idnits 2.17.1 draft-ietf-httpbis-header-structure-19.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([2], [3], [4], [5], [1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 3, 2020) is 1423 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 1619 -- Looks like a reference, but probably isn't: '2' on line 1621 -- Looks like a reference, but probably isn't: '3' on line 1623 -- Looks like a reference, but probably isn't: '4' on line 1625 -- Looks like a reference, but probably isn't: '5' on line 1627 == Missing Reference: 'RFCxxxx' is mentioned on line 333, but not defined == Missing Reference: 'RFC3986' is mentioned on line 339, but not defined -- Looks like a reference, but probably isn't: '6' on line 1680 ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) -- Obsolete informational reference (is this intentional?): RFC 7231 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7540 (Obsoleted by RFC 9113) Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP M. Nottingham 3 Internet-Draft Fastly 4 Intended status: Standards Track P-H. Kamp 5 Expires: December 5, 2020 The Varnish Cache Project 6 June 3, 2020 8 Structured Field Values for HTTP 9 draft-ietf-httpbis-header-structure-19 11 Abstract 13 This document describes a set of data types and associated algorithms 14 that are intended to make it easier and safer to define and handle 15 HTTP header and trailer fields, known as "Structured Fields", 16 "Structured Headers", or "Structured Trailers". It is intended for 17 use by specifications of new HTTP fields that wish to use a common 18 syntax that is more restrictive than traditional HTTP field values. 20 Note to Readers 22 _RFC EDITOR: please remove this section before publication_ 24 Discussion of this draft takes place on the HTTP working group 25 mailing list (ietf-http-wg@w3.org), which is archived at 26 https://lists.w3.org/Archives/Public/ietf-http-wg/ [1]. 28 Working Group information can be found at https://httpwg.github.io/ 29 [2]; source code and issues list for this draft can be found at 30 https://github.com/httpwg/http-extensions/labels/header-structure 31 [3]. 33 Tests for implementations are collected at https://github.com/httpwg/ 34 structured-field-tests [4]. 36 Implementations are tracked at https://github.com/httpwg/wiki/wiki/ 37 Structured-Headers [5]. 39 Status of This Memo 41 This Internet-Draft is submitted in full conformance with the 42 provisions of BCP 78 and BCP 79. 44 Internet-Drafts are working documents of the Internet Engineering 45 Task Force (IETF). Note that other groups may also distribute 46 working documents as Internet-Drafts. The list of current Internet- 47 Drafts is at https://datatracker.ietf.org/drafts/current/. 49 Internet-Drafts are draft documents valid for a maximum of six months 50 and may be updated, replaced, or obsoleted by other documents at any 51 time. It is inappropriate to use Internet-Drafts as reference 52 material or to cite them other than as "work in progress." 54 This Internet-Draft will expire on December 5, 2020. 56 Copyright Notice 58 Copyright (c) 2020 IETF Trust and the persons identified as the 59 document authors. All rights reserved. 61 This document is subject to BCP 78 and the IETF Trust's Legal 62 Provisions Relating to IETF Documents 63 (https://trustee.ietf.org/license-info) in effect on the date of 64 publication of this document. Please review these documents 65 carefully, as they describe your rights and restrictions with respect 66 to this document. Code Components extracted from this document must 67 include Simplified BSD License text as described in Section 4.e of 68 the Trust Legal Provisions and are provided without warranty as 69 described in the Simplified BSD License. 71 Table of Contents 73 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 74 1.1. Intentionally Strict Processing . . . . . . . . . . . . . 4 75 1.2. Notational Conventions . . . . . . . . . . . . . . . . . 5 76 2. Defining New Structured Fields . . . . . . . . . . . . . . . 5 77 3. Structured Data Types . . . . . . . . . . . . . . . . . . . . 8 78 3.1. Lists . . . . . . . . . . . . . . . . . . . . . . . . . . 9 79 3.1.1. Inner Lists . . . . . . . . . . . . . . . . . . . . . 9 80 3.1.2. Parameters . . . . . . . . . . . . . . . . . . . . . 10 81 3.2. Dictionaries . . . . . . . . . . . . . . . . . . . . . . 11 82 3.3. Items . . . . . . . . . . . . . . . . . . . . . . . . . . 12 83 3.3.1. Integers . . . . . . . . . . . . . . . . . . . . . . 13 84 3.3.2. Decimals . . . . . . . . . . . . . . . . . . . . . . 13 85 3.3.3. Strings . . . . . . . . . . . . . . . . . . . . . . . 14 86 3.3.4. Tokens . . . . . . . . . . . . . . . . . . . . . . . 15 87 3.3.5. Byte Sequences . . . . . . . . . . . . . . . . . . . 15 88 3.3.6. Booleans . . . . . . . . . . . . . . . . . . . . . . 15 89 4. Working With Structured Fields in HTTP . . . . . . . . . . . 16 90 4.1. Serializing Structured Fields . . . . . . . . . . . . . . 16 91 4.1.1. Serializing a List . . . . . . . . . . . . . . . . . 16 92 4.1.2. Serializing a Dictionary . . . . . . . . . . . . . . 18 93 4.1.3. Serializing an Item . . . . . . . . . . . . . . . . . 19 94 4.1.4. Serializing an Integer . . . . . . . . . . . . . . . 20 95 4.1.5. Serializing a Decimal . . . . . . . . . . . . . . . . 20 96 4.1.6. Serializing a String . . . . . . . . . . . . . . . . 21 97 4.1.7. Serializing a Token . . . . . . . . . . . . . . . . . 22 98 4.1.8. Serializing a Byte Sequence . . . . . . . . . . . . . 