source: draft-ietf-httpbis/22/draft-ietf-httpbis-p2-semantics-22.txt @ 2561

Last change on this file since 2561 was 2190, checked in by julian.reschke@…, 7 years ago

prepare -22 for release

  • Property svn:eol-style set to native
  • Property svn:executable set to *
File size: 226.9 KB
Line 
1
2
3
4HTTPbis Working Group                                   R. Fielding, Ed.
5Internet-Draft                                                     Adobe
6Obsoletes: 2616 (if approved)                            J. Reschke, Ed.
7Updates: 2817 (if approved)                                   greenbytes
8Intended status: Standards Track                       February 23, 2013
9Expires: August 27, 2013
10
11
12     Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
13                   draft-ietf-httpbis-p2-semantics-22
14
15Abstract
16
17   The Hypertext Transfer Protocol (HTTP) is an application-level
18   protocol for distributed, collaborative, hypertext information
19   systems.  This document defines the semantics of HTTP/1.1 messages,
20   as expressed by request methods, request header fields, response
21   status codes, and response header fields, along with the payload of
22   messages (metadata and body content) and mechanisms for content
23   negotiation.
24
25Editorial Note (To be removed by RFC Editor)
26
27   Discussion of this draft takes place on the HTTPBIS working group
28   mailing list (ietf-http-wg@w3.org), which is archived at
29   <http://lists.w3.org/Archives/Public/ietf-http-wg/>.
30
31   The current issues list is at
32   <http://tools.ietf.org/wg/httpbis/trac/report/3> and related
33   documents (including fancy diffs) can be found at
34   <http://tools.ietf.org/wg/httpbis/>.
35
36   The changes in this draft are summarized in Appendix E.2.
37
38Status of This Memo
39
40   This Internet-Draft is submitted in full conformance with the
41   provisions of BCP 78 and BCP 79.
42
43   Internet-Drafts are working documents of the Internet Engineering
44   Task Force (IETF).  Note that other groups may also distribute
45   working documents as Internet-Drafts.  The list of current Internet-
46   Drafts is at http://datatracker.ietf.org/drafts/current/.
47
48   Internet-Drafts are draft documents valid for a maximum of six months
49   and may be updated, replaced, or obsoleted by other documents at any
50   time.  It is inappropriate to use Internet-Drafts as reference
51   material or to cite them other than as "work in progress."
52
53
54
55Fielding & Reschke       Expires August 27, 2013                [Page 1]
56
57Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
58
59
60   This Internet-Draft will expire on August 27, 2013.
61
62Copyright Notice
63
64   Copyright (c) 2013 IETF Trust and the persons identified as the
65   document authors.  All rights reserved.
66
67   This document is subject to BCP 78 and the IETF Trust's Legal
68   Provisions Relating to IETF Documents
69   (http://trustee.ietf.org/license-info) in effect on the date of
70   publication of this document.  Please review these documents
71   carefully, as they describe your rights and restrictions with respect
72   to this document.  Code Components extracted from this document must
73   include Simplified BSD License text as described in Section 4.e of
74   the Trust Legal Provisions and are provided without warranty as
75   described in the Simplified BSD License.
76
77   This document may contain material from IETF Documents or IETF
78   Contributions published or made publicly available before November
79   10, 2008.  The person(s) controlling the copyright in some of this
80   material may not have granted the IETF Trust the right to allow
81   modifications of such material outside the IETF Standards Process.
82   Without obtaining an adequate license from the person(s) controlling
83   the copyright in such materials, this document may not be modified
84   outside the IETF Standards Process, and derivative works of it may
85   not be created outside the IETF Standards Process, except to format
86   it for publication as an RFC or to translate it into languages other
87   than English.
88
89Table of Contents
90
91   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  6
92     1.1.  Conformance and Error Handling . . . . . . . . . . . . . .  6
93     1.2.  Syntax Notation  . . . . . . . . . . . . . . . . . . . . .  6
94   2.  Resources  . . . . . . . . . . . . . . . . . . . . . . . . . .  7
95   3.  Representations  . . . . . . . . . . . . . . . . . . . . . . .  7
96     3.1.  Representation Metadata  . . . . . . . . . . . . . . . . .  8
97       3.1.1.  Processing the Data  . . . . . . . . . . . . . . . . .  8
98       3.1.2.  Encoding for Compression or Integrity  . . . . . . . . 11
99       3.1.3.  Audience Language  . . . . . . . . . . . . . . . . . . 13
100       3.1.4.  Identification . . . . . . . . . . . . . . . . . . . . 14
101     3.2.  Representation Data  . . . . . . . . . . . . . . . . . . . 17
102     3.3.  Payload Semantics  . . . . . . . . . . . . . . . . . . . . 17
103     3.4.  Content Negotiation  . . . . . . . . . . . . . . . . . . . 18
104       3.4.1.  Proactive Negotiation  . . . . . . . . . . . . . . . . 18
105       3.4.2.  Reactive Negotiation . . . . . . . . . . . . . . . . . 19
106   4.  Request Methods  . . . . . . . . . . . . . . . . . . . . . . . 20
107     4.1.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . 20
108
109
110
111Fielding & Reschke       Expires August 27, 2013                [Page 2]
112
113Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
114
115
116     4.2.  Common Method Properties . . . . . . . . . . . . . . . . . 22
117       4.2.1.  Safe Methods . . . . . . . . . . . . . . . . . . . . . 22
118       4.2.2.  Idempotent Methods . . . . . . . . . . . . . . . . . . 23
119       4.2.3.  Cacheable Methods  . . . . . . . . . . . . . . . . . . 23
120     4.3.  Method Definitions . . . . . . . . . . . . . . . . . . . . 23
121       4.3.1.  GET  . . . . . . . . . . . . . . . . . . . . . . . . . 24
122       4.3.2.  HEAD . . . . . . . . . . . . . . . . . . . . . . . . . 24
123       4.3.3.  POST . . . . . . . . . . . . . . . . . . . . . . . . . 25
124       4.3.4.  PUT  . . . . . . . . . . . . . . . . . . . . . . . . . 26
125       4.3.5.  DELETE . . . . . . . . . . . . . . . . . . . . . . . . 28
126       4.3.6.  CONNECT  . . . . . . . . . . . . . . . . . . . . . . . 29
127       4.3.7.  OPTIONS  . . . . . . . . . . . . . . . . . . . . . . . 31
128       4.3.8.  TRACE  . . . . . . . . . . . . . . . . . . . . . . . . 32
129   5.  Request Header Fields  . . . . . . . . . . . . . . . . . . . . 32
130     5.1.  Controls . . . . . . . . . . . . . . . . . . . . . . . . . 32
131       5.1.1.  Expect . . . . . . . . . . . . . . . . . . . . . . . . 33
132       5.1.2.  Max-Forwards . . . . . . . . . . . . . . . . . . . . . 36
133     5.2.  Conditionals . . . . . . . . . . . . . . . . . . . . . . . 36
134     5.3.  Content Negotiation  . . . . . . . . . . . . . . . . . . . 37
135       5.3.1.  Quality Values . . . . . . . . . . . . . . . . . . . . 37
136       5.3.2.  Accept . . . . . . . . . . . . . . . . . . . . . . . . 38
137       5.3.3.  Accept-Charset . . . . . . . . . . . . . . . . . . . . 40
138       5.3.4.  Accept-Encoding  . . . . . . . . . . . . . . . . . . . 41
139       5.3.5.  Accept-Language  . . . . . . . . . . . . . . . . . . . 42
140     5.4.  Authentication Credentials . . . . . . . . . . . . . . . . 43
141     5.5.  Request Context  . . . . . . . . . . . . . . . . . . . . . 43
142       5.5.1.  From . . . . . . . . . . . . . . . . . . . . . . . . . 44
143       5.5.2.  Referer  . . . . . . . . . . . . . . . . . . . . . . . 44
144       5.5.3.  User-Agent . . . . . . . . . . . . . . . . . . . . . . 45
145   6.  Response Status Codes  . . . . . . . . . . . . . . . . . . . . 46
146     6.1.  Overview of Status Codes . . . . . . . . . . . . . . . . . 47
147     6.2.  Informational 1xx  . . . . . . . . . . . . . . . . . . . . 49
148       6.2.1.  100 Continue . . . . . . . . . . . . . . . . . . . . . 49
149       6.2.2.  101 Switching Protocols  . . . . . . . . . . . . . . . 50
150     6.3.  Successful 2xx . . . . . . . . . . . . . . . . . . . . . . 50
151       6.3.1.  200 OK . . . . . . . . . . . . . . . . . . . . . . . . 50
152       6.3.2.  201 Created  . . . . . . . . . . . . . . . . . . . . . 51
153       6.3.3.  202 Accepted . . . . . . . . . . . . . . . . . . . . . 51
154       6.3.4.  203 Non-Authoritative Information  . . . . . . . . . . 51
155       6.3.5.  204 No Content . . . . . . . . . . . . . . . . . . . . 52
156       6.3.6.  205 Reset Content  . . . . . . . . . . . . . . . . . . 52
157     6.4.  Redirection 3xx  . . . . . . . . . . . . . . . . . . . . . 53
158       6.4.1.  300 Multiple Choices . . . . . . . . . . . . . . . . . 54
159       6.4.2.  301 Moved Permanently  . . . . . . . . . . . . . . . . 55
160       6.4.3.  302 Found  . . . . . . . . . . . . . . . . . . . . . . 55
161       6.4.4.  303 See Other  . . . . . . . . . . . . . . . . . . . . 56
162       6.4.5.  305 Use Proxy  . . . . . . . . . . . . . . . . . . . . 56
163       6.4.6.  306 (Unused) . . . . . . . . . . . . . . . . . . . . . 56
164
165
166
167Fielding & Reschke       Expires August 27, 2013                [Page 3]
168
169Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
170
171
172       6.4.7.  307 Temporary Redirect . . . . . . . . . . . . . . . . 57
173     6.5.  Client Error 4xx . . . . . . . . . . . . . . . . . . . . . 57
174       6.5.1.  400 Bad Request  . . . . . . . . . . . . . . . . . . . 57
175       6.5.2.  402 Payment Required . . . . . . . . . . . . . . . . . 57
176       6.5.3.  403 Forbidden  . . . . . . . . . . . . . . . . . . . . 57
177       6.5.4.  404 Not Found  . . . . . . . . . . . . . . . . . . . . 58
178       6.5.5.  405 Method Not Allowed . . . . . . . . . . . . . . . . 58
179       6.5.6.  406 Not Acceptable . . . . . . . . . . . . . . . . . . 58
180       6.5.7.  408 Request Timeout  . . . . . . . . . . . . . . . . . 59
181       6.5.8.  409 Conflict . . . . . . . . . . . . . . . . . . . . . 59
182       6.5.9.  410 Gone . . . . . . . . . . . . . . . . . . . . . . . 59
183       6.5.10. 411 Length Required  . . . . . . . . . . . . . . . . . 60
184       6.5.11. 413 Payload Too Large  . . . . . . . . . . . . . . . . 60
185       6.5.12. 414 URI Too Long . . . . . . . . . . . . . . . . . . . 60
186       6.5.13. 415 Unsupported Media Type . . . . . . . . . . . . . . 60
187       6.5.14. 417 Expectation Failed . . . . . . . . . . . . . . . . 61
188       6.5.15. 426 Upgrade Required . . . . . . . . . . . . . . . . . 61
189     6.6.  Server Error 5xx . . . . . . . . . . . . . . . . . . . . . 61
190       6.6.1.  500 Internal Server Error  . . . . . . . . . . . . . . 61
191       6.6.2.  501 Not Implemented  . . . . . . . . . . . . . . . . . 61
192       6.6.3.  502 Bad Gateway  . . . . . . . . . . . . . . . . . . . 62
193       6.6.4.  503 Service Unavailable  . . . . . . . . . . . . . . . 62
194       6.6.5.  504 Gateway Timeout  . . . . . . . . . . . . . . . . . 62
195       6.6.6.  505 HTTP Version Not Supported . . . . . . . . . . . . 62
196   7.  Response Header Fields . . . . . . . . . . . . . . . . . . . . 62
197     7.1.  Control Data . . . . . . . . . . . . . . . . . . . . . . . 63
198       7.1.1.  Origination Date . . . . . . . . . . . . . . . . . . . 63
199       7.1.2.  Location . . . . . . . . . . . . . . . . . . . . . . . 66
200       7.1.3.  Retry-After  . . . . . . . . . . . . . . . . . . . . . 68
201       7.1.4.  Vary . . . . . . . . . . . . . . . . . . . . . . . . . 68
202     7.2.  Validator Header Fields  . . . . . . . . . . . . . . . . . 69
203     7.3.  Authentication Challenges  . . . . . . . . . . . . . . . . 70
204     7.4.  Response Context . . . . . . . . . . . . . . . . . . . . . 70
205       7.4.1.  Allow  . . . . . . . . . . . . . . . . . . . . . . . . 71
206       7.4.2.  Server . . . . . . . . . . . . . . . . . . . . . . . . 71
207   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 72
208     8.1.  Method Registry  . . . . . . . . . . . . . . . . . . . . . 72
209       8.1.1.  Procedure  . . . . . . . . . . . . . . . . . . . . . . 72
210       8.1.2.  Considerations for New Methods . . . . . . . . . . . . 72
211       8.1.3.  Registrations  . . . . . . . . . . . . . . . . . . . . 73
212     8.2.  Status Code Registry . . . . . . . . . . . . . . . . . . . 73
213       8.2.1.  Procedure  . . . . . . . . . . . . . . . . . . . . . . 73
214       8.2.2.  Considerations for New Status Codes  . . . . . . . . . 73
215       8.2.3.  Registrations  . . . . . . . . . . . . . . . . . . . . 74
216     8.3.  Header Field Registry  . . . . . . . . . . . . . . . . . . 75
217       8.3.1.  Considerations for New Header Fields . . . . . . . . . 76
218       8.3.2.  Registrations  . . . . . . . . . . . . . . . . . . . . 78
219     8.4.  Content Coding Registry  . . . . . . . . . . . . . . . . . 78
220
221
222
223Fielding & Reschke       Expires August 27, 2013                [Page 4]
224
225Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
226
227
228       8.4.1.  Procedure  . . . . . . . . . . . . . . . . . . . . . . 78
229       8.4.2.  Registrations  . . . . . . . . . . . . . . . . . . . . 79
230   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 79
231     9.1.  Attacks Based On File and Path Names . . . . . . . . . . . 79
232     9.2.  Personal Information . . . . . . . . . . . . . . . . . . . 80
233     9.3.  Sensitive Information in URIs  . . . . . . . . . . . . . . 80
234     9.4.  Product Information  . . . . . . . . . . . . . . . . . . . 81
235     9.5.  Fragment after Redirects . . . . . . . . . . . . . . . . . 81
236     9.6.  Browser Fingerprinting . . . . . . . . . . . . . . . . . . 81
237   10. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 82
238   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 82
239     11.1. Normative References . . . . . . . . . . . . . . . . . . . 82
240     11.2. Informative References . . . . . . . . . . . . . . . . . . 84
241   Appendix A.  Differences between HTTP and MIME . . . . . . . . . . 85
242     A.1.  MIME-Version . . . . . . . . . . . . . . . . . . . . . . . 86
243     A.2.  Conversion to Canonical Form . . . . . . . . . . . . . . . 86
244     A.3.  Conversion of Date Formats . . . . . . . . . . . . . . . . 86
245     A.4.  Conversion of Content-Encoding . . . . . . . . . . . . . . 87
246     A.5.  Conversion of Content-Transfer-Encoding  . . . . . . . . . 87
247     A.6.  MHTML and Line Length Limitations  . . . . . . . . . . . . 87
248   Appendix B.  Changes from RFC 2616 . . . . . . . . . . . . . . . . 87
249   Appendix C.  Imported ABNF . . . . . . . . . . . . . . . . . . . . 90
250   Appendix D.  Collected ABNF  . . . . . . . . . . . . . . . . . . . 90
251   Appendix E.  Change Log (to be removed by RFC Editor before
252                publication)  . . . . . . . . . . . . . . . . . . . . 93
253     E.1.  Since RFC 2616 . . . . . . . . . . . . . . . . . . . . . . 93
254     E.2.  Since draft-ietf-httpbis-p2-semantics-21 . . . . . . . . . 94
255   Index  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279Fielding & Reschke       Expires August 27, 2013                [Page 5]
280
281Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
282
283
2841.  Introduction
285
286   Each Hypertext Transfer Protocol (HTTP) message is either a request
287   or a response.  A server listens on a connection for a request,
288   parses each message received, interprets the message semantics in
289   relation to the identified request target, and responds to that
290   request with one or more response messages.  A client constructs
291   request messages to communicate specific intentions, and examines
292   received responses to see if the intentions were carried out and
293   determine how to interpret the results.  This document defines
294   HTTP/1.1 request and response semantics in terms of the architecture
295   defined in [Part1].
296
297   HTTP provides a uniform interface for interacting with a resource
298   (Section 2), regardless of its type, nature, or implementation, via
299   the manipulation and transfer of representations (Section 3).
300
301   HTTP semantics include the intentions defined by each request method
302   (Section 4), extensions to those semantics that might be described in
303   request header fields (Section 5), the meaning of status codes to
304   indicate a machine-readable response (Section 6), and the meaning of
305   other control data and resource metadata that might be given in
306   response header fields (Section 7).
307
308   This document also defines representation metadata that describe how
309   a payload is intended to be interpreted by a recipient, the request
310   header fields that might influence content selection, and the various
311   selection algorithms that are collectively referred to as "content
312   negotiation" (Section 3.4).
313
3141.1.  Conformance and Error Handling
315
316   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
317   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
318   document are to be interpreted as described in [RFC2119].
319
320   Conformance criteria and considerations regarding error handling are
321   defined in Section 2.5 of [Part1].
322
3231.2.  Syntax Notation
324
325   This specification uses the Augmented Backus-Naur Form (ABNF)
326   notation of [RFC5234] with the list rule extension defined in Section
327   1.2 of [Part1].  Appendix C describes rules imported from other
328   documents.  Appendix D shows the collected ABNF with the list rule
329   expanded.
330
331   This specification uses the terms "character", "character encoding
332
333
334
335Fielding & Reschke       Expires August 27, 2013                [Page 6]
336
337Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
338
339
340   scheme", "charset", and "protocol element" as they are defined in
341   [RFC6365].
342
3432.  Resources
344
345   The target of each HTTP request is called a resource.  HTTP does not
346   limit the nature of a resource; it merely defines an interface that
347   might be used to interact with resources.  Each resource is
348   identified by a Uniform Resource Identifier (URI), as described in
349   Section 2.7 of [Part1].
350
351   When a client constructs an HTTP/1.1 request message, it sends the
352   target URI in one of various forms, as defined in (Section 5.3 of
353   [Part1]).  When a request is received, the server reconstructs an
354   effective request URI for the target resource (Section 5.5 of
355   [Part1]).
356
357   One design goal of HTTP is to separate resource identification from
358   request semantics, which is made possible by vesting the request
359   semantics in the request method (Section 4) and a few request-
360   modifying header fields (Section 5).  Resource owners SHOULD NOT
361   include request semantics within a URI, such as by specifying an
362   action to invoke within the path or query components of the effective
363   request URI, unless those semantics are disabled when they are
364   inconsistent with the request method.
365
3663.  Representations
367
368   If we consider that a resource could be anything, and that the
369   uniform interface provided by HTTP is similar to a window through
370   which one can observe and act upon such a thing only through the
371   communication of messages to some independent actor on the other
372   side, then we need an abstraction to represent ("take the place of")
373   the current or desired state of that thing in our communications.  We
374   call that abstraction a representation [REST].
375
376   For the purposes of HTTP, a "representation" is information that is
377   intended to reflect a past, current, or desired state of a given
378   resource, in a format that can be readily communicated via the
379   protocol, and that consists of a set of representation metadata and a
380   potentially unbounded stream of representation data.
381
382   An origin server might be provided with, or capable of generating,
383   multiple representations that are each intended to reflect the
384   current state of a target resource.  In such cases, some algorithm is
385   used by the origin server to select one of those representations as
386   most applicable to a given request, usually based on content
387   negotiation.  We refer to that one representation as the "selected
388
389
390
391Fielding & Reschke       Expires August 27, 2013                [Page 7]
392
393Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
394
395
396   representation" and use its particular data and metadata for
397   evaluating conditional requests [Part4] and constructing the payload
398   for 200 (OK) and 304 (Not Modified) responses to GET (Section 4.3.1).
399
4003.1.  Representation Metadata
401
402   Representation header fields provide metadata about the
403   representation.  When a message includes a payload body, the
404   representation header fields describe how to interpret the
405   representation data enclosed in the payload body.  In a response to a
406   HEAD request, the representation header fields describe the
407   representation data that would have been enclosed in the payload body
408   if the same request had been a GET.
409
410   The following header fields are defined to convey representation
411   metadata:
412
413   +-------------------+-----------------+
414   | Header Field Name | Defined in...   |
415   +-------------------+-----------------+
416   | Content-Type      | Section 3.1.1.5 |
417   | Content-Encoding  | Section 3.1.2.2 |
418   | Content-Language  | Section 3.1.3.2 |
419   | Content-Location  | Section 3.1.4.2 |
420   +-------------------+-----------------+
421
4223.1.1.  Processing the Data
423
4243.1.1.1.  Media Type
425
426   HTTP uses Internet Media Types [RFC2046] in the Content-Type
427   (Section 3.1.1.5) and Accept (Section 5.3.2) header fields in order
428   to provide open and extensible data typing and type negotiation.
429   Media types define both a data format and various processing models:
430   how to process that data in accordance with each context in which it
431   is received.
432
433     media-type = type "/" subtype *( OWS ";" OWS parameter )
434     type       = token
435     subtype    = token
436
437   The type/subtype MAY be followed by parameters in the form of
438   attribute/value pairs.
439
440     parameter      = attribute "=" value
441     attribute      = token
442     value          = word
443
444
445
446
447Fielding & Reschke       Expires August 27, 2013                [Page 8]
448
449Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
450
451
452   The type, subtype, and parameter attribute names are case-
453   insensitive.  Parameter values might or might not be case-sensitive,
454   depending on the semantics of the parameter name.  The presence or
455   absence of a parameter might be significant to the processing of a
456   media-type, depending on its definition within the media type
457   registry.
458
459   A parameter value that matches the token production can be
460   transmitted as either a token or within a quoted-string.  The quoted
461   and unquoted values are equivalent.  For example, the following
462   examples are all equivalent, but the first is preferred for
463   consistency:
464
465     text/html;charset=utf-8
466     text/html;charset=UTF-8
467     Text/HTML;Charset="utf-8"
468     text/html; charset="utf-8"
469
470   Internet media types ought to be registered with IANA according to
471   the procedures defined in [BCP13].
472
4733.1.1.2.  Charset
474
475   HTTP uses charset names to indicate or negotiate the character
476   encoding scheme of a textual representation [RFC6365].  A charset is
477   identified by a case-insensitive token.
478
479     charset = token
480
481   Charset names ought to be registered in IANA Character Set registry
482   (<http://www.iana.org/assignments/character-sets>) according to the
483   procedures defined in [RFC2978].
484
4853.1.1.3.  Canonicalization and Text Defaults
486
487   Internet media types are registered with a canonical form in order to
488   be interoperable among systems with varying native encoding formats.
489   Representations selected or transferred via HTTP ought to be in
490   canonical form, for many of the same reasons described by the
491   Multipurpose Internet Mail Extensions (MIME) [RFC2045].  However, the
492   performance characteristics of email deployments (i.e., store and
493   forward messages to peers) are significantly different from those
494   common to HTTP and the Web (server-based information services).
495   Furthermore, MIME's constraints for the sake of compatibility with
496   older mail transfer protocols do not apply to HTTP (see Appendix A).
497
498   MIME's canonical form requires that media subtypes of the "text" type
499   use CRLF as the text line break.  HTTP allows the transfer of text
500
501
502
503Fielding & Reschke       Expires August 27, 2013                [Page 9]
504
505Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
506
507
508   media with plain CR or LF alone representing a line break, when such
509   line breaks are consistent for an entire representation.  HTTP
510   senders MAY generate, and recipients MUST be able to parse, line
511   breaks in text media that consist of CRLF, bare CR, or bare LF.  In
512   addition, text media in HTTP is not limited to charsets that use
513   octets 13 and 10 for CR and LF, respectively.  This flexibility
514   regarding line breaks applies only to text within a representation
515   that has been assigned a "text" media type; it does not apply to
516   "multipart" types or HTTP elements outside the payload body (e.g.,
517   header fields).
518
519   If a representation is encoded with a content-coding, the underlying
520   data ought to be in a form defined above prior to being encoded.
521
5223.1.1.4.  Multipart Types
523
524   MIME provides for a number of "multipart" types -- encapsulations of
525   one or more representations within a single message body.  All
526   multipart types share a common syntax, as defined in Section 5.1.1 of
527   [RFC2046], and include a boundary parameter as part of the media type
528   value.  The message body is itself a protocol element; a sender MUST
529   generate only CRLF to represent line breaks between body parts.
530
531   HTTP message framing does not use the multipart boundary as an
532   indicator of message body length, though it might be used by
533   implementations that generate or process the payload.  For example,
534   the "multipart/form-data" type is often used for carrying form data
535   in a request, as described in [RFC2388], and the "multipart/
536   byteranges" type is defined by this specification for use in some 206
537   (Partial Content) responses [Part5].
538
5393.1.1.5.  Content-Type
540
541   The "Content-Type" header field indicates the media type of the
542   associated representation: either the representation enclosed in the
543   message payload or the selected representation, as determined by the
544   message semantics.  The indicated media type defines both the data
545   format and how that data is intended to be processed by a recipient,
546   within the scope of the received message semantics, after any content
547   codings indicated by Content-Encoding are decoded.
548
549     Content-Type = media-type
550
551   Media types are defined in Section 3.1.1.1.  An example of the field
552   is
553
554     Content-Type: text/html; charset=ISO-8859-4
555
556
557
558
559Fielding & Reschke       Expires August 27, 2013               [Page 10]
560
561Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
562
563
564   A sender that generates a message containing a payload body SHOULD
565   generate a Content-Type header field in that message unless the
566   intended media type of the enclosed representation is unknown to the
567   sender.  If a Content-Type header field is not present, recipients
568   MAY either assume a media type of "application/octet-stream"
569   ([RFC2046], Section 4.5.1) or examine the data to determine its type.
