Changeset 2071 for draft-ietf-httpbis/latest/p2-semantics.html

Timestamp:

31/12/12 06:09:31 (8 years ago)

Author:

fielding@…

Message:

add Darwinian requirements to TRACE; fix several more cases of include being used instead of send

File:

• draft-ietf-httpbis/latest/p2-semantics.html (modified) (12 diffs)

draft-ietf-httpbis/latest/p2-semantics.html

@@ -960 +960 @@
       </p>
       <div id="rfc.figure.u.6"></div><pre class="text">  Content-Type: text/html; charset=ISO-8859-4
-</pre><p id="rfc.section.3.1.1.5.p.5">A sender <em class="bcp14">SHOULD</em> include a Content-Type header field in a message containing a payload body, defining the media type of the enclosed representation,
-         unless the intended media type is unknown to the sender. If a Content-Type header field is not present, recipients <em class="bcp14">MAY</em> either assume a media type of "application/octet-stream" (<a href="#RFC2046" id="rfc.xref.RFC2046.3"><cite title="Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types">[RFC2046]</cite></a>, <a href="http://tools.ietf.org/html/rfc2046#section-4.5.1">Section 4.5.1</a>) or examine the representation data to determine its type.
+</pre><p id="rfc.section.3.1.1.5.p.5">A sender that generates a message containing a payload body <em class="bcp14">SHOULD</em> generate a Content-Type header field in that message unless the intended media type of the enclosed representation is unknown
+         to the sender. If a Content-Type header field is not present, recipients <em class="bcp14">MAY</em> either assume a media type of "application/octet-stream" (<a href="#RFC2046" id="rfc.xref.RFC2046.3"><cite title="Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types">[RFC2046]</cite></a>, <a href="http://tools.ietf.org/html/rfc2046#section-4.5.1">Section 4.5.1</a>) or examine the representation data to determine its type.
       </p>
       <p id="rfc.section.3.1.1.5.p.6">In practice, resource owners do not always properly configure their origin server to provide the correct Content-Type for
@@ -1591 +1591 @@
       <h3 id="rfc.section.4.3.8"><a href="#rfc.section.4.3.8">4.3.8</a>&nbsp;<a id="TRACE" href="#TRACE">TRACE</a></h3>
       <div id="rfc.iref.t.1"></div>
-      <p id="rfc.section.4.3.8.p.1">The TRACE method requests a remote, application-level loop-back of the request message. The final recipient of the request <em class="bcp14">SHOULD</em> reflect the message received back to the client as the message body of a <a href="#status.200" class="smpl">200 (OK)</a> response. The final recipient is either the origin server or the first proxy to receive a <a href="#header.max-forwards" class="smpl">Max-Forwards</a> value of zero (0) in the request (see <a href="#header.max-forwards" id="rfc.xref.header.max-forwards.2" title="Max-Forwards">Section&nbsp;5.1.1</a>). A TRACE request <em class="bcp14">MUST NOT</em> include a message body.
-      </p>
-      <p id="rfc.section.4.3.8.p.2">TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing
-         or diagnostic information. The value of the <a href="p1-messaging.html#header.via" class="smpl">Via</a> header field (<a href="p1-messaging.html#header.via" title="Via">Section 5.7.1</a> of <a href="#Part1" id="rfc.xref.Part1.17"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>) is of particular interest, since it acts as a trace of the request chain. Use of the <a href="#header.max-forwards" class="smpl">Max-Forwards</a> header field allows the client to limit the length of the request chain, which is useful for testing a chain of proxies forwarding
+      <p id="rfc.section.4.3.8.p.1">The TRACE method requests a remote, application-level loop-back of the request message. The final recipient of the request <em class="bcp14">SHOULD</em> reflect the message received, excluding some fields described below, back to the client as the message body of a <a href="#status.200" class="smpl">200 (OK)</a> response with a <a href="#header.content-type" class="smpl">Content-Type</a> of "message/http" (<a href="p1-messaging.html#internet.media.type.message.http" title="Internet Media Type message/http">Section 7.3.1</a> of <a href="#Part1" id="rfc.xref.Part1.17"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). The final recipient is either the origin server or the first server to receive a <a href="#header.max-forwards" class="smpl">Max-Forwards</a> value of zero (0) in the request (<a href="#header.max-forwards" id="rfc.xref.header.max-forwards.2" title="Max-Forwards">Section&nbsp;5.1.1</a>).
