear
+ in the message (see Section 3.6 of [Part6]).
+
+ Warning: Unnecessary modification of end-to-end headers might
+ cause authentication failures if stronger authentication
+ mechanisms are introduced in later versions of HTTP. Such
+ authentication mechanisms MAY rely on the values of header fields
+ not listed here.
+
+ A transparent proxy MUST preserve the message payload ([Part3]),
+ though it MAY change the message-body through application or removal
+ of a transfer-coding (Section 6.2).
+
+7.1.4. Practical Considerations
+
+ Servers will usually have some time-out value beyond which they will
+ no longer maintain an inactive connection. Proxy servers might make
+ this a higher value since it is likely that the client will be making
+ more connections through the same server. The use of persistent
+ connections places no requirements on the length (or existence) of
+ this time-out for either the client or the server.
+
+ When a client or server wishes to time-out it SHOULD issue a graceful
+ close on the transport connection. Clients and servers SHOULD both
+ constantly watch for the other side of the transport close, and
+ respond to it as appropriate. If a client or server does not detect
+ the other side's close promptly it could cause unnecessary resource
+ drain on the network.
+
+ A client, server, or proxy MAY close the transport connection at any
+ time. For example, a client might have started to send a new request
+ at the same time that the server has decided to close the "idle"
+ connection. From the server's point of view, the connection is being
+ closed while it was idle, but from the client's point of view, a
+ request is in progress.
+
+ This means that clients, servers, and proxies MUST be able to recover
+ from asynchronous close events. Client software SHOULD reopen the
+ transport connection and retransmit the aborted sequence of requests
+ without user interaction so long as the request sequence is
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 44]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ idempotent (see Section 7.1.2 of [Part2]). Non-idempotent methods or
+ sequences MUST NOT be automatically retried, although user agents MAY
+ offer a human operator the choice of retrying the request(s).
+ Confirmation by user-agent software with semantic understanding of
+ the application MAY substitute for user confirmation. The automatic
+ retry SHOULD NOT be repeated if the second sequence of requests
+ fails.
+
+ Servers SHOULD always respond to at least one request per connection,
+ if at all possible. Servers SHOULD NOT close a connection in the
+ middle of transmitting a response, unless a network or client failure
+ is suspected.
+
+ Clients (including proxies) SHOULD limit the number of simultaneous
+ connections that they maintain to a given server (including proxies).
+
+ Previous revisions of HTTP gave a specific number of connections as a
+ ceiling, but this was found to be impractical for many applications.
+ As a result, this specification does not mandate a particular maximum
+ number of connections, but instead encourages clients to be
+ conservative when opening multiple connections.
+
+ In particular, while using multiple connections avoids the "head-of-
+ line blocking" problem (whereby a request that takes significant
+ server-side processing and/or has a large payload can block
+ subsequent requests on the same connection), each connection used
+ consumes server resources (sometimes significantly), and furthermore
+ using multiple connections can cause undesirable side effects in
+ congested networks.
+
+ Note that servers might reject traffic that they deem abusive,
+ including an excessive number of connections from a client.
+
+7.2. Message Transmission Requirements
+
+7.2.1. Persistent Connections and Flow Control
+
+ HTTP/1.1 servers SHOULD maintain persistent connections and use TCP's
+ flow control mechanisms to resolve temporary overloads, rather than
+ terminating connections with the expectation that clients will retry.
+ The latter technique can exacerbate network congestion.
+
+7.2.2. Monitoring Connections for Error Status Messages
+
+ An HTTP/1.1 (or later) client sending a message-body SHOULD monitor
+ the network connection for an error status code while it is
+ transmitting the request. If the client sees an error status code,
+ it SHOULD immediately cease transmitting the body. If the body is
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 45]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ being sent using a "chunked" encoding (Section 6.2), a zero length
+ chunk and empty trailer MAY be used to prematurely mark the end of
+ the message. If the body was preceded by a Content-Length header,
+ the client MUST close the connection.
+
+7.2.3. Use of the 100 (Continue) Status
+
+ The purpose of the 100 (Continue) status code (see Section 8.1.1 of
+ [Part2]) is to allow a client that is sending a request message with
+ a request body to determine if the origin server is willing to accept
+ the request (based on the request headers) before the client sends
+ the request body. In some cases, it might either be inappropriate or
+ highly inefficient for the client to send the body if the server will
+ reject the message without looking at the body.
+
+ Requirements for HTTP/1.1 clients:
+
+ o If a client will wait for a 100 (Continue) response before sending
+ the request body, it MUST send an Expect request-header field
+ (Section 9.2 of [Part2]) with the "100-continue" expectation.
+
+ o A client MUST NOT send an Expect request-header field (Section 9.2
+ of [Part2]) with the "100-continue" expectation if it does not
+ intend to send a request body.
+
+ Because of the presence of older implementations, the protocol allows
+ ambiguous situations in which a client might send "Expect: 100-
+ continue" without receiving either a 417 (Expectation Failed) or a
+ 100 (Continue) status code. Therefore, when a client sends this
+ header field to an origin server (possibly via a proxy) from which it
+ has never seen a 100 (Continue) status code, the client SHOULD NOT
+ wait for an indefinite period before sending the request body.
+
+ Requirements for HTTP/1.1 origin servers:
+
+ o Upon receiving a request which includes an Expect request-header
+ field with the "100-continue" expectation, an origin server MUST
+ either respond with 100 (Continue) status code and continue to
+ read from the input stream, or respond with a final status code.
+ The origin server MUST NOT wait for the request body before
+ sending the 100 (Continue) response. If it responds with a final
+ status code, it MAY close the transport connection or it MAY
+ continue to read and discard the rest of the request. It MUST NOT
+ perform the requested method if it returns a final status code.
+
+ o An origin server SHOULD NOT send a 100 (Continue) response if the
+ request message does not include an Expect request-header field
+ with the "100-continue" expectation, and MUST NOT send a 100
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 46]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ (Continue) response if such a request comes from an HTTP/1.0 (or
+ earlier) client. There is an exception to this rule: for
+ compatibility with [RFC2068], a server MAY send a 100 (Continue)
+ status code in response to an HTTP/1.1 PUT or POST request that
+ does not include an Expect request-header field with the "100-
+ continue" expectation. This exception, the purpose of which is to
+ minimize any client processing delays associated with an
+ undeclared wait for 100 (Continue) status code, applies only to
+ HTTP/1.1 requests, and not to requests with any other HTTP-version
+ value.
+
+ o An origin server MAY omit a 100 (Continue) response if it has
+ already received some or all of the request body for the
+ corresponding request.
+
+ o An origin server that sends a 100 (Continue) response MUST
+ ultimately send a final status code, once the request body is
+ received and processed, unless it terminates the transport
+ connection prematurely.
+
+ o If an origin server receives a request that does not include an
+ Expect request-header field with the "100-continue" expectation,
+ the request includes a request body, and the server responds with
+ a final status code before reading the entire request body from
+ the transport connection, then the server SHOULD NOT close the
+ transport connection until it has read the entire request, or
+ until the client closes the connection. Otherwise, the client
+ might not reliably receive the response message. However, this
+ requirement is not be construed as preventing a server from
+ defending itself against denial-of-service attacks, or from badly
+ broken client implementations.
+
+ Requirements for HTTP/1.1 proxies:
+
+ o If a proxy receives a request that includes an Expect request-
+ header field with the "100-continue" expectation, and the proxy
+ either knows that the next-hop server complies with HTTP/1.1 or
+ higher, or does not know the HTTP version of the next-hop server,
+ it MUST forward the request, including the Expect header field.
+
+ o If the proxy knows that the version of the next-hop server is
+ HTTP/1.0 or lower, it MUST NOT forward the request, and it MUST
+ respond with a 417 (Expectation Failed) status code.
+
+ o Proxies SHOULD maintain a cache recording the HTTP version numbers
+ received from recently-referenced next-hop servers.
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 47]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ o A proxy MUST NOT forward a 100 (Continue) response if the request
+ message was received from an HTTP/1.0 (or earlier) client and did
+ not include an Expect request-header field with the "100-continue"
+ expectation. This requirement overrides the general rule for
+ forwarding of 1xx responses (see Section 8.1 of [Part2]).
+
+7.2.4. Client Behavior if Server Prematurely Closes Connection
+
+ If an HTTP/1.1 client sends a request which includes a request body,
+ but which does not include an Expect request-header field with the
+ "100-continue" expectation, and if the client is not directly
+ connected to an HTTP/1.1 origin server, and if the client sees the
+ connection close before receiving a status line from the server, the
+ client SHOULD retry the request. If the client does retry this
+ request, it MAY use the following "binary exponential backoff"
+ algorithm to be assured of obtaining a reliable response:
+
+ 1. Initiate a new connection to the server
+
+ 2. Transmit the request-headers
+
+ 3. Initialize a variable R to the estimated round-trip time to the
+ server (e.g., based on the time it took to establish the
+ connection), or to a constant value of 5 seconds if the round-
+ trip time is not available.
+
+ 4. Compute T = R * (2**N), where N is the number of previous retries
+ of this request.
+
+ 5. Wait either for an error response from the server, or for T
+ seconds (whichever comes first)
+
+ 6. If no error response is received, after T seconds transmit the
+ body of the request.
+
+ 7. If client sees that the connection is closed prematurely, repeat
+ from step 1 until the request is accepted, an error response is
+ received, or the user becomes impatient and terminates the retry
+ process.
+
+ If at any point an error status code is received, the client
+
+ o SHOULD NOT continue and
+
+ o SHOULD close the connection if it has not completed sending the
+ request message.
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 48]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+8. Miscellaneous notes that might disappear
+
+8.1. Scheme aliases considered harmful
+
+ [[TBD-aliases-harmful: describe why aliases like webcal are
+ harmful.]]
+
+8.2. Use of HTTP for proxy communication
+
+ [[TBD-proxy-other: Configured to use HTTP to proxy HTTP or other
+ protocols.]]
+
+8.3. Interception of HTTP for access control
+
+ [[TBD-intercept: Interception of HTTP traffic for initiating access
+ control.]]
+
+8.4. Use of HTTP by other protocols
+
+ [[TBD-profiles: Profiles of HTTP defined by other protocol.
+ Extensions of HTTP like WebDAV.]]
