Changeset 2396


Ignore:
Timestamp:
14/09/13 20:24:52 (7 years ago)
Author:
fielding@…
Message:

strengthen requirements on Referrer, rfc850-date, and Location fragment inheritance; addresses #475

Location:
draft-ietf-httpbis/latest
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • draft-ietf-httpbis/latest/p2-semantics.html

    r2395 r2396  
    21252125         is a privacy concern if the referring resource's identifier reveals personal information (such as an account name) or a resource
    21262126         that is supposed to be confidential (such as behind a firewall or internal to a secured service). Most general-purpose user
    2127          agents do not send the Referer header field when the referring resource is a local "file" or "data" URI. A user agent <em class="bcp14">SHOULD NOT</em> send a <a href="#header.referer" class="smpl">Referer</a> header field in an unsecured HTTP request if the referring page was received with a secure protocol. See <a href="#sensitive.information.in.uris" title="Sensitive Information in URIs">Section&nbsp;9.3</a> for additional security considerations.
     2127         agents do not send the Referer header field when the referring resource is a local "file" or "data" URI. A user agent <em class="bcp14">MUST NOT</em> send a <a href="#header.referer" class="smpl">Referer</a> header field in an unsecured HTTP request if the referring page was received with a secure protocol. See <a href="#sensitive.information.in.uris" title="Sensitive Information in URIs">Section&nbsp;9.3</a> for additional security considerations.
    21282128      </p>
    21292129      <p id="rfc.section.5.5.2.p.8">Some intermediaries have been known to indiscriminately remove Referer header fields from outgoing requests. This has the
     
    29602960</pre><p id="rfc.section.7.1.1.1.p.13">HTTP-date is case sensitive. A sender <em class="bcp14">MUST NOT</em> generate additional whitespace in an HTTP-date beyond that specifically included as SP in the grammar. The semantics of <a href="#preferred.date.format" class="smpl">day-name</a>, <a href="#preferred.date.format" class="smpl">day</a>, <a href="#preferred.date.format" class="smpl">month</a>, <a href="#preferred.date.format" class="smpl">year</a>, and <a href="#preferred.date.format" class="smpl">time-of-day</a> are the same as those defined for the Internet Message Format constructs with the corresponding name (<a href="#RFC5322" id="rfc.xref.RFC5322.5"><cite title="Internet Message Format">[RFC5322]</cite></a>, <a href="http://tools.ietf.org/html/rfc5322#section-3.3">Section 3.3</a>).
    29612961      </p>
    2962       <p id="rfc.section.7.1.1.1.p.14">Recipients of a timestamp value in rfc850-date format, which uses a two-digit year, <em class="bcp14">SHOULD</em> interpret a timestamp that appears to be more than 50 years in the future as representing the most recent year in the past
     2962      <p id="rfc.section.7.1.1.1.p.14">Recipients of a timestamp value in rfc850-date format, which uses a two-digit year, <em class="bcp14">MUST</em> interpret a timestamp that appears to be more than 50 years in the future as representing the most recent year in the past
    29632963         that had the same last two digits.
    29642964      </p>
     
    30043004      <p id="rfc.section.7.1.2.p.4">For <a href="#status.201" class="smpl">201 (Created)</a> responses, the Location value refers to the primary resource created by the request. For <a href="#status.3xx" class="smpl">3xx (Redirection)</a> responses, the Location value refers to the preferred target resource for automatically redirecting the request.
    30053005      </p>
    3006       <p id="rfc.section.7.1.2.p.5">When Location is provided in a <a href="#status.3xx" class="smpl">3xx (Redirection)</a> response and the URI reference that the user agent used to generate the request target contains a fragment identifier, the
    3007          user agent <em class="bcp14">SHOULD</em> process the redirection as if the Location field value inherits the original fragment. In other words, if the Location does
    3008          not have a fragment component, the user agent <em class="bcp14">SHOULD</em> interpret the Location reference as if it had the original reference's fragment.
     3006      <p id="rfc.section.7.1.2.p.5">If the Location value provided in a <a href="#status.3xx" class="smpl">3xx (Redirection)</a> does not have a fragment component, a user agent <em class="bcp14">MUST</em> process the redirection as if the value inherits the fragment component of the URI reference used to generate the request
     3007         target (i.e., the redirection inherits the original reference's fragment, if any).
    30093008      </p>
    30103009      <div id="rfc.figure.u.53"></div>

  • draft-ietf-httpbis/latest/p2-semantics.xml

    r2395 r2396  
    25102510   behind a firewall or internal to a secured service). Most general-purpose
    25112511   user agents do not send the Referer header field when the referring
    2512    resource is a local "file" or "data" URI. A user agent &SHOULD-NOT; send a
     2512   resource is a local "file" or "data" URI. A user agent &MUST-NOT; send a
    25132513   <x:ref>Referer</x:ref> header field in an unsecured HTTP request if the
    25142514   referring page was received with a secure protocol.
     
    38003800<t>
    38013801   Recipients of a timestamp value in rfc850-date format, which uses a
    3802    two-digit year, &SHOULD; interpret a timestamp that appears to be more
     3802   two-digit year, &MUST; interpret a timestamp that appears to be more
    38033803   than 50 years in the future as representing the most recent year in the
    38043804   past that had the same last two digits.
     
    38953895</t>
    38963896<t>
    3897    When Location is provided in a <x:ref>3xx (Redirection)</x:ref> response
    3898    and the URI reference that the user agent used to generate the request
    3899    target contains a fragment identifier, the user agent &SHOULD; process the
    3900    redirection as if the Location field value inherits the original fragment.
    3901    In other words, if the Location does not have a fragment component, the
    3902    user agent &SHOULD; interpret the Location reference as if it had the
    3903    original reference's fragment.
     3897   If the Location value provided in a <x:ref>3xx (Redirection)</x:ref>
     3898   does not have a fragment component, a user agent &MUST; process the
     3899   redirection as if the value inherits the fragment component of the URI
     3900   reference used to generate the request target (i.e., the redirection
     3901   inherits the original reference's fragment, if any).
    39043902</t>
    39053903<figure>
Note: See TracChangeset for help on using the changeset viewer.