+      </p>
+      <p id="rfc.section.4.3.8.p.2">A client <em class="bcp14">MUST NOT</em> send a message body in a TRACE request.
+      </p>
+      <p id="rfc.section.4.3.8.p.3">A client <em class="bcp14">MUST NOT</em> send header fields in a TRACE request containing sensitive data that might be disclosed by the response. For example, it would
+         be foolish for a user agent to send stored user credentials <a href="#Part7" id="rfc.xref.Part7.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a> or cookies <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> in a TRACE request. The final recipient <em class="bcp14">SHOULD</em> exclude any request header fields from the response body that are likely to contain sensitive data.
+      </p>
+      <p id="rfc.section.4.3.8.p.4">TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing
+         or diagnostic information. The value of the <a href="p1-messaging.html#header.via" class="smpl">Via</a> header field (<a href="p1-messaging.html#header.via" title="Via">Section 5.7.1</a> of <a href="#Part1" id="rfc.xref.Part1.18"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>) is of particular interest, since it acts as a trace of the request chain. Use of the <a href="#header.max-forwards" class="smpl">Max-Forwards</a> header field allows the client to limit the length of the request chain, which is useful for testing a chain of proxies forwarding
          messages in an infinite loop.
       </p>
-      <p id="rfc.section.4.3.8.p.3">If the request is valid, the response <em class="bcp14">SHOULD</em> have a <a href="#header.content-type" class="smpl">Content-Type</a> of "message/http" (see <a href="p1-messaging.html#internet.media.type.message.http" title="Internet Media Type message/http">Section 7.3.1</a> of <a href="#Part1" id="rfc.xref.Part1.18"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>) and contain a message body that encloses a copy of the entire request message. Responses to the TRACE method are not cacheable.
-      </p>
+      <p id="rfc.section.4.3.8.p.5">Responses to the TRACE method are not cacheable.</p>
       <h1 id="rfc.section.5"><a href="#rfc.section.5">5.</a>&nbsp;<a id="request.header.fields" href="#request.header.fields">Request Header Fields</a></h1>
       <p id="rfc.section.5.p.1">A client sends request header fields to provide more information about the request context, make the request conditional based
@@ -2006 +2010 @@
                <tr>
                   <td class="left">Authorization</td>
-                  <td class="left"><a href="p7-auth.html#header.authorization" title="Authorization">Section 4.1</a> of <a href="#Part7" id="rfc.xref.Part7.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
+                  <td class="left"><a href="p7-auth.html#header.authorization" title="Authorization">Section 4.1</a> of <a href="#Part7" id="rfc.xref.Part7.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
                </tr>
                <tr>
                   <td class="left">Proxy-Authorization</td>
-                  <td class="left"><a href="p7-auth.html#header.proxy-authorization" title="Proxy-Authorization">Section 4.3</a> of <a href="#Part7" id="rfc.xref.Part7.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
+                  <td class="left"><a href="p7-auth.html#header.proxy-authorization" title="Proxy-Authorization">Section 4.3</a> of <a href="#Part7" id="rfc.xref.Part7.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
                </tr>
             </tbody>
@@ -2133 +2137 @@
       </ul>
       <h2 id="rfc.section.6.1"><a href="#rfc.section.6.1">6.1</a>&nbsp;<a id="overview.of.status.codes" href="#overview.of.status.codes">Overview of Status Codes</a></h2>
-      <p id="rfc.section.6.1.p.1">The status codes listed below are defined in this specification, <a href="p4-conditional.html#status.code.definitions" title="Status Code Definitions">Section 4</a> of <a href="#Part4" id="rfc.xref.Part4.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>, <a href="p5-range.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part5" id="rfc.xref.Part5.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>, and <a href="p7-auth.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part7" id="rfc.xref.Part7.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a>. The reason phrases listed here are only recommendations — they can be replaced by local equivalents without affecting the