+
+8.5. Use of HTTP by media type specification
+
+ [[TBD-hypertext: Instructions on composing HTTP requests via
+ hypertext formats.]]
+
+9. Header Field Definitions
+
+ This section defines the syntax and semantics of HTTP/1.1 header
+ fields related to message framing and transport protocols.
+
+9.1. Connection
+
+ The "Connection" general-header field allows the sender to specify
+ options that are desired for that particular connection and MUST NOT
+ be communicated by proxies over further connections.
+
+ The Connection header's value has the following grammar:
+
+ Connection = "Connection" ":" OWS Connection-v
+ Connection-v = 1#connection-token
+ connection-token = token
+
+ HTTP/1.1 proxies MUST parse the Connection header field before a
+ message is forwarded and, for each connection-token in this field,
+ remove any header field(s) from the message with the same name as the
+ connection-token. Connection options are signaled by the presence of
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 49]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ a connection-token in the Connection header field, not by any
+ corresponding additional header field(s), since the additional header
+ field might not be sent if there are no parameters associated with
+ that connection option.
+
+ Message headers listed in the Connection header MUST NOT include end-
+ to-end headers, such as Cache-Control.
+
+ HTTP/1.1 defines the "close" connection option for the sender to
+ signal that the connection will be closed after completion of the
+ response. For example,
+
+ Connection: close
+
+ in either the request or the response header fields indicates that
+ the connection SHOULD NOT be considered "persistent" (Section 7.1)
+ after the current request/response is complete.
+
+ An HTTP/1.1 client that does not support persistent connections MUST
+ include the "close" connection option in every request message.
+
+ An HTTP/1.1 server that does not support persistent connections MUST
+ include the "close" connection option in every response message that
+ does not have a 1xx (Informational) status code.
+
+ A system receiving an HTTP/1.0 (or lower-version) message that
+ includes a Connection header MUST, for each connection-token in this
+ field, remove and ignore any header field(s) from the message with
+ the same name as the connection-token. This protects against
+ mistaken forwarding of such header fields by pre-HTTP/1.1 proxies.
+ See Appendix B.2.
+
+9.2. Content-Length
+
+ The "Content-Length" header field indicates the size of the message-
+ body, in decimal number of octets, for any message other than a
+ response to the HEAD method or a response with a status code of 304.
+ In the case of responses to the HEAD method, it indicates the size of
+ the payload body (not including any potential transfer-coding) that
+ would have been sent had the request been a GET. In the case of the
+ 304 (Not Modified) response, it indicates the size of the payload
+ body (not including any potential transfer-coding) that would have
+ been sent in a 200 (OK) response.
+
+ Content-Length = "Content-Length" ":" OWS 1*Content-Length-v
+ Content-Length-v = 1*DIGIT
+
+ An example is
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 50]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Content-Length: 3495
+
+ Implementations SHOULD use this field to indicate the message-body
+ length when no transfer-coding is being applied and the payload's
+ body length can be determined prior to being transferred.
+ Section 3.3 describes how recipients determine the length of a
+ message-body.
+
+ Any Content-Length greater than or equal to zero is a valid value.
+
+ Note that the use of this field in HTTP is significantly different
+ from the corresponding definition in MIME, where it is an optional
+ field used within the "message/external-body" content-type.
+
+9.3. Date
+
+ The "Date" general-header field represents the date and time at which
+ the message was originated, having the same semantics as the
+ Origination Date Field (orig-date) defined in Section 3.6.1 of
+ [RFC5322]. The field value is an HTTP-date, as described in
+ Section 6.1; it MUST be sent in rfc1123-date format.
+
+ Date = "Date" ":" OWS Date-v
+ Date-v = HTTP-date
+
+ An example is
+
+ Date: Tue, 15 Nov 1994 08:12:31 GMT
+
+ Origin servers MUST include a Date header field in all responses,
+ except in these cases:
+
+ 1. If the response status code is 100 (Continue) or 101 (Switching
+ Protocols), the response MAY include a Date header field, at the
+ server's option.
+
+ 2. If the response status code conveys a server error, e.g., 500
+ (Internal Server Error) or 503 (Service Unavailable), and it is
+ inconvenient or impossible to generate a valid Date.
+
+ 3. If the server does not have a clock that can provide a reasonable
+ approximation of the current time, its responses MUST NOT include
+ a Date header field. In this case, the rules in Section 9.3.1
+ MUST be followed.
+
+ A received message that does not have a Date header field MUST be
+ assigned one by the recipient if the message will be cached by that
+ recipient or gatewayed via a protocol which requires a Date. An HTTP
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 51]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ implementation without a clock MUST NOT cache responses without
+ revalidating them on every use. An HTTP cache, especially a shared
+ cache, SHOULD use a mechanism, such as NTP [RFC1305], to synchronize
+ its clock with a reliable external standard.
+
+ Clients SHOULD only send a Date header field in messages that include
+ a payload, as is usually the case for PUT and POST requests, and even
+ then it is optional. A client without a clock MUST NOT send a Date
+ header field in a request.
+
+ The HTTP-date sent in a Date header SHOULD NOT represent a date and
+ time subsequent to the generation of the message. It SHOULD
+ represent the best available approximation of the date and time of
+ message generation, unless the implementation has no means of
+ generating a reasonably accurate date and time. In theory, the date
+ ought to represent the moment just before the payload is generated.
+ In practice, the date can be generated at any time during the message
+ origination without affecting its semantic value.
+
+9.3.1. Clockless Origin Server Operation
+
+ Some origin server implementations might not have a clock available.
+ An origin server without a clock MUST NOT assign Expires or Last-
+ Modified values to a response, unless these values were associated
+ with the resource by a system or user with a reliable clock. It MAY
+ assign an Expires value that is known, at or before server
+ configuration time, to be in the past (this allows "pre-expiration"
+ of responses without storing separate Expires values for each
+ resource).
+
+9.4. Host
+
+ The "Host" request-header field specifies the Internet host and port
+ number of the resource being requested, allowing the origin server or
+ gateway to differentiate between internally-ambiguous URLs, such as
+ the root "/" URL of a server for multiple host names on a single IP
+ address.
+
+ The Host field value MUST represent the naming authority of the
+ origin server or gateway given by the original URL obtained from the
+ user or referring resource (generally an http URI, as described in
+ Section 2.6.1).
+
+ Host = "Host" ":" OWS Host-v
+ Host-v = uri-host [ ":" port ] ; Section 2.6.1
+
+ A "host" without any trailing port information implies the default
+ port for the service requested (e.g., "80" for an HTTP URL). For
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 52]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ example, a request on the origin server for
+ <http://www.example.org/pub/WWW/> would properly include:
+
+ GET /pub/WWW/ HTTP/1.1
+ Host: www.example.org
+
+ A client MUST include a Host header field in all HTTP/1.1 request
+ messages. If the requested URI does not include an Internet host
+ name for the service being requested, then the Host header field MUST
+ be given with an empty value. An HTTP/1.1 proxy MUST ensure that any
+ request message it forwards does contain an appropriate Host header
+ field that identifies the service being requested by the proxy. All
+ Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request)
+ status code to any HTTP/1.1 request message which lacks a Host header
+ field.
+
+ See Sections 4.2 and B.1.1 for other requirements relating to Host.
+
+9.5. TE
+
+ The "TE" request-header field indicates what extension transfer-
+ codings it is willing to accept in the response, and whether or not
+ it is willing to accept trailer fields in a chunked transfer-coding.
+
+ Its value consists of the keyword "trailers" and/or a comma-separated
+ list of extension transfer-coding names with optional accept
+ parameters (as described in Section 6.2).
+
+ TE = "TE" ":" OWS TE-v
+ TE-v = #t-codings
+ t-codings = "trailers" / ( transfer-extension [ te-params ] )
+ te-params = OWS ";" OWS "q=" qvalue *( te-ext )
+ te-ext = OWS ";" OWS token [ "=" word ]
+
+ The presence of the keyword "trailers" indicates that the client is
+ willing to accept trailer fields in a chunked transfer-coding, as
+ defined in Section 6.2.1. This keyword is reserved for use with
+ transfer-coding values even though it does not itself represent a
+ transfer-coding.
+
+ Examples of its use are:
+
+ TE: deflate
+ TE:
+ TE: trailers, deflate;q=0.5
+
+ The TE header field only applies to the immediate connection.
+ Therefore, the keyword MUST be supplied within a Connection header
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 53]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ field (Section 9.1) whenever TE is present in an HTTP/1.1 message.
+
+ A server tests whether a transfer-coding is acceptable, according to
+ a TE field, using these rules:
+
+ 1. The "chunked" transfer-coding is always acceptable. If the
+ keyword "trailers" is listed, the client indicates that it is
+ willing to accept trailer fields in the chunked response on
+ behalf of itself and any downstream clients. The implication is
+ that, if given, the client is stating that either all downstream
+ clients are willing to accept trailer fields in the forwarded
+ response, or that it will attempt to buffer the response on
+ behalf of downstream recipients.
+
+ Note: HTTP/1.1 does not define any means to limit the size of a
+ chunked response such that a client can be assured of buffering
+ the entire response.
+
+ 2. If the transfer-coding being tested is one of the transfer-
+ codings listed in the TE field, then it is acceptable unless it
+ is accompanied by a qvalue of 0. (As defined in Section 6.4, a
+ qvalue of 0 means "not acceptable".)
+
+ 3. If multiple transfer-codings are acceptable, then the acceptable
+ transfer-coding with the highest non-zero qvalue is preferred.
+ The "chunked" transfer-coding always has a qvalue of 1.
+
+ If the TE field-value is empty or if no TE field is present, the only
+ transfer-coding is "chunked". A message with no transfer-coding is
+ always acceptable.
+
+9.6. Trailer
+
+ The "Trailer" general-header field indicates that the given set of
+ header fields is present in the trailer of a message encoded with
+ chunked transfer-coding.
+
+ Trailer = "Trailer" ":" OWS Trailer-v
+ Trailer-v = 1#field-name
+
+ An HTTP/1.1 message SHOULD include a Trailer header field in a
+ message using chunked transfer-coding with a non-empty trailer.
+ Doing so allows the recipient to know which header fields to expect
+ in the trailer.
