Ignore:
Timestamp:
Feb 16, 2012, 2:26:09 PM (8 years ago)
Author:
julian.reschke@…
Message:

Location header field: define header field recombination in presence of fragment identifiers, mention security impact, rephrase main definition (see #295)

File:
1 edited

Legend:

Unmodified
Added
Removed
  • draft-ietf-httpbis/latest/p2-semantics.html

    r1534 r1536  
    460460  }
    461461  @bottom-center {
    462        content: "Expires August 11, 2012";
     462       content: "Expires August 19, 2012";
    463463  }
    464464  @bottom-right {
     
    512512      <meta name="dct.creator" content="Reschke, J. F.">
    513513      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p2-semantics-latest">
    514       <meta name="dct.issued" scheme="ISO8601" content="2012-02-08">
     514      <meta name="dct.issued" scheme="ISO8601" content="2012-02-16">
    515515      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    516516      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 2 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 2 defines the semantics of HTTP messages as expressed by request methods, request header fields, response status codes, and response header fields.">
     
    543543            </tr>
    544544            <tr>
    545                <td class="left">Expires: August 11, 2012</td>
     545               <td class="left">Expires: August 19, 2012</td>
    546546               <td class="right">HP</td>
    547547            </tr>
     
    596596            <tr>
    597597               <td class="left"></td>
    598                <td class="right">February 8, 2012</td>
     598               <td class="right">February 16, 2012</td>
    599599            </tr>
    600600         </tbody>
     
    626626         in progress”.
    627627      </p>
    628       <p>This Internet-Draft will expire on August 11, 2012.</p>
     628      <p>This Internet-Draft will expire on August 19, 2012.</p>
    629629      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
    630630      <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
     
    775775               <li>11.1&nbsp;&nbsp;&nbsp;<a href="#security.sensitive">Transfer of Sensitive Information</a></li>
    776776               <li>11.2&nbsp;&nbsp;&nbsp;<a href="#encoding.sensitive.information.in.uris">Encoding Sensitive Information in URIs</a></li>
    777                <li>11.3&nbsp;&nbsp;&nbsp;<a href="#location.spoofing">Location Headers and Spoofing</a></li>
     777               <li>11.3&nbsp;&nbsp;&nbsp;<a href="#location.spoofing-leakage">Location Header Fields: Spoofing and Information Leakage</a></li>
    778778               <li>11.4&nbsp;&nbsp;&nbsp;<a href="#rfc.section.11.4">Security Considerations for CONNECT</a></li>
    779779            </ul>
     
    23432343      <div id="rfc.iref.h.6"></div>
    23442344      <h2 id="rfc.section.9.5"><a href="#rfc.section.9.5">9.5</a>&nbsp;<a id="header.location" href="#header.location">Location</a></h2>
    2345       <p id="rfc.section.9.5.p.1">The "Location" header field is used to identify a newly created resource, or to redirect the recipient to a different location
    2346          for completion of the request.
    2347       </p>
    2348       <p id="rfc.section.9.5.p.2">For 201 (Created) responses, the Location is the URI of the new resource which was created by the request. For 3xx responses,
     2345      <p id="rfc.section.9.5.p.1">The "Location" header field <em class="bcp14">MAY</em> be sent in responses to refer to a specific resource in accordance with the semantics of the status code.
     2346      </p>
     2347      <div id="rfc.figure.u.23"></div><pre class="inline"><span id="rfc.iref.g.30"></span>  <a href="#header.location" class="smpl">Location</a> = <a href="#abnf.dependencies" class="smpl">URI-reference</a>
     2348</pre><p id="rfc.section.9.5.p.3">For 201 (Created) responses, the Location is the URI of the new resource which was created by the request. For 3xx responses,
    23492349         the location <em class="bcp14">SHOULD</em> indicate the server's preferred URI for automatic redirection to the resource.
    23502350      </p>
    2351       <p id="rfc.section.9.5.p.3">The field value consists of a single URI-reference. When it has the form of a relative reference (<a href="#RFC3986" id="rfc.xref.RFC3986.1"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-4.2">Section 4.2</a>), the final value is computed by resolving it against the effective request URI (<a href="#RFC3986" id="rfc.xref.RFC3986.2"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-5">Section 5</a>).
    2352       </p>
    2353       <div id="rfc.figure.u.23"></div><pre class="inline"><span id="rfc.iref.g.30"></span>  <a href="#header.location" class="smpl">Location</a> = <a href="#abnf.dependencies" class="smpl">URI-reference</a>
    2354 </pre><div id="rfc.figure.u.24"></div>
    2355       <p>Examples are:</p>  <pre class="text">  Location: http://www.example.org/pub/WWW/People.html#tim
    2356 </pre><div id="rfc.figure.u.25"></div><pre class="text">  Location: /index.html
    2357 </pre><div class="note" id="rfc.section.9.5.p.7">
     2351      <p id="rfc.section.9.5.p.4">The field value consists of a single URI-reference. When it has the form of a relative reference (<a href="#RFC3986" id="rfc.xref.RFC3986.1"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-4.2">Section 4.2</a>), the final value is computed by resolving it against the effective request URI (<a href="#RFC3986" id="rfc.xref.RFC3986.2"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-5">Section 5</a>). If the original URI, as navigated to by the user agent, did contain a fragment identifier, and the final value does not,
     2352         then the original URI's fragment identifier is added to the final value.
     2353      </p>
     2354      <div id="rfc.figure.u.24"></div>
     2355      <p>For example, the original URI "http://www.example.org/~tim", combined with a field value given as:</p>  <pre class="text">  Location: /pub/WWW/People.html#tim
     2356</pre>  <p>would result in a final value of "http://www.example.org/pub/WWW/People.html#tim"</p>
     2357      <div id="rfc.figure.u.25"></div>
     2358      <p>An original URI "http://www.example.org/index.html#larry", combined with a field value given as:</p>  <pre class="text">  Location: http://www.example.net/index.html
     2359</pre>  <p>would result in a final value of "http://www.example.net/index.html#larry", preserving the original fragment identifier.</p>
     2360      <div class="note" id="rfc.section.9.5.p.7">
    23582361         <p> <b>Note:</b> Some recipients attempt to recover from Location fields that are not valid URI references. This specification does not mandate
    23592362            or define such processing, but does allow it (see <a href="#intro.conformance.and.error.handling" title="Conformance and Error Handling">Section&nbsp;1.1</a>).
     
    23642367      </p>
    23652368      <div class="note" id="rfc.section.9.5.p.9">
    2366          <p> <b>Note:</b> This specification does not define precedence rules for the case where the original URI, as navigated to by the user agent,
    2367             and the Location header field value both contain fragment identifiers. Thus be aware that including fragment identifiers might
    2368             inconvenience anyone relying on the semantics of the original URI's fragment identifier.
    2369          </p>
    2370       </div>
    2371       <div class="note" id="rfc.section.9.5.p.10">
    23722369         <p> <b>Note:</b> The Content-Location header field (<a href="p3-payload.html#header.content-location" title="Content-Location">Section 6.7</a> of <a href="#Part3" id="rfc.xref.Part3.13"><cite title="HTTP/1.1, part 3: Message Payload and Content Negotiation">[Part3]</cite></a>) differs from Location in that the Content-Location identifies the most specific resource corresponding to the enclosed representation.
    23732370            It is therefore possible for a response to contain header fields for both Location and Content-Location.
     
    29042901         Such services can use POST-based form submission instead.
    29052902      </p>
    2906       <h2 id="rfc.section.11.3"><a href="#rfc.section.11.3">11.3</a>&nbsp;<a id="location.spoofing" href="#location.spoofing">Location Headers and Spoofing</a></h2>
     2903      <h2 id="rfc.section.11.3"><a href="#rfc.section.11.3">11.3</a>&nbsp;<a id="location.spoofing-leakage" href="#location.spoofing-leakage">Location Header Fields: Spoofing and Information Leakage</a></h2>
    29072904      <p id="rfc.section.11.3.p.1">If a single server supports multiple organizations that do not trust one another, then it <em class="bcp14">MUST</em> check the values of Location and Content-Location header fields in responses that are generated under control of said organizations
    29082905         to make sure that they do not attempt to invalidate resources over which they have no authority.
     2906      </p>
     2907      <p id="rfc.section.11.3.p.2">Furthermore, appending the fragment identifier from one URI to another one obtained from a Location header field might leak
     2908         confidential information to the target server — although the fragment identifier is not transmitted in the final request,
     2909         it might be visible to the user agent through other means, such as scripting.
    29092910      </p>
    29102911      <h2 id="rfc.section.11.4"><a href="#rfc.section.11.4">11.4</a>&nbsp;Security Considerations for CONNECT
     
    34913492      <ul>
    34923493         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/238">http://tools.ietf.org/wg/httpbis/trac/ticket/238</a>&gt;: "Requirements for user intervention during redirects"
     3494         </li>
     3495         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/295">http://tools.ietf.org/wg/httpbis/trac/ticket/295</a>&gt;: "Applying original fragment to 'plain' redirected URI"
    34933496         </li>
    34943497         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/302">http://tools.ietf.org/wg/httpbis/trac/ticket/302</a>&gt;: "Misplaced text on connection handling in p2"
Note: See TracChangeset for help on using the changeset viewer.