idnits 2.17.1
draft-ietf-httpbis-client-hints-12.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([2], [3], [1]), which it
shouldn't. Please replace those with straight textual mentions of the
documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (March 11, 2020) is 1500 days in the past. Is this
intentional?
Checking references for intended status: Experimental
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 449
-- Looks like a reference, but probably isn't: '2' on line 451
-- Looks like a reference, but probably isn't: '3' on line 453
== Outdated reference: A later version (-19) exists of
draft-ietf-httpbis-header-structure-16
** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 7234 (Obsoleted by RFC 9111)
Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 4 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 HTTP Working Group I. Grigorik
3 Internet-Draft Y. Weiss
4 Intended status: Experimental Google
5 Expires: September 12, 2020 March 11, 2020
7 HTTP Client Hints
8 draft-ietf-httpbis-client-hints-12
10 Abstract
12 HTTP defines proactive content negotiation to allow servers to select
13 the appropriate response for a given request, based upon the user
14 agent's characteristics, as expressed in request headers. In
15 practice, clients are often unwilling to send those request headers,
16 because it is not clear whether they will be used, and sending them
17 impacts both performance and privacy.
19 This document defines an Accept-CH response header that servers can
20 use to advertise their use of request headers for proactive content
21 negotiation, along with a set of guidelines for the creation of such
22 headers, colloquially known as "Client Hints."
24 Note to Readers
26 Discussion of this draft takes place on the HTTP working group
27 mailing list (ietf-http-wg@w3.org), which is archived at
28 https://lists.w3.org/Archives/Public/ietf-http-wg/ [1].
30 Working Group information can be found at http://httpwg.github.io/
31 [2]; source code and issues list for this draft can be found at
32 https://github.com/httpwg/http-extensions/labels/client-hints [3].
34 Status of This Memo
36 This Internet-Draft is submitted in full conformance with the
37 provisions of BCP 78 and BCP 79.
39 Internet-Drafts are working documents of the Internet Engineering
40 Task Force (IETF). Note that other groups may also distribute
41 working documents as Internet-Drafts. The list of current Internet-
42 Drafts is at https://datatracker.ietf.org/drafts/current/.
44 Internet-Drafts are draft documents valid for a maximum of six months
45 and may be updated, replaced, or obsoleted by other documents at any
46 time. It is inappropriate to use Internet-Drafts as reference
47 material or to cite them other than as "work in progress."
48 This Internet-Draft will expire on September 12, 2020.
50 Copyright Notice
52 Copyright (c) 2020 IETF Trust and the persons identified as the
53 document authors. All rights reserved.
55 This document is subject to BCP 78 and the IETF Trust's Legal
56 Provisions Relating to IETF Documents
57 (https://trustee.ietf.org/license-info) in effect on the date of
58 publication of this document. Please review these documents
59 carefully, as they describe your rights and restrictions with respect
60 to this document. Code Components extracted from this document must
61 include Simplified BSD License text as described in Section 4.e of
62 the Trust Legal Provisions and are provided without warranty as
63 described in the Simplified BSD License.