570
571   In practice, resource owners do not always properly configure their
572   origin server to provide the correct Content-Type for a given
573   representation, with the result that some clients will examine a
574   payload's content and override the specified type.  Clients that do
575   so risk drawing incorrect conclusions, which might expose additional
576   security risks (e.g., "privilege escalation").  Furthermore, it is
577   impossible to determine the sender's intent by examining the data
578   format: many data formats match multiple media types that differ only
579   in processing semantics.  Implementers are encouraged to provide a
580   means of disabling such "content sniffing" when it is used.
581
5823.1.2.  Encoding for Compression or Integrity
583
5843.1.2.1.  Content Codings
585
586   Content coding values indicate an encoding transformation that has
587   been or can be applied to a representation.  Content codings are
588   primarily used to allow a representation to be compressed or
589   otherwise usefully transformed without losing the identity of its
590   underlying media type and without loss of information.  Frequently,
591   the representation is stored in coded form, transmitted directly, and
592   only decoded by the recipient.
593
594     content-coding   = token
595
596   All content-coding values are case-insensitive and ought to be
597   registered within the HTTP Content Coding registry, as defined in
598   Section 8.4.  They are used in the Accept-Encoding (Section 5.3.4)
599   and Content-Encoding (Section 3.1.2.2) header fields.
600
601   The following content-coding values are defined by this
602   specification:
603
604      compress (and x-compress): See Section 4.2.1 of [Part1].
605
606      deflate: See Section 4.2.2 of [Part1].
607
608      gzip (and x-gzip): See Section 4.2.3 of [Part1].
609
610
611
612
613
614
615Fielding & Reschke       Expires August 27, 2013               [Page 11]
616
617Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
618
619
6203.1.2.2.  Content-Encoding
621
622   The "Content-Encoding" header field indicates what content codings
623   have been applied to the representation, beyond those inherent in the
624   media type, and thus what decoding mechanisms have to be applied in
625   order to obtain data in the media type referenced by the Content-Type
626   header field.  Content-Encoding is primarily used to allow a
627   representation's data to be compressed without losing the identity of
628   its underlying media type.
629
630     Content-Encoding = 1#content-coding
631
632   An example of its use is
633
634     Content-Encoding: gzip
635
636   If multiple encodings have been applied to a representation, the
637   content codings MUST be listed in the order in which they were
638   applied.  Additional information about the encoding parameters MAY be
639   provided by other header fields not defined by this specification.
640
641   Unlike Transfer-Encoding (Section 3.3.1 of [Part1]), the codings
642   listed in Content-Encoding are a characteristic of the
643   representation; the representation is defined in terms of the coded
644   form, and all other metadata about the representation is about the
645   coded form unless otherwise noted in the metadata definition.
646   Typically, the representation is only decoded just prior to rendering
647   or analogous usage.
648
649   If the media type includes an inherent encoding, such as a data
650   format that is always compressed, then that encoding would not be
651   restated in Content-Encoding even if it happens to be the same
652   algorithm as one of the content codings.  Such a content coding would
653   only be listed if, for some bizarre reason, it is applied a second
654   time to form the representation.  Likewise, an origin server might
655   choose to publish the same data as multiple representations that
656   differ only in whether the coding is defined as part of Content-Type
657   or Content-Encoding, since some user agents will behave differently
658   in their handling of each response (e.g., open a "Save as ..." dialog
659   instead of automatic decompression and rendering of content).
660
661   An origin server MAY respond with a status code of 415 (Unsupported
662   Media Type) if a representation in the request message has a content
663   coding that is not acceptable.
664
665
666
667
668
669
670
671Fielding & Reschke       Expires August 27, 2013               [Page 12]
672
673Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
674
675
6763.1.3.  Audience Language
677
6783.1.3.1.  Language Tags
679
680   A language tag, as defined in [RFC5646], identifies a natural
681   language spoken, written, or otherwise conveyed by human beings for
682   communication of information to other human beings.  Computer
683   languages are explicitly excluded.  HTTP uses language tags within
684   the Accept-Language and Content-Language fields.
685
686     language-tag = <Language-Tag, defined in [RFC5646], Section 2.1>
687
688   A language tag is composed of one or more parts: a primary language
689   subtag followed by a possibly empty series of subtags.  White space
690   is not allowed within the tag and all tags are case-insensitive.
691   Example tags include:
692
693     en, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN
694
695   See [RFC5646] for further information.
696
6973.1.3.2.  Content-Language
698
699   The "Content-Language" header field describes the natural language(s)
700   of the intended audience for the representation.  Note that this
701   might not be equivalent to all the languages used within the
702   representation.
703
704     Content-Language = 1#language-tag
705
706   Language tags are defined in Section 3.1.3.1.  The primary purpose of
707   Content-Language is to allow a user to identify and differentiate
708   representations according to the users' own preferred language.
709   Thus, if the content is intended only for a Danish-literate audience,
710   the appropriate field is
711
712     Content-Language: da
713
714   If no Content-Language is specified, the default is that the content
715   is intended for all language audiences.  This might mean that the
716   sender does not consider it to be specific to any natural language,
717   or that the sender does not know for which language it is intended.
718
719   Multiple languages MAY be listed for content that is intended for
720   multiple audiences.  For example, a rendition of the "Treaty of
721   Waitangi", presented simultaneously in the original Maori and English
722   versions, would call for
723
724
725
726
727Fielding & Reschke       Expires August 27, 2013               [Page 13]
728
729Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
730
731
732     Content-Language: mi, en
733
734   However, just because multiple languages are present within a
735   representation does not mean that it is intended for multiple
736   linguistic audiences.  An example would be a beginner's language
737   primer, such as "A First Lesson in Latin", which is clearly intended
738   to be used by an English-literate audience.  In this case, the
739   Content-Language would properly only include "en".
740
741   Content-Language MAY be applied to any media type -- it is not
742   limited to textual documents.
743
7443.1.4.  Identification
745
7463.1.4.1.  Identifying a Representation
747
748   When a complete or partial representation is transferred in a message
749   payload, it is often desirable for the sender to supply, or the
750   recipient to determine, an identifier for a resource corresponding to
751   that representation.
752
753   For a request message:
754
755   o  If the request has a Content-Location header field, then the
756      sender asserts that the payload is a representation of the
757      resource identified by the Content-Location field-value.  However,
758      such an assertion cannot be trusted unless it can be verified by
759      other means (not defined by HTTP).  The information might still be
760      useful for revision history links.
761
762   o  Otherwise, the payload is unidentified.
763
764   For a response message, the following rules are applied in order
765   until a match is found:
766
767   1.  If the request is GET or HEAD and the response status code is 200
768       (OK), 204 (No Content), 206 (Partial Content), or 304 (Not
769       Modified), the payload is a representation of the resource
770       identified by the effective request URI (Section 5.5 of [Part1]).
771
772   2.  If the request is GET or HEAD and the response status code is 203
773       (Non-Authoritative Information), the payload is a potentially
774       modified or enhanced representation of the target resource as
775       provided by an intermediary.
776
777   3.  If the response has a Content-Location header field and its
778       field-value is a reference to the same URI as the effective
779       request URI, the payload is a representation of the resource
780
781
782
783Fielding & Reschke       Expires August 27, 2013               [Page 14]
784
785Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
786
787
788       identified by the effective request URI.
789
790   4.  If the response has a Content-Location header field and its
791       field-value is a reference to a URI different from the effective
792       request URI, then the sender asserts that the payload is a
793       representation of the resource identified by the Content-Location
794       field-value.  However, such an assertion cannot be trusted unless
795       it can be verified by other means (not defined by HTTP).
796
797   5.  Otherwise, the payload is unidentified.
798
7993.1.4.2.  Content-Location
800
801   The "Content-Location" header field references a URI that can be used
802   as an identifier for a specific resource corresponding to the
803   representation in this message's payload.  In other words, if one
804   were to perform a GET request on this URI at the time of this
805   message's generation, then a 200 (OK) response would contain the same
806   representation that is enclosed as payload in this message.
807
808     Content-Location = absolute-URI / partial-URI
809
810   The Content-Location value is not a replacement for the effective
811   Request URI (Section 5.5 of [Part1]).  It is representation metadata.
812   It has the same syntax and semantics as the header field of the same
813   name defined for MIME body parts in Section 4 of [RFC2557].  However,
814   its appearance in an HTTP message has some special implications for
815   HTTP recipients.
816
817   If Content-Location is included in a 2xx (Successful) response
818   message and its value refers (after conversion to absolute form) to a
819   URI that is the same as the effective request URI, then the recipient
820   MAY consider the payload to be a current representation of that
821   resource at the time indicated by the message origination date.  For
822   a GET or HEAD request, this is the same as the default semantics when
823   no Content-Location is provided by the server.  For a state-changing
824   request like PUT or POST, it implies that the server's response
825   contains the new representation of that resource, thereby
826   distinguishing it from representations that might only report about
827   the action (e.g., "It worked!").  This allows authoring applications
828   to update their local copies without the need for a subsequent GET
829   request.
830
831   If Content-Location is included in a 2xx (Successful) response
832   message and its field-value refers to a URI that differs from the
833   effective request URI, then the origin server claims that the URI is
834   an identifier for a different resource corresponding to the enclosed
835   representation.  Such a claim can only be trusted if both identifiers
836
837
838
839Fielding & Reschke       Expires August 27, 2013               [Page 15]
840
841Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
842
843
844   share the same resource owner, which cannot be programmatically
845   determined via HTTP.
846
847   o  For a response to a GET or HEAD request, this is an indication
848      that the effective request URI refers to a resource that is
849      subject to content negotiation and the Content-Location field-
850      value is a more specific identifier for the selected
851      representation.
852
853   o  For a 201 (Created) response to a state-changing method, a
854      Content-Location field-value that is identical to the Location
855      field-value indicates that this payload is a current
856      representation of the newly created resource.
857
858   o  Otherwise, such a Content-Location indicates that this payload is
859      a representation reporting on the requested action's status and
860      that the same report is available (for future access with GET) at
861      the given URI.  For example, a purchase transaction made via a
862      POST request might include a receipt document as the payload of
863      the 200 (OK) response; the Content-Location field-value provides
864      an identifier for retrieving a copy of that same receipt in the
865      future.
866
867   A user agent that sends Content-Location in a request message is
868   stating that its value refers to where the user agent originally
869   obtained the content of the enclosed representation (prior to any
870   modifications made by that user agent).  In other words, the user
871   agent is providing a back link to the source of the original
872   representation.
873
874   An origin server that receives a Content-Location field in a request
875   message MUST treat the information as transitory request context
876   rather than as metadata to be saved verbatim as part of the
877   representation.  An origin server MAY use that context to guide in
878   processing the request or to save it for other uses, such as within
879   source links or versioning metadata.  However, an origin server MUST
880   NOT use such context information to alter the request semantics.
881
882   For example, if a client makes a PUT request on a negotiated resource
883   and the origin server accepts that PUT (without redirection), then
884   the new state of that resource is expected to be consistent with the
885   one representation supplied in that PUT; the Content-Location cannot
886   be used as a form of reverse content selection identifier to update
887   only one of the negotiated representations.  If the user agent had
888   wanted the latter semantics, it would have applied the PUT directly
889   to the Content-Location URI.
890
891
892
893
894
895Fielding & Reschke       Expires August 27, 2013               [Page 16]
896
897Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
898
899
9003.2.  Representation Data
901
902   The representation data associated with an HTTP message is either
903   provided as the payload body of the message or referred to by the
904   message semantics and the effective request URI.  The representation
905   data is in a format and encoding defined by the representation
906   metadata header fields.
907
908   The data type of the representation data is determined via the header
909   fields Content-Type and Content-Encoding.  These define a two-layer,
910   ordered encoding model:
911
912     representation-data := Content-Encoding( Content-Type( bits ) )
913
9143.3.  Payload Semantics
915
916   Some HTTP messages transfer a complete or partial representation as
917   the message "payload".  In some cases, a payload might contain only
918   the associated representation's header fields (e.g., responses to
919   HEAD) or only some part(s) of the representation data (e.g., the 206
920   (Partial Content) status code).
921
922   The purpose of a payload in a request is defined by the method
923   semantics.  For example, a representation in the payload of a PUT
924   request (Section 4.3.4) represents the desired state of the target
925   resource if the request is successfully applied, whereas a
926   representation in the payload of a POST request (Section 4.3.3)
927   represents an anonymous resource for providing data to be processed,
928   such as the information that a user entered within an HTML form.
929
930   In a response, the payload's purpose is defined by both the request
931   method and the response status code.  For example, the payload of a
932   200 (OK) response to GET (Section 4.3.1) represents the current state
933   of the target resource, as observed at the time of the message
934   origination date (Section 7.1.1.2), whereas the payload of the same
935   status code in a response to POST might represent either the
936   processing result or the new state of the target resource after
937   applying the processing.  Response messages with an error status code
938   usually contain a payload that represents the error condition, such
939   that it describes the error state and what next steps are suggested
940   for resolving it.
941
942   Header fields that specifically describe the payload, rather than the
943   associated representation, are referred to as "payload header
944   fields".  Payload header fields are defined in other parts of this
945   specification, due to their impact on message parsing.
946
947
948
949
950
951Fielding & Reschke       Expires August 27, 2013               [Page 17]
952
953Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
954
955
956   +-------------------+--------------------------+
957   | Header Field Name | Defined in...            |
958   +-------------------+--------------------------+
959   | Content-Length    | Section 3.3.2 of [Part1] |
960   | Content-Range     | Section 4.2 of [Part5]   |
961   | Transfer-Encoding | Section 3.3.1 of [Part1] |
962   +-------------------+--------------------------+
963
9643.4.  Content Negotiation
965
966   When responses convey payload information, whether indicating a
967   success or an error, the origin server often has different ways of
968   representing that information; for example, in different formats,
969   languages, or encodings.  Likewise, different users or user agents
970   might have differing capabilities, characteristics, or preferences
971   that could influence which representation, among those available,
972   would be best to deliver.  For this reason, HTTP provides mechanisms
973   for content negotiation.
974
975   This specification defines two patterns of content negotiation that
976   can be made visible within the protocol: "proactive", where the
977   server selects the representation based upon the user agent's stated
978   preferences, and "reactive" negotiation, where the server provides a
979   list of representations for the user agent to choose from.  Other
980   patterns of content negotiation include "conditional content", where
981   the representation consists of multiple parts that are selectively
982   rendered based on user agent parameters, "active content", where the
983   representation contains a script that makes additional (more
984   specific) requests based on the user agent characteristics, and
985   "Transparent Content Negotiation" ([RFC2295]), where content
986   selection is performed by an intermediary.  These patterns are not
987   mutually exclusive, and each has trade-offs in applicability and
988   practicality.
989
990   Note that, in all cases, the supplier of representations to the
991   origin server determines which representations might be considered to
992   be the "same information".
993
9943.4.1.  Proactive Negotiation
995
996   When content negotiation preferences are sent by the user agent in a
997   request in order to encourage an algorithm located at the server to
998   select the preferred representation, it is called proactive
999   negotiation (a.k.a., server-driven negotiation).  Selection is based
1000   on the available representations for a response (the dimensions over
1001   which it might vary, such as language, content-coding, etc.) compared
1002   to various information supplied in the request, including both the
1003   explicit negotiation fields of Section 5.3 and implicit
1004
1005
1006
1007Fielding & Reschke       Expires August 27, 2013               [Page 18]
1008
1009Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1010
1011
1012   characteristics, such as the client's network address or parts of the
1013   User-Agent field.
1014
1015   Proactive negotiation is advantageous when the algorithm for
1016   selecting from among the available representations is difficult to
1017   describe to a user agent, or when the server desires to send its
1018   "best guess" to the user agent along with the first response (hoping
1019   to avoid the round-trip delay of a subsequent request if the "best
1020   guess" is good enough for the user).  In order to improve the
1021   server's guess, a user agent MAY send request header fields that
1022   describe its preferences.
1023
1024   Proactive negotiation has serious disadvantages:
1025
1026   o  It is impossible for the server to accurately determine what might
1027      be "best" for any given user, since that would require complete
1028      knowledge of both the capabilities of the user agent and the
1029      intended use for the response (e.g., does the user want to view it
1030      on screen or print it on paper?);
1031
1032   o  Having the user agent describe its capabilities in every request
1033      can be both very inefficient (given that only a small percentage
1034      of responses have multiple representations) and a potential risk
1035      to the user's privacy;
1036
1037   o  It complicates the implementation of an origin server and the
1038      algorithms for generating responses to a request; and,
1039
1040   o  It limits the reusability of responses for shared caching.
1041
1042   A user agent cannot rely on proactive negotiation preferences being
1043   consistently honored, since the origin server might not implement
1044   proactive negotiation for the requested resource or might decide that
1045   sending a response that doesn't conform to the user agent's
1046   preferences is better than sending a 406 (Not Acceptable) response.
1047
1048   An origin server MAY generate a Vary header field (Section 7.1.4) in
1049   responses that are subject to proactive negotiation to indicate what
1050   parameters of request information might be used in its selection
1051   algorithm, thereby providing a means for recipients to determine the
1052   reusability of that same response for user agents with differing
1053   request information.
1054
10553.4.2.  Reactive Negotiation
1056
1057   With reactive negotiation (a.k.a., agent-driven negotiation),
1058   selection of the best representation for a response is performed by
1059   the user agent after receiving an initial response from the origin
1060
1061
1062
1063Fielding & Reschke       Expires August 27, 2013               [Page 19]
1064
1065Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1066
1067
1068   server with a list of alternative resources.  If the user agent is
1069   not satisfied by the initial response, it can perform a GET request
1070   on one or more of the alternative resources, selected based on
1071   metadata included in the list, to obtain a different form of
1072   representation.  Selection of alternatives might be performed
1073   automatically by the user agent or manually by the user selecting
1074   from a generated (possibly hypertext) menu.
1075
1076   A server can send a 300 (Multiple Choices) response to indicate that
1077   reactive negotiation by the user agent is desired, or a 406 (Not
1078   Acceptable) status code to indicate that proactive negotiation has
1079   failed.  In both cases, the response ought to include information
1080   about the available representations so that the user or user agent
1081   can react by making a selection.
1082
1083   Reactive negotiation is advantageous when the response would vary
1084   over commonly-used dimensions (such as type, language, or encoding),
1085   when the origin server is unable to determine a user agent's
1086   capabilities from examining the request, and generally when public
1087   caches are used to distribute server load and reduce network usage.
1088
1089   Reactive negotiation suffers from the disadvantages of transmitting a
1090   list of alternatives to the user agent, which degrades user-perceived
1091   latency if transmitted in the header section, and needing a second
1092   request to obtain an alternate representation.  Furthermore, this
1093   specification does not define a mechanism for supporting automatic
1094   selection, though it does not prevent such a mechanism from being
1095   developed as an extension.
1096
10974.  Request Methods
1098
10994.1.  Overview
1100
1101   The request method token is the primary source of request semantics;
1102   it indicates the purpose for which the client has made this request
1103   and what is expected by the client as a successful result.  The
1104   request semantics might be further specialized by the semantics of
1105   some header fields when present in a request (Section 5) if those
1106   additional semantics do not conflict with the method.
1107
1108     method = token
1109
1110   HTTP was originally designed to be usable as an interface to
1111   distributed object systems.  The request method was envisioned as
1112   applying semantics to a target resource in much the same way as
1113   invoking a defined method on an identified object would apply
1114   semantics.  The method token is case-sensitive because it might be
1115   used as a gateway to object-based systems with case-sensitive method
1116
1117
1118
1119Fielding & Reschke       Expires August 27, 2013               [Page 20]
1120
1121Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1122
1123
1124   names.
1125
1126   Unlike distributed objects, the standardized request methods in HTTP
1127   are not resource-specific, since uniform interfaces provide for
1128   better visibility and reuse in network-based systems [REST].  Once
1129   defined, a standardized method ought to have the same semantics when
1130   applied to any resource, though each resource determines for itself
1131   whether those semantics are implemented or allowed.
1132
1133   This specification defines a number of standardized methods that are
1134   commonly used in HTTP, as outlined by the following table.  By
1135   convention, standardized methods are defined in all-uppercase ASCII
1136   letters.
1137
1138   +---------+-------------------------------------------------+-------+
1139   | Method  | Description                                     | Sec.  |
1140   +---------+-------------------------------------------------+-------+
1141   | GET     | Transfer a current representation of the target | 4.3.1 |
1142   |         | resource.                                       |       |
1143   | HEAD    | Same as GET, but only transfer the status line  | 4.3.2 |
1144   |         | and header block.                               |       |
1145   | POST    | Perform resource-specific processing on the     | 4.3.3 |
1146   |         | request payload.                                |       |
1147   | PUT     | Replace all current representations of the      | 4.3.4 |
1148   |         | target resource with the request payload.       |       |
1149   | DELETE  | Remove all current representations of the       | 4.3.5 |
1150   |         | target resource.                                |       |
1151   | CONNECT | Establish a tunnel to the server identified by  | 4.3.6 |
1152   |         | the target resource.                            |       |
1153   | OPTIONS | Describe the communication options for the      | 4.3.7 |
1154   |         | target resource.                                |       |
1155   | TRACE   | Perform a message loop-back test along the path | 4.3.8 |
1156   |         | to the target resource.                         |       |
1157   +---------+-------------------------------------------------+-------+
1158
1159   All general-purpose servers MUST support the methods GET and HEAD.
1160   All other methods are OPTIONAL; when implemented, a server MUST
1161   implement the above methods according to the semantics defined for
1162   them in Section 4.3.
1163
1164   Additional methods, outside the scope of this specification, have
1165   been standardized for use in HTTP.  All such methods ought to be
1166   registered within the HTTP Method Registry maintained by IANA, as
1167   defined in Section 8.1.
1168
1169   The set of methods allowed by a target resource can be listed in an
1170   Allow header field (Section 7.4.1).  However, the set of allowed
1171   methods can change dynamically.  When a request method is received
1172
1173
1174
1175Fielding & Reschke       Expires August 27, 2013               [Page 21]
1176
1177Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1178
1179
1180   that is unrecognized or not implemented by an origin server, the
1181   origin server SHOULD respond with the 501 (Not Implemented) status
1182   code.  When a request method is received that is known by an origin
1183   server but not allowed for the target resource, the origin server
1184   SHOULD respond with the 405 (Method Not Allowed) status code.
1185
1186   A client can send conditional request header fields (Section 5.2) to
1187   make the requested action conditional on the current state of the
1188   target resource ([Part4]).
1189
11904.2.  Common Method Properties
1191
11924.2.1.  Safe Methods
1193
1194   Request methods are considered "safe" if their defined semantics are
1195   essentially read-only; i.e., the client does not request, and does
1196   not expect, any state change on the origin server as a result of
1197   applying a safe method to a target resource.  Likewise, reasonable
1198   use of a safe method is not expected to cause any harm, loss of
1199   property, or unusual burden on the origin server.
1200
1201   This definition of safe methods does not prevent an implementation
1202   from including behavior that is potentially harmful, not entirely
1203   read-only, or which causes side-effects while invoking a safe method.
1204   What is important, however, is that the client did not request that
1205   additional behavior and cannot be held accountable for it.  For
1206   example, most servers append request information to access log files
1207   at the completion of every response, regardless of the method, and
1208   that is considered safe even though the log storage might become full
1209   and crash the server.  Likewise, a safe request initiated by
1210   selecting an advertisement on the Web will often have the side-effect
1211   of charging an advertising account.
1212
1213   Of the request methods defined by this specification, the GET, HEAD,
1214   OPTIONS, and TRACE methods are defined to be safe.
1215
1216   The purpose of distinguishing between safe and unsafe methods is to
1217   allow automated retrieval processes (spiders) and cache performance
1218   optimization (pre-fetching) to work without fear of causing harm.  In
1219   addition, it allows a user agent to apply appropriate constraints on
1220   the automated use of unsafe methods when processing potentially
1221   untrusted content.
1222
1223   A user agent SHOULD distinguish between safe and unsafe methods when
1224   presenting potential actions to a user, such that the user can be
1225   made aware of an unsafe action before it is requested.
1226
1227   When a resource is constructed such that parameters within the
1228
1229
1230
1231Fielding & Reschke       Expires August 27, 2013               [Page 22]
1232
1233Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1234
1235
1236   effective request URI have the effect of selecting an action, it is
1237   the resource owner's responsibility to ensure that the action is
1238   consistent with the request method semantics.  For example, it is
1239   common for Web-based content editing software to use actions within
1240   query parameters, such as "page?do=delete".  If the purpose of such a
1241   resource is to perform an unsafe action, then the resource MUST
1242   disable or disallow that action when it is accessed using a safe
1243   request method.  Failure to do so will result in unfortunate side-
1244   effects when automated processes perform a GET on every URI reference
1245   for the sake of link maintenance, pre-fetching, building a search
1246   index, etc.
1247
12484.2.2.  Idempotent Methods
1249
1250   Request methods are considered "idempotent" if the intended effect of
1251   multiple identical requests is the same as for a single request.  Of
1252   the request methods defined by this specification, the PUT, DELETE,
1253   and safe request methods are idempotent.
1254
1255   Like the definition of safe, the idempotent property only applies to
1256   what has been requested by the user; a server is free to log each
1257   request separately, retain a revision control history, or implement
1258   other non-idempotent side-effects for each idempotent request.
1259
1260   Idempotent methods are distinguished because the request can be
1261   repeated automatically if a communication failure occurs before the
1262   client is able to read the server's response.  For example, if a
1263   client sends a PUT request and the underlying connection is closed
1264   before any response is received, then it can establish a new
1265   connection and retry the idempotent request because it knows that
1266   repeating the request will have the same effect even if the original
1267   request succeeded.  Note, however, that repeated failures would
1268   indicate a problem within the server.
1269
12704.2.3.  Cacheable Methods
1271
1272   Request methods are considered "cacheable" if it is possible and
1273   useful to answer a current client request with a stored response from
1274   a prior request.  GET and HEAD are defined to be cacheable.  In
1275   general, safe methods that do not depend on a current or
1276   authoritative response are cacheable, though the overwhelming
1277   majority of caches only support GET and HEAD.  HTTP requirements for
1278   cache behavior and cacheable responses are defined in [Part6].
1279
12804.3.  Method Definitions
1281
1282
1283
1284
1285
1286
1287Fielding & Reschke       Expires August 27, 2013               [Page 23]
1288
1289Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1290
1291
12924.3.1.  GET
1293
1294   The GET method requests transfer of a current selected representation
1295   for the target resource.  GET is the primary mechanism of information
1296   retrieval and the focus of almost all performance optimizations.
