<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc subcompact="no"?>
<?rfc rfcedstyle="yes"?>
<?rfc-ext allow-markup-in-artwork="yes" ?>
<?rfc-ext html-pretty-print="prettyprint https://cdn.rawgit.com/google/code-prettify/master/loader/run_prettify.js"?>
<!DOCTYPE rfc [
<!ENTITY mdash "—">
<!ENTITY Note "<x:h xmlns:x='http://purl.org/net/xml2rfc/ext'>Note:</x:h>">
<!ENTITY MAY "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>MAY</bcp14>">
<!ENTITY MUST "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>MUST</bcp14>">
<!ENTITY MUST-NOT "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>MUST NOT</bcp14>">
<!ENTITY OPTIONAL "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>OPTIONAL</bcp14>">
<!ENTITY RECOMMENDED "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>RECOMMENDED</bcp14>">
<!ENTITY REQUIRED "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>REQUIRED</bcp14>">
<!ENTITY SHALL "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHALL</bcp14>">
<!ENTITY SHALL-NOT "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHALL NOT</bcp14>">
<!ENTITY SHOULD "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHOULD</bcp14>">
<!ENTITY SHOULD-NOT "<bcp14 xmlns='http://purl.org/net/xml2rfc/ext'>SHOULD NOT</bcp14>">
]>
<rfc xmlns:x="http://purl.org/net/xml2rfc/ext" xmlns:ed="http://greenbytes.de/2002/rfcedit" ipr="trust200902" docName="draft-reschke-http-oob-encoding-latest" category="std" xml:lang="en" x:maturity-level="proposed">
<x:feedback template="mailto:ietf-http-wg@w3.org?subject={docname},%20%22{section}%22&amp;body=&lt;{ref}&gt;:"/>
<front>
<title>'Out-Of-Band' Content Coding for HTTP</title>
<author initials="J. F." surname="Reschke" fullname="Julian F. Reschke">
<organization abbrev="greenbytes">greenbytes GmbH</organization>
<address>
<postal>
<street>Hafenweg 16</street>
<city>Muenster</city><region>NW</region><code>48155</code>
<country>Germany</country>
</postal>
<email>[email protected]</email>
<uri>http://greenbytes.de/tech/webdav/</uri>
</address>
</author>
<author initials="S." surname="Loreto" fullname="Salvatore Loreto">
<organization>Ericsson</organization>
<address>
<postal>
<street>Torshamnsgatan 21</street>
<code>16483</code>
<city>Stockholm</city>
<country>Sweden</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<date/>
<area>Applications and Real-Time</area>
<keyword>HTTP</keyword>
<keyword>content coding</keyword>
<keyword>out-of-band</keyword>
<abstract>
<t>
This document describes a Hypertext Transfer Protocol (HTTP) content
coding that can be used to describe the location of a secondary resource
that contains the payload.
</t>
</abstract>
<note title="Editorial Note (To be removed by RFC Editor before publication)">
<t>
Distribution of this document is unlimited. Although this is not a work
item of the HTTPbis Working Group, comments should be sent to the
Hypertext Transfer Protocol (HTTP) mailing list at <eref target="mailto:ietf-http-wg@w3.org">ietf-http-wg@w3.org</eref>,
which may be joined by sending a message with subject
"subscribe" to <eref target="mailto:ietf-http-wg-request@w3.org?subject=subscribe">ietf-http-wg-request@w3.org</eref>.
</t>
<t>
Discussions of the HTTPbis Working Group are archived at
<eref target="http://lists.w3.org/Archives/Public/ietf-http-wg/"/>.
</t>
<t>
XML versions, latest edits, and issue tracking for this document
are available from <eref target="https://github.com/EricssonResearch/Blind-Cache-Drafts"/> and
<eref target="http://greenbytes.de/tech/webdav/#draft-reschke-http-oob-encoding"/>.
</t>
<t>
The changes in this draft are summarized in <xref target="changes.since.12"/>.
</t>
</note>
</front>
<middle>
<section title="Introduction" anchor="introduction">
<t>
This document describes a Hypertext Transfer Protocol (HTTP) content
coding (<xref target="RFC7231" x:rel="#content.codings"/>) that can be used
to describe the location of a secondary resource that contains the payload.
</t>
<t>
The primary use case for this content coding is to enable origin servers
to securely delegate the delivery of content to a secondary server that might
be "closer" to the client (with respect to network topology) and/or
able to cache content (<xref target="SCD"/>), leveraging content encryption
(<xref target="RFC8188"/>).
</t>
</section>
<section title="Notational Conventions" anchor="notational.conventions">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119"/>.
