idnits 2.17.1 draft-ietf-httpbis-client-hints-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([2], [3], [1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 18, 2019) is 1593 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 387 -- Looks like a reference, but probably isn't: '2' on line 389 -- Looks like a reference, but probably isn't: '3' on line 391 == Unused Reference: 'KEY' is defined on line 373, but no explicit reference was found in the text == Unused Reference: 'RFC6265' is defined on line 377, but no explicit reference was found in the text == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-header-structure-14 ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110) ** Obsolete normative reference: RFC 7234 (Obsoleted by RFC 9111) == Outdated reference: A later version (-06) exists of draft-ietf-httpbis-variants-05 Summary: 4 errors (**), 0 flaws (~~), 5 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group I. Grigorik 3 Internet-Draft Y. Weiss 4 Intended status: Experimental Google 5 Expires: May 21, 2020 November 18, 2019 7 HTTP Client Hints 8 draft-ietf-httpbis-client-hints-08 10 Abstract 12 HTTP defines proactive content negotiation to allow servers to select 13 the appropriate response for a given request, based upon the user 14 agent's characteristics, as expressed in request headers. In 15 practice, clients are often unwilling to send those request headers, 16 because it is not clear whether they will be used, and sending them 17 impacts both performance and privacy. 19 This document defines an Accept-CH response header that servers can 20 use to advertise their use of request headers for proactive content 21 negotiation, along with a set of guidelines for the creation of such 22 headers, colloquially known as "Client Hints." 24 Note to Readers 26 Discussion of this draft takes place on the HTTP working group 27 mailing list (ietf-http-wg@w3.org), which is archived at 28 https://lists.w3.org/Archives/Public/ietf-http-wg/ [1]. 30 Working Group information can be found at http://httpwg.github.io/ 31 [2]; source code and issues list for this draft can be found at 32 https://github.com/httpwg/http-extensions/labels/client-hints [3]. 34 Status of This Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at https://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on May 21, 2020. 50 Copyright Notice 52 Copyright (c) 2019 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (https://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 68 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4 69 2. Client Hint Request Header Fields . . . . . . . . . . . . . . 4 70 2.1. Sending Client Hints . . . . . . . . . . . . . . . . . . 4 71 2.2. Server Processing of Client Hints . . . . . . . . . . . . 5 72 3. Advertising Server Support . . . . . . . . . . . . . . . . . 5 73 3.1. The Accept-CH Response Header Field . . . . . . . . . . . 5 74 3.1.1. Interaction with Caches . . . . . . . . . . . . . . . 6 75 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 76 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 77 5.1. Accept-CH . . . . . . . . . . . . . . . . . . . . . . . . 7 78 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 79 6.1. Normative References . . . . . . . . . . . . . . . . . . 7 80 6.2. Informative References . . . . . . . . . . . . . . . . . 8 81 6.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 82 Appendix A. Interaction with Variants Response Header Field . . 9 83 Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . 9 84 B.1. Since -00 . . . . . . . . . . . . . . . . . . . . . . . . 9 85 B.2. Since -01 . . . . . . . . . . . . . . . . . . . . . . . . 9 86 B.3. Since -02 . . . . . . . . . . . . . . . . . . . . . . . . 9 87 B.4. Since -03 . . . . . . . . . . . . . . . . . . . . . . . . 9 88 B.5. Since -04 . . . . . . . . . . . . . . . . . . . . . . . . 10 89 B.6. Since -05 . . . . . . . . . . . . . . . . . . . . . . . . 10 90 B.7. Since -06 . . . . . . . . . . . . . . . . . . . . . . . . 10 91 B.8. Since -07 . . . . . . . . . . . . . . . . . . . . . . . . 10 92 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 10 93 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 95 1. Introduction 97 There are thousands of different devices accessing the web, each with 98 different device capabilities and preference information. These 99 device capabilities include hardware and software characteristics, as 100 well as dynamic user and client preferences. Applications that want 101 to allow the server to optimize content delivery and user experience 102 based on such capabilities have, historically, had to rely on passive 103 identification (e.g., by matching User-Agent (Section 5.5.3 of 104 [RFC7231]) header field against an established database of client 105 signatures), used HTTP cookies and URL parameters, or use some 106 combination of these and similar mechanisms to enable ad hoc content 107 negotiation. 109 Such techniques are expensive to setup and maintain, are not portable 110 across both applications and servers, and make it hard to reason for 111 both client and server about which data is required and is in use 112 during the negotiation: 114 o User agent detection cannot reliably identify all static 115 variables, cannot infer dynamic client preferences, requires 116 external device database, is not cache friendly, and is reliant on 117 a passive fingerprinting surface. 118 o Cookie based approaches are not portable across applications and 119 servers, impose additional client-side latency by requiring 120 JavaScript execution, and are not cache friendly. 121 o URL parameters, similar to cookie based approaches, suffer from 122 lack of portability, and are hard to deploy due to a requirement 123 to encode content negotiation data inside of the URL of each 124 resource. 126 Proactive content negotiation (Section 3.4.1 of [RFC7231]) offers an 127 alternative approach; user agents use specified, well-defined request 128 headers to advertise their capabilities and characteristics, so that 129 servers can select (or formulate) an appropriate response. 131 However, proactive content negotiation requires clients to send these 132 request headers prolifically. This causes performance concerns 133 (because it creates "bloat" in requests), as well as privacy issues; 134 passively providing such information allows servers to silently 135 fingerprint the user agent. 137 This document defines a new response header, Accept-CH, that allows 138 an origin server to explicitly ask that clients send these headers in 139 requests. It also defines guidelines for content negotiation 140 mechanisms that use it, colloquially referred to as Client Hints. 142 Client Hints mitigate the performance concerns by assuring that 143 clients will only send the request headers when they're actually 144 going to be used, and the privacy concerns of passive fingerprinting 145 by requiring explicit opt-in and disclosure of required headers by 146 the server through the use of the Accept-CH response header. 148 This document defines the Client Hints infrastructure, a framework 149 that enables servers to opt-in to specific proactive content 150 negotiation features, which will enable them to adapt their content 151 accordingly. However, it does not define any specific features that 152 will use that infrastructure. Those features will be defined in 153 their respective specifications. 155 1.1. Notational Conventions 157 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 158 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 159 "OPTIONAL" in this document are to be interpreted as described in BCP 160 14 [RFC2119] [RFC8174] when, and only when, they appear in all 161 capitals, as shown here. 163 This document uses the Augmented Backus-Naur Form (ABNF) notation of 164 [RFC5234] with the list rule extension defined in [RFC7230], 165 Appendix B. It includes by reference the DIGIT rule from [RFC5234] 166 and the OWS and field-name rules from [RFC7230]. 168 2. Client Hint Request Header Fields 170 A Client Hint request header field is a HTTP header field that is 171 used by HTTP clients to indicate configuration data that can be used 172 by the server to select an appropriate response. Each one conveys 173 client preferences that the server can use to adapt and optimize the 174 response. 176 2.1. Sending Client Hints 178 Clients control which Client Hints are sent in requests, based on 179 their default settings, user configuration, and server preferences. 180 The client and server can use an opt-in mechanism outlined below to 181 negotiate which fields should be sent to allow for efficient content 182 adaption, and optionally use additional mechanisms to negotiate 183 delegation policies that control access of third parties to same 184 fields. 186 Implementers should be aware of the passive fingerprinting 187 implications when implementing support for Client Hints, and follow 188 the considerations outlined in "Security Considerations" section of 189 this document. 191 2.2. Server Processing of Client Hints 193 When presented with a request that contains one or more client hint 194 header fields, servers can optimize the response based upon the 195 information in them. When doing so, and if the resource is 196 cacheable, the server MUST also generate a Vary response header field 197 (Section 7.1.4 of [RFC7231]) to indicate which hints can affect the 198 selected response and whether the selected response is appropriate 199 for a later request. 201 Further, depending on the hint used, the server can generate 202 additional response header fields to convey related values to aid 203 client processing. 