1297   Hence, when people speak of retrieving some identifiable information
1298   via HTTP, they are generally referring to making a GET request.
1299
1300   It is tempting to think of resource identifiers as remote filesystem
1301   pathnames, and of representations as being a copy of the contents of
1302   such files.  In fact, that is how many resources are implemented (see
1303   Section 9.1 for related security considerations).  However, there are
1304   no such limitations in practice.  The HTTP interface for a resource
1305   is just as likely to be implemented as a tree of content objects, a
1306   programmatic view on various database records, or a gateway to other
1307   information systems.  Even when the URI mapping mechanism is tied to
1308   a filesystem, an origin server might be configured to execute the
1309   files with the request as input and send the output as the
1310   representation, rather then transfer the files directly.  Regardless,
1311   only the origin server needs to know how each of its resource
1312   identifiers correspond to an implementation, and how each
1313   implementation manages to select and send a current representation of
1314   the target resource in a response to GET.
1315
1316   A client can alter the semantics of GET to be a "range request",
1317   requesting transfer of only some part(s) of the selected
1318   representation, by sending a Range header field in the request
1319   ([Part5]).
1320
1321   A payload within a GET request message has no defined semantics;
1322   sending a payload body on a GET request might cause some existing
1323   implementations to reject the request.
1324
1325   The response to a GET request is cacheable; a cache MAY use it to
1326   satisfy subsequent GET and HEAD requests unless otherwise indicated
1327   by the Cache-Control header field (Section 7.2 of [Part6]).
1328
13294.3.2.  HEAD
1330
1331   The HEAD method is identical to GET except that the server MUST NOT
1332   send a message body in the response (i.e., the response terminates at
1333   the end of the header block).  Aside from the payload header fields
1334   (Section 3.3), the server SHOULD send the same header fields in
1335   response to a HEAD request as it would have sent if the request had
1336   been a GET.  This method can be used for obtaining metadata about the
1337   selected representation without transferring the representation data.
1338   This method is often used for testing hypertext links for validity,
1339   accessibility, and recent modification.
1340
1341
1342
1343Fielding & Reschke       Expires August 27, 2013               [Page 24]
1344
1345Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1346
1347
1348   A payload within a HEAD request message has no defined semantics;
1349   sending a payload body on a HEAD request might cause some existing
1350   implementations to reject the request.
1351
1352   The response to a HEAD request is cacheable; a cache MAY use it to
1353   satisfy subsequent HEAD requests unless otherwise indicated by the
1354   Cache-Control header field (Section 7.2 of [Part6]).  A HEAD response
1355   might also have an effect on previously cached responses to GET; see
1356   Section 5 of [Part6].
1357
13584.3.3.  POST
1359
1360   The POST method requests that the target resource process the
1361   representation enclosed in the request according to the resource's
1362   own specific semantics.  For example, POST is used for the following
1363   functions (among others):
1364
1365   o  Providing a block of data, such as the fields entered into an HTML
1366      form, to a data-handling process;
1367
1368   o  Posting a message to a bulletin board, newsgroup, mailing list,
1369      blog, or similar group of articles;
1370
1371   o  Creating a new resource that has yet to be identified by the
1372      origin server; and
1373
1374   o  Appending data to a resource's existing representation(s).
1375
1376   An origin server indicates response semantics by choosing an
1377   appropriate status code depending on the result of processing the
1378   POST request; almost all of the status codes defined by this
1379   specification might be received in a response to POST (the exceptions
1380   being 206, 304, and 416).
1381
1382   If one or more resources has been created on the origin server as a
1383   result of successfully processing a POST request, the origin server
1384   SHOULD send a 201 (Created) response containing a Location header
1385   field that provides an identifier for the primary resource created
1386   (Section 7.1.2) and a representation that describes the status of the
1387   request while referring to the new resource(s).
1388
1389   Responses to POST requests are only cacheable when they include
1390   explicit freshness information (see Section 4.1.1 of [Part6]).
1391   However, POST caching is not widely implemented.  For cases where an
1392   origin server wishes the client to be able to cache the result of a
1393   POST in a way that can be reused by a later GET, the origin server
1394   MAY send a 200 (OK) response containing the result and a Content-
1395   Location header field that has the same value as the POST's effective
1396
1397
1398
1399Fielding & Reschke       Expires August 27, 2013               [Page 25]
1400
1401Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1402
1403
1404   request URI (Section 3.1.4.2).
1405
1406   If the result of processing a POST would be equivalent to a
1407   representation of an existing resource, an origin server MAY redirect
1408   the user agent to that resource by sending a 303 (See Other) response
1409   with the existing resource's identifier in the Location field.  This
1410   has the benefits of providing the user agent a resource identifier
1411   and transferring the representation via a method more amenable to
1412   shared caching, though at the cost of an extra request if the user
1413   agent does not already have the representation cached.
1414
14154.3.4.  PUT
1416
1417   The PUT method requests that the state of the target resource be
1418   created or replaced with the state defined by the representation
1419   enclosed in the request message payload.  A successful PUT of a given
1420   representation would suggest that a subsequent GET on that same
1421   target resource will result in an equivalent representation being
1422   sent in a 200 (OK) response.  However, there is no guarantee that
1423   such a state change will be observable, since the target resource
1424   might be acted upon by other user agents in parallel, or might be
1425   subject to dynamic processing by the origin server, before any
1426   subsequent GET is received.  A successful response only implies that
1427   the user agent's intent was achieved at the time of its processing by
1428   the origin server.
1429
1430   If the target resource does not have a current representation and the
1431   PUT successfully creates one, then the origin server MUST inform the
1432   user agent by sending a 201 (Created) response.  If the target
1433   resource does have a current representation and that representation
1434   is successfully modified in accordance with the state of the enclosed
1435   representation, then either a 200 (OK) or 204 (No Content) response
1436   SHOULD be sent to indicate successful completion of the request.
1437
1438   An origin server SHOULD ignore unrecognized header fields received in
1439   a PUT request (i.e., do not save them as part of the resource state).
1440
1441   An origin server SHOULD verify that the PUT representation is
1442   consistent with any constraints the server has for the target
1443   resource that cannot or will not be changed by the PUT.  This is
1444   particularly important when the origin server uses internal
1445   configuration information related to the URI in order to set the
1446   values for representation metadata on GET responses.  When a PUT
1447   representation is inconsistent with the target resource, the origin
1448   server SHOULD either make them consistent, by transforming the
1449   representation or changing the resource configuration, or respond
1450   with an appropriate error message containing sufficient information
1451   to explain why the representation is unsuitable.  The 409 (Conflict)
1452
1453
1454
1455Fielding & Reschke       Expires August 27, 2013               [Page 26]
1456
1457Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1458
1459
1460   or 415 (Unsupported Media Type) status codes are suggested, with the
1461   latter being specific to constraints on Content-Type values.
1462
1463   For example, if the target resource is configured to always have a
1464   Content-Type of "text/html" and the representation being PUT has a
1465   Content-Type of "image/jpeg", then the origin server SHOULD do one
1466   of:
1467
1468   a.  reconfigure the target resource to reflect the new media type;
1469
1470   b.  transform the PUT representation to a format consistent with that
1471       of the resource before saving it as the new resource state; or,
1472
1473   c.  reject the request with a 415 (Unsupported Media Type) response
1474       indicating that the target resource is limited to "text/html",
1475       perhaps including a link to a different resource that would be a
1476       suitable target for the new representation.
1477
1478   HTTP does not define exactly how a PUT method affects the state of an
1479   origin server beyond what can be expressed by the intent of the user
1480   agent request and the semantics of the origin server response.  It
1481   does not define what a resource might be, in any sense of that word,
1482   beyond the interface provided via HTTP.  It does not define how
1483   resource state is "stored", nor how such storage might change as a
1484   result of a change in resource state, nor how the origin server
1485   translates resource state into representations.  Generally speaking,
1486   all implementation details behind the resource interface are
1487   intentionally hidden by the server.
1488
1489   An origin server MUST NOT send a validator header field
1490   (Section 7.2), such as an ETag or Last-Modified field, in a
1491   successful response to PUT unless the request's representation data
1492   was saved without any transformation applied to the body (i.e., the
1493   resource's new representation data is identical to the representation
1494   data received in the PUT request) and the validator field value
1495   reflects the new representation.  This requirement allows a user
1496   agent to know when the representation body it has in memory remains
1497   current as a result of the PUT, thus not in need of retrieving again
1498   from the origin server, and that the new validator(s) received in the
1499   response can be used for future conditional requests in order to
1500   prevent accidental overwrites (Section 5.2).
1501
1502   The fundamental difference between the POST and PUT methods is
1503   highlighted by the different intent for the enclosed representation.
1504   The target resource in a POST request is intended to handle the
1505   enclosed representation according to the resource's own semantics,
1506   whereas the enclosed representation in a PUT request is defined as
1507   replacing the state of the target resource.  Hence, the intent of PUT
1508
1509
1510
1511Fielding & Reschke       Expires August 27, 2013               [Page 27]
1512
1513Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1514
1515
1516   is idempotent and visible to intermediaries, even though the exact
1517   effect is only known by the origin server.
1518
1519   Proper interpretation of a PUT request presumes that the user agent
1520   knows which target resource is desired.  A service that selects a
1521   proper URI on behalf of the client, after receiving a state-changing
1522   request, SHOULD be implemented using the POST method rather than PUT.
1523   If the origin server will not make the requested PUT state change to
1524   the target resource and instead wishes to have it applied to a
1525   different resource, such as when the resource has been moved to a
1526   different URI, then the origin server MUST send an appropriate 3xx
1527   (Redirection) response; the user agent MAY then make its own decision
1528   regarding whether or not to redirect the request.
1529
1530   A PUT request applied to the target resource MAY have side-effects on
1531   other resources.  For example, an article might have a URI for
1532   identifying "the current version" (a resource) that is separate from
1533   the URIs identifying each particular version (different resources
1534   that at one point shared the same state as the current version
1535   resource).  A successful PUT request on "the current version" URI
1536   might therefore create a new version resource in addition to changing
1537   the state of the target resource, and might also cause links to be
1538   added between the related resources.
1539
1540   An origin server SHOULD reject any PUT request that contains a
1541   Content-Range header field (Section 4.2 of [Part5]), since it might
1542   be misinterpreted as partial content (or might be partial content
1543   that is being mistakenly PUT as a full representation).  Partial
1544   content updates are possible by targeting a separately identified
1545   resource with state that overlaps a portion of the larger resource,
1546   or by using a different method that has been specifically defined for
1547   partial updates (for example, the PATCH method defined in [RFC5789]).
1548
1549   Responses to the PUT method are not cacheable.  If a PUT request
1550   passes through a cache that has one or more stored responses for the
1551   effective request URI, those stored responses will be invalidated
1552   (see Section 6 of [Part6]).
1553
15544.3.5.  DELETE
1555
1556   The DELETE method requests that the origin server remove the
1557   association between the target resource and its current
1558   functionality.  In effect, this method is similar to the rm command
1559   in UNIX: it expresses a deletion operation on the URI mapping of the
1560   origin server, rather than an expectation that the previously
1561   associated information be deleted.
1562
1563   If the target resource has one or more current representations, they
1564
1565
1566
1567Fielding & Reschke       Expires August 27, 2013               [Page 28]
1568
1569Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1570
1571
1572   might or might not be destroyed by the origin server, and the
1573   associated storage might or might not be reclaimed, depending
1574   entirely on the nature of the resource and its implementation by the
1575   origin server (which are beyond the scope of this specification).
1576   Likewise, other implementation aspects of a resource might need to be
1577   deactivated or archived as a result of a DELETE, such as database or
1578   gateway connections.  In general, it is assumed that the origin
1579   server will only allow DELETE on resources for which it has a
1580   prescribed mechanism for accomplishing the deletion.
1581
1582   Relatively few resources allow the DELETE method -- its primary use
1583   is for remote authoring environments, where the user has some
1584   direction regarding its effect.  For example, a resource that was
1585   previously created using a PUT request, or identified via the
1586   Location header field after a 201 (Created) response to a POST
1587   request, might allow a corresponding DELETE request to undo those
1588   actions.  Similarly, custom user agent implementations that implement
1589   an authoring function, such as revision control clients using HTTP
1590   for remote operations, might use DELETE based on an assumption that
1591   the server's URI space has been crafted to correspond to a version
1592   repository.
1593
1594   If a DELETE method is successfully applied, the origin server SHOULD
1595   send a 202 (Accepted) status code if the action seems okay but has
1596   not yet been enacted, a 204 (No Content) status code if the action
1597   has been enacted and no further information is to be supplied, or a
1598   200 (OK) status code if the action has been enacted and the response
1599   message includes a representation describing the status.
1600
1601   A payload within a DELETE request message has no defined semantics;
1602   sending a payload body on a DELETE request might cause some existing
1603   implementations to reject the request.
1604
1605   Responses to the DELETE method are not cacheable.  If a DELETE
1606   request passes through a cache that has one or more stored responses
1607   for the effective request URI, those stored responses will be
1608   invalidated (see Section 6 of [Part6]).
1609
16104.3.6.  CONNECT
1611
1612   The CONNECT method requests that the recipient establish a tunnel to
1613   the destination origin server identified by the request-target and,
1614   if successful, thereafter restrict its behavior to blind forwarding
1615   of packets, in both directions, until the connection is closed.
1616
1617   CONNECT is intended only for use in requests to a proxy.  An origin
1618   server that receives a CONNECT request for itself MAY respond with a
1619   2xx status code to indicate that a connection is established.
1620
1621
1622
1623Fielding & Reschke       Expires August 27, 2013               [Page 29]
1624
1625Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1626
1627
1628   However, most origin servers do not implement CONNECT.
1629
1630   A client sending a CONNECT request MUST send the authority form of
1631   request-target (Section 5.3 of [Part1]); i.e., the request-target
1632   consists of only the host name and port number of the tunnel
1633   destination, separated by a colon.  For example,
1634
1635     CONNECT server.example.com:80 HTTP/1.1
1636     Host: server.example.com:80
1637
1638
1639   The recipient proxy can establish a tunnel either by directly
1640   connecting to the request-target or, if configured to use another
1641   proxy, by forwarding the CONNECT request to the next inbound proxy.
1642   Any 2xx (Successful) response indicates that the sender (and all
1643   inbound proxies) will switch to tunnel mode immediately after the
1644   blank line that concludes the successful response's header block;
1645   data received after that blank line is from the server identified by
1646   the request-target.  Any response other than a successful response
1647   indicates that the tunnel has not yet been formed and that the
1648   connection remains governed by HTTP.
1649
1650   A server SHOULD NOT send any Transfer-Encoding or Content-Length
1651   header fields in a successful response.  A client MUST ignore any
1652   Content-Length or Transfer-Encoding header fields received in a
1653   successful response.
1654
1655   There are significant risks in establishing a tunnel to arbitrary
1656   servers, particularly when the destination is a well-known or
1657   reserved TCP port that is not intended for Web traffic.  For example,
1658   a CONNECT to a request-target of "example.com:25" would suggest that
1659   the proxy connect to the reserved port for SMTP traffic; if allowed,
1660   that could trick the proxy into relaying spam email.  Proxies that
1661   support CONNECT SHOULD restrict its use to a limited set of known
1662   ports or a configurable whitelist of safe request targets.
1663
1664   Proxy authentication might be used to establish the authority to
1665   create a tunnel.  For example,
1666
1667     CONNECT server.example.com:80 HTTP/1.1
1668     Host: server.example.com:80
1669     Proxy-Authorization: basic aGVsbG86d29ybGQ=
1670
1671
1672   When a tunnel intermediary detects that either side has closed its
1673   connection, any outstanding data that came from that side will first
1674   be sent to the other side and then the intermediary will close both
1675   connections.  If there is outstanding data left undelivered, that
1676
1677
1678
1679Fielding & Reschke       Expires August 27, 2013               [Page 30]
1680
1681Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1682
1683
1684   data will be discarded.
1685
1686   A payload within a CONNECT request message has no defined semantics;
1687   sending a payload body on a CONNECT request might cause some existing
1688   implementations to reject the request.
1689
1690   Responses to the CONNECT method are not cacheable.
1691
16924.3.7.  OPTIONS
1693
1694   The OPTIONS method requests information about the communication
1695   options available on the request/response chain identified by the
1696   effective request URI.  This method allows a client to determine the
1697   options and/or requirements associated with a resource, or the
1698   capabilities of a server, without implying a resource action.
1699
1700   An OPTIONS request with an asterisk ("*") as the request-target
1701   (Section 5.3 of [Part1]) applies to the server in general rather than
1702   to a specific resource.  Since a server's communication options
1703   typically depend on the resource, the "*" request is only useful as a
1704   "ping" or "no-op" type of method; it does nothing beyond allowing the
1705   client to test the capabilities of the server.  For example, this can
1706   be used to test a proxy for HTTP/1.1 conformance (or lack thereof).
1707
1708   If the request-target is not an asterisk, the OPTIONS request applies
1709   to the options that are available when communicating with the target
1710   resource.
1711
1712   A server generating a successful response to OPTIONS SHOULD send any
1713   header fields that might indicate optional features implemented by
1714   the server and applicable to the target resource (e.g., Allow),
1715   including potential extensions not defined by this specification.
1716   The response payload, if any, might also describe the communication
1717   options in a machine or human-readable representation.  A standard
1718   format for such a representation is not defined by this
1719   specification, but might be defined by future extensions to HTTP.  A
1720   server MUST generate a Content-Length field with a value of "0" if no
1721   payload body is to be sent in the response.
1722
1723   A client MAY send a Max-Forwards header field in an OPTIONS request
1724   to target a specific recipient in the request chain (see
1725   Section 5.1.2).  A proxy MUST NOT generate a Max-Forwards header
1726   field while forwarding a request unless that request was received
1727   with a Max-Forwards field.
1728
1729   A client that generates an OPTIONS request containing a payload body
1730   MUST send a valid Content-Type header field describing the
1731   representation media type.  Although this specification does not
1732
1733
1734
1735Fielding & Reschke       Expires August 27, 2013               [Page 31]
1736
1737Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1738
1739
1740   define any use for such a payload, future extensions to HTTP might
1741   use the OPTIONS body to make more detailed queries about the target
1742   resource.
1743
1744   Responses to the OPTIONS method are not cacheable.
1745
17464.3.8.  TRACE
1747
1748   The TRACE method requests a remote, application-level loop-back of
1749   the request message.  The final recipient of the request SHOULD
1750   reflect the message received, excluding some fields described below,
1751   back to the client as the message body of a 200 (OK) response with a
1752   Content-Type of "message/http" (Section 7.3.1 of [Part1]).  The final
1753   recipient is either the origin server or the first server to receive
1754   a Max-Forwards value of zero (0) in the request (Section 5.1.2).
1755
1756   A client MUST NOT send header fields in a TRACE request containing
1757   sensitive data that might be disclosed by the response.  For example,
1758   it would be foolish for a user agent to send stored user credentials
1759   [Part7] or cookies [RFC6265] in a TRACE request.  The final recipient
1760   SHOULD exclude any request header fields from the response body that
1761   are likely to contain sensitive data.
1762
1763   TRACE allows the client to see what is being received at the other
1764   end of the request chain and use that data for testing or diagnostic
1765   information.  The value of the Via header field (Section 5.7.1 of
1766   [Part1]) is of particular interest, since it acts as a trace of the
1767   request chain.  Use of the Max-Forwards header field allows the
1768   client to limit the length of the request chain, which is useful for
1769   testing a chain of proxies forwarding messages in an infinite loop.
1770
1771   A client MUST NOT send a message body in a TRACE request.
1772
1773   Responses to the TRACE method are not cacheable.
1774
17755.  Request Header Fields
1776
1777   A client sends request header fields to provide more information
1778   about the request context, make the request conditional based on the
1779   target resource state, suggest preferred formats for the response,
1780   supply authentication credentials, or modify the expected request
1781   processing.  These fields act as request modifiers, similar to the
1782   parameters on a programming language method invocation.
1783
17845.1.  Controls
1785
1786   Controls are request header fields that direct specific handling of
1787   the request.
1788
1789
1790
1791Fielding & Reschke       Expires August 27, 2013               [Page 32]
1792
1793Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1794
1795
1796   +-------------------+------------------------+
1797   | Header Field Name | Defined in...          |
1798   +-------------------+------------------------+
1799   | Cache-Control     | Section 7.2 of [Part6] |
1800   | Expect            | Section 5.1.1          |
1801   | Host              | Section 5.4 of [Part1] |
1802   | Max-Forwards      | Section 5.1.2          |
1803   | Pragma            | Section 7.4 of [Part6] |
1804   | Range             | Section 3.1 of [Part5] |
1805   | TE                | Section 4.3 of [Part1] |
1806   +-------------------+------------------------+
1807
18085.1.1.  Expect
1809
1810   The "Expect" header field is used to indicate that particular server
1811   behaviors are required by the client.
1812
1813     Expect       = 1#expectation
1814
1815     expectation  = expect-name [ BWS "=" BWS expect-value ]
1816                                *( OWS ";" [ OWS expect-param ] )
1817     expect-param = expect-name [ BWS "=" BWS expect-value ]
1818
1819     expect-name  = token
1820     expect-value = token / quoted-string
1821
1822   If all received Expect header field(s) are syntactically valid but
1823   contain an expectation that the recipient does not understand or
1824   cannot comply with, the recipient MUST respond with a 417
1825   (Expectation Failed) status code.  A recipient of a syntactically
1826   invalid Expectation header field MUST respond with a 4xx status code
1827   other than 417.
1828
1829   Comparison is case-insensitive for names (expect-name), and case-
1830   sensitive for values (expect-value).
1831
1832   The Expect header field MUST be forwarded if the request is
1833   forwarded.
1834
1835   Many older HTTP/1.0 and HTTP/1.1 servers do not understand the Expect
1836   header field.
1837
18385.1.1.1.  Use of the 100 (Continue) Status
1839
1840   The only expectation defined by this specification is:
1841
1842
1843
1844
1845
1846
1847Fielding & Reschke       Expires August 27, 2013               [Page 33]
1848
1849Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1850
1851
1852   100-continue
1853
1854      The request includes a payload body and the client will wait for a
1855      100 (Continue) response after sending the request header section
1856      but before sending the payload body.  The 100-continue expectation
1857      does not use any expect-params.
1858
1859   The primary purpose of the 100 (Continue) status code (Section 6.2.1)
1860   is to allow a client that is sending a request message with a payload
1861   to determine if the origin server is willing to accept the request
1862   (based on the request header fields) before the client sends the
1863   payload body.  In some cases, it might either be inappropriate or
1864   highly inefficient for the client to send the payload body if the
1865   server will reject the message without looking at the body.
1866
1867   Requirements for HTTP/1.1 clients:
1868
1869   o  If a client will wait for a 100 (Continue) response before sending
1870      the payload body, it MUST send an Expect header field with the
1871      "100-continue" expectation.
1872
1873   o  A client MUST NOT send an Expect header field with the "100-
1874      continue" expectation if it does not intend to send a payload
1875      body.
1876
1877   Because of the presence of older implementations, the protocol allows
1878   ambiguous situations in which a client might send "Expect: 100-
1879   continue" without receiving either a 417 (Expectation Failed) or a
1880   100 (Continue) status code.  Therefore, when a client sends this
1881   header field to an origin server (possibly via a proxy) from which it
1882   has never seen a 100 (Continue) status code, the client SHOULD NOT
1883   wait for an indefinite period before sending the payload body.
1884
1885   Requirements for HTTP/1.1 origin servers:
1886
1887   o  Upon receiving a request that includes an Expect header field with
1888      the "100-continue" expectation, an origin server MUST either
1889      respond with 100 (Continue) status code and continue to read from
1890      the input stream, or respond with a final status code.  The origin
1891      server MUST NOT wait for the payload body before sending the 100
1892      (Continue) response.  If the origin server responds with a final
1893      status code, it MUST NOT have performed the request method and MAY
1894      either close the connection or continue to read and discard the
1895      rest of the request.
1896
1897   o  An origin server SHOULD NOT send a 100 (Continue) response if the
1898      request message does not include an Expect header field with the
1899      "100-continue" expectation, and MUST NOT send a 100 (Continue)
1900
1901
1902
1903Fielding & Reschke       Expires August 27, 2013               [Page 34]
1904
1905Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1906
1907
1908      response if such a request comes from an HTTP/1.0 (or earlier)
1909      client.  There is an exception to this rule: for compatibility
1910      with [RFC2068], a server MAY send a 100 (Continue) status code in
1911      response to an HTTP/1.1 PUT or POST request that does not include
1912      an Expect header field with the "100-continue" expectation.  This
1913      exception, the purpose of which is to minimize any client
1914      processing delays associated with an undeclared wait for 100
1915      (Continue) status code, applies only to HTTP/1.1 requests, and not
1916      to requests with any other HTTP-version value.
1917
1918   o  An origin server MAY omit a 100 (Continue) response if it has
1919      already received some or all of the payload body for the
1920      corresponding request.
1921
1922   o  An origin server that sends a 100 (Continue) response MUST
1923      ultimately send a final status code, once the payload body is
1924      received and processed, unless it terminates the transport
1925      connection prematurely.
1926
1927   o  If an origin server receives a request that does not include an
1928      Expect header field with the "100-continue" expectation, the
1929      request includes a payload body, and the server responds with a
1930      final status code before reading the entire payload body from the
1931      transport connection, then the server SHOULD NOT close the
1932      transport connection until it has read the entire request, or
1933      until the client closes the connection.  Otherwise, the client
1934      might not reliably receive the response message.  However, this
1935      requirement ought not be construed as preventing a server from
1936      defending itself against denial-of-service attacks, or from badly
1937      broken client implementations.
1938
1939   Requirements for HTTP/1.1 proxies:
1940
1941   o  If a proxy receives a request that includes an Expect header field
1942      with the "100-continue" expectation, and the proxy either knows
1943      that the next-hop server complies with HTTP/1.1 or higher, or does
1944      not know the HTTP version of the next-hop server, it MUST forward
1945      the request, including the Expect header field.
1946
1947   o  If the proxy knows that the version of the next-hop server is
1948      HTTP/1.0 or lower, it MUST NOT forward the request, and it MUST
1949      respond with a 417 (Expectation Failed) status code.
1950
1951   o  Proxies SHOULD maintain a record of the HTTP version numbers
1952      received from recently-referenced next-hop servers.
