Changeset 2547 for draft-ietf-httpbis


Timestamp:
15/01/14 17:14:38 (6 years ago)
Author:
julian.reschke@…
Message:

augment security considerations with pointers to current research (see #549)

Location:
draft-ietf-httpbis/latest
Files:
12 edited

  • draft-ietf-httpbis/latest/p1-messaging.html

    r2546 r2547  
    448448  }
    449449  @bottom-center {
    450        content: "Expires July 15, 2014";
     450       content: "Expires July 19, 2014";
    451451  }
    452452  @bottom-right {
     
    490490      <meta name="dct.creator" content="Reschke, J. F.">
    491491      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest">
    492       <meta name="dct.issued" scheme="ISO8601" content="2014-01-11">
     492      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
    493493      <meta name="dct.replaces" content="urn:ietf:rfc:2145">
    494494      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
     
    519519            <tr>
    520520               <td class="left">Intended status: Standards Track</td>
    521                <td class="right">January 11, 2014</td>
     521               <td class="right">January 15, 2014</td>
    522522            </tr>
    523523            <tr>
    524                <td class="left">Expires: July 15, 2014</td>
     524               <td class="left">Expires: July 19, 2014</td>
    525525               <td class="right"></td>
    526526            </tr>
     
    551551            in progress”.
    552552         </p>
    553          <p>This Internet-Draft will expire on July 15, 2014.</p>
     553         <p>This Internet-Draft will expire on July 19, 2014.</p>
    554554      </div>
    555555      <div id="rfc.copyrightnotice">
     
    28452845         <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP/1.1
    28462846            message syntax, parsing, and routing.
     2847         </p>
     2848         <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
     2849            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
    28472850         </p>
    28482851         <div id="dns.related.attacks">
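Review bot: the new paragraph at line 2848 has a grammatical slip, "security analysis in an ongoing activity", which should read "security analysis is an ongoing activity". Since this HTML is generated from p1-messaging.xml, the fix belongs in the XML source (the same wording appears there at line 3853) and this file should then be regenerated rather than hand-edited.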
     
    34493452               </li>
    34503453               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/544">http://tools.ietf.org/wg/httpbis/trac/ticket/544</a>&gt;: "moving 2616/2068/2145 to historic"
     3454               </li>
     3455               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
    34513456               </li>
    34523457            </ul>
  • draft-ietf-httpbis/latest/p1-messaging.xml

    r2546 r2547  
    38483848   users of known security concerns relevant to HTTP/1.1 message syntax,
    38493849   parsing, and routing.
     3850</t>
     3851<t>
     3852   The list of considerations below is not exhaustive &mdash; security
     3853   analysis in an ongoing activity. Various organizations, such as the
     3854   "Open Web Application Security Project" (OWASP,
     3855   <eref target="https://www.owasp.org/"/>), provide information about current
     3856   research.
    38503857</t>
    38513858
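Review bot: typo at line 3853, "security analysis in an ongoing activity" should be "security analysis is an ongoing activity"; this is the source for the generated p1-messaging.html, so fix it here and regenerate. Also consider whether naming a single organization (OWASP) in a Standards Track document is the intent, or whether the sentence should be phrased so that the OWASP pointer is one example among several ("such as" already hedges this, so it may be fine as written).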
     
    54635470      "moving 2616/2068/2145 to historic"
    54645471    </t>
     5472    <t>
     5473      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
     5474      "augment security considerations with pointers to current research"
     5475    </t>
    54655476  </list>
    54665477</t>
  • draft-ietf-httpbis/latest/p2-semantics.html

    r2542 r2547  
    448448  }
    449449  @bottom-center {
    450        content: "Expires July 12, 2014";
     450       content: "Expires July 19, 2014";
    451451  }
    452452  @bottom-right {
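Review bot: this file (p2-semantics.html) is touched only for the issue/expiry date bump (r2542 to r2547), yet the regenerated output further down also contains a series of cross-reference build errors against p4-conditional.xml and p5-range.xml that were not present in r2542. If the only intended change here is the date, regenerate against current p4/p5 sources before committing, or leave p2-semantics.html out of this changeset until the anchors resolve.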
     
    493493      <meta name="dct.creator" content="Reschke, J. F.">
    494494      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p2-semantics-latest">
    495       <meta name="dct.issued" scheme="ISO8601" content="2014-01-08">
     495      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
    496496      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    497497      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header fields, along with the payload of messages (metadata and body content) and mechanisms for content negotiation.">
     
    521521            <tr>
    522522               <td class="left">Intended status: Standards Track</td>
    523                <td class="right">January 8, 2014</td>
     523               <td class="right">January 15, 2014</td>
    524524            </tr>
    525525            <tr>
    526                <td class="left">Expires: July 12, 2014</td>
     526               <td class="left">Expires: July 19, 2014</td>
    527527               <td class="right"></td>
    528528            </tr>
     
    553553            in progress”.
    554554         </p>
    555          <p>This Internet-Draft will expire on July 12, 2014.</p>
     555         <p>This Internet-Draft will expire on July 19, 2014.</p>
    556556      </div>
    557557      <div id="rfc.copyrightnotice">
     
    859859         <p id="rfc.section.3.p.3">An origin server might be provided with, or capable of generating, multiple representations that are each intended to reflect
    860860            the current state of a <a href="#resources" class="smpl">target resource</a>. In such cases, some algorithm is used by the origin server to select one of those representations as most applicable to
    861             a given request, usually based on <a href="#content.negotiation" class="smpl">content negotiation</a>. We refer to that one representation as the "<dfn>selected representation</dfn>" and use its particular data and metadata for evaluating conditional requests <a href="#Part4" id="rfc.xref.Part4.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a> and constructing the payload for <a href="#status.200" class="smpl">200 (OK)</a> and <a href="p4-conditional.html#status.304" class="smpl">304 (Not Modified)</a> responses to GET (<a href="#GET" id="rfc.xref.GET.1" title="GET">Section&nbsp;4.3.1</a>).
     861            a given request, usually based on <a href="#content.negotiation" class="smpl">content negotiation</a>. We refer to that one representation as the "<dfn>selected representation</dfn>" and use its particular data and metadata for evaluating conditional requests <a href="#Part4" id="rfc.xref.Part4.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a> and constructing the payload for <a href="#status.200" class="smpl">200 (OK)</a> and
     862            <div class="error">ERROR: Anchor '304 (Not Modified)' not found in source file 'p4-conditional.xml'. (at line 325)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">304 (Not Modified)</a> responses to GET (<a href="#GET" id="rfc.xref.GET.1" title="GET">Section&nbsp;4.3.1</a>).
    862863         </p>
    863864         <div id="representation.metadata">
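Review bot: lines 861-862 now embed a build-error marker, `<div class="error">ERROR: Anchor '304 (Not Modified)' not found in source file 'p4-conditional.xml'. (at line 325)</div>`, inside a `<p>` element, and the link has fallen back from the local `p4-conditional.html#status.304` to the tools.ietf.org draft URL. A block-level `<div>` inside `<p>` is not valid HTML, and the error text will be rendered for readers. This hunk should not go in as-is; the cross-reference needs to resolve (either the p4-conditional.xml in the working copy is stale, or the anchor was renamed there) and the file regenerated.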
     
    965966                  <p id="rfc.section.3.1.1.4.p.2">HTTP message framing does not use the multipart boundary as an indicator of message body length, though it might be used by
    966967                     implementations that generate or process the payload. For example, the "multipart/form-data" type is often used for carrying
    967                      form data in a request, as described in <a href="#RFC2388" id="rfc.xref.RFC2388.1"><cite title="Returning Values from Forms: multipart/form-data">[RFC2388]</cite></a>, and the "multipart/byteranges" type is defined by this specification for use in some <a href="p5-range.html#status.206" class="smpl">206 (Partial Content)</a> responses <a href="#Part5" id="rfc.xref.Part5.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>.
     968                     form data in a request, as described in <a href="#RFC2388" id="rfc.xref.RFC2388.1"><cite title="Returning Values from Forms: multipart/form-data">[RFC2388]</cite></a>, and the "multipart/byteranges" type is defined by this specification for use in some
     969                     <div class="error">ERROR: Anchor '206 (Partial Content)' not found in source file 'p5-range.xml'. (at line 478)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">206 (Partial Content)</a> responses <a href="#Part5" id="rfc.xref.Part5.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>.
    968970                  </p>
    969971               </div>
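Review bot: same build-error regression as above, this time for the 206 (Partial Content) anchor in p5-range.xml (lines 968-969): a `<div class="error">` is inserted mid-sentence inside the `<p>` and the link target is replaced by the external draft URL. Please regenerate once the p5-range anchor resolves.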
     
    11131115                  <p id="rfc.section.3.1.4.1.p.3">For a response message, the following rules are applied in order until a match is found: </p>
    11141116                  <ol>
    1115                      <li>If the request is GET or HEAD and the response status code is <a href="#status.200" class="smpl">200 (OK)</a>, <a href="#status.204" class="smpl">204 (No Content)</a>, <a href="p5-range.html#status.206" class="smpl">206 (Partial Content)</a>, or <a href="p4-conditional.html#status.304" class="smpl">304 (Not Modified)</a>, the payload is a representation of the resource identified by the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>).
     1117                     <li>If the request is GET or HEAD and the response status code is <a href="#status.200" class="smpl">200 (OK)</a>, <a href="#status.204" class="smpl">204 (No Content)</a>,
     1118                        <div class="error">ERROR: Anchor '206 (Partial Content)' not found in source file 'p5-range.xml'. (at line 743)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">206 (Partial Content)</a>, or
     1119                        <div class="error">ERROR: Anchor '304 (Not Modified)' not found in source file 'p4-conditional.xml'. (at line 744)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">304 (Not Modified)</a>, the payload is a representation of the resource identified by the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>).
    11161120                     </li>
    11171121                     <li>If the request is GET or HEAD and the response status code is <a href="#status.203" class="smpl">203 (Non-Authoritative Information)</a>, the payload is a potentially modified or enhanced representation of the <a href="#resources" class="smpl">target resource</a> as provided by an intermediary.
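Review bot: lines 1117-1119 place two `<div class="error">` markers inside an `<li>` of the ordered list, splitting the rule for 206 and 304 across three lines with visible error text; the `<li>` element still closes correctly, but the rendered rule is unreadable. This is the same unresolved p4/p5 anchor problem and should be regenerated rather than committed.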
     
    11901194            <h2 id="rfc.section.3.3"><a href="#rfc.section.3.3">3.3</a>&nbsp;<a href="#payload">Payload Semantics</a></h2>
    11911195            <p id="rfc.section.3.3.p.1">Some HTTP messages transfer a complete or partial representation as the message "<dfn>payload</dfn>". In some cases, a payload might contain only the associated representation's header fields (e.g., responses to HEAD) or
    1192                only some part(s) of the representation data (e.g., the <a href="p5-range.html#status.206" class="smpl">206 (Partial Content)</a> status code).
     1196               only some part(s) of the representation data (e.g., the
     1197               <div class="error">ERROR: Anchor '206 (Partial Content)' not found in source file 'p5-range.xml'. (at line 884)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">206 (Partial Content)</a> status code).
    11931198            </p>
    11941199            <p id="rfc.section.3.3.p.2">The purpose of a payload in a request is defined by the method semantics. For example, a representation in the payload of
     
    12191224                     <tr>
    12201225                        <td class="left">Content-Range</td>
    1221                         <td class="left"><a href="p5-range.html#header.content-range" title="Content-Range">Section 4.2</a> of <a href="#Part5" id="rfc.xref.Part5.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
     1226                        <td class="left"><a href="p5-range.html#header.content-range" title="ERROR: Anchor 'header.content-range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.content-range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
    12221227                     </tr>
    12231228                     <tr>
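Review bot: at line 1226 the visible link text in the Content-Range row of the header-field table has changed from "Section 4.2" to "Appendix ERROR: Anchor 'header.content-range' in Part5 not found in source file 'p5-range.xml'.", and the `title` attribute now carries the same error string. Unlike the inline `<div class="error">` cases this one is a silent text regression in a table a reader is likely to consult, so it is worth checking the whole file for the string "Appendix ERROR" after regeneration.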
     
    14751480               </p>
    14761481               <p id="rfc.section.4.3.1.p.3">A client can alter the semantics of GET to be a "range request", requesting transfer of only some part(s) of the selected
    1477                   representation, by sending a <a href="p5-range.html#header.range" class="smpl">Range</a> header field in the request (<a href="#Part5" id="rfc.xref.Part5.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>).
     1482                  representation, by sending a
     1483                  <div class="error">ERROR: Anchor 'Range' not found in source file 'p5-range.xml'. (at line 1318)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">Range</a> header field in the request (<a href="#Part5" id="rfc.xref.Part5.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>).
    14781484               </p>
    14791485               <p id="rfc.section.4.3.1.p.4">A payload within a GET request message has no defined semantics; sending a payload body on a GET request might cause some
     
    15621568                  the server.
    15631569               </p>
    1564                <p id="rfc.section.4.3.4.p.7">An origin server <em class="bcp14">MUST NOT</em> send a validator header field (<a href="#response.validator" title="Validator Header Fields">Section&nbsp;7.2</a>), such as an <a href="p4-conditional.html#header.etag" class="smpl">ETag</a> or <a href="p4-conditional.html#header.last-modified" class="smpl">Last-Modified</a> field, in a successful response to PUT unless the request's representation data was saved without any transformation applied
     1570               <p id="rfc.section.4.3.4.p.7">An origin server <em class="bcp14">MUST NOT</em> send a validator header field (<a href="#response.validator" title="Validator Header Fields">Section&nbsp;7.2</a>), such as an
     1571                  <div class="error">ERROR: Anchor 'ETag' not found in source file 'p4-conditional.xml'. (at line 1491)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">ETag</a> or
     1572                  <div class="error">ERROR: Anchor 'Last-Modified' not found in source file 'p4-conditional.xml'. (at line 1492)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">Last-Modified</a> field, in a successful response to PUT unless the request's representation data was saved without any transformation applied
    15651573                  to the body (i.e., the resource's new representation data is identical to the representation data received in the PUT request)
    15661574                  and the validator field value reflects the new representation. This requirement allows a user agent to know when the representation
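Review bot: lines 1570-1572 break the PUT validator requirement across three lines with error markers for the ETag and Last-Modified anchors in p4-conditional.xml. Note the `<em class="bcp14">MUST NOT</em>` sentence is a normative requirement; shipping it with embedded "ERROR:" text would be confusing for implementers. Regenerate once the p4 anchors resolve.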
     
    15851593                  and might also cause links to be added between the related resources.
    15861594               </p>
    1587                <p id="rfc.section.4.3.4.p.11">An origin server that allows PUT on a given target resource <em class="bcp14">MUST</em> send a <a href="#status.400" class="smpl">400 (Bad Request)</a> response to a PUT request that contains a <a href="p5-range.html#header.content-range" class="smpl">Content-Range</a> header field (<a href="p5-range.html#header.content-range" title="Content-Range">Section 4.2</a> of <a href="#Part5" id="rfc.xref.Part5.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), since the payload is likely to be partial content that has been mistakenly PUT as a full representation. Partial content
     1595               <p id="rfc.section.4.3.4.p.11">An origin server that allows PUT on a given target resource <em class="bcp14">MUST</em> send a <a href="#status.400" class="smpl">400 (Bad Request)</a> response to a PUT request that contains a
     1596                  <div class="error">ERROR: Anchor 'Content-Range' not found in source file 'p5-range.xml'. (at line 1539)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">Content-Range</a> header field (<a href="p5-range.html#header.content-range" title="ERROR: Anchor 'header.content-range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.content-range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), since the payload is likely to be partial content that has been mistakenly PUT as a full representation. Partial content
    15881597                  updates are possible by targeting a separately identified resource with state that overlaps a portion of the larger resource,
    15891598                  or by using a different method that has been specifically defined for partial updates (for example, the PATCH method defined
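Review bot: lines 1595-1596 show both failure forms at once in a single sentence: the inline `<div class="error">` for the Content-Range header anchor, followed by the "Appendix ERROR: Anchor 'header.content-range' in Part5 not found" link text where "Section 4.2" used to be. This is again a normative (`MUST`) sentence about rejecting PUT with Content-Range, so it should not be committed in this state.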
     
    17511760                     <tr>
    17521761                        <td class="left">Range</td>
    1753                         <td class="left"><a href="p5-range.html#header.range" title="Range">Section 3.1</a> of <a href="#Part5" id="rfc.xref.Part5.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
     1762                        <td class="left"><a href="p5-range.html#header.range" title="ERROR: Anchor 'header.range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
    17541763                     </tr>
    17551764                     <tr>
     
    18511860               of a comparison between a set of validators obtained from prior representations of the target resource to the current state
    18521861               of validators for the <a href="#representations" class="smpl">selected representation</a> (<a href="#response.validator" title="Validator Header Fields">Section&nbsp;7.2</a>). Hence, these preconditions evaluate whether the state of the target resource has changed since a given state known by the
    1853                client. The effect of such an evaluation depends on the method semantics and choice of conditional, as defined in <a href="p4-conditional.html#evaluation" title="Evaluation">Section 5</a> of <a href="#Part4" id="rfc.xref.Part4.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>.
     1862               client. The effect of such an evaluation depends on the method semantics and choice of conditional, as defined in <a href="p4-conditional.html#evaluation" title="ERROR: Anchor 'evaluation' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'evaluation' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>.
    18541863            </p>
    18551864            <div id="rfc.table.u.4">
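Review bot: at line 1862 the cross-reference "Section 5 of [Part4]" has become "Appendix ERROR: Anchor 'evaluation' in Part4 not found in source file 'p4-conditional.xml'." in the running text describing precondition evaluation. Same root cause as the other p4-conditional anchor failures in this file; regenerate after the source is brought up to date.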
     
    18641873                     <tr>
    18651874                        <td class="left">If-Match</td>
    1866                         <td class="left"><a href="p4-conditional.html#header.if-match" title="If-Match">Section 3.1</a> of <a href="#Part4" id="rfc.xref.Part4.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
     1875                        <td class="left"><a href="p4-conditional.html#header.if-match" title="ERROR: Anchor 'header.if-match' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-match' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
    18671876                     </tr>
    18681877                     <tr>
    18691878                        <td class="left">If-None-Match</td>
    1870                         <td class="left"><a href="p4-conditional.html#header.if-none-match" title="If-None-Match">Section 3.2</a> of <a href="#Part4" id="rfc.xref.Part4.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
     1879                        <td class="left"><a href="p4-conditional.html#header.if-none-match" title="ERROR: Anchor 'header.if-none-match' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-none-match' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
    18711880                     </tr>
    18721881                     <tr>
    18731882                        <td class="left">If-Modified-Since</td>
    1874                         <td class="left"><a href="p4-conditional.html#header.if-modified-since" title="If-Modified-Since">Section 3.3</a> of <a href="#Part4" id="rfc.xref.Part4.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
     1883                        <td class="left"><a href="p4-conditional.html#header.if-modified-since" title="ERROR: Anchor 'header.if-modified-since' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-modified-since' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
    18751884                     </tr>
    18761885                     <tr>
    18771886                        <td class="left">If-Unmodified-Since</td>
    1878                         <td class="left"><a href="p4-conditional.html#header.if-unmodified-since" title="If-Unmodified-Since">Section 3.4</a> of <a href="#Part4" id="rfc.xref.Part4.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
     1887                        <td class="left"><a href="p4-conditional.html#header.if-unmodified-since" title="ERROR: Anchor 'header.if-unmodified-since' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.if-unmodified-since' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
    18791888                     </tr>
    18801889                     <tr>
    18811890                        <td class="left">If-Range</td>
    1882                         <td class="left"><a href="p5-range.html#header.if-range" title="If-Range">Section 3.2</a> of <a href="#Part5" id="rfc.xref.Part5.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
     1891                        <td class="left"><a href="p5-range.html#header.if-range" title="ERROR: Anchor 'header.if-range' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.if-range' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
    18831892                     </tr>
    18841893                  </tbody>
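Review bot: all five rows of the precondition header-field table (If-Match, If-None-Match, If-Modified-Since, If-Unmodified-Since, If-Range; lines 1875-1891) have lost their section numbers ("Section 3.1" through "Section 3.4", and "Section 3.2" of Part5) in favour of "Appendix ERROR: Anchor ... not found" link text. The `href` values and `id="rfc.xref.Part4.N"` anchors are preserved, so the table structure is intact; only the generated link text needs a regeneration to recover.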
     
    23072316         <div id="overview.of.status.codes">
    23082317            <h2 id="rfc.section.6.1"><a href="#rfc.section.6.1">6.1</a>&nbsp;<a href="#overview.of.status.codes">Overview of Status Codes</a></h2>
    2309             <p id="rfc.section.6.1.p.1">The status codes listed below are defined in this specification, <a href="p4-conditional.html#status.code.definitions" title="Status Code Definitions">Section 4</a> of <a href="#Part4" id="rfc.xref.Part4.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>, <a href="p5-range.html#range.response" title="Responses to a Range Request">Section 4</a> of <a href="#Part5" id="rfc.xref.Part5.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>, and <a href="p7-auth.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part7" id="rfc.xref.Part7.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a>. The reason phrases listed here are only recommendations — they can be replaced by local equivalents without affecting the
     2318            <p id="rfc.section.6.1.p.1">The status codes listed below are defined in this specification, <a href="p4-conditional.html#status.code.definitions" title="ERROR: Anchor 'status.code.definitions' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'status.code.definitions' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a>, <a href="p5-range.html#range.response" title="ERROR: Anchor 'range.response' not found in p5-range.xml.">Appendix ERROR: Anchor 'range.response' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>, and <a href="p7-auth.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part7" id="rfc.xref.Part7.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Authentication">[Part7]</cite></a>. The reason phrases listed here are only recommendations — they can be replaced by local equivalents without affecting the
    23102319               protocol.
    23112320            </p>
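Review bot: line 2318 is useful diagnostically: the reference to `p7-auth.html#status.code.definitions` still renders as "Section 3 of [Part7]", while the Part4 and Part5 references in the same sentence fail with "Appendix ERROR". This narrows the problem to p4-conditional.xml and p5-range.xml specifically (stale copies or renamed anchors in those two sources) rather than to the cross-reference machinery as a whole, which should make it quicker to fix before regenerating p2-semantics.html.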
     
    23672376                        <td class="left">206</td>
    23682377                        <td class="left">Partial Content</td>
    2369                         <td id="status.206" class="left"><a href="p5-range.html#status.206" title="206 Partial Content">Section 4.1</a> of <a href="#Part5" id="rfc.xref.Part5.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
     2378                        <td id="status.206" class="left"><a href="p5-range.html#status.206" title="ERROR: Anchor 'status.206' not found in p5-range.xml.">Appendix ERROR: Anchor 'status.206' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
    23702379                     </tr>
    23712380                     <tr>
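Review bot: in the status-code table at line 2378 the 206 row keeps its `id="status.206"` attribute on the `<td>` (so in-document links to `#status.206` still work) but the visible text is now "Appendix ERROR: Anchor 'status.206' in Part5 not found" instead of "Section 4.1". The 304, 412 and 416 rows below exhibit the identical regression. Regenerate once p5-range.xml and p4-conditional.xml resolve.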
     
    23922401                        <td class="left">304</td>
    23932402                        <td class="left">Not Modified</td>
    2394                         <td id="status.304" class="left"><a href="p4-conditional.html#status.304" title="304 Not Modified">Section 4.1</a> of <a href="#Part4" id="rfc.xref.Part4.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
     2403                        <td id="status.304" class="left"><a href="p4-conditional.html#status.304" title="ERROR: Anchor 'status.304' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'status.304' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
    23952404                     </tr>
    23962405                     <tr>
     
    24672476                        <td class="left">412</td>
    24682477                        <td class="left">Precondition Failed</td>
    2469                         <td id="status.412" class="left"><a href="p4-conditional.html#status.412" title="412 Precondition Failed">Section 4.2</a> of <a href="#Part4" id="rfc.xref.Part4.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
     2478                        <td id="status.412" class="left"><a href="p4-conditional.html#status.412" title="ERROR: Anchor 'status.412' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'status.412' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
    24702479                     </tr>
    24712480                     <tr>
     
    24872496                        <td class="left">416</td>
    24882497                        <td class="left">Range Not Satisfiable</td>
    2489                         <td id="status.416" class="left"><a href="p5-range.html#status.416" title="416 Range Not Satisfiable">Section 4.4</a> of <a href="#Part5" id="rfc.xref.Part5.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
     2498                        <td id="status.416" class="left"><a href="p5-range.html#status.416" title="ERROR: Anchor 'status.416' not found in p5-range.xml.">Appendix ERROR: Anchor 'status.416' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
    24902499                     </tr>
    24912500                     <tr>
     
    26142623                  primary resource created by the request is identified by either a <a href="#header.location" class="smpl">Location</a> header field in the response or, if no <a href="#header.location" class="smpl">Location</a> field is received, by the effective request URI.
    26152624               </p>
    2616                <p id="rfc.section.6.3.2.p.2">The 201 response payload typically describes and links to the resource(s) created. See <a href="#response.validator" title="Validator Header Fields">Section&nbsp;7.2</a> for a discussion of the meaning and purpose of validator header fields, such as <a href="p4-conditional.html#header.etag" class="smpl">ETag</a> and <a href="p4-conditional.html#header.last-modified" class="smpl">Last-Modified</a>, in a 201 response.
     2625               <p id="rfc.section.6.3.2.p.2">The 201 response payload typically describes and links to the resource(s) created. See <a href="#response.validator" title="Validator Header Fields">Section&nbsp;7.2</a> for a discussion of the meaning and purpose of validator header fields, such as
     2626                  <div class="error">ERROR: Anchor 'ETag' not found in source file 'p4-conditional.xml'. (at line 2866)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">ETag</a> and
     2627                  <div class="error">ERROR: Anchor 'Last-Modified' not found in source file 'p4-conditional.xml'. (at line 2866)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">Last-Modified</a>, in a 201 response.
    26172628               </p>
    26182629            </div>
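Review bot: the two `<div class="error">` elements are emitted inside `<p id="rfc.section.6.3.2.p.2">`, which is a block element inside a paragraph and not valid HTML; browsers will close the paragraph early and the error banners will display in the published text. The ETag and Last-Modified links also now point at the generic draft URL instead of the header.etag and header.last-modified anchors. Regenerate once the Part4 lookup is fixed rather than committing this output.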
     
    26502661                  in the response payload body. Metadata in the response header fields refer to the <a href="#resources" class="smpl">target resource</a> and its <a href="#representations" class="smpl">selected representation</a> after the requested action was applied.
    26512662               </p>
    2652                <p id="rfc.section.6.3.5.p.2">For example, if a 204 status code is received in response to a PUT request and the response contains an <a href="p4-conditional.html#header.etag" class="smpl">ETag</a> header field, then the PUT was successful and the ETag field-value contains the entity-tag for the new representation of that
     2663               <p id="rfc.section.6.3.5.p.2">For example, if a 204 status code is received in response to a PUT request and the response contains an
     2664                  <div class="error">ERROR: Anchor 'ETag' not found in source file 'p4-conditional.xml'. (at line 2929)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">ETag</a> header field, then the PUT was successful and the ETag field-value contains the entity-tag for the new representation of that
    26532665                  target resource.
    26542666               </p>
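Review bot: same invalid structure here, an error `<div>` inside `<p id="rfc.section.6.3.5.p.2">`, and the ETag link degrades to the whole-draft URL. Nothing in the prose of this paragraph changed, so this hunk should disappear entirely once the HTML is regenerated with a working Part4 lookup.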
     
    27052717               </li>
    27062718               <li>
    2707                   <p>Redirection to a previously cached result, as in the <a href="p4-conditional.html#status.304" class="smpl">304 (Not Modified)</a> status code.
     2719                  <p>Redirection to a previously cached result, as in the
     2720                     <div class="error">ERROR: Anchor '304 (Not Modified)' not found in source file 'p4-conditional.xml'. (at line 3036)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional-latest" class="smpl">304 (Not Modified)</a> status code.
    27082721                  </p>
    27092722               </li>
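Review bot: the 304 (Not Modified) reference in this list item is replaced by an error `<div>` inside the `<p>`, with the link now targeting the draft as a whole instead of p4-conditional.html#status.304. Same root cause as the other Part4 lookups in this file; regenerate rather than commit.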
     
    33383351                     <tr>
    33393352                        <td class="left">ETag</td>
    3340                         <td class="left"><a href="p4-conditional.html#header.etag" title="ETag">Section 2.3</a> of <a href="#Part4" id="rfc.xref.Part4.13"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
     3353                        <td class="left"><a href="p4-conditional.html#header.etag" title="ERROR: Anchor 'header.etag' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.etag' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.13"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
    33413354                     </tr>
    33423355                     <tr>
    33433356                        <td class="left">Last-Modified</td>
    3344                         <td class="left"><a href="p4-conditional.html#header.last-modified" title="Last-Modified">Section 2.2</a> of <a href="#Part4" id="rfc.xref.Part4.14"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
     3357                        <td class="left"><a href="p4-conditional.html#header.last-modified" title="ERROR: Anchor 'header.last-modified' not found in p4-conditional.xml.">Appendix ERROR: Anchor 'header.last-modified' in Part4 not found in source file 'p4-conditional.xml'.</a> of <a href="#Part4" id="rfc.xref.Part4.14"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests">[Part4]</cite></a></td>
    33453358                     </tr>
    33463359                  </tbody>
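Review bot: the header field table loses its "Section 2.3" and "Section 2.2" pointers for ETag and Last-Modified and shows resolver error text in the cells instead. The anchors in the hrefs are unchanged, so this is the same Part4 lookup failure; the table should be regenerated, not committed with error text.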
     
    33893402                     <tr>
    33903403                        <td class="left">Accept-Ranges</td>
    3391                         <td class="left"><a href="p5-range.html#header.accept-ranges" title="Accept-Ranges">Section 2.3</a> of <a href="#Part5" id="rfc.xref.Part5.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
     3404                        <td class="left"><a href="p5-range.html#header.accept-ranges" title="ERROR: Anchor 'header.accept-ranges' not found in p5-range.xml.">Appendix ERROR: Anchor 'header.accept-ranges' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a></td>
    33923405                     </tr>
    33933406                     <tr>
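Review bot: the Accept-Ranges row shows error text in place of "Section 2.3 of [Part5]", with the href still targeting p5-range.html#header.accept-ranges. Same Part5 lookup failure as the 416 row; regenerate.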
     
    41384151            semantics and its use for transferring information over the Internet. Considerations related to message syntax, parsing, and
    41394152            routing are discussed in <a href="p1-messaging.html#security.considerations" title="Security Considerations">Section 9</a> of <a href="#Part1" id="rfc.xref.Part1.42"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>.
     4153         </p>
     4154         <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
     4155            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
    41404156         </p>
    41414157         <div id="attack.pathname">
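Review bot: typo in the new paragraph: "security analysis in an ongoing activity" should read "security analysis is an ongoing activity". This text is generated from the XML, where the same sentence is added to every part in this changeset, so fix it in the sources and regenerate rather than patching the HTML.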
     
    44984514               fold long lines. MHTML messages being transported by HTTP follow all conventions of MHTML, including line length limitations
    44994515               and folding, canonicalization, etc., since HTTP transfers message-bodies as payload and, aside from the "multipart/byteranges"
    4500                type (<a href="p5-range.html#internet.media.type.multipart.byteranges" title="Internet Media Type multipart/byteranges">Appendix A</a> of <a href="#Part5" id="rfc.xref.Part5.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), does not interpret the content or any MIME header lines that might be contained therein.
     4516               type (<a href="p5-range.html#internet.media.type.multipart.byteranges" title="ERROR: Anchor 'internet.media.type.multipart.byteranges' not found in p5-range.xml.">Appendix ERROR: Anchor 'internet.media.type.multipart.byteranges' in Part5 not found in source file 'p5-range.xml'.</a> of <a href="#Part5" id="rfc.xref.Part5.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Range Requests">[Part5]</cite></a>), does not interpret the content or any MIME header lines that might be contained therein.
    45014517            </p>
    45024518         </div>
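Review bot: the multipart/byteranges pointer degrades from "Appendix A of [Part5]" to resolver error text while the href still targets the internet.media.type.multipart.byteranges anchor. Same Part5 lookup failure; regenerate.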
     
    45224538         <p id="rfc.section.B.p.6">To be consistent with the method-neutral parsing algorithm of <a href="#Part1" id="rfc.xref.Part1.45"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>, the definition of GET has been relaxed so that requests can have a body, even though a body has no meaning for GET. (<a href="#GET" id="rfc.xref.GET.5" title="GET">Section&nbsp;4.3.1</a>)
    45234539         </p>
    4524          <p id="rfc.section.B.p.7">Servers are no longer required to handle all Content-* header fields and use of <a href="p5-range.html#header.content-range" class="smpl">Content-Range</a> has been explicitly banned in PUT requests. (<a href="#PUT" id="rfc.xref.PUT.4" title="PUT">Section&nbsp;4.3.4</a>)
     4540         <p id="rfc.section.B.p.7">Servers are no longer required to handle all Content-* header fields and use of
     4541            <div class="error">ERROR: Anchor 'Content-Range' not found in source file 'p5-range.xml'. (at line 5924)</div><a href="http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-latest" class="smpl">Content-Range</a> has been explicitly banned in PUT requests. (<a href="#PUT" id="rfc.xref.PUT.4" title="PUT">Section&nbsp;4.3.4</a>)
    45254542         </p>
    45264543         <p id="rfc.section.B.p.8">Definition of the CONNECT method has been moved from <a href="#RFC2817" id="rfc.xref.RFC2817.2"><cite title="Upgrading to TLS Within HTTP/1.1">[RFC2817]</cite></a> to this specification. (<a href="#CONNECT" id="rfc.xref.CONNECT.3" title="CONNECT">Section&nbsp;4.3.6</a>)
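Review bot: an error `<div>` is emitted inside `<p id="rfc.section.B.p.7">`, and the Content-Range link now points at the whole Part5 draft instead of p5-range.html#header.content-range. Invalid HTML plus a lost cross-reference, from the same Part5 lookup failure; regenerate before committing.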
     
    47594776               </li>
    47604777               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/546">http://tools.ietf.org/wg/httpbis/trac/ticket/546</a>&gt;: "considerations for new headers: privacy"
     4778               </li>
     4779               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
    47614780               </li>
    47624781            </ul>
     
    49905009                  </li>
    49915010                  <li><em>Part4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.1">3</a>, <a href="#rfc.xref.Part4.2">4.1</a>, <a href="#rfc.xref.Part4.3">5.2</a>, <a href="#rfc.xref.Part4.4">5.2</a>, <a href="#rfc.xref.Part4.5">5.2</a>, <a href="#rfc.xref.Part4.6">5.2</a>, <a href="#rfc.xref.Part4.7">5.2</a>, <a href="#rfc.xref.Part4.8">5.2</a>, <a href="#rfc.xref.Part4.9">6.1</a>, <a href="#rfc.xref.Part4.10">6.1</a>, <a href="#rfc.xref.Part4.11">6.1</a>, <a href="#rfc.xref.Part4.12">7.2</a>, <a href="#rfc.xref.Part4.13">7.2</a>, <a href="#rfc.xref.Part4.14">7.2</a>, <a href="#Part4"><b>11.1</b></a><ul>
    4992                         <li><em>Section 2.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.14">7.2</a></li>
    4993                         <li><em>Section 2.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.13">7.2</a></li>
    4994                         <li><em>Section 3.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.5">5.2</a></li>
    4995                         <li><em>Section 3.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.6">5.2</a></li>
    4996                         <li><em>Section 3.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.7">5.2</a></li>
    4997                         <li><em>Section 3.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.8">5.2</a></li>
    4998                         <li><em>Section 4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.9">6.1</a></li>
    4999                         <li><em>Section 4.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.10">6.1</a></li>
    5000                         <li><em>Section 4.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.11">6.1</a></li>
    5001                         <li><em>Section 5</em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.4">5.2</a></li>
     5011                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.4">5.2</a></li>
     5012                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.5">5.2</a></li>
     5013                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.6">5.2</a></li>
     5014                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.7">5.2</a></li>
     5015                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.8">5.2</a></li>
     5016                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.9">6.1</a></li>
     5017                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.10">6.1</a></li>
     5018                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.11">6.1</a></li>
     5019                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.13">7.2</a></li>
     5020                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part4.14">7.2</a></li>
    50025021                     </ul>
    50035022                  </li>
    50045023                  <li><em>Part5</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.1">3.1.1.4</a>, <a href="#rfc.xref.Part5.2">3.3</a>, <a href="#rfc.xref.Part5.3">4.3.1</a>, <a href="#rfc.xref.Part5.4">4.3.4</a>, <a href="#rfc.xref.Part5.5">5.1</a>, <a href="#rfc.xref.Part5.6">5.2</a>, <a href="#rfc.xref.Part5.7">6.1</a>, <a href="#rfc.xref.Part5.8">6.1</a>, <a href="#rfc.xref.Part5.9">6.1</a>, <a href="#rfc.xref.Part5.10">7.4</a>, <a href="#rfc.xref.Part5.11">8.1.2</a>, <a href="#Part5"><b>11.1</b></a>, <a href="#rfc.xref.Part5.12">A.6</a><ul>
    5005                         <li><em>Section 2.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.10">7.4</a></li>
    5006                         <li><em>Section 3.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.5">5.1</a></li>
    5007                         <li><em>Section 3.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.6">5.2</a></li>
    5008                         <li><em>Section 4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.7">6.1</a></li>
    5009                         <li><em>Section 4.1</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.8">6.1</a></li>
    5010                         <li><em>Section 4.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.2">3.3</a>, <a href="#rfc.xref.Part5.4">4.3.4</a></li>
    5011                         <li><em>Section 4.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.9">6.1</a></li>
    5012                         <li><em>Appendix A</em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.12">A.6</a></li>
     5024                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.2">3.3</a>, <a href="#rfc.xref.Part5.4">4.3.4</a></li>
     5025                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.5">5.1</a></li>
     5026                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.6">5.2</a></li>
     5027                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.7">6.1</a></li>
     5028                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.8">6.1</a></li>
     5029                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.9">6.1</a></li>
     5030                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.10">7.4</a></li>
     5031                        <li><em>Appendix </em>&nbsp;&nbsp;<a href="#rfc.xref.Part5.12">A.6</a></li>
    50135032                     </ul>
    50145033                  </li>
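Review bot: the index under Part4 and Part5 drops the "Section 2.2", "Section 2.3", "Section 3.1" ... "Section 5" and "Appendix A" entries and replaces them with a run of "Appendix " entries that have no letter and each carry only one back-reference, so a reader can no longer tell which section of the other part is being cited. This is the same failed cross-file lookup surfacing in the index; regenerating the HTML should restore the original entries.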
  • draft-ietf-httpbis/latest/p2-semantics.xml

    r2542 r2547  
    49154915   &p1-security-considerations;.
    49164916</t>
     4917<t>
     4918   The list of considerations below is not exhaustive &mdash; security
     4919   analysis in an ongoing activity. Various organizations, such as the
     4920   "Open Web Application Security Project" (OWASP,
     4921   <eref target="https://www.owasp.org/"/>), provide information about current
     4922   research.
     4923</t>
    49174924
    49184925<section title="Attacks Based On File and Path Names" anchor="attack.pathname">
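Review bot: typo in the new `<t>`: "security analysis in an ongoing activity" should be "security analysis is an ongoing activity". The same sentence is added to p4-conditional.xml, p5-range.xml and p6-cache.xml in this changeset, so keep the four copies identical when correcting it.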
     
    62786285      "considerations for new headers: privacy"
    62796286    </t>
     6287    <t>
     6288      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
     6289      "augment security considerations with pointers to current research"
     6290    </t>
    62806291  </list>
    62816292</t>
  • draft-ietf-httpbis/latest/p4-conditional.html

    r2531 r2547  
    448448  }
    449449  @bottom-center {
    450        content: "Expires July 7, 2014";
     450       content: "Expires July 19, 2014";
    451451  }
    452452  @bottom-right {
     
    491491      <meta name="dct.creator" content="Reschke, J. F.">
    492492      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p4-conditional-latest">
    493       <meta name="dct.issued" scheme="ISO8601" content="2014-01-03">
     493      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
    494494      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    495495      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP/1.1 conditional requests, including metadata header fields for indicating state changes, request header fields for making preconditions on such state, and rules for constructing the responses to a conditional request when one or more preconditions evaluate to false.">
     
    517517            </tr>
    518518            <tr>
    519                <td class="left">Expires: July 7, 2014</td>
    520                <td class="right">January 3, 2014</td>
     519               <td class="left">Expires: July 19, 2014</td>
     520               <td class="right">January 15, 2014</td>
    521521            </tr>
    522522         </tbody>
     
    546546            in progress”.
    547547         </p>
    548          <p>This Internet-Draft will expire on July 7, 2014.</p>
     548         <p>This Internet-Draft will expire on July 19, 2014.</p>
    549549      </div>
    550550      <div id="rfc.copyrightnotice">
     
    13111311            conditional request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
    13121312         </p>
    1313          <p id="rfc.section.8.p.2">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious
     1313         <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
     1314            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
     1315         </p>
     1316         <p id="rfc.section.8.p.3">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious
    13141317            changes, or detect man-in-the-middle attacks. At best, they enable more efficient cache updates and optimistic concurrent
    13151318            writes when all participants are behaving nicely. At worst, the conditions will fail and the client will receive a response
    13161319            that is no more harmful than an HTTP exchange without conditional requests.
    13171320         </p>
    1318          <p id="rfc.section.8.p.3">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically
     1321         <p id="rfc.section.8.p.4">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically
    13191322            invalid entity-tag that is unique to the user or user agent, send it in a cacheable response with a long freshness time, and
    13201323            then read that entity-tag in later conditional requests as a means of re-identifying that user or user agent. Such an identifying
     
    14661469               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>&gt;: "improve introduction of list rule"
    14671470               </li>
     1471               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
     1472               </li>
    14681473            </ul>
    14691474         </div>
  • draft-ietf-httpbis/latest/p4-conditional.xml

    r2531 r2547  
    1515  <!ENTITY ID-MONTH "January">
    1616  <!ENTITY ID-YEAR "2014">
     17  <!ENTITY mdash "&#8212;">
    1718  <!ENTITY Note "<x:h xmlns:x='http://purl.org/net/xml2rfc/ext'>Note:</x:h>">
    1819  <!ENTITY architecture               "<xref target='Part1' x:rel='#architecture' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
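Review bot: declaring `mdash` as `&#8212;` in the internal DTD subset is fine on its own, but the regenerated HTML in this same changeset fails to resolve every anchor that lives in p4-conditional.xml, and this declaration is the only change to the file's prolog. Confirm the build tool still reads this file cleanly after the DTD change before relying on the rendered output.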
     
    12391240</t>
    12401241<t>
     1242   The list of considerations below is not exhaustive &mdash; security
     1243   analysis in an ongoing activity. Various organizations, such as the
     1244   "Open Web Application Security Project" (OWASP,
     1245   <eref target="https://www.owasp.org/"/>), provide information about current
     1246   research.
     1247</t>
     1248<t>
    12411249   The validators defined by this specification are not intended to ensure
    12421250   the validity of a representation, guard against malicious changes, or
     
    15971605      "improve introduction of list rule"
    15981606    </t>
     1607    <t>
     1608      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
     1609      "augment security considerations with pointers to current research"
     1610    </t>
    15991611  </list>
    16001612</t>
  • draft-ietf-httpbis/latest/p5-range.html

    r2531 r2547  
    448448  }
    449449  @bottom-center {
    450        content: "Expires July 7, 2014";
     450       content: "Expires July 19, 2014";
    451451  }
    452452  @bottom-right {
     
    491491      <meta name="dct.creator" content="Reschke, J. F.">
    492492      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p5-range-latest">
    493       <meta name="dct.issued" scheme="ISO8601" content="2014-01-03">
     493      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
    494494      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    495495      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines range requests and the rules for constructing and combining responses to those requests.">
     
    517517            </tr>
    518518            <tr>
    519                <td class="left">Expires: July 7, 2014</td>
     519               <td class="left">Expires: July 19, 2014</td>
    520520               <td class="right">J. Reschke, Editor</td>
    521521            </tr>
     
    526526            <tr>
    527527               <td class="left"></td>
    528                <td class="right">January 3, 2014</td>
     528               <td class="right">January 15, 2014</td>
    529529            </tr>
    530530         </tbody>
     
    552552            in progress”.
    553553         </p>
    554          <p>This Internet-Draft will expire on July 7, 2014.</p>
     554         <p>This Internet-Draft will expire on July 19, 2014.</p>
    555555      </div>
    556556      <div id="rfc.copyrightnotice">
     
    11671167         <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP/1.1
    11681168            range request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
     1169         </p>
     1170         <p id="rfc.section.6.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
     1171            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
    11691172         </p>
    11701173         <div id="overlapping.ranges">
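Review bot: same typo as in the other parts, "in an ongoing activity" for "is an ongoing activity"; fix in p5-range.xml and regenerate. The paragraph is otherwise placed correctly, between the general pointer to Parts 1 and 2 and the first attack-specific subsection.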
     
    14051408               </li>
    14061409               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>&gt;: "improve introduction of list rule"
     1410               </li>
     1411               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
    14071412               </li>
    14081413            </ul>
  • draft-ietf-httpbis/latest/p5-range.xml

    r2531 r2547  
    1515  <!ENTITY ID-MONTH "January">
    1616  <!ENTITY ID-YEAR "2014">
     17  <!ENTITY mdash "&#8212;">
    1718  <!ENTITY Note "<x:h xmlns:x='http://purl.org/net/xml2rfc/ext'>Note:</x:h>">
    1819  <!ENTITY architecture               "<xref target='Part1' x:rel='#architecture' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
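Review bot: as with p4-conditional.xml, this `mdash` entity declaration is the only prolog change to a file whose anchors the regenerated HTML in this changeset can no longer resolve (Part5 references to status.416, header.accept-ranges, header.content-range and the multipart/byteranges appendix). Verify the file parses under the build before trusting the generated output.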
     
    10481049   in HTTP messaging &messaging; and semantics &semantics;.
    10491050</t>
     1051<t>
     1052   The list of considerations below is not exhaustive &mdash; security
     1053   analysis in an ongoing activity. Various organizations, such as the
     1054   "Open Web Application Security Project" (OWASP,
     1055   <eref target="https://www.owasp.org/"/>), provide information about current
     1056   research.
     1057</t>
    10501058
    10511059<section title="Denial of Service Attacks using Range" anchor="overlapping.ranges">
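Review bot: "security analysis in an ongoing activity" should read "is an ongoing activity" in this `<t>` as well; keep the wording identical to the copies in p2-semantics.xml, p4-conditional.xml and p6-cache.xml.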
     
    15491557      "improve introduction of list rule"
    15501558    </t>
     1559    <t>
     1560      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
     1561      "augment security considerations with pointers to current research"
     1562    </t>
    15511563  </list>
    15521564</t>
  • draft-ietf-httpbis/latest/p6-cache.html

    r2531 r2547  
    451451  }
    452452  @bottom-center {
    453        content: "Expires July 7, 2014";
     453       content: "Expires July 19, 2014";
    454454  }
    455455  @bottom-right {
     
    495495      <meta name="dct.creator" content="Reschke, J. F.">
    496496      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p6-cache-latest">
    497       <meta name="dct.issued" scheme="ISO8601" content="2014-01-03">
     497      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
    498498      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    499499      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.">
     
    521521            </tr>
    522522            <tr>
    523                <td class="left">Expires: July 7, 2014</td>
     523               <td class="left">Expires: July 19, 2014</td>
    524524               <td class="right">J. Reschke, Editor</td>
    525525            </tr>
     
    530530            <tr>
    531531               <td class="left"></td>
    532                <td class="right">January 3, 2014</td>
     532               <td class="right">January 15, 2014</td>
    533533            </tr>
    534534         </tbody>
     
    557557            in progress”.
    558558         </p>
    559          <p>This Internet-Draft will expire on July 7, 2014.</p>
     559         <p>This Internet-Draft will expire on July 19, 2014.</p>
    560560      </div>
    561561      <div id="rfc.copyrightnotice">
     
    19301930            caching. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
    19311931         </p>
    1932          <p id="rfc.section.8.p.2">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious
     1932         <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
     1933            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
     1934         </p>
     1935         <p id="rfc.section.8.p.3">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious
    19331936            exploitation. Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information
    19341937            long after a user believes that the information has been removed from the network. Therefore, cache contents need to be protected
    19351938            as sensitive information.
    19361939         </p>
    1937          <p id="rfc.section.8.p.3">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the
     1940         <p id="rfc.section.8.p.4">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the
    19381941            cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use implmentation
    19391942            flaws, elevated priviledges or other techniques to insert such a response into a cache. One common attack vector for cache
    19401943            poisoning is to exploit differences in message parsing on proxies and in user agents; see <a href="p1-messaging.html#message.body.length" title="Message Body Length">Section 3.3.3</a> of <a href="#Part1" id="rfc.xref.Part1.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> for the relevant requirements.
    19411944         </p>
    1942          <p id="rfc.section.8.p.4">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
     1945         <p id="rfc.section.8.p.5">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
    19431946            (e.g., authentication credentials) that is thought to be private, exposing it to unauthorized parties.
    19441947         </p>
    1945          <p id="rfc.section.8.p.5">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first
     1948         <p id="rfc.section.8.p.6">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first
    19461949            one browses to a site, the second may be able to detect that the other has been to that site, because the resources from it
    19471950            load more quickly, thanks to the cache.
    19481951         </p>
    1949          <p id="rfc.section.8.p.6">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent
     1952         <p id="rfc.section.8.p.7">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent
    19501953            requests to caches. Servers who wish to control caching of these responses are encouraged to emit appropriate Cache-Control
    19511954            response header fields.
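Review bot: the context line at the top of this hunk ("use implmentation flaws, elevated priviledges or other techniques") carries two misspellings, "implmentation" for "implementation" and "priviledges" for "privileges", that are worth fixing while this paragraph block is being touched; this hunk only renumbers p.4 through p.7 to make room for the new paragraph, and since the HTML is generated output the correction belongs in p6-cache.xml, from which this file is regenerated.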
     
    21732176               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>&gt;: "improve introduction of list rule"
    21742177               </li>
     2178               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
     2179               </li>
    21752180            </ul>
    21762181            <p id="rfc.section.D.2.p.2">Partly closed issues: </p>
  • draft-ietf-httpbis/latest/p6-cache.xml

    r2531 r2547  
    21622162</t>
    21632163<t>
     2164   The list of considerations below is not exhaustive &mdash; security
     2165   analysis in an ongoing activity. Various organizations, such as the
     2166   "Open Web Application Security Project" (OWASP,
     2167   <eref target="https://www.owasp.org/"/>), provide information about current
     2168   research.
     2169</t>
     2170<t>
    21642171   Caches expose additional potential vulnerabilities, since the contents of
    21652172   the cache represent an attractive target for malicious exploitation.
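Review bot: the added paragraph (new lines 2164-2168) has a grammatical slip: "security analysis in an ongoing activity" should read "security analysis is an ongoing activity". The same paragraph is added word for word to p7-auth.xml in this changeset, so either fix both copies together or consider factoring the text into a shared entity, as the drafts already do for references such as &messaging; and &semantics;, so the two copies cannot drift apart in later edits.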
     
    27102717      "improve introduction of list rule"
    27112718    </t>
     2719    <t>
     2720      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
     2721      "augment security considerations with pointers to current research"
     2722    </t>
    27122723  </list>
    27132724</t>
  • draft-ietf-httpbis/latest/p7-auth.html

    r2531 r2547  
    448448  }
    449449  @bottom-center {
    450        content: "Expires July 7, 2014";
     450       content: "Expires July 19, 2014";
    451451  }
    452452  @bottom-right {
     
    488488      <meta name="dct.creator" content="Reschke, J. F.">
    489489      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
    490       <meta name="dct.issued" scheme="ISO8601" content="2014-01-03">
     490      <meta name="dct.issued" scheme="ISO8601" content="2014-01-15">
    491491      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    492492      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework.">
     
    516516            <tr>
    517517               <td class="left">Intended status: Standards Track</td>
    518                <td class="right">January 3, 2014</td>
     518               <td class="right">January 15, 2014</td>
    519519            </tr>
    520520            <tr>
    521                <td class="left">Expires: July 7, 2014</td>
     521               <td class="left">Expires: July 19, 2014</td>
    522522               <td class="right"></td>
    523523            </tr>
     
    546546            in progress”.
    547547         </p>
    548          <p>This Internet-Draft will expire on July 7, 2014.</p>
     548         <p>This Internet-Draft will expire on July 19, 2014.</p>
    549549      </div>
    550550      <div id="rfc.copyrightnotice">
     
    975975         <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP/1.1
    976976            authentication. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
     977         </p>
     978         <p id="rfc.section.6.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
     979            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
    977980         </p>
    978981         <div id="auth.credentials.and.idle.clients">
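Review bot: the new rendered paragraph (line 978) reproduces the "security analysis in an ongoing activity" slip ("is an ongoing activity") from the XML source; since this HTML is regenerated from p7-auth.xml, the wording should be corrected there rather than here, or the slip will come back on the next build.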
     
    11771180               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/542">http://tools.ietf.org/wg/httpbis/trac/ticket/542</a>&gt;: "improve introduction of list rule"
    11781181               </li>
     1182               <li>&lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/549">http://tools.ietf.org/wg/httpbis/trac/ticket/549</a>&gt;: "augment security considerations with pointers to current research"
     1183               </li>
    11791184            </ul>
    11801185         </div>
  • draft-ietf-httpbis/latest/p7-auth.xml

    r2531 r2547  
    680680   &messaging; and semantics &semantics;.
    681681</t>
     682<t>
     683   The list of considerations below is not exhaustive &mdash; security
     684   analysis in an ongoing activity. Various organizations, such as the
     685   "Open Web Application Security Project" (OWASP,
     686   <eref target="https://www.owasp.org/"/>), provide information about current
     687   research.
     688</t>
    682689
    683690<section title="Authentication Credentials and Idle Clients" anchor="auth.credentials.and.idle.clients">
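Review bot: the added text (new lines 682-688) should read "security analysis is an ongoing activity", not "in an ongoing activity". This paragraph is a verbatim copy of the one added to p6-cache.xml in this same changeset, so the correction has to be applied to both files, or the text moved to a shared entity so a single fix covers every draft that carries it.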
     
    11281135      "improve introduction of list rule"
    11291136    </t>
     1137    <t>
     1138      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/549"/>:
     1139      "augment security considerations with pointers to current research"
     1140    </t>
    11301141  </list>
    11311142</t>