Changeset 1579 for draft-ietf-httpbis

Timestamp:

11/03/12 05:42:53 (9 years ago)

Author:

fielding@…

Message:

Consolidate request-target under message routing. Simplify the
sections on Request Line and Status Line, since what they contain
is defined elsewhere.

Change request-target size limit to request-line size limit, since
that is how it is implemented in practice.

Add SHOULDs for error handling when the method is too long or
embedded whitespace is sent in the request-target.

Location:

draft-ietf-httpbis/latest

Files:

• p1-messaging.xml (modified) (12 diffs)
• p2-semantics.xml (modified) (1 diff)

draft-ietf-httpbis/latest/p1-messaging.xml

@@ -1119 +1119 @@
   <x:ref>request-line</x:ref>   = <x:ref>method</x:ref> <x:ref>SP</x:ref> <x:ref>request-target</x:ref> <x:ref>SP</x:ref> <x:ref>HTTP-version</x:ref> <x:ref>CRLF</x:ref>
 </artwork></figure>
-
-<section title="Method" anchor="method">
-  <x:anchor-alias value="method"/>
-<t>
+<iref primary="true" item="method"/>
+<t anchor="method">
    The method token indicates the request method to be performed on the
    target resource. The request method is case-sensitive.
@@ -1134 +1132 @@
    and considerations for defining new methods.
 </t>
-</section>
-
-<section title="Request Target" anchor="request-target">
-  <x:anchor-alias value="request-target"/>
+<iref item="request-target"/>
 <t>
    The request-target identifies the target resource upon which to apply
-   the request.  The four options for request-target are described in
-   <xref target="request-target-types"/>.
-</t>
-<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="request-target"/>
-  <x:ref>request-target</x:ref> = "*"
-                 / <x:ref>absolute-URI</x:ref>
-                 / ( <x:ref>path-absolute</x:ref> [ "?" <x:ref>query</x:ref> ] )
-                 / <x:ref>authority</x:ref>
-</artwork></figure>
-<t>
-   HTTP does not place a pre-defined limit on the length of a request-target.
+   the request, as defined in <xref target="request-target"/>.
+</t>
+<t>
+   No whitespace is allowed inside the method, request-target, and
+   protocol version.  Hence, recipients typically parse the request-line
+   into its component parts by splitting on the SP characters.
+</t>
+<t>
+   Unfortunately, some user agents fail to properly encode hypertext
+   references that have embedded whitespace, sending the characters
+   directly instead of properly percent-encoding the disallowed characters.
+   Recipients of an invalid request-line &SHOULD; respond with either a
+   400 (Bad Request) error or a 301 (Moved Permanently) redirect with the
+   request-target properly encoded.  Recipients &SHOULD-NOT; attempt to
+   autocorrect and then process the request without a redirect, since the
+   invalid request-line might be deliberately crafted to bypass
+   security filters along the request chain.
+</t>
+<t>
+   HTTP does not place a pre-defined limit on the length of a request-line.
+   A server that receives a method longer than any that it implements
+   &SHOULD; respond with either a 404 (Not Allowed), if it is an origin
+   server, or a 501 (Not Implemented) status code.
    A server &MUST; be prepared to receive URIs of unbounded length and
    respond with the 414 (URI Too Long) status code if the received
@@ -1157 +1164 @@
 </t>
 <t>
-   Various ad-hoc limitations on request-target length are found in practice.
-   It is &RECOMMENDED; that all HTTP senders and recipients support
-   request-target lengths of 8000 or more octets.
-</t>
-<x:note>
-  <t>
-    <x:h>Note:</x:h> Fragments (<xref target="RFC3986" x:fmt="," x:sec="3.5"/>)
-    are not part of the request-target and thus will not be transmitted
-    in an HTTP request.
-  </t>
-</x:note>
-</section>
-</section>
-
-<section title="Response Status Line" anchor="status.line">
+   Various ad-hoc limitations on request-line length are found in practice.
+   It is &RECOMMENDED; that all HTTP senders and recipients support, at a
+   minimum, request-line lengths of up to 8000 octets.
+</t>
+</section>
+
+<section title="Status Line" anchor="status.line">
   <x:anchor-alias value="response"/>
   <x:anchor-alias value="status-line"/>
@@ -1184 +1183 @@
 </artwork></figure>
 
-<section title="Status Code" anchor="status.code">
-  <x:anchor-alias value="status-code"/>
-<t>
+<t anchor="status-code">
    The status-code element is a 3-digit integer result code of the attempt to
    understand and satisfy the request. See &status-code-reasonphr; for
@@ -1195 +1192 @@
   <x:ref>status-code</x:ref>    = 3<x:ref>DIGIT</x:ref>
 </artwork></figure>
-</section>
-
-<section title="Reason Phrase" anchor="reason.phrase">
-  <x:anchor-alias value="reason-phrase"/>
-<t>   
+
+<t anchor="reason-phrase">   
    The reason-phrase element exists for the sole purpose of providing a
    textual description associated with the numeric status code, mostly
@@ -1209 +1203 @@
   <x:ref>reason-phrase</x:ref>  = *( <x:ref>HTAB</x:ref> / <x:ref>SP</x:ref> / <x:ref>VCHAR</x:ref> / <x:ref>obs-text</x:ref> )
 </artwork></figure>
-</section>
 </section>
 </section>
@@ -1571 +1564 @@
    The presence of a message body in a response depends on both
    the request method to which it is responding and the response
-   status code (<xref target="status.code"/>).
+   status code (<xref target="status-code"/>).
    Responses to the HEAD request method never include a message body
    because the associated response header fields (e.g., Transfer-Encoding,
@@ -2302 +2295 @@
 
 <section title="Identifying a Target Resource" anchor="target-resource">
+  <iref primary="true" item="target resource"/>
+  <iref primary="true" item="target URI"/>
 <t>
    HTTP is used in a wide variety of applications, ranging from
@@ -2317 +2312 @@
    its absolute form in order to obtain the target URI.  The target URI
    excludes the reference's fragment identifier component, if any,
-   since fragment identifiers are for client-side processing only.
+   since fragment identifiers are reserved for client-side processing
+   (<xref target="RFC3986" x:fmt="," x:sec="3.5"/>).
 </t>
 <t>
@@ -2356 +2352 @@
 </section>
 
-<section title="Types of Request Target" anchor="request-target-types">
-<t>
-   Once an inbound connection is obtained, the client sends an HTTP request
-   message (<xref target="http.message"/>) with a request-target derived from
-   the target URI.  There are four distinct formats for the request-target
-   (<xref target="request-target"/>), depending on both the method being
-   requested and whether the request is to a proxy.
+<section title="Request Target" anchor="request-target">
+<t>
+   Once an inbound connection is obtained (<xref target="connections"/>),
+   the client sends an HTTP request message (<xref target="http.message"/>)
+   with a request-target derived from the target URI.
+   There are four distinct formats for the request-target, depending on both
+   the method being requested and whether the request is to a proxy.
 </t>   
+<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="request-target"/>
+  <x:ref>request-target</x:ref> = "*"
+                 / <x:ref>absolute-URI</x:ref>
+                 / ( <x:ref>path-absolute</x:ref> [ "?" <x:ref>query</x:ref> ] )
+                 / <x:ref>authority</x:ref>
+</artwork></figure>
 <t anchor="origin-form"><iref item="origin form (of request-target)"/>
    The most common form of request-target is that used when making
@@ -2578 +2580 @@
 <section title="Effective Request URI" anchor="effective.request.uri">
   <iref primary="true" item="effective request URI"/>
-  <iref primary="true" item="target resource"/>
 <t>
    HTTP requests often do not carry the absolute URI (<xref target="RFC3986" x:fmt="," x:sec="4.3"/>)
@@ -3931 +3932 @@
 <t>
    To promote interoperability, this specification makes specific
-   recommendations for size limits on request-targets (<xref target="request-target"/>)
+   recommendations for minimum size limits on request-line
+   (<xref target="request.line"/>)
    and blocks of header fields (<xref target="header.fields"/>). These are
    minimum recommendations, chosen to be supportable even by implementations
-   with limited resources; it is expected that most implementations will choose
-   substantially higher limits.
+   with limited resources; it is expected that most implementations will
+   choose substantially higher limits.
 </t>
 <t>

draft-ietf-httpbis/latest/p2-semantics.xml

@@ -938 +938 @@
 </t>
 <t>
-   If the request-target is an asterisk ("*"), the OPTIONS request is
+   If the request-target (&request-target;) is an asterisk ("*"),
+   the OPTIONS request is
    intended to apply to the server in general rather than to a specific
    resource. Since a server's communication options typically depend on