Changeset 647 for draft-ietf-httpbis/latest/p1-messaging.xml

Timestamp:

28/07/09 15:02:09 (13 years ago)

Author:

fielding@…

Message:

first pass at cleaning up message parsing definition: header fields.

File:

• draft-ietf-httpbis/latest/p1-messaging.xml (modified) (14 diffs)

draft-ietf-httpbis/latest/p1-messaging.xml

@@ -427 +427 @@
                  ; "bad" whitespace
   <x:ref>obs-fold</x:ref>       = <x:ref>CRLF</x:ref>
-                 ; see <xref target="message.headers"/>
+                 ; see <xref target="header.fields"/>
 </artwork></figure>
 <t anchor="rule.token.separators">
@@ -1019 +1019 @@
 
 <section title="HTTP Message" anchor="http.message">
-
-<section title="Message Types" anchor="message.types">
-  <x:anchor-alias value="generic-message"/>
-  <x:anchor-alias value="HTTP-message"/>
-  <x:anchor-alias value="start-line"/>
-<t>
-   HTTP messages consist of requests from client to server and responses
-   from server to client.
+<x:anchor-alias value="generic-message"/>
+<x:anchor-alias value="message.types"/>
+<x:anchor-alias value="HTTP-message"/>
+<x:anchor-alias value="start-line"/>
+<iref item="header section"/>
+<iref item="headers"/>
+<iref item="header field"/>
+<t>
+   All HTTP/1.1 messages consist of a start-line followed by a sequence of
+   characters in a format similar to the Internet Message Format
+   <xref target="RFC5322"/>: zero or more header fields (collectively
+   referred to as the "headers" or the "header section"), an empty line
+   indicating the end of the header section, and an optional message-body.
+</t>
+<t>
+   An HTTP message can either be a request from client to server or a
+   response from server to client.  Syntactically, the two types of message
+   differ only in the start-line, which is either a Request-Line (for requests)
+   or a Status-Line (for responses), and in the algorithm for determining
+   the length of the message-body (<xref target="message.length"/>).
+   In theory, a client could receive requests and a server could receive
+   responses, distinguishing them by their different start-line formats,
+   but in practice servers are implemented to only expect a request
+   (a response is interpreted as an unknown or invalid request method)
+   and clients are implemented to only expect a response.
 </t>
 <figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="HTTP-message"/>
-  <x:ref>HTTP-message</x:ref>   = <x:ref>Request</x:ref> / <x:ref>Response</x:ref>     ; HTTP/1.1 messages
-</artwork></figure>
-<t>
-   Request (<xref target="request"/>) and Response (<xref target="response"/>) messages use the generic
-   message format of <xref target="RFC5322"/> for transferring entities (the payload
-   of the message). Both types of message consist of a start-line, zero
-   or more header fields (also known as "headers"), an empty line (i.e.,
-   a line with nothing preceding the CRLF) indicating the end of the
-   header fields, and possibly a message-body.
-</t>
-<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="generic-message"/><iref primary="true" item="Grammar" subitem="start-line"/>
-  <x:ref>generic-message</x:ref> = <x:ref>start-line</x:ref>
-                    *( <x:ref>message-header</x:ref> <x:ref>CRLF</x:ref> )
+  <x:ref>HTTP-message</x:ref>    = <x:ref>start-line</x:ref>
+                    *( <x:ref>header-field</x:ref> <x:ref>CRLF</x:ref> )
                     <x:ref>CRLF</x:ref>
                     [ <x:ref>message-body</x:ref> ]
   <x:ref>start-line</x:ref>      = <x:ref>Request-Line</x:ref> / <x:ref>Status-Line</x:ref>
 </artwork></figure>
-<t>
-   In the interest of robustness, servers &SHOULD; ignore any empty
-   line(s) received where a Request-Line is expected. In other words, if
-   the server is reading the protocol stream at the beginning of a
-   message and receives a CRLF first, it should ignore the CRLF.
-</t>
-<t>
-   Certain buggy HTTP/1.0 client implementations generate extra CRLF's
-   after a POST request. To restate what is explicitly forbidden by the
-   BNF, an HTTP/1.1 client &MUST-NOT; preface or follow a request with an
-   extra CRLF.
-</t>
 <t>
    Whitespace (WSP) &MUST-NOT; be sent between the start-line and the first
@@ -1067 +1061 @@
    with a 400 (Bad Request) response.
 </t>
-</section>
-
-<section title="Message Headers" anchor="message.headers">
+
+<section title="Message Parsing Robustness" anchor="message.robustness">
+<t>
+   In the interest of robustness, servers &SHOULD; ignore at least one
+   empty line received where a Request-Line is expected. In other words, if
+   the server is reading the protocol stream at the beginning of a
+   message and receives a CRLF first, it should ignore the CRLF.
+</t>
+<t>
+   Some old HTTP/1.0 client implementations generate an extra CRLF
+   after a POST request as a lame workaround for some early server
+   applications that failed to read message-body content that was
+   not terminated by a line-ending. An HTTP/1.1 client &MUST-NOT;
+   preface or follow a request with an extra CRLF.  If terminating
+   the request message-body with a line-ending is desired, then the
+   client &MUST; include the terminating CRLF octets as part of the
+   message-body length. 
+</t>
+<t>
+   The normal procedure for parsing an HTTP message is to read the
+   start-line into a structure, read each header field into a hash
+   table by field name until the empty line, and then use the parsed
+   data to determine if a message-body is expected.  If a message-body
+   has been indicated, then it is read as a stream until an amount
+   of OCTETs equal to the message-length is read or the connection
+   is closed.  Care must be taken to parse an HTTP message as a sequence
+   of OCTETs in an encoding that is a superset of US-ASCII.  Attempting
+   to parse HTTP as a stream of Unicode characters in a character encoding
+   like UTF-16 may introduce security flaws due to the differing ways
+   that such parsers interpret invalid characters.
+</t>
+</section>
+
+<section title="Header Fields" anchor="header.fields">
+  <x:anchor-alias value="header-field"/>
   <x:anchor-alias value="field-content"/>
   <x:anchor-alias value="field-name"/>
   <x:anchor-alias value="field-value"/>
-  <x:anchor-alias value="message-header"/>
-<t>
-   HTTP header fields follow the same general format as Internet messages in
-   <xref target="RFC5322" x:fmt="of" x:sec="2.1"/>. Each header field consists
-   of a name followed by a colon (":"), optional whitespace, and the field
-   value. Field names are case-insensitive.
-</t>
-<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="message-header"/><iref primary="true" item="Grammar" subitem="field-name"/><iref primary="true" item="Grammar" subitem="field-value"/><iref primary="true" item="Grammar" subitem="field-content"/>
-  <x:ref>message-header</x:ref> = <x:ref>field-name</x:ref> ":" OWS [ <x:ref>field-value</x:ref> ] OWS
+  <x:anchor-alias value="OWS"/>
+<t>
+   Each HTTP header field consists of a case-insensitive field name
+   followed by a colon (":"), optional whitespace, and the field value.
+</t>
+<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="header-field"/><iref primary="true" item="Grammar" subitem="field-name"/><iref primary="true" item="Grammar" subitem="field-value"/><iref primary="true" item="Grammar" subitem="field-content"/>
+  <x:ref>header-field</x:ref>   = <x:ref>field-name</x:ref> ":" OWS [ <x:ref>field-value</x:ref> ] OWS
   <x:ref>field-name</x:ref>     = <x:ref>token</x:ref>
   <x:ref>field-value</x:ref>    = *( <x:ref>field-content</x:ref> / <x:ref>OWS</x:ref> )
@@ -1087 +1111 @@
 </artwork></figure>
 <t>
-   Historically, HTTP has allowed field-content with text in the ISO-8859-1
-   <xref target="ISO-8859-1"/> character encoding (allowing other character sets
-   through use of <xref target="RFC2047"/> encoding). In practice, most HTTP
-   header field-values use only a subset of the US-ASCII charset
-   <xref target="USASCII"/>. Newly defined header fields &SHOULD; constrain
-   their field-values to US-ASCII characters. Recipients &SHOULD; treat other
-   (obs-text) octets in field-content as opaque data.
-</t>
-<t>
-   No whitespace is allowed between the header field-name and colon. For
+   No whitespace is allowed between the header field name and colon. For
    security reasons, any request message received containing such whitespace
-   &MUST; be rejected with a response code of 400 (Bad Request) and any such
-   whitespace in a response message &MUST; be removed.
-</t>
-<t>
-   The field value &MAY; be preceded by optional whitespace; a single SP is
-   preferred. The field-value does not include any leading or trailing white
+   &MUST; be rejected with a response code of 400 (Bad Request). A proxy
+   &MUST; remove any such whitespace from a response message before
+   forwarding the message downstream.
+</t>
+<t>
+   A field value &MAY; be preceded by optional whitespace (OWS); a single SP is
+   preferred. The field value does not include any leading or trailing white
    space: OWS occurring before the first non-whitespace character of the
-   field-value or after the last non-whitespace character of the field-value
-   is ignored and &MAY; be removed without changing the meaning of the header
+   field value or after the last non-whitespace character of the field value
+   is ignored and &SHOULD; be removed without changing the meaning of the header
    field.
 </t>
+<t>
+   The order in which header fields with differing field names are
+   received is not significant. However, it is "good practice" to send
+   header fields that contain control data first, such as Host on
+   requests and Date on responses, so that implementations can decide
+   when not to handle a message as early as possible.  A server &MUST;
+   wait until the entire header section is received before interpreting
+   a request message, since later header fields might include conditionals,
+   authentication credentials, or deliberately misleading duplicate
+   header fields that would impact request processing.
+</t>
+<t>
+   Multiple header fields with the same field name &MAY; be
+   sent in a message if and only if the entire field value for that
+   header field is defined as a comma-separated list [i.e., #(values)].
+   Multiple header fields with the same field name can be combined into
+   one "field-name: field-value" pair, without changing the semantics of the
+   message, by appending each subsequent field value to the combined
+   field value in order, separated by a comma. The order in which
+   header fields with the same field name are received is therefore
+   significant to the interpretation of the combined field value;
+   a proxy &MUST-NOT; change the order of these field values when
+   forwarding a message.
+</t>
+<x:note>
+  <t>
+   <x:h>Note:</x:h> the "Set-Cookie" header as implemented in
+   practice (as opposed to how it is specified in <xref target="RFC2109"/>)
+   can occur multiple times, but does not use the list syntax, and thus cannot
+   be combined into a single line. (See Appendix A.2.3 of <xref target="Kri2001"/>
+   for details.) Also note that the Set-Cookie2 header specified in
+   <xref target="RFC2965"/> does not share this problem. 
+  </t>
+</x:note>
 <t>
    Historically, HTTP header field values could be extended over multiple
@@ -1122 +1172 @@
    or forwarding the message downstream.
 </t>
+<t>
+   Historically, HTTP has allowed field content with text in the ISO-8859-1
+   <xref target="ISO-8859-1"/> character encoding and supported other
+   character sets only through use of <xref target="RFC2047"/> encoding.
+   In practice, most HTTP header field values use only a subset of the
+   US-ASCII character encoding <xref target="USASCII"/>. Newly defined
+   header fields &SHOULD; limit their field values to US-ASCII characters.
+   Recipients &SHOULD; treat other (obs-text) octets in field content as
+   opaque data.
+</t>
 <t anchor="rule.comment">
   <x:anchor-alias value="comment"/>
@@ -1128 +1188 @@
    the comment text with parentheses. Comments are only allowed in
    fields containing "comment" as part of their field value definition.
-   In all other fields, parentheses are considered part of the field
-   value.
 </t>
 <figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="comment"/><iref primary="true" item="Grammar" subitem="ctext"/>
@@ -1136 +1194 @@
                  ; <x:ref>OWS</x:ref> / &lt;<x:ref>VCHAR</x:ref> except "(", ")", and "\"&gt; / <x:ref>obs-text</x:ref>
 </artwork></figure>
-<t>
-   The order in which header fields with differing field names are
-   received is not significant. However, it is "good practice" to send
-   general-header fields first, followed by request-header or response-header
-   fields, and ending with the entity-header fields.
-</t>
-<t>
-   Multiple message-header fields with the same field-name &MAY; be
-   present in a message if and only if the entire field-value for that
-   header field is defined as a comma-separated list [i.e., #(values)].
-   It &MUST; be possible to combine the multiple header fields into one
-   "field-name: field-value" pair, without changing the semantics of the
-   message, by appending each subsequent field-value to the first, each
-   separated by a comma. The order in which header fields with the same
-   field-name are received is therefore significant to the
-   interpretation of the combined field value, and thus a proxy &MUST-NOT;
-   change the order of these field values when a message is forwarded.
-</t>
-<x:note>
-  <t>
-   <x:h>Note:</x:h> the "Set-Cookie" header as implemented in
-   practice (as opposed to how it is specified in <xref target="RFC2109"/>)
-   can occur multiple times, but does not use the list syntax, and thus cannot
-   be combined into a single line. (See Appendix A.2.3 of <xref target="Kri2001"/>
-   for details.) Also note that the Set-Cookie2 header specified in
-   <xref target="RFC2965"/> does not share this problem. 
-  </t>
-</x:note>
   
