Context Navigation

← Previous Change
Next Change →

p2-semantics.html

Timestamp:

Dec 31, 2012, 2:51:33 AM (7 years ago)

Author:

fielding@…

Message:

update the description of Referer to current practice and actual security concerns

File:

: 1 edited

draft-ietf-httpbis/latest/p2-semantics.html (modified) (13 diffs)

Legend:

: Unmodified
: Added
: Removed

draft-ietf-httpbis/latest/p2-semantics.html

-                      r2071
+                      r2072
+  }
   @bottom-center {
        content: "Expires July 3, 2013";
+       content: "Expires July 4, 2013";
+  }
   @bottom-right {
 …
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p2-semantics-latest">
       <meta name="dct.issued" scheme="ISO8601" content="2012-12-30">
+      <meta name="dct.issued" scheme="ISO8601" content="2012-12-31">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header fields, along with the payload of messages (metadata and body content) and mechanisms for content negotiation.">
 …
             <tr>
                <td class="left">Intended status: Standards Track</td>
                <td class="right">December 30, 2012</td>
+               <td class="right">December 31, 2012</td>
             </tr>
             <tr>
                <td class="left">Expires: July 3, 2013</td>
+               <td class="left">Expires: July 4, 2013</td>
                <td class="right"></td>
             </tr>
 …
          in progress”.
       </p>
       <p>This Internet-Draft will expire on July 3, 2013.</p>
+      <p>This Internet-Draft will expire on July 4, 2013.</p>
       <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
       <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
 …
          in <a href="p1-messaging.html#uri" title="Uniform Resource Identifiers">Section 2.7</a> of <a href="#Part1" id="rfc.xref.Part1.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>.
       </p>
       <p id="rfc.section.2.p.2">When a client constructs an HTTP/1.1 request message, it sends the "target URI" in one of various forms, as defined in (<a href="p1-messaging.html#request-target" title="Request Target">Section 5.3</a> of <a href="#Part1" id="rfc.xref.Part1.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). When a request is received, the server reconstructs an "effective request URI" for the target resource (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>).
+      <p id="rfc.section.2.p.2">When a client constructs an HTTP/1.1 request message, it sends the <a href="p1-messaging.html#target-resource" class="smpl">target URI</a> in one of various forms, as defined in (<a href="p1-messaging.html#request-target" title="Request Target">Section 5.3</a> of <a href="#Part1" id="rfc.xref.Part1.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). When a request is received, the server reconstructs an <a href="p1-messaging.html#effective.request.uri" class="smpl">effective request URI</a> for the target resource (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>).
       </p>
       <p id="rfc.section.2.p.3">One design goal of HTTP is to separate resource identification from request semantics, which is made possible by vesting the
 …
   <a href="#header.accept" class="smpl">accept-ext</a>     = <a href="#imported.abnf" class="smpl">OWS</a> ";" <a href="#imported.abnf" class="smpl">OWS</a> <a href="#imported.abnf" class="smpl">token</a> [ "=" <a href="#imported.abnf" class="smpl">word</a> ]
 </pre><p id="rfc.section.5.3.2.p.3">The asterisk "*" character is used to group media types into ranges, with "*/*" indicating all media types and "type/*" indicating
+         all subtypes of that type. The media-range <em class="bcp14">MAY</em> include media type parameters that are applicable to that range.
+      </p>
+      <p id="rfc.section.5.3.2.p.4">Each media-range <em class="bcp14">MAY</em> be followed by one or more accept-params, beginning with the "q" parameter for indicating a relative weight, as defined in <a href="#quality.values" title="Quality Values">Section&nbsp;5.3.1</a>. The first "q" parameter (if any) separates the media-range parameter(s) from the accept-params.
+         all subtypes of that type. The media-range can include media type parameters that are applicable to that range.
+      </p>
+      <p id="rfc.section.5.3.2.p.4">Each media-range might be followed by zero or more applicable media type parameters (e.g., <a href="#charset" class="smpl">charset</a>), an optional "q" parameter for indicating a relative weight (<a href="#quality.values" title="Quality Values">Section&nbsp;5.3.1</a>), and then zero or more extension parameters. The "q" parameter is necessary if any accept-ext are present, since it acts
+         as a separator between the two parameter sets.
       </p>
       <div class="note" id="rfc.section.5.3.2.p.5">
 …
       <div id="rfc.iref.r.2"></div>
       <h3 id="rfc.section.5.5.2"><a href="#rfc.section.5.5.2">5.5.2</a>&nbsp;<a id="header.referer" href="#header.referer">Referer</a></h3>
+      <p id="rfc.section.5.5.2.p.1">The "Referer" [sic] header field allows the client to specify the URI of the resource from which the target URI was obtained
+         (the "referrer", although the header field is misspelled.).
+      </p>
+      <p id="rfc.section.5.5.2.p.2">The Referer header field allows servers to generate lists of back-links to resources for interest, logging, optimized caching,
+         etc. It also allows obsolete or mistyped links to be traced for maintenance. Some servers use Referer as a means of controlling
+         where they allow links from (so-called "deep linking"), but legitimate requests do not always contain a Referer header field.
+      </p>
+      <p id="rfc.section.5.5.2.p.3">If the target URI was obtained from a source that does not have its own URI (e.g., input from the user keyboard), the Referer
+         field <em class="bcp14">MUST</em> either be sent with the value "about:blank", or not be sent at all. Note that this requirement does not apply to sources with
+         non-HTTP URIs (e.g., FTP).
+      <p id="rfc.section.5.5.2.p.1">The "Referer" [sic] header field allows the user agent to specify a URI reference for the resource from which the <a href="p1-messaging.html#target-resource" class="smpl">target URI</a> was obtained (i.e., the "referrer", though the field name is misspelled). A user agent <em class="bcp14">MUST</em> exclude any fragment or userinfo components <a href="#RFC3986" id="rfc.xref.RFC3986.1"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a> when generating the Referer field value.
       </p>
       <div id="rfc.figure.u.36"></div><pre class="inline"><span id="rfc.iref.g.35"></span>  <a href="#header.referer" class="smpl">Referer</a> = <a href="#imported.abnf" class="smpl">absolute-URI</a> / <a href="#imported.abnf" class="smpl">partial-URI</a>
+</pre><p id="rfc.section.5.5.2.p.5">Example:</p>
+</pre><p id="rfc.section.5.5.2.p.3">Referer allows servers to generate back-links to other resources for simple analytics, logging, optimized caching, etc. It
+         also allows obsolete or mistyped links to be found for maintenance. Some servers use Referer as a means of denying links from
+         other sites (so-called "deep linking") or restricting cross-site request forgery (CSRF), but not all requests contain a Referer
+         header field.
+      </p>
+      <p id="rfc.section.5.5.2.p.4">Example:</p>
       <div id="rfc.figure.u.37"></div><pre class="text">  Referer: http://www.example.org/hypertext/Overview.html
+</pre><p id="rfc.section.5.5.2.p.7">If the field value is a relative URI, it <em class="bcp14">SHOULD</em> be interpreted relative to the effective request URI. The URI <em class="bcp14">MUST NOT</em> include a fragment. See <a href="#encoding.sensitive.information.in.uris" title="Encoding Sensitive Information in URIs">Section&nbsp;9.4</a> for security considerations.
+</pre><p id="rfc.section.5.5.2.p.6">If the target URI was obtained from a source that does not have its own URI (e.g., input from the user keyboard, or an entry
+         within the user's bookmarks/favorites), the user agent <em class="bcp14">MUST</em> either exclude Referer or send it with a value of "about:blank".
+      </p>
+      <p id="rfc.section.5.5.2.p.7">The Referer field has the potential to reveal information about the request context or browsing history of the user, which
+         is a privacy concern if the referring resource's identifier reveals personal information (such as an account name) or a resource
+         that is supposed to be confidential (such as behind a firewall or internal to a secured service). Most general-purpose user
+         agents do not send the Referer header field when the referring resource is a local "file" or "data" URI. A user agent <em class="bcp14">SHOULD NOT</em> send a <a href="#header.referer" class="smpl">Referer</a> header field in a (non-secure) HTTP request if the referring page was received with a secure protocol. See <a href="#encoding.sensitive.information.in.uris" title="Encoding Sensitive Information in URIs">Section&nbsp;9.4</a> for additional security considerations.
+      </p>
+      <p id="rfc.section.5.5.2.p.8">Some intermediaries have been known to indiscriminately remove Referer header fields from outgoing requests. This has the
+         unfortunate side-effect of interfering with protection against CSRF attacks, which can be far more harmful to their users.
+         Intermediaries and user agent extensions that wish to limit information disclosure in Referer ought to restrict their changes
+         to specific edits, such as replacing internal domain names with pseudonyms or truncating the query and/or path components.
+         Intermediaries <em class="bcp14">SHOULD NOT</em> modify or delete the Referer field when the field value shares the same scheme and host as the request target.
       </p>
       <div id="rfc.iref.u.1"></div>
 …
       </p>
       <div id="rfc.figure.u.51"></div><pre class="inline"><span id="rfc.iref.g.56"></span>  <a href="#header.location" class="smpl">Location</a> = <a href="#imported.abnf" class="smpl">URI-reference</a>
 </pre><p id="rfc.section.7.1.2.p.3">The field value consists of a single URI-reference. When it has the form of a relative reference (<a href="#RFC3986" id="rfc.xref.RFC3986.1"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-4.2">Section 4.2</a>), the final value is computed by resolving it against the effective request URI (<a href="#RFC3986" id="rfc.xref.RFC3986.2"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-5">Section 5</a>). If the original URI, as navigated to by the user agent, contains a fragment identifier, and the Location value does not,
+</pre><p id="rfc.section.7.1.2.p.3">The field value consists of a single URI-reference. When it has the form of a relative reference (<a href="#RFC3986" id="rfc.xref.RFC3986.2"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-4.2">Section 4.2</a>), the final value is computed by resolving it against the effective request URI (<a href="#RFC3986" id="rfc.xref.RFC3986.3"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>, <a href="http://tools.ietf.org/html/rfc3986#section-5">Section 5</a>). If the original URI, as navigated to by the user agent, contains a fragment identifier, and the Location value does not,
          then the original URI's fragment identifier is appended to the Location value.
       </p>
 …
       </p>
       <h2 id="rfc.section.9.4"><a href="#rfc.section.9.4">9.4</a>&nbsp;<a id="encoding.sensitive.information.in.uris" href="#encoding.sensitive.information.in.uris">Encoding Sensitive Information in URIs</a></h2>
+      <p id="rfc.section.9.4.p.1">Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly
+         recommended that the user be able to select whether or not the <a href="#header.referer" class="smpl">Referer</a> field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively
+         enable/disable the sending of Referer and From information.
+      </p>
+      <p id="rfc.section.9.4.p.2">Clients <em class="bcp14">SHOULD NOT</em> include a <a href="#header.referer" class="smpl">Referer</a> header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
+      <p id="rfc.section.9.4.p.1">URIs are intended to be shared, not secured, even when they identify secure resources. URIs are often shown on displays, added
+         to templates when a page is printed, and stored in a variety of unprotected bookmark lists. It is therefore unwise to include
+         information within a URI that is sensitive, personally identifiable, or a risk to disclose.
+      </p>
+      <p id="rfc.section.9.4.p.2">Since the Referer header field tells a target site about the context that resulted in a request, it has the potential to reveal
+         information about the user's immediate browsing history and any personal information that might be found in the referring
+         resource's URI. Further discussion of Referer considerations can be found in <a href="#header.referer" id="rfc.xref.header.referer.3" title="Referer">Section&nbsp;5.5.2</a>.
       </p>
       <p id="rfc.section.9.4.p.3">Authors of services <em class="bcp14">SHOULD NOT</em> use GET-based forms for the submission of sensitive data because that data will be placed in the request-target. Many existing
          servers, proxies, and user agents log or display the request-target in places where it might be visible to third parties.
          Such services can use POST-based form submission instead.
+         Such services ought to use POST-based form submission instead.
       </p>
       <h2 id="rfc.section.9.5"><a href="#rfc.section.9.5">9.5</a>&nbsp;<a id="location.spoofing-leakage" href="#location.spoofing-leakage">Location Header Fields: Spoofing and Information Leakage</a></h2>
 …
       <p id="rfc.section.C.p.16">Requirements for sending the Date header field have been clarified. (<a href="#header.date" id="rfc.xref.header.date.4" title="Date">Section&nbsp;7.1.1.2</a>)
       </p>
       <p id="rfc.section.C.p.17">The <a href="#header.referer" class="smpl">Referer</a> header field can now have a value of "about:blank" as an alternative to not sending a Referer header field. (<a href="#header.referer" id="rfc.xref.header.referer.3" title="Referer">Section&nbsp;5.5.2</a>)
+      <p id="rfc.section.C.p.17">The <a href="#header.referer" class="smpl">Referer</a> header field can now have a value of "about:blank" as an alternative to not sending a Referer header field. (<a href="#header.referer" id="rfc.xref.header.referer.4" title="Referer">Section&nbsp;5.5.2</a>)
       </p>
       <p id="rfc.section.C.p.18">The <a href="#status.201" class="smpl">201 (Created)</a> status code can indicate that more than one resource has been created (as well as just one).
 …
             </li>
             <li><a id="rfc.index.R" href="#rfc.index.R"><b>R</b></a><ul>
                   <li>Referer header field&nbsp;&nbsp;<a href="#rfc.xref.header.referer.1">5.5</a>, <a href="#rfc.iref.r.2"><b>5.5.2</b></a>, <a href="#rfc.xref.header.referer.2">8.3.2</a>, <a href="#rfc.xref.header.referer.3">C</a></li>
+                  <li>Referer header field&nbsp;&nbsp;<a href="#rfc.xref.header.referer.1">5.5</a>, <a href="#rfc.iref.r.2"><b>5.5.2</b></a>, <a href="#rfc.xref.header.referer.2">8.3.2</a>, <a href="#rfc.xref.header.referer.3">9.4</a>, <a href="#rfc.xref.header.referer.4">C</a></li>
                   <li>representation&nbsp;&nbsp;<a href="#rfc.iref.r.1">3</a></li>
                   <li><em>REST</em>&nbsp;&nbsp;<a href="#rfc.xref.REST.1">3</a>, <a href="#rfc.xref.REST.2">4.1</a>, <a href="#REST"><b>11.2</b></a></li>
 …
                   </li>
                   <li><em>RFC2978</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC2978.1">3.1.1.2</a>, <a href="#RFC2978"><b>11.2</b></a></li>
                   <li><em>RFC3986</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.1">7.1.2</a>, <a href="#rfc.xref.RFC3986.2">7.1.2</a>, <a href="#RFC3986"><b>11.1</b></a><ul>
                         <li><em>Section 4.2</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.1">7.1.2</a></li>
                         <li><em>Section 5</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.2">7.1.2</a></li>
+                  <li><em>RFC3986</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.1">5.5.2</a>, <a href="#rfc.xref.RFC3986.2">7.1.2</a>, <a href="#rfc.xref.RFC3986.3">7.1.2</a>, <a href="#RFC3986"><b>11.1</b></a><ul>
+                        <li><em>Section 4.2</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.2">7.1.2</a></li>
+                        <li><em>Section 5</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.3">7.1.2</a></li>
                      </ul>
                   </li>
 …
             </li>
             <li><a id="rfc.index.T" href="#rfc.index.T"><b>T</b></a><ul>
                   <li>TRACE method&nbsp;&nbsp;<a href="#rfc.xref.TRACE.1">4.1</a>, <a href="#rfc.iref.t.1"><b>4.3.8</b></a>, <a href="#rfc.xref.TRACE.2">5.1.1</a>, <a href="#rfc.xref.TRACE.3">8.1.3</a>, <a href="#rfc.xref.TRACE.4">9.3</a>, <a href="#rfc.extref.t.48">C</a>, <a href="#rfc.xref.TRACE.5">C</a></li>
+                  <li>TRACE method&nbsp;&nbsp;<a href="#rfc.xref.TRACE.1">4.1</a>, <a href="#rfc.iref.t.1"><b>4.3.8</b></a>, <a href="#rfc.xref.TRACE.2">5.1.1</a>, <a href="#rfc.xref.TRACE.3">8.1.3</a>, <a href="#rfc.xref.TRACE.4">9.3</a>, <a href="#rfc.extref.t.50">C</a>, <a href="#rfc.xref.TRACE.5">C</a></li>
                </ul>
             </li>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 2072 for draft-ietf-httpbis/latest/p2-semantics.html

Legend:

draft-ietf-httpbis/latest/p2-semantics.html

Download in other formats: