idnits 2.17.1 draft-ietf-appsawg-json-patch-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 20, 2013) is 4106 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-09) exists of draft-ietf-appsawg-json-pointer-07 ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159) -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Applications Area Working Group P. Bryan, Ed. 3 Internet-Draft Salesforce.com 4 Intended status: Standards Track M. Nottingham, Ed. 5 Expires: July 24, 2013 Akamai 6 January 20, 2013 8 JSON Patch 9 draft-ietf-appsawg-json-patch-10 11 Abstract 13 JSON Patch defines a JSON document structure for expressing a 14 sequence of operations to apply to a JavaScript Object Notation 15 (JSON) document, suitable for use with the HTTP PATCH method. The 16 "application/json-patch" media type is used to identify such patch 17 documents. 19 Status of this Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at http://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on July 24, 2013. 36 Copyright Notice 38 Copyright (c) 2013 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (http://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 3. Document Structure . . . . . . . . . . . . . . . . . . . . . . 3 56 4. Operations . . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 4.1. add . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 58 4.2. remove . . . . . . . . . . . . . . . . . . . . . . . . . . 6 59 4.3. replace . . . . . . . . . . . . . . . . . . . . . . . . . 6 60 4.4. move . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 61 4.5. copy . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 62 4.6. test . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 63 5. Error Handling . . . . . . . . . . . . . . . . . . . . . . . . 8 64 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 65 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 66 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 67 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 68 9.1. Normative References . . . . . . . . . . . . . . . . . . . 10 69 9.2. Informative References . . . . . . . . . . . . . . . . . . 10 70 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 11 71 A.1. Adding an Object Member . . . . . . . . . . . . . . . . . 11 72 A.2. Adding an Array Element . . . . . . . . . . . . . . . . . 11 73 A.3. Removing an Object Member . . . . . . . . . . . . . . . . 12 74 A.4. Removing an Array Element . . . . . . . . . . . . . . . . 12 75 A.5. Replacing a Value . . . . . . . . . . . . . . . . . . . . 12 76 A.6. Moving a Value . . . . . . . . . . . . . . . . . . . . . . 13 77 A.7. Moving an Array Element . . . . . . . . . . . . . . . . . 13 78 A.8. Testing a Value: Success . . . . . . . . . . . . . . . . . 14 79 A.9. Testing a Value: Error . . . . . . . . . . . . . . . . . . 14 80 A.10. Adding a nested Member Object . . . . . . . . . . . . . . 14 81 A.11. Ignoring Unrecognized Elements . . . . . . . . . . . . . . 15 82 A.12. Adding to a Non-existant Target . . . . . . . . . . . . . 15 83 A.13. Invalid JSON Patch Document . . . . . . . . . . . . . . . 16 84 A.14. ~ Escape Ordering . . . . . . . . . . . . . . . . . . . . 16 85 A.15. Comparing Strings and Numbers . . . . . . . . . . . . . . 16 86 A.16. Adding an Array Value . . . . . . . . . . . . . . . . . . 17 87 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 89 1. Introduction 91 JavaScript Object Notation (JSON) [RFC4627] is a common format for 92 the exchange and storage of structured data. HTTP PATCH [RFC5789] 93 extends the Hypertext Transfer Protocol (HTTP) [RFC2616] with a 94 method to perform partial modifications to resources. 96 JSON Patch is a format (identified by the media type "application/ 97 json-patch") for expressing a sequence of operations to apply to a 98 target JSON document, suitable for use with the HTTP PATCH method. 100 This format is also potentially useful in other cases where necessary 101 to make partial updates to a JSON document, or to a data structure 102 that has similar constraints (i.e., they can be serialised as an 103 object or an array using the JSON grammar). 105 2. Conventions 107 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 108 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 109 document are to be interpreted as described in RFC 2119 [RFC2119]. 111 See Section 5 for information about handling errors. 