65 Table of Contents
67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
68 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4
69 2. Client Hint Request Header Fields . . . . . . . . . . . . . . 4
70 2.1. Sending Client Hints . . . . . . . . . . . . . . . . . . 4
71 2.2. Server Processing of Client Hints . . . . . . . . . . . . 5
72 3. Advertising Server Support . . . . . . . . . . . . . . . . . 5
73 3.1. The Accept-CH Response Header Field . . . . . . . . . . . 5
74 3.2. Interaction with Caches . . . . . . . . . . . . . . . . . 6
75 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
76 4.1. Information Exposure . . . . . . . . . . . . . . . . . . 6
77 4.2. Deployment and Security Risks . . . . . . . . . . . . . . 8
78 4.3. Abuse Detection . . . . . . . . . . . . . . . . . . . . . 8
79 5. Cost of Sending Hints . . . . . . . . . . . . . . . . . . . . 8
80 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
81 6.1. Accept-CH . . . . . . . . . . . . . . . . . . . . . . . . 9
82 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
83 7.1. Normative References . . . . . . . . . . . . . . . . . . 9
84 7.2. Informative References . . . . . . . . . . . . . . . . . 10
85 7.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 10
86 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 10
87 A.1. Since -00 . . . . . . . . . . . . . . . . . . . . . . . . 10
88 A.2. Since -01 . . . . . . . . . . . . . . . . . . . . . . . . 10
89 A.3. Since -02 . . . . . . . . . . . . . . . . . . . . . . . . 10
90 A.4. Since -03 . . . . . . . . . . . . . . . . . . . . . . . . 11
91 A.5. Since -04 . . . . . . . . . . . . . . . . . . . . . . . . 11
92 A.6. Since -05 . . . . . . . . . . . . . . . . . . . . . . . . 11
93 A.7. Since -06 . . . . . . . . . . . . . . . . . . . . . . . . 11
94 A.8. Since -07 . . . . . . . . . . . . . . . . . . . . . . . . 11
95 A.9. Since -08 . . . . . . . . . . . . . . . . . . . . . . . . 11
96 A.10. Since -09 . . . . . . . . . . . . . . . . . . . . . . . . 11
97 A.11. Since -10 . . . . . . . . . . . . . . . . . . . . . . . . 11
98 A.12. Since -11 . . . . . . . . . . . . . . . . . . . . . . . . 12
99 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
100 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
102 1. Introduction
104 There are thousands of different devices accessing the web, each with
105 different device capabilities and preference information. These
106 device capabilities include hardware and software characteristics, as
107 well as dynamic user and client preferences. Historically,
108 applications that wanted to allow the server to optimize content
109 delivery and user experience based on such capabilities had to rely
110 on passive identification (e.g., by matching User-Agent
111 (Section 5.5.3 of [RFC7231]) header field against an established
112 database of client signatures), used HTTP cookies [RFC6265] and URL
113 parameters, or use some combination of these and similar mechanisms
114 to enable ad hoc content negotiation.
116 Such techniques are expensive to setup and maintain, and are not
117 portable across both applications and servers. They also make it
118 hard for both client and server to reason about which data is
119 required and is in use during the negotiation:
121 o User agent detection cannot reliably identify all static
122 variables, cannot infer dynamic client preferences, requires
123 external device database, is not cache friendly, and is reliant on
124 a passive fingerprinting surface.
125 o Cookie based approaches are not portable across applications and
126 servers, impose additional client-side latency by requiring
127 JavaScript execution, and are not cache friendly.
128 o URL parameters, similar to cookie based approaches, suffer from
129 lack of portability, and are hard to deploy due to a requirement
130 to encode content negotiation data inside of the URL of each
131 resource.
133 Proactive content negotiation (Section 3.4.1 of [RFC7231]) offers an
134 alternative approach; user agents use specified, well-defined request
135 headers to advertise their capabilities and characteristics, so that
136 servers can select (or formulate) an appropriate response.
138 However, traditional proactive content negotiation techniques often
139 mean that clients send these request headers prolifically. This
140 causes performance concerns (because it creates "bloat" in requests),
141 as well as privacy issues; passively providing such information
142 allows servers to silently fingerprint the user agent.
144 This document defines a new response header, Accept-CH, that allows
145 an origin server to explicitly ask that clients send these headers in
146 requests. It also defines guidelines for content negotiation
147 mechanisms that use it, colloquially referred to as Client Hints.
149 Client Hints mitigate performance concerns by assuring that clients
150 will only send the request headers when they're actually going to be
151 used, and privacy concerns of passive fingerprinting by requiring
152 explicit opt-in and disclosure of required headers by the server
153 through the use of the Accept-CH response header.
155 This document defines Client Hints, a framework that enables servers
156 to opt-in to specific proactive content negotiation features,
157 adapting their content accordingly. However, it does not define any
158 specific features that will use that infrastructure. Those features
159 will be defined in their respective specifications.
161 One example of such a feature is the User Agent Client Hints feature
162 [UA-CH].
164 1.1. Notational Conventions
166 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
167 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
168 "OPTIONAL" in this document are to be interpreted as described in BCP
169 14 [RFC2119] [RFC8174] when, and only when, they appear in all
170 capitals, as shown here.
172 This document uses the Augmented Backus-Naur Form (ABNF) notation of
173 [RFC5234].
175 2. Client Hint Request Header Fields
177 A Client Hint request header field is a HTTP header field that is
178 used by HTTP clients to indicate data that can be used by the server
179 to select an appropriate response. Each one conveys client
180 preferences that the server can use to adapt and optimize the
181 response.
