idnits 2.17.1
draft-ietf-httpbis-client-hints-10.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([2], [3], [1]), which it
shouldn't. Please replace those with straight textual mentions of the
documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (February 18, 2020) is 1529 days in the past. Is this
intentional?
Checking references for intended status: Experimental
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 470
-- Looks like a reference, but probably isn't: '2' on line 472
-- Looks like a reference, but probably isn't: '3' on line 474
== Unused Reference: 'RFC6265' is defined on line 459, but no explicit
reference was found in the text
== Outdated reference: A later version (-19) exists of
draft-ietf-httpbis-header-structure-15
** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112)
** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 7234 (Obsoleted by RFC 9111)
Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 4 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 HTTP Working Group I. Grigorik
3 Internet-Draft Y. Weiss
4 Intended status: Experimental Google
5 Expires: August 21, 2020 February 18, 2020
7 HTTP Client Hints
8 draft-ietf-httpbis-client-hints-10
10 Abstract
12 HTTP defines proactive content negotiation to allow servers to select
13 the appropriate response for a given request, based upon the user
14 agent's characteristics, as expressed in request headers. In
15 practice, clients are often unwilling to send those request headers,
16 because it is not clear whether they will be used, and sending them
17 impacts both performance and privacy.
19 This document defines an Accept-CH response header that servers can
20 use to advertise their use of request headers for proactive content
21 negotiation, along with a set of guidelines for the creation of such
22 headers, colloquially known as "Client Hints."
24 Note to Readers
26 Discussion of this draft takes place on the HTTP working group
27 mailing list (ietf-http-wg@w3.org), which is archived at
28 https://lists.w3.org/Archives/Public/ietf-http-wg/ [1].
30 Working Group information can be found at http://httpwg.github.io/
31 [2]; source code and issues list for this draft can be found at
32 https://github.com/httpwg/http-extensions/labels/client-hints [3].
34 Status of This Memo
36 This Internet-Draft is submitted in full conformance with the
37 provisions of BCP 78 and BCP 79.
39 Internet-Drafts are working documents of the Internet Engineering
40 Task Force (IETF). Note that other groups may also distribute
41 working documents as Internet-Drafts. The list of current Internet-
42 Drafts is at https://datatracker.ietf.org/drafts/current/.
44 Internet-Drafts are draft documents valid for a maximum of six months
45 and may be updated, replaced, or obsoleted by other documents at any
46 time. It is inappropriate to use Internet-Drafts as reference
47 material or to cite them other than as "work in progress."
48 This Internet-Draft will expire on August 21, 2020.
50 Copyright Notice
52 Copyright (c) 2020 IETF Trust and the persons identified as the
53 document authors. All rights reserved.
55 This document is subject to BCP 78 and the IETF Trust's Legal
56 Provisions Relating to IETF Documents
57 (https://trustee.ietf.org/license-info) in effect on the date of
58 publication of this document. Please review these documents
59 carefully, as they describe your rights and restrictions with respect
60 to this document. Code Components extracted from this document must
61 include Simplified BSD License text as described in Section 4.e of
62 the Trust Legal Provisions and are provided without warranty as
63 described in the Simplified BSD License.
65 Table of Contents
67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
68 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4
69 2. Client Hint Request Header Fields . . . . . . . . . . . . . . 4
70 2.1. Sending Client Hints . . . . . . . . . . . . . . . . . . 4
71 2.2. Server Processing of Client Hints . . . . . . . . . . . . 5
72 3. Advertising Server Support . . . . . . . . . . . . . . . . . 5
73 3.1. The Accept-CH Response Header Field . . . . . . . . . . . 5
74 3.1.1. Interaction with Caches . . . . . . . . . . . . . . . 6
75 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
76 4.1. Information Exposure . . . . . . . . . . . . . . . . . . 6
77 4.2. Deployment and Security Risks . . . . . . . . . . . . . . 8
78 4.3. Abuse Detection . . . . . . . . . . . . . . . . . . . . . 8
79 5. Cost of Sending Hints . . . . . . . . . . . . . . . . . . . . 9
80 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
81 6.1. Accept-CH . . . . . . . . . . . . . . . . . . . . . . . . 9
82 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
83 7.1. Normative References . . . . . . . . . . . . . . . . . . 9
84 7.2. Informative References . . . . . . . . . . . . . . . . . 10
85 7.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 10
86 Appendix A. Interaction with Variants Response Header Field . . 11
87 Appendix B. Changes . . . . . . . . . . . . . . . . . . . . . . 11
88 B.1. Since -00 . . . . . . . . . . . . . . . . . . . . . . . . 11
89 B.2. Since -01 . . . . . . . . . . . . . . . . . . . . . . . . 11
90 B.3. Since -02 . . . . . . . . . . . . . . . . . . . . . . . . 11
91 B.4. Since -03 . . . . . . . . . . . . . . . . . . . . . . . . 11
92 B.5. Since -04 . . . . . . . . . . . . . . . . . . . . . . . . 11
93 B.6. Since -05 . . . . . . . . . . . . . . . . . . . . . . . . 11
94 B.7. Since -06 . . . . . . . . . . . . . . . . . . . . . . . . 12
95 B.8. Since -07 . . . . . . . . . . . . . . . . . . . . . . . . 12
96 B.9. Since -08 . . . . . . . . . . . . . . . . . . . . . . . . 12
97 B.10. Since -09 . . . . . . . . . . . . . . . . . . . . . . . . 12
98 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
99 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
101 1. Introduction
103 There are thousands of different devices accessing the web, each with
104 different device capabilities and preference information. These
105 device capabilities include hardware and software characteristics, as
106 well as dynamic user and client preferences. Applications that want
107 to allow the server to optimize content delivery and user experience
108 based on such capabilities have, historically, had to rely on passive
109 identification (e.g., by matching User-Agent (Section 5.5.3 of
110 [RFC7231]) header field against an established database of client
111 signatures), used HTTP cookies and URL parameters, or use some
112 combination of these and similar mechanisms to enable ad hoc content
113 negotiation.
115 Such techniques are expensive to setup and maintain, are not portable
116 across both applications and servers, and make it hard to reason for
117 both client and server about which data is required and is in use
118 during the negotiation:
120 o User agent detection cannot reliably identify all static
121 variables, cannot infer dynamic client preferences, requires
122 external device database, is not cache friendly, and is reliant on
123 a passive fingerprinting surface.
124 o Cookie based approaches are not portable across applications and
125 servers, impose additional client-side latency by requiring
126 JavaScript execution, and are not cache friendly.
127 o URL parameters, similar to cookie based approaches, suffer from
128 lack of portability, and are hard to deploy due to a requirement
129 to encode content negotiation data inside of the URL of each
130 resource.
132 Proactive content negotiation (Section 3.4.1 of [RFC7231]) offers an
133 alternative approach; user agents use specified, well-defined request
134 headers to advertise their capabilities and characteristics, so that
135 servers can select (or formulate) an appropriate response.
137 However, proactive content negotiation requires clients to send these
138 request headers prolifically. This causes performance concerns
139 (because it creates "bloat" in requests), as well as privacy issues;
140 passively providing such information allows servers to silently
141 fingerprint the user agent.
143 This document defines a new response header, Accept-CH, that allows
144 an origin server to explicitly ask that clients send these headers in
145 requests. It also defines guidelines for content negotiation
146 mechanisms that use it, colloquially referred to as Client Hints.
148 Client Hints mitigate the performance concerns by assuring that
149 clients will only send the request headers when they're actually
150 going to be used, and the privacy concerns of passive fingerprinting
151 by requiring explicit opt-in and disclosure of required headers by
152 the server through the use of the Accept-CH response header.
154 This document defines the Client Hints infrastructure, a framework
155 that enables servers to opt-in to specific proactive content
156 negotiation features, which will enable them to adapt their content
157 accordingly. However, it does not define any specific features that
158 will use that infrastructure. Those features will be defined in
159 their respective specifications.
161 1.1. Notational Conventions
163 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
164 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
165 "OPTIONAL" in this document are to be interpreted as described in BCP
166 14 [RFC2119] [RFC8174] when, and only when, they appear in all
167 capitals, as shown here.
169 This document uses the Augmented Backus-Naur Form (ABNF) notation of
170 [RFC5234] with the list rule extension defined in [RFC7230],
171 Appendix B. It includes by reference the DIGIT rule from [RFC5234]
172 and the OWS and field-name rules from [RFC7230].
174 2. Client Hint Request Header Fields
176 A Client Hint request header field is a HTTP header field that is
177 used by HTTP clients to indicate configuration data that can be used
178 by the server to select an appropriate response. Each one conveys
179 client preferences that the server can use to adapt and optimize the
180 response.
182 2.1. Sending Client Hints
184 Clients control which Client Hints are sent in requests, based on
185 their default settings, user configuration, and server preferences.
186 The client and server can use an opt-in mechanism outlined below to
187 negotiate which fields should be sent to allow for efficient content
188 adaption, and optionally use additional mechanisms to negotiate
189 delegation policies that control access of third parties to same
190 fields.
192 Implementers should be aware of the passive fingerprinting
193 implications when implementing support for Client Hints, and follow
194 the considerations outlined in "Security Considerations" section of
195 this document.
197 2.2. Server Processing of Client Hints
199 When presented with a request that contains one or more client hint
200 header fields, servers can optimize the response based upon the
201 information in them. When doing so, and if the resource is
202 cacheable, the server MUST also generate a Vary response header field
203 (Section 7.1.4 of [RFC7231]) to indicate which hints can affect the
204 selected response and whether the selected response is appropriate
205 for a later request.
207 Further, depending on the hint used, the server can generate
208 additional response header fields to convey related values to aid
209 client processing.
211 3. Advertising Server Support
213 Servers can advertise support for Client Hints using the mechnisms
214 described below.
216 3.1. The Accept-CH Response Header Field
218 The Accept-CH response header field or the equivalent HTML meta
219 element with http-equiv attribute ([HTML]) indicate server support
220 for particular hints indicated in its value.
222 Accept-CH is a Structured Header [I-D.ietf-httpbis-header-structure].
223 Its value MUST be an sh-list (Section 3.1 of
224 [I-D.ietf-httpbis-header-structure]) whose members are tokens
225 (Section 3.7 of [I-D.ietf-httpbis-header-structure]). Its ABNF is:
227 Accept-CH = sh-list
229 For example:
231 Accept-CH: Sec-CH-Example, Sec-CH-Example-2
233 When a client receives an HTTP response advertising support for
234 provided list of Clients Hints, it SHOULD process it as origin
235 ([RFC6454]) opt-in to receive Client Hint header fields advertised in
236 the field-value, for subsequent same-origin requests.
238 o The opt-in MUST be delivered over a secure transport.
240 o The opt-in SHOULD be persisted and bound to the origin to enable
241 delivery of Client Hints on subsequent requests to the server's
242 origin, and MUST NOT be persisted for an origin that isn't HTTPS.
244 Accept-CH: Sec-CH-Example, Sec-CH-Example-2
245 Accept-CH: Sec-CH-Example-3
247 For example, based on the Accept-CH example above, which is received
248 in response to a user agent navigating to "https://example.com", and
249 delivered over a secure transport: a user agent SHOULD persist an
250 Accept-CH preference bound to "https://example.com" and use it for
251 user agent navigations to "https://example.com" and any same-origin
252 resource requests initiated by the page constructed from the
253 navigation's response. This preference SHOULD NOT extend to resource
254 requests initiated to "https://example.com" from other origins.
256 3.1.1. Interaction with Caches
258 When selecting an optimized response based on one or more Client
259 Hints, and if the resource is cacheable, the server needs to generate
260 a Vary response header field ([RFC7234]) to indicate which hints can
261 affect the selected response and whether the selected response is
262 appropriate for a later request.
264 Vary: Sec-CH-Example
266 Above example indicates that the cache key needs to include the Sec-
267 CH-Example header field.
269 Vary: Sec-CH-Example, Sec-CH-Example-2
271 Above example indicates that the cache key needs to include the Sec-
272 CH-Example and Sec-CH-Example-2 header fields.
274 4. Security Considerations
276 4.1. Information Exposure
278 Request header fields used in features relying on this document
279 expose information about the user's environment to enable proactive
280 content negotiation. Such information may reveal new information
281 about the user and implementers ought to consider the following
282 considerations, recommendations, and best practices.
284 The underlying assumption is that exposing information about the user
285 as a request header is equivalent to the capability of that request's
286 origin to access that information by other means and transmit it to
287 itself.
289 Therefore, features relying on this document to define Client Hint
290 headers MUST NOT provide new information that is otherwise not
291 available to the application via other means, such as existing
292 request headers, HTML, CSS, or JavaScript.
294 Such features SHOULD take into account the following aspects of the
295 information exposed:
297 o Entropy
299 * Exposing highly granular data may help identify users across
300 multiple requests to different origins. Reducing the set of
301 field values that can be expressed, or restricting them to an
302 enumerated range where the advertised value is close but is not
303 an exact representation of the current value, can improve
304 privacy and reduce risk of linkability by ensuring that the
305 same value is sent by multiple users.
306 o Sensitivity
308 * The feature SHOULD NOT expose user sensitive information. To
309 that end, information available to the application, but gated
310 behind specific user actions (e.g. a permission prompt or user
311 activation) SHOULD NOT be exposed as a Client Hint.
312 o Change over time
314 * The feature SHOULD NOT expose user information that changes
315 over time, unless the state change itself is also exposed (e.g.
316 through JavaScript callbacks).
318 Different features will be positioned in different points in the
319 space between low-entropy, non-sensitive and static information (e.g.
320 user agent information), and high-entropy, sensitive and dynamic
321 information (e.g. geolocation). User agents SHOULD consider the
322 value provided by a particular feature vs these considerations, and
323 MAY have different policies regarding that tradeoff on a per-feature
324 basis.
326 Implementers ought to consider both user and server controlled
327 mechanisms and policies to control which Client Hints header fields
328 are advertised:
330 o Implementers SHOULD restrict delivery of some or all Client Hints
331 header fields to the opt-in origin only, unless the opt-in origin
332 has explicitly delegated permission to another origin to request
333 Client Hints header fields.
334 o Implementers MAY provide user choice mechanisms so that users may
335 balance privacy concerns with bandwidth limitations. However,
336 implementers should also be aware that explaining the privacy
337 implications of passive fingerprinting to users may be
338 challenging.
339 o Implementations specific to certain use cases or threat models MAY
340 avoid transmitting some or all of Client Hints header fields. For
341 example, avoid transmission of header fields that can carry higher
342 risks of linkability.
344 Implementers SHOULD support Client Hints opt-in mechanisms and MUST
345 clear persisted opt-in preferences when any one of site data,
346 browsing history, browsing cache, cookies, or similar, are cleared.
348 4.2. Deployment and Security Risks
350 Deployment of new request headers requires several considerations:
352 o Potential conflicts due to existing use of field name
353 o Properties of the data communicated in field value
355 Authors of new Client Hints are advised to carefully consider whether
356 they should be able to be added by client-side content (e.g.,
357 scripts), or whether they should be exclusively set by the user
358 agent. In the latter case, the Sec- prefix on the header field name
359 has the effect of preventing scripts and other application content
360 from setting them in user agents. Using the "Sec-" prefix signals to
361 servers that the user agent - and not application content - generated
362 the values. See [FETCH] for more information.
364 By convention, request headers that are client hints are encouraged
365 to use a CH- prefix, to make them easier to identify as using this
366 framework; for example, CH-Foo or, with a "Sec-" prefix, Sec-CH-Foo.
367 Doing so makes them easier to identify programmatically (e.g., for
368 stripping unrecognised hints from requests by privacy filters).
370 4.3. Abuse Detection
372 A user agent that tracks access to active fingerprinting information
373 SHOULD consider emission of Client Hints headers similarly to the way
374 it would consider access to the equivalent API.
376 Research into abuse of Client Hints might look at how HTTP responses
377 that contain Client Hints differ from those with different values,
378 and from those without. This might be used to reveal which Client
379 Hints are in use, allowing researchers to further analyze that use.
381 5. Cost of Sending Hints
383 While HTTP header compression schemes reduce the cost of adding HTTP
384 header fields, sending Client Hints to the server incurs an increase
385 in request byte size. Servers SHOULD take that into account when
386 opting in to receive Client Hints, and SHOULD NOT opt-in to receive
387 hints unless they are to be used for content adaptation purposes.
389 Due to request byte size increase, features relying on this document
390 to define Client Hints MAY consider restricting sending those hints
391 to certain request destinations [FETCH], where they are more likely
392 to be useful.
394 6. IANA Considerations
396 This document defines the "Accept-CH" HTTP response field, and
397 registers it in the Permanent Message Header Fields registry.
399 6.1. Accept-CH
401 o Header field name: Accept-CH
402 o Applicable protocol: HTTP
403 o Status: standard
404 o Author/Change controller: IETF
405 o Specification document(s): Section 3.1 of this document
406 o Related information: for Client Hints
408 7. References
410 7.1. Normative References
412 [FETCH] van Kesteren, A., "Fetch", n.d.,
413 .
415 [HTML] Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt,
416 P., and D. Denicola, "HTML", n.d.,
417 .
419 [I-D.ietf-httpbis-header-structure]
420 Nottingham, M. and P. Kamp, "Structured Headers for HTTP",
421 draft-ietf-httpbis-header-structure-15 (work in progress),
422 January 2020.
424 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
425 Requirement Levels", BCP 14, RFC 2119,
426 DOI 10.17487/RFC2119, March 1997,
427 .
429 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
430 Specifications: ABNF", STD 68, RFC 5234,
431 DOI 10.17487/RFC5234, January 2008,
432 .
434 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454,
435 DOI 10.17487/RFC6454, December 2011,
436 .
438 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
439 Protocol (HTTP/1.1): Message Syntax and Routing",
440 RFC 7230, DOI 10.17487/RFC7230, June 2014,
441 .
443 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
444 Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
445 DOI 10.17487/RFC7231, June 2014,
446 .
448 [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
449 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
450 RFC 7234, DOI 10.17487/RFC7234, June 2014,
451 .
453 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
454 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
455 May 2017, .
457 7.2. Informative References
459 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
460 DOI 10.17487/RFC6265, April 2011,
461 .
463 [VARIANTS]
464 Nottingham, M., "HTTP Representation Variants", draft-
465 ietf-httpbis-variants-06 (work in progress), November
466 2019.
468 7.3. URIs
470 [1] https://lists.w3.org/Archives/Public/ietf-http-wg/
472 [2] http://httpwg.github.io/
474 [3] https://github.com/httpwg/http-extensions/labels/client-hints
476 Appendix A. Interaction with Variants Response Header Field
478 Client Hints may be combined with Variants response header field
479 [VARIANTS] to enable fine-grained control of the cache key for
480 improved cache efficiency. Features that define Client Hints will
481 need to specify the related variants algorithms as described in
482 Section 6 of [VARIANTS].
484 Appendix B. Changes
486 B.1. Since -00
488 o Issue 168 (make Save-Data extensible) updated ABNF.
489 o Issue 163 (CH review feedback) editorial feedback from httpwg
490 list.
491 o Issue 153 (NetInfo API citation) added normative reference.
493 B.2. Since -01
495 o Issue 200: Moved Key reference to informative.
496 o Issue 215: Extended passive fingerprinting and mitigation
497 considerations.
498 o Changed document status to experimental.
500 B.3. Since -02
502 o Issue 239: Updated reference to CR-css-values-3
503 o Issue 240: Updated reference for Network Information API
504 o Issue 241: Consistency in IANA considerations
505 o Issue 250: Clarified Accept-CH
507 B.4. Since -03
509 o Issue 284: Extended guidance for Accept-CH
510 o Issue 308: Editorial cleanup
511 o Issue 306: Define Accept-CH-Lifetime
513 B.5. Since -04
515 o Issue 361: Removed Downlink
516 o Issue 361: Moved Key to appendix, plus other editorial feedback
518 B.6. Since -05
520 o Issue 372: Scoped CH opt-in and delivery to secure transports
521 o Issue 373: Bind CH opt-in to origin
523 B.7. Since -06
525 o Issue 524: Save-Data is now defined by NetInfo spec, dropping
526 o PR 775: Removed specific features to be defined in other
527 specifications
529 B.8. Since -07
531 o Issue 761: Clarified that the defined headers are response
532 headers.
533 o Issue 730: Replaced Key reference with Variants.
534 o Issue 700: Replaced ABNF with structured headers.
535 o PR 878: Removed Accept-CH-Lifetime based on feedback at IETF 105
537 B.9. Since -08
539 o PR 985: Describe the bytesize cost of hints.
540 o PR 776: Add Sec- and CH- prefix considerations.
541 o PR 1001: Clear CH persistence when cookies are cleared.
543 B.10. Since -09
545 o PR 1064: Fix merge issues with "cost of sending hints".
547 Acknowledgements
549 Thanks to Mark Nottingham, Julian Reschke, Chris Bentzel, Ben
550 Greenstein, Tarun Bansal, Roy Fielding, Vasiliy Faronov, Ted Hardie,
551 Jonas Sicking, Martin Thomson, and numerous other members of the IETF
552 HTTP Working Group for invaluable help and feedback.
554 Authors' Addresses
556 Ilya Grigorik
557 Google
559 Email: ilya@igvita.com
560 URI: https://www.igvita.com/
562 Yoav Weiss
563 Google
565 Email: yoav@yoav.ws
566 URI: https://blog.yoav.ws/