1953
1954   o  A proxy MUST NOT forward a 100 (Continue) response if the request
1955      message was received from an HTTP/1.0 (or earlier) client and did
1956
1957
1958
1959Fielding & Reschke       Expires August 27, 2013               [Page 35]
1960
1961Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
1962
1963
1964      not include an Expect header field with the "100-continue"
1965      expectation.  This requirement overrides the general rule for
1966      forwarding of 1xx responses (see Section 6.2.1).
1967
19685.1.2.  Max-Forwards
1969
1970   The "Max-Forwards" header field provides a mechanism with the TRACE
1971   (Section 4.3.8) and OPTIONS (Section 4.3.7) methods to limit the
1972   number of times that the request is forwarded by proxies.  This can
1973   be useful when the client is attempting to trace a request that
1974   appears to be failing or looping mid-chain.
1975
1976     Max-Forwards = 1*DIGIT
1977
1978   The Max-Forwards value is a decimal integer indicating the remaining
1979   number of times this request message can be forwarded.
1980
1981   Each recipient of a TRACE or OPTIONS request containing a Max-
1982   Forwards header field MUST check and update its value prior to
1983   forwarding the request.  If the received value is zero (0), the
1984   recipient MUST NOT forward the request; instead, it MUST respond as
1985   the final recipient.  If the received Max-Forwards value is greater
1986   than zero, then the forwarded message MUST contain an updated Max-
1987   Forwards field with a value decremented by one (1).
1988
1989   The Max-Forwards header field MAY be ignored for all other request
1990   methods.
1991
19925.2.  Conditionals
1993
1994   The HTTP conditional request header fields [Part4] allow a client to
1995   place a precondition on the state of the target resource, so that the
1996   action corresponding to the method semantics will not be applied if
1997   the precondition evaluates to false.  Each precondition defined by
1998   this specification consists of a comparison between a set of
1999   validators obtained from prior representations of the target resource
2000   to the current state of validators for the selected representation
2001   (Section 7.2).  Hence, these preconditions evaluate whether the state
2002   of the target resource has changed since a given state known by the
2003   client.  The effect of such an evaluation depends on the method
2004   semantics and choice of conditional, as defined in Section 5 of
2005   [Part4].
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015Fielding & Reschke       Expires August 27, 2013               [Page 36]
2016
2017Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2018
2019
2020   +---------------------+------------------------+
2021   | Header Field Name   | Defined in...          |
2022   +---------------------+------------------------+
2023   | If-Match            | Section 3.1 of [Part4] |
2024   | If-None-Match       | Section 3.2 of [Part4] |
2025   | If-Modified-Since   | Section 3.3 of [Part4] |
2026   | If-Unmodified-Since | Section 3.4 of [Part4] |
2027   | If-Range            | Section 3.2 of [Part5] |
2028   +---------------------+------------------------+
2029
20305.3.  Content Negotiation
2031
2032   The following request header fields are sent by a user agent to
2033   engage in proactive negotiation of the response content, as defined
2034   in Section 3.4.1.  The preferences sent in these fields apply to any
2035   content in the response, including representations of the target
2036   resource, representations of error or processing status, and
2037   potentially even the miscellaneous text strings that might appear
2038   within the protocol.
2039
2040   +-------------------+---------------+
2041   | Header Field Name | Defined in... |
2042   +-------------------+---------------+
2043   | Accept            | Section 5.3.2 |
2044   | Accept-Charset    | Section 5.3.3 |
2045   | Accept-Encoding   | Section 5.3.4 |
2046   | Accept-Language   | Section 5.3.5 |
2047   +-------------------+---------------+
2048
20495.3.1.  Quality Values
2050
2051   Many of the request header fields for proactive negotiation use a
2052   common parameter, named "q" (case-insensitive), to assign a relative
2053   "weight" to the preference for that associated kind of content.  This
2054   weight is referred to as a "quality value" (or "qvalue") because the
2055   same parameter name is often used within server configurations to
2056   assign a weight to the relative quality of the various
2057   representations that can be selected for a resource.
2058
2059   The weight is normalized to a real number in the range 0 through 1,
2060   where 0.001 is the least preferred and 1 is the most preferred; a
2061   value of 0 means "not acceptable".  If no "q" parameter is present,
2062   the default weight is 1.
2063
2064     weight = OWS ";" OWS "q=" qvalue
2065     qvalue = ( "0" [ "." 0*3DIGIT ] )
2066            / ( "1" [ "." 0*3("0") ] )
2067
2068
2069
2070
2071Fielding & Reschke       Expires August 27, 2013               [Page 37]
2072
2073Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2074
2075
2076   A sender of qvalue MUST NOT generate more than three digits after the
2077   decimal point.  User configuration of these values ought to be
2078   limited in the same fashion.
2079
20805.3.2.  Accept
2081
2082   The "Accept" header field can be used by user agents to specify
2083   response media types that are acceptable.  Accept header fields can
2084   be used to indicate that the request is specifically limited to a
2085   small set of desired types, as in the case of a request for an in-
2086   line image.
2087
2088     Accept = #( media-range [ accept-params ] )
2089
2090     media-range    = ( "*/*"
2091                      / ( type "/" "*" )
2092                      / ( type "/" subtype )
2093                      ) *( OWS ";" OWS parameter )
2094     accept-params  = weight *( accept-ext )
2095     accept-ext     = OWS ";" OWS token [ "=" word ]
2096
2097   The asterisk "*" character is used to group media types into ranges,
2098   with "*/*" indicating all media types and "type/*" indicating all
2099   subtypes of that type.  The media-range can include media type
2100   parameters that are applicable to that range.
2101
2102   Each media-range might be followed by zero or more applicable media
2103   type parameters (e.g., charset), an optional "q" parameter for
2104   indicating a relative weight (Section 5.3.1), and then zero or more
2105   extension parameters.  The "q" parameter is necessary if any accept-
2106   ext are present, since it acts as a separator between the two
2107   parameter sets.
2108
2109      Note: Use of the "q" parameter name to separate media type
2110      parameters from Accept extension parameters is due to historical
2111      practice.  Although this prevents any media type parameter named
2112      "q" from being used with a media range, such an event is believed
2113      to be unlikely given the lack of any "q" parameters in the IANA
2114      media type registry and the rare usage of any media type
2115      parameters in Accept.  Future media types are discouraged from
2116      registering any parameter named "q".
2117
2118   The example
2119
2120     Accept: audio/*; q=0.2, audio/basic
2121
2122   SHOULD be interpreted as "I prefer audio/basic, but send me any audio
2123   type if it is the best available after an 80% mark-down in quality".
2124
2125
2126
2127Fielding & Reschke       Expires August 27, 2013               [Page 38]
2128
2129Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2130
2131
2132   A request without any Accept header field implies that the user agent
2133   will accept any media type in response.  If an Accept header field is
2134   present in a request and none of the available representations for
2135   the response have a media type that is listed as acceptable, the
2136   origin server MAY either honor the Accept header field by sending a
2137   406 (Not Acceptable) response or disregard the Accept header field by
2138   treating the response as if it is not subject to content negotiation.
2139
2140   A more elaborate example is
2141
2142     Accept: text/plain; q=0.5, text/html,
2143             text/x-dvi; q=0.8, text/x-c
2144
2145   Verbally, this would be interpreted as "text/html and text/x-c are
2146   the equally preferred media types, but if they do not exist, then
2147   send the text/x-dvi representation, and if that does not exist, send
2148   the text/plain representation".
2149
2150   Media ranges can be overridden by more specific media ranges or
2151   specific media types.  If more than one media range applies to a
2152   given type, the most specific reference has precedence.  For example,
2153
2154     Accept: text/*, text/plain, text/plain;format=flowed, */*
2155
2156   have the following precedence:
2157
2158   1.  text/plain;format=flowed
2159
2160   2.  text/plain
2161
2162   3.  text/*
2163
2164   4.  */*
2165
2166   The media type quality factor associated with a given type is
2167   determined by finding the media range with the highest precedence
2168   that matches the type.  For example,
2169
2170     Accept: text/*;q=0.3, text/html;q=0.7, text/html;level=1,
2171             text/html;level=2;q=0.4, */*;q=0.5
2172
2173   would cause the following values to be associated:
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183Fielding & Reschke       Expires August 27, 2013               [Page 39]
2184
2185Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2186
2187
2188   +-------------------+---------------+
2189   | Media Type        | Quality Value |
2190   +-------------------+---------------+
2191   | text/html;level=1 | 1             |
2192   | text/html         | 0.7           |
2193   | text/plain        | 0.3           |
2194   | image/jpeg        | 0.5           |
2195   | text/html;level=2 | 0.4           |
2196   | text/html;level=3 | 0.7           |
2197   +-------------------+---------------+
2198
2199   Note: A user agent might be provided with a default set of quality
2200   values for certain media ranges.  However, unless the user agent is a
2201   closed system that cannot interact with other rendering agents, this
2202   default set ought to be configurable by the user.
2203
22045.3.3.  Accept-Charset
2205
2206   The "Accept-Charset" header field can be sent by a user agent to
2207   indicate what charsets are acceptable in textual response content.
2208   This field allows user agents capable of understanding more
2209   comprehensive or special-purpose charsets to signal that capability
2210   to an origin server that is capable of representing information in
2211   those charsets.
2212
2213     Accept-Charset = 1#( ( charset / "*" ) [ weight ] )
2214
2215   Charset names are defined in Section 3.1.1.2.  A user agent MAY
2216   associate a quality value with each charset to indicate the user's
2217   relative preference for that charset, as defined in Section 5.3.1.
2218   An example is
2219
2220     Accept-Charset: iso-8859-5, unicode-1-1;q=0.8
2221
2222   The special value "*", if present in the Accept-Charset field,
2223   matches every charset that is not mentioned elsewhere in the Accept-
2224   Charset field.  If no "*" is present in an Accept-Charset field, then
2225   any charsets not explicitly mentioned in the field are considered
2226   "not acceptable" to the client.
2227
2228   A request without any Accept-Charset header field implies that the
2229   user agent will accept any charset in response.  Most general-purpose
2230   user agents do not send Accept-Charset, unless specifically
2231   configured to do so, because a detailed list of supported charsets
2232   makes it easier for a server to identify an individual by virtue of
2233   the user agent's request characteristics (Section 9.6).
2234
2235   If an Accept-Charset header field is present in a request and none of
2236
2237
2238
2239Fielding & Reschke       Expires August 27, 2013               [Page 40]
2240
2241Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2242
2243
2244   the available representations for the response has a charset that is
2245   listed as acceptable, the origin server MAY either honor the Accept-
2246   Charset header field, by sending a 406 (Not Acceptable) response, or
2247   disregard the Accept-Charset header field by treating the resource as
2248   if it is not subject to content negotiation.
2249
22505.3.4.  Accept-Encoding
2251
2252   The "Accept-Encoding" header field can be used by user agents to
2253   indicate what response content-codings (Section 3.1.2.1) are
2254   acceptable in the response.  An "identity" token is used as a synonym
2255   for "no encoding" in order to communicate when no encoding is
2256   preferred.
2257
2258     Accept-Encoding  = #( codings [ weight ] )
2259     codings          = content-coding / "identity" / "*"
2260
2261   Each codings value MAY be given an associated quality value
2262   representing the preference for that encoding, as defined in
2263   Section 5.3.1.  The asterisk "*" symbol in an Accept-Encoding field
2264   matches any available content-coding not explicitly listed in the
2265   header field.
2266
2267   For example,
2268
2269     Accept-Encoding: compress, gzip
2270     Accept-Encoding:
2271     Accept-Encoding: *
2272     Accept-Encoding: compress;q=0.5, gzip;q=1.0
2273     Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0
2274
2275   A request without an Accept-Encoding header field implies that the
2276   user agent has no preferences regarding content-codings.  Although
2277   this allows the server to use any content-coding in a response, it
2278   does not imply that the user agent will be able to correctly process
2279   all encodings.
2280
2281   A server tests whether a content-coding for a given representation is
2282   acceptable using these rules:
2283
2284   1.  If no Accept-Encoding field is in the request, any content-coding
2285       is considered acceptable by the user agent.
2286
2287   2.  If the representation has no content-coding, then it is
2288       acceptable by default unless specifically excluded by the Accept-
2289       Encoding field stating either "identity;q=0" or "*;q=0" without a
2290       more specific entry for "identity".
2291
2292
2293
2294
2295Fielding & Reschke       Expires August 27, 2013               [Page 41]
2296
2297Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2298
2299
2300   3.  If the representation's content-coding is one of the content-
2301       codings listed in the Accept-Encoding field, then it is
2302       acceptable unless it is accompanied by a qvalue of 0.  (As
2303       defined in Section 5.3.1, a qvalue of 0 means "not acceptable".)
2304
2305   4.  If multiple content-codings are acceptable, then the acceptable
2306       content-coding with the highest non-zero qvalue is preferred.
2307
2308   An Accept-Encoding header field with a combined field-value that is
2309   empty implies that the user agent does not want any content-coding in
2310   response.  If an Accept-Encoding header field is present in a request
2311   and none of the available representations for the response have a
2312   content-coding that is listed as acceptable, the origin server SHOULD
2313   send a response without any content-coding.
2314
2315      Note: Most HTTP/1.0 applications do not recognize or obey qvalues
2316      associated with content-codings.  This means that qvalues might
2317      not work and are not permitted with x-gzip or x-compress.
2318
23195.3.5.  Accept-Language
2320
2321   The "Accept-Language" header field can be used by user agents to
2322   indicate the set of natural languages that are preferred in the
2323   response.  Language tags are defined in Section 3.1.3.1.
2324
2325     Accept-Language = 1#( language-range [ weight ] )
2326     language-range  =
2327               <language-range, defined in [RFC4647], Section 2.1>
2328
2329   Each language-range can be given an associated quality value
2330   representing an estimate of the user's preference for the languages
2331   specified by that range, as defined in Section 5.3.1.  For example,
2332
2333     Accept-Language: da, en-gb;q=0.8, en;q=0.7
2334
2335   would mean: "I prefer Danish, but will accept British English and
2336   other types of English".
2337
2338   Note that some recipients treat the order in which language tags are
2339   listed as an indication of descending priority, particularly for tags
2340   that are assigned equal quality values (no value is the same as q=1).
2341   However, this behavior cannot be relied upon.  For consistency and to
2342   maximize interoperability, many user agents assign each language tag
2343   a unique quality value while also listing them in order of decreasing
2344   quality.  Additional discussion of language priority lists can be
2345   found in Section 2.3 of [RFC4647].
2346
2347   For matching, Section 3 of [RFC4647] defines several matching
2348
2349
2350
2351Fielding & Reschke       Expires August 27, 2013               [Page 42]
2352
2353Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2354
2355
2356   schemes.  Implementations can offer the most appropriate matching
2357   scheme for their requirements.  The "Basic Filtering" scheme
2358   ([RFC4647], Section 3.3.1) is identical to the matching scheme that
2359   was previously defined for HTTP in Section 14.4 of [RFC2616].
2360
2361   It might be contrary to the privacy expectations of the user to send
2362   an Accept-Language header field with the complete linguistic
2363   preferences of the user in every request (Section 9.6).
2364
2365   Since intelligibility is highly dependent on the individual user,
2366   user agents need to allow user control over the linguistic
2367   preference.  A user agent that does not provide such control to the
2368   user MUST NOT send an Accept-Language header field.
2369
2370      Note: User agents ought to provide guidance to users when setting
2371      a preference, since users are rarely familiar with the details of
2372      language matching as described above.  For example, users might
2373      assume that on selecting "en-gb", they will be served any kind of
2374      English document if British English is not available.  A user
2375      agent might suggest, in such a case, to add "en" to the list for
2376      better matching behavior.
2377
23785.4.  Authentication Credentials
2379
2380   Two header fields are used for carrying authentication credentials,
2381   as defined in [Part7].  Note that various custom mechanisms for user
2382   authentication use the Cookie header field for this purpose, as
2383   defined in [RFC6265].
2384
2385   +---------------------+------------------------+
2386   | Header Field Name   | Defined in...          |
2387   +---------------------+------------------------+
2388   | Authorization       | Section 4.1 of [Part7] |
2389   | Proxy-Authorization | Section 4.3 of [Part7] |
2390   +---------------------+------------------------+
2391
23925.5.  Request Context
2393
2394   The following request header fields provide additional information
2395   about the request context, including information about the user, user
2396   agent, and resource behind the request.
2397
2398   +-------------------+---------------+
2399   | Header Field Name | Defined in... |
2400   +-------------------+---------------+
2401   | From              | Section 5.5.1 |
2402   | Referer           | Section 5.5.2 |
2403
2404
2405
2406
2407Fielding & Reschke       Expires August 27, 2013               [Page 43]
2408
2409Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2410
2411
2412   | User-Agent        | Section 5.5.3 |
2413   +-------------------+---------------+
2414
24155.5.1.  From
2416
2417   The "From" header field contains an Internet email address for a
2418   human user who controls the requesting user agent.  The address ought
2419   to be machine-usable, as defined by "mailbox" in Section 3.4 of
2420   [RFC5322]:
2421
2422     From    = mailbox
2423
2424     mailbox = <mailbox, defined in [RFC5322], Section 3.4>
2425
2426   An example is:
2427
2428     From: webmaster@example.org
2429
2430   The From header field is rarely sent by non-robotic user agents.  A
2431   user agent SHOULD NOT send a From header field without explicit
2432   configuration by the user, since that might conflict with the user's
2433   privacy interests or their site's security policy.
2434
2435   Robotic user agents SHOULD send a valid From header field so that the
2436   person responsible for running the robot can be contacted if problems
2437   occur on servers, such as if the robot is sending excessive,
2438   unwanted, or invalid requests.
2439
2440   Servers SHOULD NOT use the From header field for access control or
2441   authentication, since most recipients will assume that the field
2442   value is public information.
2443
24445.5.2.  Referer
2445
2446   The "Referer" [sic] header field allows the user agent to specify a
2447   URI reference for the resource from which the target URI was obtained
2448   (i.e., the "referrer", though the field name is misspelled).  A user
2449   agent MUST exclude any fragment or userinfo components [RFC3986] when
2450   generating the Referer field value.
2451
2452     Referer = absolute-URI / partial-URI
2453
2454   Referer allows servers to generate back-links to other resources for
2455   simple analytics, logging, optimized caching, etc.  It also allows
2456   obsolete or mistyped links to be found for maintenance.  Some servers
2457   use Referer as a means of denying links from other sites (so-called
2458   "deep linking") or restricting cross-site request forgery (CSRF), but
2459   not all requests contain a Referer header field.
2460
2461
2462
2463Fielding & Reschke       Expires August 27, 2013               [Page 44]
2464
2465Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2466
2467
2468   Example:
2469
2470     Referer: http://www.example.org/hypertext/Overview.html
2471
2472   If the target URI was obtained from a source that does not have its
2473   own URI (e.g., input from the user keyboard, or an entry within the
2474   user's bookmarks/favorites), the user agent MUST either exclude
2475   Referer or send it with a value of "about:blank".
2476
2477   The Referer field has the potential to reveal information about the
2478   request context or browsing history of the user, which is a privacy
2479   concern if the referring resource's identifier reveals personal
2480   information (such as an account name) or a resource that is supposed
2481   to be confidential (such as behind a firewall or internal to a
2482   secured service).  Most general-purpose user agents do not send the
2483   Referer header field when the referring resource is a local "file" or
2484   "data" URI.  A user agent SHOULD NOT send a Referer header field in
2485   an unsecured HTTP request if the referring page was received with a
2486   secure protocol.  See Section 9.3 for additional security
2487   considerations.
2488
2489   Some intermediaries have been known to indiscriminately remove
2490   Referer header fields from outgoing requests.  This has the
2491   unfortunate side-effect of interfering with protection against CSRF
2492   attacks, which can be far more harmful to their users.
2493   Intermediaries and user agent extensions that wish to limit
2494   information disclosure in Referer ought to restrict their changes to
2495   specific edits, such as replacing internal domain names with
2496   pseudonyms or truncating the query and/or path components.
2497   Intermediaries SHOULD NOT modify or delete the Referer field when the
2498   field value shares the same scheme and host as the request target.
2499
25005.5.3.  User-Agent
2501
2502   The "User-Agent" header field contains information about the user
2503   agent originating the request, which is often used by servers to help
2504   identify the scope of reported interoperability problems, to work
2505   around or tailor responses to avoid particular user agent
2506   limitations, and for analytics regarding browser or operating system
2507   use.  A user agent SHOULD send a User-Agent field in each request
2508   unless specifically configured not to do so.
2509
2510     User-Agent = product *( RWS ( product / comment ) )
2511
2512   The User-Agent field-value consists of one or more product
2513   identifiers, each followed by zero or more comments (Section 3.2 of
2514   [Part1]), which together identify the user agent software and its
2515   significant subproducts.  By convention, the product identifiers are
2516
2517
2518
2519Fielding & Reschke       Expires August 27, 2013               [Page 45]
2520
2521Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2522
2523
2524   listed in decreasing order of their significance for identifying the
2525   user agent software.  Each product identifier consists of a name and
2526   optional version.
2527
2528     product         = token ["/" product-version]
2529     product-version = token
2530
2531   Senders SHOULD limit generated product identifiers to what is
2532   necessary to identify the product; senders MUST NOT generate
2533   advertising or other non-essential information within the product
2534   identifier.  Senders SHOULD NOT generate information in product-
2535   version that is not a version identifier (i.e., successive versions
2536   of the same product name ought to only differ in the product-version
2537   portion of the product identifier).
2538
2539   Example:
2540
2541     User-Agent: CERN-LineMode/2.15 libwww/2.17b3
2542
2543   A user agent SHOULD NOT generate a User-Agent field containing
2544   needlessly fine-grained detail and SHOULD limit the addition of
2545   subproducts by third parties.  Overly long and detailed User-Agent
2546   field values increase request latency and the risk of a user being
2547   identified against their wishes ("fingerprinting").
2548
2549   Likewise, implementations are encouraged not to use the product
2550   tokens of other implementations in order to declare compatibility
2551   with them, as this circumvents the purpose of the field.  If a user
2552   agent masquerades as a different user agent, recipients can assume
2553   that the user intentionally desires to see responses tailored for
2554   that identified user agent, even if they might not work as well for
2555   the actual user agent being used.
2556
25576.  Response Status Codes
2558
2559   The status-code element is a 3-digit integer code giving the result
2560   of the attempt to understand and satisfy the request.
2561
2562   HTTP status codes are extensible.  HTTP clients are not required to
2563   understand the meaning of all registered status codes, though such
2564   understanding is obviously desirable.  However, clients MUST
2565   understand the class of any status code, as indicated by the first
2566   digit, and treat an unrecognized status code as being equivalent to
2567   the x00 status code of that class, with the exception that a response
2568   with an unrecognized status code MUST NOT be cached.
2569
2570   For example, if an unrecognized status code of 471 is received by a
2571   client, the client can assume that there was something wrong with its
2572
2573
2574
2575Fielding & Reschke       Expires August 27, 2013               [Page 46]
2576
2577Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2578
2579
2580   request and treat the response as if it had received a 400 status
2581   code.  The response message will usually contain a representation
2582   that explains the status.
2583
2584   The first digit of the status-code defines the class of response.
2585   The last two digits do not have any categorization role.  There are 5
2586   values for the first digit:
2587
2588   o  1xx (Informational): The request was received, continuing process
2589
2590   o  2xx (Successful): The request was successfully received,
2591      understood, and accepted
2592
2593   o  3xx (Redirection): Further action needs to be taken in order to
2594      complete the request
2595
2596   o  4xx (Client Error): The request contains bad syntax or cannot be
2597      fulfilled
2598
2599   o  5xx (Server Error): The server failed to fulfill an apparently
2600      valid request
2601
26026.1.  Overview of Status Codes
2603
2604   The status codes listed below are defined in this specification,
2605   Section 4 of [Part4], Section 4 of [Part5], and Section 3 of [Part7].
2606   The reason phrases listed here are only recommendations -- they can
2607   be replaced by local equivalents without affecting the protocol.
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631Fielding & Reschke       Expires August 27, 2013               [Page 47]
2632
2633Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2634
2635
2636   +------+-------------------------------+------------------------+
2637   | code | reason-phrase                 | Defined in...          |
2638   +------+-------------------------------+------------------------+
2639   | 100  | Continue                      | Section 6.2.1          |
2640   | 101  | Switching Protocols           | Section 6.2.2          |
2641   | 200  | OK                            | Section 6.3.1          |
2642   | 201  | Created                       | Section 6.3.2          |
2643   | 202  | Accepted                      | Section 6.3.3          |
2644   | 203  | Non-Authoritative Information | Section 6.3.4          |
2645   | 204  | No Content                    | Section 6.3.5          |
2646   | 205  | Reset Content                 | Section 6.3.6          |
2647   | 206  | Partial Content               | Section 4.1 of [Part5] |
2648   | 300  | Multiple Choices              | Section 6.4.1          |
2649   | 301  | Moved Permanently             | Section 6.4.2          |
2650   | 302  | Found                         | Section 6.4.3          |
2651   | 303  | See Other                     | Section 6.4.4          |
2652   | 304  | Not Modified                  | Section 4.1 of [Part4] |
2653   | 305  | Use Proxy                     | Section 6.4.5          |
2654   | 307  | Temporary Redirect            | Section 6.4.7          |
2655   | 400  | Bad Request                   | Section 6.5.1          |
2656   | 401  | Unauthorized                  | Section 3.1 of [Part7] |
2657   | 402  | Payment Required              | Section 6.5.2          |
2658   | 403  | Forbidden                     | Section 6.5.3          |
2659   | 404  | Not Found                     | Section 6.5.4          |
2660   | 405  | Method Not Allowed            | Section 6.5.5          |
2661   | 406  | Not Acceptable                | Section 6.5.6          |
2662   | 407  | Proxy Authentication Required | Section 3.2 of [Part7] |
2663   | 408  | Request Time-out              | Section 6.5.7          |
2664   | 409  | Conflict                      | Section 6.5.8          |
2665   | 410  | Gone                          | Section 6.5.9          |
2666   | 411  | Length Required               | Section 6.5.10         |
2667   | 412  | Precondition Failed           | Section 4.2 of [Part4] |
2668   | 413  | Payload Too Large             | Section 6.5.11         |
2669   | 414  | URI Too Long                  | Section 6.5.12         |
2670   | 415  | Unsupported Media Type        | Section 6.5.13         |
2671   | 416  | Range Not Satisfiable         | Section 4.4 of [Part5] |
2672   | 417  | Expectation Failed            | Section 6.5.14         |
2673   | 426  | Upgrade Required              | Section 6.5.15         |
2674   | 500  | Internal Server Error         | Section 6.6.1          |
2675   | 501  | Not Implemented               | Section 6.6.2          |
2676   | 502  | Bad Gateway                   | Section 6.6.3          |
2677   | 503  | Service Unavailable           | Section 6.6.4          |
2678   | 504  | Gateway Time-out              | Section 6.6.5          |
2679   | 505  | HTTP Version Not Supported    | Section 6.6.6          |
2680   +------+-------------------------------+------------------------+
2681
2682   Note that this list is not exhaustive -- it does not include
2683   extension status codes defined in other specifications.