 </section>
@@ -1194 +1224 @@
    The presence of a message-body in a request is signaled by the
    inclusion of a Content-Length or Transfer-Encoding header field in
-   the request's message-headers. 
+   the request's header fields. 
    When a request message contains both a message-body of non-zero
    length and a method that does not define any semantics for that
@@ -2371 +2401 @@
 
 
-<section title="Header Field Definitions" anchor="header.fields">
+<section title="Header Field Definitions" anchor="header.field.definitions">
 <t>
    This section defines the syntax and semantics of HTTP/1.1 header fields
@@ -4059 +4089 @@
 </t>
 <t>
-   The line terminator for message-header fields is the sequence CRLF.
+   The line terminator for header fields is the sequence CRLF.
    However, we recommend that applications, when parsing such headers,
    recognize a single LF as a line terminator and ignore the leading CR.
@@ -4297 +4327 @@
 <t>
   Require that invalid whitespace around field-names be rejected.
-  (<xref target="message.headers"/>)
+  (<xref target="header.fields"/>)
 </t>
 <t>
@@ -4387 +4417 @@
 <x:ref>HTTP-Version</x:ref> = HTTP-Prot-Name "/" 1*DIGIT "." 1*DIGIT
 <x:ref>HTTP-date</x:ref> = rfc1123-date / obs-date
-<x:ref>HTTP-message</x:ref> = Request / Response
+<x:ref>HTTP-message</x:ref> = start-line *( header-field CRLF ) CRLF [
+ message-body ]
 <x:ref>Host</x:ref> = "Host:" OWS Host-v
 <x:ref>Host-v</x:ref> = uri-host [ ":" port ]
@@ -4475 +4506 @@
 <x:ref>general-header</x:ref> = Cache-Control / Connection / Date / Pragma / Trailer
  / Transfer-Encoding / Upgrade / Via / Warning
-<x:ref>generic-message</x:ref> = start-line *( message-header CRLF ) CRLF [
- message-body ]
 
 <x:ref>hour</x:ref> = 2DIGIT
@@ -4486 +4515 @@
 <x:ref>message-body</x:ref> = entity-body /
  &lt;entity-body encoded as per Transfer-Encoding&gt;
-<x:ref>message-header</x:ref> = field-name ":" OWS [ field-value ] OWS
+<x:ref>header-field</x:ref> = field-name ":" OWS [ field-value ] OWS
 <x:ref>minute</x:ref> = 2DIGIT
 <x:ref>month</x:ref> = %x4A.61.6E ; Jan