idnits 2.17.1
draft-ietf-httpbis-client-hints-11.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([2], [3], [1]), which it
shouldn't. Please replace those with straight textual mentions of the
documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (March 11, 2020) is 1506 days in the past. Is this
intentional?
Checking references for intended status: Experimental
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 527
-- Looks like a reference, but probably isn't: '2' on line 529
-- Looks like a reference, but probably isn't: '3' on line 531
== Outdated reference: A later version (-19) exists of
draft-ietf-httpbis-header-structure-16
** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 7234 (Obsoleted by RFC 9111)
Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 4 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 HTTP Working Group I. Grigorik
3 Internet-Draft Y. Weiss
4 Intended status: Experimental Google
5 Expires: September 12, 2020 March 11, 2020
7 HTTP Client Hints
8 draft-ietf-httpbis-client-hints-11
10 Abstract
12 HTTP defines proactive content negotiation to allow servers to select
13 the appropriate response for a given request, based upon the user
14 agent's characteristics, as expressed in request headers. In
15 practice, clients are often unwilling to send those request headers,
16 because it is not clear whether they will be used, and sending them
17 impacts both performance and privacy.
19 This document defines an Accept-CH response header that servers can
20 use to advertise their use of request headers for proactive content
21 negotiation, along with a set of guidelines for the creation of such
22 headers, colloquially known as "Client Hints."
24 Note to Readers
26 Discussion of this draft takes place on the HTTP working group
27 mailing list (ietf-http-wg@w3.org), which is archived at
28 https://lists.w3.org/Archives/Public/ietf-http-wg/ [1].
30 Working Group information can be found at http://httpwg.github.io/
31 [2]; source code and issues list for this draft can be found at
32 https://github.com/httpwg/http-extensions/labels/client-hints [3].
34 Status of This Memo
36 This Internet-Draft is submitted in full conformance with the
37 provisions of BCP 78 and BCP 79.
39 Internet-Drafts are working documents of the Internet Engineering
40 Task Force (IETF). Note that other groups may also distribute
41 working documents as Internet-Drafts. The list of current Internet-
42 Drafts is at https://datatracker.ietf.org/drafts/current/.
44 Internet-Drafts are draft documents valid for a maximum of six months
45 and may be updated, replaced, or obsoleted by other documents at any
46 time. It is inappropriate to use Internet-Drafts as reference
47 material or to cite them other than as "work in progress."
48 This Internet-Draft will expire on September 12, 2020.
50 Copyright Notice
52 Copyright (c) 2020 IETF Trust and the persons identified as the
53 document authors. All rights reserved.
55 This document is subject to BCP 78 and the IETF Trust's Legal
56 Provisions Relating to IETF Documents
57 (https://trustee.ietf.org/license-info) in effect on the date of
58 publication of this document. Please review these documents
59 carefully, as they describe your rights and restrictions with respect
60 to this document. Code Components extracted from this document must
61 include Simplified BSD License text as described in Section 4.e of
62 the Trust Legal Provisions and are provided without warranty as
63 described in the Simplified BSD License.
