| 1 | <!DOCTYPE html
|
|---|
| 2 | PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
|---|
| 3 | <html xmlns="http://www.w3.org/1999/xhtml">
|
|---|
| 4 | <head>
|
|---|
| 5 | <title>IETF 78 - HTTPbis vs Content-Disposition</title>
|
|---|
| 6 | <style type="text/css">
|
|---|
| 7 | body {
|
|---|
| 8 | color: black;
|
|---|
| 9 | font-family: verdana, helvetica, arial, sans-serif;
|
|---|
| 10 | font-size: 18pt;
|
|---|
| 11 | }
|
|---|
| 12 | h1 {
|
|---|
| 13 | font-size: 36pt;
|
|---|
| 14 | }
|
|---|
| 15 | li {
|
|---|
| 16 | margin-top: 0.5em;
|
|---|
| 17 | }
|
|---|
| 18 | q {
|
|---|
| 19 | font-style: italic;
|
|---|
| 20 | }
|
|---|
| 21 | .break {
|
|---|
| 22 | page-break-before: always;
|
|---|
| 23 | }
|
|---|
| 24 | @page {
|
|---|
| 25 | size: a4 landscape;
|
|---|
| 26 | }
|
|---|
| 27 | @page {
|
|---|
| 28 | @bottom-left {
|
|---|
| 29 | content: "Julian Reschke, greenbytes";
|
|---|
| 30 | }
|
|---|
| 31 | @bottom-right {
|
|---|
| 32 | content: counter(page);
|
|---|
| 33 | }
|
|---|
| 34 | @top-center {
|
|---|
| 35 | content: "IETF 78 - HTTPbis vs Content-Disposition";
|
|---|
| 36 | }
|
|---|
| 37 | }
|
|---|
| 38 | </style>
|
|---|
| 39 | </head>
|
|---|
| 40 | <body>
|
|---|
| 41 | <h1>IETF 78 - HTTPbis vs Content-Disposition</h1>
|
|---|
| 42 | <p>
|
|---|
| 43 | <a href="mailto:julian.reschke@greenbytes.de">Julian Reschke</a>, greenbytes
|
|---|
| 44 | </p>
|
|---|
| 45 |
|
|---|
| 46 | <h2 class="break">Problem Statement (1/2)</h2>
|
|---|
| 47 | <ul>
|
|---|
| 48 | <li>RFC2616 includes "Content-Disposition" (<a href="http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.19.5.1">RFC 2616, Section 19.5.1)</a>,
|
|---|
| 49 | but also says:
|
|---|
| 50 | <br />
|
|---|
| 51 | <q>RFC 1806 [35], from which the often implemented Content-Disposition (see Appendix 19.5.1) header field in HTTP is derived, has a number of very serious security considerations. Content-Disposition is not part of the HTTP standard, but since it is widely implemented, we are documenting its use and risks for implementers.</q>
|
|---|
| 52 | (<a href="http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.15.5">RFC2616, Section 15.5</a>)
|
|---|
| 53 | </li>
|
|---|
| 54 | <li>
|
|---|
| 55 | Refers to RFC 1806 (definition of Content-Disposition), obsoleted by RFC 2183.
|
|---|
| 56 | </li>
|
|---|
| 57 | <li>
|
|---|
| 58 | I18N for Content-Disposition (filename) relies on on MIME specs RFC 2047, augmented RFC 2184,
|
|---|
| 59 | which itself was obsoleted by RFC 2231 ('MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations').
|
|---|
| 60 | </li>
|
|---|
| 61 | </ul>
|
|---|
| 62 |
|
|---|
| 63 | <h2 class="break">Problem Statement (2/2)</h2>
|
|---|
| 64 | <ul>
|
|---|
| 65 | <li>RFC 2183 did not state that it obsoleted RFC 1806, making it hard to find the
|
|---|
| 66 | up-to-date spec (fixed in RFC Index in the meantime)</li>
|
|---|
| 67 | <li>RFC 2231 specifies many features that are not needed in HTTP, but also
|
|---|
| 68 | fails to REQUIRE common character sets for interoperability</li>
|
|---|
| 69 | <li>Interoperability suffers from all of this, see test cases at
|
|---|
| 70 | <a href="http://greenbytes.de/tech/tc2231/">http://greenbytes.de/tech/tc2231/</a> --
|
|---|
| 71 | Firefox, Konqueror and Opera are fine, the other UAs do not support the I18N extensions
|
|---|
| 72 | defined in RFC 2231.
|
|---|
| 73 | </li>
|
|---|
| 74 | </ul>
|
|---|
| 75 |
|
|---|
| 76 | <h2 class="break">Broken Record Warning</h2>
|
|---|
| 77 | <p>
|
|---|
| 78 | Yes, you have seen this before, but there is progress being made!
|
|---|
| 79 | </p>
|
|---|
| 80 |
|
|---|
| 81 | <h2 class="break">Current Status</h2>
|
|---|
| 82 | <ul>
|
|---|
| 83 | <li>
|
|---|
| 84 | Profile RFC 2231 for use in HTTP (remove ambiguities, fix grammar,
|
|---|
| 85 | remove unneeded features, require a common character set:
|
|---|
| 86 | <a href="http://greenbytes.de/tech/webdav/draft-reschke-rfc2231-in-http-12.html">draft-reschke-rfc2231-in-http-12</a>).
|
|---|
| 87 | <br/>
|
|---|
| 88 | <small>(Note: does not normatively refer to RFC 2231 so it can evolve independently)</small>
|
|---|
| 89 | <br/>
|
|---|
| 90 | <em><b>Approved by IESG on the Standards Track in April, to be published as RFC very soon.</b></em>
|
|---|
| 91 | </li>
|
|---|
| 92 | <li>
|
|---|
| 93 | Profile makes it easier for new HTTP header field definitions to "opt in"
|
|---|
| 94 | (HTTP Link Header field / Web Linking specification, also in the RFC Editor queue, does this)
|
|---|
| 95 | </li>
|
|---|
| 96 | </ul>
|
|---|
| 97 |
|
|---|
| 98 | <h2 class="break">Work Left To Do</h2>
|
|---|
| 99 | <ul>
|
|---|
| 100 | <li>Remove from HTTPbis (discussed during IETF-72 in Dublin)</li>
|
|---|
| 101 | <li>Move actual definition of Content-Disposition as HTTP header field into
|
|---|
| 102 | a separate specification (work has started with
|
|---|
| 103 | <a href="http://greenbytes.de/tech/webdav/draft-reschke-rfc2183-in-http-00.html">draft-reschke-rfc2183-in-http-00</a>)
|
|---|
| 104 | <br />
|
|---|
| 105 | <em><b>Volunteers for helping this getting done appreciated.</b></em>
|
|---|
| 106 | </li>
|
|---|
| 107 | <li>
|
|---|
| 108 | Mention the profile in a yet to be written section about defining new
|
|---|
| 109 | HTTP headers.
|
|---|
| 110 | </li>
|
|---|
| 111 | </ul>
|
|---|
| 112 |
|
|---|
| 113 | </body>
|
|---|
| 114 | </html>
|
|---|
![(please configure the [header_logo] section in trac.ini)](https://www.ietf.org/images/ietflogotrans.gif)
