source: draft-ietf-httpbis/24/draft-ietf-httpbis-p2-semantics-24.txt @ 2521

Last change on this file since 2521 was 2414, checked in by julian.reschke@…, 7 years ago

Prepare release of -24 on Sept 25

  • Property svn:eol-style set to native
File size: 232.3 KB
Line 
1
2
3
4HTTPbis Working Group                                   R. Fielding, Ed.
5Internet-Draft                                                     Adobe
6Obsoletes: 2616 (if approved)                            J. Reschke, Ed.
7Updates: 2817 (if approved)                                   greenbytes
8Intended status: Standards Track                      September 25, 2013
9Expires: March 29, 2014
10
11
12     Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
13                   draft-ietf-httpbis-p2-semantics-24
14
15Abstract
16
17   The Hypertext Transfer Protocol (HTTP) is an application-level
18   protocol for distributed, collaborative, hypertext information
19   systems.  This document defines the semantics of HTTP/1.1 messages,
20   as expressed by request methods, request header fields, response
21   status codes, and response header fields, along with the payload of
22   messages (metadata and body content) and mechanisms for content
23   negotiation.
24
25Editorial Note (To be removed by RFC Editor)
26
27   Discussion of this draft takes place on the HTTPBIS working group
28   mailing list (ietf-http-wg@w3.org), which is archived at
29   <http://lists.w3.org/Archives/Public/ietf-http-wg/>.
30
31   The current issues list is at
32   <http://tools.ietf.org/wg/httpbis/trac/report/3> and related
33   documents (including fancy diffs) can be found at
34   <http://tools.ietf.org/wg/httpbis/>.
35
36   The changes in this draft are summarized in Appendix E.4.
37
38Status of This Memo
39
40   This Internet-Draft is submitted in full conformance with the
41   provisions of BCP 78 and BCP 79.
42
43   Internet-Drafts are working documents of the Internet Engineering
44   Task Force (IETF).  Note that other groups may also distribute
45   working documents as Internet-Drafts.  The list of current Internet-
46   Drafts is at http://datatracker.ietf.org/drafts/current/.
47
48   Internet-Drafts are draft documents valid for a maximum of six months
49   and may be updated, replaced, or obsoleted by other documents at any
50   time.  It is inappropriate to use Internet-Drafts as reference
51   material or to cite them other than as "work in progress."
52
53
54
55Fielding & Reschke       Expires March 29, 2014                 [Page 1]
56
57Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
58
59
60   This Internet-Draft will expire on March 29, 2014.
61
62Copyright Notice
63
64   Copyright (c) 2013 IETF Trust and the persons identified as the
65   document authors.  All rights reserved.
66
67   This document is subject to BCP 78 and the IETF Trust's Legal
68   Provisions Relating to IETF Documents
69   (http://trustee.ietf.org/license-info) in effect on the date of
70   publication of this document.  Please review these documents
71   carefully, as they describe your rights and restrictions with respect
72   to this document.  Code Components extracted from this document must
73   include Simplified BSD License text as described in Section 4.e of
74   the Trust Legal Provisions and are provided without warranty as
75   described in the Simplified BSD License.
76
77   This document may contain material from IETF Documents or IETF
78   Contributions published or made publicly available before November
79   10, 2008.  The person(s) controlling the copyright in some of this
80   material may not have granted the IETF Trust the right to allow
81   modifications of such material outside the IETF Standards Process.
82   Without obtaining an adequate license from the person(s) controlling
83   the copyright in such materials, this document may not be modified
84   outside the IETF Standards Process, and derivative works of it may
85   not be created outside the IETF Standards Process, except to format
86   it for publication as an RFC or to translate it into languages other
87   than English.
88
89Table of Contents
90
91   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  6
92     1.1.  Conformance and Error Handling . . . . . . . . . . . . . .  6
93     1.2.  Syntax Notation  . . . . . . . . . . . . . . . . . . . . .  6
94   2.  Resources  . . . . . . . . . . . . . . . . . . . . . . . . . .  7
95   3.  Representations  . . . . . . . . . . . . . . . . . . . . . . .  7
96     3.1.  Representation Metadata  . . . . . . . . . . . . . . . . .  8
97       3.1.1.  Processing Representation Data . . . . . . . . . . . .  8
98       3.1.2.  Encoding for Compression or Integrity  . . . . . . . . 11
99       3.1.3.  Audience Language  . . . . . . . . . . . . . . . . . . 13
100       3.1.4.  Identification . . . . . . . . . . . . . . . . . . . . 14
101     3.2.  Representation Data  . . . . . . . . . . . . . . . . . . . 17
102     3.3.  Payload Semantics  . . . . . . . . . . . . . . . . . . . . 17
103     3.4.  Content Negotiation  . . . . . . . . . . . . . . . . . . . 18
104       3.4.1.  Proactive Negotiation  . . . . . . . . . . . . . . . . 19
105       3.4.2.  Reactive Negotiation . . . . . . . . . . . . . . . . . 20
106   4.  Request Methods  . . . . . . . . . . . . . . . . . . . . . . . 21
107     4.1.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . 21
108
109
110
111Fielding & Reschke       Expires March 29, 2014                 [Page 2]
112
113Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
114
115
116     4.2.  Common Method Properties . . . . . . . . . . . . . . . . . 22
117       4.2.1.  Safe Methods . . . . . . . . . . . . . . . . . . . . . 22
118       4.2.2.  Idempotent Methods . . . . . . . . . . . . . . . . . . 23
119       4.2.3.  Cacheable Methods  . . . . . . . . . . . . . . . . . . 24
120     4.3.  Method Definitions . . . . . . . . . . . . . . . . . . . . 24
121       4.3.1.  GET  . . . . . . . . . . . . . . . . . . . . . . . . . 24
122       4.3.2.  HEAD . . . . . . . . . . . . . . . . . . . . . . . . . 25
123       4.3.3.  POST . . . . . . . . . . . . . . . . . . . . . . . . . 25
124       4.3.4.  PUT  . . . . . . . . . . . . . . . . . . . . . . . . . 26
125       4.3.5.  DELETE . . . . . . . . . . . . . . . . . . . . . . . . 29
126       4.3.6.  CONNECT  . . . . . . . . . . . . . . . . . . . . . . . 30
127       4.3.7.  OPTIONS  . . . . . . . . . . . . . . . . . . . . . . . 31
128       4.3.8.  TRACE  . . . . . . . . . . . . . . . . . . . . . . . . 32
129   5.  Request Header Fields  . . . . . . . . . . . . . . . . . . . . 33
130     5.1.  Controls . . . . . . . . . . . . . . . . . . . . . . . . . 33
131       5.1.1.  Expect . . . . . . . . . . . . . . . . . . . . . . . . 34
132       5.1.2.  Max-Forwards . . . . . . . . . . . . . . . . . . . . . 36
133     5.2.  Conditionals . . . . . . . . . . . . . . . . . . . . . . . 36
134     5.3.  Content Negotiation  . . . . . . . . . . . . . . . . . . . 37
135       5.3.1.  Quality Values . . . . . . . . . . . . . . . . . . . . 37
136       5.3.2.  Accept . . . . . . . . . . . . . . . . . . . . . . . . 38
137       5.3.3.  Accept-Charset . . . . . . . . . . . . . . . . . . . . 40
138       5.3.4.  Accept-Encoding  . . . . . . . . . . . . . . . . . . . 41
139       5.3.5.  Accept-Language  . . . . . . . . . . . . . . . . . . . 42
140     5.4.  Authentication Credentials . . . . . . . . . . . . . . . . 43
141     5.5.  Request Context  . . . . . . . . . . . . . . . . . . . . . 44
142       5.5.1.  From . . . . . . . . . . . . . . . . . . . . . . . . . 44
143       5.5.2.  Referer  . . . . . . . . . . . . . . . . . . . . . . . 45
144       5.5.3.  User-Agent . . . . . . . . . . . . . . . . . . . . . . 46
145   6.  Response Status Codes  . . . . . . . . . . . . . . . . . . . . 47
146     6.1.  Overview of Status Codes . . . . . . . . . . . . . . . . . 47
147     6.2.  Informational 1xx  . . . . . . . . . . . . . . . . . . . . 50
148       6.2.1.  100 Continue . . . . . . . . . . . . . . . . . . . . . 50
149       6.2.2.  101 Switching Protocols  . . . . . . . . . . . . . . . 50
150     6.3.  Successful 2xx . . . . . . . . . . . . . . . . . . . . . . 51
151       6.3.1.  200 OK . . . . . . . . . . . . . . . . . . . . . . . . 51
152       6.3.2.  201 Created  . . . . . . . . . . . . . . . . . . . . . 52
153       6.3.3.  202 Accepted . . . . . . . . . . . . . . . . . . . . . 52
154       6.3.4.  203 Non-Authoritative Information  . . . . . . . . . . 52
155       6.3.5.  204 No Content . . . . . . . . . . . . . . . . . . . . 53
156       6.3.6.  205 Reset Content  . . . . . . . . . . . . . . . . . . 53
157     6.4.  Redirection 3xx  . . . . . . . . . . . . . . . . . . . . . 54
158       6.4.1.  300 Multiple Choices . . . . . . . . . . . . . . . . . 55
159       6.4.2.  301 Moved Permanently  . . . . . . . . . . . . . . . . 56
160       6.4.3.  302 Found  . . . . . . . . . . . . . . . . . . . . . . 56
161       6.4.4.  303 See Other  . . . . . . . . . . . . . . . . . . . . 57
162       6.4.5.  305 Use Proxy  . . . . . . . . . . . . . . . . . . . . 57
163       6.4.6.  306 (Unused) . . . . . . . . . . . . . . . . . . . . . 57
164
165
166
167Fielding & Reschke       Expires March 29, 2014                 [Page 3]
168
169Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
170
171
172       6.4.7.  307 Temporary Redirect . . . . . . . . . . . . . . . . 58
173     6.5.  Client Error 4xx . . . . . . . . . . . . . . . . . . . . . 58
174       6.5.1.  400 Bad Request  . . . . . . . . . . . . . . . . . . . 58
175       6.5.2.  402 Payment Required . . . . . . . . . . . . . . . . . 58
176       6.5.3.  403 Forbidden  . . . . . . . . . . . . . . . . . . . . 58
177       6.5.4.  404 Not Found  . . . . . . . . . . . . . . . . . . . . 59
178       6.5.5.  405 Method Not Allowed . . . . . . . . . . . . . . . . 59
179       6.5.6.  406 Not Acceptable . . . . . . . . . . . . . . . . . . 59
180       6.5.7.  408 Request Timeout  . . . . . . . . . . . . . . . . . 60
181       6.5.8.  409 Conflict . . . . . . . . . . . . . . . . . . . . . 60
182       6.5.9.  410 Gone . . . . . . . . . . . . . . . . . . . . . . . 60
183       6.5.10. 411 Length Required  . . . . . . . . . . . . . . . . . 61
184       6.5.11. 413 Payload Too Large  . . . . . . . . . . . . . . . . 61
185       6.5.12. 414 URI Too Long . . . . . . . . . . . . . . . . . . . 61
186       6.5.13. 415 Unsupported Media Type . . . . . . . . . . . . . . 61
187       6.5.14. 417 Expectation Failed . . . . . . . . . . . . . . . . 62
188       6.5.15. 426 Upgrade Required . . . . . . . . . . . . . . . . . 62
189     6.6.  Server Error 5xx . . . . . . . . . . . . . . . . . . . . . 62
190       6.6.1.  500 Internal Server Error  . . . . . . . . . . . . . . 62
191       6.6.2.  501 Not Implemented  . . . . . . . . . . . . . . . . . 62
192       6.6.3.  502 Bad Gateway  . . . . . . . . . . . . . . . . . . . 63
193       6.6.4.  503 Service Unavailable  . . . . . . . . . . . . . . . 63
194       6.6.5.  504 Gateway Timeout  . . . . . . . . . . . . . . . . . 63
195       6.6.6.  505 HTTP Version Not Supported . . . . . . . . . . . . 63
196   7.  Response Header Fields . . . . . . . . . . . . . . . . . . . . 63
197     7.1.  Control Data . . . . . . . . . . . . . . . . . . . . . . . 64
198       7.1.1.  Origination Date . . . . . . . . . . . . . . . . . . . 64
199       7.1.2.  Location . . . . . . . . . . . . . . . . . . . . . . . 68
200       7.1.3.  Retry-After  . . . . . . . . . . . . . . . . . . . . . 69
201       7.1.4.  Vary . . . . . . . . . . . . . . . . . . . . . . . . . 70
202     7.2.  Validator Header Fields  . . . . . . . . . . . . . . . . . 71
203     7.3.  Authentication Challenges  . . . . . . . . . . . . . . . . 72
204     7.4.  Response Context . . . . . . . . . . . . . . . . . . . . . 72
205       7.4.1.  Allow  . . . . . . . . . . . . . . . . . . . . . . . . 72
206       7.4.2.  Server . . . . . . . . . . . . . . . . . . . . . . . . 73
207   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 73
208     8.1.  Method Registry  . . . . . . . . . . . . . . . . . . . . . 74
209       8.1.1.  Procedure  . . . . . . . . . . . . . . . . . . . . . . 74
210       8.1.2.  Considerations for New Methods . . . . . . . . . . . . 74
211       8.1.3.  Registrations  . . . . . . . . . . . . . . . . . . . . 75
212     8.2.  Status Code Registry . . . . . . . . . . . . . . . . . . . 75
213       8.2.1.  Procedure  . . . . . . . . . . . . . . . . . . . . . . 75
214       8.2.2.  Considerations for New Status Codes  . . . . . . . . . 76
215       8.2.3.  Registrations  . . . . . . . . . . . . . . . . . . . . 76
216     8.3.  Header Field Registry  . . . . . . . . . . . . . . . . . . 77
217       8.3.1.  Considerations for New Header Fields . . . . . . . . . 78
218       8.3.2.  Registrations  . . . . . . . . . . . . . . . . . . . . 80
219     8.4.  Content Coding Registry  . . . . . . . . . . . . . . . . . 80
220
221
222
223Fielding & Reschke       Expires March 29, 2014                 [Page 4]
224
225Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
226
227
228       8.4.1.  Procedure  . . . . . . . . . . . . . . . . . . . . . . 80
229       8.4.2.  Registrations  . . . . . . . . . . . . . . . . . . . . 81
230   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 81
231     9.1.  Attacks Based On File and Path Names . . . . . . . . . . . 81
232     9.2.  Personal Information . . . . . . . . . . . . . . . . . . . 82
233     9.3.  Sensitive Information in URIs  . . . . . . . . . . . . . . 82
234     9.4.  Product Information  . . . . . . . . . . . . . . . . . . . 83
235     9.5.  Fragment after Redirects . . . . . . . . . . . . . . . . . 83
236     9.6.  Browser Fingerprinting . . . . . . . . . . . . . . . . . . 83
237   10. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 84
238   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 84
239     11.1. Normative References . . . . . . . . . . . . . . . . . . . 84
240     11.2. Informative References . . . . . . . . . . . . . . . . . . 86
241   Appendix A.  Differences between HTTP and MIME . . . . . . . . . . 88
242     A.1.  MIME-Version . . . . . . . . . . . . . . . . . . . . . . . 88
243     A.2.  Conversion to Canonical Form . . . . . . . . . . . . . . . 88
244     A.3.  Conversion of Date Formats . . . . . . . . . . . . . . . . 89
245     A.4.  Conversion of Content-Encoding . . . . . . . . . . . . . . 89
246     A.5.  Conversion of Content-Transfer-Encoding  . . . . . . . . . 89
247     A.6.  MHTML and Line Length Limitations  . . . . . . . . . . . . 89
248   Appendix B.  Changes from RFC 2616 . . . . . . . . . . . . . . . . 90
249   Appendix C.  Imported ABNF . . . . . . . . . . . . . . . . . . . . 92
250   Appendix D.  Collected ABNF  . . . . . . . . . . . . . . . . . . . 93
251   Appendix E.  Change Log (to be removed by RFC Editor before
252                publication)  . . . . . . . . . . . . . . . . . . . . 96
253     E.1.  Since RFC 2616 . . . . . . . . . . . . . . . . . . . . . . 96
254     E.2.  Since draft-ietf-httpbis-p2-semantics-21 . . . . . . . . . 96
255     E.3.  Since draft-ietf-httpbis-p2-semantics-22 . . . . . . . . . 97
256     E.4.  Since draft-ietf-httpbis-p2-semantics-23 . . . . . . . . . 97
257   Index  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279Fielding & Reschke       Expires March 29, 2014                 [Page 5]
280
281Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
282
283
2841.  Introduction
285
286   Each Hypertext Transfer Protocol (HTTP) message is either a request
287   or a response.  A server listens on a connection for a request,
288   parses each message received, interprets the message semantics in
289   relation to the identified request target, and responds to that
290   request with one or more response messages.  A client constructs
291   request messages to communicate specific intentions, and examines
292   received responses to see if the intentions were carried out and
293   determine how to interpret the results.  This document defines
294   HTTP/1.1 request and response semantics in terms of the architecture
295   defined in [Part1].
296
297   HTTP provides a uniform interface for interacting with a resource
298   (Section 2), regardless of its type, nature, or implementation, via
299   the manipulation and transfer of representations (Section 3).
300
301   HTTP semantics include the intentions defined by each request method
302   (Section 4), extensions to those semantics that might be described in
303   request header fields (Section 5), the meaning of status codes to
304   indicate a machine-readable response (Section 6), and the meaning of
305   other control data and resource metadata that might be given in
306   response header fields (Section 7).
307
308   This document also defines representation metadata that describe how
309   a payload is intended to be interpreted by a recipient, the request
310   header fields that might influence content selection, and the various
311   selection algorithms that are collectively referred to as "content
312   negotiation" (Section 3.4).
313
3141.1.  Conformance and Error Handling
315
316   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
317   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
318   document are to be interpreted as described in [RFC2119].
319
320   Conformance criteria and considerations regarding error handling are
321   defined in Section 2.5 of [Part1].
322
3231.2.  Syntax Notation
324
325   This specification uses the Augmented Backus-Naur Form (ABNF)
326   notation of [RFC5234] with the list rule extension defined in Section
327   7 of [Part1].  Appendix C describes rules imported from other
328   documents.  Appendix D shows the collected ABNF with the list rule
329   expanded.
330
331   This specification uses the terms "character", "character encoding
332
333
334
335Fielding & Reschke       Expires March 29, 2014                 [Page 6]
336
337Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
338
339
340   scheme", "charset", and "protocol element" as they are defined in
341   [RFC6365].
342
3432.  Resources
344
345   The target of an HTTP request is called a resource.  HTTP does not
346   limit the nature of a resource; it merely defines an interface that
347   might be used to interact with resources.  Each resource is
348   identified by a Uniform Resource Identifier (URI), as described in
349   Section 2.7 of [Part1].
350
351   When a client constructs an HTTP/1.1 request message, it sends the
352   target URI in one of various forms, as defined in (Section 5.3 of
353   [Part1]).  When a request is received, the server reconstructs an
354   effective request URI for the target resource (Section 5.5 of
355   [Part1]).
356
357   One design goal of HTTP is to separate resource identification from
358   request semantics, which is made possible by vesting the request
359   semantics in the request method (Section 4) and a few request-
360   modifying header fields (Section 5).  Resource owners SHOULD NOT
361   include request semantics within a URI, such as by specifying an
362   action to invoke within the path or query components of the effective
363   request URI, unless those semantics are disabled when they are
364   inconsistent with the request method.
365
3663.  Representations
367
368   If we consider that a resource could be anything, and that the
369   uniform interface provided by HTTP is similar to a window through
370   which one can observe and act upon such a thing only through the
371   communication of messages to some independent actor on the other
372   side, then we need an abstraction to represent ("take the place of")
373   the current or desired state of that thing in our communications.  We
374   call that abstraction a representation [REST].
375
376   For the purposes of HTTP, a "representation" is information that is
377   intended to reflect a past, current, or desired state of a given
378   resource, in a format that can be readily communicated via the
379   protocol, and that consists of a set of representation metadata and a
380   potentially unbounded stream of representation data.
381
382   An origin server might be provided with, or capable of generating,
383   multiple representations that are each intended to reflect the
384   current state of a target resource.  In such cases, some algorithm is
385   used by the origin server to select one of those representations as
386   most applicable to a given request, usually based on content
387   negotiation.  We refer to that one representation as the "selected
388
389
390
391Fielding & Reschke       Expires March 29, 2014                 [Page 7]
392
393Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
394
395
396   representation" and use its particular data and metadata for
397   evaluating conditional requests [Part4] and constructing the payload
398   for 200 (OK) and 304 (Not Modified) responses to GET (Section 4.3.1).
399
4003.1.  Representation Metadata
401
402   Representation header fields provide metadata about the
403   representation.  When a message includes a payload body, the
404   representation header fields describe how to interpret the
405   representation data enclosed in the payload body.  In a response to a
406   HEAD request, the representation header fields describe the
407   representation data that would have been enclosed in the payload body
408   if the same request had been a GET.
409
410   The following header fields convey representation metadata:
411
412   +-------------------+-----------------+
413   | Header Field Name | Defined in...   |
414   +-------------------+-----------------+
415   | Content-Type      | Section 3.1.1.5 |
416   | Content-Encoding  | Section 3.1.2.2 |
417   | Content-Language  | Section 3.1.3.2 |
418   | Content-Location  | Section 3.1.4.2 |
419   +-------------------+-----------------+
420
4213.1.1.  Processing Representation Data
422
4233.1.1.1.  Media Type
424
425   HTTP uses Internet Media Types [RFC2046] in the Content-Type
426   (Section 3.1.1.5) and Accept (Section 5.3.2) header fields in order
427   to provide open and extensible data typing and type negotiation.
428   Media types define both a data format and various processing models:
429   how to process that data in accordance with each context in which it
430   is received.
431
432     media-type = type "/" subtype *( OWS ";" OWS parameter )
433     type       = token
434     subtype    = token
435
436   The type/subtype MAY be followed by parameters in the form of
437   attribute/value pairs.
438
439     parameter      = attribute "=" value
440     attribute      = token
441     value          = word
442
443   The type, subtype, and parameter attribute names are case-
444
445
446
447Fielding & Reschke       Expires March 29, 2014                 [Page 8]
448
449Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
450
451
452   insensitive.  Parameter values might or might not be case-sensitive,
453   depending on the semantics of the parameter name.  The presence or
454   absence of a parameter might be significant to the processing of a
455   media-type, depending on its definition within the media type
456   registry.
457
458   A parameter value that matches the token production can be
459   transmitted as either a token or within a quoted-string.  The quoted
460   and unquoted values are equivalent.  For example, the following
461   examples are all equivalent, but the first is preferred for
462   consistency:
463
464     text/html;charset=utf-8
465     text/html;charset=UTF-8
466     Text/HTML;Charset="utf-8"
467     text/html; charset="utf-8"
468
469   Internet media types ought to be registered with IANA according to
470   the procedures defined in [BCP13].
471
472      Note: Unlike some similar constructs in other header fields, media
473      type parameters do not allow whitespace (even "bad" whitespace)
474      around the "=" character.
475
4763.1.1.2.  Charset
477
478   HTTP uses charset names to indicate or negotiate the character
479   encoding scheme of a textual representation [RFC6365].  A charset is
480   identified by a case-insensitive token.
481
482     charset = token
483
484   Charset names ought to be registered in IANA Character Set registry
485   (<http://www.iana.org/assignments/character-sets>) according to the
486   procedures defined in [RFC2978].
487
4883.1.1.3.  Canonicalization and Text Defaults
489
490   Internet media types are registered with a canonical form in order to
491   be interoperable among systems with varying native encoding formats.
492   Representations selected or transferred via HTTP ought to be in
493   canonical form, for many of the same reasons described by the
494   Multipurpose Internet Mail Extensions (MIME) [RFC2045].  However, the
495   performance characteristics of email deployments (i.e., store and
496   forward messages to peers) are significantly different from those
497   common to HTTP and the Web (server-based information services).
498   Furthermore, MIME's constraints for the sake of compatibility with
499   older mail transfer protocols do not apply to HTTP (see Appendix A).
500
501
502
503Fielding & Reschke       Expires March 29, 2014                 [Page 9]
504
505Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
506
507
508   MIME's canonical form requires that media subtypes of the "text" type
509   use CRLF as the text line break.  HTTP allows the transfer of text
510   media with plain CR or LF alone representing a line break, when such
511   line breaks are consistent for an entire representation.  An HTTP
512   sender MAY generate, and a recipient MUST be able to parse, line
513   breaks in text media that consist of CRLF, bare CR, or bare LF.  In
514   addition, text media in HTTP is not limited to charsets that use
515   octets 13 and 10 for CR and LF, respectively.  This flexibility
516   regarding line breaks applies only to text within a representation
517   that has been assigned a "text" media type; it does not apply to
518   "multipart" types or HTTP elements outside the payload body (e.g.,
519   header fields).
520
521   If a representation is encoded with a content-coding, the underlying
522   data ought to be in a form defined above prior to being encoded.
523
5243.1.1.4.  Multipart Types
525
526   MIME provides for a number of "multipart" types -- encapsulations of
527   one or more representations within a single message body.  All
528   multipart types share a common syntax, as defined in Section 5.1.1 of
529   [RFC2046], and include a boundary parameter as part of the media type
530   value.  The message body is itself a protocol element; a sender MUST
531   generate only CRLF to represent line breaks between body parts.
532
533   HTTP message framing does not use the multipart boundary as an
534   indicator of message body length, though it might be used by
535   implementations that generate or process the payload.  For example,
536   the "multipart/form-data" type is often used for carrying form data
537   in a request, as described in [RFC2388], and the "multipart/
538   byteranges" type is defined by this specification for use in some 206
539   (Partial Content) responses [Part5].
540
5413.1.1.5.  Content-Type
542
543   The "Content-Type" header field indicates the media type of the
544   associated representation: either the representation enclosed in the
545   message payload or the selected representation, as determined by the
546   message semantics.  The indicated media type defines both the data
547   format and how that data is intended to be processed by a recipient,
548   within the scope of the received message semantics, after any content
549   codings indicated by Content-Encoding are decoded.
550
551     Content-Type = media-type
552
553   Media types are defined in Section 3.1.1.1.  An example of the field
554   is
555
556
557
558
559Fielding & Reschke       Expires March 29, 2014                [Page 10]
560
561Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
562
563
564     Content-Type: text/html; charset=ISO-8859-4
565
566   A sender that generates a message containing a payload body SHOULD
567   generate a Content-Type header field in that message unless the
568   intended media type of the enclosed representation is unknown to the
569   sender.  If a Content-Type header field is not present, the recipient
570   MAY either assume a media type of "application/octet-stream"
571   ([RFC2046], Section 4.5.1) or examine the data to determine its type.
572
573   In practice, resource owners do not always properly configure their
574   origin server to provide the correct Content-Type for a given
575   representation, with the result that some clients will examine a
576   payload's content and override the specified type.  Clients that do
577   so risk drawing incorrect conclusions, which might expose additional
578   security risks (e.g., "privilege escalation").  Furthermore, it is
579   impossible to determine the sender's intent by examining the data
580   format: many data formats match multiple media types that differ only
581   in processing semantics.  Implementers are encouraged to provide a
582   means of disabling such "content sniffing" when it is used.