183 2.1. Sending Client Hints
185 Clients choose what Client Hints to send in a request based on their
186 default settings, user configuration, and server preferences
187 expressed in "Accept-CH". The client and server can use an opt-in
188 mechanism outlined below to negotiate which header fields need to be
189 sent to allow for efficient content adaption, and optionally use
190 additional mechanisms to negotiate delegation policies that control
191 access of third parties to same header fields.
193 Implementers SHOULD be aware of the passive fingerprinting
194 implications when implementing support for Client Hints, and follow
195 the considerations outlined in the Security Considerations
196 (Section 4) section of this document.
198 2.2. Server Processing of Client Hints
200 When presented with a request that contains one or more client hint
201 header fields, servers can optimize the response based upon the
202 information in them. When doing so, and if the resource is
203 cacheable, the server MUST also generate a Vary response header field
204 (Section 7.1.4 of [RFC7231]) to indicate which hints can affect the
205 selected response and whether the selected response is appropriate
206 for a later request.
208 Furthermore, the server can generate additional response header
209 fields (as specified by the hint or hints in use) that convey related
210 values to aid client processing.
212 3. Advertising Server Support
214 Servers can advertise support for Client Hints using the mechanism
215 described below.
217 3.1. The Accept-CH Response Header Field
219 The Accept-CH response header field indicates server support for the
220 hints indicated in its value.
222 Accept-CH is a Structured Header [I-D.ietf-httpbis-header-structure].
223 Its value MUST be an sh-list (Section 3.1 of
224 [I-D.ietf-httpbis-header-structure]) whose members are tokens
225 (Section 3.3.4 of [I-D.ietf-httpbis-header-structure]). Its ABNF is:
227 Accept-CH = sh-list
229 For example:
231 Accept-CH: Sec-CH-Example, Sec-CH-Example-2
233 When a client receives an HTTP response containing "Accept-CH", it
234 indicates that the origin opts-in to receive the indicated request
235 header fields for subsequent same-origin requests. The opt-in MUST
236 be ignored if delivered over non-secure transport or for an origin
237 with a scheme different from HTTPS. It SHOULD be persisted and bound
238 to the origin to enable delivery of Client Hints on subsequent
239 requests to the server's origin.
241 For example:
243 Accept-CH: Sec-CH-Example, Sec-CH-Example-2
244 Accept-CH: Sec-CH-Example-3
246 Based on the Accept-CH example above, which is received in response
247 to a user agent navigating to "https://example.com", and delivered
248 over a secure transport: a user agent will have to persist an Accept-
249 CH preference bound to "https://example.com" and use it for user
250 agent navigations to "https://example.com" and any same-origin
251 resource requests initiated by the page constructed from the
252 navigation's response. This preference will not extend to resource
253 requests initiated to "https://example.com" from other origins.
255 3.2. Interaction with Caches
257 When selecting a response based on one or more Client Hints, and if
258 the resource is cacheable, the server needs to generate a Vary
259 response header field ([RFC7234]) to indicate which hints can affect
260 the selected response and whether the selected response is
261 appropriate for a later request.
263 Vary: Sec-CH-Example
265 Above example indicates that the cache key needs to include the Sec-
266 CH-Example header field.
268 Vary: Sec-CH-Example, Sec-CH-Example-2
270 Above example indicates that the cache key needs to include the Sec-
271 CH-Example and Sec-CH-Example-2 header fields.
273 4. Security Considerations
275 4.1. Information Exposure
277 Request header fields used in features relying on this document
278 expose information about the user's environment to enable proactive
279 content negotiation. Such information might reveal new information
280 about the user and implementers ought to consider the following
281 considerations, recommendations, and best practices.
283 The underlying assumption is that exposing information about the user
284 as a request header is equivalent to the capability of that request's
285 origin to access that information by other means and transmit it to
286 itself.
288 Therefore, features relying on this document to define Client Hint
289 headers MUST NOT provide new information that is otherwise not
290 available to the application via other means, such as existing
291 request headers, HTML, CSS, or JavaScript.
293 Such features SHOULD take into account the following aspects of the
294 information exposed:
296 o Entropy - Exposing highly granular data can be used to help
297 identify users across multiple requests to different origins.
298 Reducing the set of header field values that can be expressed, or
299 restricting them to an enumerated range where the advertised value
300 is close but is not an exact representation of the current value,
301 can improve privacy and reduce risk of linkability by ensuring
302 that the same value is sent by multiple users.
303 o Sensitivity - The feature SHOULD NOT expose user sensitive
304 information. To that end, information available to the
305 application, but gated behind specific user actions (e.g. a
306 permission prompt or user activation) SHOULD NOT be exposed as a
307 Client Hint.
308 o Change over time - The feature SHOULD NOT expose user information
309 that changes over time, unless the state change itself is also
310 exposed (e.g. through JavaScript callbacks).
312 Different features will be positioned in different points in the
313 space between low-entropy, non-sensitive and static information (e.g.
314 user agent information), and high-entropy, sensitive and dynamic
315 information (e.g. geolocation). User agents SHOULD consider the
316 value provided by a particular feature vs these considerations, and
317 MAY have different policies regarding that tradeoff on a per-feature
318 basis.
320 Implementers ought to consider both user and server controlled
321 mechanisms and policies to control which Client Hints header fields
322 are advertised:
324 o Implementers SHOULD restrict delivery of some or all Client Hints
325 header fields to the opt-in origin only, unless the opt-in origin
326 has explicitly delegated permission to another origin to request
327 Client Hints header fields.
328 o Implementers MAY provide user choice mechanisms so that users can
329 balance privacy concerns with bandwidth limitations. However,
330 implementers SHOULD also be aware that explaining the privacy
331 implications of passive fingerprinting to users can be
332 challenging.
333 o Implementations specific to certain use cases or threat models MAY
334 avoid transmitting some or all of Client Hints header fields. For
335 example, avoid transmission of header fields that can carry higher
336 risks of linkability.
338 Implementers SHOULD support Client Hints opt-in mechanisms and MUST
339 clear persisted opt-in preferences when any one of site data,
340 browsing history, browsing cache, cookies, or similar, are cleared.
342 4.2. Deployment and Security Risks
344 Deployment of new request headers requires several considerations:
346 o Potential conflicts due to existing use of header field name
347 o Properties of the data communicated in header field value
349 Authors of new Client Hints are advised to carefully consider whether
350 they need to be able to be added by client-side content (e.g.,
351 scripts), or whether they need to be exclusively set by the user
352 agent. In the latter case, the Sec- prefix on the header field name
353 has the effect of preventing scripts and other application content
354 from setting them in user agents. Using the "Sec-" prefix signals to
355 servers that the user agent - and not application content - generated
356 the values. See [FETCH] for more information.
358 By convention, request headers that are client hints are encouraged
359 to use a CH- prefix, to make them easier to identify as using this
360 framework; for example, CH-Foo or, with a "Sec-" prefix, Sec-CH-Foo.
361 Doing so makes them easier to identify programmatically (e.g., for
362 stripping unrecognised hints from requests by privacy filters).
364 4.3. Abuse Detection
366 A user agent that tracks access to active fingerprinting information
367 SHOULD consider emission of Client Hints headers similarly to the way
368 it would consider access to the equivalent API.
370 Research into abuse of Client Hints might look at how HTTP responses
371 that contain Client Hints differ from those with different values,
372 and from those without. This might be used to reveal which Client
373 Hints are in use, allowing researchers to further analyze that use.
375 5. Cost of Sending Hints
377 While HTTP header compression schemes reduce the cost of adding HTTP
378 header fields, sending Client Hints to the server incurs an increase
379 in request byte size. Servers SHOULD take that into account when
380 opting in to receive Client Hints, and SHOULD NOT opt-in to receive
381 hints unless they are to be used for content adaptation purposes.
383 Due to request byte size increase, features relying on this document
384 to define Client Hints MAY consider restricting sending those hints
385 to certain request destinations [FETCH], where they are more likely
386 to be useful.
388 6. IANA Considerations
390 This document defines the "Accept-CH" HTTP response header field, and
391 registers it in the Permanent Message Header Fields registry.
393 6.1. Accept-CH
395 o Header field name: Accept-CH
396 o Applicable protocol: HTTP
397 o Status: standard
398 o Author/Change controller: IETF
399 o Specification document(s): Section 3.1 of this document
400 o Related information: for Client Hints
402 7. References
404 7.1. Normative References
406 [FETCH] van Kesteren, A., "Fetch", n.d.,
407 .
409 [I-D.ietf-httpbis-header-structure]
410 Nottingham, M. and P. Kamp, "Structured Field Values for
411 HTTP", draft-ietf-httpbis-header-structure-16 (work in
412 progress), March 2020.
414 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
415 Requirement Levels", BCP 14, RFC 2119,
416 DOI 10.17487/RFC2119, March 1997,
417 .
419 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
420 Specifications: ABNF", STD 68, RFC 5234,
421 DOI 10.17487/RFC5234, January 2008,
422 .
424 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
425 Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
426 DOI 10.17487/RFC7231, June 2014,
427 .
429 [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
430 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
431 RFC 7234, DOI 10.17487/RFC7234, June 2014,
432 .
434 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
435 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
436 May 2017, .
438 7.2. Informative References
440 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
441 DOI 10.17487/RFC6265, April 2011,
442 .
444 [UA-CH] West, M. and Y. Weiss, "User Agent Client Hints", n.d.,
445 .
447 7.3. URIs
449 [1] https://lists.w3.org/Archives/Public/ietf-http-wg/
451 [2] http://httpwg.github.io/
453 [3] https://github.com/httpwg/http-extensions/labels/client-hints
455 Appendix A. Changes
457 A.1. Since -00
459 o Issue 168 (make Save-Data extensible) updated ABNF.
460 o Issue 163 (CH review feedback) editorial feedback from httpwg
461 list.
462 o Issue 153 (NetInfo API citation) added normative reference.
464 A.2. Since -01
466 o Issue 200: Moved Key reference to informative.
467 o Issue 215: Extended passive fingerprinting and mitigation
468 considerations.
469 o Changed document status to experimental.
471 A.3. Since -02
473 o Issue 239: Updated reference to CR-css-values-3
474 o Issue 240: Updated reference for Network Information API
475 o Issue 241: Consistency in IANA considerations
476 o Issue 250: Clarified Accept-CH
478 A.4. Since -03
480 o Issue 284: Extended guidance for Accept-CH
481 o Issue 308: Editorial cleanup
482 o Issue 306: Define Accept-CH-Lifetime
484 A.5. Since -04
486 o Issue 361: Removed Downlink
487 o Issue 361: Moved Key to appendix, plus other editorial feedback
489 A.6. Since -05
491 o Issue 372: Scoped CH opt-in and delivery to secure transports
492 o Issue 373: Bind CH opt-in to origin
494 A.7. Since -06
496 o Issue 524: Save-Data is now defined by NetInfo spec, dropping
497 o PR 775: Removed specific features to be defined in other
498 specifications
500 A.8. Since -07
502 o Issue 761: Clarified that the defined headers are response
503 headers.
504 o Issue 730: Replaced Key reference with Variants.
505 o Issue 700: Replaced ABNF with structured headers.
506 o PR 878: Removed Accept-CH-Lifetime based on feedback at IETF 105
508 A.9. Since -08
510 o PR 985: Describe the bytesize cost of hints.
511 o PR 776: Add Sec- and CH- prefix considerations.
512 o PR 1001: Clear CH persistence when cookies are cleared.
514 A.10. Since -09
516 o PR 1064: Fix merge issues with "cost of sending hints".
518 A.11. Since -10
520 o PR 1072: LC feedback from Julian Reschke.
521 o PR 1080: Improve list style.
522 o PR 1082: Remove section mentioning Variants.
523 o PR 1097: Editorial feedback from mnot.
524 o PR 1131: Remove unused references.
525 o PR 1132: Remove nested list.
527 A.12. Since -11
529 o PR 1134: Re-insert back section.
531 Acknowledgements
533 Thanks to Mark Nottingham, Julian Reschke, Chris Bentzel, Ben
534 Greenstein, Tarun Bansal, Roy Fielding, Vasiliy Faronov, Ted Hardie,
535 Jonas Sicking, Martin Thomson, and numerous other members of the IETF
536 HTTP Working Group for invaluable help and feedback.
538 Authors' Addresses
540 Ilya Grigorik
541 Google
543 Email: ilya@igvita.com
544 URI: https://www.igvita.com/
546 Yoav Weiss
547 Google
549 Email: yoav@yoav.ws
550 URI: https://blog.yoav.ws/