| Internet-Draft | Communicating Warning Information in HTT | March 2020 |
| Cedik & Wilde | Expires 1 October 2020 | [Page] |
This document defines a new HTTP header field Content-Warning and a standard response format for representing warning information in HTTP APIs.¶
This draft should be discussed on the rfc-interest mailing list (https://lists.w3.org/Archives/Public/ietf-http-wg/).¶
Online access to all versions and files is available on GitHub (https://github.com/dret/I-D/tree/master/http-warning).¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 1 October 2020.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Many current APIs are based on HTTP [RFC7230] as their application protocol. Their response handling model is based on the assumption that requests either are successful or they fail. In both cases (success and failure) an HTTP status code [RFC7231] is returned to convey either fact.¶
But response status is not always strictly either success or failure. For example, there are cases where an underlying system returns a response with data that cannot be defined as a clear error. API providers who are integrating such a service might want to return a success response nonetheless, but returning a HTTP status code of e.g. 200 OK without any additional information is not the only possible approach in this case.¶
As defined in the principles of Web architecture [W3C.REC-webarch-20041215], agents that "recover from errors by making a choice without the user's consent are not acting on the user's behalf". Therefore APIs should be able to communicate what has happened to their consumers, which then allows clients or users to make more informed decisions. Note that this specification specifically targets warnings and not errors, meaning that while it may be useful for clients to understand the warning condition and act on it, they also may choose to ignore it and treat the response as a successful one.¶
This document defines a warning code and a standard response structure for communicating and representing warning information in HTTP APIs. The goal is to allow HTTP providers to have a standardized way of communicating to their consumers that while the response can be considered to represent success, there is warning information available that they might want to take into account.¶
As a general guideline, warning information should be considered to be any information that can be safely ignored (treating the response as if it did not communicate or embed any warning information), but that might help clients and users to make better decisions.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
The Content-Warning header field allows to represent different kinds of warning information via HTTP. It is defined as a Structured Header List [I-D.ietf-httpbis-header-structure]. Its ABNF is:¶
Content-Warning = sh-list¶
Each member of the list MUST have exactly the two parameters "type" and "date".¶
This document introduces the Content-Warning Type "embedded-warning".¶
As mentioned in the introduction (Section 1), HTTP requests can be successful or they can fail. They can also result in a state where the original intent was satisfied, but a side effect happened that should be conveyed back to the client.¶
To make it easier for clients to handle such an event, the Content-Warning type "embedded-warning" MAY be returned. In this case, the client MAY either treat the response according to its HTTP status code, or in addition the client MAY use the embedded warning information to understand the nature of the warning.¶
The "embedded-warning" type does not prescribe the way in which warnings are represented. The assumption is that the response will have embedded information that allows the client to learn about the nature of the warning. The following section describes a JSON structure that MAY be used to represent the warning. HTTP services are free to use this or other formats to represent the warning information they are embedding.¶
An exemplary Content-Warning header field looks like this:¶
Content-Warning: "embedded-warning"; 1590190500¶
The JSON warning format uses the JSON format described in [RFC8259]. It is intended to be used as a building block in the response schemas of JSON-based APIs.¶
In many current designs of JSON-based HTTP APIs, services represent response data as members of the returned JSON object. In order to make it easier for consumers to identify information about warnings, a top-level member is defined that contains all warning information in a representation. A "warnings" member MUST encapsulate the warnings that will be returned to the client.¶
When an condition occurs that can not be defined as a "hard error" (i.e., that allows clients to continue treating the resulting response as a success), additional information about this condition can be returned to the API client. The "warnings" member MUST be an array that is structured with one object for each and every warning message that is returned to the client.¶
Entries in these individual objects follow the pattern described in [RFC7807].¶
When warnings are present the Content-Warning header field (as defined in Section 3) SHOULD be set to indicate that warnings have be returned. This way a client will not have to parse the response body to find out whether a warnings member is present.¶
Since warnings do not have an effect on the returned HTTP status code, the response status code SHOULD be in the 2xx range, indicating that the intent of the API client was successful.¶
POST /example HTTP/1.1
Host: example.com
Accept: application/json
HTTP/1.1 200 OK
Content-Type: application/json
Content-Warning: "embedded-warning"; 1590190500
{
"request_id": "2326b087-d64e-43bd-a557-42171155084f",
"warnings": [
{
"detail": "Street name was too long. It has been shortened...",
"instance": "https://example.com/shipments/3a186c51/msgs/c94d",
"status": "200",
"title": "Street name too long. It has been shortened.",
"type": "https://example.com/errors/shortened_entry"
},
{
"detail": "City for this zipcode unknown. Code for shipment..",
"instance": "https://example.com/shipments/3a186c51/msgs/5927",
"status": "200",
"title": "City for zipcode unknown.",
"type": "https://example.com/errors/city_unknown"
}
],
"id": "3a186c51d4281acb",
"carrier_tracking_no": "84168117830018",
"tracking_url": "http://example.com/3a186c51d",
"label_url": "http://example.com/shipping_label_3a186c51d.pdf",
"price": 3.4
}
¶
API providers need to exercise care when reporting warnings. Malicious actors could use this information for orchestrating attacks. Social engineering can also be a factor when warning information is returned by the API.¶
This specification registers the following entry in the Permanent Message Header Field Names registry established by [RFC3864]:¶
The "Content-Warning Type Registry" defines the namespace for new Content-Warning types. This specification establishes a new registry according to the guidelines given in [RFC8126]. This new registry should not be included in an existing group of registries.¶
A registration MUST include the following fields:¶
The registration policy for this registry is "Specification Required" as defined by [RFC8126], Section 4.6. They MUST follow the "sh-token" syntax defined by [I-D.ietf-httpbis-header-structure].¶
The registry has been populated with the registered values shown below:¶
+------------------------+----------------------------------+ | Content-Warning Type | Reference | +------------------------+----------------------------------+ | embedded-warning | this RFC, Section 4 | +------------------------+----------------------------------+¶
Thanks for comments and suggestions provided by ...¶