113 3. Document Structure 115 A JSON Patch document is a JSON [RFC4627] document that represents an 116 array of objects. Each object represents a single operation to be 117 applied to the target JSON document. 119 An example JSON Patch document, transferred in a HTTP PATCH request: 121 PATCH /my/data HTTP/1.1 122 Host: example.org 123 Content-Length: 326 124 Content-Type: application/json-patch 125 If-Match: "abc123" 127 [ 128 { "op": "test", "path": "/a/b/c", "value": "foo" }, 129 { "op": "remove", "path": "/a/b/c" }, 130 { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] }, 131 { "op": "replace", "path": "/a/b/c", "value": 42 }, 132 { "op": "move", "from": "/a/b/c", "path": "/a/b/d" }, 133 { "op": "copy", "from": "/a/b/d", "path": "/a/b/e" } 134 ] 135 Evaluation of a JSON Patch document begins against a target JSON 136 document. Operations are applied sequentially in the order they 137 appear in the array. Each operation in the sequence is applied to 138 the target document; the resulting document becomes the target of the 139 next operation. Evaluation continues until all operations are 140 successfully applied, or an error condition is encountered. 142 4. Operations 144 Operation objects MUST have exactly one "op" member, whose value 145 indicates the operation to perform. Its value MUST be one of "add", 146 "remove", "replace", "move", "copy" or "test"; other values are 147 errors. The semantics of each is defined below. 149 Additionally, operation objects MUST have exactly one "path" member. 150 That member's value is a string containing a [JSON-Pointer] value 151 that references a location within the target document (the "target 152 location") where the operation is performed. 154 The meanings of other members of operation objects are defined by 155 operation (see the subsections below). Members that are not 156 explicitly defined for the operation in question MUST be ignored 157 (i.e., the operation will complete as if the undefined member did not 158 appear in the object). 160 Note that the ordering of members in JSON objects is not significant; 161 therefore, the following operation objects are equivalent: 163 { "op": "add", "path": "/a/b/c", "value": "foo" } 164 { "path": "/a/b/c", "op": "add", "value": "foo" } 165 { "value": "foo", "path": "/a/b/c", "op": "add" } 167 Operations are applied to the data structures represented by a JSON 168 document; i.e., after any unescaping (see [RFC4627], Section 2.5) 169 takes place. 171 4.1. add 173 The "add" operation performs the following function, depending upon 174 what the target location references: 176 o If the target location specifies an array index, a new value is 177 inserted into the array at the specified index. 179 o If the target location specifies an object member that does not 180 already exist, a new member is added to the object. 182 o If the target location specifies an object member that does exist, 183 that member's value is replaced. 185 The operation object MUST contain a "value" member whose content 186 specifies the value to be added. 188 For example: 190 { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] } 192 When the operation is applied, the target location MUST reference one 193 of: 195 o The root of the target document - whereupon the specified value 196 becomes the entire content of the target document. 198 o A member to add to an existing object - whereupon the supplied 199 value is added to that object at the indicated location. If the 200 member already exists, it is replaced by the specified value. 202 o An element to add to an existing array - whereupon the supplied 203 value is added to the array at the indicated location. Any 204 elements at or above the specified index are shifted one position 205 to the right. The specified index MUST NOT be greater than the 206 number of elements in the array. If the "-" character is used to 207 index the end of the array (see [JSON-Pointer]), this has the 208 effect of appending the value to the array. 210 Because this operation is designed to add to existing objects and 211 arrays, its target location will often not exist. Although the 212 pointer's error handling algorithm will thus be invoked, this 213 specification defines the error handling behaviour for "add" pointers 214 to ignore that error and add the value as specified. 216 However, the object itself or an array containing it does need to 217 exist, and it remains an error for that not to be the case. For 218 example, an "add" with a target location of "/a/b" starting with this 219 document: 221 { "a": { "foo": 1 } } 223 is not an error, because "a" exists, and "b" will be added to its 224 value. It is an error in this document: 226 { "q": { "bar": 2 } } 228 because "a" does not exist. 230 4.2. remove 232 The "remove" operation removes the value at the target location. 234 The target location MUST exist for the operation to be successful. 236 For example: 238 { "op": "remove", "path": "/a/b/c" } 240 If removing an element from an array, any elements above the 241 specified index are shifted one position to the left. 243 4.3. replace 245 The "replace" operation replaces the value at the target location 246 with a new value. The operation object MUST contain a "value" member 247 whose content specifies the replacement value. 249 The target location MUST exist for the operation to be successful. 251 For example: 253 { "op": "replace", "path": "/a/b/c", "value": 42 } 255 This operation is functionally identical to a "remove" operation for 256 a value, followed immediately by an "add" operation at the same 257 location with the replacement value. 259 4.4. move 261 The "move" operation removes the value at a specified location and 262 adds it to the target location. 264 The operation object MUST contain a "from" member, a string 265 containing a JSON Pointer value that references the location in the 266 target document to move the value from. 268 The "from" location MUST exist for the operation to be successful. 270 For example: 272 { "op": "move", "from": "/a/b/c", "path": "/a/b/d" } 274 This operation is functionally identical to a "remove" operation on 275 the "from" location, followed immediately by an "add" operation at 276 the target location with the value that was just removed. 278 The "from" location MUST NOT be a proper prefix of the "path" 279 location; i.e., a location cannot be moved into one of its children. 281 4.5. copy 283 The "copy" operation copies the value at a specified location to the 284 target location. 286 The operation object MUST contain a "from" member, a string 287 containing a JSON Pointer value that references the location in the 288 target document to copy the value from. 290 The "from" location MUST exist for the operation to be successful. 292 For example: 294 { "op": "copy", "from": "/a/b/c", "path": "/a/b/e" } 296 This operation is functionally identical to an "add" operation at the 297 target location using the value specified in the "from" member. 299 4.6. test 301 The "test" operation tests that a value at the target location is 302 equal to a specified value. 304 The operation object MUST contain a "value" member that conveys the 305 value to be compared to that at the target location. 307 The target location MUST be equal to the "value" value for the 308 operation to be considered successful. 310 Here, "equal" means that the value at the target location and that 311 conveyed by "value" are of the same JSON type, and considered equal 312 by the following rules for that type: 314 o strings: are considered equal if they contain the same number of 315 Unicode characters and their code points are position-wise equal. 317 o numbers: are considered equal if their values are numerically 318 equal. 320 o arrays: are considered equal if they contain the same number of 321 values, and each value can be considered equal to the value at the 322 corresponding position in the other array, using this list of 323 type-specific rules. 325 o objects: are considered equal if they contain the same number of 326 members, and each member can be considered equal to a member in 327 the other object, by comparing their keys as strings, and values 328 using this list of type-specific rules. 330 o literals (false, true and null): are considered equal if they are 331 the same. 333 Note that this is a logical comparison; e.g., whitespace between the 334 member values of an array is not significant. 336 Also, note that ordering of the serialisation of object members is 337 not significant. 339 For example: 341 { "op": "test", "path": "/a/b/c", "value": "foo" } 343 5. Error Handling 345 If a normative requirement is violated by a JSON Patch document, or 346 if an operation is not successful, evaluation of the JSON Patch 347 document SHOULD terminate and application of the entire patch 348 document SHALL NOT be deemed successful. 