+
+ If no Trailer header field is present, the trailer SHOULD NOT include
+ any header fields. See Section 6.2.1 for restrictions on the use of
+ trailer fields in a "chunked" transfer-coding.
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 54]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Message header fields listed in the Trailer header field MUST NOT
+ include the following header fields:
+
+ o Transfer-Encoding
+
+ o Content-Length
+
+ o Trailer
+
+9.7. Transfer-Encoding
+
+ The "Transfer-Encoding" general-header field indicates what transfer-
+ codings (if any) have been applied to the message body. It differs
+ from Content-Encoding (Section 2.2 of [Part3]) in that transfer-
+ codings are a property of the message (and therefore are removed by
+ intermediaries), whereas content-codings are not.
+
+ Transfer-Encoding = "Transfer-Encoding" ":" OWS
+ Transfer-Encoding-v
+ Transfer-Encoding-v = 1#transfer-coding
+
+ Transfer-codings are defined in Section 6.2. An example is:
+
+ Transfer-Encoding: chunked
+
+ If multiple encodings have been applied to a representation, the
+ transfer-codings MUST be listed in the order in which they were
+ applied. Additional information about the encoding parameters MAY be
+ provided by other header fields not defined by this specification.
+
+ Many older HTTP/1.0 applications do not understand the Transfer-
+ Encoding header.
+
+9.8. Upgrade
+
+ The "Upgrade" general-header field allows the client to specify what
+ additional communication protocols it would like to use, if the
+ server chooses to switch protocols. Additionally, the server MUST
+ use the Upgrade header field within a 101 (Switching Protocols)
+ response to indicate which protocol(s) are being switched to.
+
+ Upgrade = "Upgrade" ":" OWS Upgrade-v
+ Upgrade-v = 1#product
+
+ For example,
+
+ Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 55]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ The Upgrade header field is intended to provide a simple mechanism
+ for transition from HTTP/1.1 to some other, incompatible protocol.
+ It does so by allowing the client to advertise its desire to use
+ another protocol, such as a later version of HTTP with a higher major
+ version number, even though the current request has been made using
+ HTTP/1.1. This eases the difficult transition between incompatible
+ protocols by allowing the client to initiate a request in the more
+ commonly supported protocol while indicating to the server that it
+ would like to use a "better" protocol if available (where "better" is
+ determined by the server, possibly according to the nature of the
+ method and/or resource being requested).
+
+ The Upgrade header field only applies to switching application-layer
+ protocols upon the existing transport-layer connection. Upgrade
+ cannot be used to insist on a protocol change; its acceptance and use
+ by the server is optional. The capabilities and nature of the
+ application-layer communication after the protocol change is entirely
+ dependent upon the new protocol chosen, although the first action
+ after changing the protocol MUST be a response to the initial HTTP
+ request containing the Upgrade header field.
+
+ The Upgrade header field only applies to the immediate connection.
+ Therefore, the upgrade keyword MUST be supplied within a Connection
+ header field (Section 9.1) whenever Upgrade is present in an HTTP/1.1
+ message.
+
+ The Upgrade header field cannot be used to indicate a switch to a
+ protocol on a different connection. For that purpose, it is more
+ appropriate to use a 301, 302, 303, or 305 redirection response.
+
+ This specification only defines the protocol name "HTTP" for use by
+ the family of Hypertext Transfer Protocols, as defined by the HTTP
+ version rules of Section 2.5 and future updates to this
+ specification. Additional tokens can be registered with IANA using
+ the registration procedure defined below.
+
+9.8.1. Upgrade Token Registry
+
+ The HTTP Upgrade Token Registry defines the name space for product
+ tokens used to identify protocols in the Upgrade header field. Each
+ registered token is associated with contact information and an
+ optional set of specifications that details how the connection will
+ be processed after it has been upgraded.
+
+ Registrations are allowed on a First Come First Served basis as
+ described in Section 4.1 of [RFC5226]. The specifications need not
+ be IETF documents or be subject to IESG review. Registrations are
+ subject to the following rules:
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 56]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ 1. A token, once registered, stays registered forever.
+
+ 2. The registration MUST name a responsible party for the
+ registration.
+
+ 3. The registration MUST name a point of contact.
+
+ 4. The registration MAY name a set of specifications associated with
+ that token. Such specifications need not be publicly available.
+
+ 5. The responsible party MAY change the registration at any time.
+ The IANA will keep a record of all such changes, and make them
+ available upon request.
+
+ 6. The responsible party for the first registration of a "product"
+ token MUST approve later registrations of a "version" token
+ together with that "product" token before they can be registered.
+
+ 7. If absolutely required, the IESG MAY reassign the responsibility
+ for a token. This will normally only be used in the case when a
+ responsible party cannot be contacted.
+
+9.9. Via
+
+ The "Via" general-header field MUST be used by gateways and proxies
+ to indicate the intermediate protocols and recipients between the
+ user agent and the server on requests, and between the origin server
+ and the client on responses. It is analogous to the "Received" field
+ defined in Section 3.6.7 of [RFC5322] and is intended to be used for
+ tracking message forwards, avoiding request loops, and identifying
+ the protocol capabilities of all senders along the request/response
+ chain.
+
+ Via = "Via" ":" OWS Via-v
+ Via-v = 1#( received-protocol RWS received-by
+ [ RWS comment ] )
+ received-protocol = [ protocol-name "/" ] protocol-version
+ protocol-name = token
+ protocol-version = token
+ received-by = ( uri-host [ ":" port ] ) / pseudonym
+ pseudonym = token
+
+ The received-protocol indicates the protocol version of the message
+ received by the server or client along each segment of the request/
+ response chain. The received-protocol version is appended to the Via
+ field value when the message is forwarded so that information about
+ the protocol capabilities of upstream applications remains visible to
+ all recipients.
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 57]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ The protocol-name is optional if and only if it would be "HTTP". The
+ received-by field is normally the host and optional port number of a
+ recipient server or client that subsequently forwarded the message.
+ However, if the real host is considered to be sensitive information,
+ it MAY be replaced by a pseudonym. If the port is not given, it MAY
+ be assumed to be the default port of the received-protocol.
+
+ Multiple Via field values represent each proxy or gateway that has
+ forwarded the message. Each recipient MUST append its information
+ such that the end result is ordered according to the sequence of
+ forwarding applications.
+
+ Comments MAY be used in the Via header field to identify the software
+ of the recipient proxy or gateway, analogous to the User-Agent and
+ Server header fields. However, all comments in the Via field are
+ optional and MAY be removed by any recipient prior to forwarding the
+ message.
+
+ For example, a request message could be sent from an HTTP/1.0 user
+ agent to an internal proxy code-named "fred", which uses HTTP/1.1 to
+ forward the request to a public proxy at p.example.net, which
+ completes the request by forwarding it to the origin server at
+ www.example.com. The request received by www.example.com would then
+ have the following Via header field:
+
+ Via: 1.0 fred, 1.1 p.example.net (Apache/1.1)
+
+ Proxies and gateways used as a portal through a network firewall
+ SHOULD NOT, by default, forward the names and ports of hosts within
+ the firewall region. This information SHOULD only be propagated if
+ explicitly enabled. If not enabled, the received-by host of any host
+ behind the firewall SHOULD be replaced by an appropriate pseudonym
+ for that host.
+
+ For organizations that have strong privacy requirements for hiding
+ internal structures, a proxy MAY combine an ordered subsequence of
+ Via header field entries with identical received-protocol values into
+ a single such entry. For example,
+
+ Via: 1.0 ricky, 1.1 ethel, 1.1 fred, 1.0 lucy
+
+ could be collapsed to
+
+ Via: 1.0 ricky, 1.1 mertz, 1.0 lucy
+
+ Applications SHOULD NOT combine multiple entries unless they are all
+ under the same organizational control and the hosts have already been
+ replaced by pseudonyms. Applications MUST NOT combine entries which
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 58]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ have different received-protocol values.
+
+10. IANA Considerations
+
+10.1. Header Field Registration
+
+ The Message Header Field Registry located at <http://www.iana.org/
+ assignments/message-headers/message-header-index.html> shall be
+ updated with the permanent registrations below (see [RFC3864]):
+
+ +-------------------+----------+----------+-------------+
+ | Header Field Name | Protocol | Status | Reference |
+ +-------------------+----------+----------+-------------+
+ | Connection | http | standard | Section 9.1 |
+ | Content-Length | http | standard | Section 9.2 |
+ | Date | http | standard | Section 9.3 |
+ | Host | http | standard | Section 9.4 |
+ | TE | http | standard | Section 9.5 |
+ | Trailer | http | standard | Section 9.6 |
+ | Transfer-Encoding | http | standard | Section 9.7 |
+ | Upgrade | http | standard | Section 9.8 |
+ | Via | http | standard | Section 9.9 |
+ +-------------------+----------+----------+-------------+
+
+ The change controller is: "IETF (iesg@ietf.org) - Internet
+ Engineering Task Force".
+
+10.2. URI Scheme Registration
+
+ The entries for the "http" and "https" URI Schemes in the registry
+ located at <http://www.iana.org/assignments/uri-schemes.html> shall
+ be updated to point to Sections 2.6.1 and 2.6.2 of this document (see
+ [RFC4395]).
+
+10.3. Internet Media Type Registrations
+
+ This document serves as the specification for the Internet media
+ types "message/http" and "application/http". The following is to be
+ registered with IANA (see [RFC4288]).
+
+10.3.1. Internet Media Type message/http
+
+ The message/http type can be used to enclose a single HTTP request or
+ response message, provided that it obeys the MIME restrictions for
+ all "message" types regarding line length and encodings.
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 59]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Type name: message
+
+ Subtype name: http
+
+ Required parameters: none
+
+ Optional parameters: version, msgtype
+
+ version: The HTTP-Version number of the enclosed message (e.g.,
+ "1.1"). If not present, the version can be determined from the
+ first line of the body.
+
+ msgtype: The message type -- "request" or "response". If not
+ present, the type can be determined from the first line of the
+ body.
+
+ Encoding considerations: only "7bit", "8bit", or "binary" are
+ permitted
+
+ Security considerations: none
+
+ Interoperability considerations: none
+
+ Published specification: This specification (see Section 10.3.1).
+
+ Applications that use this media type:
+
+ Additional information:
+
+ Magic number(s): none
+
+ File extension(s): none
+
+ Macintosh file type code(s): none
+
+ Person and email address to contact for further information: See
+ Authors Section.
+
+ Intended usage: COMMON
+
+ Restrictions on usage: none
+
+ Author/Change controller: IESG
+
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 60]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+10.3.2. Internet Media Type application/http
+
+ The application/http type can be used to enclose a pipeline of one or
+ more HTTP request or response messages (not intermixed).
+
+ Type name: application
+
+ Subtype name: http
+
+ Required parameters: none
+
+ Optional parameters: version, msgtype
+
+ version: The HTTP-Version number of the enclosed messages (e.g.,
+ "1.1"). If not present, the version can be determined from the
+ first line of the body.
+
+ msgtype: The message type -- "request" or "response". If not
+ present, the type can be determined from the first line of the
+ body.
+
+ Encoding considerations: HTTP messages enclosed by this type are in
+ "binary" format; use of an appropriate Content-Transfer-Encoding
+ is required when transmitted via E-mail.
+
+ Security considerations: none
+
+ Interoperability considerations: none
+
+ Published specification: This specification (see Section 10.3.2).
+
+ Applications that use this media type:
+
+ Additional information:
+
+ Magic number(s): none
+
+ File extension(s): none
+
+ Macintosh file type code(s): none
+
+ Person and email address to contact for further information: See
+ Authors Section.
+
+ Intended usage: COMMON
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 61]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Restrictions on usage: none
+
+ Author/Change controller: IESG
+
+10.4. Transfer Coding Registry
+
+ The registration procedure for HTTP Transfer Codings is now defined
+ by Section 6.2.3 of this document.
+
+ The HTTP Transfer Codings Registry located at
+ <http://www.iana.org/assignments/http-parameters> shall be updated
+ with the registrations below:
+
+ +----------+--------------------------------------+-----------------+
+ | Name | Description | Reference |
+ +----------+--------------------------------------+-----------------+
+ | chunked | Transfer in a series of chunks | Section 6.2.1 |
+ | compress | UNIX "compress" program method | Section 6.2.2.1 |
+ | deflate | "deflate" compression mechanism | Section 6.2.2.2 |
+ | | ([RFC1951]) used inside the "zlib" | |
+ | | data format ([RFC1950]) | |
+ | gzip | Same as GNU zip [RFC1952] | Section 6.2.2.3 |
+ +----------+--------------------------------------+-----------------+
+
+10.5. Upgrade Token Registration
+
+ The registration procedure for HTTP Upgrade Tokens -- previously
+ defined in Section 7.2 of [RFC2817] -- is now defined by
+ Section 9.8.1 of this document.
+
+ The HTTP Status Code Registry located at
+ <http://www.iana.org/assignments/http-upgrade-tokens/> shall be
+ updated with the registration below:
+
+ +-------+---------------------------+-------------------------------+
+ | Value | Description | Reference |
+ +-------+---------------------------+-------------------------------+
+ | HTTP | Hypertext Transfer | Section 2.5 of this |
+ | | Protocol | specification |
+ +-------+---------------------------+-------------------------------+
+
+11. Security Considerations
+
+ This section is meant to inform application developers, information
+ providers, and users of the security limitations in HTTP/1.1 as
+ described by this document. The discussion does not include
+ definitive solutions to the problems revealed, though it does make
+ some suggestions for reducing security risks.
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 62]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+11.1. Personal Information
+
+ HTTP clients are often privy to large amounts of personal information
+ (e.g., the user's name, location, mail address, passwords, encryption
+ keys, etc.), and SHOULD be very careful to prevent unintentional
+ leakage of this information. We very strongly recommend that a
+ convenient interface be provided for the user to control
+ dissemination of such information, and that designers and
+ implementors be particularly careful in this area. History shows
+ that errors in this area often create serious security and/or privacy
+ problems and generate highly adverse publicity for the implementor's
+ company.
+
+11.2. Abuse of Server Log Information
+
+ A server is in the position to save personal data about a user's
+ requests which might identify their reading patterns or subjects of
+ interest. This information is clearly confidential in nature and its
+ handling can be constrained by law in certain countries. People
+ using HTTP to provide data are responsible for ensuring that such
+ material is not distributed without the permission of any individuals
+ that are identifiable by the published results.
+
+11.3. Attacks Based On File and Path Names
+
+ Implementations of HTTP origin servers SHOULD be careful to restrict
+ the documents returned by HTTP requests to be only those that were
+ intended by the server administrators. If an HTTP server translates
+ HTTP URIs directly into file system calls, the server MUST take
+ special care not to serve files that were not intended to be
+ delivered to HTTP clients. For example, UNIX, Microsoft Windows, and
+ other operating systems use ".." as a path component to indicate a
+ directory level above the current one. On such a system, an HTTP
+ server MUST disallow any such construct in the request-target if it
+ would otherwise allow access to a resource outside those intended to
+ be accessible via the HTTP server. Similarly, files intended for
+ reference only internally to the server (such as access control
+ files, configuration files, and script code) MUST be protected from
+ inappropriate retrieval, since they might contain sensitive
+ information. Experience has shown that minor bugs in such HTTP
+ server implementations have turned into security risks.
+
+11.4. DNS Spoofing
+
+ Clients using HTTP rely heavily on the Domain Name Service, and are
+ thus generally prone to security attacks based on the deliberate mis-
+ association of IP addresses and DNS names. Clients need to be
+ cautious in assuming the continuing validity of an IP number/DNS name
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 63]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ association.
+
+ In particular, HTTP clients SHOULD rely on their name resolver for
+ confirmation of an IP number/DNS name association, rather than
+ caching the result of previous host name lookups. Many platforms
+ already can cache host name lookups locally when appropriate, and
+ they SHOULD be configured to do so. It is proper for these lookups
+ to be cached, however, only when the TTL (Time To Live) information
+ reported by the name server makes it likely that the cached
+ information will remain useful.
+
+ If HTTP clients cache the results of host name lookups in order to
+ achieve a performance improvement, they MUST observe the TTL
+ information reported by DNS.
+
+ If HTTP clients do not observe this rule, they could be spoofed when
+ a previously-accessed server's IP address changes. As network
+ renumbering is expected to become increasingly common [RFC1900], the
+ possibility of this form of attack will grow. Observing this
+ requirement thus reduces this potential security vulnerability.
+
+ This requirement also improves the load-balancing behavior of clients
+ for replicated servers using the same DNS name and reduces the
+ likelihood of a user's experiencing failure in accessing sites which
+ use that strategy.
+
+11.5. Proxies and Caching
+
+ By their very nature, HTTP proxies are men-in-the-middle, and
+ represent an opportunity for man-in-the-middle attacks. Compromise
+ of the systems on which the proxies run can result in serious
+ security and privacy problems. Proxies have access to security-
+ related information, personal information about individual users and
+ organizations, and proprietary information belonging to users and
+ content providers. A compromised proxy, or a proxy implemented or
+ configured without regard to security and privacy considerations,
+ might be used in the commission of a wide range of potential attacks.
+
+ Proxy operators need to protect the systems on which proxies run as
+ they would protect any system that contains or transports sensitive
+ information. In particular, log information gathered at proxies
+ often contains highly sensitive personal information, and/or
+ information about organizations. Log information needs to be
+ carefully guarded, and appropriate guidelines for use need to be
+ developed and followed. (Section 11.2).
+
+ Proxy implementors need to consider the privacy and security
+ implications of their design and coding decisions, and of the
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 64]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ configuration options they provide to proxy operators (especially the
+ default configuration).
+
+ Users of a proxy need to be aware that proxies are no trustworthier
+ than the people who run them; HTTP itself cannot solve this problem.
+
+ The judicious use of cryptography, when appropriate, might suffice to
+ protect against a broad range of security and privacy attacks. Such
+ cryptography is beyond the scope of the HTTP/1.1 specification.
+
+11.6. Denial of Service Attacks on Proxies
+
+ They exist. They are hard to defend against. Research continues.
+ Beware.
+
+12. Acknowledgments
+
+ HTTP has evolved considerably over the years. It has benefited from
+ a large and active developer community--the many people who have
+ participated on the www-talk mailing list--and it is that community
+ which has been most responsible for the success of HTTP and of the
+ World-Wide Web in general. Marc Andreessen, Robert Cailliau, Daniel
+ W. Connolly, Bob Denny, John Franks, Jean-Francois Groff, Phillip M.
+ Hallam-Baker, Hakon W. Lie, Ari Luotonen, Rob McCool, Lou Montulli,
+ Dave Raggett, Tony Sanders, and Marc VanHeyningen deserve special
+ recognition for their efforts in defining early aspects of the
+ protocol.
+
+ This document has benefited greatly from the comments of all those
+ participating in the HTTP-WG. In addition to those already
+ mentioned, the following individuals have contributed to this
+ specification:
+
+ Gary Adams, Harald Tveit Alvestrand, Keith Ball, Brian Behlendorf,
+ Paul Burchard, Maurizio Codogno, Josh Cohen, Mike Cowlishaw, Roman
+ Czyborra, Michael A. Dolan, Daniel DuBois, David J. Fiander, Alan
+ Freier, Marc Hedlund, Greg Herlihy, Koen Holtman, Alex Hopmann, Bob
+ Jernigan, Shel Kaphan, Rohit Khare, John Klensin, Martijn Koster,
+ Alexei Kosut, David M. Kristol, Daniel LaLiberte, Ben Laurie, Paul J.
+ Leach, Albert Lunde, John C. Mallery, Jean-Philippe Martin-Flatin,
+ Mitra, David Morris, Gavin Nicol, Ross Patterson, Bill Perry, Jeffrey
+ Perry, Scott Powers, Owen Rees, Luigi Rizzo, David Robinson, Marc
+ Salomon, Rich Salz, Allan M. Schiffman, Jim Seidman, Chuck Shotton,
+ Eric W. Sink, Simon E. Spero, Richard N. Taylor, Robert S. Thau, Bill
+ (BearHeart) Weinman, Francois Yergeau, Mary Ellen Zurko.
+
+ Thanks to the "cave men" of Palo Alto. You know who you are.
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 65]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Jim Gettys (the editor of [RFC2616]) wishes particularly to thank Roy
+ Fielding, the editor of [RFC2068], along with John Klensin, Jeff
+ Mogul, Paul Leach, Dave Kristol, Koen Holtman, John Franks, Josh
+ Cohen, Alex Hopmann, Scott Lawrence, and Larry Masinter for their
+ help. And thanks go particularly to Jeff Mogul and Scott Lawrence
+ for performing the "MUST/MAY/SHOULD" audit.
+
+ The Apache Group, Anselm Baird-Smith, author of Jigsaw, and Henrik
+ Frystyk implemented RFC 2068 early, and we wish to thank them for the
+ discovery of many of the problems that this document attempts to
+ rectify.
+
+ This specification makes heavy use of the augmented BNF and generic
+ constructs defined by David H. Crocker for [RFC5234]. Similarly, it
+ reuses many of the definitions provided by Nathaniel Borenstein and
+ Ned Freed for MIME [RFC2045]. We hope that their inclusion in this
+ specification will help reduce past confusion over the relationship
+ between HTTP and Internet mail message formats.
+
+13. References
+
+13.1. Normative References
+
+ [ISO-8859-1] International Organization for Standardization,
+ "Information technology -- 8-bit single-byte coded
+ graphic character sets -- Part 1: Latin alphabet No.
+ 1", ISO/IEC 8859-1:1998, 1998.
+
+ [Part2] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H.,
+ Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y.,
+ Ed., and J. Reschke, Ed., "HTTP/1.1, part 2: Message
+ Semantics", draft-ietf-httpbis-p2-semantics-11 (work in
+ progress), August 2010.
+
+ [Part3] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H.,
+ Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y.,
+ Ed., and J. Reschke, Ed., "HTTP/1.1, part 3: Message
+ Payload and Content Negotiation",
+ draft-ietf-httpbis-p3-payload-11 (work in progress),
+ August 2010.
+
+ [Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H.,
+ Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y.,
+ Ed., Nottingham, M., Ed., and J. Reschke, Ed.,
+ "HTTP/1.1, part 6: Caching",
+ draft-ietf-httpbis-p6-cache-11 (work in progress),
+ August 2010.
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 66]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ [RFC1950] Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data
+ Format Specification version 3.3", RFC 1950, May 1996.
+
+ RFC 1950 is an Informational RFC, thus it might be less
+ stable than this specification. On the other hand,
+ this downward reference was present since the
+ publication of RFC 2068 in 1997 ([RFC2068]), therefore
+ it is unlikely to cause problems in practice. See also
+ [BCP97].
+
+ [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format
+ Specification version 1.3", RFC 1951, May 1996.
+
+ RFC 1951 is an Informational RFC, thus it might be less
+ stable than this specification. On the other hand,
+ this downward reference was present since the
+ publication of RFC 2068 in 1997 ([RFC2068]), therefore
+ it is unlikely to cause problems in practice. See also
+ [BCP97].
+
+ [RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and
+ G. Randers-Pehrson, "GZIP file format specification
+ version 4.3", RFC 1952, May 1996.
+
+ RFC 1952 is an Informational RFC, thus it might be less
+ stable than this specification. On the other hand,
+ this downward reference was present since the
+ publication of RFC 2068 in 1997 ([RFC2068]), therefore
+ it is unlikely to cause problems in practice. See also
+ [BCP97].
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter,
+ "Uniform Resource Identifier (URI): Generic Syntax",
+ RFC 3986, STD 66, January 2005.
+
+ [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for
+ Syntax Specifications: ABNF", STD 68, RFC 5234,
+ January 2008.
+
+ [USASCII] American National Standards Institute, "Coded Character
+ Set -- 7-bit American Standard Code for Information
+ Interchange", ANSI X3.4, 1986.
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 67]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+13.2. Informative References
+
+ [BCP97] Klensin, J. and S. Hartman, "Handling Normative
+ References to Standards-Track Documents", BCP 97,
+ RFC 4897, June 2007.
+
+ [Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and
+ Politics", ACM Transactions on Internet Technology Vol.
+ 1, #2, November 2001,
+ <http://arxiv.org/abs/cs.SE/0105018>.
+
+ [Nie1997] Frystyk, H., Gettys, J., Prud'hommeaux, E., Lie, H.,
+ and C. Lilley, "Network Performance Effects of
+ HTTP/1.1, CSS1, and PNG", ACM Proceedings of the ACM
+ SIGCOMM '97 conference on Applications, technologies,
+ architectures, and protocols for computer communication
+ SIGCOMM '97, September 1997,
+ <http://doi.acm.org/10.1145/263105.263157>.
+
+ [Pad1995] Padmanabhan, V. and J. Mogul, "Improving HTTP Latency",
+ Computer Networks and ISDN Systems v. 28, pp. 25-35,
+ December 1995,
+ <http://portal.acm.org/citation.cfm?id=219094>.
+
+ [RFC1123] Braden, R., "Requirements for Internet Hosts -
+ Application and Support", STD 3, RFC 1123,
+ October 1989.
+
+ [RFC1305] Mills, D., "Network Time Protocol (Version 3)
+ Specification, Implementation", RFC 1305, March 1992.
+
+ [RFC1900] Carpenter, B. and Y. Rekhter, "Renumbering Needs Work",
+ RFC 1900, February 1996.
+
+ [RFC1945] Berners-Lee, T., Fielding, R., and H. Nielsen,
+ "Hypertext Transfer Protocol -- HTTP/1.0", RFC 1945,
+ May 1996.
+
+ [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet
+ Mail Extensions (MIME) Part One: Format of Internet
+ Message Bodies", RFC 2045, November 1996.
+
+ [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail
+ Extensions) Part Three: Message Header Extensions for
+ Non-ASCII Text", RFC 2047, November 1996.
+
+ [RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and
+ T. Berners-Lee, "Hypertext Transfer Protocol --
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 68]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ HTTP/1.1", RFC 2068, January 1997.
+
+ [RFC2109] Kristol, D. and L. Montulli, "HTTP State Management
+ Mechanism", RFC 2109, February 1997.
+
+ [RFC2145] Mogul, J., Fielding, R., Gettys, J., and H. Nielsen,
+ "Use and Interpretation of HTTP Version Numbers",
+ RFC 2145, May 1997.
+
+ [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
+ Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
+ Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
+
+ [RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within
+ HTTP/1.1", RFC 2817, May 2000.
+
+ [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
+
+ [RFC2965] Kristol, D. and L. Montulli, "HTTP State Management
+ Mechanism", RFC 2965, October 2000.
+
+ [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
+ Procedures for Message Header Fields", BCP 90,
+ RFC 3864, September 2004.
+
+ [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications
+ and Registration Procedures", BCP 13, RFC 4288,
+ December 2005.
+
+ [RFC4395] Hansen, T., Hardie, T., and L. Masinter, "Guidelines
+ and Registration Procedures for New URI Schemes",
+ BCP 115, RFC 4395, February 2006.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing
+ an IANA Considerations Section in RFCs", BCP 26,
+ RFC 5226, May 2008.
+
+ [RFC5322] Resnick, P., "Internet Message Format", RFC 5322,
+ October 2008.
+
+ [Spe] Spero, S., "Analysis of HTTP Performance Problems",
+ <http://sunsite.unc.edu/mdma-release/http-prob.html>.
+
+ [Tou1998] Touch, J., Heidemann, J., and K. Obraczka, "Analysis of
+ HTTP Performance", ISI Research Report ISI/RR-98-463,
+ Aug 1998, <http://www.isi.edu/touch/pubs/http-perf96/>.
+
+ (original report dated Aug. 1996)
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 69]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+Appendix A. Tolerant Applications
+
+ Although this document specifies the requirements for the generation
+ of HTTP/1.1 messages, not all applications will be correct in their
+ implementation. We therefore recommend that operational applications
+ be tolerant of deviations whenever those deviations can be
+ interpreted unambiguously.
+
+ Clients SHOULD be tolerant in parsing the Status-Line and servers
+ SHOULD be tolerant when parsing the Request-Line. In particular,
+ they SHOULD accept any amount of WSP characters between fields, even
+ though only a single SP is required.
+
+ The line terminator for header fields is the sequence CRLF. However,
+ we recommend that applications, when parsing such headers, recognize
+ a single LF as a line terminator and ignore the leading CR.
+
+ The character set of a representation SHOULD be labeled as the lowest
+ common denominator of the character codes used within that
+ representation, with the exception that not labeling the
+ representation is preferred over labeling the representation with the
+ labels US-ASCII or ISO-8859-1. See [Part3].
+
+ Additional rules for requirements on parsing and encoding of dates
+ and other potential problems with date encodings include:
+
+ o HTTP/1.1 clients and caches SHOULD assume that an RFC-850 date
+ which appears to be more than 50 years in the future is in fact in
+ the past (this helps solve the "year 2000" problem).
+
+ o Although all date formats are specified to be case-sensitive,
+ recipients SHOULD match day, week and timezone names case-
+ insensitively.
+
+ o An HTTP/1.1 implementation MAY internally represent a parsed
+ Expires date as earlier than the proper value, but MUST NOT
+ internally represent a parsed Expires date as later than the
+ proper value.
+
+ o All expiration-related calculations MUST be done in GMT. The
+ local time zone MUST NOT influence the calculation or comparison
+ of an age or expiration time.
+
+ o If an HTTP header incorrectly carries a date value with a time
+ zone other than GMT, it MUST be converted into GMT using the most
+ conservative possible conversion.
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 70]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+Appendix B. Compatibility with Previous Versions
+
+ HTTP has been in use by the World-Wide Web global information
+ initiative since 1990. The first version of HTTP, later referred to
+ as HTTP/0.9, was a simple protocol for hypertext data transfer across
+ the Internet with only a single method and no metadata. HTTP/1.0, as
+ defined by [RFC1945], added a range of request methods and MIME-like
+ messaging that could include metadata about the data transferred and
+ modifiers on the request/response semantics. However, HTTP/1.0 did
+ not sufficiently take into consideration the effects of hierarchical
+ proxies, caching, the need for persistent connections, or name-based
+ virtual hosts. The proliferation of incompletely-implemented
+ applications calling themselves "HTTP/1.0" further necessitated a
+ protocol version change in order for two communicating applications
+ to determine each other's true capabilities.