2684
2685
2686
2687Fielding & Reschke       Expires August 27, 2013               [Page 48]
2688
2689Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2690
2691
2692   Responses with status codes that are defined as cacheable by default
2693   (e.g., 200, 203, 206, 300, 301, and 410 in this specification) can be
2694   reused by a cache with heuristic expiration unless otherwise
2695   indicated by the method definition or explicit cache controls
2696   [Part6]; all other status codes are not cacheable by default.
2697
26986.2.  Informational 1xx
2699
2700   The 1xx (Informational) class of status code indicates an interim
2701   response for communicating connection status or request progress
2702   prior to completing the requested action and sending a final
2703   response.  All 1xx responses consist of only the status-line and
2704   optional header fields, and thus are terminated by the empty line at
2705   the end of the header block.  Since HTTP/1.0 did not define any 1xx
2706   status codes, servers MUST NOT send a 1xx response to an HTTP/1.0
2707   client except under experimental conditions.
2708
2709   A client MUST be prepared to accept one or more 1xx status responses
2710   prior to a final response, even if the client does not expect one.  A
2711   user agent MAY ignore unexpected 1xx status responses.
2712
2713   Proxies MUST forward 1xx responses, unless the connection between the
2714   proxy and its client has been closed, or unless the proxy itself
2715   requested the generation of the 1xx response.  For example, if a
2716   proxy adds an "Expect: 100-continue" field when it forwards a
2717   request, then it need not forward the corresponding 100 (Continue)
2718   response(s).
2719
27206.2.1.  100 Continue
2721
2722   The 100 (Continue) status code indicates that the initial part of a
2723   request has been received and has not yet been rejected by the
2724   server.  The server intends to send a final response after the
2725   request has been fully received and acted upon.
2726
2727   When the request contains an Expect header field that includes a 100-
2728   continue expectation, the 100 response indicates that the server
2729   wishes to receive the request payload body, as described in
2730   Section 5.1.1.1.  The client ought to continue sending the request
2731   and discard the 100 response.
2732
2733   If the request did not contain an Expect header field containing the
2734   100-continue expectation, the client can simply discard this interim
2735   response.
2736
2737
2738
2739
2740
2741
2742
2743Fielding & Reschke       Expires August 27, 2013               [Page 49]
2744
2745Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2746
2747
27486.2.2.  101 Switching Protocols
2749
2750   The 101 (Switching Protocols) status code indicates that the server
2751   understands and is willing to comply with the client's request, via
2752   the Upgrade header field (Section 6.7 of [Part1]), for a change in
2753   the application protocol being used on this connection.  The server
2754   MUST generate an Upgrade header field in the response that indicates
2755   which protocol(s) will be switched to immediately after the empty
2756   line that terminates the 101 response.
2757
2758   It is assumed that the server will only agree to switch protocols
2759   when it is advantageous to do so.  For example, switching to a newer
2760   version of HTTP might be advantageous over older versions, and
2761   switching to a real-time, synchronous protocol might be advantageous
2762   when delivering resources that use such features.
2763
27646.3.  Successful 2xx
2765
2766   The 2xx (Successful) class of status code indicates that the client's
2767   request was successfully received, understood, and accepted.
2768
27696.3.1.  200 OK
2770
2771   The
2772   200 (OK) status code indicates that the request has succeeded.  The
2773   payload sent in a 200 response depends on the request method.  For
2774   the methods defined by this specification, the intended meaning of
2775   the payload can be summarized as:
2776
2777   GET  a representation of the target resource;
2778
2779   HEAD  the same representation as GET, but without the representation
2780      data;
2781
2782   POST  a representation of the status of, or results obtained from,
2783      the action;
2784
2785   PUT, DELETE  a representation of the status of the action;
2786
2787   OPTIONS  a representation of the communications options;
2788
2789   TRACE  a representation of the request message as received by the end
2790      server.
2791
2792   Aside from responses to CONNECT, a 200 response always has a payload,
2793   though an origin server MAY generate a payload body of zero length.
2794   If no payload is desired, an origin server ought to send 204 (No
2795   Content) instead.  For CONNECT, no payload is allowed because the
2796
2797
2798
2799Fielding & Reschke       Expires August 27, 2013               [Page 50]
2800
2801Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2802
2803
2804   successful result is a tunnel, which begins immediately after the 200
2805   response header block.
2806
2807   A 200 response is cacheable unless otherwise indicated by the method
2808   definition or explicit cache controls (see Section 4.1.2 of [Part6]).
2809
28106.3.2.  201 Created
2811
2812   The 201 (Created) status code indicates that the request has been
2813   fulfilled and has resulted in one or more new resources being
2814   created.  The primary resource created by the request is identified
2815   by either a Location header field in the response or, if no Location
2816   field is received, by the effective request URI.
2817
2818   The 201 response payload typically describes and links to the
2819   resource(s) created.  See Section 7.2 for a discussion of the meaning
2820   and purpose of validator header fields, such as ETag and Last-
2821   Modified, in a 201 response.
2822
28236.3.3.  202 Accepted
2824
2825   The 202 (Accepted) status code indicates that the request has been
2826   accepted for processing, but the processing has not been completed.
2827   The request might or might not eventually be acted upon, as it might
2828   be disallowed when processing actually takes place.  There is no
2829   facility in HTTP for re-sending a status code from an asynchronous
2830   operation.
2831
2832   The 202 response is intentionally non-committal.  Its purpose is to
2833   allow a server to accept a request for some other process (perhaps a
2834   batch-oriented process that is only run once per day) without
2835   requiring that the user agent's connection to the server persist
2836   until the process is completed.  The representation sent with this
2837   response ought to describe the request's current status and point to
2838   (or embed) a status monitor that can provide the user with an
2839   estimate of when the request will be fulfilled.
2840
28416.3.4.  203 Non-Authoritative Information
2842
2843   The 203 (Non-Authoritative Information) status code indicates that
2844   the request was successful but the enclosed payload has been modified
2845   from that of the origin server's 200 (OK) response by a transforming
2846   proxy (Section 5.7.2 of [Part1]).  This status code allows the proxy
2847   to notify recipients when a transformation has been applied, since
2848   that knowledge might impact later decisions regarding the content.
2849   For example, future cache validation requests for the content might
2850   only be applicable along the same request path (through the same
2851   proxies).
2852
2853
2854
2855Fielding & Reschke       Expires August 27, 2013               [Page 51]
2856
2857Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2858
2859
2860   The 203 response is similar to the Warning code of 214 Transformation
2861   Applied (Section 7.5 of [Part6]), which has the advantage of being
2862   applicable to responses with any status code.
2863
2864   A 203 response is cacheable unless otherwise indicated by the method
2865   definition or explicit cache controls (see Section 4.1.2 of [Part6]).
2866
28676.3.5.  204 No Content
2868
2869   The 204 (No Content) status code indicates that the server has
2870   successfully fulfilled the request and that there is no additional
2871   content to send in the response payload body.  Metadata in the
2872   response header fields refer to the target resource and its selected
2873   representation after the requested action was applied.
2874
2875   For example, if a 204 status code is received in response to a PUT
2876   request and the response contains an ETag header field, then the PUT
2877   was successful and the ETag field-value contains the entity-tag for
2878   the new representation of that target resource.
2879
2880   The 204 response allows a server to indicate that the action has been
2881   successfully applied to the target resource, while implying that the
2882   user agent does not need to traverse away from its current "document
2883   view" (if any).  The server assumes that the user agent will provide
2884   some indication of the success to its user, in accord with its own
2885   interface, and apply any new or updated metadata in the response to
2886   its active representation.
2887
2888   For example, a 204 status code is commonly used with document editing
2889   interfaces corresponding to a "save" action, such that the document
2890   being saved remains available to the user for editing.  It is also
2891   frequently used with interfaces that expect automated data transfers
2892   to be prevalent, such as within distributed version control systems.
2893
2894   A 204 response is terminated by the first empty line after the header
2895   fields because it cannot contain a message body.
2896
2897   A 204 response is cacheable unless otherwise indicated by the method
2898   definition or explicit cache controls (see Section 4.1.2 of [Part6]).
2899
29006.3.6.  205 Reset Content
2901
2902   The 205 (Reset Content) status code indicates that the server has
2903   fulfilled the request and desires that the user agent reset the
2904   "document view", which caused the request to be sent, to its original
2905   state as received from the origin server.
2906
2907   This response is intended to support a common data entry use case
2908
2909
2910
2911Fielding & Reschke       Expires August 27, 2013               [Page 52]
2912
2913Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2914
2915
2916   where the user receives content that supports data entry (a form,
2917   notepad, canvas, etc.), enters or manipulates data in that space,
2918   causes the entered data to be submitted in a request, and then the
2919   data entry mechanism is reset for the next entry so that the user can
2920   easily initiate another input action.
2921
2922   Since the 205 status code implies that no additional content will be
2923   provided in the payload, the server MUST send a message body of zero
2924   length.  In other words, the server MUST send a "Content-Length: 0"
2925   field in a 205 response or close the connection immediately after
2926   sending the blank line terminating the header section.
2927
29286.4.  Redirection 3xx
2929
2930   The 3xx (Redirection) class of status code indicates that further
2931   action needs to be taken by the user agent in order to fulfill the
2932   request.  If a Location header field (Section 7.1.2) is provided, the
2933   user agent MAY automatically redirect its request to the URI
2934   referenced by the Location field value, even if the specific status
2935   code is not understood.  Automatic redirection needs to done with
2936   care for methods not known to be safe, as defined in Section 4.2.1,
2937   since the user might not wish to redirect an unsafe request.
2938
2939   There are several types of redirects:
2940
2941   1.  Redirects that indicate the resource might be available at a
2942       different URI, as provided by the Location field, as in the
2943       status codes 301 (Moved Permanently), 302 (Found), and 307
2944       (Temporary Redirect).
2945
2946   2.  Redirection that offers a choice of matching resources, each
2947       capable of representing the original request target, as in the
2948       300 (Multiple Choices) status code.
2949
2950   3.  Redirection to a different resource, identified by the Location
2951       field, that can represent an indirect response to the request, as
2952       in the 303 (See Other) status code.
2953
2954   4.  Redirection to a previously cached result, as in the 304 (Not
2955       Modified) status code.
2956
2957      Note: In HTTP/1.0, the status codes 301 (Moved Permanently) and
2958      302 (Found) were defined for the first type of redirect
2959      ([RFC1945], Section 9.3).  Early user agents split on whether the
2960      method applied to the redirect target would be the same as the
2961      original request or would be rewritten as GET.  Although HTTP
2962      originally defined the former semantics for 301 and 302 (to match
2963      its original implementation at CERN), and defined 303 (See Other)
2964
2965
2966
2967Fielding & Reschke       Expires August 27, 2013               [Page 53]
2968
2969Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
2970
2971
2972      to match the latter semantics, prevailing practice gradually
2973      converged on the latter semantics for 301 and 302 as well.  The
2974      first revision of HTTP/1.1 added 307 (Temporary Redirect) to
2975      indicate the former semantics without being impacted by divergent
2976      practice.  Over 10 years later, most user agents still do method
2977      rewriting for 301 and 302; therefore, this specification makes
2978      that behavior conformant when the original request is POST.
2979
2980   Clients SHOULD detect and intervene in cyclical redirections (i.e.,
2981   "infinite" redirection loops).
2982
2983      Note: An earlier version of this specification recommended a
2984      maximum of five redirections ([RFC2068], Section 10.3).  Content
2985      developers need to be aware that some clients might implement such
2986      a fixed limitation.
2987
29886.4.1.  300 Multiple Choices
2989
2990   The 300 (Multiple Choices) status code indicates that the target
2991   resource has more than one representation, each with its own more
2992   specific identifier, and information about the alternatives is being
2993   provided so that the user (or user agent) can select a preferred
2994   representation by redirecting its request to one or more of those
2995   identifiers.  In other words, the server desires that the user agent
2996   engage in reactive negotiation to select the most appropriate
2997   representation(s) for its needs (Section 3.4).
2998
2999   If the server has a preferred choice, the server SHOULD generate a
3000   Location header field containing a preferred choice's URI reference.
3001   The user agent MAY use the Location field value for automatic
3002   redirection.
3003
3004   For request methods other than HEAD, the server SHOULD generate a
3005   payload in the 300 response containing a list of representation
3006   metadata and URI reference(s) from which the user or user agent can
3007   choose the one most preferred.  The user agent MAY make a selection
3008   from that list automatically, depending upon the list format, but
3009   this specification does not define a standard for such automatic
3010   selection.
3011
3012   A 300 response is cacheable unless otherwise indicated by the method
3013   definition or explicit cache controls (see Section 4.1.2 of [Part6]).
3014
3015      Note: The original proposal for 300 defined the URI header field
3016      as providing a list of alternative representations, such that it
3017      would be usable for 200, 300, and 406 responses and be transferred
3018      in responses to the HEAD method.  However, lack of deployment and
3019      disagreement over syntax led to both URI and Alternates (a
3020
3021
3022
3023Fielding & Reschke       Expires August 27, 2013               [Page 54]
3024
3025Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3026
3027
3028      subsequent proposal) being dropped from this specification.  It is
3029      possible to communicate the list using a set of Link header fields
3030      [RFC5988], each with a relationship of "alternate", though
3031      deployment is a chicken-and-egg problem.
3032
30336.4.2.  301 Moved Permanently
3034
3035   The 301 (Moved Permanently) status code indicates that the target
3036   resource has been assigned a new permanent URI and any future
3037   references to this resource ought to use one of the enclosed URIs.
3038   Clients with link editing capabilities ought to automatically re-link
3039   references to the effective request URI to one or more of the new
3040   references sent by the server, where possible.
3041
3042   The server SHOULD generate a Location header field in the response
3043   containing a preferred URI reference for the new permanent URI.  The
3044   user agent MAY use the Location field value for automatic
3045   redirection.  The server's response payload usually contains a short
3046   hypertext note with a hyperlink to the new URI(s).
3047
3048      Note: For historic reasons, user agents MAY change the request
3049      method from POST to GET for the subsequent request.  If this
3050      behavior is undesired, status code 307 (Temporary Redirect) can be
3051      used instead.
3052
3053   A 301 response is cacheable unless otherwise indicated by the method
3054   definition or explicit cache controls (see Section 4.1.2 of [Part6]).
3055
30566.4.3.  302 Found
3057
3058   The 302 (Found) status code indicates that the target resource
3059   resides temporarily under a different URI.  Since the redirection
3060   might be altered on occasion, the client ought to continue to use the
3061   effective request URI for future requests.
3062
3063   The server SHOULD generate a Location header field in the response
3064   containing a URI reference for the different URI.  The user agent MAY
3065   use the Location field value for automatic redirection.  The server's
3066   response payload usually contains a short hypertext note with a
3067   hyperlink to the different URI(s).
3068
3069      Note: For historic reasons, user agents MAY change the request
3070      method from POST to GET for the subsequent request.  If this
3071      behavior is undesired, status code 307 (Temporary Redirect) can be
3072      used instead.
3073
3074
3075
3076
3077
3078
3079Fielding & Reschke       Expires August 27, 2013               [Page 55]
3080
3081Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3082
3083
30846.4.4.  303 See Other
3085
3086   The 303 (See Other) status code indicates that the server is
3087   redirecting the user agent to a different resource, as indicated by a
3088   URI in the Location header field, that is intended to provide an
3089   indirect response to the original request.  In order to satisfy the
3090   original request, a user agent ought to perform a retrieval request
3091   using the Location URI (a GET or HEAD request if using HTTP), which
3092   can itself be redirected further, and present the eventual result as
3093   an answer to the original request.  Note that the new URI in the
3094   Location header field is not considered equivalent to the effective
3095   request URI.
3096
3097   This status code is applicable to any HTTP method.  It is primarily
3098   used to allow the output of a POST action to redirect the user agent
3099   to a selected resource, since doing so provides the information
3100   corresponding to the POST response in a form that can be separately
3101   identified, bookmarked, and cached independent of the original
3102   request.
3103
3104   A 303 response to a GET request indicates that the origin server does
3105   not have a representation of the target resource that can be
3106   transferred by the server over HTTP.  However, the Location field
3107   value refers to a resource that is descriptive of the target
3108   resource, such that making a retrieval request on that other resource
3109   might result in a representation that is useful to recipients without
3110   implying that it represents the original target resource.  Note that
3111   answers to the questions of what can be represented, what
3112   representations are adequate, and what might be a useful description
3113   are outside the scope of HTTP.
3114
3115   Except for responses to a HEAD request, the representation of a 303
3116   response ought to contain a short hypertext note with a hyperlink to
3117   the same URI reference provided in the Location header field.
3118
31196.4.5.  305 Use Proxy
3120
3121   The 305 (Use Proxy) status code was defined in a previous version of
3122   this specification and is now deprecated (Appendix B).
3123
31246.4.6.  306 (Unused)
3125
3126   The 306 status code was defined in a previous version of this
3127   specification, is no longer used, and the code is reserved.
3128
3129
3130
3131
3132
3133
3134
3135Fielding & Reschke       Expires August 27, 2013               [Page 56]
3136
3137Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3138
3139
31406.4.7.  307 Temporary Redirect
3141
3142   The 307 (Temporary Redirect) status code indicates that the target
3143   resource resides temporarily under a different URI and the user agent
3144   MUST NOT change the request method if it performs an automatic
3145   redirection to that URI.  Since the redirection can change over time,
3146   the client ought to continue using the original effective request URI
3147   for future requests.
3148
3149   The server SHOULD generate a Location header field in the response
3150   containing a URI reference for the different URI.  The user agent MAY
3151   use the Location field value for automatic redirection.  The server's
3152   response payload usually contains a short hypertext note with a
3153   hyperlink to the different URI(s).
3154
3155      Note: This status code is similar to 302 (Found), except that it
3156      does not allow changing the request method from POST to GET.  This
3157      specification defines no equivalent counterpart for 301 (Moved
3158      Permanently) ([status-308], however, defines the status code 308
3159      (Permanent Redirect) for this purpose).
3160
31616.5.  Client Error 4xx
3162
3163   The 4xx (Client Error) class of status code indicates that the client
3164   seems to have erred.  Except when responding to a HEAD request, the
3165   server SHOULD send a representation containing an explanation of the
3166   error situation, and whether it is a temporary or permanent
3167   condition.  These status codes are applicable to any request method.
3168   User agents SHOULD display any included representation to the user.
3169
31706.5.1.  400 Bad Request
3171
3172   The 400 (Bad Request) status code indicates that the server cannot or
3173   will not process the request because the received syntax is invalid,
3174   nonsensical, or exceeds some limitation on what the server is willing
3175   to process.
3176
31776.5.2.  402 Payment Required
3178
3179   The 402 (Payment Required) status code is reserved for future use.
3180
31816.5.3.  403 Forbidden
3182
3183   The 403 (Forbidden) status code indicates that the server understood
3184   the request but refuses to authorize it.  A server that wishes to
3185   make public why the request has been forbidden can describe that
3186   reason in the response payload (if any).
3187
3188
3189
3190
3191Fielding & Reschke       Expires August 27, 2013               [Page 57]
3192
3193Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3194
3195
3196   If authentication credentials were provided in the request, the
3197   server considers them insufficient to grant access.  The client
3198   SHOULD NOT repeat the request with the same credentials.  The client
3199   MAY repeat the request with new or different credentials.  However, a
3200   request might be forbidden for reasons unrelated to the credentials.
3201
3202   An origin server that wishes to "hide" the current existence of a
3203   forbidden target resource MAY instead respond with a status code of
3204   404 (Not Found).
3205
32066.5.4.  404 Not Found
3207
3208   The 404 (Not Found) status code indicates that the origin server did
3209   not find a current representation for the target resource or is not
3210   willing to disclose that one exists.  A 404 status does not indicate
3211   whether this lack of representation is temporary or permanent; the
3212   410 (Gone) status code is preferred over 404 if the origin server
3213   knows, presumably through some configurable means, that the condition
3214   is likely to be permanent.
3215
3216   A 404 response is cacheable unless otherwise indicated by the method
3217   definition or explicit cache controls (see Section 4.1.2 of [Part6]).
3218
32196.5.5.  405 Method Not Allowed
3220
3221   The 405 (Method Not Allowed) status code indicates that the method
3222   specified in the request-line is known by the origin server but not
3223   supported by the target resource.  The origin server MUST generate an
3224   Allow header field in a 405 response containing a list of the target
3225   resource's currently supported methods.
3226
3227   A 405 response is cacheable unless otherwise indicated by the method
3228   definition or explicit cache controls (see Section 4.1.2 of [Part6]).
3229
32306.5.6.  406 Not Acceptable
3231
3232   The 406 (Not Acceptable) status code indicates that the target
3233   resource does not have a current representation that would be
3234   acceptable to the user agent, according to the proactive negotiation
3235   header fields received in the request (Section 5.3), and the server
3236   is unwilling to supply a default representation.
3237
3238   The server SHOULD generate a payload containing a list of available
3239   representation characteristics and corresponding resource identifiers
3240   from which the user or user agent can choose the one most
3241   appropriate.  A user agent MAY automatically select the most
3242   appropriate choice from that list.  However, this specification does
3243   not define any standard for such automatic selection, as described in
3244
3245
3246
3247Fielding & Reschke       Expires August 27, 2013               [Page 58]
3248
3249Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3250
3251
3252   Section 6.4.1.
3253
32546.5.7.  408 Request Timeout
3255
3256   The 408 (Request Timeout) status code indicates that the server did
3257   not receive a complete request message within the time that it was
3258   prepared to wait.  A server SHOULD send the close connection option
3259   (Section 6.1 of [Part1]) in the response, since 408 implies that the
3260   server has decided to close the connection rather than continue
3261   waiting.  If the client has an outstanding request in transit, the
3262   client MAY repeat that request on a new connection.
3263
32646.5.8.  409 Conflict
3265
3266   The 409 (Conflict) status code indicates that the request could not
3267   be completed due to a conflict with the current state of the
3268   resource.  This code is used in situations where the user might be
3269   able to resolve the conflict and resubmit the request.  The server
3270   SHOULD generate a payload that includes enough information for a user
3271   to recognize the source of the conflict.
3272
3273   Conflicts are most likely to occur in response to a PUT request.  For
3274   example, if versioning were being used and the representation being
3275   PUT included changes to a resource that conflict with those made by
3276   an earlier (third-party) request, the origin server might use a 409
3277   response to indicate that it can't complete the request.  In this
3278   case, the response representation would likely contain information
3279   useful for merging the differences based on the revision history.
3280
32816.5.9.  410 Gone
3282
3283   The 410 (Gone) status code indicates that access to the target
3284   resource is no longer available at the origin server and that this
3285   condition is likely to be permanent.  If the origin server does not
3286   know, or has no facility to determine, whether or not the condition
3287   is permanent, the status code 404 (Not Found) ought to be used
3288   instead.
3289
3290   The 410 response is primarily intended to assist the task of web
3291   maintenance by notifying the recipient that the resource is
3292   intentionally unavailable and that the server owners desire that
3293   remote links to that resource be removed.  Such an event is common
3294   for limited-time, promotional services and for resources belonging to
3295   individuals no longer associated with the origin server's site.  It
3296   is not necessary to mark all permanently unavailable resources as
3297   "gone" or to keep the mark for any length of time -- that is left to
3298   the discretion of the server owner.
3299
3300
3301
3302
3303Fielding & Reschke       Expires August 27, 2013               [Page 59]
3304
3305Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3306
3307
3308   A 410 response is cacheable unless otherwise indicated by the method
3309   definition or explicit cache controls (see Section 4.1.2 of [Part6]).
3310
33116.5.10.  411 Length Required
3312
3313   The 411 (Length Required) status code indicates that the server
3314   refuses to accept the request without a defined Content-Length
3315   (Section 3.3.2 of [Part1]).  The client MAY repeat the request if it
3316   adds a valid Content-Length header field containing the length of the
3317   message body in the request message.
3318
33196.5.11.  413 Payload Too Large
3320
3321   The 413 (Payload Too Large) status code indicates that the server is
3322   refusing to process a request because the request payload is larger
3323   than the server is willing or able to process.  The server MAY close
3324   the connection to prevent the client from continuing the request.
3325
3326   If the condition is temporary, the server SHOULD generate a Retry-
3327   After header field to indicate that it is temporary and after what
3328   time the client MAY try again.
3329
33306.5.12.  414 URI Too Long
3331
3332   The 414 (URI Too Long) status code indicates that the server is
3333   refusing to service the request because the request-target (Section
3334   5.3 of [Part1]) is longer than the server is willing to interpret.
3335   This rare condition is only likely to occur when a client has
3336   improperly converted a POST request to a GET request with long query
3337   information, when the client has descended into a "black hole" of
3338   redirection (e.g., a redirected URI prefix that points to a suffix of
3339   itself), or when the server is under attack by a client attempting to
3340   exploit potential security holes.
3341
3342   A 414 response is cacheable unless otherwise indicated by the method
3343   definition or explicit cache controls (see Section 4.1.2 of [Part6]).
3344
33456.5.13.  415 Unsupported Media Type
3346
3347   The 415 (Unsupported Media Type) status code indicates that the
3348   origin server is refusing to service the request because the payload
3349   is in a format not supported by the target resource for this method.
3350   The format problem might be due to the request's indicated Content-
3351   Type or Content-Encoding, or as a result of inspecting the data
3352   directly.
3353
3354
3355
3356
3357
3358
3359Fielding & Reschke       Expires August 27, 2013               [Page 60]
3360
3361Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3362
3363
33646.5.14.  417 Expectation Failed
3365
3366   The 417 (Expectation Failed) status code indicates that the
3367   expectation given in the request's Expect header field
3368   (Section 5.1.1) could not be met by at least one of the inbound
3369   servers.
3370
33716.5.15.  426 Upgrade Required
3372
3373   The 426 (Upgrade Required) status code indicates that the server
3374   refuses to perform the request using the current protocol but might
3375   be willing to do so after the client upgrades to a different
3376   protocol.  The server MUST send an Upgrade header field in a 426
3377   response to indicate the required protocol(s) (Section 6.7 of
3378   [Part1]).
3379
3380   Example:
3381
3382     HTTP/1.1 426 Upgrade Required
3383     Upgrade: HTTP/3.0
3384     Connection: Upgrade
3385     Content-Length: 53
3386     Content-Type: text/plain
3387
3388     This service requires use of the HTTP/3.0 protocol.
3389
33906.6.  Server Error 5xx
3391
3392   The 5xx (Server Error) class of status code indicates that the server
3393   is aware that it has erred or is incapable of performing the
3394   requested method.  Except when responding to a HEAD request, the
3395   server SHOULD send a representation containing an explanation of the
3396   error situation, and whether it is a temporary or permanent
3397   condition.  User agents SHOULD display any included representation to
3398   the user.  These response codes are applicable to any request method.
3399
34006.6.1.  500 Internal Server Error
3401
3402   The 500 (Internal Server Error) status code indicates that the server
3403   encountered an unexpected condition that prevented it from fulfilling
3404   the request.
3405
34066.6.2.  501 Not Implemented
3407
3408   The 501 (Not Implemented) status code indicates that the server does
3409   not support the functionality required to fulfill the request.  This
3410   is the appropriate response when the server does not recognize the
3411   request method and is not capable of supporting it for any resource.
3412
3413
3414
3415Fielding & Reschke       Expires August 27, 2013               [Page 61]
3416
3417Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3418
3419
3420   A 501 response is cacheable unless otherwise indicated by the method
3421   definition or explicit cache controls (see Section 4.1.2 of [Part6]).
3422
34236.6.3.  502 Bad Gateway
3424
3425   The 502 (Bad Gateway) status code indicates that the server, while
3426   acting as a gateway or proxy, received an invalid response from an
3427   inbound server it accessed while attempting to fulfill the request.
3428
34296.6.4.  503 Service Unavailable
3430
3431   The 503 (Service Unavailable) status code indicates that the server
3432   is currently unable to handle the request due to a temporary overload
3433   or scheduled maintenance, which will likely be alleviated after some
3434   delay.  The server MAY send a Retry-After header field
3435   (Section 7.1.3) to suggest an appropriate amount of time for the
3436   client to wait before retrying the request.
3437
3438      Note: The existence of the 503 status code does not imply that a
3439      server has to use it when becoming overloaded.  Some servers might
3440      simply refuse the connection.
3441
34426.6.5.  504 Gateway Timeout
3443
3444   The 504 (Gateway Timeout) status code indicates that the server,
3445   while acting as a gateway or proxy, did not receive a timely response
3446   from an upstream server it needed to access in order to complete the
3447   request.
3448
34496.6.6.  505 HTTP Version Not Supported
3450
3451   The 505 (HTTP Version Not Supported) status code indicates that the
3452   server does not support, or refuses to support, the protocol version
3453   that was used in the request message.  The server is indicating that
3454   it is unable or unwilling to complete the request using the same
3455   major version as the client, as described in Section 2.6 of [Part1],
3456   other than with this error message.  The server SHOULD generate a
3457   representation for the 505 response that describes why that version
3458   is not supported and what other protocols are supported by that
3459   server.
3460
34617.  Response Header Fields
3462
3463   The response header fields allow the server to pass additional
3464   information about the response beyond what is placed in the status-
3465   line.  These header fields give information about the server, about
3466   further access to the target resource, or about related resources.
3467
3468
3469
3470
3471Fielding & Reschke       Expires August 27, 2013               [Page 62]
3472
3473Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3474
3475
3476   Although each response header field has a defined meaning, in
3477   general, the precise semantics might be further refined by the
3478   semantics of the request method and/or response status code.
3479
34807.1.  Control Data
3481
3482   Response header fields can supply control data that supplements the
3483   status code, directs caching, or instructs the client where to go
3484   next.
3485
3486   +-------------------+------------------------+
3487   | Header Field Name | Defined in...          |
3488   +-------------------+------------------------+
3489   | Age               | Section 7.1 of [Part6] |
3490   | Cache-Control     | Section 7.2 of [Part6] |
3491   | Expires           | Section 7.3 of [Part6] |
3492   | Date              | Section 7.1.1.2        |
3493   | Location          | Section 7.1.2          |
3494   | Retry-After       | Section 7.1.3          |
3495   | Vary              | Section 7.1.4          |
3496   | Warning           | Section 7.5 of [Part6] |
3497   +-------------------+------------------------+
3498
34997.1.1.  Origination Date
3500
35017.1.1.1.  Date/Time Formats
3502
3503   Prior to 1995, there were three different formats commonly used by
3504   servers to communicate timestamps.  For compatibility with old
3505   implementations, all three are defined here.  The preferred format is
3506   a fixed-length and single-zone subset of the date and time
3507   specification used by the Internet Message Format [RFC5322].
3508
3509     HTTP-date    = IMF-fixdate / obs-date
3510
3511   An example of the preferred format is
3512
3513     Sun, 06 Nov 1994 08:49:37 GMT    ; IMF-fixdate
3514
3515   Examples of the two obsolete formats are
3516
3517     Sunday, 06-Nov-94 08:49:37 GMT   ; obsolete RFC 850 format
3518     Sun Nov  6 08:49:37 1994         ; ANSI C's asctime() format
3519
3520   A recipient that parses a timestamp value in an HTTP header field
3521   MUST accept all three formats.  A sender MUST generate the IMF-
3522   fixdate format when sending an HTTP-date value in a header field.
3523
3524
3525
3526
3527Fielding & Reschke       Expires August 27, 2013               [Page 63]
3528
3529Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3530
3531
3532   An HTTP-date value represents time as an instance of Coordinated
3533   Universal Time (UTC).  The first two formats indicate UTC by the
3534   three-letter abbreviation for Greenwich Mean Time, "GMT", a
3535   predecessor of the UTC name; values in the asctime format are assumed
3536   to be in UTC.  A sender that generates HTTP-date values from a local
3537   clock ought to use NTP ([RFC1305]) or some similar protocol to
3538   synchronize its clock to UTC.
3539
3540   Preferred format:
3541
3542     IMF-fixdate  = day-name "," SP date1 SP time-of-day SP GMT
3543     ; fixed length/zone subset of the format defined in
3544     ; Section 3.3 of [RFC5322]
3545
3546     day-name     = %x4D.6F.6E ; "Mon", case-sensitive
3547                  / %x54.75.65 ; "Tue", case-sensitive
3548                  / %x57.65.64 ; "Wed", case-sensitive
3549                  / %x54.68.75 ; "Thu", case-sensitive
3550                  / %x46.72.69 ; "Fri", case-sensitive
3551                  / %x53.61.74 ; "Sat", case-sensitive
3552                  / %x53.75.6E ; "Sun", case-sensitive
3553
3554     date1        = day SP month SP year
3555                  ; e.g., 02 Jun 1982
3556
3557     day          = 2DIGIT
3558     month        = %x4A.61.6E ; "Jan", case-sensitive
3559                  / %x46.65.62 ; "Feb", case-sensitive
3560                  / %x4D.61.72 ; "Mar", case-sensitive
3561                  / %x41.70.72 ; "Apr", case-sensitive
3562                  / %x4D.61.79 ; "May", case-sensitive
3563                  / %x4A.75.6E ; "Jun", case-sensitive
3564                  / %x4A.75.6C ; "Jul", case-sensitive
3565                  / %x41.75.67 ; "Aug", case-sensitive
3566                  / %x53.65.70 ; "Sep", case-sensitive
3567                  / %x4F.63.74 ; "Oct", case-sensitive
3568                  / %x4E.6F.76 ; "Nov", case-sensitive
3569                  / %x44.65.63 ; "Dec", case-sensitive
3570     year         = 4DIGIT
3571
3572     GMT          = %x47.4D.54 ; "GMT", case-sensitive
3573
3574     time-of-day  = hour ":" minute ":" second
3575                  ; 00:00:00 - 23:59:60 (leap second)
3576
3577     hour         = 2DIGIT
3578     minute       = 2DIGIT
3579     second       = 2DIGIT
3580
3581
3582
3583Fielding & Reschke       Expires August 27, 2013               [Page 64]
3584
3585Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3586
3587
3588   Obsolete formats:
3589
3590     obs-date     = rfc850-date / asctime-date
3591
3592
3593     rfc850-date  = day-name-l "," SP date2 SP time-of-day SP GMT
3594     date2        = day "-" month "-" 2DIGIT
3595                  ; e.g., 02-Jun-82
3596
3597     day-name-l   = %x4D.6F.6E.64.61.79    ; "Monday", case-sensitive
3598            / %x54.75.65.73.64.61.79       ; "Tuesday", case-sensitive
3599            / %x57.65.64.6E.65.73.64.61.79 ; "Wednesday", case-sensitive
3600            / %x54.68.75.72.73.64.61.79    ; "Thursday", case-sensitive
3601            / %x46.72.69.64.61.79          ; "Friday", case-sensitive
3602            / %x53.61.74.75.72.64.61.79    ; "Saturday", case-sensitive
3603            / %x53.75.6E.64.61.79          ; "Sunday", case-sensitive
3604
3605
3606     asctime-date = day-name SP date3 SP time-of-day SP year
3607     date3        = month SP ( 2DIGIT / ( SP 1DIGIT ))
3608                  ; e.g., Jun  2
3609
3610   HTTP-date is case sensitive.  A sender MUST NOT generate additional
3611   whitespace in an HTTP-date beyond that specifically included as SP in
3612   the grammar.  The semantics of day-name, day, month, year, and time-
3613   of-day are the same as those defined for the Internet Message Format
3614   constructs with the corresponding name ([RFC5322], Section 3.3).
3615
3616   Recipients of a timestamp value in rfc850-date format, which uses a
3617   two-digit year, SHOULD interpret a timestamp that appears to be more
3618   than 50 years in the future as representing the most recent year in
3619   the past that had the same last two digits.
3620
3621   Recipients of timestamp values are encouraged to be robust in parsing
3622   timestamps unless otherwise restricted by the field definition.  For
3623   example, messages are occasionally forwarded over HTTP from a non-
3624   HTTP source that might generate any of the date and time
3625   specifications defined by the Internet Message Format.
3626
3627      Note: HTTP requirements for the date/time stamp format apply only
3628      to their usage within the protocol stream.  Implementations are
3629      not required to use these formats for user presentation, request
3630      logging, etc.
3631
3632
3633
3634
3635
3636
3637
3638
3639Fielding & Reschke       Expires August 27, 2013               [Page 65]
3640
3641Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3642
3643
36447.1.1.2.  Date
3645
3646   The "Date" header field represents the date and time at which the
3647   message was originated, having the same semantics as the Origination
3648   Date Field (orig-date) defined in Section 3.6.1 of [RFC5322].  The
3649   field value is an HTTP-date, as defined in Section 7.1.1.1.
3650
3651     Date = HTTP-date
3652
3653   An example is
3654
3655     Date: Tue, 15 Nov 1994 08:12:31 GMT
3656
3657   When a Date header field is generated, the sender SHOULD generate its
3658   field value as the best available approximation of the date and time
3659   of message generation.  In theory, the date ought to represent the
3660   moment just before the payload is generated.  In practice, the date
3661   can be generated at any time during message origination.
3662
3663   An origin server MUST NOT send a Date header field if it does not
3664   have a clock capable of providing a reasonable approximation of the
3665   current instance in Coordinated Universal Time.  An origin server MAY
3666   send a Date header field if the response is in the 1xx
3667   (Informational) or 5xx (Server Error) class of status codes.  An
3668   origin server MUST send a Date header field in all other cases.
3669
3670   A recipient with a clock that receives a response message without a
3671   Date header field MUST record the time it was received and append a
3672   corresponding Date header field to the message's header block if it
3673   is cached or forwarded downstream.
3674
3675   A user agent MAY send a Date header field in a request, though
3676   generally will not do so unless it is believed to convey useful
3677   information to the server.  For example, custom applications of HTTP
3678   might convey a Date if the server is expected to adjust its
3679   interpretation of the user's request based on differences between the
3680   user agent and server clocks.
3681
36827.1.2.  Location
3683
3684   The "Location" header field is used in some responses to refer to a
3685   specific resource in relation to the response.  The type of
3686   relationship is defined by the combination of request method and
3687   status code semantics.
3688
3689     Location = URI-reference
3690
3691   The field value consists of a single URI-reference.  When it has the
3692
3693
3694
3695Fielding & Reschke       Expires August 27, 2013               [Page 66]
3696
3697Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3698
3699
3700   form of a relative reference ([RFC3986], Section 4.2), the final
3701   value is computed by resolving it against the effective request URI
3702   ([RFC3986], Section 5).
3703
3704   For 201 (Created) responses, the Location value refers to the primary
3705   resource created by the request.  For 3xx (Redirection) responses,
3706   the Location value refers to the preferred target resource for
3707   automatically redirecting the request.
3708
3709   When Location is provided in a 3xx (Redirection) response and the URI
3710   reference that the user agent used to generate the request target
3711   contains a fragment identifier, the user agent SHOULD process the
3712   redirection as if the Location field value inherits the original
3713   fragment.  In other words, if the Location does not have a fragment
3714   component, the user agent SHOULD interpret the Location reference as
3715   if it had the original reference's fragment.
3716
3717   For example, a GET request generated for the URI reference
3718   "http://www.example.org/~tim" might result in a 303 (See Other)
3719   response containing the header field:
3720
3721     Location: /People.html#tim
3722
3723   which suggests that the user agent redirect to
3724   "http://www.example.org/People.html#tim"
3725
3726   Likewise, a GET request generated for the URI reference
3727   "http://www.example.org/index.html#larry" might result in a 301
3728   (Moved Permanently) response containing the header field:
3729
3730     Location: http://www.example.net/index.html
3731
3732   which suggests that the user agent redirect to
3733   "http://www.example.net/index.html#larry", preserving the original
3734   fragment identifier.
3735
3736   There are circumstances in which a fragment identifier in a Location
3737   value would not be appropriate.  For example, the Location header
3738   field in a 201 (Created) response is supposed to provide a URI that
3739   is specific to the created resource.
3740
3741      Note: Some recipients attempt to recover from Location fields that
3742      are not valid URI references.  This specification does not mandate
3743      or define such processing, but does allow it for the sake of
3744      robustness.
3745
3746
3747
3748
3749
3750
3751Fielding & Reschke       Expires August 27, 2013               [Page 67]
3752
3753Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3754
3755
3756      Note: The Content-Location header field (Section 3.1.4.2) differs
3757      from Location in that the Content-Location refers to the most
3758      specific resource corresponding to the enclosed representation.
3759      It is therefore possible for a response to contain both the
3760      Location and Content-Location header fields.
3761
37627.1.3.  Retry-After
3763
3764   Servers send the "Retry-After" header field to indicate how long the
3765   user agent ought to wait before making a follow-up request.  When
3766   sent with a 503 (Service Unavailable) response, Retry-After indicates
3767   how long the service is expected to be unavailable to the client.
3768   When sent with any 3xx (Redirection) response, Retry-After indicates
3769   the minimum time that the user agent is asked to wait before issuing
3770   the redirected request.
3771
3772   The value of this field can be either an HTTP-date or an integer
3773   number of seconds (in decimal) after the time of the response.
3774
3775     Retry-After = HTTP-date / delta-seconds
3776
3777   Time spans are non-negative decimal integers, representing time in
3778   seconds.
3779
3780     delta-seconds  = 1*DIGIT
3781
3782   Two examples of its use are
3783
3784     Retry-After: Fri, 31 Dec 1999 23:59:59 GMT
3785     Retry-After: 120
3786
3787   In the latter example, the delay is 2 minutes.
3788
37897.1.4.  Vary
3790
3791   The "Vary" header field describes what parts of a request message,
3792   aside from the method and request target, might influence the origin
3793   server's process for selecting and representing the response.  The
3794   value consists of either a single asterisk ("*") or a list of header
3795   field names (case-insensitive).
3796
3797     Vary = "*" / 1#field-name
3798
3799   A Vary field value of "*" signals that anything about the request
3800   might play a role in selecting the response representation, possibly
3801   including elements outside the message syntax (e.g., the client's
3802   network address), and thus a recipient will not be able to determine
3803   whether this response is appropriate for a later request without
3804
3805
3806
3807Fielding & Reschke       Expires August 27, 2013               [Page 68]
3808
3809Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3810
3811
3812   forwarding the request to the origin server.  A proxy MUST NOT
3813   generate a Vary field with a "*" value.
3814
3815   A Vary field value consisting of a comma-separated list of names
3816   indicates that the named request header fields, known as the
3817   selecting header fields, might have a role in selecting the
3818   representation.  The potential selecting header fields are not
3819   limited to those defined by this specification.
3820
3821   For example, a response that contains
3822
3823     Vary: accept-encoding, accept-language
3824
3825   indicates that the origin server might have used the request's
3826   Accept-Encoding and Accept-Language fields (or lack thereof) as
3827   determining factors while choosing the content for this response.
3828
3829   An origin server might send Vary with a list of fields for two
3830   purposes:
3831
3832   1.  To inform cache recipients that they MUST NOT use this response
3833       to satisfy a later request unless the later request has the same
3834       values for the listed fields as the original request (Section 4.3
3835       of [Part6]).  In other words, Vary expands the cache key required
3836       to match a new request to the stored cache entry.
3837
3838   2.  To inform user agent recipients that this response is subject to
3839       content negotiation (Section 5.3) and that a different
3840       representation might be sent in a subsequent request if
3841       additional parameters are provided in the listed header fields
3842       (proactive negotiation).
3843
3844   An origin server SHOULD send a Vary header field when its algorithm
3845   for selecting a representation varies based on aspects of the request
3846   message other than the method and request target, unless the variance
3847   cannot be crossed or the origin server has been deliberately
3848   configured to prevent cache transparency.  For example, there is no
3849   need to send the Authorization field name in Vary because reuse
3850   across users is constrained by the field definition (Section 4.1 of
3851   [Part7]).  Likewise, an origin server might use Cache-Control
3852   directives (Section 7.2 of [Part6]) to supplant Vary if it considers
3853   the variance less significant than the performance cost of Vary's
3854   impact on caching.
3855
38567.2.  Validator Header Fields
3857
3858   Validator header fields convey metadata about the selected
3859   representation (Section 3).  In responses to safe requests, validator
3860
3861
3862
3863Fielding & Reschke       Expires August 27, 2013               [Page 69]
3864
3865Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3866
3867
3868   fields describe the selected representation chosen by the origin
3869   server while handling the response.  Note that, depending on the
3870   status code semantics, the selected representation for a given
3871   response is not necessarily the same as the representation enclosed
3872   as response payload.
3873
3874   In a successful response to a state-changing request, validator
3875   fields describe the new representation that has replaced the prior
3876   selected representation as a result of processing the request.
3877
3878   For example, an ETag header field in a 201 response communicates the
3879   entity-tag of the newly created resource's representation, so that it
3880   can be used in later conditional requests to prevent the "lost
3881   update" problem [Part4].
3882
3883   +-------------------+------------------------+
3884   | Header Field Name | Defined in...          |
3885   +-------------------+------------------------+
3886   | ETag              | Section 2.3 of [Part4] |
3887   | Last-Modified     | Section 2.2 of [Part4] |
3888   +-------------------+------------------------+
3889
38907.3.  Authentication Challenges
3891
3892   Authentication challenges indicate what mechanisms are available for
3893   the client to provide authentication credentials in future requests.
3894
3895   +--------------------+------------------------+
3896   | Header Field Name  | Defined in...          |
3897   +--------------------+------------------------+
3898   | WWW-Authenticate   | Section 4.4 of [Part7] |
3899   | Proxy-Authenticate | Section 4.2 of [Part7] |
3900   +--------------------+------------------------+
3901
39027.4.  Response Context
3903
3904   The remaining response header fields provide more information about
3905   the target resource for potential use in later requests.
3906
3907   +-------------------+------------------------+
3908   | Header Field Name | Defined in...          |
3909   +-------------------+------------------------+
3910   | Accept-Ranges     | Section 2.3 of [Part5] |
3911   | Allow             | Section 7.4.1          |
3912   | Server            | Section 7.4.2          |
3913   +-------------------+------------------------+
3914
3915
3916
3917
3918
3919Fielding & Reschke       Expires August 27, 2013               [Page 70]
3920
3921Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3922
3923
39247.4.1.  Allow
3925
3926   The "Allow" header field lists the set of methods advertised as
3927   supported by the target resource.  The purpose of this field is
3928   strictly to inform the recipient of valid request methods associated
3929   with the resource.
3930
3931     Allow = #method
3932
3933   Example of use:
3934
3935     Allow: GET, HEAD, PUT
3936
3937   The actual set of allowed methods is defined by the origin server at
3938   the time of each request.  An origin server MUST generate an Allow
3939   field in a 405 (Method Not Allowed) response and MAY do so in any
3940   other response.  An empty Allow field value indicates that the
3941   resource allows no methods, which might occur in a 405 response if
3942   the resource has been temporarily disabled by configuration.
3943
3944   A proxy MUST NOT modify the Allow header field -- it does not need to
3945   understand all of the indicated methods in order to handle them
3946   according to the generic message handling rules.
3947
39487.4.2.  Server
3949
3950   The "Server" header field contains information about the software
3951   used by the origin server to handle the request, which is often used
3952   by clients to help identify the scope of reported interoperability
3953   problems, to work around or tailor requests to avoid particular
3954   server limitations, and for analytics regarding server or operating
3955   system use.  An origin server MAY generate a Server field in its
3956   responses.
3957
3958     Server = product *( RWS ( product / comment ) )
3959
3960   The Server field-value consists of one or more product identifiers,
3961   each followed by zero or more comments (Section 3.2 of [Part1]),
3962   which together identify the origin server software and its
3963   significant subproducts.  By convention, the product identifiers are
3964   listed in decreasing order of their significance for identifying the
3965   origin server software.  Each product identifier consists of a name
3966   and optional version, as defined in Section 5.5.3.
3967
3968   Example:
3969
3970     Server: CERN/3.0 libwww/2.17
3971
3972
3973
3974
3975Fielding & Reschke       Expires August 27, 2013               [Page 71]
3976
3977Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
3978
3979
3980   An origin server SHOULD NOT generate a Server field containing
3981   needlessly fine-grained detail and SHOULD limit the addition of
3982   subproducts by third parties.  Overly long and detailed Server field
3983   values increase response latency and potentially reveal internal
3984   implementation details that might make it (slightly) easier for
3985   attackers to find and exploit known security holes.
3986
39878.  IANA Considerations
3988
39898.1.  Method Registry
3990
3991   The HTTP Method Registry defines the name space for the request
3992   method token (Section 4).  The method registry is maintained at
3993   <http://www.iana.org/assignments/http-methods>.
3994
39958.1.1.  Procedure
3996
3997   HTTP method registrations MUST include the following fields:
3998
3999   o  Method Name (see Section 4)
4000
4001   o  Safe ("yes" or "no", see Section 4.2.1)
4002
4003   o  Idempotent ("yes" or "no", see Section 4.2.2)
4004
4005   o  Pointer to specification text
4006
4007   Values to be added to this name space require IETF Review (see
4008   [RFC5226], Section 4.1).
4009
40108.1.2.  Considerations for New Methods
4011
4012   Standardized methods are generic; that is, they are potentially
4013   applicable to any resource, not just one particular media type, kind
4014   of resource, or application.  As such, it is preferred that new
4015   methods be registered in a document that isn't specific to a single
4016   application or data format, since orthogonal technologies deserve
4017   orthogonal specification.
4018
4019   Since message parsing (Section 3.3 of [Part1]) needs to be
4020   independent of method semantics (aside from responses to HEAD),
4021   definitions of new methods cannot change the parsing algorithm or
4022   prohibit the presence of a message body on either the request or the
4023   response message.  Definitions of new methods can specify that only a
4024   zero-length message body is allowed by requiring a Content-Length
4025   header field with a value of "0".
4026
4027   A new method definition needs to indicate whether it is safe
4028
4029
4030
4031Fielding & Reschke       Expires August 27, 2013               [Page 72]
4032
4033Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4034
4035
4036   (Section 4.2.1), idempotent (Section 4.2.2), cacheable
4037   (Section 4.2.3), what semantics are to be associated with the payload
4038   body if any is present in the request, and what refinements the
4039   method makes to header field or status code semantics.  If the new
4040   method is cacheable, its definition ought to describe how, and under
4041   what conditions, a cache can store a response and use it to satisfy a
4042   subsequent request.  The new method ought to describe whether it can
4043   be made conditional (Section 5.2) and, if so, how a server responds
4044   when the condition is false.  Likewise, if the new method might have
4045   some use for partial response semantics ([Part5]), it ought to
4046   document this too.
4047
40488.1.3.  Registrations
4049
4050   The HTTP Method Registry shall be populated with the registrations
4051   below:
4052
4053   +---------+------+------------+---------------+
4054   | Method  | Safe | Idempotent | Reference     |
4055   +---------+------+------------+---------------+
4056   | CONNECT | no   | no         | Section 4.3.6 |
4057   | DELETE  | no   | yes        | Section 4.3.5 |
4058   | GET     | yes  | yes        | Section 4.3.1 |
4059   | HEAD    | yes  | yes        | Section 4.3.2 |
4060   | OPTIONS | yes  | yes        | Section 4.3.7 |
4061   | POST    | no   | no         | Section 4.3.3 |
4062   | PUT     | no   | yes        | Section 4.3.4 |
4063   | TRACE   | yes  | yes        | Section 4.3.8 |
4064   +---------+------+------------+---------------+
4065
40668.2.  Status Code Registry
4067
4068   The HTTP Status Code Registry defines the name space for the response
4069   status-code token (Section 6).  The status code registry is
4070   maintained at <http://www.iana.org/assignments/http-status-codes>.
4071
4072   This section replaces the registration procedure for HTTP Status
4073   Codes previously defined in Section 7.1 of [RFC2817].
4074
40758.2.1.  Procedure
4076
4077   Values to be added to the HTTP status code name space require IETF
4078   Review (see [RFC5226], Section 4.1).
4079
40808.2.2.  Considerations for New Status Codes
4081
4082   When it is necessary to express semantics for a response that are not
4083   defined by current status codes, a new status code can be registered.
