idnits 2.17.1
draft-ietf-httpbis-client-hints-09.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([2], [3], [1]), which it
shouldn't. Please replace those with straight textual mentions of the
documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (February 18, 2020) is 1529 days in the past. Is this
intentional?
Checking references for intended status: Experimental
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 469
-- Looks like a reference, but probably isn't: '2' on line 471
-- Looks like a reference, but probably isn't: '3' on line 473
== Unused Reference: 'RFC6265' is defined on line 458, but no explicit
reference was found in the text
== Outdated reference: A later version (-19) exists of
draft-ietf-httpbis-header-structure-15
** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112)
** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 7234 (Obsoleted by RFC 9111)
Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 4 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 HTTP Working Group I. Grigorik
3 Internet-Draft Y. Weiss
4 Intended status: Experimental Google
5 Expires: August 21, 2020 February 18, 2020
7 HTTP Client Hints
8 draft-ietf-httpbis-client-hints-09
10 Abstract
12 HTTP defines proactive content negotiation to allow servers to select
13 the appropriate response for a given request, based upon the user
14 agent's characteristics, as expressed in request headers. In
15 practice, clients are often unwilling to send those request headers,
16 because it is not clear whether they will be used, and sending them
17 impacts both performance and privacy.
19 This document defines an Accept-CH response header that servers can
20 use to advertise their use of request headers for proactive content
21 negotiation, along with a set of guidelines for the creation of such
22 headers, colloquially known as "Client Hints."
24 Note to Readers
26 Discussion of this draft takes place on the HTTP working group
27 mailing list (ietf-http-wg@w3.org), which is archived at
28 https://lists.w3.org/Archives/Public/ietf-http-wg/ [1].
30 Working Group information can be found at http://httpwg.github.io/
31 [2]; source code and issues list for this draft can be found at
32 https://github.com/httpwg/http-extensions/labels/client-hints [3].
34 Status of This Memo
36 This Internet-Draft is submitted in full conformance with the
37 provisions of BCP 78 and BCP 79.
39 Internet-Drafts are working documents of the Internet Engineering
40 Task Force (IETF). Note that other groups may also distribute
41 working documents as Internet-Drafts. The list of current Internet-
42 Drafts is at https://datatracker.ietf.org/drafts/current/.
44 Internet-Drafts are draft documents valid for a maximum of six months
45 and may be updated, replaced, or obsoleted by other documents at any
46 time. It is inappropriate to use Internet-Drafts as reference
47 material or to cite them other than as "work in progress."
48 This Internet-Draft will expire on August 21, 2020.
50 Copyright Notice
52 Copyright (c) 2020 IETF Trust and the persons identified as the
53 document authors. All rights reserved.
55 This document is subject to BCP 78 and the IETF Trust's Legal
56 Provisions Relating to IETF Documents
57 (https://trustee.ietf.org/license-info) in effect on the date of
58 publication of this document. Please review these documents
59 carefully, as they describe your rights and restrictions with respect
60 to this document. Code Components extracted from this document must
61 include Simplified BSD License text as described in Section 4.e of
62 the Trust Legal Provisions and are provided without warranty as
63 described in the Simplified BSD License.
65 Table of Contents
67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
68 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4
69 2. Client Hint Request Header Fields . . . . . . . . . . . . . . 4
70 2.1. Sending Client Hints . . . . . . . . . . . . . . . . . . 4
71 2.2. Server Processing of Client Hints . . . . . . . . . . . . 5
72 3. Advertising Server Support . . . . . . . . . . . . . . . . . 5
73 3.1. The Accept-CH Response Header Field . . . . . . . . . . . 5
74 3.1.1. Interaction with Caches . . . . . . . . . . . . . . . 6
75 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
76 4.1. Information Exposure . . . . . . . . . . . . . . . . . . 6
77 5. Cost of Sending Hints . . . . . . . . . . . . . . . . . . . . 8
78 5.1. Deployment and Security Risks . . . . . . . . . . . . . . 8
79 5.2. Abuse Detection . . . . . . . . . . . . . . . . . . . . . 9
80 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
81 6.1. Accept-CH . . . . . . . . . . . . . . . . . . . . . . . . 9
82 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
83 7.1. Normative References . . . . . . . . . . . . . . . . . . 9
84 7.2. Informative References . . . . . . . . . . . . . . . . . 10
85 7.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 10
86 Appendix A. Interaction with Variants Response Header Field . . 11
87 Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . 11
88 B.1. Since -00 . . . . . . . . . . . . . . . . . . . . . . . . 11
89 B.2. Since -01 . . . . . . . . . . . . . . . . . . . . . . . . 11
90 B.3. Since -02 . . . . . . . . . . . . . . . . . . . . . . . . 11
91 B.4. Since -03 . . . . . . . . . . . . . . . . . . . . . . . . 11
92 B.5. Since -04 . . . . . . . . . . . . . . . . . . . . . . . . 11
93 B.6. Since -05 . . . . . . . . . . . . . . . . . . . . . . . . 11
94 B.7. Since -06 . . . . . . . . . . . . . . . . . . . . . . . . 12
95 B.8. Since -07 . . . . . . . . . . . . . . . . . . . . . . . . 12
96 B.9. Since -08 . . . . . . . . . . . . . . . . . . . . . . . . 12
97 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
98 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
100 1. Introduction
102 There are thousands of different devices accessing the web, each with
103 different device capabilities and preference information. These
104 device capabilities include hardware and software characteristics, as
105 well as dynamic user and client preferences. Applications that want
106 to allow the server to optimize content delivery and user experience
107 based on such capabilities have, historically, had to rely on passive
108 identification (e.g., by matching User-Agent (Section 5.5.3 of
109 [RFC7231]) header field against an established database of client
110 signatures), used HTTP cookies and URL parameters, or use some
111 combination of these and similar mechanisms to enable ad hoc content
112 negotiation.
114 Such techniques are expensive to setup and maintain, are not portable
115 across both applications and servers, and make it hard to reason for
116 both client and server about which data is required and is in use
117 during the negotiation:
119 o User agent detection cannot reliably identify all static
120 variables, cannot infer dynamic client preferences, requires
121 external device database, is not cache friendly, and is reliant on
122 a passive fingerprinting surface.
123 o Cookie based approaches are not portable across applications and
124 servers, impose additional client-side latency by requiring
125 JavaScript execution, and are not cache friendly.
126 o URL parameters, similar to cookie based approaches, suffer from
127 lack of portability, and are hard to deploy due to a requirement
128 to encode content negotiation data inside of the URL of each
129 resource.
131 Proactive content negotiation (Section 3.4.1 of [RFC7231]) offers an
132 alternative approach; user agents use specified, well-defined request
133 headers to advertise their capabilities and characteristics, so that
134 servers can select (or formulate) an appropriate response.
136 However, proactive content negotiation requires clients to send these
137 request headers prolifically. This causes performance concerns
138 (because it creates "bloat" in requests), as well as privacy issues;
139 passively providing such information allows servers to silently
140 fingerprint the user agent.
142 This document defines a new response header, Accept-CH, that allows
143 an origin server to explicitly ask that clients send these headers in
144 requests. It also defines guidelines for content negotiation
145 mechanisms that use it, colloquially referred to as Client Hints.
147 Client Hints mitigate the performance concerns by assuring that
148 clients will only send the request headers when they're actually
149 going to be used, and the privacy concerns of passive fingerprinting
150 by requiring explicit opt-in and disclosure of required headers by
151 the server through the use of the Accept-CH response header.
153 This document defines the Client Hints infrastructure, a framework
154 that enables servers to opt-in to specific proactive content
155 negotiation features, which will enable them to adapt their content
156 accordingly. However, it does not define any specific features that
157 will use that infrastructure. Those features will be defined in
158 their respective specifications.
160 1.1. Notational Conventions
162 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
163 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
164 "OPTIONAL" in this document are to be interpreted as described in BCP
165 14 [RFC2119] [RFC8174] when, and only when, they appear in all
166 capitals, as shown here.
168 This document uses the Augmented Backus-Naur Form (ABNF) notation of
169 [RFC5234] with the list rule extension defined in [RFC7230],
170 Appendix B. It includes by reference the DIGIT rule from [RFC5234]
171 and the OWS and field-name rules from [RFC7230].
173 2. Client Hint Request Header Fields
175 A Client Hint request header field is a HTTP header field that is
176 used by HTTP clients to indicate configuration data that can be used
177 by the server to select an appropriate response. Each one conveys
178 client preferences that the server can use to adapt and optimize the
179 response.
181 2.1. Sending Client Hints
183 Clients control which Client Hints are sent in requests, based on
184 their default settings, user configuration, and server preferences.
185 The client and server can use an opt-in mechanism outlined below to
186 negotiate which fields should be sent to allow for efficient content
187 adaption, and optionally use additional mechanisms to negotiate
188 delegation policies that control access of third parties to same
189 fields.
191 Implementers should be aware of the passive fingerprinting
192 implications when implementing support for Client Hints, and follow
193 the considerations outlined in "Security Considerations" section of
194 this document.
196 2.2. Server Processing of Client Hints
198 When presented with a request that contains one or more client hint
199 header fields, servers can optimize the response based upon the
200 information in them. When doing so, and if the resource is
201 cacheable, the server MUST also generate a Vary response header field
202 (Section 7.1.4 of [RFC7231]) to indicate which hints can affect the
203 selected response and whether the selected response is appropriate
204 for a later request.
206 Further, depending on the hint used, the server can generate
207 additional response header fields to convey related values to aid
208 client processing.
210 3. Advertising Server Support
212 Servers can advertise support for Client Hints using the mechnisms
213 described below.
215 3.1. The Accept-CH Response Header Field
217 The Accept-CH response header field or the equivalent HTML meta
218 element with http-equiv attribute ([HTML]) indicate server support
219 for particular hints indicated in its value.
221 Accept-CH is a Structured Header [I-D.ietf-httpbis-header-structure].
222 Its value MUST be an sh-list (Section 3.1 of
223 [I-D.ietf-httpbis-header-structure]) whose members are tokens
224 (Section 3.7 of [I-D.ietf-httpbis-header-structure]). Its ABNF is:
226 Accept-CH = sh-list
228 For example:
230 Accept-CH: Sec-CH-Example, Sec-CH-Example-2
232 When a client receives an HTTP response advertising support for
233 provided list of Clients Hints, it SHOULD process it as origin
234 ([RFC6454]) opt-in to receive Client Hint header fields advertised in
235 the field-value, for subsequent same-origin requests.
237 o The opt-in MUST be delivered over a secure transport.
239 o The opt-in SHOULD be persisted and bound to the origin to enable
240 delivery of Client Hints on subsequent requests to the server's
241 origin, and MUST NOT be persisted for an origin that isn't HTTPS.
243 Accept-CH: Sec-CH-Example, Sec-CH-Example-2
244 Accept-CH: Sec-CH-Example-3
246 For example, based on the Accept-CH example above, which is received
247 in response to a user agent navigating to "https://example.com", and
248 delivered over a secure transport: a user agent SHOULD persist an
249 Accept-CH preference bound to "https://example.com" and use it for
250 user agent navigations to "https://example.com" and any same-origin
251 resource requests initiated by the page constructed from the
252 navigation's response. This preference SHOULD NOT extend to resource
253 requests initiated to "https://example.com" from other origins.
255 3.1.1. Interaction with Caches
257 When selecting an optimized response based on one or more Client
258 Hints, and if the resource is cacheable, the server needs to generate
259 a Vary response header field ([RFC7234]) to indicate which hints can
260 affect the selected response and whether the selected response is
261 appropriate for a later request.
263 Vary: Sec-CH-Example
265 Above example indicates that the cache key needs to include the Sec-
266 CH-Example header field.
268 Vary: Sec-CH-Example, Sec-CH-Example-2
270 Above example indicates that the cache key needs to include the Sec-
271 CH-Example and Sec-CH-Example-2 header fields.
273 4. Security Considerations
275 4.1. Information Exposure
277 Request header fields used in features relying on this document
278 expose information about the user's environment to enable proactive
279 content negotiation. Such information may reveal new information
280 about the user and implementers ought to consider the following
281 considerations, recommendations, and best practices.
283 The underlying assumption is that exposing information about the user
284 as a request header is equivalent to the capability of that request's
285 origin to access that information by other means and transmit it to
286 itself.
288 Therefore, features relying on this document to define Client Hint
289 headers MUST NOT provide new information that is otherwise not
290 available to the application via other means, such as existing
291 request headers, HTML, CSS, or JavaScript.
293 Such features SHOULD take into account the following aspects of the
294 information exposed:
296 o Entropy
298 * Exposing highly granular data may help identify users across
299 multiple requests to different origins. Reducing the set of
300 field values that can be expressed, or restricting them to an
301 enumerated range where the advertised value is close but is not
302 an exact representation of the current value, can improve
303 privacy and reduce risk of linkability by ensuring that the
304 same value is sent by multiple users.
305 o Sensitivity
307 * The feature SHOULD NOT expose user sensitive information. To
308 that end, information available to the application, but gated
309 behind specific user actions (e.g. a permission prompt or user
310 activation) SHOULD NOT be exposed as a Client Hint.
311 o Change over time
313 * The feature SHOULD NOT expose user information that changes
314 over time, unless the state change itself is also exposed (e.g.
315 through JavaScript callbacks).
317 Different features will be positioned in different points in the
318 space between low-entropy, non-sensitive and static information (e.g.
319 user agent information), and high-entropy, sensitive and dynamic
320 information (e.g. geolocation). User agents SHOULD consider the
321 value provided by a particular feature vs these considerations, and
322 MAY have different policies regarding that tradeoff on a per-feature
323 basis.
325 Implementers ought to consider both user and server controlled
326 mechanisms and policies to control which Client Hints header fields
327 are advertised:
329 o Implementers SHOULD restrict delivery of some or all Client Hints
330 header fields to the opt-in origin only, unless the opt-in origin
331 has explicitly delegated permission to another origin to request
332 Client Hints header fields.
333 o Implementers MAY provide user choice mechanisms so that users may
334 balance privacy concerns with bandwidth limitations. However,
335 implementers should also be aware that explaining the privacy
336 implications of passive fingerprinting to users may be
337 challenging.
338 o Implementations specific to certain use cases or threat models MAY
339 avoid transmitting some or all of Client Hints header fields. For
340 example, avoid transmission of header fields that can carry higher
341 risks of linkability.
343 Implementers SHOULD support Client Hints opt-in mechanisms and MUST
344 clear persisted opt-in preferences when any one of site data,
345 browsing history, browsing cache, cookies, or similar, are cleared.
347 5. Cost of Sending Hints
349 While HTTP header compression schemes reduce the cost of adding HTTP
350 header fields, sending Client Hints to the server incurs an increase
351 in request byte size. Servers SHOULD take that into account when
352 opting in to receive Client Hints, and SHOULD NOT opt-in to receive
353 hints unless they are to be used for content adaptation purposes.
355 Due to request byte size increase, features relying on this document
356 to define Client Hints MAY consider restricting sending those hints
357 to certain request destinations [FETCH], where they are more likely
358 to be useful.
360 5.1. Deployment and Security Risks
362 Deployment of new request headers requires several considerations:
364 o Potential conflicts due to existing use of field name
365 o Properties of the data communicated in field value
367 Authors of new Client Hints are advised to carefully consider whether
368 they should be able to be added by client-side content (e.g.,
369 scripts), or whether they should be exclusively set by the user
370 agent. In the latter case, the Sec- prefix on the header field name
371 has the effect of preventing scripts and other application content
372 from setting them in user agents. Using the "Sec-" prefix signals to
373 servers that the user agent - and not application content - generated
374 the values. See [FETCH] for more information.
376 By convention, request headers that are client hints are encouraged
377 to use a CH- prefix, to make them easier to identify as using this
378 framework; for example, CH-Foo or, with a "Sec-" prefix, Sec-CH-Foo.
379 Doing so makes them easier to identify programmatically (e.g., for
380 stripping unrecognised hints from requests by privacy filters).
382 5.2. Abuse Detection
384 A user agent that tracks access to active fingerprinting information
385 SHOULD consider emission of Client Hints headers similarly to the way
386 it would consider access to the equivalent API.
388 Research into abuse of Client Hints might look at how HTTP responses
389 that contain Client Hints differ from those with different values,
390 and from those without. This might be used to reveal which Client
391 Hints are in use, allowing researchers to further analyze that use.
393 6. IANA Considerations
395 This document defines the "Accept-CH" HTTP response field, and
396 registers it in the Permanent Message Header Fields registry.
398 6.1. Accept-CH
400 o Header field name: Accept-CH
401 o Applicable protocol: HTTP
402 o Status: standard
403 o Author/Change controller: IETF
404 o Specification document(s): Section 3.1 of this document
405 o Related information: for Client Hints
407 7. References
409 7.1. Normative References
411 [FETCH] van Kesteren, A., "Fetch", n.d.,
412 .
414 [HTML] Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt,
415 P., and D. Denicola, "HTML", n.d.,
416 .
418 [I-D.ietf-httpbis-header-structure]
419 Nottingham, M. and P. Kamp, "Structured Headers for HTTP",
420 draft-ietf-httpbis-header-structure-15 (work in progress),
421 January 2020.
423 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
424 Requirement Levels", BCP 14, RFC 2119,
425 DOI 10.17487/RFC2119, March 1997,
426 .
428 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
429 Specifications: ABNF", STD 68, RFC 5234,
430 DOI 10.17487/RFC5234, January 2008,
431 .
433 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454,
434 DOI 10.17487/RFC6454, December 2011,
435 .
437 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
438 Protocol (HTTP/1.1): Message Syntax and Routing",
439 RFC 7230, DOI 10.17487/RFC7230, June 2014,
440 .
442 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
443 Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
444 DOI 10.17487/RFC7231, June 2014,
445 .
447 [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
448 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
449 RFC 7234, DOI 10.17487/RFC7234, June 2014,
450 .
452 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
453 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
454 May 2017, .
456 7.2. Informative References
458 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
459 DOI 10.17487/RFC6265, April 2011,
460 .
462 [VARIANTS]
463 Nottingham, M., "HTTP Representation Variants", draft-
464 ietf-httpbis-variants-06 (work in progress), November
465 2019.
467 7.3. URIs
469 [1] https://lists.w3.org/Archives/Public/ietf-http-wg/
471 [2] http://httpwg.github.io/
473 [3] https://github.com/httpwg/http-extensions/labels/client-hints
475 Appendix A. Interaction with Variants Response Header Field
477 Client Hints may be combined with Variants response header field
478 [VARIANTS] to enable fine-grained control of the cache key for
479 improved cache efficiency. Features that define Client Hints will
480 need to specify the related variants algorithms as described in
481 Section 6 of [VARIANTS].
483 Appendix B. Changes
485 B.1. Since -00
487 o Issue 168 (make Save-Data extensible) updated ABNF.
488 o Issue 163 (CH review feedback) editorial feedback from httpwg
489 list.
490 o Issue 153 (NetInfo API citation) added normative reference.
492 B.2. Since -01
494 o Issue 200: Moved Key reference to informative.
495 o Issue 215: Extended passive fingerprinting and mitigation
496 considerations.
497 o Changed document status to experimental.
499 B.3. Since -02
501 o Issue 239: Updated reference to CR-css-values-3
502 o Issue 240: Updated reference for Network Information API
503 o Issue 241: Consistency in IANA considerations
504 o Issue 250: Clarified Accept-CH
506 B.4. Since -03
508 o Issue 284: Extended guidance for Accept-CH
509 o Issue 308: Editorial cleanup
510 o Issue 306: Define Accept-CH-Lifetime
512 B.5. Since -04
514 o Issue 361: Removed Downlink
515 o Issue 361: Moved Key to appendix, plus other editorial feedback
517 B.6. Since -05
519 o Issue 372: Scoped CH opt-in and delivery to secure transports
520 o Issue 373: Bind CH opt-in to origin
522 B.7. Since -06
524 o Issue 524: Save-Data is now defined by NetInfo spec, dropping
525 o PR 775: Removed specific features to be defined in other
526 specifications
528 B.8. Since -07
530 o Issue 761: Clarified that the defined headers are response
531 headers.
532 o Issue 730: Replaced Key reference with Variants.
533 o Issue 700: Replaced ABNF with structured headers.
534 o PR 878: Removed Accept-CH-Lifetime based on feedback at IETF 105
536 B.9. Since -08
538 o PR 985: Describe the bytesize cost of hints.
539 o PR 776: Add Sec- and CH- prefix considerations.
540 o PR 1001: Clear CH persistence when cookies are cleared.
542 Acknowledgements
544 Thanks to Mark Nottingham, Julian Reschke, Chris Bentzel, Ben
545 Greenstein, Tarun Bansal, Roy Fielding, Vasiliy Faronov, Ted Hardie,
546 Jonas Sicking, Martin Thomson, and numerous other members of the IETF
547 HTTP Working Group for invaluable help and feedback.
549 Authors' Addresses
551 Ilya Grigorik
552 Google
554 Email: ilya@igvita.com
555 URI: https://www.igvita.com/
557 Yoav Weiss
558 Google
560 Email: yoav@yoav.ws
561 URI: https://blog.yoav.ws/