+
+ HTTP/1.1 remains compatible with HTTP/1.0 by including more stringent
+ requirements that enable reliable implementations, adding only those
+ new features that will either be safely ignored by an HTTP/1.0
+ recipient or only sent when communicating with a party advertising
+ compliance with HTTP/1.1.
+
+ It is beyond the scope of a protocol specification to mandate
+ compliance with previous versions. HTTP/1.1 was deliberately
+ designed, however, to make supporting previous versions easy. It is
+ worth noting that, at the time of composing this specification, we
+ would expect general-purpose HTTP/1.1 servers to:
+
+ o understand any valid request in the format of HTTP/1.0 and 1.1;
+
+ o respond appropriately with a message in the same major version
+ used by the client.
+
+ And we would expect HTTP/1.1 clients to:
+
+ o understand any valid response in the format of HTTP/1.0 or 1.1.
+
+ For most implementations of HTTP/1.0, each connection is established
+ by the client prior to the request and closed by the server after
+ sending the response. Some implementations implement the Keep-Alive
+ version of persistent connections described in Section 19.7.1 of
+ [RFC2068].
+
+B.1. Changes from HTTP/1.0
+
+ This section summarizes major differences between versions HTTP/1.0
+ and HTTP/1.1.
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 71]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+B.1.1. Changes to Simplify Multi-homed Web Servers and Conserve IP
+ Addresses
+
+ The requirements that clients and servers support the Host request-
+ header, report an error if the Host request-header (Section 9.4) is
+ missing from an HTTP/1.1 request, and accept absolute URIs
+ (Section 4.1.2) are among the most important changes defined by this
+ specification.
+
+ Older HTTP/1.0 clients assumed a one-to-one relationship of IP
+ addresses and servers; there was no other established mechanism for
+ distinguishing the intended server of a request than the IP address
+ to which that request was directed. The changes outlined above will
+ allow the Internet, once older HTTP clients are no longer common, to
+ support multiple Web sites from a single IP address, greatly
+ simplifying large operational Web servers, where allocation of many
+ IP addresses to a single host has created serious problems. The
+ Internet will also be able to recover the IP addresses that have been
+ allocated for the sole purpose of allowing special-purpose domain
+ names to be used in root-level HTTP URLs. Given the rate of growth
+ of the Web, and the number of servers already deployed, it is
+ extremely important that all implementations of HTTP (including
+ updates to existing HTTP/1.0 applications) correctly implement these
+ requirements:
+
+ o Both clients and servers MUST support the Host request-header.
+
+ o A client that sends an HTTP/1.1 request MUST send a Host header.
+
+ o Servers MUST report a 400 (Bad Request) error if an HTTP/1.1
+ request does not include a Host request-header.
+
+ o Servers MUST accept absolute URIs.
+
+B.2. Compatibility with HTTP/1.0 Persistent Connections
+
+ Some clients and servers might wish to be compatible with some
+ previous implementations of persistent connections in HTTP/1.0
+ clients and servers. Persistent connections in HTTP/1.0 are
+ explicitly negotiated as they are not the default behavior. HTTP/1.0
+ experimental implementations of persistent connections are faulty,
+ and the new facilities in HTTP/1.1 are designed to rectify these
+ problems. The problem was that some existing HTTP/1.0 clients might
+ send Keep-Alive to a proxy server that doesn't understand Connection,
+ which would then erroneously forward it to the next inbound server,
+ which would establish the Keep-Alive connection and result in a hung
+ HTTP/1.0 proxy waiting for the close on the response. The result is
+ that HTTP/1.0 clients must be prevented from using Keep-Alive when
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 72]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ talking to proxies.
+
+ However, talking to proxies is the most important use of persistent
+ connections, so that prohibition is clearly unacceptable. Therefore,
+ we need some other mechanism for indicating a persistent connection
+ is desired, which is safe to use even when talking to an old proxy
+ that ignores Connection. Persistent connections are the default for
+ HTTP/1.1 messages; we introduce a new keyword (Connection: close) for
+ declaring non-persistence. See Section 9.1.
+
+ The original HTTP/1.0 form of persistent connections (the Connection:
+ Keep-Alive and Keep-Alive header) is documented in Section 19.7.1 of
+ [RFC2068].
+
+B.3. Changes from RFC 2616
+
+ Empty list elements in list productions have been deprecated.
+ (Section 1.2.1)
+
+ Rules about implicit linear whitespace between certain grammar
+ productions have been removed; now it's only allowed when
+ specifically pointed out in the ABNF. The NUL character is no longer
+ allowed in comment and quoted-string text. The quoted-pair rule no
+ longer allows escaping control characters other than HTAB. Non-ASCII
+ content in header fields and reason phrase has been obsoleted and
+ made opaque (the TEXT rule was removed) (Section 1.2.2)
+
+ Clarify that HTTP-Version is case sensitive. (Section 2.5)
+
+ Remove reference to non-existent identity transfer-coding value
+ tokens. (Sections 6.2 and 3.3)
+
+ Require that invalid whitespace around field-names be rejected.
+ (Section 3.2)
+
+ Update use of abs_path production from RFC1808 to the path-absolute +
+ query components of RFC3986. (Section 4.1.2)
+
+ Clarification that the chunk length does not include the count of the
+ octets in the chunk header and trailer. Furthermore disallowed line
+ folding in chunk extensions. (Section 6.2.1)
+
+ Remove hard limit of two connections per server. (Section 7.1.4)
+
+ Clarify exactly when close connection options must be sent.
+ (Section 9.1)
+
+Appendix C. Collected ABNF
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 73]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ BWS = OWS
+
+ Cache-Control = <Cache-Control, defined in [Part6], Section 3.4>
+ Chunked-Body = *chunk last-chunk trailer-part CRLF
+ Connection = "Connection:" OWS Connection-v
+ Connection-v = *( "," OWS ) connection-token *( OWS "," [ OWS
+ connection-token ] )
+ Content-Length = "Content-Length:" OWS 1*Content-Length-v
+ Content-Length-v = 1*DIGIT
+
+ Date = "Date:" OWS Date-v
+ Date-v = HTTP-date
+
+ GMT = %x47.4D.54 ; GMT
+
+ HTTP-Prot-Name = %x48.54.54.50 ; HTTP
+ HTTP-Version = HTTP-Prot-Name "/" 1*DIGIT "." 1*DIGIT
+ HTTP-date = rfc1123-date / obs-date
+ HTTP-message = start-line *( header-field CRLF ) CRLF [ message-body
+ ]
+ Host = "Host:" OWS Host-v
+ Host-v = uri-host [ ":" port ]
+
+ MIME-Version = <MIME-Version, defined in [Part3], Appendix A.1>
+ Method = token
+
+ OWS = *( [ obs-fold ] WSP )
+
+ Pragma = <Pragma, defined in [Part6], Section 3.4>
+
+ RWS = 1*( [ obs-fold ] WSP )
+ Reason-Phrase = *( WSP / VCHAR / obs-text )
+ Request = Request-Line *( header-field CRLF ) CRLF [ message-body ]
+ Request-Line = Method SP request-target SP HTTP-Version CRLF
+ Response = Status-Line *( header-field CRLF ) CRLF [ message-body ]
+
+ Status-Code = 3DIGIT
+ Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
+
+ TE = "TE:" OWS TE-v
+ TE-v = [ ( "," / t-codings ) *( OWS "," [ OWS t-codings ] ) ]
+ Trailer = "Trailer:" OWS Trailer-v
+ Trailer-v = *( "," OWS ) field-name *( OWS "," [ OWS field-name ] )
+ Transfer-Encoding = "Transfer-Encoding:" OWS Transfer-Encoding-v
+ Transfer-Encoding-v = *( "," OWS ) transfer-coding *( OWS "," [ OWS
+ transfer-coding ] )
+
+ URI-reference = <URI-reference, defined in [RFC3986], Section 4.1>
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 74]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Upgrade = "Upgrade:" OWS Upgrade-v
+ Upgrade-v = *( "," OWS ) product *( OWS "," [ OWS product ] )
+
+ Via = "Via:" OWS Via-v
+ Via-v = *( "," OWS ) received-protocol RWS received-by [ RWS comment
+ ] *( OWS "," [ OWS received-protocol RWS received-by [ RWS comment ]
+ ] )
+
+ Warning = <Warning, defined in [Part6], Section 3.6>
+
+ absolute-URI = <absolute-URI, defined in [RFC3986], Section 4.3>
+ asctime-date = day-name SP date3 SP time-of-day SP year
+ attribute = token
+ authority = <authority, defined in [RFC3986], Section 3.2>
+
+ chunk = chunk-size *WSP [ chunk-ext ] CRLF chunk-data CRLF
+ chunk-data = 1*OCTET
+ chunk-ext = *( ";" *WSP chunk-ext-name [ "=" chunk-ext-val ] *WSP )
+ chunk-ext-name = token
+ chunk-ext-val = token / quoted-str-nf
+ chunk-size = 1*HEXDIG
+ comment = "(" *( ctext / quoted-cpair / comment ) ")"
+ connection-token = token
+ ctext = OWS / %x21-27 ; '!'-'''
+ / %x2A-5B ; '*'-'['
+ / %x5D-7E ; ']'-'~'
+ / obs-text
+
+ date1 = day SP month SP year
+ date2 = day "-" month "-" 2DIGIT
+ date3 = month SP ( 2DIGIT / ( SP DIGIT ) )
+ day = 2DIGIT
+ day-name = %x4D.6F.6E ; Mon
+ / %x54.75.65 ; Tue
+ / %x57.65.64 ; Wed
+ / %x54.68.75 ; Thu
+ / %x46.72.69 ; Fri
+ / %x53.61.74 ; Sat
+ / %x53.75.6E ; Sun
+ day-name-l = %x4D.6F.6E.64.61.79 ; Monday
+ / %x54.75.65.73.64.61.79 ; Tuesday
+ / %x57.65.64.6E.65.73.64.61.79 ; Wednesday
+ / %x54.68.75.72.73.64.61.79 ; Thursday
+ / %x46.72.69.64.61.79 ; Friday
+ / %x53.61.74.75.72.64.61.79 ; Saturday
+ / %x53.75.6E.64.61.79 ; Sunday
+
+ field-content = *( WSP / VCHAR / obs-text )
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 75]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ field-name = token
+ field-value = *( field-content / OWS )
+
+ general-header = Cache-Control / Connection / Date / Pragma / Trailer
+ / Transfer-Encoding / Upgrade / Via / Warning / MIME-Version
+
+ header-field = field-name ":" OWS [ field-value ] OWS
+ hour = 2DIGIT
+ http-URI = "http://" authority path-abempty [ "?" query ]
+ https-URI = "https://" authority path-abempty [ "?" query ]