205 3. Advertising Server Support 207 Servers can advertise support for Client Hints using the mechnisms 208 described below. 210 3.1. The Accept-CH Response Header Field 212 The Accept-CH response header field or the equivalent HTML meta 213 element with http-equiv attribute ([HTML5]) indicate server support 214 for particular hints indicated in its value. 216 Accept-CH is a Structured Header [I-D.ietf-httpbis-header-structure]. 217 Its value MUST be an sh-list (Section 3.1 of 218 [I-D.ietf-httpbis-header-structure]) whose members are tokens 219 (Section 3.7 of [I-D.ietf-httpbis-header-structure]). Its ABNF is: 221 Accept-CH = sh-list 223 For example: 225 Accept-CH: Sec-CH-Example, Sec-CH-Example-2 227 When a client receives an HTTP response advertising support for 228 provided list of Clients Hints, it SHOULD process it as origin 229 ([RFC6454]) opt-in to receive Client Hint header fields advertised in 230 the field-value, for subsequent same-origin requests. 232 o The opt-in MUST be delivered over a secure transport. 233 o The opt-in SHOULD be persisted and bound to the origin to enable 234 delivery of Client Hints on subsequent requests to the server's 235 origin, and MUST NOT be persisted for an origin that isn't HTTPS. 237 Accept-CH: Sec-CH-Example, Sec-CH-Example-2 238 Accept-CH: Sec-CH-Example-3 240 For example, based on the Accept-CH example above, which is received 241 in response to a user agent navigating to "https://example.com", and 242 delivered over a secure transport: a user agent SHOULD persist an 243 Accept-CH preference bound to "https://example.com" and use it for 244 user agent navigations to "https://example.com" and any same-origin 245 resource requests initiated by the page constructed from the 246 navigation's response. This preference SHOULD NOT extend to resource 247 requests initiated to "https://example.com" from other origins. 249 3.1.1. Interaction with Caches 251 When selecting an optimized response based on one or more Client 252 Hints, and if the resource is cacheable, the server needs to generate 253 a Vary response header field ([RFC7234]) to indicate which hints can 254 affect the selected response and whether the selected response is 255 appropriate for a later request. 257 Vary: Sec-CH-Example 259 Above example indicates that the cache key needs to include the Sec- 260 CH-Example header field. 262 Vary: Sec-CH-Example, Sec-CH-Example-2 264 Above example indicates that the cache key needs to include the Sec- 265 CH-Example and Sec-CH-Example-2 header fields. 267 4. Security Considerations 269 The request header fields defined in this document, and those that 270 extend it, expose information about the user's environment to enable 271 proactive content negotiation. Such information may reveal new 272 information about the user and implementers ought to consider the 273 following considerations, recommendations, and best practices. 275 Transmitted Client Hints header fields SHOULD NOT provide new 276 information that is otherwise not available to the application via 277 other means, such as using HTML, CSS, or JavaScript. Further, 278 sending highly granular data, such as image and viewport width may 279 help identify users across multiple requests. Reducing the set of 280 field values that can be expressed, or restricting them to an 281 enumerated range where the advertised value is close but is not an 282 exact representation of the current value, can improve privacy and 283 reduce risk of linkability by ensuring that the same value is sent by 284 multiple users. However, such precautions can still be insufficient 285 for some types of data, especially data that can change over time. 287 Implementers ought to consider both user and server controlled 288 mechanisms and policies to control which Client Hints header fields 289 are advertised: 291 o Implementers SHOULD restrict delivery of some or all Client Hints 292 header fields to the opt-in origin only, unless the opt-in origin 293 has explicitly delegated permission to another origin to request 294 Client Hints header fields. 295 o Implementers MAY provide user choice mechanisms so that users may 296 balance privacy concerns with bandwidth limitations. However, 297 implementers should also be aware that explaining the privacy 298 implications of passive fingerprinting to users may be 299 challenging. 300 o Implementations specific to certain use cases or threat models MAY 301 avoid transmitting some or all of Client Hints header fields. For 302 example, avoid transmission of header fields that can carry higher 303 risks of linkability. 305 Implementers SHOULD support Client Hints opt-in mechanisms and MUST 306 clear persisted opt-in preferences when any one of site data, 307 browsing history, browsing cache, or similar, are cleared. 309 5. IANA Considerations 311 This document defines the "Accept-CH" HTTP response field, and 312 registers it in the Permanent Message Header Fields registry. 314 5.1. Accept-CH 316 o Header field name: Accept-CH 317 o Applicable protocol: HTTP 318 o Status: standard 319 o Author/Change controller: IETF 320 o Specification document(s): Section 3.1 of this document 321 o Related information: for Client Hints 323 6. References 325 6.1. Normative References 327 [HTML5] Hickson, I., Berjon, R., Faulkner, S., Leithead, T., 328 Navara, E., O'Connor, T., and S. Pfeiffer, "HTML5", 329 World Wide Web Consortium Recommendation REC- 330 html5-20141028, October 2014, 331 . 333 [I-D.ietf-httpbis-header-structure] 334 Nottingham, M. and P. Kamp, "Structured Headers for HTTP", 335 draft-ietf-httpbis-header-structure-14 (work in progress), 336 October 2019. 338 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 339 Requirement Levels", BCP 14, RFC 2119, 340 DOI 10.17487/RFC2119, March 1997, 341 . 343 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 344 Specifications: ABNF", STD 68, RFC 5234, 345 DOI 10.17487/RFC5234, January 2008, 346 . 348 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, 349 DOI 10.17487/RFC6454, December 2011, 350 . 352 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 353 Protocol (HTTP/1.1): Message Syntax and Routing", 354 RFC 7230, DOI 10.17487/RFC7230, June 2014, 355 . 357 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 358 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 359 DOI 10.17487/RFC7231, June 2014, 360 . 362 [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 363 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", 364 RFC 7234, DOI 10.17487/RFC7234, June 2014, 365 . 367 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 368 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 369 May 2017, . 371 6.2. Informative References 373 [KEY] Fielding, R. and M. Nottingham, "The Key HTTP Response 374 Header Field", draft-ietf-httpbis-key-01 (work in 375 progress), March 2016. 377 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, 378 DOI 10.17487/RFC6265, April 2011, 379 . 381 [VARIANTS] 382 Nottingham, M., "HTTP Representation Variants", draft- 383 ietf-httpbis-variants-05 (work in progress), March 2019. 385 6.3. URIs 387 [1] https://lists.w3.org/Archives/Public/ietf-http-wg/ 389 [2] http://httpwg.github.io/ 391 [3] https://github.com/httpwg/http-extensions/labels/client-hints 393 Appendix A. Interaction with Variants Response Header Field 395 Client Hints may be combined with Variants response header field 396 [VARIANTS] to enable fine-grained control of the cache key for 397 improved cache efficiency. Features that define Client Hints will 398 need to specify the related variants algorithms as described in 399 Section 6 of [VARIANTS]. 401 Appendix B. Changes 403 B.1. Since -00 405 o Issue 168 (make Save-Data extensible) updated ABNF. 406 o Issue 163 (CH review feedback) editorial feedback from httpwg 407 list. 408 o Issue 153 (NetInfo API citation) added normative reference. 410 B.2. Since -01 412 o Issue 200: Moved Key reference to informative. 413 o Issue 215: Extended passive fingerprinting and mitigation 414 considerations. 415 o Changed document status to experimental. 417 B.3. Since -02 419 o Issue 239: Updated reference to CR-css-values-3 420 o Issue 240: Updated reference for Network Information API 421 o Issue 241: Consistency in IANA considerations 422 o Issue 250: Clarified Accept-CH 424 B.4. Since -03 426 o Issue 284: Extended guidance for Accept-CH 427 o Issue 308: Editorial cleanup 428 o Issue 306: Define Accept-CH-Lifetime 430 B.5. Since -04 432 o Issue 361: Removed Downlink 433 o Issue 361: Moved Key to appendix, plus other editorial feedback 435 B.6. Since -05 437 o Issue 372: Scoped CH opt-in and delivery to secure transports 438 o Issue 373: Bind CH opt-in to origin 440 B.7. Since -06 442 o Issue 524: Save-Data is now defined by NetInfo spec, dropping 443 o PR 775: Removed specific features to be defined in other 444 specifications 446 B.8. Since -07 448 o Issue 761: Clarified that the defined headers are response 449 headers. 450 o Issue 730: Replaced Key reference with Variants. 451 o Issue 700: Replaced ABNF with structured headers. 452 o PR 878: Removed Accept-CH-Lifetime based on feedback at IETF 105 454 Acknowledgements 456 Thanks to Mark Nottingham, Julian Reschke, Chris Bentzel, Ben 457 Greenstein, Tarun Bansal, Roy Fielding, Vasiliy Faronov, Ted Hardie, 458 Jonas Sicking, Martin Thomson, and numerous other members of the IETF 459 HTTP Working Group for invaluable help and feedback. 461 Authors' Addresses 463 Ilya Grigorik 464 Google 466 Email: ilya@igvita.com 467 URI: https://www.igvita.com/ 469 Yoav Weiss 470 Google 472 Email: yoav@yoav.ws 473 URI: https://blog.yoav.ws/