4084
4085
4086
4087Fielding & Reschke       Expires August 27, 2013               [Page 73]
4088
4089Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4090
4091
4092   Status codes are generic; they are potentially applicable to any
4093   resource, not just one particular media type, kind of resource, or
4094   application of HTTP.  As such, it is preferred that new status codes
4095   be registered in a document that isn't specific to a single
4096   application.
4097
4098   New status codes are required to fall under one of the categories
4099   defined in Section 6.  To allow existing parsers to process the
4100   response message, new status codes cannot disallow a payload,
4101   although they can mandate a zero-length payload body.
4102
4103   Proposals for new status codes that are not yet widely deployed ought
4104   to avoid allocating a specific number for the code until there is
4105   clear consensus that it will be registered; instead, early drafts can
4106   use a notation such as "4NN", or "3N0" .. "3N9", to indicate the
4107   class of the proposed status code(s) without consuming a number
4108   prematurely.
4109
4110   The definition of a new status code ought to explain the request
4111   conditions that would cause a response containing that status code
4112   (e.g., combinations of request header fields and/or method(s)) along
4113   with any dependencies on response header fields (e.g., what fields
4114   are required, what fields can modify the semantics, and what header
4115   field semantics are further refined when used with the new status
4116   code).
4117
4118   The definition of a new status code ought to specify whether or not
4119   it is cacheable.  Note that all status codes can be cached if the
4120   response they occur in has explicit freshness information; however,
4121   status codes that are defined as being cacheable are allowed to be
4122   cached without explicit freshness information.  Likewise, the
4123   definition of a status code can place constraints upon cache
4124   behaviour.  See [Part6] for more information.
4125
4126   Finally, the definition of a new status code ought to indicate
4127   whether the payload has any implied association with an identified
4128   resource (Section 3.1.4.1).
4129
41308.2.3.  Registrations
4131
4132   The HTTP Status Code Registry shall be updated with the registrations
4133   below:
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143Fielding & Reschke       Expires August 27, 2013               [Page 74]
4144
4145Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4146
4147
4148   +-------+-------------------------------+----------------+
4149   | Value | Description                   | Reference      |
4150   +-------+-------------------------------+----------------+
4151   | 100   | Continue                      | Section 6.2.1  |
4152   | 101   | Switching Protocols           | Section 6.2.2  |
4153   | 200   | OK                            | Section 6.3.1  |
4154   | 201   | Created                       | Section 6.3.2  |
4155   | 202   | Accepted                      | Section 6.3.3  |
4156   | 203   | Non-Authoritative Information | Section 6.3.4  |
4157   | 204   | No Content                    | Section 6.3.5  |
4158   | 205   | Reset Content                 | Section 6.3.6  |
4159   | 300   | Multiple Choices              | Section 6.4.1  |
4160   | 301   | Moved Permanently             | Section 6.4.2  |
4161   | 302   | Found                         | Section 6.4.3  |
4162   | 303   | See Other                     | Section 6.4.4  |
4163   | 305   | Use Proxy                     | Section 6.4.5  |
4164   | 306   | (Unused)                      | Section 6.4.6  |
4165   | 307   | Temporary Redirect            | Section 6.4.7  |
4166   | 400   | Bad Request                   | Section 6.5.1  |
4167   | 402   | Payment Required              | Section 6.5.2  |
4168   | 403   | Forbidden                     | Section 6.5.3  |
4169   | 404   | Not Found                     | Section 6.5.4  |
4170   | 405   | Method Not Allowed            | Section 6.5.5  |
4171   | 406   | Not Acceptable                | Section 6.5.6  |
4172   | 408   | Request Timeout               | Section 6.5.7  |
4173   | 409   | Conflict                      | Section 6.5.8  |
4174   | 410   | Gone                          | Section 6.5.9  |
4175   | 411   | Length Required               | Section 6.5.10 |
4176   | 413   | Payload Too Large             | Section 6.5.11 |
4177   | 414   | URI Too Long                  | Section 6.5.12 |
4178   | 415   | Unsupported Media Type        | Section 6.5.13 |
4179   | 417   | Expectation Failed            | Section 6.5.14 |
4180   | 426   | Upgrade Required              | Section 6.5.15 |
4181   | 500   | Internal Server Error         | Section 6.6.1  |
4182   | 501   | Not Implemented               | Section 6.6.2  |
4183   | 502   | Bad Gateway                   | Section 6.6.3  |
4184   | 503   | Service Unavailable           | Section 6.6.4  |
4185   | 504   | Gateway Timeout               | Section 6.6.5  |
4186   | 505   | HTTP Version Not Supported    | Section 6.6.6  |
4187   +-------+-------------------------------+----------------+
4188
41898.3.  Header Field Registry
4190
4191   HTTP header fields are registered within the Message Header Field
4192   Registry located at <http://www.iana.org/assignments/message-headers/
4193   message-header-index.html>, as defined by [BCP90].
4194
4195
4196
4197
4198
4199Fielding & Reschke       Expires August 27, 2013               [Page 75]
4200
4201Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4202
4203
42048.3.1.  Considerations for New Header Fields
4205
4206   Header fields are key:value pairs that can be used to communicate
4207   data about the message, its payload, the target resource, or the
4208   connection (i.e., control data).  See Section 3.2 of [Part1] for a
4209   general definition of header field syntax in HTTP messages.
4210
4211   The requirements for header field names are defined in [BCP90].
4212   Authors of specifications defining new fields are advised to keep the
4213   name as short as practical and to not prefix the name with "X-"
4214   unless the header field will never be used on the Internet.  (The
4215   "x-" prefix idiom has been extensively misused in practice; it was
4216   intended to only be used as a mechanism for avoiding name collisions
4217   inside proprietary software or intranet processing, since the prefix
4218   would ensure that private names never collide with a newly registered
4219   Internet name.)
4220
4221   New header field values typically have their syntax defined using
4222   ABNF ([RFC5234]), using the extension defined in Appendix B of
4223   [Part1] as necessary, and are usually constrained to the range of
4224   ASCII characters.  Header fields needing a greater range of
4225   characters can use an encoding such as the one defined in [RFC5987].
4226
4227   Leading and trailing whitespace in raw field values is removed upon
4228   field parsing (Section 3.2.4 of [Part1]).  Field definitions where
4229   leading or trailing whitespace in values is significant will have to
4230   use a container syntax such as quoted-string.
4231
4232   Because commas (",") are used as a generic delimiter between field-
4233   values, they need to be treated with care if they are allowed in the
4234   field-value.  Typically, components that might contain a comma are
4235   protected with double-quotes using the quoted-string ABNF production
4236   (Section 3.2.6 of [Part1]).
4237
4238   For example, a textual date and a URI (either of which might contain
4239   a comma) could be safely carried in field-values like these:
4240
4241     Example-URI-Field: "http://example.com/a.html,foo",
4242                        "http://without-a-comma.example.com/"
4243     Example-Date-Field: "Sat, 04 May 1996", "Wed, 14 Sep 2005"
4244
4245   Note that double-quote delimiters almost always are used with the
4246   quoted-string production; using a different syntax inside double-
4247   quotes will likely cause unnecessary confusion.
4248
4249   Many header fields use a format including (case-insensitively) named
4250   parameters (for instance, Content-Type, defined in Section 3.1.1.5).
4251   Allowing both unquoted (token) and quoted (quoted-string) syntax for
4252
4253
4254
4255Fielding & Reschke       Expires August 27, 2013               [Page 76]
4256
4257Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4258
4259
4260   the parameter value enables recipients to use existing parser
4261   components.  When allowing both forms, the meaning of a parameter
4262   value ought to be independent of the syntax used for it (for an
4263   example, see the notes on parameter handling for media types in
4264   Section 3.1.1.1).
4265
4266   Authors of specifications defining new header fields are advised to
4267   consider documenting:
4268
4269   o  Whether the field is a single value, or whether it can be a list
4270      (delimited by commas; see Section 3.2 of [Part1]).
4271
4272      If it does not use the list syntax, document how to treat messages
4273      where the field occurs multiple times (a sensible default would be
4274      to ignore the field, but this might not always be the right
4275      choice).
4276
4277      Note that intermediaries and software libraries might combine
4278      multiple header field instances into a single one, despite the
4279      field's definition not allowing the list syntax.  A robust format
4280      enables recipients to discover these situations (good example:
4281      "Content-Type", as the comma can only appear inside quoted
4282      strings; bad example: "Location", as a comma can occur inside a
4283      URI).
4284
4285   o  Under what conditions the header field can be used; e.g., only in
4286      responses or requests, in all messages, only on responses to a
4287      particular request method, etc.
4288
4289   o  Whether the field semantics are further refined by the context,
4290      such as by existing request methods or status codes.
4291
4292   o  Whether it is appropriate to list the field-name in the Connection
4293      header field (i.e., if the header field is to be hop-by-hop; see
4294      Section 6.1 of [Part1]).
4295
4296   o  Under what conditions intermediaries are allowed to insert,
4297      delete, or modify the field's value.
4298
4299   o  How the header field might interact with caching (see [Part6]).
4300
4301   o  Whether the header field is useful or allowable in trailers (see
4302      Section 4.1 of [Part1]).
4303
4304   o  Whether the header field ought to be preserved across redirects.
4305
4306
4307
4308
4309
4310
4311Fielding & Reschke       Expires August 27, 2013               [Page 77]
4312
4313Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4314
4315
43168.3.2.  Registrations
4317
4318   The Message Header Field Registry shall be updated with the following
4319   permanent registrations:
4320
4321   +-------------------+----------+----------+-----------------+
4322   | Header Field Name | Protocol | Status   | Reference       |
4323   +-------------------+----------+----------+-----------------+
4324   | Accept            | http     | standard | Section 5.3.2   |
4325   | Accept-Charset    | http     | standard | Section 5.3.3   |
4326   | Accept-Encoding   | http     | standard | Section 5.3.4   |
4327   | Accept-Language   | http     | standard | Section 5.3.5   |
4328   | Allow             | http     | standard | Section 7.4.1   |
4329   | Content-Encoding  | http     | standard | Section 3.1.2.2 |
4330   | Content-Language  | http     | standard | Section 3.1.3.2 |
4331   | Content-Location  | http     | standard | Section 3.1.4.2 |
4332   | Content-Type      | http     | standard | Section 3.1.1.5 |
4333   | Date              | http     | standard | Section 7.1.1.2 |
4334   | Expect            | http     | standard | Section 5.1.1   |
4335   | From              | http     | standard | Section 5.5.1   |
4336   | Location          | http     | standard | Section 7.1.2   |
4337   | MIME-Version      | http     | standard | Appendix A.1    |
4338   | Max-Forwards      | http     | standard | Section 5.1.2   |
4339   | Referer           | http     | standard | Section 5.5.2   |
4340   | Retry-After       | http     | standard | Section 7.1.3   |
4341   | Server            | http     | standard | Section 7.4.2   |
4342   | User-Agent        | http     | standard | Section 5.5.3   |
4343   | Vary              | http     | standard | Section 7.1.4   |
4344   +-------------------+----------+----------+-----------------+
4345
4346   The change controller for the above registrations is: "IETF
4347   (iesg@ietf.org) - Internet Engineering Task Force".
4348
43498.4.  Content Coding Registry
4350
4351   The HTTP Content Coding Registry defines the name space for content
4352   coding names (Section 4.2 of [Part1]).  The content coding registry
4353   is maintained at <http://www.iana.org/assignments/http-parameters>.
4354
43558.4.1.  Procedure
4356
4357   Content Coding registrations MUST include the following fields:
4358
4359   o  Name
4360
4361   o  Description
4362
4363
4364
4365
4366
4367Fielding & Reschke       Expires August 27, 2013               [Page 78]
4368
4369Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4370
4371
4372   o  Pointer to specification text
4373
4374   Names of content codings MUST NOT overlap with names of transfer
4375   codings (Section 4 of [Part1]), unless the encoding transformation is
4376   identical (as is the case for the compression codings defined in
4377   Section 4.2 of [Part1]).
4378
4379   Values to be added to this name space require IETF Review (see
4380   Section 4.1 of [RFC5226]), and MUST conform to the purpose of content
4381   coding defined in this section.
4382
43838.4.2.  Registrations
4384
4385   The HTTP Content Codings Registry shall be updated with the
4386   registrations below:
4387
4388   +----------+----------------------------------------+---------------+
4389   | Name     | Description                            | Reference     |
4390   +----------+----------------------------------------+---------------+
4391   | compress | UNIX "compress" program method         | Section 4.2.1 |
4392   |          |                                        | of [Part1]    |
4393   | deflate  | "deflate" compression mechanism        | Section 4.2.2 |
4394   |          | ([RFC1951]) used inside the "zlib"     | of [Part1]    |
4395   |          | data format ([RFC1950])                |               |
4396   | gzip     | Same as GNU zip [RFC1952]              | Section 4.2.3 |
4397   |          |                                        | of [Part1]    |
4398   | identity | reserved (synonym for "no encoding" in | Section 5.3.4 |
4399   |          | Accept-Encoding header field)          |               |
4400   +----------+----------------------------------------+---------------+
4401
44029.  Security Considerations
4403
4404   This section is meant to inform developers, information providers,
4405   and users of known security concerns relevant to HTTP/1.1 semantics
4406   and its use for transferring information over the Internet.
4407
44089.1.  Attacks Based On File and Path Names
4409
4410   Origin servers frequently make use of their local file system to
4411   manage the mapping from effective request URI to resource
4412   representations.  Implementors need to be aware that most file
4413   systems are not designed to protect against malicious file or path
4414   names, and thus depend on the origin server to avoid mapping to file
4415   names, folders, or directories that have special significance to the
4416   system.
4417
4418   For example, UNIX, Microsoft Windows, and other operating systems use
4419   ".." as a path component to indicate a directory level above the
4420
4421
4422
4423Fielding & Reschke       Expires August 27, 2013               [Page 79]
4424
4425Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4426
4427
4428   current one, and use specially named paths or file names to send data
4429   to system devices.  Similar naming conventions might exist within
4430   other types of storage systems.  Likewise, local storage systems have
4431   an annoying tendency to prefer user-friendliness over security when
4432   handling invalid or unexpected characters, recomposition of
4433   decomposed characters, and case-normalization of case-insensitive
4434   names.
4435
4436   Attacks based on such special names tend to focus on either denial of
4437   service (e.g., telling the server to read from a COM port) or
4438   disclosure of configuration and source files that are not meant to be
4439   served.
4440
44419.2.  Personal Information
4442
4443   Clients are often privy to large amounts of personal information,
4444   including both information provided by the user to interact with
4445   resources (e.g., the user's name, location, mail address, passwords,
4446   encryption keys, etc.) and information about the user's browsing
4447   activity over time (e.g., history, bookmarks, etc.).  Implementations
4448   need to prevent unintentional leakage of personal information.
4449
44509.3.  Sensitive Information in URIs
4451
4452   URIs are intended to be shared, not secured, even when they identify
4453   secure resources.  URIs are often shown on displays, added to
4454   templates when a page is printed, and stored in a variety of
4455   unprotected bookmark lists.  It is therefore unwise to include
4456   information within a URI that is sensitive, personally identifiable,
4457   or a risk to disclose.
4458
4459   Authors of services ought to avoid GET-based forms for the submission
4460   of sensitive data because that data will be placed in the request-
4461   target.  Many existing servers, proxies, and user agents log or
4462   display the request-target in places where it might be visible to
4463   third parties.  Such services ought to use POST-based form submission
4464   instead.
4465
4466   Since the Referer header field tells a target site about the context
4467   that resulted in a request, it has the potential to reveal
4468   information about the user's immediate browsing history and any
4469   personal information that might be found in the referring resource's
4470   URI.  Limitations on Referer are described in Section 5.5.2 to
4471   address some of its security considerations.
4472
4473
4474
4475
4476
4477
4478
4479Fielding & Reschke       Expires August 27, 2013               [Page 80]
4480
4481Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4482
4483
44849.4.  Product Information
4485
4486   The User-Agent (Section 5.5.3), Via (Section 5.7.1 of [Part1]), and
4487   Server (Section 7.4.2) header fields often reveal information about
4488   the respective sender's software systems.  In theory, this can make
4489   it easier for an attacker to exploit known security holes; in
4490   practice, attackers tend to try all potential holes regardless of the
4491   apparent software versions being used.
4492
4493   Proxies that serve as a portal through a network firewall ought to
4494   take special precautions regarding the transfer of header information
4495   that might identify hosts behind the firewall.  The Via header field
4496   allows intermediaries to replace sensitive machine names with
4497   pseudonyms.
4498
44999.5.  Fragment after Redirects
4500
4501   Although fragment identifiers used within URI references are not sent
4502   in requests, implementers ought to be aware that they will be visible
4503   to the user agent and any extensions or scripts running as a result
4504   of the response.  In particular, when a redirect occurs and the
4505   original request's fragment identifier is inherited by the new
4506   reference in Location (Section 7.1.2), this might have the effect of
4507   leaking one site's fragment to another site.  If the first site uses
4508   personal information in fragments, it ought to ensure that redirects
4509   to other sites include a (possibly empty) fragment component in order
4510   to block that inheritance.
4511
45129.6.  Browser Fingerprinting
4513
4514   Browser fingerprinting is a set of techniques for identifying a
4515   specific user agent over time through its unique set of
4516   characteristics.  These characteristics might include information
4517   related to its TCP behavior, feature capabilities, and scripting
4518   environment, though of particular interest here is the set of unique
4519   characteristics that might be communicated via HTTP.  Fingerprinting
4520   is considered a privacy concern because it enables tracking of a user
4521   agent's behavior over time without the corresponding controls that
4522   the user might have over other forms of data collection (e.g.,
4523   cookies).  Many general-purpose user agents (i.e., Web browsers) have
4524   taken steps to reduce their fingerprints.
4525
4526   There are a number of request header fields that might reveal
4527   information to servers that is sufficiently unique to enable
4528   fingerprinting.  The From header field is the most obvious, though it
4529   is expected that From will only be sent when self-identification is
4530   desired by the user.  Likewise, Cookie header fields are deliberately
4531   designed to enable re-identification, so we can assume that
4532
4533
4534
4535Fielding & Reschke       Expires August 27, 2013               [Page 81]
4536
4537Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4538
4539
4540   fingerprinting concerns only apply to situations where cookies are
4541   disabled or restricted by browser configuration.
4542
4543   The User-Agent header field might contain enough information to
4544   uniquely identify a specific device, usually when combined with other
4545   characteristics, particularly if the user agent sends excessive
4546   details about the user's system or extensions.  However, the source
4547   of unique information that is least expected by users is proactive
4548   negotiation (Section 5.3), including the Accept, Accept-Charset,
4549   Accept-Encoding, and Accept-Language header fields.
4550
4551   In addition to the fingerprinting concern, detailed use of the
4552   Accept-Language header field can reveal information the user might
4553   consider to be of a private nature, because the understanding of
4554   particular languages is often strongly correlated to membership in a
4555   particular ethnic group.  An approach that limits such loss of
4556   privacy would be for a user agent to omit the sending of Accept-
4557   Language except for sites that have been whitelisted, perhaps via
4558   interaction after detecting a Vary header field that would indicate
4559   language negotiation might be useful.
4560
4561   In environments where proxies are used to enhance privacy, user
4562   agents ought to be conservative in sending proactive negotiation
4563   header fields.  General-purpose user agents that provide a high
4564   degree of header field configurability ought to inform users about
4565   the loss of privacy that might result if too much detail is provided.
4566   As an extreme privacy measure, proxies could filter the proactive
4567   negotiation header fields in relayed requests.
4568
456910.  Acknowledgments
4570
4571   See Section 9 of [Part1].
4572
457311.  References
4574
457511.1.  Normative References
4576
4577   [Part1]       Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
4578                 Transfer Protocol (HTTP/1.1): Message Syntax and
4579                 Routing", draft-ietf-httpbis-p1-messaging-22 (work in
4580                 progress), February 2013.
4581
4582   [Part4]       Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
4583                 Transfer Protocol (HTTP/1.1): Conditional Requests",
4584                 draft-ietf-httpbis-p4-conditional-22 (work in
4585                 progress), February 2013.
4586
4587   [Part5]       Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed.,
4588
4589
4590
4591Fielding & Reschke       Expires August 27, 2013               [Page 82]
4592
4593Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4594
4595
4596                 "Hypertext Transfer Protocol (HTTP/1.1): Range
4597                 Requests", draft-ietf-httpbis-p5-range-22 (work in
4598                 progress), February 2013.
4599
4600   [Part6]       Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
4601                 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
4602                 draft-ietf-httpbis-p6-cache-22 (work in progress),
4603                 February 2013.
4604
4605   [Part7]       Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
4606                 Transfer Protocol (HTTP/1.1): Authentication",
4607                 draft-ietf-httpbis-p7-auth-22 (work in progress),
4608                 February 2013.
4609
4610   [RFC1950]     Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data
4611                 Format Specification version 3.3", RFC 1950, May 1996.
4612
4613   [RFC1951]     Deutsch, P., "DEFLATE Compressed Data Format
4614                 Specification version 1.3", RFC 1951, May 1996.
4615
4616   [RFC1952]     Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and
4617                 G. Randers-Pehrson, "GZIP file format specification
4618                 version 4.3", RFC 1952, May 1996.
4619
4620   [RFC2045]     Freed, N. and N. Borenstein, "Multipurpose Internet
4621                 Mail Extensions (MIME) Part One: Format of Internet
4622                 Message Bodies", RFC 2045, November 1996.
4623
4624   [RFC2046]     Freed, N. and N. Borenstein, "Multipurpose Internet
4625                 Mail Extensions (MIME) Part Two: Media Types",
4626                 RFC 2046, November 1996.
4627
4628   [RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
4629                 Requirement Levels", BCP 14, RFC 2119, March 1997.
4630
4631   [RFC3986]     Berners-Lee, T., Fielding, R., and L. Masinter,
4632                 "Uniform Resource Identifier (URI): Generic Syntax",
4633                 STD 66, RFC 3986, January 2005.
4634
4635   [RFC4647]     Phillips, A., Ed. and M. Davis, Ed., "Matching of
4636                 Language Tags", BCP 47, RFC 4647, September 2006.
4637
4638   [RFC5234]     Crocker, D., Ed. and P. Overell, "Augmented BNF for
4639                 Syntax Specifications: ABNF", STD 68, RFC 5234,
4640                 January 2008.
4641
4642   [RFC5646]     Phillips, A., Ed. and M. Davis, Ed., "Tags for
4643                 Identifying Languages", BCP 47, RFC 5646,
4644
4645
4646
4647Fielding & Reschke       Expires August 27, 2013               [Page 83]
4648
4649Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4650
4651
4652                 September 2009.
4653
4654   [RFC6365]     Hoffman, P. and J. Klensin, "Terminology Used in
4655                 Internationalization in the IETF", BCP 166, RFC 6365,
4656                 September 2011.
4657
465811.2.  Informative References
4659
4660   [BCP13]       Freed, N., Klensin, J., and T. Hansen, "Media Type
4661                 Specifications and Registration Procedures", BCP 13,
4662                 RFC 6838, January 2013.
4663
4664   [BCP90]       Klyne, G., Nottingham, M., and J. Mogul, "Registration
4665                 Procedures for Message Header Fields", BCP 90,
4666                 RFC 3864, September 2004.
4667
4668   [REST]        Fielding, R., "Architectural Styles and the Design of
4669                 Network-based Software Architectures", Doctoral
4670                 Dissertation, University of California, Irvine ,
4671                 September 2000,
4672                 <http://roy.gbiv.com/pubs/dissertation/top.htm>.
4673
4674   [RFC1305]     Mills, D., "Network Time Protocol (Version 3)
4675                 Specification, Implementation", RFC 1305, March 1992.
4676
4677   [RFC1945]     Berners-Lee, T., Fielding, R., and H. Nielsen,
4678                 "Hypertext Transfer Protocol -- HTTP/1.0", RFC 1945,
4679                 May 1996.
4680
4681   [RFC2049]     Freed, N. and N. Borenstein, "Multipurpose Internet
4682                 Mail Extensions (MIME) Part Five: Conformance Criteria
4683                 and Examples", RFC 2049, November 1996.
4684
4685   [RFC2068]     Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and
4686                 T. Berners-Lee, "Hypertext Transfer Protocol --
4687                 HTTP/1.1", RFC 2068, January 1997.
4688
4689   [RFC2295]     Holtman, K. and A. Mutz, "Transparent Content
4690                 Negotiation in HTTP", RFC 2295, March 1998.
4691
4692   [RFC2388]     Masinter, L., "Returning Values from Forms:  multipart/
4693                 form-data", RFC 2388, August 1998.
4694
4695   [RFC2557]     Palme, F., Hopmann, A., Shelness, N., and E. Stefferud,
4696                 "MIME Encapsulation of Aggregate Documents, such as
4697                 HTML (MHTML)", RFC 2557, March 1999.
4698
4699   [RFC2616]     Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
4700
4701
4702
4703Fielding & Reschke       Expires August 27, 2013               [Page 84]
4704
4705Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4706
4707
4708                 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
4709                 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
4710
4711   [RFC2817]     Khare, R. and S. Lawrence, "Upgrading to TLS Within
4712                 HTTP/1.1", RFC 2817, May 2000.
4713
4714   [RFC2978]     Freed, N. and J. Postel, "IANA Charset Registration
4715                 Procedures", BCP 19, RFC 2978, October 2000.
4716
4717   [RFC5226]     Narten, T. and H. Alvestrand, "Guidelines for Writing
4718                 an IANA Considerations Section in RFCs", BCP 26,
4719                 RFC 5226, May 2008.
4720
4721   [RFC5322]     Resnick, P., "Internet Message Format", RFC 5322,
4722                 October 2008.
4723
4724   [RFC5789]     Dusseault, L. and J. Snell, "PATCH Method for HTTP",
4725                 RFC 5789, March 2010.
4726
4727   [RFC5987]     Reschke, J., "Character Set and Language Encoding for
4728                 Hypertext Transfer Protocol (HTTP) Header Field
4729                 Parameters", RFC 5987, August 2010.
4730
4731   [RFC5988]     Nottingham, M., "Web Linking", RFC 5988, October 2010.
4732
4733   [RFC6265]     Barth, A., "HTTP State Management Mechanism", RFC 6265,
4734                 April 2011.
4735
4736   [RFC6266]     Reschke, J., "Use of the Content-Disposition Header
4737                 Field in the Hypertext Transfer Protocol (HTTP)",
4738                 RFC 6266, June 2011.
4739
4740   [status-308]  Reschke, J., "The Hypertext Transfer Protocol (HTTP)
4741                 Status Code 308 (Permanent Redirect)",
4742                 draft-reschke-http-status-308-07 (work in progress),
4743                 March 2012.
4744
4745Appendix A.  Differences between HTTP and MIME
4746
4747   HTTP/1.1 uses many of the constructs defined for the Internet Message
4748   Format [RFC5322] and the Multipurpose Internet Mail Extensions (MIME)
4749   [RFC2045] to allow a message body to be transmitted in an open
4750   variety of representations and with extensible header fields.
4751   However, RFC 2045 is focused only on email; applications of HTTP have
4752   many characteristics that differ from email, and hence HTTP has
4753   features that differ from MIME.  These differences were carefully
4754   chosen to optimize performance over binary connections, to allow
4755   greater freedom in the use of new media types, to make date
4756
4757
4758
4759Fielding & Reschke       Expires August 27, 2013               [Page 85]
4760
4761Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4762
4763
4764   comparisons easier, and to acknowledge the practice of some early
4765   HTTP servers and clients.
4766
4767   This appendix describes specific areas where HTTP differs from MIME.
4768   Proxies and gateways to and from strict MIME environments need to be
4769   aware of these differences and provide the appropriate conversions
4770   where necessary.
4771
4772A.1.  MIME-Version
4773
4774   HTTP is not a MIME-compliant protocol.  However, messages can include
4775   a single MIME-Version header field to indicate what version of the
4776   MIME protocol was used to construct the message.  Use of the MIME-
4777   Version header field indicates that the message is in full
4778   conformance with the MIME protocol (as defined in [RFC2045]).
4779   Senders are responsible for ensuring full conformance (where
4780   possible) when exporting HTTP messages to strict MIME environments.
4781
4782A.2.  Conversion to Canonical Form
4783
4784   MIME requires that an Internet mail body part be converted to
4785   canonical form prior to being transferred, as described in Section 4
4786   of [RFC2049].  Section 3.1.1.3 of this document describes the forms
4787   allowed for subtypes of the "text" media type when transmitted over
4788   HTTP.  [RFC2046] requires that content with a type of "text"
4789   represent line breaks as CRLF and forbids the use of CR or LF outside
4790   of line break sequences.  HTTP allows CRLF, bare CR, and bare LF to
4791   indicate a line break within text content.
4792
4793   A proxy or gateway from HTTP to a strict MIME environment ought to
4794   translate all line breaks within the text media types described in
4795   Section 3.1.1.3 of this document to the RFC 2049 canonical form of
4796   CRLF.  Note, however, this might be complicated by the presence of a
4797   Content-Encoding and by the fact that HTTP allows the use of some
4798   charsets that do not use octets 13 and 10 to represent CR and LF,
4799   respectively.
4800
4801   Conversion will break any cryptographic checksums applied to the
4802   original content unless the original content is already in canonical
4803   form.  Therefore, the canonical form is recommended for any content
4804   that uses such checksums in HTTP.
4805
4806A.3.  Conversion of Date Formats
4807
4808   HTTP/1.1 uses a restricted set of date formats (Section 7.1.1.1) to
4809   simplify the process of date comparison.  Proxies and gateways from
4810   other protocols ought to ensure that any Date header field present in
4811   a message conforms to one of the HTTP/1.1 formats and rewrite the
4812
4813
4814
4815Fielding & Reschke       Expires August 27, 2013               [Page 86]
4816
4817Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4818
4819
4820   date if necessary.
4821
4822A.4.  Conversion of Content-Encoding
4823
4824   MIME does not include any concept equivalent to HTTP/1.1's Content-
4825   Encoding header field.  Since this acts as a modifier on the media
4826   type, proxies and gateways from HTTP to MIME-compliant protocols
4827   ought to either change the value of the Content-Type header field or
4828   decode the representation before forwarding the message.  (Some
4829   experimental applications of Content-Type for Internet mail have used
4830   a media-type parameter of ";conversions=<content-coding>" to perform
4831   a function equivalent to Content-Encoding.  However, this parameter
4832   is not part of the MIME standards).
4833
4834A.5.  Conversion of Content-Transfer-Encoding
4835
4836   HTTP does not use the Content-Transfer-Encoding field of MIME.
4837   Proxies and gateways from MIME-compliant protocols to HTTP need to
4838   remove any Content-Transfer-Encoding prior to delivering the response
4839   message to an HTTP client.
4840
4841   Proxies and gateways from HTTP to MIME-compliant protocols are
4842   responsible for ensuring that the message is in the correct format
4843   and encoding for safe transport on that protocol, where "safe
4844   transport" is defined by the limitations of the protocol being used.
4845   Such a proxy or gateway ought to transform and label the data with an
4846   appropriate Content-Transfer-Encoding if doing so will improve the
4847   likelihood of safe transport over the destination protocol.
4848
4849A.6.  MHTML and Line Length Limitations
4850
4851   HTTP implementations that share code with MHTML [RFC2557]
4852   implementations need to be aware of MIME line length limitations.
4853   Since HTTP does not have this limitation, HTTP does not fold long
4854   lines.  MHTML messages being transported by HTTP follow all
4855   conventions of MHTML, including line length limitations and folding,
4856   canonicalization, etc., since HTTP transfers message-bodies as
4857   payload and, aside from the "multipart/byteranges" type (Appendix A
4858   of [Part5]), does not interpret the content or any MIME header lines
4859   that might be contained therein.
4860
4861Appendix B.  Changes from RFC 2616
4862
4863   The primary changes in this revision have been editorial in nature:
4864   extracting the messaging syntax and partitioning HTTP semantics into
4865   separate documents for the core features, conditional requests,
4866   partial requests, caching, and authentication.  The conformance
4867   language has been revised to clearly target requirements and the
4868
4869
4870
4871Fielding & Reschke       Expires August 27, 2013               [Page 87]
4872
4873Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4874
4875
4876   terminology has been improved to distinguish payload from
4877   representations and representations from resources.  An algorithm has
4878   been added for determining if a payload is associated with a specific
4879   identifier (Section 3.1.4.1).
4880
4881   A new requirement has been added that semantics embedded in a URI
4882   should be disabled when those semantics are inconsistent with the
4883   request method, since this is a common cause of interoperability
4884   failure.
4885
4886   The default charset of ISO-8859-1 for text media types has been
4887   removed; the default is now whatever the media type definition says
4888   (Section 3.1.1.3).  Likewise, special treatment of ISO-8859-1 has
4889   been removed from the Accept-Charset header field (Section 5.3.3).
4890
4891   The Content-Disposition header field has been removed since it is now
4892   defined by [RFC6266].
4893
4894   The definition of Content-Location has been changed to no longer
4895   affect the base URI for resolving relative URI references, due to
4896   poor implementation support and the undesirable effect of potentially
4897   breaking relative links in content-negotiated resources
4898   (Section 3.1.4.2).
4899
4900   The Content-MD5 header field has been removed because it was
4901   inconsistently implemented with respect to partial responses.
4902
4903   To be consistent with the method-neutral parsing algorithm of
4904   [Part1], the definition of GET has been relaxed so that requests can
4905   have a body, even though a body has no meaning for GET
4906   (Section 4.3.1).
4907
4908   Servers are no longer required to handle all Content-* header fields
4909   and use of Content-Range has been explicitly banned in PUT requests
4910   (Section 4.3.4).
4911
4912   Definition of the CONNECT method has been moved from [RFC2817] to
4913   this specification (Section 4.3.6).
4914
4915   The OPTIONS (Section 4.3.7) and TRACE (Section 4.3.8) request methods
4916   have been defined as being safe.
4917
4918   The definition of Expect has been both fixed to allow parameters for
4919   value-less expectations and simplified to allow trailing semicolons
4920   after "100-continue" (Section 5.1.1).
4921
4922   The Max-Forwards header field (Section 5.1.2) has been restricted to
4923   the OPTIONS and TRACE methods; previously, extension methods could
4924
4925
4926
4927Fielding & Reschke       Expires August 27, 2013               [Page 88]
4928
4929Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4930
4931
4932   have used it as well.
4933
4934   The "about:blank" URI has been suggested as a value for the Referer
4935   header field when no referring URI is applicable, which distinguishes
4936   that case from others where the Referer field is not sent or has been
4937   removed (Section 5.5.2).
4938
4939   The 201 (Created) status description has been changed to allow for
4940   the possibility that more than one resource has been created
4941   (Section 6.3.2).
4942
4943   The definition of 203 (Non-Authoritative Information) has been
4944   broadened to include cases of payload transformations as well
4945   (Section 6.3.4).
4946
4947   The redirect status codes 301, 302, and 307 no longer have normative
4948   requirements on response payloads and user interaction (Section 6.4).
4949
4950   The request methods that are safe to automatically redirect is no
4951   longer a closed set; user agents are able to make that determination
4952   based upon the request method semantics (Section 6.4).
4953
4954   The description of 303 (See Other) status code has been changed to
4955   allow it to be cached if explicit freshness information is given, and
4956   a specific definition has been added for a 303 response to GET
4957   (Section 6.4.4).
4958
4959   The status codes 301 and 302 (sections 6.4.2 and 6.4.3) have been
4960   changed to allow user agents to rewrite the method from POST to GET.
4961
4962   The 305 (Use Proxy) status code has been deprecated due to security
4963   concerns regarding in-band configuration of a proxy (Section 6.4.5).
4964
4965   The 400 (Bad Request) status code has been relaxed so that it isn't
4966   limited to syntax errors (Section 6.5.1).
4967
4968   The 426 (Upgrade Required) status code has been incorporated from
4969   [RFC2817] (Section 6.5.15).
4970
4971   The following status codes are now cacheable (that is, they can be
4972   stored and reused by a cache without explicit freshness information
4973   present): 204, 404, 405, 414, 501.
4974
4975   Allow has been reclassified as a response header field, removing the
4976   option to specify it in a PUT request.  Requirements relating to the
4977   content of Allow have been relaxed; correspondingly, clients are not
4978   required to always trust its value (Section 7.4.1).
4979
4980
4981
4982
4983Fielding & Reschke       Expires August 27, 2013               [Page 89]
4984
4985Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
4986
4987
4988   The target of requirements on HTTP-date and the Date header field
4989   have been reduced to those systems generating the date, rather than
4990   all systems sending a date (Section 7.1.1).
4991
4992   The syntax of the Location header field has been changed to allow all
4993   URI references, including relative references and fragments, along
4994   with some clarifications as to when use of fragments would not be
4995   appropriate (Section 7.1.2).
4996
4997   A Method Registry has been defined (Section 8.1).
4998
4999   The Status Code Registry (Section 8.2) has been redefined by this
5000   specification; previously, it was defined in Section 7.1 of
5001   [RFC2817].
5002
5003   Registration of Content Codings has been changed to require IETF
5004   Review (Section 8.4).
5005
5006Appendix C.  Imported ABNF
5007
5008   The following core rules are included by reference, as defined in
5009   Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return),
5010   CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double
5011   quote), HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF
5012   (line feed), OCTET (any 8-bit sequence of data), SP (space), and
5013   VCHAR (any visible US-ASCII character).
5014
5015   The rules below are defined in [Part1]:
5016
5017     BWS           = <BWS, defined in [Part1], Section 3.2.3>
5018     OWS           = <OWS, defined in [Part1], Section 3.2.3>
5019     RWS           = <RWS, defined in [Part1], Section 3.2.3>
5020     URI-reference = <URI-reference, defined in [Part1], Section 2.7>
5021     absolute-URI  = <absolute-URI, defined in [Part1], Section 2.7>
5022     comment       = <comment, defined in [Part1], Section 3.2.6>
5023     field-name    = <comment, defined in [Part1], Section 3.2>
5024     partial-URI   = <partial-URI, defined in [Part1], Section 2.7>
5025     quoted-string = <quoted-string, defined in [Part1], Section 3.2.6>
5026     token         = <token, defined in [Part1], Section 3.2.6>
5027     word          = <word, defined in [Part1], Section 3.2.6>
5028
5029Appendix D.  Collected ABNF
5030
5031   Accept = [ ( "," / ( media-range [ accept-params ] ) ) *( OWS "," [
5032    OWS ( media-range [ accept-params ] ) ] ) ]
5033   Accept-Charset = *( "," OWS ) ( ( charset / "*" ) [ weight ] ) *( OWS
5034    "," [ OWS ( ( charset / "*" ) [ weight ] ) ] )
5035
5036
5037
5038
5039Fielding & Reschke       Expires August 27, 2013               [Page 90]
5040
5041Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
5042
5043
5044   Accept-Encoding = [ ( "," / ( codings [ weight ] ) ) *( OWS "," [ OWS
5045    ( codings [ weight ] ) ] ) ]
5046   Accept-Language = *( "," OWS ) ( language-range [ weight ] ) *( OWS
5047    "," [ OWS ( language-range [ weight ] ) ] )
5048   Allow = [ ( "," / method ) *( OWS "," [ OWS method ] ) ]
5049
5050   BWS = <BWS, defined in [Part1], Section 3.2.3>
5051
5052   Content-Encoding = *( "," OWS ) content-coding *( OWS "," [ OWS
5053    content-coding ] )
5054   Content-Language = *( "," OWS ) language-tag *( OWS "," [ OWS
5055    language-tag ] )
5056   Content-Location = absolute-URI / partial-URI
5057   Content-Type = media-type
5058
5059   Date = HTTP-date
5060
5061   Expect = *( "," OWS ) expectation *( OWS "," [ OWS expectation ] )
5062
5063   From = mailbox
5064
5065   GMT = %x47.4D.54 ; GMT
5066
5067   HTTP-date = IMF-fixdate / obs-date
5068
5069   IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT
5070
5071   Location = URI-reference
5072
5073   Max-Forwards = 1*DIGIT
5074
5075   OWS = <OWS, defined in [Part1], Section 3.2.3>
5076
5077   RWS = <RWS, defined in [Part1], Section 3.2.3>
5078   Referer = absolute-URI / partial-URI
5079   Retry-After = HTTP-date / delta-seconds
5080
5081   Server = product *( RWS ( product / comment ) )
5082
5083   URI-reference = <URI-reference, defined in [Part1], Section 2.7>
5084   User-Agent = product *( RWS ( product / comment ) )
5085
5086   Vary = "*" / ( *( "," OWS ) field-name *( OWS "," [ OWS field-name ]
5087    ) )
5088
5089   absolute-URI = <absolute-URI, defined in [Part1], Section 2.7>
5090   accept-ext = OWS ";" OWS token [ "=" word ]
5091   accept-params = weight *accept-ext
5092
5093
5094
5095Fielding & Reschke       Expires August 27, 2013               [Page 91]
5096
5097Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
5098
5099
5100   asctime-date = day-name SP date3 SP time-of-day SP year
5101   attribute = token
5102
5103   charset = token
5104   codings = content-coding / "identity" / "*"
5105   comment = <comment, defined in [Part1], Section 3.2.6>
5106   content-coding = token
5107
5108   date1 = day SP month SP year
5109   date2 = day "-" month "-" 2DIGIT
5110   date3 = month SP ( 2DIGIT / ( SP DIGIT ) )
5111   day = 2DIGIT
5112   day-name = %x4D.6F.6E ; Mon
5113    / %x54.75.65 ; Tue
5114    / %x57.65.64 ; Wed
5115    / %x54.68.75 ; Thu
5116    / %x46.72.69 ; Fri
5117    / %x53.61.74 ; Sat
5118    / %x53.75.6E ; Sun
5119   day-name-l = %x4D.6F.6E.64.61.79 ; Monday
5120    / %x54.75.65.73.64.61.79 ; Tuesday
5121    / %x57.65.64.6E.65.73.64.61.79 ; Wednesday
5122    / %x54.68.75.72.73.64.61.79 ; Thursday
5123    / %x46.72.69.64.61.79 ; Friday
5124    / %x53.61.74.75.72.64.61.79 ; Saturday
5125    / %x53.75.6E.64.61.79 ; Sunday
5126   delta-seconds = 1*DIGIT
5127
5128   expect-name = token
5129   expect-param = expect-name [ BWS "=" BWS expect-value ]
5130   expect-value = token / quoted-string
5131   expectation = expect-name [ BWS "=" BWS expect-value ] *( OWS ";" [
5132    OWS expect-param ] )
5133
5134   field-name = <comment, defined in [Part1], Section 3.2>
5135
5136   hour = 2DIGIT
5137
5138   language-range = <language-range, defined in [RFC4647], Section 2.1>
5139   language-tag = <Language-Tag, defined in [RFC5646], Section 2.1>
5140
5141   mailbox = <mailbox, defined in [RFC5322], Section 3.4>
5142   media-range = ( "*/*" / ( type "/*" ) / ( type "/" subtype ) ) *( OWS
5143    ";" OWS parameter )
5144   media-type = type "/" subtype *( OWS ";" OWS parameter )
5145   method = token
5146   minute = 2DIGIT
5147
5148
5149
5150
5151Fielding & Reschke       Expires August 27, 2013               [Page 92]
5152
5153Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
5154
5155
5156   month = %x4A.61.6E ; Jan
5157    / %x46.65.62 ; Feb
5158    / %x4D.61.72 ; Mar
5159    / %x41.70.72 ; Apr
5160    / %x4D.61.79 ; May
5161    / %x4A.75.6E ; Jun
5162    / %x4A.75.6C ; Jul
5163    / %x41.75.67 ; Aug
5164    / %x53.65.70 ; Sep
5165    / %x4F.63.74 ; Oct
5166    / %x4E.6F.76 ; Nov
5167    / %x44.65.63 ; Dec
5168
5169   obs-date = rfc850-date / asctime-date
5170
5171   parameter = attribute "=" value
5172   partial-URI = <partial-URI, defined in [Part1], Section 2.7>
5173   product = token [ "/" product-version ]
5174   product-version = token
5175
5176   quoted-string = <quoted-string, defined in [Part1], Section 3.2.6>
5177   qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] )
5178
5179   rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT
5180
5181   second = 2DIGIT
5182   subtype = token
5183
5184   time-of-day = hour ":" minute ":" second
5185   token = <token, defined in [Part1], Section 3.2.6>
5186   type = token
5187
5188   value = word
5189
5190   weight = OWS ";" OWS "q=" qvalue
5191   word = <word, defined in [Part1], Section 3.2.6>
5192
5193   year = 4DIGIT
5194
5195Appendix E.  Change Log (to be removed by RFC Editor before publication)
5196
5197E.1.  Since RFC 2616
5198
5199   Changes up to the first Working Group Last Call draft are summarized
5200   in <http://trac.tools.ietf.org/html/
5201   draft-ietf-httpbis-p2-semantics-21#appendix-F>.
5202
5203
5204
5205
5206
5207Fielding & Reschke       Expires August 27, 2013               [Page 93]
5208
5209Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
5210
5211
5212E.2.  Since draft-ietf-httpbis-p2-semantics-21
5213
5214   Closed issues:
5215
5216   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/22>: "ETag (and
5217      other metadata) in status messages"
5218
5219   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/96>: "Conditional
5220      GET text"
5221
5222   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/146>: "Clarify
5223      description of 405 (Not Allowed)"
5224
5225   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/223>: "Allowing
5226      heuristic caching for new status codes"
5227
5228   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/315>: "method
5229      semantics: retrieval/representation"
5230
5231   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/388>: "User
5232      confirmation for unsafe methods"
5233
5234   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/404>: "Tentative
5235      Status Codes"
5236
5237   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/418>: "No-Transform"
5238
5239   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/419>: "p2 editorial
5240      feedback"
5241
5242   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/424>: "Absence of
5243      Accept-Encoding"
5244
5245   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/428>: "Accept-
5246      Language ordering for identical qvalues"
5247
5248   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/432>: "Identify
5249      additional status codes as cacheable by default"
5250
5251   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/434>: "mention in
5252      header field considerations that leading/trailing WS is lossy"
5253
5254Index
5255
5256   1
5257      1xx Informational (status code class)  49
5258
5259   2
5260
5261
5262
5263Fielding & Reschke       Expires August 27, 2013               [Page 94]
5264
5265Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
5266
5267
5268      2xx Successful (status code class)  50
5269
5270   3
5271      3xx Redirection (status code class)  53
5272
5273   4
5274      4xx Client Error (status code class)  57
5275
5276   5
5277      5xx Server Error (status code class)  61
5278
5279   1
5280      100 Continue (status code)  49
5281      100-continue (expect value)  33
5282      101 Switching Protocols (status code)  50
5283
5284   2
5285      200 OK (status code)  50
5286      201 Created (status code)  51
5287      202 Accepted (status code)  51
5288      203 Non-Authoritative Information (status code)  51
5289      204 No Content (status code)  52
5290      205 Reset Content (status code)  52
5291
5292   3
5293      300 Multiple Choices (status code)  54
5294      301 Moved Permanently (status code)  55
5295      302 Found (status code)  55
5296      303 See Other (status code)  56
5297      305 Use Proxy (status code)  56
5298      306 (Unused) (status code)  56
5299      307 Temporary Redirect (status code)  57
5300
5301   4
5302      400 Bad Request (status code)  57
5303      402 Payment Required (status code)  57
5304      403 Forbidden (status code)  57
5305      404 Not Found (status code)  58
5306      405 Method Not Allowed (status code)  58
5307      406 Not Acceptable (status code)  58
5308      408 Request Timeout (status code)  59
5309      409 Conflict (status code)  59
5310      410 Gone (status code)  59
5311      411 Length Required (status code)  60
5312      413 Payload Too Large (status code)  60
5313      414 URI Too Long (status code)  60
5314      415 Unsupported Media Type (status code)  60
5315      417 Expectation Failed (status code)  61
5316
5317
5318
5319Fielding & Reschke       Expires August 27, 2013               [Page 95]
5320
5321Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
5322
5323
5324      426 Upgrade Required (status code)  61
5325
5326   5
5327      500 Internal Server Error (status code)  61
5328      501 Not Implemented (status code)  61
5329      502 Bad Gateway (status code)  62
5330      503 Service Unavailable (status code)  62
5331      504 Gateway Timeout (status code)  62
5332      505 HTTP Version Not Supported (status code)  62
5333
5334   A
5335      Accept header field  38
5336      Accept-Charset header field  40
5337      Accept-Encoding header field  41
5338      Accept-Language header field  42
5339      Allow header field  71
5340
5341   C
5342      cacheable  23
5343      compress (content coding)  11
5344      conditional request  36
5345      CONNECT method  29
5346      content coding  11
5347      content negotiation  6
5348      Content-Encoding header field  12
5349      Content-Language header field  13
5350      Content-Location header field  15
5351      Content-Transfer-Encoding header field  87
5352      Content-Type header field  10
5353
5354   D
5355      Date header field  66
5356      deflate (content coding)  11
5357      DELETE method  28
5358
5359   E
5360      Expect header field  33
5361      Expect Values
5362         100-continue  33
5363
5364   F
5365      From header field  44
5366
5367   G
5368      GET method  24
5369      Grammar
5370         Accept  38
5371         Accept-Charset  40
5372
5373
5374
5375Fielding & Reschke       Expires August 27, 2013               [Page 96]
5376
5377Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
5378
5379
5380         Accept-Encoding  41
5381         accept-ext  38
5382         Accept-Language  42
5383         accept-params  38
5384         Allow  71
5385         asctime-date  65
5386         attribute  8
5387         charset  9
5388         codings  41
5389         content-coding  11
5390         Content-Encoding  12
5391         Content-Language  13
5392         Content-Location  15
5393         Content-Type  10
5394         Date  66
5395         date1  64
5396         day  64
5397         day-name  64
5398         day-name-l  64
5399         delta-seconds  68
5400         Expect  33
5401         expect-name  33
5402         expect-param  33
5403         expect-value  33
5404         expectation  33
5405         From  44
5406         GMT  64
5407         hour  64
5408         HTTP-date  63
5409         IMF-fixdate  64
5410         language-range  42
5411         language-tag  13
5412         Location  66
5413         Max-Forwards  36
5414         media-range  38
5415         media-type  8
5416         method  20
5417         minute  64
5418         month  64
5419         obs-date  65
5420         parameter  8
5421         product  46
5422         product-version  46
5423         qvalue  37
5424         Referer  44
5425         Retry-After  68
5426         rfc850-date  65
5427         second  64
5428
5429
5430
5431Fielding & Reschke       Expires August 27, 2013               [Page 97]
5432
5433Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
5434
5435
5436         Server  71
5437         subtype  8
5438         time-of-day  64
5439         type  8
5440         User-Agent  45
5441         value  8
5442         Vary  68
5443         weight  37
5444         year  64
5445      gzip (content coding)  11
5446
5447   H
5448      HEAD method  24
5449
5450   I
5451      idempotent  23
5452
5453   L
5454      Location header field  66
5455
5456   M
5457      Max-Forwards header field  36
5458      MIME-Version header field  86
5459
5460   O
5461      OPTIONS method  31
5462
5463   P
5464      payload  17
5465      POST method  25
5466      PUT method  26
5467
5468   R
5469      Referer header field  44
5470      representation  7
5471      Retry-After header field  68
5472
5473   S
5474      safe  22
5475      selected representation  7, 69
5476      Server header field  71
5477      Status Codes Classes
5478         1xx Informational  49
5479         2xx Successful  50
5480         3xx Redirection  53
5481         4xx Client Error  57
5482         5xx Server Error  61
5483
5484
5485
5486
5487Fielding & Reschke       Expires August 27, 2013               [Page 98]
5488
5489Internet-Draft       HTTP/1.1 Semantics and Content        February 2013
5490
5491
5492   T
5493      TRACE method  32
5494
5495   U
5496      User-Agent header field  45
5497
5498   V
5499      Vary header field  68
5500
5501   X
5502      x-compress (content coding)  11
5503      x-gzip (content coding)  11
5504
5505Authors' Addresses
5506
5507   Roy T. Fielding (editor)
5508   Adobe Systems Incorporated
5509   345 Park Ave
5510   San Jose, CA  95110
5511   USA
5512
5513   EMail: fielding@gbiv.com
5514   URI:   http://roy.gbiv.com/
5515
5516
5517   Julian F. Reschke (editor)
5518   greenbytes GmbH
5519   Hafenweg 16
5520   Muenster, NW  48155
5521   Germany
5522
5523   EMail: julian.reschke@greenbytes.de
5524   URI:   http://greenbytes.de/tech/webdav/
5525
5526
5527
5528
5529
5530
5531
5532
5533
5534
5535
5536
5537
5538
5539
5540
5541
5542
5543Fielding & Reschke       Expires August 27, 2013               [Page 99]
5544
Note: See TracBrowser for help on using the repository browser.