+
+ last-chunk = 1*"0" *WSP [ chunk-ext ] CRLF
+
+ message-body = *OCTET
+ minute = 2DIGIT
+ month = %x4A.61.6E ; Jan
+ / %x46.65.62 ; Feb
+ / %x4D.61.72 ; Mar
+ / %x41.70.72 ; Apr
+ / %x4D.61.79 ; May
+ / %x4A.75.6E ; Jun
+ / %x4A.75.6C ; Jul
+ / %x41.75.67 ; Aug
+ / %x53.65.70 ; Sep
+ / %x4F.63.74 ; Oct
+ / %x4E.6F.76 ; Nov
+ / %x44.65.63 ; Dec
+
+ obs-date = rfc850-date / asctime-date
+ obs-fold = CRLF
+ obs-text = %x80-FF
+
+ partial-URI = relative-part [ "?" query ]
+ path-abempty = <path-abempty, defined in [RFC3986], Section 3.3>
+ path-absolute = <path-absolute, defined in [RFC3986], Section 3.3>
+ port = <port, defined in [RFC3986], Section 3.2.3>
+ product = token [ "/" product-version ]
+ product-version = token
+ protocol-name = token
+ protocol-version = token
+ pseudonym = token
+
+ qdtext = OWS / "!" / %x23-5B ; '#'-'['
+ / %x5D-7E ; ']'-'~'
+ / obs-text
+ qdtext-nf = WSP / "!" / %x23-5B ; '#'-'['
+ / %x5D-7E ; ']'-'~'
+ / obs-text
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 76]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ query = <query, defined in [RFC3986], Section 3.4>
+ quoted-cpair = "\" ( WSP / VCHAR / obs-text )
+ quoted-pair = "\" ( WSP / VCHAR / obs-text )
+ quoted-str-nf = DQUOTE *( qdtext-nf / quoted-pair ) DQUOTE
+ quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
+ qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] )
+
+ received-by = ( uri-host [ ":" port ] ) / pseudonym
+ received-protocol = [ protocol-name "/" ] protocol-version
+ relative-part = <relative-part, defined in [RFC3986], Section 4.2>
+ request-header = <request-header, defined in [Part2], Section 3>
+ request-target = "*" / absolute-URI / ( path-absolute [ "?" query ] )
+ / authority
+ response-header = <response-header, defined in [Part2], Section 5>
+ rfc1123-date = day-name "," SP date1 SP time-of-day SP GMT
+ rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT
+
+ second = 2DIGIT
+ special = "(" / ")" / "<" / ">" / "@" / "," / ";" / ":" / "\" /
+ DQUOTE / "/" / "[" / "]" / "?" / "=" / "{" / "}"
+ start-line = Request-Line / Status-Line
+
+ t-codings = "trailers" / ( transfer-extension [ te-params ] )
+ tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
+ "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
+ te-ext = OWS ";" OWS token [ "=" word ]
+ te-params = OWS ";" OWS "q=" qvalue *te-ext
+ time-of-day = hour ":" minute ":" second
+ token = 1*tchar
+ trailer-part = *( header-field CRLF )
+ transfer-coding = "chunked" / "compress" / "deflate" / "gzip" /
+ transfer-extension
+ transfer-extension = token *( OWS ";" OWS transfer-parameter )
+ transfer-parameter = attribute BWS "=" BWS value
+
+ uri-host = <host, defined in [RFC3986], Section 3.2.2>
+
+ value = word
+
+ word = token / quoted-string
+
+ year = 4DIGIT
+
+
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 77]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ ABNF diagnostics:
+
+ ; Chunked-Body defined but not used
+ ; Content-Length defined but not used
+ ; HTTP-message defined but not used
+ ; Host defined but not used
+ ; Request defined but not used
+ ; Response defined but not used
+ ; TE defined but not used
+ ; URI-reference defined but not used
+ ; general-header defined but not used
+ ; http-URI defined but not used
+ ; https-URI defined but not used
+ ; partial-URI defined but not used
+ ; request-header defined but not used
+ ; response-header defined but not used
+ ; special defined but not used
+
+Appendix D. Change Log (to be removed by RFC Editor before publication)
+
+D.1. Since RFC2616
+
+ Extracted relevant partitions from [RFC2616].
+
+D.2. Since draft-ietf-httpbis-p1-messaging-00
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/1>: "HTTP Version
+ should be case sensitive"
+ (<http://purl.org/NET/http-errata#verscase>)
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/2>: "'unsafe'
+ characters" (<http://purl.org/NET/http-errata#unsafe-uri>)
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/3>: "Chunk Size
+ Definition" (<http://purl.org/NET/http-errata#chunk-size>)
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/4>: "Message Length"
+ (<http://purl.org/NET/http-errata#msg-len-chars>)
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/8>: "Media Type
+ Registrations" (<http://purl.org/NET/http-errata#media-reg>)
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/11>: "URI includes
+ query" (<http://purl.org/NET/http-errata#uriquery>)
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 78]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/15>: "No close on
+ 1xx responses" (<http://purl.org/NET/http-errata#noclose1xx>)
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/16>: "Remove
+ 'identity' token references"
+ (<http://purl.org/NET/http-errata#identity>)
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/26>: "Import query
+ BNF"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/31>: "qdtext BNF"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/35>: "Normative and
+ Informative references"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/42>: "RFC2606
+ Compliance"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/45>: "RFC977
+ reference"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/46>: "RFC1700
+ references"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/47>: "inconsistency
+ in date format explanation"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/48>: "Date reference
+ typo"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/65>: "Informative
+ references"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/66>: "ISO-8859-1
+ Reference"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/86>: "Normative up-
+ to-date references"
+
+ Other changes:
+
+ o Update media type registrations to use RFC4288 template.
+
+ o Use names of RFC4234 core rules DQUOTE and WSP, fix broken ABNF
+ for chunk-data (work in progress on
+ <http://tools.ietf.org/wg/httpbis/trac/ticket/36>)
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 79]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+D.3. Since draft-ietf-httpbis-p1-messaging-01
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/19>: "Bodies on GET
+ (and other) requests"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/55>: "Updating to
+ RFC4288"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/57>: "Status Code
+ and Reason Phrase"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/82>: "rel_path not
+ used"
+
+ Ongoing work on ABNF conversion
+ (<http://tools.ietf.org/wg/httpbis/trac/ticket/36>):
+
+ o Get rid of duplicate BNF rule names ("host" -> "uri-host",
+ "trailer" -> "trailer-part").
+
+ o Avoid underscore character in rule names ("http_URL" -> "http-
+ URL", "abs_path" -> "path-absolute").
+
+ o Add rules for terms imported from URI spec ("absoluteURI",
+ "authority", "path-absolute", "port", "query", "relativeURI",
+ "host) -- these will have to be updated when switching over to
+ RFC3986.
+
+ o Synchronize core rules with RFC5234.
+
+ o Get rid of prose rules that span multiple lines.
+
+ o Get rid of unused rules LOALPHA and UPALPHA.
+
+ o Move "Product Tokens" section (back) into Part 1, as "token" is
+ used in the definition of the Upgrade header.
+
+ o Add explicit references to BNF syntax and rules imported from
+ other parts of the specification.
+
+ o Rewrite prose rule "token" in terms of "tchar", rewrite prose rule
+ "TEXT".
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 80]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+D.4. Since draft-ietf-httpbis-p1-messaging-02
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/51>: "HTTP-date vs.
+ rfc1123-date"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/64>: "WS in quoted-
+ pair"
+
+ Ongoing work on IANA Message Header Registration
+ (<http://tools.ietf.org/wg/httpbis/trac/ticket/40>):
+
+ o Reference RFC 3984, and update header registrations for headers
+ defined in this document.
+
+ Ongoing work on ABNF conversion
+ (<http://tools.ietf.org/wg/httpbis/trac/ticket/36>):
+
+ o Replace string literals when the string really is case-sensitive
+ (HTTP-Version).
+
+D.5. Since draft-ietf-httpbis-p1-messaging-03
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/28>: "Connection
+ closing"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/97>: "Move
+ registrations and registry information to IANA Considerations"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/120>: "need new URL
+ for PAD1995 reference"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/127>: "IANA
+ Considerations: update HTTP URI scheme registration"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/128>: "Cite HTTPS
+ URI scheme definition"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/129>: "List-type
+ headers vs Set-Cookie"
+
+ Ongoing work on ABNF conversion
+ (<http://tools.ietf.org/wg/httpbis/trac/ticket/36>):
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 81]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ o Replace string literals when the string really is case-sensitive
+ (HTTP-Date).
+
+ o Replace HEX by HEXDIG for future consistence with RFC 5234's core
+ rules.
+
+D.6. Since draft-ietf-httpbis-p1-messaging-04
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/34>: "Out-of-date
+ reference for URIs"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/132>: "RFC 2822 is
+ updated by RFC 5322"
+
+ Ongoing work on ABNF conversion
+ (<http://tools.ietf.org/wg/httpbis/trac/ticket/36>):
+
+ o Use "/" instead of "|" for alternatives.
+
+ o Get rid of RFC822 dependency; use RFC5234 plus extensions instead.
+
+ o Only reference RFC 5234's core rules.
+
+ o Introduce new ABNF rules for "bad" whitespace ("BWS"), optional
+ whitespace ("OWS") and required whitespace ("RWS").
+
+ o Rewrite ABNFs to spell out whitespace rules, factor out header
+ value format definitions.
+
+D.7. Since draft-ietf-httpbis-p1-messaging-05
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/30>: "Header LWS"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/52>: "Sort 1.3
+ Terminology"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/63>: "RFC2047
+ encoded words"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/74>: "Character
+ Encodings in TEXT"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/77>: "Line Folding"
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 82]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/83>: "OPTIONS * and
+ proxies"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/94>: "Reason-Phrase
+ BNF"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/111>: "Use of TEXT"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/118>: "Join
+ "Differences Between HTTP Entities and RFC 2045 Entities"?"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/134>: "RFC822
+ reference left in discussion of date formats"
+
+ Final work on ABNF conversion
+ (<http://tools.ietf.org/wg/httpbis/trac/ticket/36>):
+
+ o Rewrite definition of list rules, deprecate empty list elements.
+
+ o Add appendix containing collected and expanded ABNF.
+
+ Other changes:
+
+ o Rewrite introduction; add mostly new Architecture Section.
+
+ o Move definition of quality values from Part 3 into Part 1; make TE
+ request header grammar independent of accept-params (defined in
+ Part 3).
+
+D.8. Since draft-ietf-httpbis-p1-messaging-06
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/161>: "base for
+ numeric protocol elements"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/162>: "comment ABNF"
+
+ Partly resolved issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/88>: "205 Bodies"
+ (took out language that implied that there might be methods for
+ which a request body MUST NOT be included)
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/163>: "editorial
+ improvements around HTTP-date"
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 83]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+D.9. Since draft-ietf-httpbis-p1-messaging-07
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/93>: "Repeating
+ single-value headers"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/131>: "increase
+ connection limit"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/157>: "IP addresses
+ in URLs"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/172>: "take over
+ HTTP Upgrade Token Registry"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/173>: "CR and LF in
+ chunk extension values"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/184>: "HTTP/0.9
+ support"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/188>: "pick IANA
+ policy (RFC5226) for Transfer Coding / Content Coding"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/189>: "move
+ definitions of gzip/deflate/compress to part 1"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/194>: "disallow
+ control characters in quoted-pair"
+
+ Partly resolved issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/148>: "update IANA
+ requirements wrt Transfer-Coding values" (add the IANA
+ Considerations subsection)
+
+D.10. Since draft-ietf-httpbis-p1-messaging-08
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/201>: "header
+ parsing, treatment of leading and trailing OWS"
+
+ Partly resolved issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/60>: "Placement of
+ 13.5.1 and 13.5.2"
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 84]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/200>: "use of term
+ "word" when talking about header structure"
+
+D.11. Since draft-ietf-httpbis-p1-messaging-09
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/73>: "Clarification
+ of the term 'deflate'"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/83>: "OPTIONS * and
+ proxies"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/122>: "MIME-Version
+ not listed in P1, general header fields"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/143>: "IANA registry
+ for content/transfer encodings"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/165>: "Case-
+ sensitivity of HTTP-date"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/200>: "use of term
+ "word" when talking about header structure"
+
+ Partly resolved issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/196>: "Term for the
+ requested resource's URI"
+
+D.12. Since draft-ietf-httpbis-p1-messaging-10
+
+ Closed issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/28>: "Connection
+ Closing"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/90>: "Delimiting
+ messages with multipart/byteranges"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/95>: "Handling
+ multiple Content-Length headers"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/109>: "Clarify
+ entity / representation / variant terminology"
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/220>: "consider
+ removing the 'changes from 2068' sections"
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 85]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Partly resolved issues:
+
+ o <http://tools.ietf.org/wg/httpbis/trac/ticket/159>: "HTTP(s) URI
+ scheme definitions"
+
+Index
+
+ A
+ application/http Media Type 61
+
+ B
+ browser 10
+
+ C
+ cache 13
+ cacheable 14
+ chunked (Coding Format) 35
+ client 10
+ Coding Format
+ chunked 35
+ compress 38
+ deflate 38
+ gzip 38
+ compress (Coding Format) 38
+ connection 10
+ Connection header 49
+ Content-Length header 50
+
+ D
+ Date header 51
+ deflate (Coding Format) 38
+ downstream 12
+
+ E
+ effective request URI 29
+
+ G
+ gateway 13
+ Grammar
+ absolute-URI 16
+ ALPHA 7
+ asctime-date 34
+ attribute 34
+ authority 16
+ BWS 9
+ chunk 35
+ chunk-data 35
+ chunk-ext 35
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 86]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ chunk-ext-name 35
+ chunk-ext-val 35
+ chunk-size 35
+ Chunked-Body 35
+ comment 22
+ Connection 49
+ connection-token 49
+ Connection-v 49
+ Content-Length 50
+ Content-Length-v 50
+ CR 7
+ CRLF 7
+ ctext 22
+ CTL 7
+ Date 51
+ Date-v 51
+ date1 33
+ date2 34
+ date3 34
+ day 33
+ day-name 33
+ day-name-l 33
+ DIGIT 7
+ DQUOTE 7
+ extension-code 32
+ extension-method 26
+ field-content 20
+ field-name 20
+ field-value 20
+ general-header 26
+ GMT 33
+ header-field 20
+ HEXDIG 7
+ Host 52
+ Host-v 52
+ hour 33
+ HTTP-date 32
+ HTTP-message 19
+ HTTP-Prot-Name 15
+ http-URI 16
+ HTTP-Version 15
+ https-URI 18
+ last-chunk 35
+ LF 7
+ message-body 22
+ Method 26
+ minute 33
+ month 33
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 87]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ obs-date 33
+ obs-text 10
+ OCTET 7
+ OWS 9
+ path-absolute 16
+ port 16
+ product 39
+ product-version 39
+ protocol-name 57
+ protocol-version 57
+ pseudonym 57
+ qdtext 10
+ qdtext-nf 35
+ query 16
+ quoted-cpair 22
+ quoted-pair 10
+ quoted-str-nf 35
+ quoted-string 10
+ qvalue 39
+ Reason-Phrase 32
+ received-by 57
+ received-protocol 57
+ Request 26
+ Request-Line 26
+ request-target 27
+ Response 31
+ rfc850-date 34
+ rfc1123-date 33
+ RWS 9
+ second 33
+ SP 7
+ special 9
+ Status-Code 32
+ Status-Line 31
+ t-codings 53
+ tchar 9
+ TE 53
+ te-ext 53
+ te-params 53
+ TE-v 53
+ time-of-day 33
+ token 9
+ Trailer 54
+ trailer-part 35
+ Trailer-v 54
+ transfer-coding 34
+ Transfer-Encoding 55
+ Transfer-Encoding-v 55
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 88]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ transfer-extension 34
+ transfer-parameter 34
+ Upgrade 55
+ Upgrade-v 55
+ uri-host 16
+ URI-reference 16
+ value 34
+ VCHAR 7
+ Via 57
+ Via-v 57
+ word 9
+ WSP 7
+ year 33
+ gzip (Coding Format) 38
+
+ H
+ header field 19
+ header section 19
+ Headers
+ Connection 49
+ Content-Length 50
+ Date 51
+ Host 52
+ TE 53
+ Trailer 54
+ Transfer-Encoding 55
+ Upgrade 55
+ Via 57
+ headers 19
+ Host header 52
+ http URI scheme 16
+ https URI scheme 18
+
+ I
+ inbound 12
+ intermediary 12
+
+ M
+ Media Type
+ application/http 61
+ message/http 59
+ message 11
+ message/http Media Type 59
+
+ O
+ origin server 10
+ outbound 12
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 89]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ P
+ proxy 12
+
+ R
+ request 11
+ resource 16
+ response 11
+ reverse proxy 13
+
+ S
+ server 10
+ spider 10
+
+ T
+ target resource 29
+ TE header 53
+ Trailer header 54
+ Transfer-Encoding header 55
+ tunnel 13
+
+ U
+ Upgrade header 55
+ upstream 12
+ URI scheme
+ http 16
+ https 18
+ user agent 10
+
+ V
+ Via header 57
+
+Authors' Addresses
+
+ Roy T. Fielding (editor)
+ Day Software
+ 23 Corporate Plaza DR, Suite 280
+ Newport Beach, CA 92660
+ USA
+
+ Phone: +1-949-706-5300
+ Fax: +1-949-706-5305
+ EMail: fielding@gbiv.com
+ URI: http://roy.gbiv.com/
+
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 90]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Jim Gettys
+ Alcatel-Lucent Bell Labs
+ 21 Oak Knoll Road
+ Carlisle, MA 01741
+ USA
+
+ EMail: jg@freedesktop.org
+ URI: http://gettys.wordpress.com/
+
+
+ Jeffrey C. Mogul
+ Hewlett-Packard Company
+ HP Labs, Large Scale Systems Group
+ 1501 Page Mill Road, MS 1177
+ Palo Alto, CA 94304
+ USA
+
+ EMail: JeffMogul@acm.org
+
+
+ Henrik Frystyk Nielsen
+ Microsoft Corporation
+ 1 Microsoft Way
+ Redmond, WA 98052
+ USA
+
+ EMail: henrikn@microsoft.com
+
+
+ Larry Masinter
+ Adobe Systems, Incorporated
+ 345 Park Ave
+ San Jose, CA 95110
+ USA
+
+ EMail: LMM@acm.org
+ URI: http://larry.masinter.net/
+
+
+ Paul J. Leach
+ Microsoft Corporation
+ 1 Microsoft Way
+ Redmond, WA 98052
+
+ EMail: paulle@microsoft.com
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 91]
+
+Internet-Draft HTTP/1.1, Part 1 August 2010
+
+
+ Tim Berners-Lee
+ World Wide Web Consortium
+ MIT Computer Science and Artificial Intelligence Laboratory
+ The Stata Center, Building 32
+ 32 Vassar Street
+ Cambridge, MA 02139
+ USA
+
+ EMail: timbl@w3.org
+ URI: http://www.w3.org/People/Berners-Lee/
+
+
+ Yves Lafon (editor)
+ World Wide Web Consortium
+ W3C / ERCIM
+ 2004, rte des Lucioles
+ Sophia-Antipolis, AM 06902
+ France
+
+ EMail: ylafon@w3.org
+ URI: http://www.raubacapeu.net/people/yves/
+
+
+ Julian F. Reschke (editor)
+ greenbytes GmbH
+ Hafenweg 16
+ Muenster, NW 48155
+ Germany
+
+ Phone: +49 251 2807760
+ Fax: +49 251 2807761
+ EMail: julian.reschke@greenbytes.de
+ URI: http://greenbytes.de/tech/webdav/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Fielding, et al. Expires February 5, 2011 [Page 92]
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-05 16:02:30 +0000