Structured Headers for HTTPFastlymnot@mnot.nethttps://www.mnot.net/The Varnish Cache Projectphk@varnish-cache.org
Applications and Real-Time
HTTPInternet-DraftThis document describes a set of data types and parsing algorithms associated with them that are intended to make it easier and safer to define and handle HTTP header fields. It is intended for use by new specifications of HTTP header fields as well as revisions of existing header field specifications when doing so does not cause interoperability issues.RFC EDITOR: please remove this section before publicationDiscussion of this draft takes place on the HTTP working group mailing list (ietf-http-wg@w3.org), which is archived at https://lists.w3.org/Archives/Public/ietf-http-wg/.Working Group information can be found at https://httpwg.github.io/; source code and issues list for this draft can be found at https://github.com/httpwg/http-extensions/labels/header-structure.Tests for implementations are collected at https://github.com/httpwg/structured-header-tests.Implementations are tracked at https://github.com/httpwg/wiki/wiki/Structured-Headers.Specifying the syntax of new HTTP header fields is an onerous task; even with the guidance in , Section 8.3.1, there are many decisions – and pitfalls – for a prospective HTTP header field author.Once a header field is defined, bespoke parsers for it often need to be written, because each header has slightly different handling of what looks like common syntax.This document introduces a set of common data structures for use in HTTP header field values to address these problems. In particular, it defines a generic, abstract model for header field values, along with a concrete serialisation for expressing that model in textual HTTP headers, as used by HTTP/1 and HTTP/2 .HTTP headers that are defined as “Structured Headers” use the types defined in this specification to define their syntax and basic handling rules, thereby simplifying both their definition and parsing.Additionally, future versions of HTTP can define alternative serialisations of the abstract model of these structures, allowing headers that use it to be transmitted more efficiently without being redefined.Note that it is not a goal of this document to redefine the syntax of existing HTTP headers; the mechanisms described herein are only intended to be used with headers that explicitly opt into them.To specify a header field that is a Structured Header, see . defines a number of abstract data types that can be used in Structured Headers. Dictionaries and lists are only usable at the “top” level, while the remaining types can be specified appear at the top level or inside those structures.Those abstract types can be serialised into textual headers – such as those used in HTTP/1 and HTTP/2 – using the algorithms described in .The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
“RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as
described in BCP 14 when, and only when, they appear in all capitals, as
shown here.This document uses the Augmented Backus-Naur Form (ABNF) notation of , including the DIGIT, ALPHA and DQUOTE rules from that document. It also includes the OWS rule from .This document uses algorithms to specify normative parsing behaviours, and ABNF to illustrate the on-wire format expected. Implementations MUST follow the normative algorithms, but MAY vary in implementation so as the behaviours are indistinguishable from specified behaviour. If there is disagreement between the algorithms and ABNF, the specified algorithms take precedence.A HTTP header that uses the structures in this specification need to be defined to do so
explicitly; recipients and generators need to know that the requirements of this document are in
effect. The simplest way to do that is by referencing this document in its definition.The field’s definition will also need to specify the field-value’s allowed syntax, in terms of the types described in , along with their associated semantics.A header field definition cannot relax or otherwise modify the requirements of this specification, or change the nature of its data structures; doing so would preclude handling by generic software.However, header field authors are encouraged to clearly state additional constraints upon the syntax, as well as the consequences when those constraints are violated. When Structured Headers parsing fails, the header is discarded (see ); in most situations, header-specific constraints should do likewise.Such constraints could include additional structure inside those defined here (e.g., a list of URLs inside a string).For example:This specification defines minimums for the length or number of various structures supported by Structured Headers implementations. It does not specify maximum sizes in most cases, but header authors should be aware that HTTP implementations do impose various limits on the size of individual header fields, the total number of fields, and/or the size of the entire header block.Note that specifications using Structured Headers do not re-specify its ABNF or parsing algorithms; instead, they should be specified in terms of its abstract data structures.Also, empty header field values are not allowed, and therefore parsing for them will fail.When a receiving implementation parses textual HTTP header fields (e.g., in HTTP/1 or HTTP/2) that are known to be Structured Headers, it is important that care be taken, as there are a number of edge cases that can cause interoperability or even security problems. This section specifies the algorithm for doing so.Given an ASCII string input_string that represents the chosen header’s field-value, and header_type, one of “dictionary”, “list”, “param-list”, or “item”, return the parsed header value.Discard any leading OWS from input_string.If header_type is “dictionary”, let output be the result of Parsing a Dictionary from Text ().If header_type is “list”, let output be the result of Parsing a List from Text ().If header_type is “param-list”, let output be the result of Parsing a Parameterised List from Text ().Otherwise, let output be the result of Parsing an Item from Text ().Discard any leading OWS from input_string.If input_string is not empty, fail parsing.Otherwise, return output.When generating input_string, parsers MUST combine all instances of the target header field into one comma-separated field-value, as per , Section 3.2.2; this assures that the header is processed correctly.For Lists, Parameterised Lists and Dictionaries, this has the effect of correctly concatenating all instances of the header field.Strings can but SHOULD NOT be split across multiple header instances, because comma(s) inserted upon combination will become part of the string output by the parser.Integers, Floats and Binary Content cannot be split across multiple headers because the inserted commas will cause parsing to fail.If parsing fails – including when calling another algorithm – the entire header field’s value MUST be discarded. This is intentionally strict, to improve interoperability and safety, and specifications referencing this document cannot loosen this requirement.Note that this has the effect of discarding any header field with non-ASCII characters in input_string.This section defines the abstract value types that can be composed into Structured Headers, along with the textual HTTP serialisations of them.Dictionaries are unordered maps of key-value pairs, where the keys are identifiers () and the values are items (). There can be one or more members, and keys are required to be unique.In the textual HTTP serialisation, keys and values are separated by “=” (without whitespace), and key/value pairs are separated by a comma with optional whitespace. Duplicate keys MUST cause parsing to fail.For example, a header field whose value is defined as a dictionary could look like:Typically, a header field specification will define the semantics of individual keys, as well as whether their presence is required or optional. Recipients MUST ignore keys that are undefined or unknown, unless the header field’s specification specifically disallows them.Parsers MUST support dictionaries containing at least 1024 key/value pairs.Given an ASCII string input_string, return a mapping of (identifier, item). input_string is modified to remove the parsed value.Let dictionary be an empty, unordered mapping.While input_string is not empty:
Let this_key be the result of running Parse Identifier from Text () with input_string.If dictionary already contains this_key, fail parsing.Consume a “=” from input_string; if none is present, fail parsing.Let this_value be the result of running Parse Item from Text () with input_string.Add key this_key with value this_value to dictionary.Discard any leading OWS from input_string.If input_string is empty, return dictionary.Consume a COMMA from input_string; if no comma is present, fail parsing.Discard any leading OWS from input_string.If input_string is empty, fail parsing.No structured data has been found; fail parsing.Lists are arrays of items () with one or more members.In the textual HTTP serialisation, each member is separated by a comma and optional whitespace.For example, a header field whose value is defined as a list of strings could look like:Parsers MUST support lists containing at least 1024 members.Given an ASCII string input_string, return a list of items. input_string is modified to remove the parsed value.Let items be an empty array.While input_string is not empty:
Let item be the result of running Parse Item from Text () with input_string.Append item to items.Discard any leading OWS from input_string.If input_string is empty, return items.Consume a COMMA from input_string; if no comma is present, fail parsing.Discard any leading OWS from input_string.If input_string is empty, fail parsing.No structured data has been found; fail parsing.Parameterised Lists are arrays of a parameterised identifiers.A parameterised identifier is an identifier () with an optional set of parameters, each parameter having a identifier and an optional value that is an item (). Ordering between parameters is not significant, and duplicate parameters MUST cause parsing to fail.In the textual HTTP serialisation, each parameterised identifier is separated by a comma and optional whitespace. Parameters are delimited from each other using semicolons (“;”), and equals (“=”) delimits the parameter name from its value.For example,Parsers MUST support parameterised lists containing at least 1024 members, and support members with at least 256 parameters.Given an ASCII string input_string, return a list of parameterised identifiers. input_string is modified to remove the parsed value.Let items be an empty array.While input_string is not empty:
Let item be the result of running Parse Parameterised Identifier from Text () with input_string.Append item to items.Discard any leading OWS from input_string.If input_string is empty, return items.Consume a COMMA from input_string; if no comma is present, fail parsing.Discard any leading OWS from input_string.If input_string is empty, fail parsing.No structured data has been found; fail parsing.Given an ASCII string input_string, return a identifier with an mapping of parameters. input_string is modified to remove the parsed value.Let primary_identifier be the result of Parsing a Identifier from Text () from input_string.Let parameters be an empty, unordered mapping.In a loop:
Discard any leading OWS from input_string.If the first character of input_string is not “;”, exit the loop.Consume a “;” character from the beginning of input_string.Discard any leading OWS from input_string.let param_name be the result of Parsing a Identifier from Text () from input_string.If param_name is already present in parameters, fail parsing.Let param_value be a null value.If the first character of input_string is “=”:
Consume the “=” character at the beginning of input_string.Let param_value be the result of Parsing an Item from Text () from input_string.Insert (param_name, param_value) into parameters.Return the tuple (primary_identifier, parameters).An item is can be a integer (), float (), string (), or binary content ().Given an ASCII string input_string, return an item. input_string is modified to remove the parsed value.Discard any leading OWS from input_string.If the first character of input_string is a “-“ or a DIGIT, process input_string as a number () and return the result.If the first character of input_string is a DQUOTE, process input_string as a string () and return the result.If the first character of input_string is “*”, process input_string as binary content () and return the result.Otherwise, fail parsing.Abstractly, integers have a range of −9,223,372,036,854,775,808 to 9,223,372,036,854,775,807 inclusive (i.e., a 64-bit signed integer).Parsers that encounter an integer outside the range defined above MUST fail parsing. Therefore, the value “9223372036854775808” would be invalid. Likewise, values that do not conform to the ABNF above are invalid, and MUST fail parsing.For example, a header whose value is defined as a integer could look like:NOTE: This algorithm parses both Integers and Floats , and returns the corresponding structure.Let type be “integer”.Let sign be 1.Let input_number be an empty string.If the first character of input_string is “-“, remove it from input_string and set sign to -1.If input_string is empty, fail parsing.If the first character of input_string is not a DIGIT, fail parsing.While input_string is not empty:
Let char be the result of removing the first character of input_string.If char is a DIGIT, append it to input_number.Else, if type is “integer” and char is “.”, append char to input_number and set type to “float”.Otherwise, fail parsing.If type is “integer” and input_number contains more than 19 characters, fail parsing.If type is “float” and input_number contains more than 16 characters, fail parsing.If type is “integer”, parse input_number as an integer and let output_number be the result.Otherwise:
If the final character of input_number is “.”, fail parsing.Parse input_number as a float and let output_number be the result.Return the product of output_number and sign.Abstractly, floats are integers with a fractional part, that can be stored as IEEE 754 double precision numbers (binary64) ().The textual HTTP serialisation of floats allows a maximum of fifteen digits between the integer and fractional part, with at least one required on each side, along with an optional “-“ indicating negative numbers.Values that do not conform to the ABNF above are invalid, and MUST fail parsing.For example, a header whose value is defined as a float could look like:See for the parsing algorithm for floats.Abstractly, strings are zero or more printable ASCII characters (i.e., the range 0x20 to 0x7E). Note that this excludes tabs, newlines, carriage returns, etc.The textual HTTP serialisation of strings uses a backslash (“\”) to escape double quotes and backslashes in strings.For example, a header whose value is defined as a string could look like:Note that strings only use DQUOTE as a delimiter; single quotes do not delimit strings. Furthermore, only DQUOTE and “\” can be escaped; other sequences MUST cause parsing to fail.Unicode is not directly supported in this document, because it causes a number of interoperability issues, and – with few exceptions – header values do not require it.When it is necessary for a field value to convey non-ASCII string content, binary content () SHOULD be specified, along with a character encoding (preferably, UTF-8).Parsers MUST support strings with at least 1024 characters.Given an ASCII string input_string, return an unquoted string. input_string is modified to remove the parsed value.Let output_string be an empty string.If the first character of input_string is not DQUOTE, fail parsing.Discard the first character of input_string.While input_string is not empty:
Let char be the result of removing the first character of input_string.If char is a backslash (“\”):
If input_string is now empty, fail parsing.Else:
Let next_char be the result of removing the first character of input_string.If next_char is not DQUOTE or “\”, fail parsing.Append next_char to output_string.Else, if char is DQUOTE, return output_string.Else, append char to output_string.Otherwise, fail parsing.Identifiers are short textual identifiers; their abstract model is identical to their expression in the textual HTTP serialisation. Parsers MUST support identifiers with at least 64 characters.Note that identifiers can only contain lowercase letters.Given an ASCII string input_string, return a identifier. input_string is modified to remove the parsed value.If the first character of input_string is not lcalpha, fail parsing.Let output_string be an empty string.While input_string is not empty:
Let char be the result of removing the first character of input_string.If char is not one of lcalpha, DIGIT, “_”, “-“, “*” or “/”:
Prepend char to input_string.Return output_string.Append char to output_string.Return output_string.Arbitrary binary content can be conveyed in Structured Headers.The textual HTTP serialisation encodes the data using Base 64 Encoding , Section 4, and surrounds it with a pair of asterisks (“*”) to delimit from other content.The encoded data is required to be padded with “=”, as per , Section 3.2. It is
RECOMMENDED that parsers reject encoded data that is not properly padded, although this might
not be possible with some base64 implementations.Likewise, encoded data is required to have pad bits set to zero, as per , Section 3.5.
It is RECOMMENDED that parsers fail on encoded data that has non-zero pad bits, although this might
not be possible with some base64 implementations.This specification does not relax the requirements in , Section 3.1 and 3.3; therefore, parsers MUST fail on characters outside the base64 alphabet, and on line feeds in encoded data.For example, a header whose value is defined as binary content could look like:Parsers MUST support binary content with at least 16384 octets after decoding.Given an ASCII string input_string, return binary content. input_string is modified to remove the parsed value.If the first character of input_string is not “*”, fail parsing.Discard the first character of input_string.Let b64_content be the result of removing content of input_string up to but not including the first instance of the character “*”. If there is not a “*” character before the end of input_string, fail parsing.Consume the “*” character at the beginning of input_string.Let binary_content be the result of Base 64 Decoding b64_content, synthesising padding if necessary (note the requirements about recipient behaviour in ).Return binary_content.This draft has no actions for IANA.The size of most types defined by Structured Headers is not limited; as a result, extremely large header fields could be an attack vector (e.g., for resource consumption). Most HTTP implementations limit the sizes of size of individual header fields as well as the overall header block size to mitigate such attacks.It is possible for parties with the ability to inject new HTTP header fields to change the meaning
of a Structured Headers. In some circumstances, this will cause parsing to fail, but it is not possible to reliably fail in all such circumstances.Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and RoutingThe Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Augmented BNF for Syntax Specifications: ABNFInternet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK]ASCII format for network interchangeThe Base16, Base32, and Base64 Data EncodingsThis document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]IEEE Standard for Floating-Point ArithmeticIEEESee also http://grouper.ieee.org/groups/754/.Hypertext Transfer Protocol (HTTP/1.1): Semantics and ContentThe Hypertext Transfer Protocol (HTTP) is a stateless \%application- level protocol for distributed, collaborative, hypertext information systems. This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header fields, along with the payload of messages (metadata and body content) and mechanisms for content negotiation.Hypertext Transfer Protocol Version 2 (HTTP/2)This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection. It also introduces unsolicited push of representations from servers to clients.This specification is an alternative to, but does not obsolete, the HTTP/1.1 message syntax. HTTP's existing semantics remain unchanged.Uniform Resource Identifier (URI): Generic SyntaxA Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]Remove identifiers from item.Remove most limits on sizes.Refine number parsing.Strengthen language around failure handling.Split Numbers into Integers and Floats.Define number parsing.Tighten up binary parsing and give it an explicit end delimiter.Clarify that mappings are unordered.Allow zero-length strings.Improve string parsing algorithm.Improve limits in algorithms.Require parsers to combine header fields before processing.Throw an error on trailing garbage.Replaced with draft-nottingham-structured-headers.Added signed 64bit integer type.Drop UTF8, and settle on BCP137 ::EmbeddedUnicodeChar for h1-unicode-string.Change h1_blob delimiter to “:” since “’” is valid t_char