</t>
<t>
This document reuses terminology used in the base HTTP specifications,
namely <xref target="RFC7230" x:fmt="of" x:rel="#architecture"/> and
<xref target="RFC7231" x:fmt="of" x:rel="#representations"/>.
</t>
</section>
<section title="'Out-Of-Band' Content Coding" anchor="ouf-of-band.content.coding">
<section title="Overview">
<t>
The 'Out-Of-Band' content coding is used to direct the recipient to retrieve the
actual message representation (<xref target="RFC7231" x:rel="#representations"/>)
from a secondary resource, such as a public cache:
</t>
<ol>
<li anchor="flow.get.request">Client performs a request</li>
<li anchor="flow.get.response">Received response specifies the 'out-of-band' content coding; the payload
of the response contains additional metadata, plus the location of the secondary
resource</li>
<li anchor="flow.get.request2">Client performs GET request on secondary resource (usually again via HTTP(s))</li>
<li anchor="flow.get.response2">Secondary server provides payload</li>
<li anchor="flow.combine">Client combines above representation with additional representation metadata
obtained from the primary resource</li>
</ol>
<figure><artwork type="drawing">
Client Secondary Server Origin Server
sends GET request with Accept-Encoding: out-of-band
(<xref target="flow.get.request" format="counter"
/>) |---------------------------------------------------------\
status 200 and Content-Coding: out-of-band |
(<xref target="flow.get.response" format="counter"
/>) <---------------------------------------------------------/
GET to secondary server
(<xref target="flow.get.request2" format="counter"
/>) |---------------------------\
payload |
(<xref target="flow.get.response2" format="counter"
/>) <---------------------------/
(<xref target="flow.combine" format="counter"/>)
Client combines payload received in (<xref target="flow.get.response2" format="counter"
/>)
with metadata received in (<xref target="flow.get.response" format="counter"
/>).</artwork></figure>
</section>
<section title="Definitions">
<t>
The name of the content coding is "out-of-band".
</t>
<t>
The payload format uses JavaScript Object Notation (JSON, <xref target="RFC7159"/>):
the payload is a single JSON object describing secondary resources; currently only
one member is defined<!-- plus &OPTIONAL; additional
metadata-->:
</t>
<dl>
<dt>'sr'</dt>
<dd>
<t>
A &REQUIRED; array of JSON objects.
</t>
<t>
Objects having a member named 'r'
describe a secondary resource, with the member's string value containing
a URI reference (<xref target="RFC3986" x:sec="4.1"/>) of the secondary
resource (URI references that are relative references are resolved against
the URI of the primary resource).
</t>
<t>
An &OPTIONAL; member 'crypto-key'
carries an array of strings, each of which specifying keying material
for use in encryption encodings such as the 'aes128gcm' encoding
defined in <xref target="RFC8188"/>. Values consist of the
name of the content coding, a "=", and the base64url encoded keying
material (see <xref target="RFC4648" x:fmt="of" x:sec="5"/>).
</t>
</dd>
<!-- <dt>'fallback'</dt>
<dd>
An &OPTIONAL; string containing a URI reference of a fallback resource (see <xref target="fallback"/>).
This URI reference, after resolution against the URI of the primary resource, &MUST; identify
a resource on the same server as the primary resource.
</dd>-->
<!--<dt>'metadata'</dt>
<dd>
An &OPTIONAL; object containing additional members, representing header field values
which can not appear as header fields in the response message itself
(header fields that occur multiple times need to be combined into a single field value as
per <xref target="RFC7230" x:rel="#field.order"/>; header field names are lower-cased).
</dd>-->
</dl>
<t>
The payload format uses an array so that the origin server can specify
multiple secondary resources. The ordering within the array reflects the
origin server's preference (if any), with the most preferred secondary
resource location being first. Clients receiving a response containing
multiple entries are free to choose which of these to use.
</t>
<t>
In some cases, the origin server might want to specify a "fallback URI", identifying
a secondary resource served by the origin server itself, but otherwise
equivalent to "regular" secondary resources. Any secondary resource hosted
by the origin server can be considered to be a "fallback"; origin servers
will usually list them last in the "sr" array so that they will only be
used by clients when there is no other choice.
</t>
<t>
New specifications can define new &OPTIONAL; member fields, thus clients &MUST;
ignore unknown fields. Furthermore, new specifications can define new object
formats for the 'sr' array; however, they &MUST-NOT; use a member named 'r'
unless the semantics are compatible with those defined above.
</t>
<t>
Extension specifications will have to update this specification.
</t>
</section>
<section title="Processing Steps" anchor="processing">
<t>
Upon receipt of an 'out-of-band' encoded response, a client first needs to
obtain the secondary resource's representation. This is done using
an HTTP GET request (independently of the original request method).
</t>
<t>
In order to prevent any leakage of information, the GET request for
the secondary resource &MUST; only contain information provided by
the origin server or the secondary server itself, namely HTTP authentication
credentials (<xref target="RFC7235"/>) and cookies (<xref target="RFC6265"/>).
In particular, header fields that the client sent in its request for the
primary resource (such as its own Authorization, Cookie or Referer values)
are not to be copied into the request for the secondary resource.
</t>
<t>
Furthermore, the request &MUST; include an "Origin" header field indicating
the origin of the original resource (<xref target="RFC6454" x:fmt="," x:sec="7"/>).
The secondary server &MUST; verify that the specified origin is
authorized to retrieve the given payload (or otherwise return an
appropriate 4xx status code).
</t>
<t>
In addition to that, the secondary server's response &MUST; include a
"Content-Type" header field indicating an Internet media type
of "application/oob-stream". Clients &MUST; check for this media type
and abort out-of-band processing if no media type is specified, or if it
doesn't match this value.
</t>
<t>
After receipt of the secondary resource's payload, the client then
reconstructs the original message by:
</t>
<ol>
<li>
Unwrapping the encapsulated HTTP message by removing any transfer and content codings.
</li>
<li>
Replacing/setting response header fields with those of the primary
response, except for framing-related information such as
Content-Length, Transfer-Encoding and Content-Encoding. Header
fields of the secondary server's response (for instance its
Cache-Control or Content-Type) are thus not carried over into the
reconstructed message.
</li>
<!--<li>
Replacing/setting any header fields with those present as members
in the "metadata" object.
<cref>Do we have a use case for this?</cref>
</li>-->
</ol>
<t>
If the client is unable to retrieve the secondary resource's representation
(host can't be reached, non 2xx response status code, payload failing
integrity check, etc.), it can choose
an alternate secondary resource (if specified), try the fallback URI (if
given), or simply retry the
request to the origin server without including 'out-of-band' in the
Accept-Encoding request header field. In the latter case, it can be useful
to inform the origin server about what problems were encountered
when trying to access the secondary resource; see <xref target="problem.reporting"/>
for details.
</t>
<t>
Note that although this mechanism causes the inclusion of external
content, it will not affect the application-level security properties
of the reconstructed message, such as its web origin (<xref target="RFC6454"/>).
</t>
<t>
The cacheability of the response for the secondary resource does not affect
the cacheability of the reconstructed response message, which is the same as
for the origin server's response.
</t>
<t>
Use of the 'out-of-band' coding is similar to HTTP redirects (<xref target="RFC7231" x:fmt="," x:rel="#status.3xx"/>)
in that it can lead to cycles. Unlike with HTTP redirects, however, the client
is in full control: it does not need to advertise support for the 'out-of-band'
coding in requests for secondary resources. Alternatively, it can protect itself
just like for HTTP redirects &mdash; by limiting the number of indirections it supports.
</t>
<t>
Note that because the server's response depends on the request's Accept-Encoding
header field, the response usually will need to be declared to vary on that. See
<xref target="RFC7231" x:fmt="of" x:rel="#header.vary"/> and
<xref target="RFC7232" x:fmt="of" x:rel="#header.etag"/> for details.
</t>
</section>
<section title="Examples">
<section title="Basic Example" anchor="basic.example">
<figure>
<preamble>Client request of primary resource at https://www.example.com/test:</preamble>
<artwork type="message/http; msgtype=&#34;request&#34;" x:indent-with=" ">
GET /test HTTP/1.1
Host: www.example.com
Accept-Encoding: gzip, out-of-band
</artwork></figure>
<figure>
<preamble>Response:</preamble>
<artwork type="message/http; msgtype=&#34;response&#34;" x:indent-with=" ">
HTTP/1.1 200 OK
Date: Thu, 14 May 2015 18:52:00 GMT
Content-Type: text/plain
Cache-Control: max-age=10, public
Content-Encoding: out-of-band
Content-Length: <x:length-of target="exbody"/>
Vary: Accept-Encoding
<x:span anchor="exbody" x:lang="">{
"sr": [
{ "r" :
"http://example.net/bae27c36-fa6a-11e4-ae5d-00059a3c7a00"},
{ "r" :
"/c/bae27c36-fa6a-11e4-ae5d-00059a3c7a00"}
]
}
</x:span></artwork>
<postamble>
(note that the Content-Type header field describes the media type of the
secondary resource's representation, and the origin server supplied
a fallback URI)
</postamble>
</figure>
<figure>
<preamble>Client request for secondary resource:</preamble>
<artwork type="message/http; msgtype=&#34;request&#34;" x:indent-with=" ">
GET /bae27c36-fa6a-11e4-ae5d-00059a3c7a00 HTTP/1.1
Host: example.net
Origin: https://www.example.com
</artwork></figure>
<figure>
<preamble>Response:</preamble>
<artwork type="message/http; msgtype=&#34;response&#34;" x:indent-with=" ">
HTTP/1.1 200 OK
Date: Thu, 14 May 2015 18:52:10 GMT
Cache-Control: private
Content-Type: application/oob-stream
Content-Length: <x:length-of target="exbody2"/>
<x:span anchor="exbody2">Hello, world.
</x:span></artwork>
</figure>
<figure>
<preamble>Final message after recombining header fields:</preamble>
<artwork type="message/http; msgtype=&#34;response&#34;" x:indent-with=" ">
HTTP/1.1 200 OK
Date: Thu, 14 May 2015 18:52:00 GMT
Content-Length: <x:length-of target="exbody5"/>
Cache-Control: max-age=10, public
Content-Type: text/plain
<x:span anchor="exbody5">Hello, world.
</x:span></artwork>
</figure>
</section>
<section title="Example for an attempt to use 'out-of-band' cross-origin">
<t>
<xref target="processing"/> requires the client to include an "Origin"
header field in the request to a secondary server. The example below
shows how the server for the secondary resource would respond to a request
which contains an "Origin" header field identifying an unauthorized origin.
</t>
<t>
Continuing with the example from <xref target="basic.example"/>,
and a secondary server that is configured to allow only access for requests
initiated by "https://www.example.org":
</t>
<figure>
<preamble>Client request for secondary resource:</preamble>
<artwork type="message/http; msgtype=&#34;request&#34;" x:indent-with=" ">
GET /bae27c36-fa6a-11e4-ae5d-00059a3c7a00 HTTP/1.1
Host: example.net
Origin: https://www.example.com
</artwork></figure>
<figure>
<preamble>Response:</preamble>
<artwork type="message/http; msgtype=&#34;response&#34;" x:indent-with=" ">
HTTP/1.1 403 Forbidden
Date: Thu, 14 May 2015 18:52:10 GMT
</artwork>
<postamble>Note that a request missing the "Origin" header field would be
treated the same way.
</postamble>
</figure>
<t>
<cref>Any reason why to *mandate* a specific 4xx code?</cref>
</t>
</section>
<section title="Example involving an encrypted resource">
<t>
Given the example HTTP message from <xref target="RFC8188" x:sec="3.1"/>,
a primary resource could use the 'out-of-band' coding to specify just
the location of the secondary resource plus the keying material
needed to decrypt the payload:
</t>
<figure>
<preamble>Response:</preamble>
<artwork type="message/http; msgtype=&#34;response&#34;" x:indent-with=" ">
HTTP/1.1 200 OK
Date: Thu, 14 May 2015 18:52:00 GMT
Content-Encoding: aes128gcm, out-of-band
Content-Type: text/plain
Content-Length: <x:length-of target="exbody4"/>
Vary: Accept-Encoding
<x:span anchor="exbody4" x:lang="">{
"sr": [
{ "r" :
"http://example.net/bae27c36-fa6a-11e4-ae5d-00059a3c7a00",
"crypto-key" :
[ "aes128gcm=yqdlZ-tYemfogSmv7Ws5PQ" ] }
]
}
</x:span></artwork>
<postamble>
(note that the Content-Type header field describes the media type of the
secondary resource's representation)
</postamble>
</figure>
<figure>
<preamble>Response for secondary resource:</preamble>
<artwork type="message/http; msgtype=&#34;response&#34;" x:indent-with=" ">
HTTP/1.1 200 OK
Date: Thu, 14 May 2015 18:52:10 GMT
Content-Type: application/oob-stream
Content-Length: 54
I1BsxtFttlv3u_Oo94xnmwAAEAAA-NAVub2qFgBEuQKRapoZu-IxkIva3MEB1PD-
ly8Thjg</artwork>
<postamble>(payload body shown in base64 for presentation purposes)</postamble>
</figure>
<figure>
<preamble>Final message undoing all content codings:</preamble>
<artwork type="message/http; msgtype=&#34;response&#34;" x:indent-with=" ">
HTTP/1.1 200 OK
Date: Thu, 14 May 2015 18:52:00 GMT
Content-Length: <x:length-of target="exbody8"/>
Content-Type: text/plain
<x:span anchor="exbody8">I am the walrus</x:span></artwork>
</figure>
<x:note>
<t>
<x:h>Note:</x:h> in this case, the ability to undo the 'aes128gcm' is needed
to process the response. If 'aes128gcm' wasn't listed as acceptable content coding
in the request, the origin server wouldn't be able to use the 'out-of-band'
mechanism.
</t>
</x:note>
</section>
<section title="Relation to Content Negotiation" anchor="relation.to.content.negotiation">
<t>
Use of the 'out-of-band' encoding is a case of "proactive content negotiation",
as defined in <xref target="RFC7231" x:fmt="of" x:rel="#content.negotiation"/>.
</t>
<t>
This however does not rule out combining it with other content codings. As an example, the
possible interactions with the 'gzip' content coding (<xref target="RFC7230" x:fmt="," x:rel="#gzip.coding"/>)
are described below:
</t>
<t>
<x:h>Case 1: Primary resource does not support 'gzip' encoding</x:h>
</t>
<t>
In this case, the response for the primary resource will never include
'gzip' in the Content-Encoding header field. The secondary resource
however might support it, in which case the client could negotiate
compression by including "Accept-Encoding: gzip" in the request to the
secondary resource.
</t>
<t>
<x:h>Case 2: Primary resource does support 'gzip' encoding</x:h>
</t>
<t>
Here, the origin server would actually use two different secondary resources,
one of them being gzip-compressed. For instance — going back to the first
example in <xref target="basic.example"/> — it might reply with:
</t>
<figure>
<artwork type="message/http; msgtype=&#34;response&#34;" x:indent-with=" ">
HTTP/1.1 200 OK
Date: Thu, 14 May 2015 18:52:00 GMT
Content-Type: text/plain
Cache-Control: max-age=10, public
Content-Encoding: gzip, out-of-band
Content-Length: <x:length-of target="exbodygz"/>
Vary: Accept-Encoding
<x:span anchor="exbodygz" x:lang="">{
"sr": [
{ "r" :
"http://example.net/bae27c36-fa6a-11e4-ae5d-00059a3c7a01"},
{ "r" :
"/c/bae27c36-fa6a-11e4-ae5d-00059a3c7a01"}
]
}
</x:span></artwork>
</figure>
<t>
which would mean that the payload for the secondary resource already is
gzip-compressed.
</t>
<aside>
<t>
<x:h>Note:</x:h> The origin server could also apply gzip
compression to the out-of-band payload, in which case the Content-Encoding
field value would become: "gzip, out-of-band, gzip".
</t>
</aside>
</section>
</section>
</section>
<section title="Content Codings and Range Requests">
<t>
The combination of content codings (<xref target="RFC7231" x:fmt="," x:rel="#data.encoding"/>) with
range requests (<xref target="RFC7233"/>) can lead to surprising results, as
applying the range request happens after applying content codings.
</t>
<figure>
<preamble>
Thus, for a request for the bytes starting at position 100000 of a video:
</preamble>
<artwork type="message/http; msgtype=&#34;request&#34;" x:indent-with=" ">
GET /test.mp4 HTTP/1.1
Host: www.example.com
Range: bytes=100000-
Accept-Encoding: identity
</artwork></figure>
<figure>
<preamble>
...a successful response would use status code 206 (Partial Content) and
have a payload containing the octets starting at position 100000.
</preamble>
<artwork type="message/http; msgtype=&#34;response&#34;" x:indent-with=" ">
HTTP/1.1 206 Partial Content
Date: Tue, 08 Sep 2015 16:49:00 GMT
Content-Type: video/mp4
Content-Length: 134567
Content-Range: bytes 100000-234566/234567
<em>(binary data)</em></artwork>
</figure>
<figure>
<preamble>
However, if the request would have allowed the use of 'out-of-band' coding:
</preamble>
<artwork type="message/http; msgtype=&#34;request&#34;" x:indent-with=" ">
GET /test.mp4 HTTP/1.1
Host: www.example.com
Range: bytes=100000-
Accept-Encoding: out-of-band
</artwork>
<postamble>...a server might return an empty payload (if the out-of-band
coded response body would be shorter than 100000 bytes, as would be usually the case).</postamble>
</figure>
<t>
Thus, in order to avoid unnecessary network traffic, servers &SHOULD-NOT;
apply range request processing to responses using the out-of-band content coding
(or, in other words: ignore "Range" request header fields in this case).
</t>
</section>
<section title="Feature Discovery" anchor="feature.discovery">
<t>
New content codings can be deployed easily, as the client can use
the "Accept-Encoding" header field (<xref target="RFC7231" x:rel="#header.accept-encoding"/>)
to signal which content codings are supported.
</t>
</section>
<section title="Security Considerations" anchor="security.considerations">
<section title="Content Modifications">
<t>
This specification does not define means to verify that the payload
obtained from the secondary resource really is what the origin server
expects it to be. Content signatures can address this concern
(see <xref target="CONTENTSIG"/> and <xref target="MICE"/>). Where the payload
is encrypted using an authenticated encoding such as 'aes128gcm' (<xref target="RFC8188"/>)
with keying material that is not available to the secondary server, a modification
by the secondary server will cause decryption to fail on the client, which then
handles this like any other failure to obtain the secondary resource (see <xref target="processing"/>).
</t>
</section>
<section title="Content Stealing">
<t>
The 'out-of-band' content coding could be used to circumvent the same-origin
policy (<xref target="RFC6454" x:fmt="," x:sec="3"/>) of user agents: an
attacking site which knows the URI of a secondary resource would use the
'out-of-band' coding to trick the user agent into reading the contents of the secondary resource,
which would then, due to the properties of this coding (see <xref target="processing"/>),
be handled as if it originated from the attacking site's own resource.
</t>
<t>
This scenario is addressed by the client requirement to include
the "Origin" request header field and the server requirement to verify
that the request was initiated by an authorized origin. Note that this
check relies on the user agent supplying the "Origin" header field faithfully:
it prevents a well-behaved user agent from being used to read the secondary
resource on behalf of an unauthorized origin, but it does not protect the
secondary resource against a client that is itself under the attacker's control
and already knows the URI. In addition,
the restriction of the secondary server response's media type
to "application/oob-stream" protects existing content on "regular"
servers not implementing this specification.
</t>
<aside>
<t>
<x:h>Note:</x:h> similarities with the "Cross-Origin Resource Sharing"
protocol (<xref target="CORS"/>) are intentional.
</t>
</aside>
<t>
Requiring the secondary resource's payload to be encrypted (<xref target="RFC8188"/>)
is an additional mitigation. This mitigation is only as strong as the confidentiality
of the keying material carried in the 'crypto-key' member: the primary response
containing it needs to be protected (for instance by transport security, and by
cache directives that keep it out of shared caches) in the same way the unencrypted
payload itself would be.
</t>
</section>
<section title="Use in Requests">
<t>
In general, content codings can be used in both requests and responses. This particular
content coding has been designed for responses. When supported in requests, it
creates a new attack vector (a form of server-side request forgery) where the receiving
server can be tricked into retrieving and including content that the client might not
have access to otherwise (such as HTTP resources behind a firewall). Servers therefore
need to treat a request carrying this coding with the same caution as any other
server-side fetch of a client-supplied URI, or not support the coding in requests at all.
</t>
</section>
</section>
<section title="IANA Considerations" anchor="iana.considerations">
<section title="Content Coding: out-of-band" anchor="iana.considerations.content-coding">
<t>
The IANA "HTTP Content Coding Registry", located at <eref target="http://www.iana.org/assignments/http-parameters"/>,
needs to be updated with the registration below:
</t>
<dl>
<dt>Name:</dt>
<dd>
out-of-band
</dd>
<dt>Description:</dt>
<dd>
Payload needs to be retrieved from a secondary resource
</dd>
<dt>Reference:</dt>
<dd>
<xref target="ouf-of-band.content.coding"/> of this document
</dd>
</dl>
</section>
<section title="Internet Media Type: application/oob-stream" anchor="iana.considerations.media-type">
<t>
IANA maintains the registry of Internet media types <xref target="BCP13"/> at
<eref target="http://www.iana.org/assignments/media-types"/>.
</t>
<t>
This document serves as the specification for the Internet media type
"application/oob-stream". The following is to be registered with
IANA.
</t>
<t>
The "application/oob-stream" media type represents a sequence of octets sent as part
of the "out-of-band" content coding protocol exchange. The sender does
not have any further information about the type of the enclosed data.
This type is different from "application/octet-stream" as it is known
not to be in use for pre-existing content.
</t>
<dl>
<dt>Type name:</dt>
<dd>application</dd>
<dt>Subtype name:</dt>
<dd>oob-stream</dd>
<dt>Required parameters:</dt>
<dd>N/A</dd>
<dt>Optional parameters:</dt>
<dd>N/A</dd>
<dt>Encoding considerations:</dt>
<dd>always "binary"</dd>
<dt>Security considerations:</dt>
<dd>see <xref target="security.considerations"/></dd>
<dt>Interoperability considerations:</dt>
<dd>N/A</dd>
<dt>Published specification:</dt>
<dd>This specification (see <xref target="iana.considerations.media-type"/>).</dd>
<dt>Applications that use this media type:</dt>
<dd>HTTP servers for secondary resources as defined by this specification.</dd>
<dt>Fragment identifier considerations:</dt>
<dd>N/A</dd>
<dt>Additional information:</dt>
<dd>
<dl>
<dt>Magic number(s):</dt>
<dd>N/A</dd>
<dt>Deprecated alias names for this type:</dt>
<dd>N/A</dd>
<dt>File extension(s):</dt>
<dd>N/A</dd>
<dt>Macintosh file type code(s):</dt>
<dd>N/A</dd>
</dl>
</dd>
<dt>Person and email address to contact for further information:</dt>
<dd>See Authors' Addresses section.</dd>
<dt>Intended usage:</dt>
<dd>COMMON</dd>
<dt>Restrictions on usage:</dt>
<dd>N/A</dd>
<dt>Author:</dt>
<dd>See Authors' Addresses section.</dd>
<dt>Change controller:</dt>
<dd>IESG</dd>
</dl>
</section>
</section>
</middle>
<back>
<references title="Normative References">
<reference anchor="RFC2119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</title>
<author initials="S." surname="Bradner" fullname="Scott Bradner"/>
<date month="March" year="1997"/>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
</reference>
<reference anchor="RFC3986">
<front>
<title abbrev='URI Generic Syntax'>Uniform Resource Identifier (URI): Generic Syntax</title>
<author initials='T.' surname='Berners-Lee' fullname='Tim Berners-Lee'/>
<author initials='R.' surname='Fielding' fullname='Roy T. Fielding'/>
<author initials='L.' surname='Masinter' fullname='Larry Masinter'/>
<date month='January' year='2005'></date>
</front>
<seriesInfo name="STD" value="66"/>
<seriesInfo name="RFC" value="3986"/>
</reference>
<reference anchor='RFC5988'>
<front>
<title>Web Linking</title>
<author initials='M.' surname='Nottingham' fullname='M. Nottingham'/>
<date year='2010' month='October' />
</front>
<seriesInfo name='RFC' value='5988'/>
</reference>
<reference anchor="RFC6265">
<front>
<title>HTTP State Management Mechanism</title>
<author initials="A." surname="Barth" fullname="Adam Barth"/>
<date year="2011" month="April" />
</front>
<seriesInfo name="RFC" value="6265"/>
</reference>
<reference anchor='RFC7159'>
<front>
<title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
<author initials='T.' surname='Bray' fullname='Tim Bray'/>
<date year='2014' month='March' />
</front>
<seriesInfo name='RFC' value='7159' />
</reference>
<reference anchor="RFC7230">
<front>
<title>Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing</title>
<author initials="R." surname="Fielding" fullname="Roy T. Fielding" role="editor"/>
<author initials="J. F." surname="Reschke" fullname="Julian F. Reschke" role="editor"/>
<date month="June" year="2014"/>
</front>
<seriesInfo name="RFC" value="7230"/>
<x:source href="refs/rfc7230.xml" basename="rfc7230"/>
</reference>
<reference anchor="RFC7231">
<front>
<title>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</title>
<author initials="R." surname="Fielding" fullname="Roy T. Fielding" role="editor"/>
<author initials="J. F." surname="Reschke" fullname="Julian F. Reschke" role="editor"/>
<date month="June" year="2014"/>
</front>
<seriesInfo name="RFC" value="7231"/>
<x:source href="refs/rfc7231.xml" basename="rfc7231"/>
</reference>
<reference anchor="RFC7235">
<front>
<title>Hypertext Transfer Protocol (HTTP/1.1): Authentication</title>
<author initials="R." surname="Fielding" fullname="Roy T. Fielding" role="editor"/>
<author initials="J. F." surname="Reschke" fullname="Julian F. Reschke" role="editor"/>
<date month="June" year="2014"/>
</front>
<seriesInfo name="RFC" value="7235"/>
<x:source href="refs/rfc7235.xml" basename="rfc7235"/>
</reference>
</references>
<references title="Informative References">
<reference anchor="BCP13">
<front>
<title>Media Type Specifications and Registration Procedures</title>
<author initials="N." surname="Freed" fullname="Ned Freed"/>
<author initials="J." surname="Klensin" fullname="John C. Klensin"/>
<author initials="T." surname="Hansen" fullname="Tony Hansen"/>
<date year="2013" month="January"/>
</front>
<seriesInfo name="BCP" value="13"/>
<seriesInfo name="RFC" value="6838"/>
</reference>
<reference anchor='RFC2017'>
<front>
<title abbrev='URL Access-Type'>Definition of the URL MIME External-Body Access-Type</title>
<author initials='N.' surname='Freed' fullname='Ned Freed'/>
<author initials='K.' surname='Moore' fullname='Keith Moore'/>
<date year='1996' month='October' />
</front>
<seriesInfo name='RFC' value='2017' />
</reference>
<reference anchor='RFC4483'>
<front>
<title>A Mechanism for Content Indirection in Session Initiation Protocol (SIP) Messages</title>
<author initials='E.' surname='Burger' fullname='E. Burger'/>
<date year='2006' month='May' />
</front>
<seriesInfo name='RFC' value='4483' />
</reference>
<reference anchor="RFC4648">
<front>
<title>The Base16, Base32, and Base64 Data Encodings</title>
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
<date year="2006" month="October"/>
</front>
<seriesInfo value="4648" name="RFC"/>
</reference>
<reference anchor="RFC5246">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
<author initials="T." surname="Dierks" fullname="T. Dierks"/>
<author initials="E." surname="Rescorla" fullname="E. Rescorla"/>
<date year="2008" month="August"/>
</front>
<seriesInfo name="RFC" value="5246"/>
</reference>
<reference anchor="RFC6454">
<front>
<title>The Web Origin Concept</title>
<author initials="A." surname="Barth" fullname="A. Barth"/>
<date year="2011" month="December"/>
</front>
<seriesInfo name="RFC" value="6454"/>
</reference>
<reference anchor="RFC7232">
<front>
<title>Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests</title>
<author initials="R." surname="Fielding" fullname="Roy T. Fielding" role="editor"/>
<author initials="J. F." surname="Reschke" fullname="Julian F. Reschke" role="editor"/>
<date month="June" year="2014"/>
</front>
<seriesInfo name="RFC" value="7232"/>
<x:source href="refs/rfc7232.xml" basename="rfc7232"/>
</reference>
<reference anchor="RFC7233">
<front>
<title>Hypertext Transfer Protocol (HTTP/1.1): Range Requests</title>
<author initials="R." surname="Fielding" fullname="Roy T. Fielding" role="editor"/>
<author initials="Y." surname="Lafon" fullname="Yves Lafon" role="editor"/>
<author initials="J. F." surname="Reschke" fullname="Julian F. Reschke" role="editor"/>
<date month="June" year="2014"/>
</front>
<seriesInfo name="RFC" value="7233"/>
<x:source href="refs/rfc7233.xml" basename="rfc7233"/>
</reference>
<reference anchor='RFC8188'>
<front>
<title>Encrypted Content-Encoding for HTTP</title>
<author initials="M." surname="Thomson" fullname="Martin Thomson"/>
<date month="June" year="2017"/>
</front>
<seriesInfo name="RFC" value="8188"/>
</reference>
<reference anchor='CONTENTSIG'>
<front>
<title>Content-Signature Header Field for HTTP</title>
<author initials="M." surname="Thomson" fullname="Martin Thomson"/>
<date month="July" year="2015"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-thomson-http-content-signature-00"/>
</reference>
<reference anchor='MICE'>
<front>
<title>Merkle Integrity Content Encoding</title>
<author initials="M." surname="Thomson" fullname="Martin Thomson"/>
<date month="October" year="2016"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-thomson-http-mice-02"/>
</reference>
<reference anchor='RMAP'>
<front>
<title>Resource Maps</title>
<author initials='G' surname='Eriksson' fullname='Goran Eriksson'/>
<author initials='C' surname='Holmberg' fullname='Christer Holmberg'/>
<author initials='Z' surname='Sarker' fullname='Zaheduzzaman Sarker'/>
<author initials='J' surname='Reschke' fullname='Julian Reschke'/>
<date month='October' day='31' year='2016' />
</front>
<seriesInfo name='Internet-Draft' value='draft-eriksson-http-resource-map-00' />
</reference>
<reference anchor='SCD'>
<front>
<title>An Architecture for Secure Content Delegation using HTTP</title>
<author initials='M.' surname='Thomson' fullname='Martin Thomson'/>
<author initials='G.' surname='Eriksson' fullname='Goran Eriksson'/>
<author initials='C.' surname='Holmberg' fullname='Christer Holmberg'/>
<date month='October' year='2016' />
</front>
<seriesInfo name='Internet-Draft' value='draft-thomson-http-scd-02' />
</reference>
<reference anchor='CORS'
target='http://www.w3.org/TR/2014/REC-cors-20140116/'>
<front>
<title>Cross-Origin Resource Sharing</title>
<author fullname='Anne van Kesteren' surname='van Kesteren' initials='A.'/>
<date year='2014' month='January' day='16'/>
</front>
<seriesInfo name='W3C Recommendation' value='REC-cors-20140116'/>
<annotation>
Latest version available at
<eref target='http://www.w3.org/TR/cors/'/>.
</annotation>
</reference>
</references>
<section title="Problem Reporting" anchor="problem.reporting">
<t>
<cref anchor="erwip">This is a rough proposal for an error reporting mechanism. Is it good enough? Is it needed at all?
Note that Alt-Svc doesn't have anything like this.</cref>
</t>
<t>
When the client fails to obtain the secondary resource, it can be useful
to inform the origin server of that failure. This can be accomplished
by adding a "Link" header field (<xref target="RFC5988"/>) to a subsequent request to the origin server,
identifying the URI of the secondary resource and the reason for the failure.
</t>
<t>
The following link extension relations are defined: