HTTP Working Group                                            I. Grigorik
Internet-Draft                                                     Google
Intended status: Experimental                              March 11, 2019
Expires: September 12, 2019

                            HTTP Client Hints
                    draft-ietf-httpbis-client-hints-07

Abstract

   HTTP defines proactive content negotiation to allow servers to select
   the appropriate response for a given request, based upon the user
   agent's characteristics, as expressed in request headers.
   In practice, clients are often unwilling to send those request
   headers, because it is not clear whether they will be used, and
   sending them impacts both performance and privacy.

   This document defines two response headers, Accept-CH and
   Accept-CH-Lifetime, that servers can use to advertise their use of
   request headers for proactive content negotiation, along with a set
   of guidelines for the creation of such headers, colloquially known as
   "Client Hints."

   It also defines an initial set of Client Hints.

Note to Readers

   Discussion of this draft takes place on the HTTP working group
   mailing list (ietf-http-wg@w3.org), which is archived at
   https://lists.w3.org/Archives/Public/ietf-http-wg/.

   Working Group information can be found at http://httpwg.github.io/;
   source code and issues list for this draft can be found at
   https://github.com/httpwg/http-extensions/labels/client-hints.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Notational Conventions
   2.  Client Hint Request Header Fields
     2.1.  Sending Client Hints
     2.2.  Server Processing of Client Hints
       2.2.1.  Advertising Support via Accept-CH Header Field
       2.2.2.  The Accept-CH-Lifetime Header Field
       2.2.3.  Interaction with Caches
   3.  Security Considerations
   4.  IANA Considerations
     4.1.  Accept-CH
     4.2.  Accept-CH-Lifetime
   5.  References
     5.1.  Normative References
     5.2.  Informative References
     5.3.  URIs
   Appendix A.  Interaction with Key Response Header Field
   Appendix B.  Changes
     B.1.  Since -00
     B.2.  Since -01
     B.3.  Since -02
     B.4.  Since -03
     B.5.  Since -04
     B.6.  Since -05
     B.7.  Since -06
     B.8.  Since -07
   Acknowledgements
   Author's Address

1.  Introduction

   There are thousands of different devices accessing the web, each with
   different device capabilities and preference information.  These
   device capabilities include hardware and software characteristics, as
   well as dynamic user and client preferences.

   One way to infer some of these capabilities is through User-Agent
   (Section 5.5.3 of [RFC7231]) header field detection against an
   established database of client signatures.  However, this technique
   requires acquiring such a database, integrating it into the serving
   path, and keeping it up to date.  Even once this infrastructure is
   deployed, user agent sniffing has numerous limitations:

   o  User agent detection cannot reliably identify all static variables
   o  User agent detection cannot infer any dynamic client preferences
   o  User agent detection requires an external device database
   o  User agent detection is not cache friendly

   A popular alternative strategy is to use HTTP cookies ([RFC6265]) to
   communicate some information about the user agent.  However, this
   approach is also not cache friendly, is bound by the same-origin
   policy, and often imposes additional client-side latency by requiring
   JavaScript execution to create and manage HTTP cookies.

   Proactive content negotiation (Section 3.4.1 of [RFC7231]) offers an
   alternative approach: user agents use specified, well-defined request
   headers to advertise their capabilities and characteristics, so that
   servers can select (or formulate) an appropriate response.

   However, proactive content negotiation requires clients to send these
   request headers prolifically.
   This causes performance concerns (because it creates "bloat" in
   requests), as well as privacy issues: passively providing such
   information allows servers to silently fingerprint the user agent.

   This document defines a new response header, Accept-CH, that allows
   an origin server to explicitly ask that clients send these headers in
   requests, for a period of time bounded by the Accept-CH-Lifetime
   response header.  It also defines guidelines for content negotiation
   mechanisms that use it, colloquially referred to as Client Hints.

   Client Hints mitigate the performance concerns by assuring that
   clients will only send the request headers when they're actually
   going to be used, and the privacy concerns of passive fingerprinting
   by requiring explicit opt-in and disclosure of required headers by
   the server through the use of the Accept-CH response header.

   This document defines the Client Hints infrastructure, a framework
   that enables servers to opt in to specific proactive content
   negotiation features, which will enable them to adapt their content
   accordingly.  However, it does not define any specific features that
   will use that infrastructure.  Those features will be defined in
   their respective specifications.

   This document does not supersede or replace the User-Agent header
   field.  Existing device detection mechanisms can continue to use both
   mechanisms if necessary.  By advertising user agent capabilities
   within a request header field, Client Hints allow for cache friendly
   and proactive content negotiation.

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
   This document uses the Augmented Backus-Naur Form (ABNF) notation of
   [RFC5234] with the list rule extension defined in [RFC7230],
   Appendix B.  It includes by reference the DIGIT rule from [RFC5234]
   and the OWS and field-name rules from [RFC7230].

2.  Client Hint Request Header Fields

   A Client Hint request header field is an HTTP header field that is
   used by HTTP clients to indicate configuration data that can be used
   by the server to select an appropriate response.  Each one conveys
   client preferences that the server can use to adapt and optimize the
   response.

2.1.  Sending Client Hints

   Clients control which Client Hints are sent in requests, based on
   their default settings, user configuration, and server preferences.
   The client and server can use the opt-in mechanism outlined below to
   negotiate which fields should be sent to allow for efficient content
   adaptation, and optionally use additional mechanisms to negotiate
   delegation policies that control access of third parties to the same
   fields.

   Implementers should be aware of the passive fingerprinting
   implications when implementing support for Client Hints, and follow
   the considerations outlined in the "Security Considerations" section
   of this document.

2.2.  Server Processing of Client Hints

   When presented with a request that contains one or more client hint
   header fields, servers can optimize the response based upon the
   information in them.  When doing so, and if the resource is
   cacheable, the server MUST also generate a Vary response header field
   (Section 7.1.4 of [RFC7231]) to indicate which hints can affect the
   selected response and whether the selected response is appropriate
   for a later request.

   Further, depending on the hint used, the server can generate
   additional response header fields to convey related values to aid
   client processing.

2.2.1.  Advertising Support via Accept-CH Header Field

   Servers can advertise support for Client Hints using the Accept-CH
   header field or an equivalent HTML meta element with http-equiv
   attribute ([HTML5]).

     Accept-CH = #field-name

   For example:

     Accept-CH: Sec-CH-Example, Sec-CH-Example-2

   When a client receives an HTTP response advertising support for
   Client Hints, it should process it as an origin ([RFC6454]) opt-in to
   receive the Client Hint header fields advertised in the field-value.
   The opt-in MUST be delivered over a secure transport.

   For example, based on the Accept-CH example above, a user agent could
   append the Sec-CH-Example and Sec-CH-Example-2 header fields to all
   same-origin resource requests initiated by the page constructed from
   the response.

2.2.2.  The Accept-CH-Lifetime Header Field

   Servers can ask the client to remember the set of Client Hints that
   the server supports for a specified period of time, to enable
   delivery of Client Hints on subsequent requests to the server's
   origin ([RFC6454]).

     Accept-CH-Lifetime = #delta-seconds

   When a client receives an HTTP response that contains an
   Accept-CH-Lifetime header field, the field-value indicates that the
   Accept-CH preference SHOULD be persisted and bound to the origin, and
   be considered stale after the response's age ([RFC7234], Section 4.2)
   is greater than the specified number of seconds.  The preference MUST
   be delivered over a secure transport, and MUST NOT be persisted for
   an origin that isn't HTTPS.
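   The client-side rules of Sections 2.2.1 and 2.2.2 (secure transport,
   origin binding, staleness of an Accept-CH-Lifetime preference against
   the response's age, last Accept-CH-Lifetime value winning, and clearing
   with site data) as an added Python example; this is illustrative code
   written for this page, not the draft's text nor any browser's
   implementation.  AcceptCHStore, origin_of and parse_list are assumed
   helper names, default ports are not normalised, and a preference that
   arrives without Accept-CH-Lifetime is kept for the session as a
   simplification.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Preference:
    hints: frozenset[str]      # lower-cased field names listed in Accept-CH
    expires_at: float | None   # absolute time; None = no Accept-CH-Lifetime (session-scoped here)


def origin_of(url: str) -> str:
    """RFC 6454 style origin key (scheme://host[:port], lower-cased).
    Simplification: default ports are not normalised."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_list(values: list[str]) -> list[str]:
    """Apply the RFC 7230 #rule across repeated header lines, dropping empty items."""
    return [m.strip() for v in values for m in v.split(",") if m.strip()]


class AcceptCHStore:
    """User-agent side bookkeeping for Accept-CH opt-ins (hypothetical helper)."""

    def __init__(self) -> None:
        self._prefs: dict[str, Preference] = {}

    def process_response(self, url: str, headers: list[tuple[str, str]],
                         now: float, age: float = 0.0) -> Preference | None:
        """Record the opt-in carried by a response to `url`; `age` is its Age in seconds."""
        origin = origin_of(url)
        # The opt-in MUST arrive over a secure transport and MUST NOT be
        # persisted for an origin that is not HTTPS.
        if not origin.startswith("https://"):
            return None
        accept_ch = [v for n, v in headers if n.lower() == "accept-ch"]
        if not accept_ch:
            return None
        hints = frozenset(h.lower() for h in parse_list(accept_ch))
        lifetimes = parse_list([v for n, v in headers if n.lower() == "accept-ch-lifetime"])
        expires_at = None
        if lifetimes and lifetimes[-1].isdigit():   # last value overrides earlier ones
            # Stale once the response's age exceeds delta-seconds; a non-numeric
            # value is ignored (assumption: the draft does not say what to do).
            expires_at = now - age + int(lifetimes[-1])
        pref = Preference(hints, expires_at)
        self._prefs[origin] = pref
        return pref

    def hints_for_request(self, url: str, initiator: str, now: float) -> tuple[str, ...]:
        """Hint field names to attach to a request for `url` made by a page at `initiator`."""
        origin = origin_of(url)
        pref = self._prefs.get(origin)
        if pref is None:
            return ()
        if pref.expires_at is not None and now > pref.expires_at:
            del self._prefs[origin]         # stale preference: forget it
            return ()
        # Bound to the origin: a request to this origin initiated from another origin gets nothing.
        if origin_of(initiator) != origin:
            return ()
        return tuple(sorted(pref.hints))

    def clear(self) -> None:
        """Section 3: drop persisted opt-ins when site data, history or cache are cleared."""
        self._prefs.clear()
```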
     Accept-CH: Sec-CH-Example, Sec-CH-Example-2
     Accept-CH: Sec-CH-Example-3
     Accept-CH-Lifetime: 86400

   For example, based on the Accept-CH and Accept-CH-Lifetime example
   above, which is received in response to a user agent navigating to
   "https://example.com", and delivered over a secure transport: a user
   agent SHOULD persist an Accept-CH preference bound to
   "https://example.com" for up to 86400 seconds (1 day), and use it for
   user agent navigations to "https://example.com" and any same-origin
   resource requests initiated by the page constructed from the
   navigation's response.  This preference SHOULD NOT extend to resource
   requests initiated to "https://example.com" from other origins.

   If Accept-CH-Lifetime occurs in a message more than once, the last
   value overrides all previous occurrences.

2.2.3.  Interaction with Caches

   When selecting an optimized response based on one or more Client
   Hints, and if the resource is cacheable, the server needs to generate
   a Vary response header field ([RFC7234]) to indicate which hints can
   affect the selected response and whether the selected response is
   appropriate for a later request.

     Vary: Sec-CH-Example

   The above example indicates that the cache key needs to include the
   Sec-CH-Example header field.

     Vary: Sec-CH-Example, Sec-CH-Example-2

   The above example indicates that the cache key needs to include the
   Sec-CH-Example and Sec-CH-Example-2 header fields.

3.  Security Considerations

   The request header fields defined in this document, and those that
   extend it, expose information about the user's environment to enable
   proactive content negotiation.  Such information may reveal new
   information about the user, and implementers ought to consider the
   following considerations, recommendations, and best practices.
   Transmitted Client Hints header fields SHOULD NOT provide new
   information that is otherwise not available to the application via
   other means, such as using HTML, CSS, or JavaScript.  Further,
   sending highly granular data, such as image and viewport width, may
   help identify users across multiple requests.  Reducing the set of
   field values that can be expressed, or restricting them to an
   enumerated range where the advertised value is close but is not an
   exact representation of the current value, can improve privacy and
   reduce the risk of linkability by ensuring that the same value is
   sent by multiple users.  However, such precautions can still be
   insufficient for some types of data, especially data that can change
   over time.

   Implementers ought to consider both user and server controlled
   mechanisms and policies to control which Client Hints header fields
   are advertised:

   o  Implementers SHOULD restrict delivery of some or all Client Hints
      header fields to the opt-in origin only, unless the opt-in origin
      has explicitly delegated permission to another origin to request
      Client Hints header fields.
   o  Implementers MAY provide user choice mechanisms so that users may
      balance privacy concerns with bandwidth limitations.  However,
      implementers should also be aware that explaining the privacy
      implications of passive fingerprinting to users may be
      challenging.
   o  Implementations specific to certain use cases or threat models MAY
      avoid transmitting some or all of the Client Hints header fields.
      For example, avoid transmission of header fields that can carry
      higher risks of linkability.

   Implementers SHOULD support Client Hints opt-in mechanisms and MUST
   clear persisted opt-in preferences when any one of site data,
   browsing history, browsing cache, or similar, are cleared.
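   The value-coarsening mitigation described above, as an added Python
   example (not part of the draft): an exact viewport width is replaced
   by one of an enumerated set of advertised widths, and the resulting
   anonymity sets are measured over a constructed sample population.
   WIDTH_BUCKETS, SAMPLE_WIDTHS and the helper names are assumptions
   made for this illustration.

```python
from __future__ import annotations
from collections import Counter

# Enumerated widths a user agent would advertise instead of the exact
# viewport width.  Constructed for this example; the draft prescribes no set.
WIDTH_BUCKETS = (320, 480, 640, 800, 1024, 1280, 1600, 1920)


def coarsen(width: int, buckets: tuple[int, ...] = WIDTH_BUCKETS) -> int:
    """Advertise the smallest enumerated value >= the true width.

    Rounding up keeps the hint useful for content selection (the server
    never picks a variant narrower than the viewport) while the exact
    value is no longer transmitted.
    """
    for b in buckets:
        if width <= b:
            return b
    return buckets[-1]            # wider than the largest bucket: cap it


def anonymity_sets(widths, transform=coarsen) -> dict[int, int]:
    """Count how many users end up sending each advertised value."""
    return dict(Counter(transform(w) for w in widths))


def min_anonymity_set(widths, transform=coarsen) -> int:
    """Size of the smallest group; 1 means some user is singled out by
    this field alone."""
    return min(anonymity_sets(widths, transform).values())


# Constructed sample population of exact viewport widths (not measured data).
SAMPLE_WIDTHS = [1366, 1366, 1440, 1536, 1280, 1920, 1920, 375, 390, 412,
                 414, 768, 800, 1024, 1600]

if __name__ == "__main__":
    exact = anonymity_sets(SAMPLE_WIDTHS, transform=lambda w: w)
    coarse = anonymity_sets(SAMPLE_WIDTHS)
    print(f"exact values: {len(exact)} distinct, smallest group {min(exact.values())}")
    print(f"coarsened:    {len(coarse)} distinct, smallest group {min(coarse.values())}")
    # Buckets holding a single user (1280 and 1024 here) still single that
    # user out: the draft's caveat that such precautions can be insufficient.
```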
4.  IANA Considerations

   This document defines the "Accept-CH" and "Accept-CH-Lifetime" HTTP
   response fields, and registers them in the Permanent Message Header
   Fields registry.

4.1.  Accept-CH

   o  Header field name: Accept-CH
   o  Applicable protocol: HTTP
   o  Status: standard
   o  Author/Change controller: IETF
   o  Specification document(s): Section 2.2.1 of this document
   o  Related information: for Client Hints

4.2.  Accept-CH-Lifetime

   o  Header field name: Accept-CH-Lifetime
   o  Applicable protocol: HTTP
   o  Status: standard
   o  Author/Change controller: IETF
   o  Specification document(s): Section 2.2.2 of this document
   o  Related information: for Client Hints

5.  References

5.1.  Normative References

   [HTML5]    Hickson, I., Berjon, R., Faulkner, S., Leithead, T.,
              Navara, E., O'Connor, T., and S. Pfeiffer, "HTML5",
              World Wide Web Consortium Recommendation
              REC-html5-20141028, October 2014.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008.

   [RFC6454]  Barth, A., "The Web Origin Concept", RFC 6454,
              DOI 10.17487/RFC6454, December 2011.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              DOI 10.17487/RFC7231, June 2014.

   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
              RFC 7234, DOI 10.17487/RFC7234, June 2014.
   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

5.2.  Informative References

   [KEY]      Fielding, R. and M. Nottingham, "The Key HTTP Response
              Header Field", draft-ietf-httpbis-key-01 (work in
              progress), March 2016.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              DOI 10.17487/RFC6265, April 2011.

Appendix A.  Interaction with Key Response Header Field

   Client Hints may be combined with the Key response header field
   ([KEY]) to enable fine-grained control of the cache key for improved
   cache efficiency.  For example, the server can return the following
   set of instructions:

     Key: Sec-CH-Example;partition=1.5:2.5:4.0

   The above example indicates that the cache key needs to include the
   value of the Sec-CH-Example header field with three segments: less
   than 1.5, 1.5 to less than 2.5, and 4.0 or greater.

     Key: Width;Sec-CH-Example=320

   The above example indicates that the cache key needs to include the
   value of the Sec-CH-Example header field and be partitioned into
   groups of 320: 0-320, 320-640, and so on.

Appendix B.  Changes

B.1.  Since -00

   o  Issue 168 (make Save-Data extensible) updated ABNF.
   o  Issue 163 (CH review feedback) editorial feedback from httpwg
      list.
   o  Issue 153 (NetInfo API citation) added normative reference.

B.2.  Since -01

   o  Issue 200: Moved Key reference to informative.
   o  Issue 215: Extended passive fingerprinting and mitigation
      considerations.
   o  Changed document status to experimental.

B.3.  Since -02

   o  Issue 239: Updated reference to CR-css-values-3
   o  Issue 240: Updated reference for Network Information API
   o  Issue 241: Consistency in IANA considerations
   o  Issue 250: Clarified Accept-CH

B.4.  Since -03

   o  Issue 284: Extended guidance for Accept-CH
   o  Issue 308: Editorial cleanup
   o  Issue 306: Define Accept-CH-Lifetime

B.5.  Since -04

   o  Issue 361: Removed Downlink
   o  Issue 361: Moved Key to appendix, plus other editorial feedback

B.6.  Since -05

   o  Issue 372: Scoped CH opt-in and delivery to secure transports
   o  Issue 373: Bind CH opt-in to origin

B.7.  Since -06

   o  Issue 524: Save-Data is now defined by NetInfo spec, dropping

B.8.  Since -07

   o  Removed specific features to be defined in other specifications

Acknowledgements

   Thanks to Mark Nottingham, Julian Reschke, Chris Bentzel, Yoav Weiss,
   Ben Greenstein, Tarun Bansal, Roy Fielding, Vasiliy Faronov, Ted
   Hardie, Jonas Sicking, and numerous other members of the IETF HTTP
   Working Group for invaluable help and feedback.

Author's Address

   Ilya Grigorik
   Google

   Email: ilya@igvita.com
   URI:   https://www.igvita.com/