583
5843.1.2.  Encoding for Compression or Integrity
585
5863.1.2.1.  Content Codings
587
588   Content coding values indicate an encoding transformation that has
589   been or can be applied to a representation.  Content codings are
590   primarily used to allow a representation to be compressed or
591   otherwise usefully transformed without losing the identity of its
592   underlying media type and without loss of information.  Frequently,
593   the representation is stored in coded form, transmitted directly, and
594   only decoded by the final recipient.
595
596     content-coding   = token
597
598   All content-coding values are case-insensitive and ought to be
599   registered within the HTTP Content Coding registry, as defined in
600   Section 8.4.  They are used in the Accept-Encoding (Section 5.3.4)
601   and Content-Encoding (Section 3.1.2.2) header fields.
602
603   The following content-coding values are defined by this
604   specification:
605
606      compress (and x-compress): See Section 4.2.1 of [Part1].
607
608      deflate: See Section 4.2.2 of [Part1].
609
610      gzip (and x-gzip): See Section 4.2.3 of [Part1].
611
612
613
614
615Fielding & Reschke       Expires March 29, 2014                [Page 11]
616
617Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
618
619
6203.1.2.2.  Content-Encoding
621
622   The "Content-Encoding" header field indicates what content codings
623   have been applied to the representation, beyond those inherent in the
624   media type, and thus what decoding mechanisms have to be applied in
625   order to obtain data in the media type referenced by the Content-Type
626   header field.  Content-Encoding is primarily used to allow a
627   representation's data to be compressed without losing the identity of
628   its underlying media type.
629
630     Content-Encoding = 1#content-coding
631
632   An example of its use is
633
634     Content-Encoding: gzip
635
636   If one or more encodings have been applied to a representation, the
637   sender that applied the encodings MUST generate a Content-Encoding
638   header field that lists the content codings in the order in which
639   they were applied.  Additional information about the encoding
640   parameters MAY be provided by other header fields not defined by this
641   specification.
642
643   Unlike Transfer-Encoding (Section 3.3.1 of [Part1]), the codings
644   listed in Content-Encoding are a characteristic of the
645   representation; the representation is defined in terms of the coded
646   form, and all other metadata about the representation is about the
647   coded form unless otherwise noted in the metadata definition.
648   Typically, the representation is only decoded just prior to rendering
649   or analogous usage.
650
651   If the media type includes an inherent encoding, such as a data
652   format that is always compressed, then that encoding would not be
653   restated in Content-Encoding even if it happens to be the same
654   algorithm as one of the content codings.  Such a content coding would
655   only be listed if, for some bizarre reason, it is applied a second
656   time to form the representation.  Likewise, an origin server might
657   choose to publish the same data as multiple representations that
658   differ only in whether the coding is defined as part of Content-Type
659   or Content-Encoding, since some user agents will behave differently
660   in their handling of each response (e.g., open a "Save as ..." dialog
661   instead of automatic decompression and rendering of content).
662
663   An origin server MAY respond with a status code of 415 (Unsupported
664   Media Type) if a representation in the request message has a content
665   coding that is not acceptable.
666
667
668
669
670
671Fielding & Reschke       Expires March 29, 2014                [Page 12]
672
673Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
674
675
6763.1.3.  Audience Language
677
6783.1.3.1.  Language Tags
679
680   A language tag, as defined in [RFC5646], identifies a natural
681   language spoken, written, or otherwise conveyed by human beings for
682   communication of information to other human beings.  Computer
683   languages are explicitly excluded.
684
685   HTTP uses language tags within the Accept-Language and Content-
686   Language header fields.  Accept-Language uses the broader language-
687   range production defined in Section 5.3.5, whereas Content-Language
688   uses the language-tag production defined below.
689
690     language-tag = <Language-Tag, defined in [RFC5646], Section 2.1>
691
692   A language tag is a sequence of one or more case-insensitive subtags,
693   each separated by a hyphen character ("-", %x2D).  In most cases, a
694   language tag consists of a primary language subtag that identifies a
695   broad family of related languages (e.g., "en" = English) which is
696   optionally followed by a series of subtags that refine or narrow that
697   language's range (e.g., "en-CA" = the variety of English as
698   communicated in Canada).  Whitespace is not allowed within a language
699   tag.  Example tags include:
700
701     fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN
702
703   See [RFC5646] for further information.
704
7053.1.3.2.  Content-Language
706
707   The "Content-Language" header field describes the natural language(s)
708   of the intended audience for the representation.  Note that this
709   might not be equivalent to all the languages used within the
710   representation.
711
712     Content-Language = 1#language-tag
713
714   Language tags are defined in Section 3.1.3.1.  The primary purpose of
715   Content-Language is to allow a user to identify and differentiate
716   representations according to the users' own preferred language.
717   Thus, if the content is intended only for a Danish-literate audience,
718   the appropriate field is
719
720     Content-Language: da
721
722   If no Content-Language is specified, the default is that the content
723   is intended for all language audiences.  This might mean that the
724
725
726
727Fielding & Reschke       Expires March 29, 2014                [Page 13]
728
729Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
730
731
732   sender does not consider it to be specific to any natural language,
733   or that the sender does not know for which language it is intended.
734
735   Multiple languages MAY be listed for content that is intended for
736   multiple audiences.  For example, a rendition of the "Treaty of
737   Waitangi", presented simultaneously in the original Maori and English
738   versions, would call for
739
740     Content-Language: mi, en
741
742   However, just because multiple languages are present within a
743   representation does not mean that it is intended for multiple
744   linguistic audiences.  An example would be a beginner's language
745   primer, such as "A First Lesson in Latin", which is clearly intended
746   to be used by an English-literate audience.  In this case, the
747   Content-Language would properly only include "en".
748
749   Content-Language MAY be applied to any media type -- it is not
750   limited to textual documents.
751
7523.1.4.  Identification
753
7543.1.4.1.  Identifying a Representation
755
756   When a complete or partial representation is transferred in a message
757   payload, it is often desirable for the sender to supply, or the
758   recipient to determine, an identifier for a resource corresponding to
759   that representation.
760
761   For a request message:
762
763   o  If the request has a Content-Location header field, then the
764      sender asserts that the payload is a representation of the
765      resource identified by the Content-Location field-value.  However,
766      such an assertion cannot be trusted unless it can be verified by
767      other means (not defined by this specification).  The information
768      might still be useful for revision history links.
769
770   o  Otherwise, the payload is unidentified.
771
772   For a response message, the following rules are applied in order
773   until a match is found:
774
775   1.  If the request is GET or HEAD and the response status code is 200
776       (OK), 204 (No Content), 206 (Partial Content), or 304 (Not
777       Modified), the payload is a representation of the resource
778       identified by the effective request URI (Section 5.5 of [Part1]).
779
780
781
782
783Fielding & Reschke       Expires March 29, 2014                [Page 14]
784
785Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
786
787
788   2.  If the request is GET or HEAD and the response status code is 203
789       (Non-Authoritative Information), the payload is a potentially
790       modified or enhanced representation of the target resource as
791       provided by an intermediary.
792
793   3.  If the response has a Content-Location header field and its
794       field-value is a reference to the same URI as the effective
795       request URI, the payload is a representation of the resource
796       identified by the effective request URI.
797
798   4.  If the response has a Content-Location header field and its
799       field-value is a reference to a URI different from the effective
800       request URI, then the sender asserts that the payload is a
801       representation of the resource identified by the Content-Location
802       field-value.  However, such an assertion cannot be trusted unless
803       it can be verified by other means (not defined by this
804       specification).
805
806   5.  Otherwise, the payload is unidentified.
807
8083.1.4.2.  Content-Location
809
810   The "Content-Location" header field references a URI that can be used
811   as an identifier for a specific resource corresponding to the
812   representation in this message's payload.  In other words, if one
813   were to perform a GET request on this URI at the time of this
814   message's generation, then a 200 (OK) response would contain the same
815   representation that is enclosed as payload in this message.
816
817     Content-Location = absolute-URI / partial-URI
818
819   The Content-Location value is not a replacement for the effective
820   Request URI (Section 5.5 of [Part1]).  It is representation metadata.
821   It has the same syntax and semantics as the header field of the same
822   name defined for MIME body parts in Section 4 of [RFC2557].  However,
823   its appearance in an HTTP message has some special implications for
824   HTTP recipients.
825
826   If Content-Location is included in a 2xx (Successful) response
827   message and its value refers (after conversion to absolute form) to a
828   URI that is the same as the effective request URI, then the recipient
829   MAY consider the payload to be a current representation of that
830   resource at the time indicated by the message origination date.  For
831   a GET or HEAD request, this is the same as the default semantics when
832   no Content-Location is provided by the server.  For a state-changing
833   request like PUT or POST, it implies that the server's response
834   contains the new representation of that resource, thereby
835   distinguishing it from representations that might only report about
836
837
838
839Fielding & Reschke       Expires March 29, 2014                [Page 15]
840
841Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
842
843
844   the action (e.g., "It worked!").  This allows authoring applications
845   to update their local copies without the need for a subsequent GET
846   request.
847
848   If Content-Location is included in a 2xx (Successful) response
849   message and its field-value refers to a URI that differs from the
850   effective request URI, then the origin server claims that the URI is
851   an identifier for a different resource corresponding to the enclosed
852   representation.  Such a claim can only be trusted if both identifiers
853   share the same resource owner, which cannot be programmatically
854   determined via HTTP.
855
856   o  For a response to a GET or HEAD request, this is an indication
857      that the effective request URI refers to a resource that is
858      subject to content negotiation and the Content-Location field-
859      value is a more specific identifier for the selected
860      representation.
861
862   o  For a 201 (Created) response to a state-changing method, a
863      Content-Location field-value that is identical to the Location
864      field-value indicates that this payload is a current
865      representation of the newly created resource.
866
867   o  Otherwise, such a Content-Location indicates that this payload is
868      a representation reporting on the requested action's status and
869      that the same report is available (for future access with GET) at
870      the given URI.  For example, a purchase transaction made via a
871      POST request might include a receipt document as the payload of
872      the 200 (OK) response; the Content-Location field-value provides
873      an identifier for retrieving a copy of that same receipt in the
874      future.
875
876   A user agent that sends Content-Location in a request message is
877   stating that its value refers to where the user agent originally
878   obtained the content of the enclosed representation (prior to any
879   modifications made by that user agent).  In other words, the user
880   agent is providing a back link to the source of the original
881   representation.
882
883   An origin server that receives a Content-Location field in a request
884   message MUST treat the information as transitory request context
885   rather than as metadata to be saved verbatim as part of the
886   representation.  An origin server MAY use that context to guide in
887   processing the request or to save it for other uses, such as within
888   source links or versioning metadata.  However, an origin server MUST
889   NOT use such context information to alter the request semantics.
890
891   For example, if a client makes a PUT request on a negotiated resource
892
893
894
895Fielding & Reschke       Expires March 29, 2014                [Page 16]
896
897Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
898
899
900   and the origin server accepts that PUT (without redirection), then
901   the new state of that resource is expected to be consistent with the
902   one representation supplied in that PUT; the Content-Location cannot
903   be used as a form of reverse content selection identifier to update
904   only one of the negotiated representations.  If the user agent had
905   wanted the latter semantics, it would have applied the PUT directly
906   to the Content-Location URI.
907
9083.2.  Representation Data
909
910   The representation data associated with an HTTP message is either
911   provided as the payload body of the message or referred to by the
912   message semantics and the effective request URI.  The representation
913   data is in a format and encoding defined by the representation
914   metadata header fields.
915
916   The data type of the representation data is determined via the header
917   fields Content-Type and Content-Encoding.  These define a two-layer,
918   ordered encoding model:
919
920     representation-data := Content-Encoding( Content-Type( bits ) )
921
9223.3.  Payload Semantics
923
924   Some HTTP messages transfer a complete or partial representation as
925   the message "payload".  In some cases, a payload might contain only
926   the associated representation's header fields (e.g., responses to
927   HEAD) or only some part(s) of the representation data (e.g., the 206
928   (Partial Content) status code).
929
930   The purpose of a payload in a request is defined by the method
931   semantics.  For example, a representation in the payload of a PUT
932   request (Section 4.3.4) represents the desired state of the target
933   resource if the request is successfully applied, whereas a
934   representation in the payload of a POST request (Section 4.3.3)
935   represents an anonymous resource for providing data to be processed,
936   such as the information that a user entered within an HTML form.
937
938   In a response, the payload's purpose is defined by both the request
939   method and the response status code.  For example, the payload of a
940   200 (OK) response to GET (Section 4.3.1) represents the current state
941   of the target resource, as observed at the time of the message
942   origination date (Section 7.1.1.2), whereas the payload of the same
943   status code in a response to POST might represent either the
944   processing result or the new state of the target resource after
945   applying the processing.  Response messages with an error status code
946   usually contain a payload that represents the error condition, such
947   that it describes the error state and what next steps are suggested
948
949
950
951Fielding & Reschke       Expires March 29, 2014                [Page 17]
952
953Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
954
955
956   for resolving it.
957
958   Header fields that specifically describe the payload, rather than the
959   associated representation, are referred to as "payload header
960   fields".  Payload header fields are defined in other parts of this
961   specification, due to their impact on message parsing.
962
963   +-------------------+--------------------------+
964   | Header Field Name | Defined in...            |
965   +-------------------+--------------------------+
966   | Content-Length    | Section 3.3.2 of [Part1] |
967   | Content-Range     | Section 4.2 of [Part5]   |
968   | Transfer-Encoding | Section 3.3.1 of [Part1] |
969   +-------------------+--------------------------+
970
9713.4.  Content Negotiation
972
973   When responses convey payload information, whether indicating a
974   success or an error, the origin server often has different ways of
975   representing that information; for example, in different formats,
976   languages, or encodings.  Likewise, different users or user agents
977   might have differing capabilities, characteristics, or preferences
978   that could influence which representation, among those available,
979   would be best to deliver.  For this reason, HTTP provides mechanisms
980   for content negotiation.
981
982   This specification defines two patterns of content negotiation that
983   can be made visible within the protocol: "proactive", where the
984   server selects the representation based upon the user agent's stated
985   preferences, and "reactive" negotiation, where the server provides a
986   list of representations for the user agent to choose from.  Other
987   patterns of content negotiation include "conditional content", where
988   the representation consists of multiple parts that are selectively
989   rendered based on user agent parameters, "active content", where the
990   representation contains a script that makes additional (more
991   specific) requests based on the user agent characteristics, and
992   "Transparent Content Negotiation" ([RFC2295]), where content
993   selection is performed by an intermediary.  These patterns are not
994   mutually exclusive, and each has trade-offs in applicability and
995   practicality.
996
997   Note that, in all cases, HTTP is not aware of the resource semantics.
998   The consistency with which an origin server responds to requests,
999   over time and over the varying dimensions of content negotiation, and
1000   thus the "sameness" of a resource's observed representations over
1001   time, is determined entirely by whatever entity or algorithm selects
1002   or generates those responses.  HTTP pays no attention to the man
1003   behind the curtain.
1004
1005
1006
1007Fielding & Reschke       Expires March 29, 2014                [Page 18]
1008
1009Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1010
1011
10123.4.1.  Proactive Negotiation
1013
1014   When content negotiation preferences are sent by the user agent in a
1015   request to encourage an algorithm located at the server to select the
1016   preferred representation, it is called proactive negotiation (a.k.a.,
1017   server-driven negotiation).  Selection is based on the available
1018   representations for a response (the dimensions over which it might
1019   vary, such as language, content-coding, etc.) compared to various
1020   information supplied in the request, including both the explicit
1021   negotiation fields of Section 5.3 and implicit characteristics, such
1022   as the client's network address or parts of the User-Agent field.
1023
1024   Proactive negotiation is advantageous when the algorithm for
1025   selecting from among the available representations is difficult to
1026   describe to a user agent, or when the server desires to send its
1027   "best guess" to the user agent along with the first response (hoping
1028   to avoid the round-trip delay of a subsequent request if the "best
1029   guess" is good enough for the user).  In order to improve the
1030   server's guess, a user agent MAY send request header fields that
1031   describe its preferences.
1032
1033   Proactive negotiation has serious disadvantages:
1034
1035   o  It is impossible for the server to accurately determine what might
1036      be "best" for any given user, since that would require complete
1037      knowledge of both the capabilities of the user agent and the
1038      intended use for the response (e.g., does the user want to view it
1039      on screen or print it on paper?);
1040
1041   o  Having the user agent describe its capabilities in every request
1042      can be both very inefficient (given that only a small percentage
1043      of responses have multiple representations) and a potential risk
1044      to the user's privacy;
1045
1046   o  It complicates the implementation of an origin server and the
1047      algorithms for generating responses to a request; and,
1048
1049   o  It limits the reusability of responses for shared caching.
1050
1051   A user agent cannot rely on proactive negotiation preferences being
1052   consistently honored, since the origin server might not implement
1053   proactive negotiation for the requested resource or might decide that
1054   sending a response that doesn't conform to the user agent's
1055   preferences is better than sending a 406 (Not Acceptable) response.
1056
1057   An origin server MAY generate a Vary header field (Section 7.1.4) in
1058   responses that are subject to proactive negotiation to indicate what
1059   parameters of request information might be used in its selection
1060
1061
1062
1063Fielding & Reschke       Expires March 29, 2014                [Page 19]
1064
1065Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1066
1067
1068   algorithm, thereby providing a means for recipients to determine the
1069   reusability of that same response for user agents with differing
1070   request information.
1071
10723.4.2.  Reactive Negotiation
1073
1074   With reactive negotiation (a.k.a., agent-driven negotiation),
1075   selection of the best response representation (regardless of the
1076   status code) is performed by the user agent after receiving an
1077   initial response from the origin server that contains a list of
1078   resources for alternative representations.  If the user agent is not
1079   satisfied by the initial response representation, it can perform a
1080   GET request on one or more of the alternative resources, selected
1081   based on metadata included in the list, to obtain a different form of
1082   representation for that response.  Selection of alternatives might be
1083   performed automatically by the user agent or manually by the user
1084   selecting from a generated (possibly hypertext) menu.
1085
1086   Note that the above refers to representations of the response, in
1087   general, not representations of the resource.  The alternative
1088   representations are only considered representations of the target
1089   resource if the response in which those alternatives are provided has
1090   the semantics of being a representation of the target resource (e.g.,
1091   a 200 (OK) response to a GET request) or has the semantics of
1092   providing links to alternative representations for the target
1093   resource (e.g., a 300 (Multiple Choices) response to a GET request).
1094
1095   A server might choose not to send an initial representation, other
1096   than the list of alternatives, and thereby indicate that reactive
1097   negotiation by the user agent is preferred.  For example, the
1098   alternatives listed in responses with the 300 (Multiple Choices) and
1099   406 (Not Acceptable) status codes include information about the
1100   available representations so that the user or user agent can react by
1101   making a selection.
1102
1103   Reactive negotiation is advantageous when the response would vary
1104   over commonly-used dimensions (such as type, language, or encoding),
1105   when the origin server is unable to determine a user agent's
1106   capabilities from examining the request, and generally when public
1107   caches are used to distribute server load and reduce network usage.
1108
1109   Reactive negotiation suffers from the disadvantages of transmitting a
1110   list of alternatives to the user agent, which degrades user-perceived
1111   latency if transmitted in the header section, and needing a second
1112   request to obtain an alternate representation.  Furthermore, this
1113   specification does not define a mechanism for supporting automatic
1114   selection, though it does not prevent such a mechanism from being
1115   developed as an extension.
1116
1117
1118
1119Fielding & Reschke       Expires March 29, 2014                [Page 20]
1120
1121Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1122
1123
11244.  Request Methods
1125
11264.1.  Overview
1127
1128   The request method token is the primary source of request semantics;
1129   it indicates the purpose for which the client has made this request
1130   and what is expected by the client as a successful result.
1131
1132   The request method's semantics might be further specialized by the
1133   semantics of some header fields when present in a request (Section 5)
1134   if those additional semantics do not conflict with the method.  For
1135   example, a client can send conditional request header fields
1136   (Section 5.2) to make the requested action conditional on the current
1137   state of the target resource ([Part4]).
1138
1139     method = token
1140
1141   HTTP was originally designed to be usable as an interface to
1142   distributed object systems.  The request method was envisioned as
1143   applying semantics to a target resource in much the same way as
1144   invoking a defined method on an identified object would apply
1145   semantics.  The method token is case-sensitive because it might be
1146   used as a gateway to object-based systems with case-sensitive method
1147   names.
1148
1149   Unlike distributed objects, the standardized request methods in HTTP
1150   are not resource-specific, since uniform interfaces provide for
1151   better visibility and reuse in network-based systems [REST].  Once
1152   defined, a standardized method ought to have the same semantics when
1153   applied to any resource, though each resource determines for itself
1154   whether those semantics are implemented or allowed.
1155
1156   This specification defines a number of standardized methods that are
1157   commonly used in HTTP, as outlined by the following table.  By
1158   convention, standardized methods are defined in all-uppercase ASCII
1159   letters.
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175Fielding & Reschke       Expires March 29, 2014                [Page 21]
1176
1177Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1178
1179
1180   +---------+-------------------------------------------------+-------+
1181   | Method  | Description                                     | Sec.  |
1182   +---------+-------------------------------------------------+-------+
1183   | GET     | Transfer a current representation of the target | 4.3.1 |
1184   |         | resource.                                       |       |
1185   | HEAD    | Same as GET, but only transfer the status line  | 4.3.2 |
1186   |         | and header section.                             |       |
1187   | POST    | Perform resource-specific processing on the     | 4.3.3 |
1188   |         | request payload.                                |       |
1189   | PUT     | Replace all current representations of the      | 4.3.4 |
1190   |         | target resource with the request payload.       |       |
1191   | DELETE  | Remove all current representations of the       | 4.3.5 |
1192   |         | target resource.                                |       |
1193   | CONNECT | Establish a tunnel to the server identified by  | 4.3.6 |
1194   |         | the target resource.                            |       |
1195   | OPTIONS | Describe the communication options for the      | 4.3.7 |
1196   |         | target resource.                                |       |
1197   | TRACE   | Perform a message loop-back test along the path | 4.3.8 |
1198   |         | to the target resource.                         |       |
1199   +---------+-------------------------------------------------+-------+
1200
1201   All general-purpose servers MUST support the methods GET and HEAD.
1202   All other methods are OPTIONAL; when implemented, a server MUST
1203   implement the above methods according to the semantics defined for
1204   them in Section 4.3.
1205
1206   Additional methods, outside the scope of this specification, have
1207   been standardized for use in HTTP.  All such methods ought to be
1208   registered within the HTTP Method Registry maintained by IANA, as
1209   defined in Section 8.1.
1210
1211   The set of methods allowed by a target resource can be listed in an
1212   Allow header field (Section 7.4.1).  However, the set of allowed
1213   methods can change dynamically.  When a request method is received
1214   that is unrecognized or not implemented by an origin server, the
1215   origin server SHOULD respond with the 501 (Not Implemented) status
1216   code.  When a request method is received that is known by an origin
1217   server but not allowed for the target resource, the origin server
1218   SHOULD respond with the 405 (Method Not Allowed) status code.
1219
12204.2.  Common Method Properties
1221
12224.2.1.  Safe Methods
1223
1224   Request methods are considered "safe" if their defined semantics are
1225   essentially read-only; i.e., the client does not request, and does
1226   not expect, any state change on the origin server as a result of
1227   applying a safe method to a target resource.  Likewise, reasonable
1228
1229
1230
1231Fielding & Reschke       Expires March 29, 2014                [Page 22]
1232
1233Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1234
1235
1236   use of a safe method is not expected to cause any harm, loss of
1237   property, or unusual burden on the origin server.
1238
1239   This definition of safe methods does not prevent an implementation
1240   from including behavior that is potentially harmful, not entirely
1241   read-only, or which causes side-effects while invoking a safe method.
1242   What is important, however, is that the client did not request that
1243   additional behavior and cannot be held accountable for it.  For
1244   example, most servers append request information to access log files
1245   at the completion of every response, regardless of the method, and
1246   that is considered safe even though the log storage might become full
1247   and crash the server.  Likewise, a safe request initiated by
1248   selecting an advertisement on the Web will often have the side-effect
1249   of charging an advertising account.
1250
1251   Of the request methods defined by this specification, the GET, HEAD,
1252   OPTIONS, and TRACE methods are defined to be safe.
1253
1254   The purpose of distinguishing between safe and unsafe methods is to
1255   allow automated retrieval processes (spiders) and cache performance
1256   optimization (pre-fetching) to work without fear of causing harm.  In
1257   addition, it allows a user agent to apply appropriate constraints on
1258   the automated use of unsafe methods when processing potentially
1259   untrusted content.
1260
1261   A user agent SHOULD distinguish between safe and unsafe methods when
1262   presenting potential actions to a user, such that the user can be
1263   made aware of an unsafe action before it is requested.
1264
1265   When a resource is constructed such that parameters within the
1266   effective request URI have the effect of selecting an action, it is
1267   the resource owner's responsibility to ensure that the action is
1268   consistent with the request method semantics.  For example, it is
1269   common for Web-based content editing software to use actions within
1270   query parameters, such as "page?do=delete".  If the purpose of such a
1271   resource is to perform an unsafe action, then the resource owner MUST
1272   disable or disallow that action when it is accessed using a safe
1273   request method.  Failure to do so will result in unfortunate side-
1274   effects when automated processes perform a GET on every URI reference
1275   for the sake of link maintenance, pre-fetching, building a search
1276   index, etc.
1277
12784.2.2.  Idempotent Methods
1279
1280   Request methods are considered "idempotent" if the intended effect of
1281   multiple identical requests is the same as for a single request.  Of
1282   the request methods defined by this specification, the PUT, DELETE,
1283   and safe request methods are idempotent.
1284
1285
1286
1287Fielding & Reschke       Expires March 29, 2014                [Page 23]
1288
1289Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1290
1291
1292   Like the definition of safe, the idempotent property only applies to
1293   what has been requested by the user; a server is free to log each
1294   request separately, retain a revision control history, or implement
1295   other non-idempotent side-effects for each idempotent request.
1296
1297   Idempotent methods are distinguished because the request can be
1298   repeated automatically if a communication failure occurs before the
1299   client is able to read the server's response.  For example, if a
1300   client sends a PUT request and the underlying connection is closed
1301   before any response is received, then it can establish a new
1302   connection and retry the idempotent request because it knows that
1303   repeating the request will have the same effect even if the original
1304   request succeeded.  Note, however, that repeated failures would
1305   indicate a problem within the server.
1306
13074.2.3.  Cacheable Methods
1308
1309   Request methods can be defined as "cacheable" to indicate that
1310   responses to them are allowed to be stored for future reuse; for
1311   specific requirements see [Part6].  In general, safe methods that do
1312   not depend on a current or authoritative response are defined as
1313   cacheable; this specification defines GET, HEAD and POST as
1314   cacheable, although the overwhelming majority of cache
1315   implementations only support GET and HEAD.