+      <p id="rfc.section.6.1.p.1">The status codes listed below are defined in this specification, <a href="p4-conditional.html#status.code.definitions" title="Status Code Definitions">Section 4</a> of <a href="#Part4" id="rfc.xref.Part4.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>, <a href="p5-range.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part5" id="rfc.xref.Part5.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>, and <a href="p7-auth.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part7" id="rfc.xref.Part7.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a>. The reason phrases listed here are only recommendations — they can be replaced by local equivalents without affecting the
          protocol.
       </p>
@@ -2234 +2238 @@
                   <td class="left">401</td>
                   <td class="left">Unauthorized</td>
-                  <td id="status.401" class="left"><a href="p7-auth.html#status.401" title="401 Unauthorized">Section 3.1</a> of <a href="#Part7" id="rfc.xref.Part7.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
+                  <td id="status.401" class="left"><a href="p7-auth.html#status.401" title="401 Unauthorized">Section 3.1</a> of <a href="#Part7" id="rfc.xref.Part7.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
                </tr>
                <tr>
@@ -2264 +2268 @@
                   <td class="left">407</td>
                   <td class="left">Proxy Authentication Required</td>
-                  <td id="status.407" class="left"><a href="p7-auth.html#status.407" title="407 Proxy Authentication Required">Section 3.2</a> of <a href="#Part7" id="rfc.xref.Part7.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
+                  <td id="status.407" class="left"><a href="p7-auth.html#status.407" title="407 Proxy Authentication Required">Section 3.2</a> of <a href="#Part7" id="rfc.xref.Part7.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
                </tr>
                <tr>
@@ -3030 +3034 @@
                <tr>
                   <td class="left">WWW-Authenticate</td>
-                  <td class="left"><a href="p7-auth.html#header.www-authenticate" title="WWW-Authenticate">Section 4.4</a> of <a href="#Part7" id="rfc.xref.Part7.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
+                  <td class="left"><a href="p7-auth.html#header.www-authenticate" title="WWW-Authenticate">Section 4.4</a> of <a href="#Part7" id="rfc.xref.Part7.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
                </tr>
                <tr>
                   <td class="left">Proxy-Authenticate</td>
-                  <td class="left"><a href="p7-auth.html#header.proxy-authenticate" title="Proxy-Authenticate">Section 4.2</a> of <a href="#Part7" id="rfc.xref.Part7.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
+                  <td class="left"><a href="p7-auth.html#header.proxy-authenticate" title="Proxy-Authenticate">Section 4.2</a> of <a href="#Part7" id="rfc.xref.Part7.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a></td>
                </tr>
             </tbody>
@@ -3928 +3932 @@
       <h2 id="rfc.references.2"><a href="#rfc.section.11.2" id="rfc.section.11.2">11.2</a> Informative References
       </h2>
-      <table>                                          
+      <table>                                            
          <tr>
             <td class="reference"><b id="BCP13">[BCP13]</b></td>
@@ -4022 +4026 @@
             <td class="reference"><b id="RFC6151">[RFC6151]</b></td>
             <td class="top">Turner, S. and L. Chen, “<a href="http://tools.ietf.org/html/rfc6151">Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms</a>”, RFC&nbsp;6151, March&nbsp;2011.
+            </td>
+         </tr>
+         <tr>
+            <td class="reference"><b id="RFC6265">[RFC6265]</b></td>
+            <td class="top"><a href="mailto:abarth@eecs.berkeley.edu" title="&#xA;        University of California, Berkeley&#xA;      ">Barth, A.</a>, “<a href="http://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a>”, RFC&nbsp;6265, April&nbsp;2011.
             </td>
          </tr>
@@ -4586 +4595 @@
                         <li><em>Section 5.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.19">5.1</a></li>
                         <li><em>Section 5.5</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.6">2</a>, <a href="#rfc.xref.Part1.11">3.1.4.1</a>, <a href="#rfc.xref.Part1.12">3.1.4.2</a></li>
-                        <li><em>Section 5.7.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.17">4.3.8</a>, <a href="#rfc.xref.Part1.44">C</a></li>
+                        <li><em>Section 5.7.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.18">4.3.8</a>, <a href="#rfc.xref.Part1.44">C</a></li>
                         <li><em>Section 5.7.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.23">6.3.4</a></li>
                         <li><em>Section 6.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.24">6.5.7</a>, <a href="#rfc.xref.Part1.35">8.3.1</a></li>
                         <li><em>Section 6.7</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.22">6.2.2</a>, <a href="#rfc.xref.Part1.27">6.5.15</a></li>
-                        <li><em>Section 7.3.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.18">4.3.8</a></li>
+                        <li><em>Section 7.3.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.17">4.3.8</a></li>
                         <li><em>Section 9</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.43">10</a></li>
                         <li><em>Appendix B</em>&nbsp;&nbsp;<a href="#rfc.xref.Part1.32">8.3.1</a></li>
@@ -4628 +4637 @@
                      </ul>
                   </li>
-                  <li><em>Part7</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.1">5.4</a>, <a href="#rfc.xref.Part7.2">5.4</a>, <a href="#rfc.xref.Part7.3">6.1</a>, <a href="#rfc.xref.Part7.4">6.1</a>, <a href="#rfc.xref.Part7.5">6.1</a>, <a href="#rfc.xref.Part7.6">7.3</a>, <a href="#rfc.xref.Part7.7">7.3</a>, <a href="#Part7"><b>11.1</b></a><ul>
-                        <li><em>Section 3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.3">6.1</a></li>
-                        <li><em>Section 3.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.4">6.1</a></li>
-                        <li><em>Section 3.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.5">6.1</a></li>
-                        <li><em>Section 4.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.1">5.4</a></li>
-                        <li><em>Section 4.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.7">7.3</a></li>
-                        <li><em>Section 4.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.2">5.4</a></li>
-                        <li><em>Section 4.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.6">7.3</a></li>
+                  <li><em>Part7</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.1">4.3.8</a>, <a href="#rfc.xref.Part7.2">5.4</a>, <a href="#rfc.xref.Part7.3">5.4</a>, <a href="#rfc.xref.Part7.4">6.1</a>, <a href="#rfc.xref.Part7.5">6.1</a>, <a href="#rfc.xref.Part7.6">6.1</a>, <a href="#rfc.xref.Part7.7">7.3</a>, <a href="#rfc.xref.Part7.8">7.3</a>, <a href="#Part7"><b>11.1</b></a><ul>
+                        <li><em>Section 3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.4">6.1</a></li>
+                        <li><em>Section 3.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.5">6.1</a></li>
+                        <li><em>Section 3.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.6">6.1</a></li>
+                        <li><em>Section 4.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.2">5.4</a></li>
+                        <li><em>Section 4.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.8">7.3</a></li>
+                        <li><em>Section 4.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.3">5.4</a></li>
+                        <li><em>Section 4.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part7.7">7.3</a></li>
                      </ul>
                   </li>
@@ -4725 +4734 @@
                   <li><em>RFC5987</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC5987.1">8.3.1</a>, <a href="#RFC5987"><b>11.2</b></a></li>
                   <li><em>RFC6151</em>&nbsp;&nbsp;<a href="#RFC6151"><b>11.2</b></a>, <a href="#rfc.xref.RFC6151.1">C</a></li>
+                  <li><em>RFC6265</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC6265.1">4.3.8</a>, <a href="#RFC6265"><b>11.2</b></a></li>
                   <li><em>RFC6266</em>&nbsp;&nbsp;<a href="#RFC6266"><b>11.2</b></a>, <a href="#rfc.xref.RFC6266.1">B</a>, <a href="#rfc.xref.RFC6266.2">C</a></li>
                   <li><em>RFC6365</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC6365.1">1.2</a>, <a href="#rfc.xref.RFC6365.2">3.1.1.2</a>, <a href="#RFC6365"><b>11.1</b></a></li>