350 See [RFC5789], Section 2.2 for considerations regarding handling 351 errors when JSON Patch is used with the HTTP PATCH method, including 352 suggested status codes to use to indicate various conditions. 354 Note that the HTTP PATCH method is atomic, as per [RFC5789]. 355 Therefore, the following patch would result in no changes being made 356 to the document at all (because the "test" operation results in an 357 error). 359 [ 360 { "op": "replace", "path": "/a/b/c", "value": 42 }, 361 { "op": "test", "path": "/a/b/c", "value": "C" } 362 ] 364 6. IANA Considerations 366 The Internet media type for a JSON Patch document is application/ 367 json-patch. 369 Type name: application 371 Subtype name: json-patch 373 Required parameters: none 375 Optional parameters: none 377 Encoding considerations: binary 379 Security considerations: 380 See Security Considerations in section 7. 382 Interoperability considerations: N/A 384 Published specification: 385 [this memo] 387 Applications that use this media type: 388 Applications that manipulate JSON documents. 390 Additional information: 392 Magic number(s): N/A 394 File extension(s): .json-patch 396 Macintosh file type code(s): TEXT 398 Person & email address to contact for further information: 399 Paul C. Bryan 401 Intended usage: COMMON 403 Restrictions on usage: none 405 Author: Paul C. Bryan 407 Change controller: IETF 409 7. Security Considerations 411 This specification has the same security considerations as JSON 412 [RFC4627] and [JSON-Pointer]. 414 A few older Web browsers can be coerced into loading an arbitrary 415 JSON document whose root is an array, leading to a situation where a 416 JSON Patch document containing sensitive information could be exposed 417 to attackers, even if access is authenticated. This is known as a 418 Cross-Site Request Forgery (CSRF) attack [CSRF]. 420 However, such browsers are not widely used ( estimated to comprise 421 less than 1% of the market, at the time of writing). Publishers who 422 are nevertheless concerned about this attack are advised to avoid 423 making such documents available with HTTP GET. 425 8. Acknowledgements 427 The following individuals contributed ideas, feedback and wording to 428 this specification: 430 Mike Acar, Mike Amundsen, Cyrus Daboo, Paul Davis, Stefan Koegl, 431 Murray S. Kucherawy, Dean Landolt, Randall Leeds, James Manger, 432 Julian Reschke, James Snell, Eli Stevens and Henry S. Thompson. 434 The structure of a JSON Patch document was influenced by the XML 435 Patch document [RFC5261] specification. 437 9. References 439 9.1. Normative References 441 [JSON-Pointer] 442 Bryan, P., Zyp, K., and M. Nottingham, "JSON Pointer", 443 draft-ietf-appsawg-json-pointer-07 (work in progress), 444 November 2012. 446 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 447 Requirement Levels", BCP 14, RFC 2119, March 1997. 449 [RFC4627] Crockford, D., "The application/json Media Type for 450 JavaScript Object Notation (JSON)", RFC 4627, July 2006. 452 9.2. Informative References 454 [CSRF] Barth, A., Jackson, C., and J. Mitchell, "Robust Defenses 455 for Cross-Site Request Forgery". 457 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 458 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 459 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 461 [RFC5261] Urpalainen, J., "An Extensible Markup Language (XML) Patch 462 Operations Framework Utilizing XML Path Language (XPath) 463 Selectors", RFC 5261, September 2008. 465 [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", 466 RFC 5789, March 2010. 468 Appendix A. Examples 470 A.1. Adding an Object Member 472 An example target JSON document: 474 { "foo": "bar"} 476 A JSON Patch document: 478 [ 479 { "op": "add", "path": "/baz", "value": "qux" } 480 ] 482 The resulting JSON document: 484 { 485 "baz": "qux", 486 "foo": "bar" 487 } 489 A.2. Adding an Array Element 491 An example target JSON document: 493 { "foo": [ "bar", "baz" ] } 495 A JSON Patch document: 497 [ 498 { "op": "add", "path": "/foo/1", "value": "qux" } 499 ] 501 The resulting JSON document: 503 { "foo": [ "bar", "qux", "baz" ] } 505 A.3. Removing an Object Member 507 An example target JSON document: 509 { 510 "baz": "qux", 511 "foo": "bar" 512 } 514 A JSON Patch document: 516 [ 517 { "op": "remove", "path": "/baz" } 