1316
13174.3.  Method Definitions
1318
13194.3.1.  GET
1320
1321   The GET method requests transfer of a current selected representation
1322   for the target resource.  GET is the primary mechanism of information
1323   retrieval and the focus of almost all performance optimizations.
1324   Hence, when people speak of retrieving some identifiable information
1325   via HTTP, they are generally referring to making a GET request.
1326
1327   It is tempting to think of resource identifiers as remote filesystem
1328   pathnames, and of representations as being a copy of the contents of
1329   such files.  In fact, that is how many resources are implemented (see
1330   Section 9.1 for related security considerations).  However, there are
1331   no such limitations in practice.  The HTTP interface for a resource
1332   is just as likely to be implemented as a tree of content objects, a
1333   programmatic view on various database records, or a gateway to other
1334   information systems.  Even when the URI mapping mechanism is tied to
1335   a filesystem, an origin server might be configured to execute the
1336   files with the request as input and send the output as the
1337   representation, rather than transfer the files directly.  Regardless,
1338   only the origin server needs to know how each of its resource
1339   identifiers corresponds to an implementation, and how each
1340
1341
1342
1343Fielding & Reschke       Expires March 29, 2014                [Page 24]
1344
1345Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1346
1347
1348   implementation manages to select and send a current representation of
1349   the target resource in a response to GET.
1350
1351   A client can alter the semantics of GET to be a "range request",
1352   requesting transfer of only some part(s) of the selected
1353   representation, by sending a Range header field in the request
1354   ([Part5]).
1355
1356   A payload within a GET request message has no defined semantics;
1357   sending a payload body on a GET request might cause some existing
1358   implementations to reject the request.
1359
1360   The response to a GET request is cacheable; a cache MAY use it to
1361   satisfy subsequent GET and HEAD requests unless otherwise indicated
1362   by the Cache-Control header field (Section 5.2 of [Part6]).
1363
13644.3.2.  HEAD
1365
1366   The HEAD method is identical to GET except that the server MUST NOT
1367   send a message body in the response (i.e., the response terminates at
1368   the end of the header section).  The server SHOULD send the same
1369   header fields in response to a HEAD request as it would have sent if
1370   the request had been a GET, except that the payload header fields
1371   (Section 3.3) MAY be omitted.  This method can be used for obtaining
1372   metadata about the selected representation without transferring the
1373   representation data and is often used for testing hypertext links for
1374   validity, accessibility, and recent modification.
1375
1376   A payload within a HEAD request message has no defined semantics;
1377   sending a payload body on a HEAD request might cause some existing
1378   implementations to reject the request.
1379
1380   The response to a HEAD request is cacheable; a cache MAY use it to
1381   satisfy subsequent HEAD requests unless otherwise indicated by the
1382   Cache-Control header field (Section 5.2 of [Part6]).  A HEAD response
1383   might also have an effect on previously cached responses to GET; see
1384   Section 4.3.5 of [Part6].
1385
13864.3.3.  POST
1387
1388   The POST method requests that the target resource process the
1389   representation enclosed in the request according to the resource's
1390   own specific semantics.  For example, POST is used for the following
1391   functions (among others):
1392
1393   o  Providing a block of data, such as the fields entered into an HTML
1394      form, to a data-handling process;
1395
1396
1397
1398
1399Fielding & Reschke       Expires March 29, 2014                [Page 25]
1400
1401Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1402
1403
1404   o  Posting a message to a bulletin board, newsgroup, mailing list,
1405      blog, or similar group of articles;
1406
1407   o  Creating a new resource that has yet to be identified by the
1408      origin server; and
1409
1410   o  Appending data to a resource's existing representation(s).
1411
1412   An origin server indicates response semantics by choosing an
1413   appropriate status code depending on the result of processing the
1414   POST request; almost all of the status codes defined by this
1415   specification might be received in a response to POST (the exceptions
1416   being 206, 304, and 416).
1417
1418   If one or more resources has been created on the origin server as a
1419   result of successfully processing a POST request, the origin server
1420   SHOULD send a 201 (Created) response containing a Location header
1421   field that provides an identifier for the primary resource created
1422   (Section 7.1.2) and a representation that describes the status of the
1423   request while referring to the new resource(s).
1424
1425   Responses to POST requests are only cacheable when they include
1426   explicit freshness information (see Section 4.2.1 of [Part6]).
1427   However, POST caching is not widely implemented.  For cases where an
1428   origin server wishes the client to be able to cache the result of a
1429   POST in a way that can be reused by a later GET, the origin server
1430   MAY send a 200 (OK) response containing the result and a Content-
1431   Location header field that has the same value as the POST's effective
1432   request URI (Section 3.1.4.2).
1433
1434   If the result of processing a POST would be equivalent to a
1435   representation of an existing resource, an origin server MAY redirect
1436   the user agent to that resource by sending a 303 (See Other) response
1437   with the existing resource's identifier in the Location field.  This
1438   has the benefits of providing the user agent a resource identifier
1439   and transferring the representation via a method more amenable to
1440   shared caching, though at the cost of an extra request if the user
1441   agent does not already have the representation cached.
1442
14434.3.4.  PUT
1444
1445   The PUT method requests that the state of the target resource be
1446   created or replaced with the state defined by the representation
1447   enclosed in the request message payload.  A successful PUT of a given
1448   representation would suggest that a subsequent GET on that same
1449   target resource will result in an equivalent representation being
1450   sent in a 200 (OK) response.  However, there is no guarantee that
1451   such a state change will be observable, since the target resource
1452
1453
1454
1455Fielding & Reschke       Expires March 29, 2014                [Page 26]
1456
1457Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1458
1459
1460   might be acted upon by other user agents in parallel, or might be
1461   subject to dynamic processing by the origin server, before any
1462   subsequent GET is received.  A successful response only implies that
1463   the user agent's intent was achieved at the time of its processing by
1464   the origin server.
1465
1466   If the target resource does not have a current representation and the
1467   PUT successfully creates one, then the origin server MUST inform the
1468   user agent by sending a 201 (Created) response.  If the target
1469   resource does have a current representation and that representation
1470   is successfully modified in accordance with the state of the enclosed
1471   representation, then the origin server MUST send either a 200 (OK) or
1472   a 204 (No Content) response to indicate successful completion of the
1473   request.
1474
1475   An origin server SHOULD ignore unrecognized header fields received in
1476   a PUT request (i.e., do not save them as part of the resource state).
1477
1478   An origin server SHOULD verify that the PUT representation is
1479   consistent with any constraints the server has for the target
1480   resource that cannot or will not be changed by the PUT.  This is
1481   particularly important when the origin server uses internal
1482   configuration information related to the URI in order to set the
1483   values for representation metadata on GET responses.  When a PUT
1484   representation is inconsistent with the target resource, the origin
1485   server SHOULD either make them consistent, by transforming the
1486   representation or changing the resource configuration, or respond
1487   with an appropriate error message containing sufficient information
1488   to explain why the representation is unsuitable.  The 409 (Conflict)
1489   or 415 (Unsupported Media Type) status codes are suggested, with the
1490   latter being specific to constraints on Content-Type values.
1491
1492   For example, if the target resource is configured to always have a
1493   Content-Type of "text/html" and the representation being PUT has a
1494   Content-Type of "image/jpeg", the origin server ought to do one of:
1495
1496   a.  reconfigure the target resource to reflect the new media type;
1497
1498   b.  transform the PUT representation to a format consistent with that
1499       of the resource before saving it as the new resource state; or,
1500
1501   c.  reject the request with a 415 (Unsupported Media Type) response
1502       indicating that the target resource is limited to "text/html",
1503       perhaps including a link to a different resource that would be a
1504       suitable target for the new representation.
1505
1506   HTTP does not define exactly how a PUT method affects the state of an
1507   origin server beyond what can be expressed by the intent of the user
1508
1509
1510
1511Fielding & Reschke       Expires March 29, 2014                [Page 27]
1512
1513Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1514
1515
1516   agent request and the semantics of the origin server response.  It
1517   does not define what a resource might be, in any sense of that word,
1518   beyond the interface provided via HTTP.  It does not define how
1519   resource state is "stored", nor how such storage might change as a
1520   result of a change in resource state, nor how the origin server
1521   translates resource state into representations.  Generally speaking,
1522   all implementation details behind the resource interface are
1523   intentionally hidden by the server.
1524
1525   An origin server MUST NOT send a validator header field
1526   (Section 7.2), such as an ETag or Last-Modified field, in a
1527   successful response to PUT unless the request's representation data
1528   was saved without any transformation applied to the body (i.e., the
1529   resource's new representation data is identical to the representation
1530   data received in the PUT request) and the validator field value
1531   reflects the new representation.  This requirement allows a user
1532   agent to know when the representation body it has in memory remains
1533   current as a result of the PUT, thus not in need of retrieving again
1534   from the origin server, and that the new validator(s) received in the
1535   response can be used for future conditional requests in order to
1536   prevent accidental overwrites (Section 5.2).
1537
1538   The fundamental difference between the POST and PUT methods is
1539   highlighted by the different intent for the enclosed representation.
1540   The target resource in a POST request is intended to handle the
1541   enclosed representation according to the resource's own semantics,
1542   whereas the enclosed representation in a PUT request is defined as
1543   replacing the state of the target resource.  Hence, the intent of PUT
1544   is idempotent and visible to intermediaries, even though the exact
1545   effect is only known by the origin server.
1546
1547   Proper interpretation of a PUT request presumes that the user agent
1548   knows which target resource is desired.  A service that selects a
1549   proper URI on behalf of the client, after receiving a state-changing
1550   request, SHOULD be implemented using the POST method rather than PUT.
1551   If the origin server will not make the requested PUT state change to
1552   the target resource and instead wishes to have it applied to a
1553   different resource, such as when the resource has been moved to a
1554   different URI, then the origin server MUST send an appropriate 3xx
1555   (Redirection) response; the user agent MAY then make its own decision
1556   regarding whether or not to redirect the request.
1557
1558   A PUT request applied to the target resource can have side-effects on
1559   other resources.  For example, an article might have a URI for
1560   identifying "the current version" (a resource) that is separate from
1561   the URIs identifying each particular version (different resources
1562   that at one point shared the same state as the current version
1563   resource).  A successful PUT request on "the current version" URI
1564
1565
1566
1567Fielding & Reschke       Expires March 29, 2014                [Page 28]
1568
1569Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1570
1571
1572   might therefore create a new version resource in addition to changing
1573   the state of the target resource, and might also cause links to be
1574   added between the related resources.
1575
1576   An origin server that allows PUT on a given target resource MUST send
1577   a 400 (Bad Request) response to a PUT request that contains a
1578   Content-Range header field (Section 4.2 of [Part5]), since the
1579   payload is likely to be partial content that has been mistakenly PUT
1580   as a full representation.  Partial content updates are possible by
1581   targeting a separately identified resource with state that overlaps a
1582   portion of the larger resource, or by using a different method that
1583   has been specifically defined for partial updates (for example, the
1584   PATCH method defined in [RFC5789]).
1585
1586   Responses to the PUT method are not cacheable.  If a successful PUT
1587   request passes through a cache that has one or more stored responses
1588   for the effective request URI, those stored responses will be
1589   invalidated (see Section 4.4 of [Part6]).
1590
15914.3.5.  DELETE
1592
1593   The DELETE method requests that the origin server remove the
1594   association between the target resource and its current
1595   functionality.  In effect, this method is similar to the rm command
1596   in UNIX: it expresses a deletion operation on the URI mapping of the
1597   origin server, rather than an expectation that the previously
1598   associated information be deleted.
1599
1600   If the target resource has one or more current representations, they
1601   might or might not be destroyed by the origin server, and the
1602   associated storage might or might not be reclaimed, depending
1603   entirely on the nature of the resource and its implementation by the
1604   origin server (which are beyond the scope of this specification).
1605   Likewise, other implementation aspects of a resource might need to be
1606   deactivated or archived as a result of a DELETE, such as database or
1607   gateway connections.  In general, it is assumed that the origin
1608   server will only allow DELETE on resources for which it has a
1609   prescribed mechanism for accomplishing the deletion.
1610
1611   Relatively few resources allow the DELETE method -- its primary use
1612   is for remote authoring environments, where the user has some
1613   direction regarding its effect.  For example, a resource that was
1614   previously created using a PUT request, or identified via the
1615   Location header field after a 201 (Created) response to a POST
1616   request, might allow a corresponding DELETE request to undo those
1617   actions.  Similarly, custom user agent implementations that implement
1618   an authoring function, such as revision control clients using HTTP
1619   for remote operations, might use DELETE based on an assumption that
1620
1621
1622
1623Fielding & Reschke       Expires March 29, 2014                [Page 29]
1624
1625Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1626
1627
1628   the server's URI space has been crafted to correspond to a version
1629   repository.
1630
1631   If a DELETE method is successfully applied, the origin server SHOULD
1632   send a 202 (Accepted) status code if the action will likely succeed
1633   but has not yet been enacted, a 204 (No Content) status code if the
1634   action has been enacted and no further information is to be supplied,
1635   or a 200 (OK) status code if the action has been enacted and the
1636   response message includes a representation describing the status.
1637
1638   A payload within a DELETE request message has no defined semantics;
1639   sending a payload body on a DELETE request might cause some existing
1640   implementations to reject the request.
1641
1642   Responses to the DELETE method are not cacheable.  If a DELETE
1643   request passes through a cache that has one or more stored responses
1644   for the effective request URI, those stored responses will be
1645   invalidated (see Section 4.4 of [Part6]).
1646
16474.3.6.  CONNECT
1648
1649   The CONNECT method requests that the recipient establish a tunnel to
1650   the destination origin server identified by the request-target and,
1651   if successful, thereafter restrict its behavior to blind forwarding
1652   of packets, in both directions, until the tunnel is closed.
1653
1654   CONNECT is intended only for use in requests to a proxy.  An origin
1655   server that receives a CONNECT request for itself MAY respond with a
1656   2xx status code to indicate that a connection is established.
1657   However, most origin servers do not implement CONNECT.
1658
1659   A client sending a CONNECT request MUST send the authority form of
1660   request-target (Section 5.3 of [Part1]); i.e., the request-target
1661   consists of only the host name and port number of the tunnel
1662   destination, separated by a colon.  For example,
1663
1664     CONNECT server.example.com:80 HTTP/1.1
1665     Host: server.example.com:80
1666
1667
1668   The recipient proxy can establish a tunnel either by directly
1669   connecting to the request-target or, if configured to use another
1670   proxy, by forwarding the CONNECT request to the next inbound proxy.
1671   Any 2xx (Successful) response indicates that the sender (and all
1672   inbound proxies) will switch to tunnel mode immediately after the
1673   blank line that concludes the successful response's header section;
1674   data received after that blank line is from the server identified by
1675   the request-target.  Any response other than a successful response
1676
1677
1678
1679Fielding & Reschke       Expires March 29, 2014                [Page 30]
1680
1681Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1682
1683
1684   indicates that the tunnel has not yet been formed and that the
1685   connection remains governed by HTTP.
1686
1687   A tunnel is closed when a tunnel intermediary detects that either
1688   side has closed its connection: the intermediary MUST attempt to send
1689   any outstanding data that came from the closed side to the other
1690   side, close both connections, and then discard any remaining data
1691   left undelivered.
1692
1693   Proxy authentication might be used to establish the authority to
1694   create a tunnel.  For example,
1695
1696     CONNECT server.example.com:80 HTTP/1.1
1697     Host: server.example.com:80
1698     Proxy-Authorization: basic aGVsbG86d29ybGQ=
1699
1700
1701   There are significant risks in establishing a tunnel to arbitrary
1702   servers, particularly when the destination is a well-known or
1703   reserved TCP port that is not intended for Web traffic.  For example,
1704   a CONNECT to a request-target of "example.com:25" would suggest that
1705   the proxy connect to the reserved port for SMTP traffic; if allowed,
1706   that could trick the proxy into relaying spam email.  Proxies that
1707   support CONNECT SHOULD restrict its use to a limited set of known
1708   ports or a configurable whitelist of safe request targets.
1709
1710   A server MUST NOT send any Transfer-Encoding or Content-Length header
1711   fields in a 2xx (Successful) response to CONNECT.  A client MUST
1712   ignore any Content-Length or Transfer-Encoding header fields received
1713   in a successful response to CONNECT.
1714
1715   A payload within a CONNECT request message has no defined semantics;
1716   sending a payload body on a CONNECT request might cause some existing
1717   implementations to reject the request.
1718
1719   Responses to the CONNECT method are not cacheable.
1720
17214.3.7.  OPTIONS
1722
1723   The OPTIONS method requests information about the communication
1724   options available for the target resource, either at the origin
1725   server or an intervening intermediary.  This method allows a client
1726   to determine the options and/or requirements associated with a
1727   resource, or the capabilities of a server, without implying a
1728   resource action.
1729
1730   An OPTIONS request with an asterisk ("*") as the request-target
1731   (Section 5.3 of [Part1]) applies to the server in general rather than
1732
1733
1734
1735Fielding & Reschke       Expires March 29, 2014                [Page 31]
1736
1737Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1738
1739
1740   to a specific resource.  Since a server's communication options
1741   typically depend on the resource, the "*" request is only useful as a
1742   "ping" or "no-op" type of method; it does nothing beyond allowing the
1743   client to test the capabilities of the server.  For example, this can
1744   be used to test a proxy for HTTP/1.1 conformance (or lack thereof).
1745
1746   If the request-target is not an asterisk, the OPTIONS request applies
1747   to the options that are available when communicating with the target
1748   resource.
1749
1750   A server generating a successful response to OPTIONS SHOULD send any
1751   header fields that might indicate optional features implemented by
1752   the server and applicable to the target resource (e.g., Allow),
1753   including potential extensions not defined by this specification.
1754   The response payload, if any, might also describe the communication
1755   options in a machine or human-readable representation.  A standard
1756   format for such a representation is not defined by this
1757   specification, but might be defined by future extensions to HTTP.  A
1758   server MUST generate a Content-Length field with a value of "0" if no
1759   payload body is to be sent in the response.
1760
1761   A client MAY send a Max-Forwards header field in an OPTIONS request
1762   to target a specific recipient in the request chain (see
1763   Section 5.1.2).  A proxy MUST NOT generate a Max-Forwards header
1764   field while forwarding a request unless that request was received
1765   with a Max-Forwards field.
1766
1767   A client that generates an OPTIONS request containing a payload body
1768   MUST send a valid Content-Type header field describing the
1769   representation media type.  Although this specification does not
1770   define any use for such a payload, future extensions to HTTP might
1771   use the OPTIONS body to make more detailed queries about the target
1772   resource.
1773
1774   Responses to the OPTIONS method are not cacheable.
1775
17764.3.8.  TRACE
1777
1778   The TRACE method requests a remote, application-level loop-back of
1779   the request message.  The final recipient of the request SHOULD
1780   reflect the message received, excluding some fields described below,
1781   back to the client as the message body of a 200 (OK) response with a
1782   Content-Type of "message/http" (Section 8.3.1 of [Part1]).  The final
1783   recipient is either the origin server or the first server to receive
1784   a Max-Forwards value of zero (0) in the request (Section 5.1.2).
1785
1786   A client MUST NOT generate header fields in a TRACE request
1787   containing sensitive data that might be disclosed by the response.
1788
1789
1790
1791Fielding & Reschke       Expires March 29, 2014                [Page 32]
1792
1793Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1794
1795
1796   For example, it would be foolish for a user agent to send stored user
1797   credentials [Part7] or cookies [RFC6265] in a TRACE request.  The
1798   final recipient of the request SHOULD exclude any request header
1799   fields that are likely to contain sensitive data when that recipient
1800   generates the response body.
1801
1802   TRACE allows the client to see what is being received at the other
1803   end of the request chain and use that data for testing or diagnostic
1804   information.  The value of the Via header field (Section 5.7.1 of
1805   [Part1]) is of particular interest, since it acts as a trace of the
1806   request chain.  Use of the Max-Forwards header field allows the
1807   client to limit the length of the request chain, which is useful for
1808   testing a chain of proxies forwarding messages in an infinite loop.
1809
1810   A client MUST NOT send a message body in a TRACE request.
1811
1812   Responses to the TRACE method are not cacheable.
1813
18145.  Request Header Fields
1815
1816   A client sends request header fields to provide more information
1817   about the request context, make the request conditional based on the
1818   target resource state, suggest preferred formats for the response,
1819   supply authentication credentials, or modify the expected request
1820   processing.  These fields act as request modifiers, similar to the
1821   parameters on a programming language method invocation.
1822
18235.1.  Controls
1824
1825   Controls are request header fields that direct specific handling of
1826   the request.
1827
1828   +-------------------+------------------------+
1829   | Header Field Name | Defined in...          |
1830   +-------------------+------------------------+
1831   | Cache-Control     | Section 5.2 of [Part6] |
1832   | Expect            | Section 5.1.1          |
1833   | Host              | Section 5.4 of [Part1] |
1834   | Max-Forwards      | Section 5.1.2          |
1835   | Pragma            | Section 5.4 of [Part6] |
1836   | Range             | Section 3.1 of [Part5] |
1837   | TE                | Section 4.3 of [Part1] |
1838   +-------------------+------------------------+
1839
1840
1841
1842
1843
1844
1845
1846
1847Fielding & Reschke       Expires March 29, 2014                [Page 33]
1848
1849Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1850
1851
18525.1.1.  Expect
1853
1854   The "Expect" header field in a request indicates a certain set of
1855   behaviors (expectations) that need to be supported by the server in
1856   order to properly handle this request.  The only such expectation
1857   defined by this specification is 100-continue.
1858
1859     Expect  = "100-continue"
1860
1861   The Expect field-value is case-insensitive.
1862
1863   A server that receives an Expect field-value other than 100-continue
1864   MAY respond with a 417 (Expectation Failed) status code to indicate
1865   that the unexpected expectation cannot be met.
1866
1867   A 100-continue expectation informs recipients that the client is
1868   about to send a (presumably large) message body in this request and
1869   wishes to receive a 100 (Continue) interim response if the request-
1870   line and header fields are not sufficient to cause an immediate
1871   success, redirect, or error response.  This allows the client to wait
1872   for an indication that it is worthwhile to send the message body
1873   before actually doing so, which can improve efficiency when the
1874   message body is huge or when the client anticipates that an error is
1875   likely (e.g., when sending a state-changing method, for the first
1876   time, without previously verified authentication credentials).
1877
1878   For example, a request that begins with
1879
1880     PUT /somewhere/fun HTTP/1.1
1881     Host: origin.example.com
1882     Content-Type: video/h264
1883     Content-Length: 1234567890987
1884     Expect: 100-continue
1885
1886
1887   allows the origin server to immediately respond with an error
1888   message, such as 401 (Unauthorized) or 405 (Method Not Allowed),
1889   before the client starts filling the pipes with an unnecessary data
1890   transfer.
1891
1892   Requirements for clients:
1893
1894   o  A client MUST NOT generate a 100-continue expectation in a request
1895      that does not include a message body.
1896
1897   o  A client that will wait for a 100 (Continue) response before
1898      sending the request message body MUST send an Expect header field
1899      containing a 100-continue expectation.
1900
1901
1902
1903Fielding & Reschke       Expires March 29, 2014                [Page 34]
1904
1905Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1906
1907
1908   o  A client that sends a 100-continue expectation is not required to
1909      wait for any specific length of time; such a client MAY proceed to
1910      send the message body even if it has not yet received a response.
1911      Furthermore, since 100 (Continue) responses cannot be sent through
1912      an HTTP/1.0 intermediary, such a client SHOULD NOT wait for an
1913      indefinite period before sending the message body.
1914
1915   o  A client that receives a 417 (Expectation Failed) status code in
1916      response to a request containing a 100-continue expectation SHOULD
1917      repeat that request without a 100-continue expectation, since the
1918      417 response merely indicates that the response chain does not
1919      support expectations (e.g., it passes through an HTTP/1.0 server).
1920
1921   Requirements for servers:
1922
1923   o  A server that receives a 100-continue expectation in an HTTP/1.0
1924      request MUST ignore that expectation.
1925
1926   o  A server MAY omit sending a 100 (Continue) response if it has
1927      already received some or all of the message body for the
1928      corresponding request, or if the framing indicates that there is
1929      no message body.
1930
1931   o  A server that sends a 100 (Continue) response MUST ultimately send
1932      a final status code, once the message body is received and
1933      processed, unless the connection is closed prematurely.
1934
1935   o  A server that responds with a final status code before reading the
1936      entire message body SHOULD indicate in that response whether it
1937      intends to close the connection or continue reading and discarding
1938      the request message (see Section 6.6 of [Part1]).
1939
1940   An origin server MUST, upon receiving an HTTP/1.1 (or later) request-
1941   line and a complete header section that contains a 100-continue
1942   expectation and indicates a request message body will follow, either
1943   send an immediate response with a final status code, if that status
1944   can be determined by examining just the request-line and header
1945   fields, or send an immediate 100 (Continue) response to encourage the
1946   client to send the request's message body.  The origin server MUST
1947   NOT wait for the message body before sending the 100 (Continue)
1948   response.
1949
1950   A proxy MUST, upon receiving an HTTP/1.1 (or later) request-line and
1951   a complete header section that contains a 100-continue expectation
1952   and indicates a request message body will follow, either send an
1953   immediate response with a final status code, if that status can be
1954   determined by examining just the request-line and header fields, or
1955   begin forwarding the request toward the origin server by sending a
1956
1957
1958
1959Fielding & Reschke       Expires March 29, 2014                [Page 35]
1960
1961Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
1962
1963
1964   corresponding request-line and header section to the next inbound
1965   server.  If the proxy believes (from configuration or past
1966   interaction) that the next inbound server only supports HTTP/1.0, the
1967   proxy MAY generate an immediate 100 (Continue) response to encourage
1968   the client to begin sending the message body.
1969
1970      Note: The Expect header field was added after the original
1971      publication of HTTP/1.1 [RFC2068] as both the means to request an
1972      interim 100 response and the general mechanism for indicating
1973      must-understand extensions.  However, the extension mechanism has
1974      not been used by clients and the must-understand requirements have
1975      not been implemented by many servers, rendering the extension
1976      mechanism useless.  This specification has removed the extension
1977      mechanism in order to simplify the definition and processing of
1978      100-continue.
1979
19805.1.2.  Max-Forwards
1981
1982   The "Max-Forwards" header field provides a mechanism with the TRACE
1983   (Section 4.3.8) and OPTIONS (Section 4.3.7) request methods to limit
1984   the number of times that the request is forwarded by proxies.  This
1985   can be useful when the client is attempting to trace a request that
1986   appears to be failing or looping mid-chain.
1987
1988     Max-Forwards = 1*DIGIT
1989
1990   The Max-Forwards value is a decimal integer indicating the remaining
1991   number of times this request message can be forwarded.
1992
1993   Each intermediary that receives a TRACE or OPTIONS request containing
1994   a Max-Forwards header field MUST check and update its value prior to
1995   forwarding the request.  If the received value is zero (0), the
1996   intermediary MUST NOT forward the request; instead, the intermediary
1997   MUST respond as the final recipient.  If the received Max-Forwards
1998   value is greater than zero, the intermediary MUST generate an updated
1999   Max-Forwards field in the forwarded message with a field-value that
2000   is the lesser of: a) the received value decremented by one (1), or b)
2001   the recipient's maximum supported value for Max-Forwards.
2002
2003   A recipient MAY ignore a Max-Forwards header field received with any
2004   other request methods.
2005
20065.2.  Conditionals
2007
2008   The HTTP conditional request header fields [Part4] allow a client to
2009   place a precondition on the state of the target resource, so that the
2010   action corresponding to the method semantics will not be applied if
2011   the precondition evaluates to false.  Each precondition defined by
2012
2013
2014
2015Fielding & Reschke       Expires March 29, 2014                [Page 36]
2016
2017Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2018
2019
2020   this specification consists of a comparison between a set of
2021   validators obtained from prior representations of the target resource
2022   to the current state of validators for the selected representation
2023   (Section 7.2).  Hence, these preconditions evaluate whether the state
2024   of the target resource has changed since a given state known by the
2025   client.  The effect of such an evaluation depends on the method
2026   semantics and choice of conditional, as defined in Section 5 of
2027   [Part4].
2028
2029   +---------------------+------------------------+
2030   | Header Field Name   | Defined in...          |
2031   +---------------------+------------------------+
2032   | If-Match            | Section 3.1 of [Part4] |
2033   | If-None-Match       | Section 3.2 of [Part4] |
2034   | If-Modified-Since   | Section 3.3 of [Part4] |
2035   | If-Unmodified-Since | Section 3.4 of [Part4] |
2036   | If-Range            | Section 3.2 of [Part5] |
2037   +---------------------+------------------------+
2038
20395.3.  Content Negotiation
2040
2041   The following request header fields are sent by a user agent to
2042   engage in proactive negotiation of the response content, as defined
2043   in Section 3.4.1.  The preferences sent in these fields apply to any
2044   content in the response, including representations of the target
2045   resource, representations of error or processing status, and
2046   potentially even the miscellaneous text strings that might appear
2047   within the protocol.
2048
2049   +-------------------+---------------+
2050   | Header Field Name | Defined in... |
2051   +-------------------+---------------+
2052   | Accept            | Section 5.3.2 |
2053   | Accept-Charset    | Section 5.3.3 |
2054   | Accept-Encoding   | Section 5.3.4 |
2055   | Accept-Language   | Section 5.3.5 |
2056   +-------------------+---------------+
2057
20585.3.1.  Quality Values
2059
2060   Many of the request header fields for proactive negotiation use a
2061   common parameter, named "q" (case-insensitive), to assign a relative
2062   "weight" to the preference for that associated kind of content.  This
2063   weight is referred to as a "quality value" (or "qvalue") because the
2064   same parameter name is often used within server configurations to
2065   assign a weight to the relative quality of the various
2066   representations that can be selected for a resource.
2067
2068
2069
2070
2071Fielding & Reschke       Expires March 29, 2014                [Page 37]
2072
2073Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2074
2075
2076   The weight is normalized to a real number in the range 0 through 1,
2077   where 0.001 is the least preferred and 1 is the most preferred; a
2078   value of 0 means "not acceptable".  If no "q" parameter is present,
2079   the default weight is 1.
2080
2081     weight = OWS ";" OWS "q=" qvalue
2082     qvalue = ( "0" [ "." 0*3DIGIT ] )
2083            / ( "1" [ "." 0*3("0") ] )
2084
2085   A sender of qvalue MUST NOT generate more than three digits after the
2086   decimal point.  User configuration of these values ought to be
2087   limited in the same fashion.
2088
20895.3.2.  Accept
2090
2091   The "Accept" header field can be used by user agents to specify
2092   response media types that are acceptable.  Accept header fields can
2093   be used to indicate that the request is specifically limited to a
2094   small set of desired types, as in the case of a request for an in-
2095   line image.
2096
2097     Accept = #( media-range [ accept-params ] )
2098
2099     media-range    = ( "*/*"
2100                      / ( type "/" "*" )
2101                      / ( type "/" subtype )
2102                      ) *( OWS ";" OWS parameter )
2103     accept-params  = weight *( accept-ext )
2104     accept-ext     = OWS ";" OWS token [ "=" word ]
2105
2106   The asterisk "*" character is used to group media types into ranges,
2107   with "*/*" indicating all media types and "type/*" indicating all
2108   subtypes of that type.  The media-range can include media type
2109   parameters that are applicable to that range.
2110
2111   Each media-range might be followed by zero or more applicable media
2112   type parameters (e.g., charset), an optional "q" parameter for
2113   indicating a relative weight (Section 5.3.1), and then zero or more
2114   extension parameters.  The "q" parameter is necessary if any
2115   extensions (accept-ext) are present, since it acts as a separator
2116   between the two parameter sets.
2117
2118      Note: Use of the "q" parameter name to separate media type
2119      parameters from Accept extension parameters is due to historical
2120      practice.  Although this prevents any media type parameter named
2121      "q" from being used with a media range, such an event is believed
2122      to be unlikely given the lack of any "q" parameters in the IANA
2123      media type registry and the rare usage of any media type
2124
2125
2126
2127Fielding & Reschke       Expires March 29, 2014                [Page 38]
2128
2129Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2130
2131
2132      parameters in Accept.  Future media types are discouraged from
2133      registering any parameter named "q".
2134
2135   The example
2136
2137     Accept: audio/*; q=0.2, audio/basic
2138
2139   is interpreted as "I prefer audio/basic, but send me any audio type
2140   if it is the best available after an 80% mark-down in quality".
2141
2142   A request without any Accept header field implies that the user agent
2143   will accept any media type in response.  If the header field is
2144   present in a request and none of the available representations for
2145   the response have a media type that is listed as acceptable, the
2146   origin server can either honor the header field by sending a 406 (Not
2147   Acceptable) response or disregard the header field by treating the
2148   response as if it is not subject to content negotiation.
2149
2150   A more elaborate example is
2151
2152     Accept: text/plain; q=0.5, text/html,
2153             text/x-dvi; q=0.8, text/x-c
2154
2155   Verbally, this would be interpreted as "text/html and text/x-c are
2156   the equally preferred media types, but if they do not exist, then
2157   send the text/x-dvi representation, and if that does not exist, send
2158   the text/plain representation".
2159
2160   Media ranges can be overridden by more specific media ranges or
2161   specific media types.  If more than one media range applies to a
2162   given type, the most specific reference has precedence.  For example,
2163
2164     Accept: text/*, text/plain, text/plain;format=flowed, */*
2165
2166   have the following precedence:
2167
2168   1.  text/plain;format=flowed
2169
2170   2.  text/plain
2171
2172   3.  text/*
2173
2174   4.  */*
2175
2176   The media type quality factor associated with a given type is
2177   determined by finding the media range with the highest precedence
2178   that matches the type.  For example,
2179
2180
2181
2182
2183Fielding & Reschke       Expires March 29, 2014                [Page 39]
2184
2185Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2186
2187
2188     Accept: text/*;q=0.3, text/html;q=0.7, text/html;level=1,
2189             text/html;level=2;q=0.4, */*;q=0.5
2190
2191   would cause the following values to be associated:
2192
2193   +-------------------+---------------+
2194   | Media Type        | Quality Value |
2195   +-------------------+---------------+
2196   | text/html;level=1 | 1             |
2197   | text/html         | 0.7           |
2198   | text/plain        | 0.3           |
2199   | image/jpeg        | 0.5           |
2200   | text/html;level=2 | 0.4           |
2201   | text/html;level=3 | 0.7           |
2202   +-------------------+---------------+
2203
2204   Note: A user agent might be provided with a default set of quality
2205   values for certain media ranges.  However, unless the user agent is a
2206   closed system that cannot interact with other rendering agents, this
2207   default set ought to be configurable by the user.
2208
22095.3.3.  Accept-Charset
2210
2211   The "Accept-Charset" header field can be sent by a user agent to
2212   indicate what charsets are acceptable in textual response content.
2213   This field allows user agents capable of understanding more
2214   comprehensive or special-purpose charsets to signal that capability
2215   to an origin server that is capable of representing information in
2216   those charsets.
2217
2218     Accept-Charset = 1#( ( charset / "*" ) [ weight ] )
2219
2220   Charset names are defined in Section 3.1.1.2.  A user agent MAY
2221   associate a quality value with each charset to indicate the user's
2222   relative preference for that charset, as defined in Section 5.3.1.
2223   An example is
2224
2225     Accept-Charset: iso-8859-5, unicode-1-1;q=0.8
2226
2227   The special value "*", if present in the Accept-Charset field,
2228   matches every charset that is not mentioned elsewhere in the Accept-
2229   Charset field.  If no "*" is present in an Accept-Charset field, then
2230   any charsets not explicitly mentioned in the field are considered
2231   "not acceptable" to the client.
2232
2233   A request without any Accept-Charset header field implies that the
2234   user agent will accept any charset in response.  Most general-purpose
2235   user agents do not send Accept-Charset, unless specifically
2236
2237
2238
2239Fielding & Reschke       Expires March 29, 2014                [Page 40]
2240
2241Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2242
2243
2244   configured to do so, because a detailed list of supported charsets
2245   makes it easier for a server to identify an individual by virtue of
2246   the user agent's request characteristics (Section 9.6).
2247
2248   If an Accept-Charset header field is present in a request and none of
2249   the available representations for the response has a charset that is
2250   listed as acceptable, the origin server can either honor the header
2251   field, by sending a 406 (Not Acceptable) response, or disregard the
2252   header field by treating the resource as if it is not subject to
2253   content negotiation.
2254
22555.3.4.  Accept-Encoding
2256
2257   The "Accept-Encoding" header field can be used by user agents to
2258   indicate what response content-codings (Section 3.1.2.1) are
2259   acceptable in the response.  An "identity" token is used as a synonym
2260   for "no encoding" in order to communicate when no encoding is
2261   preferred.
2262
2263     Accept-Encoding  = #( codings [ weight ] )
2264     codings          = content-coding / "identity" / "*"
2265
2266   Each codings value MAY be given an associated quality value
2267   representing the preference for that encoding, as defined in
2268   Section 5.3.1.  The asterisk "*" symbol in an Accept-Encoding field
2269   matches any available content-coding not explicitly listed in the
2270   header field.
2271
2272   For example,
2273
2274     Accept-Encoding: compress, gzip
2275     Accept-Encoding:
2276     Accept-Encoding: *
2277     Accept-Encoding: compress;q=0.5, gzip;q=1.0
2278     Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0
2279
2280   A request without an Accept-Encoding header field implies that the
2281   user agent has no preferences regarding content-codings.  Although
2282   this allows the server to use any content-coding in a response, it
2283   does not imply that the user agent will be able to correctly process
2284   all encodings.
2285
2286   A server tests whether a content-coding for a given representation is
2287   acceptable using these rules:
2288
2289   1.  If no Accept-Encoding field is in the request, any content-coding
2290       is considered acceptable by the user agent.
2291
2292
2293
2294
2295Fielding & Reschke       Expires March 29, 2014                [Page 41]
2296
2297Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2298
2299
2300   2.  If the representation has no content-coding, then it is
2301       acceptable by default unless specifically excluded by the Accept-
2302       Encoding field stating either "identity;q=0" or "*;q=0" without a
2303       more specific entry for "identity".
2304
2305   3.  If the representation's content-coding is one of the content-
2306       codings listed in the Accept-Encoding field, then it is
2307       acceptable unless it is accompanied by a qvalue of 0.  (As
2308       defined in Section 5.3.1, a qvalue of 0 means "not acceptable".)
2309
2310   4.  If multiple content-codings are acceptable, then the acceptable
2311       content-coding with the highest non-zero qvalue is preferred.
2312
2313   An Accept-Encoding header field with a combined field-value that is
2314   empty implies that the user agent does not want any content-coding in
2315   response.  If an Accept-Encoding header field is present in a request
2316   and none of the available representations for the response have a
2317   content-coding that is listed as acceptable, the origin server SHOULD
2318   send a response without any content-coding.
2319
2320      Note: Most HTTP/1.0 applications do not recognize or obey qvalues
2321      associated with content-codings.  This means that qvalues might
2322      not work and are not permitted with x-gzip or x-compress.
2323
23245.3.5.  Accept-Language
2325
2326   The "Accept-Language" header field can be used by user agents to
2327   indicate the set of natural languages that are preferred in the
2328   response.  Language tags are defined in Section 3.1.3.1.
2329
2330     Accept-Language = 1#( language-range [ weight ] )
2331     language-range  =
2332               <language-range, defined in [RFC4647], Section 2.1>
2333
2334   Each language-range can be given an associated quality value
2335   representing an estimate of the user's preference for the languages
2336   specified by that range, as defined in Section 5.3.1.  For example,
2337
2338     Accept-Language: da, en-gb;q=0.8, en;q=0.7
2339
2340   would mean: "I prefer Danish, but will accept British English and
2341   other types of English".
2342
2343   A request without any Accept-Language header field implies that the
2344   user agent will accept any language in response.  If the header field
2345   is present in a request and none of the available representations for
2346   the response have a matching language tag, the origin server can
2347   either disregard the header field by treating the response as if it
2348
2349
2350
2351Fielding & Reschke       Expires March 29, 2014                [Page 42]
2352
2353Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2354
2355
2356   is not subject to content negotiation, or honor the header field by
2357   sending a 406 (Not Acceptable) response.  However, the latter is not
2358   encouraged, as doing so can prevent users from accessing content that
2359   they might be able to use (with translation software, for example).
2360
2361   Note that some recipients treat the order in which language tags are
2362   listed as an indication of descending priority, particularly for tags
2363   that are assigned equal quality values (no value is the same as q=1).
2364   However, this behavior cannot be relied upon.  For consistency and to
2365   maximize interoperability, many user agents assign each language tag
2366   a unique quality value while also listing them in order of decreasing
2367   quality.  Additional discussion of language priority lists can be
2368   found in Section 2.3 of [RFC4647].
2369
2370   For matching, Section 3 of [RFC4647] defines several matching
2371   schemes.  Implementations can offer the most appropriate matching
2372   scheme for their requirements.  The "Basic Filtering" scheme
2373   ([RFC4647], Section 3.3.1) is identical to the matching scheme that
2374   was previously defined for HTTP in Section 14.4 of [RFC2616].
2375
2376   It might be contrary to the privacy expectations of the user to send
2377   an Accept-Language header field with the complete linguistic
2378   preferences of the user in every request (Section 9.6).
2379
2380   Since intelligibility is highly dependent on the individual user,
2381   user agents need to allow user control over the linguistic
2382   preference.  A user agent that does not provide such control to the
2383   user MUST NOT send an Accept-Language header field.
2384
2385      Note: User agents ought to provide guidance to users when setting
2386      a preference, since users are rarely familiar with the details of
2387      language matching as described above.  For example, users might
2388      assume that on selecting "en-gb", they will be served any kind of
2389      English document if British English is not available.  A user
2390      agent might suggest, in such a case, to add "en" to the list for
2391      better matching behavior.
2392
23935.4.  Authentication Credentials
2394
2395   Two header fields are used for carrying authentication credentials,
2396   as defined in [Part7].  Note that various custom mechanisms for user
2397   authentication use the Cookie header field for this purpose, as
2398   defined in [RFC6265].
2399
2400
2401
2402
2403
2404
2405
2406
2407Fielding & Reschke       Expires March 29, 2014                [Page 43]
2408
2409Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2410
2411
2412   +---------------------+------------------------+
2413   | Header Field Name   | Defined in...          |
2414   +---------------------+------------------------+
2415   | Authorization       | Section 4.1 of [Part7] |
2416   | Proxy-Authorization | Section 4.3 of [Part7] |
2417   +---------------------+------------------------+
2418
24195.5.  Request Context
2420
2421   The following request header fields provide additional information
2422   about the request context, including information about the user, user
2423   agent, and resource behind the request.
2424
2425   +-------------------+---------------+
2426   | Header Field Name | Defined in... |
2427   +-------------------+---------------+
2428   | From              | Section 5.5.1 |
2429   | Referer           | Section 5.5.2 |
2430   | User-Agent        | Section 5.5.3 |
2431   +-------------------+---------------+
2432
24335.5.1.  From
2434
2435   The "From" header field contains an Internet email address for a
2436   human user who controls the requesting user agent.  The address ought
2437   to be machine-usable, as defined by "mailbox" in Section 3.4 of
2438   [RFC5322]:
2439
2440     From    = mailbox
2441
2442     mailbox = <mailbox, defined in [RFC5322], Section 3.4>
2443
2444   An example is:
2445
2446     From: webmaster@example.org
2447
2448   The From header field is rarely sent by non-robotic user agents.  A
2449   user agent SHOULD NOT send a From header field without explicit
2450   configuration by the user, since that might conflict with the user's
2451   privacy interests or their site's security policy.
2452
2453   A robotic user agent SHOULD send a valid From header field so that
2454   the person responsible for running the robot can be contacted if
2455   problems occur on servers, such as if the robot is sending excessive,
2456   unwanted, or invalid requests.
2457
2458   A server SHOULD NOT use the From header field for access control or
2459   authentication, since most recipients will assume that the field
2460
2461
2462
2463Fielding & Reschke       Expires March 29, 2014                [Page 44]
2464
2465Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2466
2467
2468   value is public information.
2469
24705.5.2.  Referer
2471
2472   The "Referer" [sic] header field allows the user agent to specify a
2473   URI reference for the resource from which the target URI was obtained
2474   (i.e., the "referrer", though the field name is misspelled).  A user
2475   agent MUST NOT include the fragment and userinfo components of the
2476   URI reference [RFC3986], if any, when generating the Referer field
2477   value.
2478
2479     Referer = absolute-URI / partial-URI
2480
2481   Referer allows servers to generate back-links to other resources for
2482   simple analytics, logging, optimized caching, etc.  It also allows
2483   obsolete or mistyped links to be found for maintenance.  Some servers
2484   use Referer as a means of denying links from other sites (so-called
2485   "deep linking") or restricting cross-site request forgery (CSRF), but
2486   not all requests contain a Referer header field.
2487
2488   Example:
2489
2490     Referer: http://www.example.org/hypertext/Overview.html
2491
2492   If the target URI was obtained from a source that does not have its
2493   own URI (e.g., input from the user keyboard, or an entry within the
2494   user's bookmarks/favorites), the user agent MUST either exclude
2495   Referer or send it with a value of "about:blank".
2496
2497   The Referer field has the potential to reveal information about the
2498   request context or browsing history of the user, which is a privacy
2499   concern if the referring resource's identifier reveals personal
2500   information (such as an account name) or a resource that is supposed
2501   to be confidential (such as behind a firewall or internal to a
2502   secured service).  Most general-purpose user agents do not send the
2503   Referer header field when the referring resource is a local "file" or
2504   "data" URI.  A user agent MUST NOT send a Referer header field in an
2505   unsecured HTTP request if the referring page was received with a
2506   secure protocol.  See Section 9.3 for additional security
2507   considerations.
2508
2509   Some intermediaries have been known to indiscriminately remove
2510   Referer header fields from outgoing requests.  This has the
2511   unfortunate side-effect of interfering with protection against CSRF
2512   attacks, which can be far more harmful to their users.
2513   Intermediaries and user agent extensions that wish to limit
2514   information disclosure in Referer ought to restrict their changes to
2515   specific edits, such as replacing internal domain names with
2516
2517
2518
2519Fielding & Reschke       Expires March 29, 2014                [Page 45]
2520
2521Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2522
2523
2524   pseudonyms or truncating the query and/or path components.  An
2525   intermediary SHOULD NOT modify or delete the Referer header field
2526   when the field value shares the same scheme and host as the request
2527   target.
2528
25295.5.3.  User-Agent
2530
2531   The "User-Agent" header field contains information about the user
2532   agent originating the request, which is often used by servers to help
2533   identify the scope of reported interoperability problems, to work
2534   around or tailor responses to avoid particular user agent
2535   limitations, and for analytics regarding browser or operating system
2536   use.  A user agent SHOULD send a User-Agent field in each request
2537   unless specifically configured not to do so.
2538
2539     User-Agent = product *( RWS ( product / comment ) )
2540
2541   The User-Agent field-value consists of one or more product
2542   identifiers, each followed by zero or more comments (Section 3.2 of
2543   [Part1]), which together identify the user agent software and its
2544   significant subproducts.  By convention, the product identifiers are
2545   listed in decreasing order of their significance for identifying the
2546   user agent software.  Each product identifier consists of a name and
2547   optional version.
2548
2549     product         = token ["/" product-version]
2550     product-version = token
2551
2552   A sender SHOULD limit generated product identifiers to what is
2553   necessary to identify the product; a sender MUST NOT generate
2554   advertising or other non-essential information within the product
2555   identifier.  A sender SHOULD NOT generate information in product-
2556   version that is not a version identifier (i.e., successive versions
2557   of the same product name ought to only differ in the product-version
2558   portion of the product identifier).
2559
2560   Example:
2561
2562     User-Agent: CERN-LineMode/2.15 libwww/2.17b3
2563
2564   A user agent SHOULD NOT generate a User-Agent field containing
2565   needlessly fine-grained detail and SHOULD limit the addition of
2566   subproducts by third parties.  Overly long and detailed User-Agent
2567   field values increase request latency and the risk of a user being
2568   identified against their wishes ("fingerprinting").
2569
2570   Likewise, implementations are encouraged not to use the product
2571   tokens of other implementations in order to declare compatibility
2572
2573
2574
2575Fielding & Reschke       Expires March 29, 2014                [Page 46]
2576
2577Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2578
2579
2580   with them, as this circumvents the purpose of the field.  If a user
2581   agent masquerades as a different user agent, recipients can assume
2582   that the user intentionally desires to see responses tailored for
2583   that identified user agent, even if they might not work as well for
2584   the actual user agent being used.
2585
25866.  Response Status Codes
2587
2588   The status-code element is a 3-digit integer code giving the result
2589   of the attempt to understand and satisfy the request.
2590
2591   HTTP status codes are extensible.  HTTP clients are not required to
2592   understand the meaning of all registered status codes, though such
2593   understanding is obviously desirable.  However, a client MUST
2594   understand the class of any status code, as indicated by the first
2595   digit, and treat an unrecognized status code as being equivalent to
2596   the x00 status code of that class, with the exception that a
2597   recipient MUST NOT cache a response with an unrecognized status code.
2598
2599   For example, if an unrecognized status code of 471 is received by a
2600   client, the client can assume that there was something wrong with its
2601   request and treat the response as if it had received a 400 status
2602   code.  The response message will usually contain a representation
2603   that explains the status.
2604
2605   The first digit of the status-code defines the class of response.
2606   The last two digits do not have any categorization role.  There are 5
2607   values for the first digit:
2608
2609   o  1xx (Informational): The request was received, continuing process
2610
2611   o  2xx (Successful): The request was successfully received,
2612      understood, and accepted
2613
2614   o  3xx (Redirection): Further action needs to be taken in order to
2615      complete the request
2616
2617   o  4xx (Client Error): The request contains bad syntax or cannot be
2618      fulfilled
2619
2620   o  5xx (Server Error): The server failed to fulfill an apparently
2621      valid request
2622
26236.1.  Overview of Status Codes
2624
2625   The status codes listed below are defined in this specification,
2626   Section 4 of [Part4], Section 4 of [Part5], and Section 3 of [Part7].
2627   The reason phrases listed here are only recommendations -- they can
2628
2629
2630
2631Fielding & Reschke       Expires March 29, 2014                [Page 47]
2632
2633Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2634
2635
2636   be replaced by local equivalents without affecting the protocol.
2637
2638   Responses with status codes that are defined as cacheable by default
2639   (e.g., 200, 203, 206, 300, 301, and 410 in this specification) can be
2640   reused by a cache with heuristic expiration unless otherwise
2641   indicated by the method definition or explicit cache controls
2642   [Part6]; all other status codes are not cacheable by default.
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687Fielding & Reschke       Expires March 29, 2014                [Page 48]
2688
2689Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2690
2691
2692   +------+-------------------------------+------------------------+
2693   | code | reason-phrase                 | Defined in...          |
2694   +------+-------------------------------+------------------------+
2695   | 100  | Continue                      | Section 6.2.1          |
2696   | 101  | Switching Protocols           | Section 6.2.2          |
2697   | 200  | OK                            | Section 6.3.1          |
2698   | 201  | Created                       | Section 6.3.2          |
2699   | 202  | Accepted                      | Section 6.3.3          |
2700   | 203  | Non-Authoritative Information | Section 6.3.4          |
2701   | 204  | No Content                    | Section 6.3.5          |
2702   | 205  | Reset Content                 | Section 6.3.6          |
2703   | 206  | Partial Content               | Section 4.1 of [Part5] |
2704   | 300  | Multiple Choices              | Section 6.4.1          |
2705   | 301  | Moved Permanently             | Section 6.4.2          |
2706   | 302  | Found                         | Section 6.4.3          |
2707   | 303  | See Other                     | Section 6.4.4          |
2708   | 304  | Not Modified                  | Section 4.1 of [Part4] |
2709   | 305  | Use Proxy                     | Section 6.4.5          |
2710   | 307  | Temporary Redirect            | Section 6.4.7          |
2711   | 400  | Bad Request                   | Section 6.5.1          |
2712   | 401  | Unauthorized                  | Section 3.1 of [Part7] |
2713   | 402  | Payment Required              | Section 6.5.2          |
2714   | 403  | Forbidden                     | Section 6.5.3          |
2715   | 404  | Not Found                     | Section 6.5.4          |
2716   | 405  | Method Not Allowed            | Section 6.5.5          |
2717   | 406  | Not Acceptable                | Section 6.5.6          |
2718   | 407  | Proxy Authentication Required | Section 3.2 of [Part7] |
2719   | 408  | Request Time-out              | Section 6.5.7          |
2720   | 409  | Conflict                      | Section 6.5.8          |
2721   | 410  | Gone                          | Section 6.5.9          |
2722   | 411  | Length Required               | Section 6.5.10         |
2723   | 412  | Precondition Failed           | Section 4.2 of [Part4] |
2724   | 413  | Payload Too Large             | Section 6.5.11         |
2725   | 414  | URI Too Long                  | Section 6.5.12         |
2726   | 415  | Unsupported Media Type        | Section 6.5.13         |
2727   | 416  | Range Not Satisfiable         | Section 4.4 of [Part5] |
2728   | 417  | Expectation Failed            | Section 6.5.14         |
2729   | 426  | Upgrade Required              | Section 6.5.15         |
2730   | 500  | Internal Server Error         | Section 6.6.1          |
2731   | 501  | Not Implemented               | Section 6.6.2          |
2732   | 502  | Bad Gateway                   | Section 6.6.3          |
2733   | 503  | Service Unavailable           | Section 6.6.4          |
2734   | 504  | Gateway Time-out              | Section 6.6.5          |
2735   | 505  | HTTP Version Not Supported    | Section 6.6.6          |
2736   +------+-------------------------------+------------------------+
2737
2738   Note that this list is not exhaustive -- it does not include
2739   extension status codes defined in other specifications.  The complete
2740
2741
2742
2743Fielding & Reschke       Expires March 29, 2014                [Page 49]
2744
2745Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2746
2747
2748   list of status codes is maintained by IANA.  See Section 8.2 for
2749   details.
2750
27516.2.  Informational 1xx
2752
2753   The 1xx (Informational) class of status code indicates an interim
2754   response for communicating connection status or request progress
2755   prior to completing the requested action and sending a final
2756   response.  All 1xx responses consist of only the status-line and
2757   optional header fields, and thus are terminated by the empty line at
2758   the end of the header section.  Since HTTP/1.0 did not define any 1xx
2759   status codes, a server MUST NOT send a 1xx response to an HTTP/1.0
2760   client.
2761
2762   A client MUST be able to parse one or more 1xx responses received
2763   prior to a final response, even if the client does not expect one.  A
2764   user agent MAY ignore unexpected 1xx responses.
2765
2766   A proxy MUST forward 1xx responses unless the proxy itself requested
2767   the generation of the 1xx response.  For example, if a proxy adds an
2768   "Expect: 100-continue" field when it forwards a request, then it need
2769   not forward the corresponding 100 (Continue) response(s).
2770
27716.2.1.  100 Continue
2772
2773   The 100 (Continue) status code indicates that the initial part of a
2774   request has been received and has not yet been rejected by the
2775   server.  The server intends to send a final response after the
2776   request has been fully received and acted upon.
2777
2778   When the request contains an Expect header field that includes a 100-
2779   continue expectation, the 100 response indicates that the server
2780   wishes to receive the request payload body, as described in
2781   Section 5.1.1.  The client ought to continue sending the request and
2782   discard the 100 response.
2783
2784   If the request did not contain an Expect header field containing the
2785   100-continue expectation, the client can simply discard this interim
2786   response.
2787
27886.2.2.  101 Switching Protocols
2789
2790   The 101 (Switching Protocols) status code indicates that the server
2791   understands and is willing to comply with the client's request, via
2792   the Upgrade header field (Section 6.7 of [Part1]), for a change in
2793   the application protocol being used on this connection.  The server
2794   MUST generate an Upgrade header field in the response that indicates
2795   which protocol(s) will be switched to immediately after the empty
2796
2797
2798
2799Fielding & Reschke       Expires March 29, 2014                [Page 50]
2800
2801Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2802
2803
2804   line that terminates the 101 response.
2805
2806   It is assumed that the server will only agree to switch protocols
2807   when it is advantageous to do so.  For example, switching to a newer
2808   version of HTTP might be advantageous over older versions, and
2809   switching to a real-time, synchronous protocol might be advantageous
2810   when delivering resources that use such features.
2811
28126.3.  Successful 2xx
2813
2814   The 2xx (Successful) class of status code indicates that the client's
2815   request was successfully received, understood, and accepted.
2816
28176.3.1.  200 OK
2818
2819   The
2820   200 (OK) status code indicates that the request has succeeded.  The
2821   payload sent in a 200 response depends on the request method.  For
2822   the methods defined by this specification, the intended meaning of
2823   the payload can be summarized as:
2824
2825   GET  a representation of the target resource;
2826
2827   HEAD  the same representation as GET, but without the representation
2828      data;
2829
2830   POST  a representation of the status of, or results obtained from,
2831      the action;
2832
2833   PUT, DELETE  a representation of the status of the action;
2834
2835   OPTIONS  a representation of the communications options;
2836
2837   TRACE  a representation of the request message as received by the end
2838      server.
2839
2840   Aside from responses to CONNECT, a 200 response always has a payload,
2841   though an origin server MAY generate a payload body of zero length.
2842   If no payload is desired, an origin server ought to send 204 (No
2843   Content) instead.  For CONNECT, no payload is allowed because the
2844   successful result is a tunnel, which begins immediately after the 200
2845   response header section.
2846
2847   A 200 response is cacheable unless otherwise indicated by the method
2848   definition or explicit cache controls (see Section 4.2.2 of [Part6]).
2849
2850
2851
2852
2853
2854
2855Fielding & Reschke       Expires March 29, 2014                [Page 51]
2856
2857Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2858
2859
28606.3.2.  201 Created
2861
2862   The 201 (Created) status code indicates that the request has been
2863   fulfilled and has resulted in one or more new resources being
2864   created.  The primary resource created by the request is identified
2865   by either a Location header field in the response or, if no Location
2866   field is received, by the effective request URI.
2867
2868   The 201 response payload typically describes and links to the
2869   resource(s) created.  See Section 7.2 for a discussion of the meaning
2870   and purpose of validator header fields, such as ETag and Last-
2871   Modified, in a 201 response.
2872
28736.3.3.  202 Accepted
2874
2875   The 202 (Accepted) status code indicates that the request has been
2876   accepted for processing, but the processing has not been completed.
2877   The request might or might not eventually be acted upon, as it might
2878   be disallowed when processing actually takes place.  There is no
2879   facility in HTTP for re-sending a status code from an asynchronous
2880   operation.
2881
2882   The 202 response is intentionally non-committal.  Its purpose is to
2883   allow a server to accept a request for some other process (perhaps a
2884   batch-oriented process that is only run once per day) without
2885   requiring that the user agent's connection to the server persist
2886   until the process is completed.  The representation sent with this
2887   response ought to describe the request's current status and point to
2888   (or embed) a status monitor that can provide the user with an
2889   estimate of when the request will be fulfilled.
2890
28916.3.4.  203 Non-Authoritative Information
2892
2893   The 203 (Non-Authoritative Information) status code indicates that
2894   the request was successful but the enclosed payload has been modified
2895   from that of the origin server's 200 (OK) response by a transforming
2896   proxy (Section 5.7.2 of [Part1]).  This status code allows the proxy
2897   to notify recipients when a transformation has been applied, since
2898   that knowledge might impact later decisions regarding the content.
2899   For example, future cache validation requests for the content might
2900   only be applicable along the same request path (through the same
2901   proxies).
2902
2903   The 203 response is similar to the Warning code of 214 Transformation
2904   Applied (Section 5.5 of [Part6]), which has the advantage of being
2905   applicable to responses with any status code.
2906
2907   A 203 response is cacheable unless otherwise indicated by the method
2908
2909
2910
2911Fielding & Reschke       Expires March 29, 2014                [Page 52]
2912
2913Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2914
2915
2916   definition or explicit cache controls (see Section 4.2.2 of [Part6]).
2917
29186.3.5.  204 No Content
2919
2920   The 204 (No Content) status code indicates that the server has
2921   successfully fulfilled the request and that there is no additional
2922   content to send in the response payload body.  Metadata in the
2923   response header fields refer to the target resource and its selected
2924   representation after the requested action was applied.
2925
2926   For example, if a 204 status code is received in response to a PUT
2927   request and the response contains an ETag header field, then the PUT
2928   was successful and the ETag field-value contains the entity-tag for
2929   the new representation of that target resource.
2930
2931   The 204 response allows a server to indicate that the action has been
2932   successfully applied to the target resource, while implying that the
2933   user agent does not need to traverse away from its current "document
2934   view" (if any).  The server assumes that the user agent will provide
2935   some indication of the success to its user, in accord with its own
2936   interface, and apply any new or updated metadata in the response to
2937   its active representation.
2938
2939   For example, a 204 status code is commonly used with document editing
2940   interfaces corresponding to a "save" action, such that the document
2941   being saved remains available to the user for editing.  It is also
2942   frequently used with interfaces that expect automated data transfers
2943   to be prevalent, such as within distributed version control systems.
2944
2945   A 204 response is terminated by the first empty line after the header
2946   fields because it cannot contain a message body.
2947
2948   A 204 response is cacheable unless otherwise indicated by the method
2949   definition or explicit cache controls (see Section 4.2.2 of [Part6]).
2950
29516.3.6.  205 Reset Content
2952
2953   The 205 (Reset Content) status code indicates that the server has
2954   fulfilled the request and desires that the user agent reset the
2955   "document view", which caused the request to be sent, to its original
2956   state as received from the origin server.
2957
2958   This response is intended to support a common data entry use case
2959   where the user receives content that supports data entry (a form,
2960   notepad, canvas, etc.), enters or manipulates data in that space,
2961   causes the entered data to be submitted in a request, and then the
2962   data entry mechanism is reset for the next entry so that the user can
2963   easily initiate another input action.
2964
2965
2966
2967Fielding & Reschke       Expires March 29, 2014                [Page 53]
2968
2969Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
2970
2971
2972   Since the 205 status code implies that no additional content will be
2973   provided, a server MUST NOT generate a payload in a 205 response.  In
2974   other words, a server MUST do one of the following for a 205
2975   response: a) indicate a zero-length body for the response by
2976   including a Content-Length header field with a value of 0; b)
2977   indicate a zero-length payload for the response by including a
2978   Transfer-Encoding header field with a value of chunked and a message
2979   body consisting of a single chunk of zero-length; or, c) close the
2980   connection immediately after sending the blank line terminating the
2981   header section.
2982
29836.4.  Redirection 3xx
2984
2985   The 3xx (Redirection) class of status code indicates that further
2986   action needs to be taken by the user agent in order to fulfill the
2987   request.  If a Location header field (Section 7.1.2) is provided, the
2988   user agent MAY automatically redirect its request to the URI
2989   referenced by the Location field value, even if the specific status
2990   code is not understood.  Automatic redirection needs to done with
2991   care for methods not known to be safe, as defined in Section 4.2.1,
2992   since the user might not wish to redirect an unsafe request.
2993
2994   There are several types of redirects:
2995
2996   1.  Redirects that indicate the resource might be available at a
2997       different URI, as provided by the Location field, as in the
2998       status codes 301 (Moved Permanently), 302 (Found), and 307
2999       (Temporary Redirect).
3000
3001   2.  Redirection that offers a choice of matching resources, each
3002       capable of representing the original request target, as in the
3003       300 (Multiple Choices) status code.
3004
3005   3.  Redirection to a different resource, identified by the Location
3006       field, that can represent an indirect response to the request, as
3007       in the 303 (See Other) status code.
3008
3009   4.  Redirection to a previously cached result, as in the 304 (Not
3010       Modified) status code.
3011
3012      Note: In HTTP/1.0, the status codes 301 (Moved Permanently) and
3013      302 (Found) were defined for the first type of redirect
3014      ([RFC1945], Section 9.3).  Early user agents split on whether the
3015      method applied to the redirect target would be the same as the
3016      original request or would be rewritten as GET.  Although HTTP
3017      originally defined the former semantics for 301 and 302 (to match
3018      its original implementation at CERN), and defined 303 (See Other)
3019      to match the latter semantics, prevailing practice gradually
3020
3021
3022
3023Fielding & Reschke       Expires March 29, 2014                [Page 54]
3024
3025Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3026
3027
3028      converged on the latter semantics for 301 and 302 as well.  The
3029      first revision of HTTP/1.1 added 307 (Temporary Redirect) to
3030      indicate the former semantics without being impacted by divergent
3031      practice.  Over 10 years later, most user agents still do method
3032      rewriting for 301 and 302; therefore, this specification makes
3033      that behavior conformant when the original request is POST.
3034
3035   A client SHOULD detect and intervene in cyclical redirections (i.e.,
3036   "infinite" redirection loops).
3037
3038      Note: An earlier version of this specification recommended a
3039      maximum of five redirections ([RFC2068], Section 10.3).  Content
3040      developers need to be aware that some clients might implement such
3041      a fixed limitation.
3042
30436.4.1.  300 Multiple Choices
3044
3045   The 300 (Multiple Choices) status code indicates that the target
3046   resource has more than one representation, each with its own more
3047   specific identifier, and information about the alternatives is being
3048   provided so that the user (or user agent) can select a preferred
3049   representation by redirecting its request to one or more of those
3050   identifiers.  In other words, the server desires that the user agent
3051   engage in reactive negotiation to select the most appropriate
3052   representation(s) for its needs (Section 3.4).
3053
3054   If the server has a preferred choice, the server SHOULD generate a
3055   Location header field containing a preferred choice's URI reference.
3056   The user agent MAY use the Location field value for automatic
3057   redirection.
3058
3059   For request methods other than HEAD, the server SHOULD generate a
3060   payload in the 300 response containing a list of representation
3061   metadata and URI reference(s) from which the user or user agent can
3062   choose the one most preferred.  The user agent MAY make a selection
3063   from that list automatically, depending upon the list format, but
3064   this specification does not define a standard for such automatic
3065   selection.
3066
3067   A 300 response is cacheable unless otherwise indicated by the method
3068   definition or explicit cache controls (see Section 4.2.2 of [Part6]).
3069
3070      Note: The original proposal for 300 defined the URI header field
3071      as providing a list of alternative representations, such that it
3072      would be usable for 200, 300, and 406 responses and be transferred
3073      in responses to the HEAD method.  However, lack of deployment and
3074      disagreement over syntax led to both URI and Alternates (a
3075      subsequent proposal) being dropped from this specification.  It is
3076
3077
3078
3079Fielding & Reschke       Expires March 29, 2014                [Page 55]
3080
3081Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3082
3083
3084      possible to communicate the list using a set of Link header fields
3085      [RFC5988], each with a relationship of "alternate", though
3086      deployment is a chicken-and-egg problem.
3087
30886.4.2.  301 Moved Permanently
3089
3090   The 301 (Moved Permanently) status code indicates that the target
3091   resource has been assigned a new permanent URI and any future
3092   references to this resource ought to use one of the enclosed URIs.
3093   Clients with link editing capabilities ought to automatically re-link
3094   references to the effective request URI to one or more of the new
3095   references sent by the server, where possible.
3096
3097   The server SHOULD generate a Location header field in the response
3098   containing a preferred URI reference for the new permanent URI.  The
3099   user agent MAY use the Location field value for automatic
3100   redirection.  The server's response payload usually contains a short
3101   hypertext note with a hyperlink to the new URI(s).
3102
3103      Note: For historic reasons, a user agent MAY change the request
3104      method from POST to GET for the subsequent request.  If this
3105      behavior is undesired, the 307 (Temporary Redirect) status code
3106      can be used instead.
3107
3108   A 301 response is cacheable unless otherwise indicated by the method
3109   definition or explicit cache controls (see Section 4.2.2 of [Part6]).
3110
31116.4.3.  302 Found
3112
3113   The 302 (Found) status code indicates that the target resource
3114   resides temporarily under a different URI.  Since the redirection
3115   might be altered on occasion, the client ought to continue to use the
3116   effective request URI for future requests.
3117
3118   The server SHOULD generate a Location header field in the response
3119   containing a URI reference for the different URI.  The user agent MAY
3120   use the Location field value for automatic redirection.  The server's
3121   response payload usually contains a short hypertext note with a
3122   hyperlink to the different URI(s).
3123
3124      Note: For historic reasons, a user agent MAY change the request
3125      method from POST to GET for the subsequent request.  If this
3126      behavior is undesired, the 307 (Temporary Redirect) status code
3127      can be used instead.
3128
3129
3130
3131
3132
3133
3134
3135Fielding & Reschke       Expires March 29, 2014                [Page 56]
3136
3137Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3138
3139
31406.4.4.  303 See Other
3141
3142   The 303 (See Other) status code indicates that the server is
3143   redirecting the user agent to a different resource, as indicated by a
3144   URI in the Location header field, that is intended to provide an
3145   indirect response to the original request.  In order to satisfy the
3146   original request, a user agent ought to perform a retrieval request
3147   using the Location URI (a GET or HEAD request if using HTTP), which
3148   can itself be redirected further, and present the eventual result as
3149   an answer to the original request.  Note that the new URI in the
3150   Location header field is not considered equivalent to the effective
3151   request URI.
3152
3153   This status code is applicable to any HTTP method.  It is primarily
3154   used to allow the output of a POST action to redirect the user agent
3155   to a selected resource, since doing so provides the information
3156   corresponding to the POST response in a form that can be separately
3157   identified, bookmarked, and cached independent of the original
3158   request.
3159
3160   A 303 response to a GET request indicates that the origin server does
3161   not have a representation of the target resource that can be
3162   transferred by the server over HTTP.  However, the Location field
3163   value refers to a resource that is descriptive of the target
3164   resource, such that making a retrieval request on that other resource
3165   might result in a representation that is useful to recipients without
3166   implying that it represents the original target resource.  Note that
3167   answers to the questions of what can be represented, what
3168   representations are adequate, and what might be a useful description
3169   are outside the scope of HTTP.
3170
3171   Except for responses to a HEAD request, the representation of a 303
3172   response ought to contain a short hypertext note with a hyperlink to
3173   the same URI reference provided in the Location header field.
3174
31756.4.5.  305 Use Proxy
3176
3177   The 305 (Use Proxy) status code was defined in a previous version of
3178   this specification and is now deprecated (Appendix B).
3179
31806.4.6.  306 (Unused)
3181
3182   The 306 status code was defined in a previous version of this
3183   specification, is no longer used, and the code is reserved.
3184
3185
3186
3187
3188
3189
3190
3191Fielding & Reschke       Expires March 29, 2014                [Page 57]
3192
3193Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3194
3195
31966.4.7.  307 Temporary Redirect
3197
3198   The 307 (Temporary Redirect) status code indicates that the target
3199   resource resides temporarily under a different URI and the user agent
3200   MUST NOT change the request method if it performs an automatic
3201   redirection to that URI.  Since the redirection can change over time,
3202   the client ought to continue using the original effective request URI
3203   for future requests.
3204
3205   The server SHOULD generate a Location header field in the response
3206   containing a URI reference for the different URI.  The user agent MAY
3207   use the Location field value for automatic redirection.  The server's
3208   response payload usually contains a short hypertext note with a
3209   hyperlink to the different URI(s).
3210
3211      Note: This status code is similar to 302 (Found), except that it
3212      does not allow changing the request method from POST to GET.  This
3213      specification defines no equivalent counterpart for 301 (Moved
3214      Permanently) ([status-308], however, defines the status code 308
3215      (Permanent Redirect) for this purpose).
3216
32176.5.  Client Error 4xx
3218
3219   The 4xx (Client Error) class of status code indicates that the client
3220   seems to have erred.  Except when responding to a HEAD request, the
3221   server SHOULD send a representation containing an explanation of the
3222   error situation, and whether it is a temporary or permanent
3223   condition.  These status codes are applicable to any request method.
3224   User agents SHOULD display any included representation to the user.
3225
32266.5.1.  400 Bad Request
3227
3228   The 400 (Bad Request) status code indicates that the server cannot or
3229   will not process the request due to something which is perceived to
3230   be a client error (e.g., malformed request syntax, invalid request
3231   message framing, or deceptive request routing).
3232
32336.5.2.  402 Payment Required
3234
3235   The 402 (Payment Required) status code is reserved for future use.
3236
32376.5.3.  403 Forbidden
3238
3239   The 403 (Forbidden) status code indicates that the server understood
3240   the request but refuses to authorize it.  A server that wishes to
3241   make public why the request has been forbidden can describe that
3242   reason in the response payload (if any).
3243
3244
3245
3246
3247Fielding & Reschke       Expires March 29, 2014                [Page 58]
3248
3249Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3250
3251
3252   If authentication credentials were provided in the request, the
3253   server considers them insufficient to grant access.  The client
3254   SHOULD NOT automatically repeat the request with the same
3255   credentials.  The client MAY repeat the request with new or different
3256   credentials.  However, a request might be forbidden for reasons
3257   unrelated to the credentials.
3258
3259   An origin server that wishes to "hide" the current existence of a
3260   forbidden target resource MAY instead respond with a status code of
3261   404 (Not Found).
3262
32636.5.4.  404 Not Found
3264
3265   The 404 (Not Found) status code indicates that the origin server did
3266   not find a current representation for the target resource or is not
3267   willing to disclose that one exists.  A 404 status code does not
3268   indicate whether this lack of representation is temporary or
3269   permanent; the 410 (Gone) status code is preferred over 404 if the
3270   origin server knows, presumably through some configurable means, that
3271   the condition is likely to be permanent.
3272
3273   A 404 response is cacheable unless otherwise indicated by the method
3274   definition or explicit cache controls (see Section 4.2.2 of [Part6]).
3275
32766.5.5.  405 Method Not Allowed
3277
3278   The 405 (Method Not Allowed) status code indicates that the method
3279   received in the request-line is known by the origin server but not
3280   supported by the target resource.  The origin server MUST generate an
3281   Allow header field in a 405 response containing a list of the target
3282   resource's currently supported methods.
3283
3284   A 405 response is cacheable unless otherwise indicated by the method
3285   definition or explicit cache controls (see Section 4.2.2 of [Part6]).
3286
32876.5.6.  406 Not Acceptable
3288
3289   The 406 (Not Acceptable) status code indicates that the target
3290   resource does not have a current representation that would be
3291   acceptable to the user agent, according to the proactive negotiation
3292   header fields received in the request (Section 5.3), and the server
3293   is unwilling to supply a default representation.
3294
3295   The server SHOULD generate a payload containing a list of available
3296   representation characteristics and corresponding resource identifiers
3297   from which the user or user agent can choose the one most
3298   appropriate.  A user agent MAY automatically select the most
3299   appropriate choice from that list.  However, this specification does
3300
3301
3302
3303Fielding & Reschke       Expires March 29, 2014                [Page 59]
3304
3305Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3306
3307
3308   not define any standard for such automatic selection, as described in
3309   Section 6.4.1.
3310
33116.5.7.  408 Request Timeout
3312
3313   The 408 (Request Timeout) status code indicates that the server did
3314   not receive a complete request message within the time that it was
3315   prepared to wait.  A server SHOULD send the close connection option
3316   (Section 6.1 of [Part1]) in the response, since 408 implies that the
3317   server has decided to close the connection rather than continue
3318   waiting.  If the client has an outstanding request in transit, the
3319   client MAY repeat that request on a new connection.
3320
33216.5.8.  409 Conflict
3322
3323   The 409 (Conflict) status code indicates that the request could not
3324   be completed due to a conflict with the current state of the target
3325   resource.  This code is used in situations where the user might be
3326   able to resolve the conflict and resubmit the request.  The server
3327   SHOULD generate a payload that includes enough information for a user
3328   to recognize the source of the conflict.
3329
3330   Conflicts are most likely to occur in response to a PUT request.  For
3331   example, if versioning were being used and the representation being
3332   PUT included changes to a resource that conflict with those made by
3333   an earlier (third-party) request, the origin server might use a 409
3334   response to indicate that it can't complete the request.  In this
3335   case, the response representation would likely contain information
3336   useful for merging the differences based on the revision history.
3337
33386.5.9.  410 Gone
3339
3340   The 410 (Gone) status code indicates that access to the target
3341   resource is no longer available at the origin server and that this
3342   condition is likely to be permanent.  If the origin server does not
3343   know, or has no facility to determine, whether or not the condition
3344   is permanent, the status code 404 (Not Found) ought to be used
3345   instead.
3346
3347   The 410 response is primarily intended to assist the task of web
3348   maintenance by notifying the recipient that the resource is
3349   intentionally unavailable and that the server owners desire that
3350   remote links to that resource be removed.  Such an event is common
3351   for limited-time, promotional services and for resources belonging to
3352   individuals no longer associated with the origin server's site.  It
3353   is not necessary to mark all permanently unavailable resources as
3354   "gone" or to keep the mark for any length of time -- that is left to
3355   the discretion of the server owner.
3356
3357
3358
3359Fielding & Reschke       Expires March 29, 2014                [Page 60]
3360
3361Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3362
3363
3364   A 410 response is cacheable unless otherwise indicated by the method
3365   definition or explicit cache controls (see Section 4.2.2 of [Part6]).
3366
33676.5.10.  411 Length Required
3368
3369   The 411 (Length Required) status code indicates that the server
3370   refuses to accept the request without a defined Content-Length
3371   (Section 3.3.2 of [Part1]).  The client MAY repeat the request if it
3372   adds a valid Content-Length header field containing the length of the
3373   message body in the request message.
3374
33756.5.11.  413 Payload Too Large
3376
3377   The 413 (Payload Too Large) status code indicates that the server is
3378   refusing to process a request because the request payload is larger
3379   than the server is willing or able to process.  The server MAY close
3380   the connection to prevent the client from continuing the request.
3381
3382   If the condition is temporary, the server SHOULD generate a Retry-
3383   After header field to indicate that it is temporary and after what
3384   time the client MAY try again.
3385
33866.5.12.  414 URI Too Long
3387
3388   The 414 (URI Too Long) status code indicates that the server is
3389   refusing to service the request because the request-target (Section
3390   5.3 of [Part1]) is longer than the server is willing to interpret.
3391   This rare condition is only likely to occur when a client has
3392   improperly converted a POST request to a GET request with long query
3393   information, when the client has descended into a "black hole" of
3394   redirection (e.g., a redirected URI prefix that points to a suffix of
3395   itself), or when the server is under attack by a client attempting to
3396   exploit potential security holes.
3397
3398   A 414 response is cacheable unless otherwise indicated by the method
3399   definition or explicit cache controls (see Section 4.2.2 of [Part6]).
3400
34016.5.13.  415 Unsupported Media Type
3402
3403   The 415 (Unsupported Media Type) status code indicates that the
3404   origin server is refusing to service the request because the payload
3405   is in a format not supported by this method on the target resource.
3406   The format problem might be due to the request's indicated Content-
3407   Type or Content-Encoding, or as a result of inspecting the data
3408   directly.
3409
3410
3411
3412
3413
3414
3415Fielding & Reschke       Expires March 29, 2014                [Page 61]
3416
3417Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3418
3419
34206.5.14.  417 Expectation Failed
3421
3422   The 417 (Expectation Failed) status code indicates that the
3423   expectation given in the request's Expect header field
3424   (Section 5.1.1) could not be met by at least one of the inbound
3425   servers.
3426
34276.5.15.  426 Upgrade Required
3428
3429   The 426 (Upgrade Required) status code indicates that the server
3430   refuses to perform the request using the current protocol but might
3431   be willing to do so after the client upgrades to a different
3432   protocol.  The server MUST send an Upgrade header field in a 426
3433   response to indicate the required protocol(s) (Section 6.7 of
3434   [Part1]).
3435
3436   Example:
3437
3438     HTTP/1.1 426 Upgrade Required
3439     Upgrade: HTTP/3.0
3440     Connection: Upgrade
3441     Content-Length: 53
3442     Content-Type: text/plain
3443
3444     This service requires use of the HTTP/3.0 protocol.
3445
34466.6.  Server Error 5xx
3447
3448   The 5xx (Server Error) class of status code indicates that the server
3449   is aware that it has erred or is incapable of performing the
3450   requested method.  Except when responding to a HEAD request, the
3451   server SHOULD send a representation containing an explanation of the
3452   error situation, and whether it is a temporary or permanent
3453   condition.  A user agent SHOULD display any included representation
3454   to the user.  These response codes are applicable to any request
3455   method.
3456
34576.6.1.  500 Internal Server Error
3458
3459   The 500 (Internal Server Error) status code indicates that the server
3460   encountered an unexpected condition that prevented it from fulfilling
3461   the request.
3462
34636.6.2.  501 Not Implemented
3464
3465   The 501 (Not Implemented) status code indicates that the server does
3466   not support the functionality required to fulfill the request.  This
3467   is the appropriate response when the server does not recognize the
3468
3469
3470
3471Fielding & Reschke       Expires March 29, 2014                [Page 62]
3472
3473Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3474
3475
3476   request method and is not capable of supporting it for any resource.
3477
3478   A 501 response is cacheable unless otherwise indicated by the method
3479   definition or explicit cache controls (see Section 4.2.2 of [Part6]).
3480
34816.6.3.  502 Bad Gateway
3482
3483   The 502 (Bad Gateway) status code indicates that the server, while
3484   acting as a gateway or proxy, received an invalid response from an
3485   inbound server it accessed while attempting to fulfill the request.
3486
34876.6.4.  503 Service Unavailable
3488
3489   The 503 (Service Unavailable) status code indicates that the server
3490   is currently unable to handle the request due to a temporary overload
3491   or scheduled maintenance, which will likely be alleviated after some
3492   delay.  The server MAY send a Retry-After header field
3493   (Section 7.1.3) to suggest an appropriate amount of time for the
3494   client to wait before retrying the request.
3495
3496      Note: The existence of the 503 status code does not imply that a
3497      server has to use it when becoming overloaded.  Some servers might
3498      simply refuse the connection.
3499
35006.6.5.  504 Gateway Timeout
3501
3502   The 504 (Gateway Timeout) status code indicates that the server,
3503   while acting as a gateway or proxy, did not receive a timely response
3504   from an upstream server it needed to access in order to complete the
3505   request.
3506
35076.6.6.  505 HTTP Version Not Supported
3508
3509   The 505 (HTTP Version Not Supported) status code indicates that the
3510   server does not support, or refuses to support, the major version of
3511   HTTP that was used in the request message.  The server is indicating
3512   that it is unable or unwilling to complete the request using the same
3513   major version as the client, as described in Section 2.6 of [Part1],
3514   other than with this error message.  The server SHOULD generate a
3515   representation for the 505 response that describes why that version
3516   is not supported and what other protocols are supported by that
3517   server.
3518
35197.  Response Header Fields
3520
3521   The response header fields allow the server to pass additional
3522   information about the response beyond what is placed in the status-
3523   line.  These header fields give information about the server, about
3524
3525
3526
3527Fielding & Reschke       Expires March 29, 2014                [Page 63]
3528
3529Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3530
3531
3532   further access to the target resource, or about related resources.
3533
3534   Although each response header field has a defined meaning, in
3535   general, the precise semantics might be further refined by the
3536   semantics of the request method and/or response status code.
3537
35387.1.  Control Data
3539
3540   Response header fields can supply control data that supplements the
3541   status code, directs caching, or instructs the client where to go
3542   next.
3543
3544   +-------------------+------------------------+
3545   | Header Field Name | Defined in...          |
3546   +-------------------+------------------------+
3547   | Age               | Section 5.1 of [Part6] |
3548   | Cache-Control     | Section 5.2 of [Part6] |
3549   | Expires           | Section 5.3 of [Part6] |
3550   | Date              | Section 7.1.1.2        |
3551   | Location          | Section 7.1.2          |
3552   | Retry-After       | Section 7.1.3          |
3553   | Vary              | Section 7.1.4          |
3554   | Warning           | Section 5.5 of [Part6] |
3555   +-------------------+------------------------+
3556
35577.1.1.  Origination Date
3558
35597.1.1.1.  Date/Time Formats
3560
3561   Prior to 1995, there were three different formats commonly used by
3562   servers to communicate timestamps.  For compatibility with old
3563   implementations, all three are defined here.  The preferred format is
3564   a fixed-length and single-zone subset of the date and time
3565   specification used by the Internet Message Format [RFC5322].
3566
3567     HTTP-date    = IMF-fixdate / obs-date
3568
3569   An example of the preferred format is
3570
3571     Sun, 06 Nov 1994 08:49:37 GMT    ; IMF-fixdate
3572
3573   Examples of the two obsolete formats are
3574
3575     Sunday, 06-Nov-94 08:49:37 GMT   ; obsolete RFC 850 format
3576     Sun Nov  6 08:49:37 1994         ; ANSI C's asctime() format
3577
3578   A recipient that parses a timestamp value in an HTTP header field
3579   MUST accept all three HTTP-date formats.  When a sender generates a
3580
3581
3582
3583Fielding & Reschke       Expires March 29, 2014                [Page 64]
3584
3585Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3586
3587
3588   header field that contains one or more timestamps defined as HTTP-
3589   date, the sender MUST generate those timestamps in the IMF-fixdate
3590   format.
3591
3592   An HTTP-date value represents time as an instance of Coordinated
3593   Universal Time (UTC).  The first two formats indicate UTC by the
3594   three-letter abbreviation for Greenwich Mean Time, "GMT", a
3595   predecessor of the UTC name; values in the asctime format are assumed
3596   to be in UTC.  A sender that generates HTTP-date values from a local
3597   clock ought to use NTP ([RFC1305]) or some similar protocol to
3598   synchronize its clock to UTC.
3599
3600   Preferred format:
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639Fielding & Reschke       Expires March 29, 2014                [Page 65]
3640
3641Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3642
3643
3644     IMF-fixdate  = day-name "," SP date1 SP time-of-day SP GMT
3645     ; fixed length/zone subset of the format defined in
3646     ; Section 3.3 of [RFC5322]
3647
3648     day-name     = %x4D.6F.6E ; "Mon", case-sensitive
3649                  / %x54.75.65 ; "Tue", case-sensitive
3650                  / %x57.65.64 ; "Wed", case-sensitive
3651                  / %x54.68.75 ; "Thu", case-sensitive
3652                  / %x46.72.69 ; "Fri", case-sensitive
3653                  / %x53.61.74 ; "Sat", case-sensitive
3654                  / %x53.75.6E ; "Sun", case-sensitive
3655
3656     date1        = day SP month SP year
3657                  ; e.g., 02 Jun 1982
3658
3659     day          = 2DIGIT
3660     month        = %x4A.61.6E ; "Jan", case-sensitive
3661                  / %x46.65.62 ; "Feb", case-sensitive
3662                  / %x4D.61.72 ; "Mar", case-sensitive
3663                  / %x41.70.72 ; "Apr", case-sensitive
3664                  / %x4D.61.79 ; "May", case-sensitive
3665                  / %x4A.75.6E ; "Jun", case-sensitive
3666                  / %x4A.75.6C ; "Jul", case-sensitive
3667                  / %x41.75.67 ; "Aug", case-sensitive
3668                  / %x53.65.70 ; "Sep", case-sensitive
3669                  / %x4F.63.74 ; "Oct", case-sensitive
3670                  / %x4E.6F.76 ; "Nov", case-sensitive
3671                  / %x44.65.63 ; "Dec", case-sensitive
3672     year         = 4DIGIT
3673
3674     GMT          = %x47.4D.54 ; "GMT", case-sensitive
3675
3676     time-of-day  = hour ":" minute ":" second
3677                  ; 00:00:00 - 23:59:60 (leap second)
3678
3679     hour         = 2DIGIT
3680     minute       = 2DIGIT
3681     second       = 2DIGIT
3682
3683   Obsolete formats:
3684
3685     obs-date     = rfc850-date / asctime-date
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695Fielding & Reschke       Expires March 29, 2014                [Page 66]
3696
3697Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3698
3699
3700     rfc850-date  = day-name-l "," SP date2 SP time-of-day SP GMT
3701     date2        = day "-" month "-" 2DIGIT
3702                  ; e.g., 02-Jun-82
3703
3704     day-name-l   = %x4D.6F.6E.64.61.79    ; "Monday", case-sensitive
3705            / %x54.75.65.73.64.61.79       ; "Tuesday", case-sensitive
3706            / %x57.65.64.6E.65.73.64.61.79 ; "Wednesday", case-sensitive
3707            / %x54.68.75.72.73.64.61.79    ; "Thursday", case-sensitive
3708            / %x46.72.69.64.61.79          ; "Friday", case-sensitive
3709            / %x53.61.74.75.72.64.61.79    ; "Saturday", case-sensitive
3710            / %x53.75.6E.64.61.79          ; "Sunday", case-sensitive
3711
3712
3713     asctime-date = day-name SP date3 SP time-of-day SP year
3714     date3        = month SP ( 2DIGIT / ( SP 1DIGIT ))
3715                  ; e.g., Jun  2
3716
3717   HTTP-date is case sensitive.  A sender MUST NOT generate additional
3718   whitespace in an HTTP-date beyond that specifically included as SP in
3719   the grammar.  The semantics of day-name, day, month, year, and time-
3720   of-day are the same as those defined for the Internet Message Format
3721   constructs with the corresponding name ([RFC5322], Section 3.3).
3722
3723   Recipients of a timestamp value in rfc850-date format, which uses a
3724   two-digit year, MUST interpret a timestamp that appears to be more
3725   than 50 years in the future as representing the most recent year in
3726   the past that had the same last two digits.
3727
3728   Recipients of timestamp values are encouraged to be robust in parsing
3729   timestamps unless otherwise restricted by the field definition.  For
3730   example, messages are occasionally forwarded over HTTP from a non-
3731   HTTP source that might generate any of the date and time
3732   specifications defined by the Internet Message Format.
3733
3734      Note: HTTP requirements for the date/time stamp format apply only
3735      to their usage within the protocol stream.  Implementations are
3736      not required to use these formats for user presentation, request
3737      logging, etc.
3738
37397.1.1.2.  Date
3740
3741   The "Date" header field represents the date and time at which the
3742   message was originated, having the same semantics as the Origination
3743   Date Field (orig-date) defined in Section 3.6.1 of [RFC5322].  The
3744   field value is an HTTP-date, as defined in Section 7.1.1.1.
3745
3746     Date = HTTP-date
3747
3748
3749
3750
3751Fielding & Reschke       Expires March 29, 2014                [Page 67]
3752
3753Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3754
3755
3756   An example is
3757
3758     Date: Tue, 15 Nov 1994 08:12:31 GMT
3759
3760   When a Date header field is generated, the sender SHOULD generate its
3761   field value as the best available approximation of the date and time
3762   of message generation.  In theory, the date ought to represent the
3763   moment just before the payload is generated.  In practice, the date
3764   can be generated at any time during message origination.
3765
3766   An origin server MUST NOT send a Date header field if it does not
3767   have a clock capable of providing a reasonable approximation of the
3768   current instance in Coordinated Universal Time.  An origin server MAY
3769   send a Date header field if the response is in the 1xx
3770   (Informational) or 5xx (Server Error) class of status codes.  An
3771   origin server MUST send a Date header field in all other cases.
3772
3773   A recipient with a clock that receives a response message without a
3774   Date header field MUST record the time it was received and append a
3775   corresponding Date header field to the message's header section if it
3776   is cached or forwarded downstream.
3777
3778   A user agent MAY send a Date header field in a request, though
3779   generally will not do so unless it is believed to convey useful
3780   information to the server.  For example, custom applications of HTTP
3781   might convey a Date if the server is expected to adjust its
3782   interpretation of the user's request based on differences between the
3783   user agent and server clocks.
3784
37857.1.2.  Location
3786
3787   The "Location" header field is used in some responses to refer to a
3788   specific resource in relation to the response.  The type of
3789   relationship is defined by the combination of request method and
3790   status code semantics.
3791
3792     Location = URI-reference
3793
3794   The field value consists of a single URI-reference.  When it has the
3795   form of a relative reference ([RFC3986], Section 4.2), the final
3796   value is computed by resolving it against the effective request URI
3797   ([RFC3986], Section 5).
3798
3799   For 201 (Created) responses, the Location value refers to the primary
3800   resource created by the request.  For 3xx (Redirection) responses,
3801   the Location value refers to the preferred target resource for
3802   automatically redirecting the request.
3803
3804
3805
3806
3807Fielding & Reschke       Expires March 29, 2014                [Page 68]
3808
3809Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3810
3811
3812   If the Location value provided in a 3xx (Redirection) does not have a
3813   fragment component, a user agent MUST process the redirection as if
3814   the value inherits the fragment component of the URI reference used
3815   to generate the request target (i.e., the redirection inherits the
3816   original reference's fragment, if any).
3817
3818   For example, a GET request generated for the URI reference
3819   "http://www.example.org/~tim" might result in a 303 (See Other)
3820   response containing the header field:
3821
3822     Location: /People.html#tim
3823
3824   which suggests that the user agent redirect to
3825   "http://www.example.org/People.html#tim"
3826
3827   Likewise, a GET request generated for the URI reference
3828   "http://www.example.org/index.html#larry" might result in a 301
3829   (Moved Permanently) response containing the header field:
3830
3831     Location: http://www.example.net/index.html
3832
3833   which suggests that the user agent redirect to
3834   "http://www.example.net/index.html#larry", preserving the original
3835   fragment identifier.
3836
3837   There are circumstances in which a fragment identifier in a Location
3838   value would not be appropriate.  For example, the Location header
3839   field in a 201 (Created) response is supposed to provide a URI that
3840   is specific to the created resource.
3841
3842      Note: Some recipients attempt to recover from Location fields that
3843      are not valid URI references.  This specification does not mandate
3844      or define such processing, but does allow it for the sake of
3845      robustness.
3846
3847      Note: The Content-Location header field (Section 3.1.4.2) differs
3848      from Location in that the Content-Location refers to the most
3849      specific resource corresponding to the enclosed representation.
3850      It is therefore possible for a response to contain both the
3851      Location and Content-Location header fields.
3852
38537.1.3.  Retry-After
3854
3855   Servers send the "Retry-After" header field to indicate how long the
3856   user agent ought to wait before making a follow-up request.  When
3857   sent with a 503 (Service Unavailable) response, Retry-After indicates
3858   how long the service is expected to be unavailable to the client.
3859   When sent with any 3xx (Redirection) response, Retry-After indicates
3860
3861
3862
3863Fielding & Reschke       Expires March 29, 2014                [Page 69]
3864
3865Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3866
3867
3868   the minimum time that the user agent is asked to wait before issuing
3869   the redirected request.
3870
3871   The value of this field can be either an HTTP-date or an integer
3872   number of seconds (in decimal) after the time of the response.
3873
3874     Retry-After = HTTP-date / delta-seconds
3875
3876   Time spans are non-negative decimal integers, representing time in
3877   seconds.
3878
3879     delta-seconds  = 1*DIGIT
3880
3881   Two examples of its use are
3882
3883     Retry-After: Fri, 31 Dec 1999 23:59:59 GMT
3884     Retry-After: 120
3885
3886   In the latter example, the delay is 2 minutes.
3887
38887.1.4.  Vary
3889
3890   The "Vary" header field in a response describes what parts of a
3891   request message, aside from the method, Host header field, and
3892   request target, might influence the origin server's process for
3893   selecting and representing this response.  The value consists of
3894   either a single asterisk ("*") or a list of header field names (case-
3895   insensitive).
3896
3897     Vary = "*" / 1#field-name
3898
3899   A Vary field value of "*" signals that anything about the request
3900   might play a role in selecting the response representation, possibly
3901   including elements outside the message syntax (e.g., the client's
3902   network address), and thus a recipient will not be able to determine
3903   whether this response is appropriate for a later request without
3904   forwarding the request to the origin server.  A proxy MUST NOT
3905   generate a Vary field with a "*" value.
3906
3907   A Vary field value consisting of a comma-separated list of names
3908   indicates that the named request header fields, known as the
3909   selecting header fields, might have a role in selecting the
3910   representation.  The potential selecting header fields are not
3911   limited to those defined by this specification.
3912
3913
3914
3915
3916
3917
3918
3919Fielding & Reschke       Expires March 29, 2014                [Page 70]
3920
3921Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3922
3923
3924   For example, a response that contains
3925
3926     Vary: accept-encoding, accept-language
3927
3928   indicates that the origin server might have used the request's
3929   Accept-Encoding and Accept-Language fields (or lack thereof) as
3930   determining factors while choosing the content for this response.
3931
3932   An origin server might send Vary with a list of fields for two
3933   purposes:
3934
3935   1.  To inform cache recipients that they MUST NOT use this response
3936       to satisfy a later request unless the later request has the same
3937       values for the listed fields as the original request (Section 4.1
3938       of [Part6]).  In other words, Vary expands the cache key required
3939       to match a new request to the stored cache entry.
3940
3941   2.  To inform user agent recipients that this response is subject to
3942       content negotiation (Section 5.3) and that a different
3943       representation might be sent in a subsequent request if
3944       additional parameters are provided in the listed header fields
3945       (proactive negotiation).
3946
3947   An origin server SHOULD send a Vary header field when its algorithm
3948   for selecting a representation varies based on aspects of the request
3949   message other than the method and request target, unless the variance
3950   cannot be crossed or the origin server has been deliberately
3951   configured to prevent cache transparency.  For example, there is no
3952   need to send the Authorization field name in Vary because reuse
3953   across users is constrained by the field definition (Section 4.1 of
3954   [Part7]).  Likewise, an origin server might use Cache-Control
3955   directives (Section 5.2 of [Part6]) to supplant Vary if it considers
3956   the variance less significant than the performance cost of Vary's
3957   impact on caching.
3958
39597.2.  Validator Header Fields
3960
3961   Validator header fields convey metadata about the selected
3962   representation (Section 3).  In responses to safe requests, validator
3963   fields describe the selected representation chosen by the origin
3964   server while handling the response.  Note that, depending on the
3965   status code semantics, the selected representation for a given
3966   response is not necessarily the same as the representation enclosed
3967   as response payload.
3968
3969   In a successful response to a state-changing request, validator
3970   fields describe the new representation that has replaced the prior
3971   selected representation as a result of processing the request.
3972
3973
3974
3975Fielding & Reschke       Expires March 29, 2014                [Page 71]
3976
3977Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
3978
3979
3980   For example, an ETag header field in a 201 response communicates the
3981   entity-tag of the newly created resource's representation, so that it
3982   can be used in later conditional requests to prevent the "lost
3983   update" problem [Part4].
3984
3985   +-------------------+------------------------+
3986   | Header Field Name | Defined in...          |
3987   +-------------------+------------------------+
3988   | ETag              | Section 2.3 of [Part4] |
3989   | Last-Modified     | Section 2.2 of [Part4] |
3990   +-------------------+------------------------+
3991
39927.3.  Authentication Challenges
3993
3994   Authentication challenges indicate what mechanisms are available for
3995   the client to provide authentication credentials in future requests.
3996
3997   +--------------------+------------------------+
3998   | Header Field Name  | Defined in...          |
3999   +--------------------+------------------------+
4000   | WWW-Authenticate   | Section 4.4 of [Part7] |
4001   | Proxy-Authenticate | Section 4.2 of [Part7] |
4002   +--------------------+------------------------+
4003
40047.4.  Response Context
4005
4006   The remaining response header fields provide more information about
4007   the target resource for potential use in later requests.
4008
4009   +-------------------+------------------------+
4010   | Header Field Name | Defined in...          |
4011   +-------------------+------------------------+
4012   | Accept-Ranges     | Section 2.3 of [Part5] |
4013   | Allow             | Section 7.4.1          |
4014   | Server            | Section 7.4.2          |
4015   +-------------------+------------------------+
4016
40177.4.1.  Allow
4018
4019   The "Allow" header field lists the set of methods advertised as
4020   supported by the target resource.  The purpose of this field is
4021   strictly to inform the recipient of valid request methods associated
4022   with the resource.
4023
4024     Allow = #method
4025
4026   Example of use:
4027
4028
4029
4030
4031Fielding & Reschke       Expires March 29, 2014                [Page 72]
4032
4033Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4034
4035
4036     Allow: GET, HEAD, PUT
4037
4038   The actual set of allowed methods is defined by the origin server at
4039   the time of each request.  An origin server MUST generate an Allow
4040   field in a 405 (Method Not Allowed) response and MAY do so in any
4041   other response.  An empty Allow field value indicates that the
4042   resource allows no methods, which might occur in a 405 response if
4043   the resource has been temporarily disabled by configuration.
4044
4045   A proxy MUST NOT modify the Allow header field -- it does not need to
4046   understand all of the indicated methods in order to handle them
4047   according to the generic message handling rules.
4048
40497.4.2.  Server
4050
4051   The "Server" header field contains information about the software
4052   used by the origin server to handle the request, which is often used
4053   by clients to help identify the scope of reported interoperability
4054   problems, to work around or tailor requests to avoid particular
4055   server limitations, and for analytics regarding server or operating
4056   system use.  An origin server MAY generate a Server field in its
4057   responses.
4058
4059     Server = product *( RWS ( product / comment ) )
4060
4061   The Server field-value consists of one or more product identifiers,
4062   each followed by zero or more comments (Section 3.2 of [Part1]),
4063   which together identify the origin server software and its
4064   significant subproducts.  By convention, the product identifiers are
4065   listed in decreasing order of their significance for identifying the
4066   origin server software.  Each product identifier consists of a name
4067   and optional version, as defined in Section 5.5.3.
4068
4069   Example:
4070
4071     Server: CERN/3.0 libwww/2.17
4072
4073   An origin server SHOULD NOT generate a Server field containing
4074   needlessly fine-grained detail and SHOULD limit the addition of
4075   subproducts by third parties.  Overly long and detailed Server field
4076   values increase response latency and potentially reveal internal
4077   implementation details that might make it (slightly) easier for
4078   attackers to find and exploit known security holes.
4079
40808.  IANA Considerations
4081
4082
4083
4084
4085
4086
4087Fielding & Reschke       Expires March 29, 2014                [Page 73]
4088
4089Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4090
4091
40928.1.  Method Registry
4093
4094   The HTTP Method Registry defines the name space for the request
4095   method token (Section 4).  The method registry will be created and
4096   maintained at <http://www.iana.org/assignments/http-methods>.
4097
40988.1.1.  Procedure
4099
4100   HTTP method registrations MUST include the following fields:
4101
4102   o  Method Name (see Section 4)
4103
4104   o  Safe ("yes" or "no", see Section 4.2.1)
4105
4106   o  Idempotent ("yes" or "no", see Section 4.2.2)
4107
4108   o  Pointer to specification text
4109
4110   Values to be added to this name space require IETF Review (see
4111   [RFC5226], Section 4.1).
4112
41138.1.2.  Considerations for New Methods
4114
4115   Standardized methods are generic; that is, they are potentially
4116   applicable to any resource, not just one particular media type, kind
4117   of resource, or application.  As such, it is preferred that new
4118   methods be registered in a document that isn't specific to a single
4119   application or data format, since orthogonal technologies deserve
4120   orthogonal specification.
4121
4122   Since message parsing (Section 3.3 of [Part1]) needs to be
4123   independent of method semantics (aside from responses to HEAD),
4124   definitions of new methods cannot change the parsing algorithm or
4125   prohibit the presence of a message body on either the request or the
4126   response message.  Definitions of new methods can specify that only a
4127   zero-length message body is allowed by requiring a Content-Length
4128   header field with a value of "0".
4129
4130   A new method definition needs to indicate whether it is safe
4131   (Section 4.2.1), idempotent (Section 4.2.2), cacheable
4132   (Section 4.2.3), what semantics are to be associated with the payload
4133   body if any is present in the request, and what refinements the
4134   method makes to header field or status code semantics.  If the new
4135   method is cacheable, its definition ought to describe how, and under
4136   what conditions, a cache can store a response and use it to satisfy a
4137   subsequent request.  The new method ought to describe whether it can
4138   be made conditional (Section 5.2) and, if so, how a server responds
4139   when the condition is false.  Likewise, if the new method might have
4140
4141
4142
4143Fielding & Reschke       Expires March 29, 2014                [Page 74]
4144
4145Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4146
4147
4148   some use for partial response semantics ([Part5]), it ought to
4149   document this too.
4150
4151      Note: Avoid defining a method name that starts with "M-", since
4152      that prefix might be misinterpreted as having the semantics
4153      assigned to it by [RFC2774].
4154
41558.1.3.  Registrations
4156
4157   The HTTP Method Registry shall be populated with the registrations
4158   below:
4159
4160   +---------+------+------------+---------------+
4161   | Method  | Safe | Idempotent | Reference     |
4162   +---------+------+------------+---------------+
4163   | CONNECT | no   | no         | Section 4.3.6 |
4164   | DELETE  | no   | yes        | Section 4.3.5 |
4165   | GET     | yes  | yes        | Section 4.3.1 |
4166   | HEAD    | yes  | yes        | Section 4.3.2 |
4167   | OPTIONS | yes  | yes        | Section 4.3.7 |
4168   | POST    | no   | no         | Section 4.3.3 |
4169   | PUT     | no   | yes        | Section 4.3.4 |
4170   | TRACE   | yes  | yes        | Section 4.3.8 |
4171   +---------+------+------------+---------------+
4172
41738.2.  Status Code Registry
4174
4175   The HTTP Status Code Registry defines the name space for the response
4176   status-code token (Section 6).  The status code registry is
4177   maintained at <http://www.iana.org/assignments/http-status-codes>.
4178
4179   This Section replaces the registration procedure for HTTP Status
4180   Codes previously defined in Section 7.1 of [RFC2817].
4181
41828.2.1.  Procedure
4183
4184   A registration MUST include the following fields:
4185
4186   o  Status Code (3 digits)
4187
4188   o  Short Description
4189
4190   o  Pointer to specification text
4191
4192   Values to be added to the HTTP status code name space require IETF
4193   Review (see [RFC5226], Section 4.1).
4194
4195
4196
4197
4198
4199Fielding & Reschke       Expires March 29, 2014                [Page 75]
4200
4201Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4202
4203
42048.2.2.  Considerations for New Status Codes
4205
4206   When it is necessary to express semantics for a response that are not
4207   defined by current status codes, a new status code can be registered.
4208   Status codes are generic; they are potentially applicable to any
4209   resource, not just one particular media type, kind of resource, or
4210   application of HTTP.  As such, it is preferred that new status codes
4211   be registered in a document that isn't specific to a single
4212   application.
4213
4214   New status codes are required to fall under one of the categories
4215   defined in Section 6.  To allow existing parsers to process the
4216   response message, new status codes cannot disallow a payload,
4217   although they can mandate a zero-length payload body.
4218
4219   Proposals for new status codes that are not yet widely deployed ought
4220   to avoid allocating a specific number for the code until there is
4221   clear consensus that it will be registered; instead, early drafts can
4222   use a notation such as "4NN", or "3N0" .. "3N9", to indicate the
4223   class of the proposed status code(s) without consuming a number
4224   prematurely.
4225
4226   The definition of a new status code ought to explain the request
4227   conditions that would cause a response containing that status code
4228   (e.g., combinations of request header fields and/or method(s)) along
4229   with any dependencies on response header fields (e.g., what fields
4230   are required, what fields can modify the semantics, and what header
4231   field semantics are further refined when used with the new status
4232   code).
4233
4234   The definition of a new status code ought to specify whether or not
4235   it is cacheable.  Note that all status codes can be cached if the
4236   response they occur in has explicit freshness information; however,
4237   status codes that are defined as being cacheable are allowed to be
4238   cached without explicit freshness information.  Likewise, the
4239   definition of a status code can place constraints upon cache
4240   behavior.  See [Part6] for more information.
4241
4242   Finally, the definition of a new status code ought to indicate
4243   whether the payload has any implied association with an identified
4244   resource (Section 3.1.4.1).
4245
42468.2.3.  Registrations
4247
4248   The HTTP Status Code Registry shall be updated with the registrations
4249   below:
4250
4251
4252
4253
4254
4255Fielding & Reschke       Expires March 29, 2014                [Page 76]
4256
4257Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4258
4259
4260   +-------+-------------------------------+----------------+
4261   | Value | Description                   | Reference      |
4262   +-------+-------------------------------+----------------+
4263   | 100   | Continue                      | Section 6.2.1  |
4264   | 101   | Switching Protocols           | Section 6.2.2  |
4265   | 200   | OK                            | Section 6.3.1  |
4266   | 201   | Created                       | Section 6.3.2  |
4267   | 202   | Accepted                      | Section 6.3.3  |
4268   | 203   | Non-Authoritative Information | Section 6.3.4  |
4269   | 204   | No Content                    | Section 6.3.5  |
4270   | 205   | Reset Content                 | Section 6.3.6  |
4271   | 300   | Multiple Choices              | Section 6.4.1  |
4272   | 301   | Moved Permanently             | Section 6.4.2  |
4273   | 302   | Found                         | Section 6.4.3  |
4274   | 303   | See Other                     | Section 6.4.4  |
4275   | 305   | Use Proxy                     | Section 6.4.5  |
4276   | 306   | (Unused)                      | Section 6.4.6  |
4277   | 307   | Temporary Redirect            | Section 6.4.7  |
4278   | 400   | Bad Request                   | Section 6.5.1  |
4279   | 402   | Payment Required              | Section 6.5.2  |
4280   | 403   | Forbidden                     | Section 6.5.3  |
4281   | 404   | Not Found                     | Section 6.5.4  |
4282   | 405   | Method Not Allowed            | Section 6.5.5  |
4283   | 406   | Not Acceptable                | Section 6.5.6  |
4284   | 408   | Request Timeout               | Section 6.5.7  |
4285   | 409   | Conflict                      | Section 6.5.8  |
4286   | 410   | Gone                          | Section 6.5.9  |
4287   | 411   | Length Required               | Section 6.5.10 |
4288   | 413   | Payload Too Large             | Section 6.5.11 |
4289   | 414   | URI Too Long                  | Section 6.5.12 |
4290   | 415   | Unsupported Media Type        | Section 6.5.13 |
4291   | 417   | Expectation Failed            | Section 6.5.14 |
4292   | 426   | Upgrade Required              | Section 6.5.15 |
4293   | 500   | Internal Server Error         | Section 6.6.1  |
4294   | 501   | Not Implemented               | Section 6.6.2  |
4295   | 502   | Bad Gateway                   | Section 6.6.3  |
4296   | 503   | Service Unavailable           | Section 6.6.4  |
4297   | 504   | Gateway Timeout               | Section 6.6.5  |
4298   | 505   | HTTP Version Not Supported    | Section 6.6.6  |
4299   +-------+-------------------------------+----------------+
4300
43018.3.  Header Field Registry
4302
4303   HTTP header fields are registered within the Message Header Field
4304   Registry located at <http://www.iana.org/assignments/message-headers/
4305   message-header-index.html>, as defined by [BCP90].
4306
4307
4308
4309
4310
4311Fielding & Reschke       Expires March 29, 2014                [Page 77]
4312
4313Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4314
4315
43168.3.1.  Considerations for New Header Fields
4317
4318   Header fields are key:value pairs that can be used to communicate
4319   data about the message, its payload, the target resource, or the
4320   connection (i.e., control data).  See Section 3.2 of [Part1] for a
4321   general definition of header field syntax in HTTP messages.
4322
4323   The requirements for header field names are defined in [BCP90].
4324   Authors of specifications defining new fields are advised to keep the
4325   name as short as practical and to not prefix the name with "X-"
4326   unless the header field will never be used on the Internet.  (The
4327   "x-" prefix idiom has been extensively misused in practice; it was
4328   intended to only be used as a mechanism for avoiding name collisions
4329   inside proprietary software or intranet processing, since the prefix
4330   would ensure that private names never collide with a newly registered
4331   Internet name.)
4332
4333   New header field values typically have their syntax defined using
4334   ABNF ([RFC5234]), using the extension defined in Section 7 of [Part1]
4335   as necessary, and are usually constrained to the range of ASCII
4336   characters.  Header fields needing a greater range of characters can
4337   use an encoding such as the one defined in [RFC5987].
4338
4339   Leading and trailing whitespace in raw field values is removed upon
4340   field parsing (Section 3.2.4 of [Part1]).  Field definitions where
4341   leading or trailing whitespace in values is significant will have to
4342   use a container syntax such as quoted-string.
4343
4344   Because commas (",") are used as a generic delimiter between field-
4345   values, they need to be treated with care if they are allowed in the
4346   field-value.  Typically, components that might contain a comma are
4347   protected with double-quotes using the quoted-string ABNF production
4348   (Section 3.2.6 of [Part1]).
4349
4350   For example, a textual date and a URI (either of which might contain
4351   a comma) could be safely carried in field-values like these:
4352
4353     Example-URI-Field: "http://example.com/a.html,foo",
4354                        "http://without-a-comma.example.com/"
4355     Example-Date-Field: "Sat, 04 May 1996", "Wed, 14 Sep 2005"
4356
4357   Note that double-quote delimiters almost always are used with the
4358   quoted-string production; using a different syntax inside double-
4359   quotes will likely cause unnecessary confusion.
4360
4361   Many header fields use a format including (case-insensitively) named
4362   parameters (for instance, Content-Type, defined in Section 3.1.1.5).
4363   Allowing both unquoted (token) and quoted (quoted-string) syntax for
4364
4365
4366
4367Fielding & Reschke       Expires March 29, 2014                [Page 78]
4368
4369Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4370
4371
4372   the parameter value enables recipients to use existing parser
4373   components.  When allowing both forms, the meaning of a parameter
4374   value ought to be independent of the syntax used for it (for an
4375   example, see the notes on parameter handling for media types in
4376   Section 3.1.1.1).
4377
4378   Authors of specifications defining new header fields are advised to
4379   consider documenting:
4380
4381   o  Whether the field is a single value, or whether it can be a list
4382      (delimited by commas; see Section 3.2 of [Part1]).
4383
4384      If it does not use the list syntax, document how to treat messages
4385      where the field occurs multiple times (a sensible default would be
4386      to ignore the field, but this might not always be the right
4387      choice).
4388
4389      Note that intermediaries and software libraries might combine
4390      multiple header field instances into a single one, despite the
4391      field's definition not allowing the list syntax.  A robust format
4392      enables recipients to discover these situations (good example:
4393      "Content-Type", as the comma can only appear inside quoted
4394      strings; bad example: "Location", as a comma can occur inside a
4395      URI).
4396
4397   o  Under what conditions the header field can be used; e.g., only in
4398      responses or requests, in all messages, only on responses to a
4399      particular request method, etc.
4400
4401   o  Whether the field should be stored by origin servers that
4402      understand it upon a PUT request.
4403
4404   o  Whether the field semantics are further refined by the context,
4405      such as by existing request methods or status codes.
4406
4407   o  Whether it is appropriate to list the field-name in the Connection
4408      header field (i.e., if the header field is to be hop-by-hop; see
4409      Section 6.1 of [Part1]).
4410
4411   o  Under what conditions intermediaries are allowed to insert,
4412      delete, or modify the field's value.
4413
4414   o  Whether it is appropriate to list the field-name in a Vary
4415      response header field (e.g., when the request header field is used
4416      by an origin server's content selection algorithm; see
4417      Section 7.1.4).
4418
4419
4420
4421
4422
4423Fielding & Reschke       Expires March 29, 2014                [Page 79]
4424
4425Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4426
4427
4428   o  Whether the header field is useful or allowable in trailers (see
4429      Section 4.1 of [Part1]).
4430
4431   o  Whether the header field ought to be preserved across redirects.
4432
44338.3.2.  Registrations
4434
4435   The Message Header Field Registry shall be updated with the following
4436   permanent registrations:
4437
4438   +-------------------+----------+----------+-----------------+
4439   | Header Field Name | Protocol | Status   | Reference       |
4440   +-------------------+----------+----------+-----------------+
4441   | Accept            | http     | standard | Section 5.3.2   |
4442   | Accept-Charset    | http     | standard | Section 5.3.3   |
4443   | Accept-Encoding   | http     | standard | Section 5.3.4   |
4444   | Accept-Language   | http     | standard | Section 5.3.5   |
4445   | Allow             | http     | standard | Section 7.4.1   |
4446   | Content-Encoding  | http     | standard | Section 3.1.2.2 |
4447   | Content-Language  | http     | standard | Section 3.1.3.2 |
4448   | Content-Location  | http     | standard | Section 3.1.4.2 |
4449   | Content-Type      | http     | standard | Section 3.1.1.5 |
4450   | Date              | http     | standard | Section 7.1.1.2 |
4451   | Expect            | http     | standard | Section 5.1.1   |
4452   | From              | http     | standard | Section 5.5.1   |
4453   | Location          | http     | standard | Section 7.1.2   |
4454   | MIME-Version      | http     | standard | Appendix A.1    |
4455   | Max-Forwards      | http     | standard | Section 5.1.2   |
4456   | Referer           | http     | standard | Section 5.5.2   |
4457   | Retry-After       | http     | standard | Section 7.1.3   |
4458   | Server            | http     | standard | Section 7.4.2   |
4459   | User-Agent        | http     | standard | Section 5.5.3   |
4460   | Vary              | http     | standard | Section 7.1.4   |
4461   +-------------------+----------+----------+-----------------+
4462
4463   The change controller for the above registrations is: "IETF
4464   (iesg@ietf.org) - Internet Engineering Task Force".
4465
44668.4.  Content Coding Registry
4467
4468   The HTTP Content Coding Registry defines the name space for content
4469   coding names (Section 4.2 of [Part1]).  The content coding registry
4470   is maintained at <http://www.iana.org/assignments/http-parameters>.
4471
44728.4.1.  Procedure
4473
4474   Content Coding registrations MUST include the following fields:
4475
4476
4477
4478
4479Fielding & Reschke       Expires March 29, 2014                [Page 80]
4480
4481Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4482
4483
4484   o  Name
4485
4486   o  Description
4487
4488   o  Pointer to specification text
4489
4490   Names of content codings MUST NOT overlap with names of transfer
4491   codings (Section 4 of [Part1]), unless the encoding transformation is
4492   identical (as is the case for the compression codings defined in
4493   Section 4.2 of [Part1]).
4494
4495   Values to be added to this name space require IETF Review (see
4496   Section 4.1 of [RFC5226]), and MUST conform to the purpose of content
4497   coding defined in this section.
4498
44998.4.2.  Registrations
4500
4501   The HTTP Content Codings Registry shall be updated with the
4502   registrations below:
4503
4504   +------------+--------------------------------------+---------------+
4505   | Name       | Description                          | Reference     |
4506   +------------+--------------------------------------+---------------+
4507   | compress   | UNIX "compress" data format [Welch]  | Section 4.2.1 |
4508   |            |                                      | of [Part1]    |
4509   | deflate    | "deflate" compressed data            | Section 4.2.2 |
4510   |            | ([RFC1951]) inside the "zlib" data   | of [Part1]    |
4511   |            | format ([RFC1950])                   |               |
4512   | gzip       | GZIP file format [RFC1952]           | Section 4.2.3 |
4513   |            |                                      | of [Part1]    |
4514   | identity   | Reserved (synonym for "no encoding"  | Section 5.3.4 |
4515   |            | in Accept-Encoding)                  |               |
4516   | x-compress | Deprecated (alias for compress)      | Section 4.2.1 |
4517   |            |                                      | of [Part1]    |
4518   | x-gzip     | Deprecated (alias for gzip)          | Section 4.2.3 |
4519   |            |                                      | of [Part1]    |
4520   +------------+--------------------------------------+---------------+
4521
45229.  Security Considerations
4523
4524   This section is meant to inform developers, information providers,
4525   and users of known security concerns relevant to HTTP/1.1 semantics
4526   and its use for transferring information over the Internet.
4527
45289.1.  Attacks Based On File and Path Names
4529
4530   Origin servers frequently make use of their local file system to
4531   manage the mapping from effective request URI to resource
4532
4533
4534
4535Fielding & Reschke       Expires March 29, 2014                [Page 81]
4536
4537Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4538
4539
4540   representations.  Implementers need to be aware that most file
4541   systems are not designed to protect against malicious file or path
4542   names, and thus depend on the origin server to avoid mapping to file
4543   names, folders, or directories that have special significance to the
4544   system.
4545
4546   For example, UNIX, Microsoft Windows, and other operating systems use
4547   ".." as a path component to indicate a directory level above the
4548   current one, and use specially named paths or file names to send data
4549   to system devices.  Similar naming conventions might exist within
4550   other types of storage systems.  Likewise, local storage systems have
4551   an annoying tendency to prefer user-friendliness over security when
4552   handling invalid or unexpected characters, recomposition of
4553   decomposed characters, and case-normalization of case-insensitive
4554   names.
4555
4556   Attacks based on such special names tend to focus on either denial of
4557   service (e.g., telling the server to read from a COM port) or
4558   disclosure of configuration and source files that are not meant to be
4559   served.
4560
45619.2.  Personal Information
4562
4563   Clients are often privy to large amounts of personal information,
4564   including both information provided by the user to interact with
4565   resources (e.g., the user's name, location, mail address, passwords,
4566   encryption keys, etc.) and information about the user's browsing
4567   activity over time (e.g., history, bookmarks, etc.).  Implementations
4568   need to prevent unintentional leakage of personal information.
4569
45709.3.  Sensitive Information in URIs
4571
4572   URIs are intended to be shared, not secured, even when they identify
4573   secure resources.  URIs are often shown on displays, added to
4574   templates when a page is printed, and stored in a variety of
4575   unprotected bookmark lists.  It is therefore unwise to include
4576   information within a URI that is sensitive, personally identifiable,
4577   or a risk to disclose.
4578
4579   Authors of services ought to avoid GET-based forms for the submission
4580   of sensitive data because that data will be placed in the request-
4581   target.  Many existing servers, proxies, and user agents log or
4582   display the request-target in places where it might be visible to
4583   third parties.  Such services ought to use POST-based form submission
4584   instead.
4585
4586   Since the Referer header field tells a target site about the context
4587   that resulted in a request, it has the potential to reveal
4588
4589
4590
4591Fielding & Reschke       Expires March 29, 2014                [Page 82]
4592
4593Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4594
4595
4596   information about the user's immediate browsing history and any
4597   personal information that might be found in the referring resource's
4598   URI.  Limitations on Referer are described in Section 5.5.2 to
4599   address some of its security considerations.
4600
46019.4.  Product Information
4602
4603   The User-Agent (Section 5.5.3), Via (Section 5.7.1 of [Part1]), and
4604   Server (Section 7.4.2) header fields often reveal information about
4605   the respective sender's software systems.  In theory, this can make
4606   it easier for an attacker to exploit known security holes; in
4607   practice, attackers tend to try all potential holes regardless of the
4608   apparent software versions being used.
4609
4610   Proxies that serve as a portal through a network firewall ought to
4611   take special precautions regarding the transfer of header information
4612   that might identify hosts behind the firewall.  The Via header field
4613   allows intermediaries to replace sensitive machine names with
4614   pseudonyms.
4615
46169.5.  Fragment after Redirects
4617
4618   Although fragment identifiers used within URI references are not sent
4619   in requests, implementers ought to be aware that they will be visible
4620   to the user agent and any extensions or scripts running as a result
4621   of the response.  In particular, when a redirect occurs and the
4622   original request's fragment identifier is inherited by the new
4623   reference in Location (Section 7.1.2), this might have the effect of
4624   leaking one site's fragment to another site.  If the first site uses
4625   personal information in fragments, it ought to ensure that redirects
4626   to other sites include a (possibly empty) fragment component in order
4627   to block that inheritance.
4628
46299.6.  Browser Fingerprinting
4630
4631   Browser fingerprinting is a set of techniques for identifying a
4632   specific user agent over time through its unique set of
4633   characteristics.  These characteristics might include information
4634   related to its TCP behavior, feature capabilities, and scripting
4635   environment, though of particular interest here is the set of unique
4636   characteristics that might be communicated via HTTP.  Fingerprinting
4637   is considered a privacy concern because it enables tracking of a user
4638   agent's behavior over time without the corresponding controls that
4639   the user might have over other forms of data collection (e.g.,
4640   cookies).  Many general-purpose user agents (i.e., Web browsers) have
4641   taken steps to reduce their fingerprints.
4642
4643   There are a number of request header fields that might reveal
4644
4645
4646
4647Fielding & Reschke       Expires March 29, 2014                [Page 83]
4648
4649Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4650
4651
4652   information to servers that is sufficiently unique to enable
4653   fingerprinting.  The From header field is the most obvious, though it
4654   is expected that From will only be sent when self-identification is
4655   desired by the user.  Likewise, Cookie header fields are deliberately
4656   designed to enable re-identification, so we can assume that
4657   fingerprinting concerns only apply to situations where cookies are
4658   disabled or restricted by the user agent's configuration.
4659
4660   The User-Agent header field might contain enough information to
4661   uniquely identify a specific device, usually when combined with other
4662   characteristics, particularly if the user agent sends excessive
4663   details about the user's system or extensions.  However, the source
4664   of unique information that is least expected by users is proactive
4665   negotiation (Section 5.3), including the Accept, Accept-Charset,
4666   Accept-Encoding, and Accept-Language header fields.
4667
4668   In addition to the fingerprinting concern, detailed use of the
4669   Accept-Language header field can reveal information the user might
4670   consider to be of a private nature, because the understanding of
4671   particular languages is often strongly correlated to membership in a
4672   particular ethnic group.  An approach that limits such loss of
4673   privacy would be for a user agent to omit the sending of Accept-
4674   Language except for sites that have been whitelisted, perhaps via
4675   interaction after detecting a Vary header field that would indicate
4676   language negotiation might be useful.
4677
4678   In environments where proxies are used to enhance privacy, user
4679   agents ought to be conservative in sending proactive negotiation
4680   header fields.  General-purpose user agents that provide a high
4681   degree of header field configurability ought to inform users about
4682   the loss of privacy that might result if too much detail is provided.
4683   As an extreme privacy measure, proxies could filter the proactive
4684   negotiation header fields in relayed requests.
4685
468610.  Acknowledgments
4687
4688   See Section 10 of [Part1].
4689
469011.  References
4691
469211.1.  Normative References
4693
4694   [Part1]       Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
4695                 Transfer Protocol (HTTP/1.1): Message Syntax and
4696                 Routing", draft-ietf-httpbis-p1-messaging-24 (work in
4697                 progress), September 2013.
4698
4699   [Part4]       Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
4700
4701
4702
4703Fielding & Reschke       Expires March 29, 2014                [Page 84]
4704
4705Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4706
4707
4708                 Transfer Protocol (HTTP/1.1): Conditional Requests",
4709                 draft-ietf-httpbis-p4-conditional-24 (work in
4710                 progress), September 2013.
4711
4712   [Part5]       Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed.,
4713                 "Hypertext Transfer Protocol (HTTP/1.1): Range
4714                 Requests", draft-ietf-httpbis-p5-range-24 (work in
4715                 progress), September 2013.
4716
4717   [Part6]       Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
4718                 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
4719                 draft-ietf-httpbis-p6-cache-24 (work in progress),
4720                 September 2013.
4721
4722   [Part7]       Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
4723                 Transfer Protocol (HTTP/1.1): Authentication",
4724                 draft-ietf-httpbis-p7-auth-24 (work in progress),
4725                 September 2013.
4726
4727   [RFC1950]     Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data
4728                 Format Specification version 3.3", RFC 1950, May 1996.
4729
4730   [RFC1951]     Deutsch, P., "DEFLATE Compressed Data Format
4731                 Specification version 1.3", RFC 1951, May 1996.
4732
4733   [RFC1952]     Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and
4734                 G. Randers-Pehrson, "GZIP file format specification
4735                 version 4.3", RFC 1952, May 1996.
4736
4737   [RFC2045]     Freed, N. and N. Borenstein, "Multipurpose Internet
4738                 Mail Extensions (MIME) Part One: Format of Internet
4739                 Message Bodies", RFC 2045, November 1996.
4740
4741   [RFC2046]     Freed, N. and N. Borenstein, "Multipurpose Internet
4742                 Mail Extensions (MIME) Part Two: Media Types",
4743                 RFC 2046, November 1996.
4744
4745   [RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
4746                 Requirement Levels", BCP 14, RFC 2119, March 1997.
4747
4748   [RFC3986]     Berners-Lee, T., Fielding, R., and L. Masinter,
4749                 "Uniform Resource Identifier (URI): Generic Syntax",
4750                 STD 66, RFC 3986, January 2005.
4751
4752   [RFC4647]     Phillips, A., Ed. and M. Davis, Ed., "Matching of
4753                 Language Tags", BCP 47, RFC 4647, September 2006.
4754
4755   [RFC5234]     Crocker, D., Ed. and P. Overell, "Augmented BNF for
4756
4757
4758
4759Fielding & Reschke       Expires March 29, 2014                [Page 85]
4760
4761Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4762
4763
4764                 Syntax Specifications: ABNF", STD 68, RFC 5234,
4765                 January 2008.
4766
4767   [RFC5646]     Phillips, A., Ed. and M. Davis, Ed., "Tags for
4768                 Identifying Languages", BCP 47, RFC 5646,
4769                 September 2009.
4770
4771   [RFC6365]     Hoffman, P. and J. Klensin, "Terminology Used in
4772                 Internationalization in the IETF", BCP 166, RFC 6365,
4773                 September 2011.
4774
4775   [Welch]       Welch, T., "A Technique for High Performance Data
4776                 Compression", IEEE Computer 17(6), June 1984.
4777
477811.2.  Informative References
4779
4780   [BCP13]       Freed, N., Klensin, J., and T. Hansen, "Media Type
4781                 Specifications and Registration Procedures", BCP 13,
4782                 RFC 6838, January 2013.
4783
4784   [BCP90]       Klyne, G., Nottingham, M., and J. Mogul, "Registration
4785                 Procedures for Message Header Fields", BCP 90,
4786                 RFC 3864, September 2004.
4787
4788   [REST]        Fielding, R., "Architectural Styles and the Design of
4789                 Network-based Software Architectures", Doctoral
4790                 Dissertation, University of California, Irvine ,
4791                 September 2000,
4792                 <http://roy.gbiv.com/pubs/dissertation/top.htm>.
4793
4794   [RFC1305]     Mills, D., "Network Time Protocol (Version 3)
4795                 Specification, Implementation", RFC 1305, March 1992.
4796
4797   [RFC1945]     Berners-Lee, T., Fielding, R., and H. Nielsen,
4798                 "Hypertext Transfer Protocol -- HTTP/1.0", RFC 1945,
4799                 May 1996.
4800
4801   [RFC2049]     Freed, N. and N. Borenstein, "Multipurpose Internet
4802                 Mail Extensions (MIME) Part Five: Conformance Criteria
4803                 and Examples", RFC 2049, November 1996.
4804
4805   [RFC2068]     Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and
4806                 T. Berners-Lee, "Hypertext Transfer Protocol --
4807                 HTTP/1.1", RFC 2068, January 1997.
4808
4809   [RFC2295]     Holtman, K. and A. Mutz, "Transparent Content
4810                 Negotiation in HTTP", RFC 2295, March 1998.
4811
4812
4813
4814
4815Fielding & Reschke       Expires March 29, 2014                [Page 86]
4816
4817Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4818
4819
4820   [RFC2388]     Masinter, L., "Returning Values from Forms:  multipart/
4821                 form-data", RFC 2388, August 1998.
4822
4823   [RFC2557]     Palme, F., Hopmann, A., Shelness, N., and E. Stefferud,
4824                 "MIME Encapsulation of Aggregate Documents, such as
4825                 HTML (MHTML)", RFC 2557, March 1999.
4826
4827   [RFC2616]     Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
4828                 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
4829                 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
4830
4831   [RFC2774]     Frystyk, H., Leach, P., and S. Lawrence, "An HTTP
4832                 Extension Framework", RFC 2774, February 2000.
4833
4834   [RFC2817]     Khare, R. and S. Lawrence, "Upgrading to TLS Within
4835                 HTTP/1.1", RFC 2817, May 2000.
4836
4837   [RFC2978]     Freed, N. and J. Postel, "IANA Charset Registration
4838                 Procedures", BCP 19, RFC 2978, October 2000.
4839
4840   [RFC5226]     Narten, T. and H. Alvestrand, "Guidelines for Writing
4841                 an IANA Considerations Section in RFCs", BCP 26,
4842                 RFC 5226, May 2008.
4843
4844   [RFC5322]     Resnick, P., "Internet Message Format", RFC 5322,
4845                 October 2008.
4846
4847   [RFC5789]     Dusseault, L. and J. Snell, "PATCH Method for HTTP",
4848                 RFC 5789, March 2010.
4849
4850   [RFC5987]     Reschke, J., "Character Set and Language Encoding for
4851                 Hypertext Transfer Protocol (HTTP) Header Field
4852                 Parameters", RFC 5987, August 2010.
4853
4854   [RFC5988]     Nottingham, M., "Web Linking", RFC 5988, October 2010.
4855
4856   [RFC6265]     Barth, A., "HTTP State Management Mechanism", RFC 6265,
4857                 April 2011.
4858
4859   [RFC6266]     Reschke, J., "Use of the Content-Disposition Header
4860                 Field in the Hypertext Transfer Protocol (HTTP)",
4861                 RFC 6266, June 2011.
4862
4863   [status-308]  Reschke, J., "The Hypertext Transfer Protocol (HTTP)
4864                 Status Code 308 (Permanent Redirect)",
4865                 draft-reschke-http-status-308-07 (work in progress),
4866                 March 2012.
4867
4868
4869
4870
4871Fielding & Reschke       Expires March 29, 2014                [Page 87]
4872
4873Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4874
4875
4876Appendix A.  Differences between HTTP and MIME
4877
4878   HTTP/1.1 uses many of the constructs defined for the Internet Message
4879   Format [RFC5322] and the Multipurpose Internet Mail Extensions (MIME)
4880   [RFC2045] to allow a message body to be transmitted in an open
4881   variety of representations and with extensible header fields.
4882   However, RFC 2045 is focused only on email; applications of HTTP have
4883   many characteristics that differ from email, and hence HTTP has
4884   features that differ from MIME.  These differences were carefully
4885   chosen to optimize performance over binary connections, to allow
4886   greater freedom in the use of new media types, to make date
4887   comparisons easier, and to acknowledge the practice of some early
4888   HTTP servers and clients.
4889
4890   This appendix describes specific areas where HTTP differs from MIME.
4891   Proxies and gateways to and from strict MIME environments need to be
4892   aware of these differences and provide the appropriate conversions
4893   where necessary.
4894
4895A.1.  MIME-Version
4896
4897   HTTP is not a MIME-compliant protocol.  However, messages can include
4898   a single MIME-Version header field to indicate what version of the
4899   MIME protocol was used to construct the message.  Use of the MIME-
4900   Version header field indicates that the message is in full
4901   conformance with the MIME protocol (as defined in [RFC2045]).
4902   Senders are responsible for ensuring full conformance (where
4903   possible) when exporting HTTP messages to strict MIME environments.
4904
4905A.2.  Conversion to Canonical Form
4906
4907   MIME requires that an Internet mail body part be converted to
4908   canonical form prior to being transferred, as described in Section 4
4909   of [RFC2049].  Section 3.1.1.3 of this document describes the forms
4910   allowed for subtypes of the "text" media type when transmitted over
4911   HTTP.  [RFC2046] requires that content with a type of "text"
4912   represent line breaks as CRLF and forbids the use of CR or LF outside
4913   of line break sequences.  HTTP allows CRLF, bare CR, and bare LF to
4914   indicate a line break within text content.
4915
4916   A proxy or gateway from HTTP to a strict MIME environment ought to
4917   translate all line breaks within the text media types described in
4918   Section 3.1.1.3 of this document to the RFC 2049 canonical form of
4919   CRLF.  Note, however, this might be complicated by the presence of a
4920   Content-Encoding and by the fact that HTTP allows the use of some
4921   charsets that do not use octets 13 and 10 to represent CR and LF,
4922   respectively.
4923
4924
4925
4926
4927Fielding & Reschke       Expires March 29, 2014                [Page 88]
4928
4929Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4930
4931
4932   Conversion will break any cryptographic checksums applied to the
4933   original content unless the original content is already in canonical
4934   form.  Therefore, the canonical form is recommended for any content
4935   that uses such checksums in HTTP.
4936
4937A.3.  Conversion of Date Formats
4938
4939   HTTP/1.1 uses a restricted set of date formats (Section 7.1.1.1) to
4940   simplify the process of date comparison.  Proxies and gateways from
4941   other protocols ought to ensure that any Date header field present in
4942   a message conforms to one of the HTTP/1.1 formats and rewrite the
4943   date if necessary.
4944
4945A.4.  Conversion of Content-Encoding
4946
4947   MIME does not include any concept equivalent to HTTP/1.1's Content-
4948   Encoding header field.  Since this acts as a modifier on the media
4949   type, proxies and gateways from HTTP to MIME-compliant protocols
4950   ought to either change the value of the Content-Type header field or
4951   decode the representation before forwarding the message.  (Some
4952   experimental applications of Content-Type for Internet mail have used
4953   a media-type parameter of ";conversions=<content-coding>" to perform
4954   a function equivalent to Content-Encoding.  However, this parameter
4955   is not part of the MIME standards).
4956
4957A.5.  Conversion of Content-Transfer-Encoding
4958
4959   HTTP does not use the Content-Transfer-Encoding field of MIME.
4960   Proxies and gateways from MIME-compliant protocols to HTTP need to
4961   remove any Content-Transfer-Encoding prior to delivering the response
4962   message to an HTTP client.
4963
4964   Proxies and gateways from HTTP to MIME-compliant protocols are
4965   responsible for ensuring that the message is in the correct format
4966   and encoding for safe transport on that protocol, where "safe
4967   transport" is defined by the limitations of the protocol being used.
4968   Such a proxy or gateway ought to transform and label the data with an
4969   appropriate Content-Transfer-Encoding if doing so will improve the
4970   likelihood of safe transport over the destination protocol.
4971
4972A.6.  MHTML and Line Length Limitations
4973
4974   HTTP implementations that share code with MHTML [RFC2557]
4975   implementations need to be aware of MIME line length limitations.
4976   Since HTTP does not have this limitation, HTTP does not fold long
4977   lines.  MHTML messages being transported by HTTP follow all
4978   conventions of MHTML, including line length limitations and folding,
4979   canonicalization, etc., since HTTP transfers message-bodies as
4980
4981
4982
4983Fielding & Reschke       Expires March 29, 2014                [Page 89]
4984
4985Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
4986
4987
4988   payload and, aside from the "multipart/byteranges" type (Appendix A
4989   of [Part5]), does not interpret the content or any MIME header lines
4990   that might be contained therein.
4991
4992Appendix B.  Changes from RFC 2616
4993
4994   The primary changes in this revision have been editorial in nature:
4995   extracting the messaging syntax and partitioning HTTP semantics into
4996   separate documents for the core features, conditional requests,
4997   partial requests, caching, and authentication.  The conformance
4998   language has been revised to clearly target requirements and the
4999   terminology has been improved to distinguish payload from
5000   representations and representations from resources.
5001
5002   A new requirement has been added that semantics embedded in a URI
5003   should be disabled when those semantics are inconsistent with the
5004   request method, since this is a common cause of interoperability
5005   failure.  (Section 2)
5006
5007   An algorithm has been added for determining if a payload is
5008   associated with a specific identifier.  (Section 3.1.4.1)
5009
5010   The default charset of ISO-8859-1 for text media types has been
5011   removed; the default is now whatever the media type definition says.
5012   Likewise, special treatment of ISO-8859-1 has been removed from the
5013   Accept-Charset header field.  (Section 3.1.1.3 and Section 5.3.3)
5014
5015   The definition of Content-Location has been changed to no longer
5016   affect the base URI for resolving relative URI references, due to
5017   poor implementation support and the undesirable effect of potentially
5018   breaking relative links in content-negotiated resources.
5019   (Section 3.1.4.2)
5020
5021   To be consistent with the method-neutral parsing algorithm of
5022   [Part1], the definition of GET has been relaxed so that requests can
5023   have a body, even though a body has no meaning for GET.
5024   (Section 4.3.1)
5025
5026   Servers are no longer required to handle all Content-* header fields
5027   and use of Content-Range has been explicitly banned in PUT requests.
5028   (Section 4.3.4)
5029
5030   Definition of the CONNECT method has been moved from [RFC2817] to
5031   this specification.  (Section 4.3.6)
5032
5033   The OPTIONS and TRACE request methods have been defined as being
5034   safe.  (Section 4.3.7 and Section 4.3.8)
5035
5036
5037
5038
5039Fielding & Reschke       Expires March 29, 2014                [Page 90]
5040
5041Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5042
5043
5044   The Expect header field's extension mechanism has been removed due to
5045   widely-deployed broken implementations.  (Section 5.1.1)
5046
5047   The Max-Forwards header field has been restricted to the OPTIONS and
5048   TRACE methods; previously, extension methods could have used it as
5049   well.  (Section 5.1.2)
5050
5051   The "about:blank" URI has been suggested as a value for the Referer
5052   header field when no referring URI is applicable, which distinguishes
5053   that case from others where the Referer field is not sent or has been
5054   removed.  (Section 5.5.2)
5055
5056   The following status codes are now cacheable (that is, they can be
5057   stored and reused by a cache without explicit freshness information
5058   present): 204, 404, 405, 414, 501.  (Section 6)
5059
5060   The 201 (Created) status description has been changed to allow for
5061   the possibility that more than one resource has been created.
5062   (Section 6.3.2)
5063
5064   The definition of 203 (Non-Authoritative Information) has been
5065   broadened to include cases of payload transformations as well.
5066   (Section 6.3.4)
5067
5068   The set of request methods that are safe to automatically redirect is
5069   no longer closed; user agents are able to make that determination
5070   based upon the request method semantics.  The redirect status codes
5071   301, 302, and 307 no longer have normative requirements on response
5072   payloads and user interaction.  (Section 6.4)
5073
5074   The status codes 301 and 302 have been changed to allow user agents
5075   to rewrite the method from POST to GET.  (Sections 6.4.2 and 6.4.3)
5076
5077   The description of 303 (See Other) status code has been changed to
5078   allow it to be cached if explicit freshness information is given, and
5079   a specific definition has been added for a 303 response to GET.
5080   (Section 6.4.4)
5081
5082   The 305 (Use Proxy) status code has been deprecated due to security
5083   concerns regarding in-band configuration of a proxy.  (Section 6.4.5)
5084
5085   The 400 (Bad Request) status code has been relaxed so that it isn't
5086   limited to syntax errors.  (Section 6.5.1)
5087
5088   The 426 (Upgrade Required) status code has been incorporated from
5089   [RFC2817].  (Section 6.5.15)
5090
5091   The target of requirements on HTTP-date and the Date header field
5092
5093
5094
5095Fielding & Reschke       Expires March 29, 2014                [Page 91]
5096
5097Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5098
5099
5100   have been reduced to those systems generating the date, rather than
5101   all systems sending a date.  (Section 7.1.1)
5102
5103   The syntax of the Location header field has been changed to allow all
5104   URI references, including relative references and fragments, along
5105   with some clarifications as to when use of fragments would not be
5106   appropriate.  (Section 7.1.2)
5107
5108   Allow has been reclassified as a response header field, removing the
5109   option to specify it in a PUT request.  Requirements relating to the
5110   content of Allow have been relaxed; correspondingly, clients are not
5111   required to always trust its value.  (Section 7.4.1)
5112
5113   A Method Registry has been defined.  (Section 8.1)
5114
5115   The Status Code Registry has been redefined by this specification;
5116   previously, it was defined in Section 7.1 of [RFC2817].
5117   (Section 8.2)
5118
5119   Registration of Content Codings has been changed to require IETF
5120   Review.  (Section 8.4)
5121
5122   The Content-Disposition header field has been removed since it is now
5123   defined by [RFC6266].
5124
5125   The Content-MD5 header field has been removed because it was
5126   inconsistently implemented with respect to partial responses.
5127
5128Appendix C.  Imported ABNF
5129
5130   The following core rules are included by reference, as defined in
5131   Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return),
5132   CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double
5133   quote), HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF
5134   (line feed), OCTET (any 8-bit sequence of data), SP (space), and
5135   VCHAR (any visible US-ASCII character).
5136
5137   The rules below are defined in [Part1]:
5138
5139
5140
5141
5142
5143
5144
5145
5146
5147
5148
5149
5150
5151Fielding & Reschke       Expires March 29, 2014                [Page 92]
5152
5153Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5154
5155
5156     BWS           = <BWS, defined in [Part1], Section 3.2.3>
5157     OWS           = <OWS, defined in [Part1], Section 3.2.3>
5158     RWS           = <RWS, defined in [Part1], Section 3.2.3>
5159     URI-reference = <URI-reference, defined in [Part1], Section 2.7>
5160     absolute-URI  = <absolute-URI, defined in [Part1], Section 2.7>
5161     comment       = <comment, defined in [Part1], Section 3.2.6>
5162     field-name    = <comment, defined in [Part1], Section 3.2>
5163     partial-URI   = <partial-URI, defined in [Part1], Section 2.7>
5164     quoted-string = <quoted-string, defined in [Part1], Section 3.2.6>
5165     token         = <token, defined in [Part1], Section 3.2.6>
5166     word          = <word, defined in [Part1], Section 3.2.6>
5167
5168Appendix D.  Collected ABNF
5169
5170   In the collected ABNF below, list rules are expanded as per Section
5171   1.2 of [Part1].
5172
5173   Accept = [ ( "," / ( media-range [ accept-params ] ) ) *( OWS "," [
5174    OWS ( media-range [ accept-params ] ) ] ) ]
5175   Accept-Charset = *( "," OWS ) ( ( charset / "*" ) [ weight ] ) *( OWS
5176    "," [ OWS ( ( charset / "*" ) [ weight ] ) ] )
5177   Accept-Encoding = [ ( "," / ( codings [ weight ] ) ) *( OWS "," [ OWS
5178    ( codings [ weight ] ) ] ) ]
5179   Accept-Language = *( "," OWS ) ( language-range [ weight ] ) *( OWS
5180    "," [ OWS ( language-range [ weight ] ) ] )
5181   Allow = [ ( "," / method ) *( OWS "," [ OWS method ] ) ]
5182
5183   BWS = <BWS, defined in [Part1], Section 3.2.3>
5184
5185   Content-Encoding = *( "," OWS ) content-coding *( OWS "," [ OWS
5186    content-coding ] )
5187   Content-Language = *( "," OWS ) language-tag *( OWS "," [ OWS
5188    language-tag ] )
5189   Content-Location = absolute-URI / partial-URI
5190   Content-Type = media-type
5191
5192   Date = HTTP-date
5193
5194   Expect = "100-continue"
5195
5196   From = mailbox
5197
5198   GMT = %x47.4D.54 ; GMT
5199
5200   HTTP-date = IMF-fixdate / obs-date
5201
5202   IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT
5203
5204
5205
5206
5207Fielding & Reschke       Expires March 29, 2014                [Page 93]
5208
5209Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5210
5211
5212   Location = URI-reference
5213
5214   Max-Forwards = 1*DIGIT
5215
5216   OWS = <OWS, defined in [Part1], Section 3.2.3>
5217
5218   RWS = <RWS, defined in [Part1], Section 3.2.3>
5219   Referer = absolute-URI / partial-URI
5220   Retry-After = HTTP-date / delta-seconds
5221
5222   Server = product *( RWS ( product / comment ) )
5223
5224   URI-reference = <URI-reference, defined in [Part1], Section 2.7>
5225   User-Agent = product *( RWS ( product / comment ) )
5226
5227   Vary = "*" / ( *( "," OWS ) field-name *( OWS "," [ OWS field-name ]
5228    ) )
5229
5230   absolute-URI = <absolute-URI, defined in [Part1], Section 2.7>
5231   accept-ext = OWS ";" OWS token [ "=" word ]
5232   accept-params = weight *accept-ext
5233   asctime-date = day-name SP date3 SP time-of-day SP year
5234   attribute = token
5235
5236   charset = token
5237   codings = content-coding / "identity" / "*"
5238   comment = <comment, defined in [Part1], Section 3.2.6>
5239   content-coding = token
5240
5241   date1 = day SP month SP year
5242   date2 = day "-" month "-" 2DIGIT
5243   date3 = month SP ( 2DIGIT / ( SP DIGIT ) )
5244   day = 2DIGIT
5245   day-name = %x4D.6F.6E ; Mon
5246    / %x54.75.65 ; Tue
5247    / %x57.65.64 ; Wed
5248    / %x54.68.75 ; Thu
5249    / %x46.72.69 ; Fri
5250    / %x53.61.74 ; Sat
5251    / %x53.75.6E ; Sun
5252   day-name-l = %x4D.6F.6E.64.61.79 ; Monday
5253    / %x54.75.65.73.64.61.79 ; Tuesday
5254    / %x57.65.64.6E.65.73.64.61.79 ; Wednesday
5255    / %x54.68.75.72.73.64.61.79 ; Thursday
5256    / %x46.72.69.64.61.79 ; Friday
5257    / %x53.61.74.75.72.64.61.79 ; Saturday
5258    / %x53.75.6E.64.61.79 ; Sunday
5259   delta-seconds = 1*DIGIT
5260
5261
5262
5263Fielding & Reschke       Expires March 29, 2014                [Page 94]
5264
5265Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5266
5267
5268   field-name = <comment, defined in [Part1], Section 3.2>
5269
5270   hour = 2DIGIT
5271
5272   language-range = <language-range, defined in [RFC4647], Section 2.1>
5273   language-tag = <Language-Tag, defined in [RFC5646], Section 2.1>
5274
5275   mailbox = <mailbox, defined in [RFC5322], Section 3.4>
5276   media-range = ( "*/*" / ( type "/*" ) / ( type "/" subtype ) ) *( OWS
5277    ";" OWS parameter )
5278   media-type = type "/" subtype *( OWS ";" OWS parameter )
5279   method = token
5280   minute = 2DIGIT
5281   month = %x4A.61.6E ; Jan
5282    / %x46.65.62 ; Feb
5283    / %x4D.61.72 ; Mar
5284    / %x41.70.72 ; Apr
5285    / %x4D.61.79 ; May
5286    / %x4A.75.6E ; Jun
5287    / %x4A.75.6C ; Jul
5288    / %x41.75.67 ; Aug
5289    / %x53.65.70 ; Sep
5290    / %x4F.63.74 ; Oct
5291    / %x4E.6F.76 ; Nov
5292    / %x44.65.63 ; Dec
5293
5294   obs-date = rfc850-date / asctime-date
5295
5296   parameter = attribute "=" value
5297   partial-URI = <partial-URI, defined in [Part1], Section 2.7>
5298   product = token [ "/" product-version ]
5299   product-version = token
5300
5301   quoted-string = <quoted-string, defined in [Part1], Section 3.2.6>
5302   qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] )
5303
5304   rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT
5305
5306   second = 2DIGIT
5307   subtype = token
5308
5309   time-of-day = hour ":" minute ":" second
5310   token = <token, defined in [Part1], Section 3.2.6>
5311   type = token
5312
5313   value = word
5314
5315   weight = OWS ";" OWS "q=" qvalue
5316
5317
5318
5319Fielding & Reschke       Expires March 29, 2014                [Page 95]
5320
5321Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5322
5323
5324   word = <word, defined in [Part1], Section 3.2.6>
5325
5326   year = 4DIGIT
5327
5328Appendix E.  Change Log (to be removed by RFC Editor before publication)
5329
5330E.1.  Since RFC 2616
5331
5332   Changes up to the first Working Group Last Call draft are summarized
5333   in <http://trac.tools.ietf.org/html/
5334   draft-ietf-httpbis-p2-semantics-21#appendix-F>.
5335
5336E.2.  Since draft-ietf-httpbis-p2-semantics-21
5337
5338   Closed issues:
5339
5340   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/22>: "ETag (and
5341      other metadata) in status messages"
5342
5343   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/96>: "Conditional
5344      GET text"
5345
5346   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/146>: "Clarify
5347      description of 405 (Not Allowed)"
5348
5349   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/223>: "Allowing
5350      heuristic caching for new status codes"
5351
5352   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/315>: "method
5353      semantics: retrieval/representation"
5354
5355   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/388>: "User
5356      confirmation for unsafe methods"
5357
5358   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/404>: "Tentative
5359      Status Codes"
5360
5361   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/418>: "No-Transform"
5362
5363   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/419>: "p2 editorial
5364      feedback"
5365
5366   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/424>: "Absence of
5367      Accept-Encoding"
5368
5369   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/428>: "Accept-
5370      Language ordering for identical qvalues"
5371
5372
5373
5374
5375Fielding & Reschke       Expires March 29, 2014                [Page 96]
5376
5377Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5378
5379
5380   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/432>: "Identify
5381      additional status codes as cacheable by default"
5382
5383   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/434>: "mention in
5384      header field considerations that leading/trailing WS is lossy"
5385
5386E.3.  Since draft-ietf-httpbis-p2-semantics-22
5387
5388   Closed issues:
5389
5390   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/436>: "explain list
5391      expansion in ABNF appendices"
5392
5393   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/448>: "Fallback for
5394      Accept-Language"
5395
5396   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/449>: "Receiving a
5397      higher minor HTTP version number"
5398
5399   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/456>: "Language-tag
5400      vs. language-range"
5401
5402   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/457>: "Registering
5403      x-gzip and x-deflate"
5404
5405   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/459>: "RFC2774 and
5406      method registrations"
5407
5408   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/488>: "Selection
5409      based upon request target"
5410
5411E.4.  Since draft-ietf-httpbis-p2-semantics-23
5412
5413   Closed issues:
5414
5415   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/303>: "400 response
5416      isn't generic"
5417
5418   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/450>: "p2 Editorial
5419      feedback"
5420
5421   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/452>: "Content-
5422      Length in HEAD responses"
5423
5424   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/458>: "Requirements
5425      upon proxies for Expect"
5426
5427
5428
5429
5430
5431Fielding & Reschke       Expires March 29, 2014                [Page 97]
5432
5433Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5434
5435
5436   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/468>: "Expectation
5437      Extensions"
5438
5439   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/470>: "What is
5440      'Cacheable'?"
5441
5442   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/478>: "MUSTs and
5443      other feedback"
5444
5445   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/487>: "Resubmission
5446      of 403"
5447
5448   o  <http://tools.ietf.org/wg/httpbis/trac/ticket/491>: "does 205
5449      allow chunked encoding?"
5450
5451Index
5452
5453   1
5454      1xx Informational (status code class)  50
5455
5456   2
5457      2xx Successful (status code class)  51
5458
5459   3
5460      3xx Redirection (status code class)  54
5461
5462   4
5463      4xx Client Error (status code class)  58
5464
5465   5
5466      5xx Server Error (status code class)  62
5467
5468   1
5469      100 Continue (status code)  50
5470      100-continue (expect value)  34
5471      101 Switching Protocols (status code)  50
5472
5473   2
5474      200 OK (status code)  51
5475      201 Created (status code)  52
5476      202 Accepted (status code)  52
5477      203 Non-Authoritative Information (status code)  52
5478      204 No Content (status code)  53
5479      205 Reset Content (status code)  53
5480
5481   3
5482      300 Multiple Choices (status code)  55
5483      301 Moved Permanently (status code)  56
5484
5485
5486
5487Fielding & Reschke       Expires March 29, 2014                [Page 98]
5488
5489Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5490
5491
5492      302 Found (status code)  56
5493      303 See Other (status code)  57
5494      305 Use Proxy (status code)  57
5495      306 (Unused) (status code)  57
5496      307 Temporary Redirect (status code)  58
5497
5498   4
5499      400 Bad Request (status code)  58
5500      402 Payment Required (status code)  58
5501      403 Forbidden (status code)  58
5502      404 Not Found (status code)  59
5503      405 Method Not Allowed (status code)  59
5504      406 Not Acceptable (status code)  59
5505      408 Request Timeout (status code)  60
5506      409 Conflict (status code)  60
5507      410 Gone (status code)  60
5508      411 Length Required (status code)  61
5509      413 Payload Too Large (status code)  61
5510      414 URI Too Long (status code)  61
5511      415 Unsupported Media Type (status code)  61
5512      417 Expectation Failed (status code)  62
5513      426 Upgrade Required (status code)  62
5514
5515   5
5516      500 Internal Server Error (status code)  62
5517      501 Not Implemented (status code)  62
5518      502 Bad Gateway (status code)  63
5519      503 Service Unavailable (status code)  63
5520      504 Gateway Timeout (status code)  63
5521      505 HTTP Version Not Supported (status code)  63
5522
5523   A
5524      Accept header field  38
5525      Accept-Charset header field  40
5526      Accept-Encoding header field  41
5527      Accept-Language header field  42
5528      Allow header field  72
5529
5530   C
5531      cacheable  24
5532      compress (content coding)  11
5533      conditional request  36
5534      CONNECT method  30
5535      content coding  11
5536      content negotiation  6
5537      Content-Encoding header field  12
5538      Content-Language header field  13
5539      Content-Location header field  15
5540
5541
5542
5543Fielding & Reschke       Expires March 29, 2014                [Page 99]
5544
5545Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5546
5547
5548      Content-Transfer-Encoding header field  89
5549      Content-Type header field  10
5550
5551   D
5552      Date header field  67
5553      deflate (content coding)  11
5554      DELETE method  29
5555
5556   E
5557      Expect header field  34
5558
5559   F
5560      From header field  44
5561
5562   G
5563      GET method  24
5564      Grammar
5565         Accept  38
5566         Accept-Charset  40
5567         Accept-Encoding  41
5568         accept-ext  38
5569         Accept-Language  42
5570         accept-params  38
5571         Allow  72
5572         asctime-date  67
5573         attribute  8
5574         charset  9
5575         codings  41
5576         content-coding  11
5577         Content-Encoding  12
5578         Content-Language  13
5579         Content-Location  15
5580         Content-Type  10
5581         Date  67
5582         date1  66
5583         day  66
5584         day-name  66
5585         day-name-l  66
5586         delta-seconds  70
5587         Expect  34
5588         From  44
5589         GMT  66
5590         hour  66
5591         HTTP-date  64
5592         IMF-fixdate  66
5593         language-range  42
5594         language-tag  13
5595         Location  68
5596
5597
5598
5599Fielding & Reschke       Expires March 29, 2014               [Page 100]
5600
5601Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5602
5603
5604         Max-Forwards  36
5605         media-range  38
5606         media-type  8
5607         method  21
5608         minute  66
5609         month  66
5610         obs-date  66
5611         parameter  8
5612         product  46
5613         product-version  46
5614         qvalue  38
5615         Referer  45
5616         Retry-After  70
5617         rfc850-date  67
5618         second  66
5619         Server  73
5620         subtype  8
5621         time-of-day  66
5622         type  8
5623         User-Agent  46
5624         value  8
5625         Vary  70
5626         weight  38
5627         year  66
5628      gzip (content coding)  11
5629
5630   H
5631      HEAD method  25
5632
5633   I
5634      idempotent  23
5635
5636   L
5637      Location header field  68
5638
5639   M
5640      Max-Forwards header field  36
5641      MIME-Version header field  88
5642
5643   O
5644      OPTIONS method  31
5645
5646   P
5647      payload  17
5648      POST method  25
5649      PUT method  26
5650
5651   R
5652
5653
5654
5655Fielding & Reschke       Expires March 29, 2014               [Page 101]
5656
5657Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5658
5659
5660      Referer header field  45
5661      representation  7
5662      Retry-After header field  69
5663
5664   S
5665      safe  22
5666      selected representation  7, 71
5667      Server header field  73
5668      Status Codes Classes
5669         1xx Informational  50
5670         2xx Successful  51
5671         3xx Redirection  54
5672         4xx Client Error  58
5673         5xx Server Error  62
5674
5675   T
5676      TRACE method  32
5677
5678   U
5679      User-Agent header field  46
5680
5681   V
5682      Vary header field  70
5683
5684   X
5685      x-compress (content coding)  11
5686      x-gzip (content coding)  11
5687
5688Authors' Addresses
5689
5690   Roy T. Fielding (editor)
5691   Adobe Systems Incorporated
5692   345 Park Ave
5693   San Jose, CA  95110
5694   USA
5695
5696   EMail: fielding@gbiv.com
5697   URI:   http://roy.gbiv.com/
5698
5699
5700
5701
5702
5703
5704
5705
5706
5707
5708
5709
5710
5711Fielding & Reschke       Expires March 29, 2014               [Page 102]
5712
5713Internet-Draft       HTTP/1.1 Semantics and Content       September 2013
5714
5715
5716   Julian F. Reschke (editor)
5717   greenbytes GmbH
5718   Hafenweg 16
5719   Muenster, NW  48155
5720   Germany
5721
5722   EMail: julian.reschke@greenbytes.de
5723   URI:   http://greenbytes.de/tech/webdav/
5724
5725
5726
5727
5728
5729
5730
5731
5732
5733
5734
5735
5736
5737
5738
5739
5740
5741
5742
5743
5744
5745
5746
5747
5748
5749
5750
5751
5752
5753
5754
5755
5756
5757
5758
5759
5760
5761
5762
5763
5764
5765
5766
5767Fielding & Reschke       Expires March 29, 2014               [Page 103]
5768
Note: See TracBrowser for help on using the repository browser.