Changeset 2547
- Timestamp: 15/01/14 17:14:38 (8 years ago)
- Location: draft-ietf-httpbis/latest
- Files: 12 edited
draft-ietf-httpbis/latest/p1-messaging.html
r2546 r2547 448 448 } 449 449 @bottom-center { 450 content: "Expires July 1 5, 2014";450 content: "Expires July 19, 2014"; 451 451 } 452 452 @bottom-right { … … 490 490 <meta name="dct.creator" content="Reschke, J. F."> 491 491 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest"> 492 <meta name="dct.issued" scheme="ISO8601" content="2014-01-1 1">492 <meta name="dct.issued" scheme="ISO8601" content="2014-01-15"> 493 493 <meta name="dct.replaces" content="urn:ietf:rfc:2145"> 494 494 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> … … 519 519 <tr> 520 520 <td class="left">Intended status: Standards Track</td> 521 <td class="right">January 1 1, 2014</td>521 <td class="right">January 15, 2014</td> 522 522 </tr> 523 523 <tr> 524 <td class="left">Expires: July 1 5, 2014</td>524 <td class="left">Expires: July 19, 2014</td> 525 525 <td class="right"></td> 526 526 </tr> … … 551 551 in progress”. 552 552 </p> 553 <p>This Internet-Draft will expire on July 1 5, 2014.</p>553 <p>This Internet-Draft will expire on July 19, 2014.</p> 554 554 </div> 555 555 <div id="rfc.copyrightnotice"> … … 2845 2845 <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP/1.1 2846 2846 message syntax, parsing, and routing. 2847 </p> 2848 <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such 2849 as the "Open Web Application Security Project" (OWASP, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>), provide information about current research. 
2847 2850 </p> 2848 2851 <div id="dns.related.attacks"> … … 3449 3452 </li> 3450 3453 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/544">http://tools.ietf.org/wg/httpbis/trac/ticket/544</a>>: "moving 2616/2068/2145 to historic" 3454 </li> 3455 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>>: "augment security considerations with pointers to current research" 3451 3456 </li> 3452 3457 </ul> -
draft-ietf-httpbis/latest/p1-messaging.xml
r2546 r2547 3848 3848 users of known security concerns relevant to HTTP/1.1 message syntax, 3849 3849 parsing, and routing. 3850 </t> 3851 <t> 3852 The list of considerations below is not exhaustive — security 3853 analysis in an ongoing activity. Various organizations, such as the 3854 "Open Web Application Security Project" (OWASP, 3855 <eref target="https://www.owasp.org/"/>), provide information about current 3856 research. 3850 3857 </t> 3851 3858 … … 5463 5470 "moving 2616/2068/2145 to historic" 5464 5471 </t> 5472 <t> 5473 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>: 5474 "augment security considerations with pointers to current research" 5475 </t> 5465 5476 </list> 5466 5477 </t> -
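Review bot: The added &lt;t&gt; element in the p1-messaging.xml hunk reads "security analysis in an ongoing activity"; "in" should be "is". Because the HTML files in this changeset are generated from the XML, the same wording appears in the p1-messaging.html and p2-semantics.html hunks (the new rfc.section.9.p.2 paragraphs), so correct it in the XML sources and regenerate rather than patching the HTML by hand.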
draft-ietf-httpbis/latest/p2-semantics.html
r2542 r2547 448 448 } 449 449 @bottom-center { 450 content: "Expires July 1 2, 2014";450 content: "Expires July 19, 2014"; 451 451 } 452 452 @bottom-right { … … 493 493 <meta name="dct.creator" content="Reschke, J. F."> 494 494 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p2-semantics-latest"> 495 <meta name="dct.issued" scheme="ISO8601" content="2014-01- 08">495 <meta name="dct.issued" scheme="ISO8601" content="2014-01-15"> 496 496 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 497 497 <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header fields, along with the payload of messages (metadata and body content) and mechanisms for content negotiation."> … … 521 521 <tr> 522 522 <td class="left">Intended status: Standards Track</td> 523 <td class="right">January 8, 2014</td>523 <td class="right">January 15, 2014</td> 524 524 </tr> 525 525 <tr> 526 <td class="left">Expires: July 1 2, 2014</td>526 <td class="left">Expires: July 19, 2014</td> 527 527 <td class="right"></td> 528 528 </tr> … … 553 553 in progress”. 554 554 </p> 555 <p>This Internet-Draft will expire on July 1 2, 2014.</p>555 <p>This Internet-Draft will expire on July 19, 2014.</p> 556 556 </div> 557 557 <div id="rfc.copyrightnotice"> … … 859 859 <p id="rfc.section.3.p.3">An origin server might be provided with, or capable of generating, multiple representations that are each intended to reflect 860 860 the current state of a <a href="#resources" class="smpl">target resource</a>. In such cases, some algorithm is used by the origin server to select one of those representations as most applicable to 861 a given request, usually based on <a href="#content.negotiation" class="smpl">content negotiation</a>. 
We refer to that one representation as the "<dfn>selected representation</dfn>" and use its particular data and metadata for evaluating conditional requests <a href="#Part4" id="rfc.xref.Part4.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a> and constructing the payload for <a href="#status.200" class="smpl">200 (OK)</a> and <a href="p4-conditional.html#status.304" class="smpl">304 (Not Modified)</a> responses to GET (<a href="#GET" id="rfc.xref.GET.1" title="GET">Section 4.3.1</a>). 861 a given request, usually based on <a href="#content.negotiation" class="smpl">content negotiation</a>. We refer to that one representation as the "<dfn>selected representation</dfn>" and use its particular data and metadata for evaluating conditional requests <a href="#Part4" id="rfc.xref.Part4.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a> and constructing the payload for <a href="#status.200" class="smpl">200 (OK)</a> and 862 <div class="error">ERROR: Anchor '304 (Not Modified)' not found in source file 'p4-conditional.xml'. (at line 325)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">304 (Not Modified)</a> responses to GET (<a href="#GET" id="rfc.xref.GET.1" title="GET">Section 4.3.1</a>). 862 863 </p> 863 864 <div id="representation.metadata"> … … 965 966 <p id="rfc.section.3.1.1.4.p.2">HTTP message framing does not use the multipart boundary as an indicator of message body length, though it might be used by 966 967 implementations that generate or process the payload. 
For example, the "multipart/form-data" type is often used for carrying 967 form data in a request, as described in <a href="#RFC2388" id="rfc.xref.RFC2388.1"><cite title="Returning Values from Forms: multipart/form-data">[RFC2388]</cite></a>, and the "multipart/byteranges" type is defined by this specification for use in some <a href="p5-range.html#status.206" class="smpl">206 (Partial Content)</a> responses <a href="#Part5" id="rfc.xref.Part5.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>. 968 form data in a request, as described in <a href="#RFC2388" id="rfc.xref.RFC2388.1"><cite title="Returning Values from Forms: multipart/form-data">[RFC2388]</cite></a>, and the "multipart/byteranges" type is defined by this specification for use in some 969 <div class="error">ERROR: Anchor '206 (Partial Content)' not found in source file 'p5-range.xml'. (at line 478)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">206 (Partial Content)</a> responses <a href="#Part5" id="rfc.xref.Part5.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>. 
968 970 </p> 969 971 </div> … … 1113 1115 <p id="rfc.section.3.1.4.1.p.3">For a response message, the following rules are applied in order until a match is found: </p> 1114 1116 <ol> 1115 <li>If the request is GET or HEAD and the response status code is <a href="#status.200" class="smpl">200 (OK)</a>, <a href="#status.204" class="smpl">204 (No Content)</a>, <a href="p5-range.html#status.206" class="smpl">206 (Partial Content)</a>, or <a href="p4-conditional.html#status.304" class="smpl">304 (Not Modified)</a>, the payload is a representation of the resource identified by the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). 1117 <li>If the request is GET or HEAD and the response status code is <a href="#status.200" class="smpl">200 (OK)</a>, <a href="#status.204" class="smpl">204 (No Content)</a>, 1118 <div class="error">ERROR: Anchor '206 (Partial Content)' not found in source file 'p5-range.xml'. (at line 743)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">206 (Partial Content)</a>, or 1119 <div class="error">ERROR: Anchor '304 (Not Modified)' not found in source file 'p4-conditional.xml'. (at line 744)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">304 (Not Modified)</a>, the payload is a representation of the resource identified by the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). 
1116 1120 </li> 1117 1121 <li>If the request is GET or HEAD and the response status code is <a href="#status.203" class="smpl">203 (Non-Authoritative Information)</a>, the payload is a potentially modified or enhanced representation of the <a href="#resources" class="smpl">target resource</a> as provided by an intermediary. … … 1190 1194 <h2 id="rfc.section.3.3"><a href="#rfc.section.3.3">3.3</a> <a href="#payload">Payload Semantics</a></h2> 1191 1195 <p id="rfc.section.3.3.p.1">Some HTTP messages transfer a complete or partial representation as the message "<dfn>payload</dfn>". In some cases, a payload might contain only the associated representation's header fields (e.g., responses to HEAD) or 1192 only some part(s) of the representation data (e.g., the <a href="p5-range.html#status.206" class="smpl">206 (Partial Content)</a> status code). 1196 only some part(s) of the representation data (e.g., the 1197 <div class="error">ERROR: Anchor '206 (Partial Content)' not found in source file 'p5-range.xml'. (at line 884)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">206 (Partial Content)</a> status code). 1193 1198 </p> 1194 1199 <p id="rfc.section.3.3.p.2">The purpose of a payload in a request is defined by the method semantics. 
For example, a representation in the payload of … … 1219 1224 <tr> 1220 1225 <td class="left">Content-Range</td> 1221 <td class="left"><a href="p5-range.html#header.content-range" title=" Content-Range">Section 4.2</a> of <a href="#Part5" id="rfc.xref.Part5.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>1226 <td class="left"><a href="p5-range.html#header.content-range" title="ERROR: Anchor 'header.content-range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.content-range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td> 1222 1227 </tr> 1223 1228 <tr> … … 1475 1480 </p> 1476 1481 <p id="rfc.section.4.3.1.p.3">A client can alter the semantics of GET to be a "range request", requesting transfer of only some part(s) of the selected 1477 representation, by sending a <a href="p5-range.html#header.range" class="smpl">Range</a> header field in the request (<a href="#Part5" id="rfc.xref.Part5.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>). 1482 representation, by sending a 1483 <div class="error">ERROR: Anchor 'Range' not found in source file 'p5-range.xml'. (at line 1318)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">Range</a> header field in the request (<a href="#Part5" id="rfc.xref.Part5.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>). 1478 1484 </p> 1479 1485 <p id="rfc.section.4.3.1.p.4">A payload within a GET request message has no defined semantics; sending a payload body on a GET request might cause some … … 1562 1568 the server. 
1563 1569 </p> 1564 <p id="rfc.section.4.3.4.p.7">An origin server <em class="bcp14">MUST NOT</em> send a validator header field (<a href="#response.validator" title="Validator Header Fields">Section 7.2</a>), such as an <a href="p4-conditional.html#header.etag" class="smpl">ETag</a> or <a href="p4-conditional.html#header.last-modified" class="smpl">Last-Modified</a> field, in a successful response to PUT unless the request's representation data was saved without any transformation applied 1570 <p id="rfc.section.4.3.4.p.7">An origin server <em class="bcp14">MUST NOT</em> send a validator header field (<a href="#response.validator" title="Validator Header Fields">Section 7.2</a>), such as an 1571 <div class="error">ERROR: Anchor 'ETag' not found in source file 'p4-conditional.xml'. (at line 1491)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">ETag</a> or 1572 <div class="error">ERROR: Anchor 'Last-Modified' not found in source file 'p4-conditional.xml'. (at line 1492)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">Last-Modified</a> field, in a successful response to PUT unless the request's representation data was saved without any transformation applied 1565 1573 to the body (i.e., the resource's new representation data is identical to the representation data received in the PUT request) 1566 1574 and the validator field value reflects the new representation. This requirement allows a user agent to know when the representation … … 1585 1593 and might also cause links to be added between the related resources. 
1586 1594 </p> 1587 <p id="rfc.section.4.3.4.p.11">An origin server that allows PUT on a given target resource <em class="bcp14">MUST</em> send a <a href="#status.400" class="smpl">400 (Bad Request)</a> response to a PUT request that contains a <a href="p5-range.html#header.content-range" class="smpl">Content-Range</a> header field (<a href="p5-range.html#header.content-range" title="Content-Range">Section 4.2</a> of <a href="#Part5" id="rfc.xref.Part5.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), since the payload is likely to be partial content that has been mistakenly PUT as a full representation. Partial content 1595 <p id="rfc.section.4.3.4.p.11">An origin server that allows PUT on a given target resource <em class="bcp14">MUST</em> send a <a href="#status.400" class="smpl">400 (Bad Request)</a> response to a PUT request that contains a 1596 <div class="error">ERROR: Anchor 'Content-Range' not found in source file 'p5-range.xml'. (at line 1539)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">Content-Range</a> header field (<a href="p5-range.html#header.content-range" title="ERROR: Anchor 'header.content-range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.content-range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), since the payload is likely to be partial content that has been mistakenly PUT as a full representation. 
Partial content 1588 1597 updates are possible by targeting a separately identified resource with state that overlaps a portion of the larger resource, 1589 1598 or by using a different method that has been specifically defined for partial updates (for example, the PATCH method defined … … 1751 1760 <tr> 1752 1761 <td class="left">Range</td> 1753 <td class="left"><a href="p5-range.html#header.range" title=" Range">Section 3.1</a> of <a href="#Part5" id="rfc.xref.Part5.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>1762 <td class="left"><a href="p5-range.html#header.range" title="ERROR: Anchor 'header.range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td> 1754 1763 </tr> 1755 1764 <tr> … … 1851 1860 of a comparison between a set of validators obtained from prior representations of the target resource to the current state 1852 1861 of validators for the <a href="#representations" class="smpl">selected representation</a> (<a href="#response.validator" title="Validator Header Fields">Section 7.2</a>). Hence, these preconditions evaluate whether the state of the target resource has changed since a given state known by the 1853 client. The effect of such an evaluation depends on the method semantics and choice of conditional, as defined in <a href="p4-conditional.html#evaluation" title="E valuation">Section 5</a> of <a href="#Part4" id="rfc.xref.Part4.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>.1862 client. 
The effect of such an evaluation depends on the method semantics and choice of conditional, as defined in <a href="p4-conditional.html#evaluation" title="ERROR: Anchor 'evaluation' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'evaluation' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>. 1854 1863 </p> 1855 1864 <div id="rfc.table.u.4"> … … 1864 1873 <tr> 1865 1874 <td class="left">If-Match</td> 1866 <td class="left"><a href="p4-conditional.html#header.if-match" title=" If-Match">Section 3.1</a> of <a href="#Part4" id="rfc.xref.Part4.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>1875 <td class="left"><a href="p4-conditional.html#header.if-match" title="ERROR: Anchor 'header.if-match' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-match' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td> 1867 1876 </tr> 1868 1877 <tr> 1869 1878 <td class="left">If-None-Match</td> 1870 <td class="left"><a href="p4-conditional.html#header.if-none-match" title=" If-None-Match">Section 3.2</a> of <a href="#Part4" id="rfc.xref.Part4.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>1879 <td class="left"><a href="p4-conditional.html#header.if-none-match" title="ERROR: Anchor 'header.if-none-match' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-none-match' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td> 1871 1880 </tr> 1872 1881 <tr> 1873 1882 <td class="left">If-Modified-Since</td> 1874 <td 
class="left"><a href="p4-conditional.html#header.if-modified-since" title=" If-Modified-Since">Section 3.3</a> of <a href="#Part4" id="rfc.xref.Part4.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>1883 <td class="left"><a href="p4-conditional.html#header.if-modified-since" title="ERROR: Anchor 'header.if-modified-since' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-modified-since' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td> 1875 1884 </tr> 1876 1885 <tr> 1877 1886 <td class="left">If-Unmodified-Since</td> 1878 <td class="left"><a href="p4-conditional.html#header.if-unmodified-since" title=" If-Unmodified-Since">Section 3.4</a> of <a href="#Part4" id="rfc.xref.Part4.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>1887 <td class="left"><a href="p4-conditional.html#header.if-unmodified-since" title="ERROR: Anchor 'header.if-unmodified-since' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-unmodified-since' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td> 1879 1888 </tr> 1880 1889 <tr> 1881 1890 <td class="left">If-Range</td> 1882 <td class="left"><a href="p5-range.html#header.if-range" title=" If-Range">Section 3.2</a> of <a href="#Part5" id="rfc.xref.Part5.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>1891 <td class="left"><a href="p5-range.html#header.if-range" title="ERROR: Anchor 'header.if-range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.if-range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.6"><cite 
title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td> 1883 1892 </tr> 1884 1893 </tbody> … … 2307 2316 <div id="overview.of.status.codes"> 2308 2317 <h2 id="rfc.section.6.1"><a href="#rfc.section.6.1">6.1</a> <a href="#overview.of.status.codes">Overview of Status Codes</a></h2> 2309 <p id="rfc.section.6.1.p.1">The status codes listed below are defined in this specification, <a href="p4-conditional.html#status.code.definitions" title=" Status Code Definitions">Section 4</a> of <a href="#Part4" id="rfc.xref.Part4.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>, <a href="p5-range.html#range.response" title="Responses to a Range Request">Section 4</a> of <a href="#Part5" id="rfc.xref.Part5.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>, and <a href="p7-auth.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part7" id="rfc.xref.Part7.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a>. 
The reason phrases listed here are only recommendations — they can be replaced by local equivalents without affecting the2318 <p id="rfc.section.6.1.p.1">The status codes listed below are defined in this specification, <a href="p4-conditional.html#status.code.definitions" title="ERROR: Anchor 'status.code.definitions' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'status.code.definitions' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>, <a href="p5-range.html#range.response" title="ERROR: Anchor 'range.response' not found in p5-range.xml.">Appendix ERROR: Anchor 'range.response' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>, and <a href="p7-auth.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part7" id="rfc.xref.Part7.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a>. The reason phrases listed here are only recommendations — they can be replaced by local equivalents without affecting the 2310 2319 protocol. 
2311 2320 </p> … … 2367 2376 <td class="left">206</td> 2368 2377 <td class="left">Partial Content</td> 2369 <td id="status.206" class="left"><a href="p5-range.html#status.206" title=" 206 Partial Content">Section 4.1</a> of <a href="#Part5" id="rfc.xref.Part5.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>2378 <td id="status.206" class="left"><a href="p5-range.html#status.206" title="ERROR: Anchor 'status.206' not found in p5-range.xml.">Appendix ERROR: Anchor 'status.206' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td> 2370 2379 </tr> 2371 2380 <tr> … … 2392 2401 <td class="left">304</td> 2393 2402 <td class="left">Not Modified</td> 2394 <td id="status.304" class="left"><a href="p4-conditional.html#status.304" title=" 304 Not Modified">Section 4.1</a> of <a href="#Part4" id="rfc.xref.Part4.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>2403 <td id="status.304" class="left"><a href="p4-conditional.html#status.304" title="ERROR: Anchor 'status.304' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'status.304' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td> 2395 2404 </tr> 2396 2405 <tr> … … 2467 2476 <td class="left">412</td> 2468 2477 <td class="left">Precondition Failed</td> 2469 <td id="status.412" class="left"><a href="p4-conditional.html#status.412" title=" 412 Precondition Failed">Section 4.2</a> of <a href="#Part4" id="rfc.xref.Part4.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>2478 <td id="status.412" class="left"><a href="p4-conditional.html#status.412" title="ERROR: Anchor 'status.412' not found in 
p4-conditional.xml.">Appendix ERROR: Anchor 'status.412' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td> 2470 2479 </tr> 2471 2480 <tr> … … 2487 2496 <td class="left">416</td> 2488 2497 <td class="left">Range Not Satisfiable</td> 2489 <td id="status.416" class="left"><a href="p5-range.html#status.416" title=" 416 Range Not Satisfiable">Section 4.4</a> of <a href="#Part5" id="rfc.xref.Part5.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>2498 <td id="status.416" class="left"><a href="p5-range.html#status.416" title="ERROR: Anchor 'status.416' not found in p5-range.xml.">Appendix ERROR: Anchor 'status.416' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td> 2490 2499 </tr> 2491 2500 <tr> … … 2614 2623 primary resource created by the request is identified by either a <a href="#header.location" class="smpl">Location</a> header field in the response or, if no <a href="#header.location" class="smpl">Location</a> field is received, by the effective request URI. 2615 2624 </p> 2616 <p id="rfc.section.6.3.2.p.2">The 201 response payload typically describes and links to the resource(s) created. See <a href="#response.validator" title="Validator Header Fields">Section 7.2</a> for a discussion of the meaning and purpose of validator header fields, such as <a href="p4-conditional.html#header.etag" class="smpl">ETag</a> and <a href="p4-conditional.html#header.last-modified" class="smpl">Last-Modified</a>, in a 201 response. 2625 <p id="rfc.section.6.3.2.p.2">The 201 response payload typically describes and links to the resource(s) created. 
See <a href="#response.validator" title="Validator Header Fields">Section 7.2</a> for a discussion of the meaning and purpose of validator header fields, such as 2626 <div class="error">ERROR: Anchor 'ETag' not found in source file 'p4-conditional.xml'. (at line 2866)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">ETag</a> and 2627 <div class="error">ERROR: Anchor 'Last-Modified' not found in source file 'p4-conditional.xml'. (at line 2866)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">Last-Modified</a>, in a 201 response. 2617 2628 </p> 2618 2629 </div> … … 2650 2661 in the response payload body. Metadata in the response header fields refer to the <a href="#resources" class="smpl">target resource</a> and its <a href="#representations" class="smpl">selected representation</a> after the requested action was applied. 2651 2662 </p> 2652 <p id="rfc.section.6.3.5.p.2">For example, if a 204 status code is received in response to a PUT request and the response contains an <a href="p4-conditional.html#header.etag" class="smpl">ETag</a> header field, then the PUT was successful and the ETag field-value contains the entity-tag for the new representation of that 2663 <p id="rfc.section.6.3.5.p.2">For example, if a 204 status code is received in response to a PUT request and the response contains an 2664 <div class="error">ERROR: Anchor 'ETag' not found in source file 'p4-conditional.xml'. (at line 2929)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">ETag</a> header field, then the PUT was successful and the ETag field-value contains the entity-tag for the new representation of that 2653 2665 target resource. 2654 2666 </p> … … 2705 2717 </li> 2706 2718 <li> 2707 <p>Redirection to a previously cached result, as in the <a href="p4-conditional.html#status.304" class="smpl">304 (Not Modified)</a> status code. 
2719 <p>Redirection to a previously cached result, as in the 2720 <div class="error">ERROR: Anchor '304 (Not Modified)' not found in source file 'p4-conditional.xml'. (at line 3036)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">304 (Not Modified)</a> status code. 2708 2721 </p> 2709 2722 </li> … … 3338 3351 <tr> 3339 3352 <td class="left">ETag</td> 3340 <td class="left"><a href="p4-conditional.html#header.etag" title="E Tag">Section 2.3</a> of <a href="#Part4" id="rfc.xref.Part4.13"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>3353 <td class="left"><a href="p4-conditional.html#header.etag" title="ERROR: Anchor 'header.etag' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.etag' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.13"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td> 3341 3354 </tr> 3342 3355 <tr> 3343 3356 <td class="left">Last-Modified</td> 3344 <td class="left"><a href="p4-conditional.html#header.last-modified" title=" Last-Modified">Section 2.2</a> of <a href="#Part4" id="rfc.xref.Part4.14"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>3357 <td class="left"><a href="p4-conditional.html#header.last-modified" title="ERROR: Anchor 'header.last-modified' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.last-modified' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.14"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td> 3345 3358 </tr> 3346 3359 </tbody> … … 3389 3402 <tr> 3390 3403 <td class="left">Accept-Ranges</td> 3391 <td class="left"><a href="p5-range.html#header.accept-ranges" title=" Accept-Ranges">Section 2.3</a> of <a href="#Part5" id="rfc.xref.Part5.10"><cite 
title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>3404 <td class="left"><a href="p5-range.html#header.accept-ranges" title="ERROR: Anchor 'header.accept-ranges' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.accept-ranges' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td> 3392 3405 </tr> 3393 3406 <tr> … … 4138 4151 semantics and its use for transferring information over the Internet. Considerations related to message syntax, parsing, and 4139 4152 routing are discussed in <a href="p1-messaging.html#security.considerations" title="Security Considerations">Section 9</a> of <a href="#Part1" id="rfc.xref.Part1.42"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>. 4153 </p> 4154 <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such 4155 as the "Open Web Application Security Project" (OWASP, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>), provide information about current research. 4140 4156 </p> 4141 4157 <div id="attack.pathname"> … … 4498 4514 fold long lines. 
MHTML messages being transported by HTTP follow all conventions of MHTML, including line length limitations 4499 4515 and folding, canonicalization, etc., since HTTP transfers message-bodies as payload and, aside from the "multipart/byteranges" 4500 type (<a href="p5-range.html#internet.media.type.multipart.byteranges" title=" Internet Media Type multipart/byteranges">Appendix A</a> of <a href="#Part5" id="rfc.xref.Part5.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), does not interpret the content or any MIME header lines that might be contained therein.4516 type (<a href="p5-range.html#internet.media.type.multipart.byteranges" title="ERROR: Anchor 'internet.media.type.multipart.byteranges' not found in p5-range.xml.">Appendix ERROR: Anchor 'internet.media.type.multipart.byteranges' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), does not interpret the content or any MIME header lines that might be contained therein. 4501 4517 </p> 4502 4518 </div> … … 4522 4538 <p id="rfc.section.B.p.6">To be consistent with the method-neutral parsing algorithm of <a href="#Part1" id="rfc.xref.Part1.45"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>, the definition of GET has been relaxed so that requests can have a body, even though a body has no meaning for GET. (<a href="#GET" id="rfc.xref.GET.5" title="GET">Section 4.3.1</a>) 4523 4539 </p> 4524 <p id="rfc.section.B.p.7">Servers are no longer required to handle all Content-* header fields and use of <a href="p5-range.html#header.content-range" class="smpl">Content-Range</a> has been explicitly banned in PUT requests. 
(<a href="#PUT" id="rfc.xref.PUT.4" title="PUT">Section 4.3.4</a>) 4540 <p id="rfc.section.B.p.7">Servers are no longer required to handle all Content-* header fields and use of 4541 <div class="error">ERROR: Anchor 'Content-Range' not found in source file 'p5-range.xml'. (at line 5924)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">Content-Range</a> has been explicitly banned in PUT requests. (<a href="#PUT" id="rfc.xref.PUT.4" title="PUT">Section 4.3.4</a>) 4525 4542 </p> 4526 4543 <p id="rfc.section.B.p.8">Definition of the CONNECT method has been moved from <a href="#RFC2817" id="rfc.xref.RFC2817.2"><cite title="Upgrading to TLS Within HTTP/1.1">[RFC2817]</cite></a> to this specification. (<a href="#CONNECT" id="rfc.xref.CONNECT.3" title="CONNECT">Section 4.3.6</a>) … … 4759 4776 </li> 4760 4777 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/546">http://tools.ietf.org/wg/httpbis/trac/ticket/546</a>>: "considerations for new headers: privacy" 4778 </li> 4779 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>>: "augment security considerations with pointers to current research" 4761 4780 </li> 4762 4781 </ul> … … 4990 5009 </li> 4991 5010 <li><em>Part4</em> <a href="#rfc.xref.Part4.1">3</a>, <a href="#rfc.xref.Part4.2">4.1</a>, <a href="#rfc.xref.Part4.3">5.2</a>, <a href="#rfc.xref.Part4.4">5.2</a>, <a href="#rfc.xref.Part4.5">5.2</a>, <a href="#rfc.xref.Part4.6">5.2</a>, <a href="#rfc.xref.Part4.7">5.2</a>, <a href="#rfc.xref.Part4.8">5.2</a>, <a href="#rfc.xref.Part4.9">6.1</a>, <a href="#rfc.xref.Part4.10">6.1</a>, <a href="#rfc.xref.Part4.11">6.1</a>, <a href="#rfc.xref.Part4.12">7.2</a>, <a href="#rfc.xref.Part4.13">7.2</a>, <a href="#rfc.xref.Part4.14">7.2</a>, <a href="#Part4"><b>11.1</b></a><ul> 4992 <li><em> Section 2.2</em> <a href="#rfc.xref.Part4.14">7.2</a></li>4993 <li><em> Section 2.3</em> <a 
href="#rfc.xref.Part4.13">7.2</a></li>4994 <li><em> Section 3.1</em> <a href="#rfc.xref.Part4.5">5.2</a></li>4995 <li><em> Section 3.2</em> <a href="#rfc.xref.Part4.6">5.2</a></li>4996 <li><em> Section 3.3</em> <a href="#rfc.xref.Part4.7">5.2</a></li>4997 <li><em> Section 3.4</em> <a href="#rfc.xref.Part4.8">5.2</a></li>4998 <li><em> Section 4</em> <a href="#rfc.xref.Part4.9">6.1</a></li>4999 <li><em> Section 4.1</em> <a href="#rfc.xref.Part4.10">6.1</a></li>5000 <li><em> Section 4.2</em> <a href="#rfc.xref.Part4.11">6.1</a></li>5001 <li><em> Section 5</em> <a href="#rfc.xref.Part4.4">5.2</a></li>5011 <li><em>Appendix </em> <a href="#rfc.xref.Part4.4">5.2</a></li> 5012 <li><em>Appendix </em> <a href="#rfc.xref.Part4.5">5.2</a></li> 5013 <li><em>Appendix </em> <a href="#rfc.xref.Part4.6">5.2</a></li> 5014 <li><em>Appendix </em> <a href="#rfc.xref.Part4.7">5.2</a></li> 5015 <li><em>Appendix </em> <a href="#rfc.xref.Part4.8">5.2</a></li> 5016 <li><em>Appendix </em> <a href="#rfc.xref.Part4.9">6.1</a></li> 5017 <li><em>Appendix </em> <a href="#rfc.xref.Part4.10">6.1</a></li> 5018 <li><em>Appendix </em> <a href="#rfc.xref.Part4.11">6.1</a></li> 5019 <li><em>Appendix </em> <a href="#rfc.xref.Part4.13">7.2</a></li> 5020 <li><em>Appendix </em> <a href="#rfc.xref.Part4.14">7.2</a></li> 5002 5021 </ul> 5003 5022 </li> 5004 5023 <li><em>Part5</em> <a href="#rfc.xref.Part5.1">3.1.1.4</a>, <a href="#rfc.xref.Part5.2">3.3</a>, <a href="#rfc.xref.Part5.3">4.3.1</a>, <a href="#rfc.xref.Part5.4">4.3.4</a>, <a href="#rfc.xref.Part5.5">5.1</a>, <a href="#rfc.xref.Part5.6">5.2</a>, <a href="#rfc.xref.Part5.7">6.1</a>, <a href="#rfc.xref.Part5.8">6.1</a>, <a href="#rfc.xref.Part5.9">6.1</a>, <a href="#rfc.xref.Part5.10">7.4</a>, <a href="#rfc.xref.Part5.11">8.1.2</a>, <a href="#Part5"><b>11.1</b></a>, <a href="#rfc.xref.Part5.12">A.6</a><ul> 5005 <li><em> Section 2.3</em> <a href="#rfc.xref.Part5.10">7.4</a></li>5006 <li><em> Section 3.1</em> <a 
href="#rfc.xref.Part5.5">5.1</a></li>5007 <li><em> Section 3.2</em> <a href="#rfc.xref.Part5.6">5.2</a></li>5008 <li><em> Section 4</em> <a href="#rfc.xref.Part5.7">6.1</a></li>5009 <li><em> Section 4.1</em> <a href="#rfc.xref.Part5.8">6.1</a></li>5010 <li><em> Section 4.2</em> <a href="#rfc.xref.Part5.2">3.3</a>, <a href="#rfc.xref.Part5.4">4.3.4</a></li>5011 <li><em> Section 4.4</em> <a href="#rfc.xref.Part5.9">6.1</a></li>5012 <li><em>Appendix A</em> <a href="#rfc.xref.Part5.12">A.6</a></li>5024 <li><em>Appendix </em> <a href="#rfc.xref.Part5.2">3.3</a>, <a href="#rfc.xref.Part5.4">4.3.4</a></li> 5025 <li><em>Appendix </em> <a href="#rfc.xref.Part5.5">5.1</a></li> 5026 <li><em>Appendix </em> <a href="#rfc.xref.Part5.6">5.2</a></li> 5027 <li><em>Appendix </em> <a href="#rfc.xref.Part5.7">6.1</a></li> 5028 <li><em>Appendix </em> <a href="#rfc.xref.Part5.8">6.1</a></li> 5029 <li><em>Appendix </em> <a href="#rfc.xref.Part5.9">6.1</a></li> 5030 <li><em>Appendix </em> <a href="#rfc.xref.Part5.10">7.4</a></li> 5031 <li><em>Appendix </em> <a href="#rfc.xref.Part5.12">A.6</a></li> 5013 5032 </ul> 5014 5033 </li> -
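Review bot: the regenerated p2-semantics.html should not be committed in this state, because cross-references to Part4 and Part5 have been replaced by build failures: sections 6.3.5, 7.2, 7.4, A.6 and B now carry `<div class="error">ERROR: Anchor 'ETag' not found in source file 'p4-conditional.xml' ...</div>` (likewise for 'Last-Modified', '304 (Not Modified)', 'Content-Range', 'header.accept-ranges' and 'internet.media.type.multipart.byteranges'), the header tables in 7.2 and 7.4 render "Appendix ERROR: Anchor ... not found" where "Section 2.3 of [Part4]" used to be, and the Part4/Part5 index entries have collapsed from "Section 2.2", "Appendix A" etc. to empty "Appendix " items. Only references into p4-conditional.xml and p5-range.xml fail in the visible hunks, and those are exactly the two source files that gain an `<!ENTITY mdash "—">` declaration in this same changeset, so that declaration is the first thing to check; regenerate this file once the sibling sources load again in the cross-document build.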
draft-ietf-httpbis/latest/p2-semantics.xml
r2542 r2547 4915 4915 &p1-security-considerations;. 4916 4916 </t> 4917 <t> 4918 The list of considerations below is not exhaustive — security 4919 analysis in an ongoing activity. Various organizations, such as the 4920 "Open Web Application Security Project" (OWASP, 4921 <eref target="https://www.owasp.org/"/>), provide information about current 4922 research. 4923 </t> 4917 4924 4918 4925 <section title="Attacks Based On File and Path Names" anchor="attack.pathname"> … … 6278 6285 "considerations for new headers: privacy" 6279 6286 </t> 6287 <t> 6288 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>: 6289 "augment security considerations with pointers to current research" 6290 </t> 6280 6291 </list> 6281 6292 </t> -
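Review bot: typo in the new paragraph at lines 4918-4919: "security analysis in an ongoing activity" should read "security analysis is an ongoing activity". The identical sentence is added to p4-conditional.xml, p5-range.xml, p6-cache.xml and p7-auth.xml in this changeset and needs the same correction in each, followed by regenerating the .html files. Two smaller points on the same paragraph: "provide information about current research" overstates what OWASP publishes, which is mostly guidance (cheat sheets, testing guides, the Top Ten) rather than research, so "current guidance and research" would be more accurate; and this source writes a literal em dash inside the `<t>` while p4-conditional.xml and p5-range.xml declare an mdash entity for the same sentence, so pick one convention across the parts.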
draft-ietf-httpbis/latest/p4-conditional.html
r2531 r2547 448 448 } 449 449 @bottom-center { 450 content: "Expires July 7, 2014";450 content: "Expires July 19, 2014"; 451 451 } 452 452 @bottom-right { … … 491 491 <meta name="dct.creator" content="Reschke, J. F."> 492 492 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p4-conditional-latest"> 493 <meta name="dct.issued" scheme="ISO8601" content="2014-01- 03">493 <meta name="dct.issued" scheme="ISO8601" content="2014-01-15"> 494 494 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 495 495 <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP/1.1 conditional requests, including metadata header fields for indicating state changes, request header fields for making preconditions on such state, and rules for constructing the responses to a conditional request when one or more preconditions evaluate to false."> … … 517 517 </tr> 518 518 <tr> 519 <td class="left">Expires: July 7, 2014</td>520 <td class="right">January 3, 2014</td>519 <td class="left">Expires: July 19, 2014</td> 520 <td class="right">January 15, 2014</td> 521 521 </tr> 522 522 </tbody> … … 546 546 in progress”. 547 547 </p> 548 <p>This Internet-Draft will expire on July 7, 2014.</p>548 <p>This Internet-Draft will expire on July 19, 2014.</p> 549 549 </div> 550 550 <div id="rfc.copyrightnotice"> … … 1311 1311 conditional request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>. 
1312 1312 </p> 1313 <p id="rfc.section.8.p.2">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious 1313 <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such 1314 as the "Open Web Application Security Project" (OWASP, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>), provide information about current research. 1315 </p> 1316 <p id="rfc.section.8.p.3">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious 1314 1317 changes, or detect man-in-the-middle attacks. At best, they enable more efficient cache updates and optimistic concurrent 1315 1318 writes when all participants are behaving nicely. At worst, the conditions will fail and the client will receive a response 1316 1319 that is no more harmful than an HTTP exchange without conditional requests. 1317 1320 </p> 1318 <p id="rfc.section.8.p. 3">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically1321 <p id="rfc.section.8.p.4">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically 1319 1322 invalid entity-tag that is unique to the user or user agent, send it in a cacheable response with a long freshness time, and 1320 1323 then read that entity-tag in later conditional requests as a means of re-identifying that user or user agent. 
Such an identifying … … 1466 1469 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>>: "improve introduction of list rule" 1467 1470 </li> 1471 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>>: "augment security considerations with pointers to current research" 1472 </li> 1468 1473 </ul> 1469 1474 </div> -
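Review bot: inserting the new paragraph ahead of the existing ones shifts the positional ids, as the hunk at 1313-1321 shows: rfc.section.8.p.2 now denotes the OWASP pointer, the validator paragraph moves to p.3 and the entity-tag privacy paragraph to p.4, so any existing deep link to those ids silently lands on a different paragraph. The same shift occurs in p6-cache.html (p.2 through p.7). If stable links to the privacy text are wanted, give those paragraphs explicit anchors in the XML source instead of relying on the generated numbering.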
draft-ietf-httpbis/latest/p4-conditional.xml
r2531 r2547 15 15 <!ENTITY ID-MONTH "January"> 16 16 <!ENTITY ID-YEAR "2014"> 17 <!ENTITY mdash "—"> 17 18 <!ENTITY Note "<x:h xmlns:x='http://purl.org/net/xml2rfc/ext'>Note:</x:h>"> 18 19 <!ENTITY architecture "<xref target='Part1' x:rel='#architecture' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> … … 1239 1240 </t> 1240 1241 <t> 1242 The list of considerations below is not exhaustive — security 1243 analysis in an ongoing activity. Various organizations, such as the 1244 "Open Web Application Security Project" (OWASP, 1245 <eref target="https://www.owasp.org/"/>), provide information about current 1246 research. 1247 </t> 1248 <t> 1241 1249 The validators defined by this specification are not intended to ensure 1242 1250 the validity of a representation, guard against malicious changes, or … … 1597 1605 "improve introduction of list rule" 1598 1606 </t> 1607 <t> 1608 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>: 1609 "augment security considerations with pointers to current research" 1610 </t> 1599 1611 </list> 1600 1612 </t> -
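Review bot: the `<!ENTITY mdash "—">` added at line 17 is not referenced by the new text at line 1242, which uses a literal "—", so the declaration is dead as far as this hunk shows. Since p2-semantics.html in the same changeset starts reporting "Anchor ... not found in source file 'p4-conditional.xml'" for every reference into this file, the declaration is the likely trigger; either drop it and keep the literal character (as p2-semantics.xml does) or use `&mdash;` in the paragraph and confirm that the cross-document build resolves anchors in this file again before committing the generated HTML.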
draft-ietf-httpbis/latest/p5-range.html
r2531 r2547 448 448 } 449 449 @bottom-center { 450 content: "Expires July 7, 2014";450 content: "Expires July 19, 2014"; 451 451 } 452 452 @bottom-right { … … 491 491 <meta name="dct.creator" content="Reschke, J. F."> 492 492 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p5-range-latest"> 493 <meta name="dct.issued" scheme="ISO8601" content="2014-01- 03">493 <meta name="dct.issued" scheme="ISO8601" content="2014-01-15"> 494 494 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 495 495 <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines range requests and the rules for constructing and combining responses to those requests."> … … 517 517 </tr> 518 518 <tr> 519 <td class="left">Expires: July 7, 2014</td>519 <td class="left">Expires: July 19, 2014</td> 520 520 <td class="right">J. Reschke, Editor</td> 521 521 </tr> … … 526 526 <tr> 527 527 <td class="left"></td> 528 <td class="right">January 3, 2014</td>528 <td class="right">January 15, 2014</td> 529 529 </tr> 530 530 </tbody> … … 552 552 in progress”. 553 553 </p> 554 <p>This Internet-Draft will expire on July 7, 2014.</p>554 <p>This Internet-Draft will expire on July 19, 2014.</p> 555 555 </div> 556 556 <div id="rfc.copyrightnotice"> … … 1167 1167 <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP/1.1 1168 1168 range request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>. 
1169 </p> 1170 <p id="rfc.section.6.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such 1171 as the "Open Web Application Security Project" (OWASP, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>), provide information about current research. 1169 1172 </p> 1170 1173 <div id="overlapping.ranges"> … … 1405 1408 </li> 1406 1409 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>>: "improve introduction of list rule" 1410 </li> 1411 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>>: "augment security considerations with pointers to current research" 1407 1412 </li> 1408 1413 </ul> -
draft-ietf-httpbis/latest/p5-range.xml
r2531 r2547 15 15 <!ENTITY ID-MONTH "January"> 16 16 <!ENTITY ID-YEAR "2014"> 17 <!ENTITY mdash "—"> 17 18 <!ENTITY Note "<x:h xmlns:x='http://purl.org/net/xml2rfc/ext'>Note:</x:h>"> 18 19 <!ENTITY architecture "<xref target='Part1' x:rel='#architecture' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> … … 1048 1049 in HTTP messaging &messaging; and semantics &semantics;. 1049 1050 </t> 1051 <t> 1052 The list of considerations below is not exhaustive — security 1053 analysis in an ongoing activity. Various organizations, such as the 1054 "Open Web Application Security Project" (OWASP, 1055 <eref target="https://www.owasp.org/"/>), provide information about current 1056 research. 1057 </t> 1050 1058 1051 1059 <section title="Denial of Service Attacks using Range" anchor="overlapping.ranges"> … … 1549 1557 "improve introduction of list rule" 1550 1558 </t> 1559 <t> 1560 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>: 1561 "augment security considerations with pointers to current research" 1562 </t> 1551 1563 </list> 1552 1564 </t> -
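Review bot: same pattern as in p4-conditional.xml: the mdash entity declared at line 17 is unused by the new paragraph at lines 1052-1057, which writes a literal "—", and p2-semantics.html in this changeset shows "Anchor ... not found in source file 'p5-range.xml'" errors for every reference into this file (Accept-Ranges, Content-Range, multipart/byteranges). Verify that the file still loads in the cross-document build after this edit; if the entity declaration is what breaks it, remove it rather than shipping the HTML with error markers.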
draft-ietf-httpbis/latest/p6-cache.html
r2531 r2547 451 451 } 452 452 @bottom-center { 453 content: "Expires July 7, 2014";453 content: "Expires July 19, 2014"; 454 454 } 455 455 @bottom-right { … … 495 495 <meta name="dct.creator" content="Reschke, J. F."> 496 496 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p6-cache-latest"> 497 <meta name="dct.issued" scheme="ISO8601" content="2014-01- 03">497 <meta name="dct.issued" scheme="ISO8601" content="2014-01-15"> 498 498 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 499 499 <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages."> … … 521 521 </tr> 522 522 <tr> 523 <td class="left">Expires: July 7, 2014</td>523 <td class="left">Expires: July 19, 2014</td> 524 524 <td class="right">J. Reschke, Editor</td> 525 525 </tr> … … 530 530 <tr> 531 531 <td class="left"></td> 532 <td class="right">January 3, 2014</td>532 <td class="right">January 15, 2014</td> 533 533 </tr> 534 534 </tbody> … … 557 557 in progress”. 558 558 </p> 559 <p>This Internet-Draft will expire on July 7, 2014.</p>559 <p>This Internet-Draft will expire on July 19, 2014.</p> 560 560 </div> 561 561 <div id="rfc.copyrightnotice"> … … 1930 1930 caching. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>. 
1931 1931 </p> 1932 <p id="rfc.section.8.p.2">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious 1932 <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such 1933 as the "Open Web Application Security Project" (OWASP, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>), provide information about current research. 1934 </p> 1935 <p id="rfc.section.8.p.3">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious 1933 1936 exploitation. Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information 1934 1937 long after a user believes that the information has been removed from the network. Therefore, cache contents need to be protected 1935 1938 as sensitive information. 1936 1939 </p> 1937 <p id="rfc.section.8.p. 3">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the1940 <p id="rfc.section.8.p.4">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the 1938 1941 cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use implmentation 1939 1942 flaws, elevated priviledges or other techniques to insert such a response into a cache. One common attack vector for cache 1940 1943 poisoning is to exploit differences in message parsing on proxies and in user agents; see <a href="p1-messaging.html#message.body.length" title="Message Body Length">Section 3.3.3</a> of <a href="#Part1" id="rfc.xref.Part1.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> for the relevant requirements. 1941 1944 </p> 1942 <p id="rfc.section.8.p. 
4">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information1945 <p id="rfc.section.8.p.5">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information 1943 1946 (e.g., authentication credentials) that is thought to be private, exposing it to unauthorized parties. 1944 1947 </p> 1945 <p id="rfc.section.8.p. 5">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first1948 <p id="rfc.section.8.p.6">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first 1946 1949 one browses to a site, the second may be able to detect that the other has been to that site, because the resources from it 1947 1950 load more quickly, thanks to the cache. 1948 1951 </p> 1949 <p id="rfc.section.8.p. 6">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent1952 <p id="rfc.section.8.p.7">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent 1950 1953 requests to caches. Servers who wish to control caching of these responses are encouraged to emit appropriate Cache-Control 1951 1954 response header fields. 
… … 2173 2176 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>>: "improve introduction of list rule" 2174 2177 </li> 2178 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>>: "augment security considerations with pointers to current research" 2179 </li> 2175 2180 </ul> 2176 2181 <p id="rfc.section.D.2.p.2">Partly closed issues: </p> -
draft-ietf-httpbis/latest/p6-cache.xml
r2531 r2547 2162 2162 </t> 2163 2163 <t> 2164 The list of considerations below is not exhaustive — security 2165 analysis in an ongoing activity. Various organizations, such as the 2166 "Open Web Application Security Project" (OWASP, 2167 <eref target="https://www.owasp.org/"/>), provide information about current 2168 research. 2169 </t> 2170 <t> 2164 2171 Caches expose additional potential vulnerabilities, since the contents of 2165 2172 the cache represent an attractive target for malicious exploitation. … … 2710 2717 "improve introduction of list rule" 2711 2718 </t> 2719 <t> 2720 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>: 2721 "augment security considerations with pointers to current research" 2722 </t> 2712 2723 </list> 2713 2724 </t> -
draft-ietf-httpbis/latest/p7-auth.html
r2531 r2547 448 448 } 449 449 @bottom-center { 450 content: "Expires July 7, 2014";450 content: "Expires July 19, 2014"; 451 451 } 452 452 @bottom-right { … … 488 488 <meta name="dct.creator" content="Reschke, J. F."> 489 489 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest"> 490 <meta name="dct.issued" scheme="ISO8601" content="2014-01- 03">490 <meta name="dct.issued" scheme="ISO8601" content="2014-01-15"> 491 491 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 492 492 <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework."> … … 516 516 <tr> 517 517 <td class="left">Intended status: Standards Track</td> 518 <td class="right">January 3, 2014</td>518 <td class="right">January 15, 2014</td> 519 519 </tr> 520 520 <tr> 521 <td class="left">Expires: July 7, 2014</td>521 <td class="left">Expires: July 19, 2014</td> 522 522 <td class="right"></td> 523 523 </tr> … … 546 546 in progress”. 547 547 </p> 548 <p>This Internet-Draft will expire on July 7, 2014.</p>548 <p>This Internet-Draft will expire on July 19, 2014.</p> 549 549 </div> 550 550 <div id="rfc.copyrightnotice"> … … 975 975 <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP/1.1 976 976 authentication. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>. 977 </p> 978 <p id="rfc.section.6.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. 
Various organizations, such 979 as the "Open Web Application Security Project" (OWASP, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>), provide information about current research. 977 980 </p> 978 981 <div id="auth.credentials.and.idle.clients"> … … 1177 1180 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>>: "improve introduction of list rule" 1178 1181 </li> 1182 <li><<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>>: "augment security considerations with pointers to current research" 1183 </li> 1179 1184 </ul> 1180 1185 </div> -
draft-ietf-httpbis/latest/p7-auth.xml
r2531 r2547 680 680 &messaging; and semantics &semantics;. 681 681 </t> 682 <t> 683 The list of considerations below is not exhaustive — security 684 analysis in an ongoing activity. Various organizations, such as the 685 "Open Web Application Security Project" (OWASP, 686 <eref target="https://www.owasp.org/"/>), provide information about current 687 research. 688 </t> 682 689 683 690 <section title="Authentication Credentials and Idle Clients" anchor="auth.credentials.and.idle.clients"> … … 1128 1135 "improve introduction of list rule" 1129 1136 </t> 1137 <t> 1138 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>: 1139 "augment security considerations with pointers to current research" 1140 </t> 1130 1141 </list> 1131 1142 </t>