518 ] 520 The resulting JSON document: 522 { "foo": "bar" } 524 A.4. Removing an Array Element 526 An example target JSON document: 528 { "foo": [ "bar", "qux", "baz" ] } 530 A JSON Patch document: 532 [ 533 { "op": "remove", "path": "/foo/1" } 534 ] 536 The resulting JSON document: 538 { "foo": [ "bar", "baz" ] } 540 A.5. Replacing a Value 542 An example target JSON document: 544 { 545 "baz": "qux", 546 "foo": "bar" 547 } 549 A JSON Patch document: 551 [ 552 { "op": "replace", "path": "/baz", "value": "boo" } 554 ] 556 The resulting JSON document: 558 { 559 "baz": "boo", 560 "foo": "bar" 561 } 563 A.6. Moving a Value 565 An example target JSON document: 567 { 568 "foo": { 569 "bar": "baz", 570 "waldo": "fred" 571 }, 572 "qux": { 573 "corge": "grault" 574 } 575 } 577 A JSON Patch document: 579 [ 580 { "op": "move", "from": "/foo/waldo", "path": "/qux/thud" } 581 ] 583 The resulting JSON document: 585 { 586 "foo": { 587 "bar": "baz" 588 }, 589 "qux": { 590 "corge": "grault", 591 "thud": "fred" 592 } 593 } 595 A.7. Moving an Array Element 597 An example target JSON document: 599 { "foo": [ "all", "grass", "cows", "eat" ] } 601 A JSON Patch document: 603 [ 604 { "op": "move", "from": "/foo/1", "path": "/foo/3" } 605 ] 607 The resulting JSON document: 609 { "foo": [ "all", "cows", "eat", "grass" ] } 611 A.8. Testing a Value: Success 613 An example target JSON document: 615 { 616 "baz": "qux", 617 "foo": [ "a", 2, "c" ] 618 } 620 A JSON Patch document that will result in successful evaluation: 622 [ 623 { "op": "test", "path": "/baz", "value": "qux" }, 624 { "op": "test", "path": "/foo/1", "value": 2 } 625 ] 627 A.9. Testing a Value: Error 629 An example target JSON document: 631 { "baz": "qux" } 633 A JSON Patch document that will result in an error condition: 635 [ 636 { "op": "test", "path": "/baz", "value": "bar" } 637 ] 639 A.10. Adding a nested Member Object 641 An example target JSON document: 643 { "foo": "bar" } 645 A JSON Patch document: 647 [ 648 { "op": "add", "path": "/child", "value": { "grandchild": { } } } 649 ] 650 The resulting JSON document: 652 { 653 "foo": "bar", 654 "child": { 655 "grandchild": { 656 } 657 } 658 } 660 A.11. Ignoring Unrecognized Elements 662 An example target JSON document: 664 { "foo": "bar" } 666 A JSON Patch document: 668 [ 669 { "op": "add", "path": "/baz", "value": "qux", "xyz": 123 } 670 ] 672 The resulting JSON document: 674 { 675 "foo": "bar", 676 "baz": "qux" 677 } 679 A.12. Adding to a Non-existant Target 681 An example target JSON document: 683 { "foo": "bar" } 685 A JSON Patch document: 687 [ 688 { "op": "add", "path": "/baz/bat", "value": "qux" } 689 ] 691 This JSON Patch document, applied to the target JSON document above, 692 would result in an error (therefore not being applied) because the 693 "add" operation's target location that references neither the root of 694 the document, nor a member of an existing object, nor a member of an 695 existing array. 697 A.13. Invalid JSON Patch Document 699 A JSON Patch document: 701 [ 702 { "op": "add", "path": "/baz", "value": "qux", "op": "remove" } 703 ] 705 This JSON Patch document cannot be treated as an "add" operation 706 since there is a later "op":"remove" element. JSON requires that 707 object member names be unique with a "SHOULD" requirement, and there 708 is no standard error handling for duplicates. 710 A.14. ~ Escape Ordering 712 An example target JSON document: 714 { 715 "/": 9, 716 "~1": 10 717 } 719 A JSON Patch document: 721 [ 722 {"op": "test", "path": "/~01", "value": 10} 723 ] 725 The resulting JSON document: 727 { 728 "/": 9, 729 "~1": 10 730 } 732 A.15. Comparing Strings and Numbers 734 An example target JSON document: 736 { 737 "/": 9, 738 "~1": 10 739 } 741 A JSON Patch document: 743 [ 744 {"op": "test", "path": "/~01", "value": "10"} 746 ] 748 This results in an error, because the test fails; the document value 749 is numeric, whereas the value tested for is a string. 751 A.16. Adding an Array Value 753 An example target JSON document: 755 { "foo": ["bar"] } 757 A JSON Patch document: 759 [ 760 { "op": "add", "path": "/foo/-", "value": ["abc", "def"] } 761 ] 763 The resulting JSON document: 765 { "foo": ["bar", ["abc", "def"]] } 767 Authors' Addresses 769 Paul C. Bryan (editor) 770 Salesforce.com 772 Phone: +1 604 783 1481 773 Email: pbryan@anode.ca 775 Mark Nottingham (editor) 776 Akamai 778 Email: mnot@mnot.net