65 Table of Contents
67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
68 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4
69 2. Client Hint Request Header Fields . . . . . . . . . . . . . . 4
70 2.1. Sending Client Hints . . . . . . . . . . . . . . . . . . 4
71 2.2. Server Processing of Client Hints . . . . . . . . . . . . 5
72 3. Advertising Server Support . . . . . . . . . . . . . . . . . 5
73 3.1. The Accept-CH Response Header Field . . . . . . . . . . . 5
74 3.2. Interaction with Caches . . . . . . . . . . . . . . . . . 6
75 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
76 4.1. Information Exposure . . . . . . . . . . . . . . . . . . 6
77 4.2. Deployment and Security Risks . . . . . . . . . . . . . . 8
78 4.3. Abuse Detection . . . . . . . . . . . . . . . . . . . . . 8
79 5. Cost of Sending Hints . . . . . . . . . . . . . . . . . . . . 8
80 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
81 6.1. Accept-CH . . . . . . . . . . . . . . . . . . . . . . . . 9
82 7. Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
83 7.1. Since -00 . . . . . . . . . . . . . . . . . . . . . . . . 9
84 7.2. Since -01 . . . . . . . . . . . . . . . . . . . . . . . . 9
85 7.3. Since -02 . . . . . . . . . . . . . . . . . . . . . . . . 9
86 7.4. Since -03 . . . . . . . . . . . . . . . . . . . . . . . . 9
87 7.5. Since -04 . . . . . . . . . . . . . . . . . . . . . . . . 10
88 7.6. Since -05 . . . . . . . . . . . . . . . . . . . . . . . . 10
89 7.7. Since -06 . . . . . . . . . . . . . . . . . . . . . . . . 10
90 7.8. Since -07 . . . . . . . . . . . . . . . . . . . . . . . . 10
91 7.9. Since -08 . . . . . . . . . . . . . . . . . . . . . . . . 10
92 7.10. Since -09 . . . . . . . . . . . . . . . . . . . . . . . . 10
93 7.11. Since -10 . . . . . . . . . . . . . . . . . . . . . . . . 10
94 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 10
95 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
96 9.1. Normative References . . . . . . . . . . . . . . . . . . 11
97 9.2. Informative References . . . . . . . . . . . . . . . . . 11
98 9.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 12
99 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
101 1. Introduction
103 There are thousands of different devices accessing the web, each with
104 different device capabilities and preference information. These
105 device capabilities include hardware and software characteristics, as
106 well as dynamic user and client preferences. Historically,
107 applications that wanted to allow the server to optimize content
108 delivery and user experience based on such capabilities had to rely
109 on passive identification (e.g., by matching User-Agent
110 (Section 5.5.3 of [RFC7231]) header field against an established
111 database of client signatures), used HTTP cookies [RFC6265] and URL
112 parameters, or use some combination of these and similar mechanisms
113 to enable ad hoc content negotiation.
115 Such techniques are expensive to setup and maintain, and are not
116 portable across both applications and servers. They also make it
117 hard for both client and server to reason about which data is
118 required and is in use during the negotiation:
120 o User agent detection cannot reliably identify all static
121 variables, cannot infer dynamic client preferences, requires
122 external device database, is not cache friendly, and is reliant on
123 a passive fingerprinting surface.
124 o Cookie based approaches are not portable across applications and
125 servers, impose additional client-side latency by requiring
126 JavaScript execution, and are not cache friendly.
127 o URL parameters, similar to cookie based approaches, suffer from
128 lack of portability, and are hard to deploy due to a requirement
129 to encode content negotiation data inside of the URL of each
130 resource.
132 Proactive content negotiation (Section 3.4.1 of [RFC7231]) offers an
133 alternative approach; user agents use specified, well-defined request
134 headers to advertise their capabilities and characteristics, so that
135 servers can select (or formulate) an appropriate response.
137 However, traditional proactive content negotiation techniques often
138 mean that clients send these request headers prolifically. This
139 causes performance concerns (because it creates "bloat" in requests),
140 as well as privacy issues; passively providing such information
141 allows servers to silently fingerprint the user agent.
143 This document defines a new response header, Accept-CH, that allows
144 an origin server to explicitly ask that clients send these headers in
145 requests. It also defines guidelines for content negotiation
146 mechanisms that use it, colloquially referred to as Client Hints.
148 Client Hints mitigate performance concerns by assuring that clients
149 will only send the request headers when they're actually going to be
150 used, and privacy concerns of passive fingerprinting by requiring
151 explicit opt-in and disclosure of required headers by the server
152 through the use of the Accept-CH response header.
154 This document defines Client Hints, a framework that enables servers
155 to opt-in to specific proactive content negotiation features,
156 adapting their content accordingly. However, it does not define any
157 specific features that will use that infrastructure. Those features
158 will be defined in their respective specifications.
160 One example of such a feature is the User Agent Client Hints feature
161 [UA-CH].
163 1.1. Notational Conventions
165 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
166 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
167 "OPTIONAL" in this document are to be interpreted as described in BCP
168 14 [RFC2119] [RFC8174] when, and only when, they appear in all
169 capitals, as shown here.
171 This document uses the Augmented Backus-Naur Form (ABNF) notation of
172 [RFC5234].
174 2. Client Hint Request Header Fields
176 A Client Hint request header field is a HTTP header field that is
177 used by HTTP clients to indicate data that can be used by the server
178 to select an appropriate response. Each one conveys client
179 preferences that the server can use to adapt and optimize the
180 response.
182 2.1. Sending Client Hints
184 Clients choose what Client Hints to send in a request based on their
185 default settings, user configuration, and server preferences
186 expressed in "Accept-CH". The client and server can use an opt-in
187 mechanism outlined below to negotiate which header fields need to be
188 sent to allow for efficient content adaption, and optionally use
189 additional mechanisms to negotiate delegation policies that control
190 access of third parties to same header fields.
192 Implementers SHOULD be aware of the passive fingerprinting
193 implications when implementing support for Client Hints, and follow
194 the considerations outlined in the Security Considerations
195 (Section 4) section of this document.
197 2.2. Server Processing of Client Hints
199 When presented with a request that contains one or more client hint
200 header fields, servers can optimize the response based upon the
201 information in them. When doing so, and if the resource is
202 cacheable, the server MUST also generate a Vary response header field
203 (Section 7.1.4 of [RFC7231]) to indicate which hints can affect the
204 selected response and whether the selected response is appropriate
205 for a later request.
207 Furthermore, the server can generate additional response header
208 fields (as specified by the hint or hints in use) that convey related
209 values to aid client processing.
211 3. Advertising Server Support
213 Servers can advertise support for Client Hints using the mechanism
214 described below.
216 3.1. The Accept-CH Response Header Field
218 The Accept-CH response header field indicates server support for the
219 hints indicated in its value.
221 Accept-CH is a Structured Header [I-D.ietf-httpbis-header-structure].
222 Its value MUST be an sh-list (Section 3.1 of
223 [I-D.ietf-httpbis-header-structure]) whose members are tokens
224 (Section 3.3.4 of [I-D.ietf-httpbis-header-structure]). Its ABNF is:
226 Accept-CH = sh-list
228 For example:
230 Accept-CH: Sec-CH-Example, Sec-CH-Example-2
232 When a client receives an HTTP response containing "Accept-CH", it
233 indicates that the origin opts-in to receive the indicated request
234 header fields for subsequent same-origin requests. The opt-in MUST
235 be ignored if delivered over non-secure transport or for an origin
236 with a scheme different from HTTPS. It SHOULD be persisted and bound
237 to the origin to enable delivery of Client Hints on subsequent
238 requests to the server's origin.
240 For example:
242 Accept-CH: Sec-CH-Example, Sec-CH-Example-2
243 Accept-CH: Sec-CH-Example-3
245 Based on the Accept-CH example above, which is received in response
246 to a user agent navigating to "https://example.com", and delivered
247 over a secure transport: a user agent will have to persist an Accept-
248 CH preference bound to "https://example.com" and use it for user
249 agent navigations to "https://example.com" and any same-origin
250 resource requests initiated by the page constructed from the
251 navigation's response. This preference will not extend to resource
252 requests initiated to "https://example.com" from other origins.
254 3.2. Interaction with Caches
256 When selecting a response based on one or more Client Hints, and if
257 the resource is cacheable, the server needs to generate a Vary
258 response header field ([RFC7234]) to indicate which hints can affect
259 the selected response and whether the selected response is
260 appropriate for a later request.
262 Vary: Sec-CH-Example
264 Above example indicates that the cache key needs to include the Sec-
265 CH-Example header field.
267 Vary: Sec-CH-Example, Sec-CH-Example-2
269 Above example indicates that the cache key needs to include the Sec-
270 CH-Example and Sec-CH-Example-2 header fields.
272 4. Security Considerations
274 4.1. Information Exposure
276 Request header fields used in features relying on this document
277 expose information about the user's environment to enable proactive
278 content negotiation. Such information might reveal new information
279 about the user and implementers ought to consider the following
280 considerations, recommendations, and best practices.
282 The underlying assumption is that exposing information about the user
283 as a request header is equivalent to the capability of that request's
284 origin to access that information by other means and transmit it to
285 itself.
287 Therefore, features relying on this document to define Client Hint
288 headers MUST NOT provide new information that is otherwise not
289 available to the application via other means, such as existing
290 request headers, HTML, CSS, or JavaScript.
292 Such features SHOULD take into account the following aspects of the
293 information exposed:
295 o Entropy - Exposing highly granular data can be used to help
296 identify users across multiple requests to different origins.
297 Reducing the set of header field values that can be expressed, or
298 restricting them to an enumerated range where the advertised value
299 is close but is not an exact representation of the current value,
300 can improve privacy and reduce risk of linkability by ensuring
301 that the same value is sent by multiple users.
302 o Sensitivity - The feature SHOULD NOT expose user sensitive
303 information. To that end, information available to the
304 application, but gated behind specific user actions (e.g. a
305 permission prompt or user activation) SHOULD NOT be exposed as a
306 Client Hint.
307 o Change over time - The feature SHOULD NOT expose user information
308 that changes over time, unless the state change itself is also
309 exposed (e.g. through JavaScript callbacks).
311 Different features will be positioned in different points in the
312 space between low-entropy, non-sensitive and static information (e.g.
313 user agent information), and high-entropy, sensitive and dynamic
314 information (e.g. geolocation). User agents SHOULD consider the
315 value provided by a particular feature vs these considerations, and
316 MAY have different policies regarding that tradeoff on a per-feature
317 basis.
319 Implementers ought to consider both user and server controlled
320 mechanisms and policies to control which Client Hints header fields
321 are advertised:
323 o Implementers SHOULD restrict delivery of some or all Client Hints
324 header fields to the opt-in origin only, unless the opt-in origin
325 has explicitly delegated permission to another origin to request
326 Client Hints header fields.
327 o Implementers MAY provide user choice mechanisms so that users can
328 balance privacy concerns with bandwidth limitations. However,
329 implementers SHOULD also be aware that explaining the privacy
330 implications of passive fingerprinting to users can be
331 challenging.
332 o Implementations specific to certain use cases or threat models MAY
333 avoid transmitting some or all of Client Hints header fields. For
334 example, avoid transmission of header fields that can carry higher
335 risks of linkability.
337 Implementers SHOULD support Client Hints opt-in mechanisms and MUST
338 clear persisted opt-in preferences when any one of site data,
339 browsing history, browsing cache, cookies, or similar, are cleared.
341 4.2. Deployment and Security Risks
343 Deployment of new request headers requires several considerations:
345 o Potential conflicts due to existing use of header field name
346 o Properties of the data communicated in header field value
348 Authors of new Client Hints are advised to carefully consider whether
349 they need to be able to be added by client-side content (e.g.,
350 scripts), or whether they need to be exclusively set by the user
351 agent. In the latter case, the Sec- prefix on the header field name
352 has the effect of preventing scripts and other application content
353 from setting them in user agents. Using the "Sec-" prefix signals to
354 servers that the user agent - and not application content - generated
355 the values. See [FETCH] for more information.
357 By convention, request headers that are client hints are encouraged
358 to use a CH- prefix, to make them easier to identify as using this
359 framework; for example, CH-Foo or, with a "Sec-" prefix, Sec-CH-Foo.
360 Doing so makes them easier to identify programmatically (e.g., for
361 stripping unrecognised hints from requests by privacy filters).
363 4.3. Abuse Detection
365 A user agent that tracks access to active fingerprinting information
366 SHOULD consider emission of Client Hints headers similarly to the way
367 it would consider access to the equivalent API.
369 Research into abuse of Client Hints might look at how HTTP responses
370 that contain Client Hints differ from those with different values,
371 and from those without. This might be used to reveal which Client
372 Hints are in use, allowing researchers to further analyze that use.
374 5. Cost of Sending Hints
376 While HTTP header compression schemes reduce the cost of adding HTTP
377 header fields, sending Client Hints to the server incurs an increase
378 in request byte size. Servers SHOULD take that into account when
379 opting in to receive Client Hints, and SHOULD NOT opt-in to receive
380 hints unless they are to be used for content adaptation purposes.
382 Due to request byte size increase, features relying on this document
383 to define Client Hints MAY consider restricting sending those hints
384 to certain request destinations [FETCH], where they are more likely
385 to be useful.
387 6. IANA Considerations
389 This document defines the "Accept-CH" HTTP response header field, and
390 registers it in the Permanent Message Header Fields registry.
392 6.1. Accept-CH
394 o Header field name: Accept-CH
395 o Applicable protocol: HTTP
396 o Status: standard
397 o Author/Change controller: IETF
398 o Specification document(s): Section 3.1 of this document
399 o Related information: for Client Hints
401 7. Changes
403 7.1. Since -00
405 o Issue 168 (make Save-Data extensible) updated ABNF.
406 o Issue 163 (CH review feedback) editorial feedback from httpwg
407 list.
408 o Issue 153 (NetInfo API citation) added normative reference.
410 7.2. Since -01
412 o Issue 200: Moved Key reference to informative.
413 o Issue 215: Extended passive fingerprinting and mitigation
414 considerations.
415 o Changed document status to experimental.
417 7.3. Since -02
419 o Issue 239: Updated reference to CR-css-values-3
420 o Issue 240: Updated reference for Network Information API
421 o Issue 241: Consistency in IANA considerations
422 o Issue 250: Clarified Accept-CH
424 7.4. Since -03
426 o Issue 284: Extended guidance for Accept-CH
427 o Issue 308: Editorial cleanup
428 o Issue 306: Define Accept-CH-Lifetime
430 7.5. Since -04
432 o Issue 361: Removed Downlink
433 o Issue 361: Moved Key to appendix, plus other editorial feedback
435 7.6. Since -05
437 o Issue 372: Scoped CH opt-in and delivery to secure transports
438 o Issue 373: Bind CH opt-in to origin
440 7.7. Since -06
442 o Issue 524: Save-Data is now defined by NetInfo spec, dropping
443 o PR 775: Removed specific features to be defined in other
444 specifications
446 7.8. Since -07
448 o Issue 761: Clarified that the defined headers are response
449 headers.
450 o Issue 730: Replaced Key reference with Variants.
451 o Issue 700: Replaced ABNF with structured headers.
452 o PR 878: Removed Accept-CH-Lifetime based on feedback at IETF 105
454 7.9. Since -08
456 o PR 985: Describe the bytesize cost of hints.
457 o PR 776: Add Sec- and CH- prefix considerations.
458 o PR 1001: Clear CH persistence when cookies are cleared.
460 7.10. Since -09
462 o PR 1064: Fix merge issues with "cost of sending hints".
464 7.11. Since -10
466 o PR 1072: LC feedback from Julian Reschke.
467 o PR 1080: Improve list style.
468 o PR 1082: Remove section mentioning Variants.
469 o PR 1097: Editorial feedback from mnot.
470 o PR 1131: Remove unused references.
471 o PR 1132: Remove nested list.
473 Acknowledgements
475 Thanks to Mark Nottingham, Julian Reschke, Chris Bentzel, Ben
476 Greenstein, Tarun Bansal, Roy Fielding, Vasiliy Faronov, Ted Hardie,
477 Jonas Sicking, Martin Thomson, and numerous other members of the IETF
478 HTTP Working Group for invaluable help and feedback.
480 9. References
482 9.1. Normative References
484 [FETCH] van Kesteren, A., "Fetch", n.d.,
485 .
487 [I-D.ietf-httpbis-header-structure]
488 Nottingham, M. and P. Kamp, "Structured Field Values for
489 HTTP", draft-ietf-httpbis-header-structure-16 (work in
490 progress), March 2020.
492 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
493 Requirement Levels", BCP 14, RFC 2119,
494 DOI 10.17487/RFC2119, March 1997,
495 .
497 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
498 Specifications: ABNF", STD 68, RFC 5234,
499 DOI 10.17487/RFC5234, January 2008,
500 .
502 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
503 Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
504 DOI 10.17487/RFC7231, June 2014,
505 .
507 [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
508 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
509 RFC 7234, DOI 10.17487/RFC7234, June 2014,
510 .
512 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
513 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
514 May 2017, .
516 9.2. Informative References
518 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
519 DOI 10.17487/RFC6265, April 2011,
520 .
522 [UA-CH] West, M. and Y. Weiss, "User Agent Client Hints", n.d.,
523 .
525 9.3. URIs
527 [1] https://lists.w3.org/Archives/Public/ietf-http-wg/
529 [2] http://httpwg.github.io/
531 [3] https://github.com/httpwg/http-extensions/labels/client-hints
533 Authors' Addresses
535 Ilya Grigorik
536 Google
538 Email: ilya@igvita.com
539 URI: https://www.igvita.com/
541 Yoav Weiss
542 Google
544 Email: yoav@yoav.ws
545 URI: https://blog.yoav.ws/