aboutsummaryrefslogtreecommitdiffstats
path: root/vendor/sabre/dav/docs/draft-nottingham-http-new-status-04.txt
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/sabre/dav/docs/draft-nottingham-http-new-status-04.txt')
-rw-r--r--vendor/sabre/dav/docs/draft-nottingham-http-new-status-04.txt560
1 files changed, 0 insertions, 560 deletions
diff --git a/vendor/sabre/dav/docs/draft-nottingham-http-new-status-04.txt b/vendor/sabre/dav/docs/draft-nottingham-http-new-status-04.txt
deleted file mode 100644
index 37d6808c3..000000000
--- a/vendor/sabre/dav/docs/draft-nottingham-http-new-status-04.txt
+++ /dev/null
@@ -1,560 +0,0 @@
-
-
-
-Network Working Group M. Nottingham
-Internet-Draft Rackspace
-Updates: 2616 (if approved) R. Fielding
-Intended status: Standards Track Adobe
-Expires: August 7, 2012 February 4, 2012
-
-
- Additional HTTP Status Codes
- draft-nottingham-http-new-status-04
-
-Abstract
-
- This document specifies additional HyperText Transfer Protocol (HTTP)
- status codes for a variety of common situations.
-
-Editorial Note (To be removed by RFC Editor before publication)
-
- Distribution of this document is unlimited. Although this is not a
- work item of the HTTPbis Working Group, comments should be sent to
- the Hypertext Transfer Protocol (HTTP) mailing list at
- ietf-http-wg@w3.org [1], which may be joined by sending a message
- with subject "subscribe" to ietf-http-wg-request@w3.org [2].
-
- Discussions of the HTTPbis Working Group are archived at
- <http://lists.w3.org/Archives/Public/ietf-http-wg/>.
-
-Status of this Memo
-
- This Internet-Draft is submitted in full conformance with the
- provisions of BCP 78 and BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF). Note that other groups may also distribute
- working documents as Internet-Drafts. The list of current Internet-
- Drafts is at http://datatracker.ietf.org/drafts/current/.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- This Internet-Draft will expire on August 7, 2012.
-
-Copyright Notice
-
- Copyright (c) 2012 IETF Trust and the persons identified as the
- document authors. All rights reserved.
-
-
-
-
-Nottingham & Fielding Expires August 7, 2012 [Page 1]
-
-Internet-Draft Additional HTTP Status Codes February 2012
-
-
- This document is subject to BCP 78 and the IETF Trust's Legal
- Provisions Relating to IETF Documents
- (http://trustee.ietf.org/license-info) in effect on the date of
- publication of this document. Please review these documents
- carefully, as they describe your rights and restrictions with respect
- to this document. Code Components extracted from this document must
- include Simplified BSD License text as described in Section 4.e of
- the Trust Legal Provisions and are provided without warranty as
- described in the Simplified BSD License.
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 3. 428 Precondition Required . . . . . . . . . . . . . . . . . . . 3
- 4. 429 Too Many Requests . . . . . . . . . . . . . . . . . . . . . 4
- 5. 431 Request Header Fields Too Large . . . . . . . . . . . . . . 4
- 6. 511 Network Authentication Required . . . . . . . . . . . . . . 5
- 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
- 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
- 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 9.1. Normative References . . . . . . . . . . . . . . . . . . . 8
- 9.2. Informative References . . . . . . . . . . . . . . . . . . 8
- Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 8
- Appendix B. Issues Raised by Captive Portals . . . . . . . . . . . 8
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Nottingham & Fielding Expires August 7, 2012 [Page 2]
-
-Internet-Draft Additional HTTP Status Codes February 2012
-
-
-1. Introduction
-
- This document specifies additional HTTP [RFC2616] status codes for a
- variety of common situations, to improve interoperability and avoid
- confusion when other, less precise status codes are used.
-
- Note that these status codes are optional; servers cannot be required
- to support them. However, because clients will treat unknown status
- codes as a generic error of the same class (e.g., 499 is treated as
- 400 if it is not recognized), they can be safely deployed by existing
- servers (see [RFC2616] Section 6.1.1 for more information).
-
-
-2. Requirements
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-
-3. 428 Precondition Required
-
- The 428 status code indicates that the origin server requires the
- request to be conditional.
-
- Its typical use is to avoid the "lost update" problem, where a client
- GETs a resource's state, modifies it, and PUTs it back to the server,
- when meanwhile a third party has modified the state on the server,
- leading to a conflict. By requiring requests to be conditional, the
- server can assure that clients are working with the correct copies.
-
- Responses using this status code SHOULD explain how to resubmit the
- request successfully. For example:
-
- HTTP/1.1 428 Precondition Required
- Content-Type: text/html
-
- <html>
- <head>
- <title>Precondition Required</title>
- </head>
- <body>
- <h1>Precondition Required</h1>
- <p>This request is required to be conditional;
- try using "If-Match".</p>
- </body>
- </html>
-
-
-
-
-Nottingham & Fielding Expires August 7, 2012 [Page 3]
-
-Internet-Draft Additional HTTP Status Codes February 2012
-
-
- Responses with the 428 status code MUST NOT be stored by a cache.
-
-
-4. 429 Too Many Requests
-
- The 429 status code indicates that the user has sent too many
- requests in a given amount of time ("rate limiting").
-
- The response representations SHOULD include details explaining the
- condition, and MAY include a Retry-After header indicating how long
- to wait before making a new request.
-
- For example:
-
- HTTP/1.1 429 Too Many Requests
- Content-Type: text/html
- Retry-After: 3600
-
- <html>
- <head>
- <title>Too Many Requests</title>
- </head>
- <body>
- <h1>Too Many Requests</h1>
- <p>I only allow 50 requests per hour to this Web site per
- logged in user. Try again soon.</p>
- </body>
- </html>
-
- Note that this specification does not define how the origin server
- identifies the user, nor how it counts requests. For example, an
- origin server that is limiting request rates can do so based upon
- counts of requests on a per-resource basis, across the entire server,
- or even among a set of servers. Likewise, it might identify the user
- by its authentication credentials, or a stateful cookie.
-
- Responses with the 429 status code MUST NOT be stored by a cache.
-
-
-5. 431 Request Header Fields Too Large
-
- The 431 status code indicates that the server is unwilling to process
- the request because its header fields are too large. The request MAY
- be resubmitted after reducing the size of the request header fields.
-
- It can be used both when the set of request header fields in total
- are too large, and when a single header field is at fault. In the
- latter case, the response representation SHOULD specify which header
-
-
-
-Nottingham & Fielding Expires August 7, 2012 [Page 4]
-
-Internet-Draft Additional HTTP Status Codes February 2012
-
-
- field was too large.
-
- For example:
-
- HTTP/1.1 431 Request Header Fields Too Large
- Content-Type: text/html
-
- <html>
- <head>
- <title>Request Header Fields Too Large</title>
- </head>
- <body>
- <h1>Request Header Fields Too Large</h1>
- <p>The "Example" header was too large.</p>
- </body>
- </html>
-
- Responses with the 431 status code MUST NOT be stored by a cache.
-
-
-6. 511 Network Authentication Required
-
- The 511 status code indicates that the client needs to authenticate
- to gain network access.
-
- The response representation SHOULD contain a link to a resource that
- allows the user to submit credentials (e.g. with a HTML form).
-
- Note that the 511 response SHOULD NOT contain a challenge or the
- login interface itself, because browsers would show the login
- interface as being associated with the originally requested URL,
- which may cause confusion.
-
- The 511 status SHOULD NOT be generated by origin servers; it is
- intended for use by intercepting proxies that are interposed as a
- means of controlling access to the network.
-
- Responses with the 511 status code MUST NOT be stored by a cache.
-
-6.1. The 511 Status Code and Captive Portals
-
- The 511 status code is designed to mitigate problems caused by
- "captive portals" to software (especially non-browser agents) that is
- expecting a response from the server that a request was made to, not
- the intervening network infrastructure. It is not intended to
- encouraged deployment of captive portals, only to limit the damage
- caused by them.
-
-
-
-
-Nottingham & Fielding Expires August 7, 2012 [Page 5]
-
-Internet-Draft Additional HTTP Status Codes February 2012
-
-
- A network operator wishing to require some authentication, acceptance
- of terms or other user interaction before granting access usually
- does so by identifing clients who have not done so ("unknown
- clients") using their MAC addresses.
-
- Unknown clients then have all traffic blocked, except for that on TCP
- port 80, which is sent to a HTTP server (the "login server")
- dedicated to "logging in" unknown clients, and of course traffic to
- the login server itself.
-
- For example, a user agent might connect to a network and make the
- following HTTP request on TCP port 80:
-
- GET /index.htm HTTP/1.1
- Host: www.example.com
-
- Upon receiving such a request, the login server would generate a 511
- response:
-
- HTTP/1.1 511 Network Authentication Required
- Content-Type: text/html
-
- <html>
- <head>
- <title>Network Authentication Required</title>
- <meta http-equiv="refresh"
- content="0; url=https://login.example.net/">
- </head>
- <body>
- <p>You need to <a href="https://login.example.net/">
- authenticate with the local network</a> in order to gain
- access.</p>
- </body>
- </html>
-
- Here, the 511 status code assures that non-browser clients will not
- interpret the response as being from the origin server, and the META
- HTML element redirects the user agent to the login server.
-
-
-7. Security Considerations
-
-7.1. 428 Precondition Required
-
- The 428 status code is optional; clients cannot rely upon its use to
- prevent "lost update" conflicts.
-
-
-
-
-
-Nottingham & Fielding Expires August 7, 2012 [Page 6]
-
-Internet-Draft Additional HTTP Status Codes February 2012
-
-
-7.2. 429 Too Many Requests
-
- When a server is under attack or just receiving a very large number
- of requests from a single party, responding to each with a 429 status
- code will consume resources.
-
- Therefore, servers are not required to use the 429 status code; when
- limiting resource usage, it may be more appropriate to just drop
- connections, or take other steps.
-
-7.3. 431 Request Header Fields Too Large
-
- Servers are not required to use the 431 status code; when under
- attack, it may be more appropriate to just drop connections, or take
- other steps.
-
-7.4. 511 Network Authentication Required
-
- In common use, a response carrying the 511 status code will not come
- from the origin server indicated in the request's URL. This presents
- many security issues; e.g., an attacking intermediary may be
- inserting cookies into the original domain's name space, may be
- observing cookies or HTTP authentication credentials sent from the
- user agent, and so on.
-
- However, these risks are not unique to the 511 status code; in other
- words, a captive portal that is not using this status code introduces
- the same issues.
-
- Also, note that captive portals using this status code on an SSL or
- TLS connection (commonly, port 443) will generate a certificate error
- on the client.
-
-
-8. IANA Considerations
-
- The HTTP Status Codes Registry should be updated with the following
- entries:
-
- o Code: 428
- o Description: Precondition Required
- o Specification: [ this document ]
-
- o Code: 429
- o Description: Too Many Requests
- o Specification: [ this document ]
-
-
-
-
-
-Nottingham & Fielding Expires August 7, 2012 [Page 7]
-
-Internet-Draft Additional HTTP Status Codes February 2012
-
-
- o Code: 431
- o Description: Request Header Fields Too Large
- o Specification: [ this document ]
-
- o Code: 511
- o Description: Network Authentication Required
- o Specification: [ this document ]
-
-
-9. References
-
-9.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
- Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
- Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
-
-9.2. Informative References
-
- [RFC4791] Daboo, C., Desruisseaux, B., and L. Dusseault,
- "Calendaring Extensions to WebDAV (CalDAV)", RFC 4791,
- March 2007.
-
- [RFC4918] Dusseault, L., "HTTP Extensions for Web Distributed
- Authoring and Versioning (WebDAV)", RFC 4918, June 2007.
-
-URIs
-
- [1] <mailto:ietf-http-wg@w3.org>
-
- [2] <mailto:ietf-http-wg-request@w3.org?subject=subscribe>
-
-
-Appendix A. Acknowledgements
-
- Thanks to Jan Algermissen and Julian Reschke for their suggestions
- and feedback.
-
-
-Appendix B. Issues Raised by Captive Portals
-
- Since clients cannot differentiate between a portal's response and
- that of the HTTP server that they intended to communicate with, a
- number of issues arise. The 511 status code is intended to help
- mitigate some of them.
-
-
-
-Nottingham & Fielding Expires August 7, 2012 [Page 8]
-
-Internet-Draft Additional HTTP Status Codes February 2012
-
-
- One example is the "favicon.ico"
- <http://en.wikipedia.org/wiki/Favicon> commonly used by browsers to
- identify the site being accessed. If the favicon for a given site is
- fetched from a captive portal instead of the intended site (e.g.,
- because the user is unauthenticated), it will often "stick" in the
- browser's cache (most implementations cache favicons aggressively)
- beyond the portal session, so that it seems as if the portal's
- favicon has "taken over" the legitimate site.
-
- Another browser-based issue comes about when P3P
- <http://www.w3.org/TR/P3P/> is supported. Depending on how it is
- implemented, it's possible a browser might interpret a portal's
- response for the p3p.xml file as the server's, resulting in the
- privacy policy (or lack thereof) advertised by the portal being
- interpreted as applying to the intended site. Other Web-based
- protocols such as WebFinger
- <http://code.google.com/p/webfinger/wiki/WebFingerProtocol>, CORS
- <http://www.w3.org/TR/cors/> and OAuth
- <http://tools.ietf.org/html/draft-ietf-oauth-v2> may also be
- vulnerable to such issues.
-
- Although HTTP is most widely used with Web browsers, a growing number
- of non-browsing applications use it as a substrate protocol. For
- example, WebDAV [RFC4918] and CalDAV [RFC4791] both use HTTP as the
- basis (for remote authoring and calendaring, respectively). Using
- these applications from behind a captive portal can result in
- spurious errors being presented to the user, and might result in
- content corruption, in extreme cases.
-
- Similarly, other non-browser applications using HTTP can be affected
- as well; e.g., widgets <http://www.w3.org/TR/widgets/>, software
- updates, and other specialised software such as Twitter clients and
- the iTunes Music Store.
-
- It should be noted that it's sometimes believed that using HTTP
- redirection to direct traffic to the portal addresses these issues.
- However, since many of these uses "follow" redirects, this is not a
- good solution.
-
-
-Authors' Addresses
-
- Mark Nottingham
- Rackspace
-
- Email: mnot@mnot.net
- URI: http://www.mnot.net/
-
-
-
-
-Nottingham & Fielding Expires August 7, 2012 [Page 9]
-
-Internet-Draft Additional HTTP Status Codes February 2012
-
-
- Roy T. Fielding
- Adobe Systems Incorporated
- 345 Park Ave
- San Jose, CA 95110
- USA
-
- Email: fielding@gbiv.com
- URI: http://roy.gbiv.com/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Nottingham & Fielding Expires August 7, 2012 [Page 10]
-