22 99 4.1.9. Serializing a Boolean . . . . . . . . . . . . . . . . 22 100 4.2. Parsing Structured Fields . . . . . . . . . . . . . . . . 23 101 4.2.1. Parsing a List . . . . . . . . . . . . . . . . . . . 24 102 4.2.2. Parsing a Dictionary . . . . . . . . . . . . . . . . 26 103 4.2.3. Parsing an Item . . . . . . . . . . . . . . . . . . . 27 104 4.2.4. Parsing an Integer or Decimal . . . . . . . . . . . . 29 105 4.2.5. Parsing a String . . . . . . . . . . . . . . . . . . 30 106 4.2.6. Parsing a Token . . . . . . . . . . . . . . . . . . . 31 107 4.2.7. Parsing a Byte Sequence . . . . . . . . . . . . . . . 32 108 4.2.8. Parsing a Boolean . . . . . . . . . . . . . . . . . . 33 109 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 110 6. Security Considerations . . . . . . . . . . . . . . . . . . . 33 111 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 33 112 7.1. Normative References . . . . . . . . . . . . . . . . . . 33 113 7.2. Informative References . . . . . . . . . . . . . . . . . 34 114 7.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 35 115 Appendix A. Frequently Asked Questions . . . . . . . . . . . . . 35 116 A.1. Why not JSON? . . . . . . . . . . . . . . . . . . . . . . 35 117 Appendix B. Implementation Notes . . . . . . . . . . . . . . . . 36 118 Appendix C. Changes . . . . . . . . . . . . . . . . . . . . . . 36 119 C.1. Since draft-ietf-httpbis-header-structure-18 . . . . . . 37 120 C.2. Since draft-ietf-httpbis-header-structure-17 . . . . . . 37 121 C.3. Since draft-ietf-httpbis-header-structure-16 . . . . . . 37 122 C.4. Since draft-ietf-httpbis-header-structure-15 . . . . . . 37 123 C.5. Since draft-ietf-httpbis-header-structure-14 . . . . . . 38 124 C.6. Since draft-ietf-httpbis-header-structure-13 . . . . . . 38 125 C.7. Since draft-ietf-httpbis-header-structure-12 . . . . . . 39 126 C.8. Since draft-ietf-httpbis-header-structure-11 . . . . . . 39 127 C.9. Since draft-ietf-httpbis-header-structure-10 . . . . . . 39 128 C.10. Since draft-ietf-httpbis-header-structure-09 . . . . . . 39 129 C.11. Since draft-ietf-httpbis-header-structure-08 . . . . . . 40 130 C.12. Since draft-ietf-httpbis-header-structure-07 . . . . . . 40 131 C.13. Since draft-ietf-httpbis-header-structure-06 . . . . . . 41 132 C.14. Since draft-ietf-httpbis-header-structure-05 . . . . . . 41 133 C.15. Since draft-ietf-httpbis-header-structure-04 . . . . . . 41 134 C.16. Since draft-ietf-httpbis-header-structure-03 . . . . . . 41 135 C.17. Since draft-ietf-httpbis-header-structure-02 . . . . . . 41 136 C.18. Since draft-ietf-httpbis-header-structure-01 . . . . . . 42 137 C.19. Since draft-ietf-httpbis-header-structure-00 . . . . . . 42 138 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 42 139 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42 141 1. Introduction 143 Specifying the syntax of new HTTP header (and trailer) fields is an 144 onerous task; even with the guidance in Section 8.3.1 of [RFC7231], 145 there are many decisions - and pitfalls - for a prospective HTTP 146 field author. 148 Once a field is defined, bespoke parsers and serializers often need 149 to be written, because each field value has slightly different 150 handling of what looks like common syntax. 152 This document introduces a set of common data structures for use in 153 definitions of new HTTP field values to address these problems. In 154 particular, it defines a generic, abstract model for them, along with 155 a concrete serialization for expressing that model in HTTP [RFC7230] 156 header and trailer fields. 158 A HTTP field that is defined as a "Structured Header" or "Structured 159 Trailer" (if the field can be either, it is a "Structured Field") 160 uses the types defined in this specification to define its syntax and 161 basic handling rules, thereby simplifying both its definition by 162 specification writers and handling by implementations. 164 Additionally, future versions of HTTP can define alternative 165 serializations of the abstract model of these structures, allowing 166 fields that use that model to be transmitted more efficiently without 167 being redefined. 169 Note that it is not a goal of this document to redefine the syntax of 170 existing HTTP fields; the mechanisms described herein are only 171 intended to be used with fields that explicitly opt into them. 173 Section 2 describes how to specify a Structured Field. 175 Section 3 defines a number of abstract data types that can be used in 176 Structured Fields. 178 Those abstract types can be serialized into and parsed from HTTP 179 field values using the algorithms described in Section 4. 181 1.1. Intentionally Strict Processing 183 This specification intentionally defines strict parsing and 184 serialization behaviors using step-by-step algorithms; the only error 185 handling defined is to fail the operation altogether. 187 It is designed to encourage faithful implementation and therefore 188 good interoperability. Therefore, an implementation that tried to be 189 helpful by being more tolerant of input would make interoperability 190 worse, since that would create pressure on other implementations to 191 implement similar (but likely subtly different) workarounds. 193 In other words, strict processing is an intentional feature of this 194 specification; it allows non-conformant input to be discovered and 195 corrected by the producer early, and avoids both interoperability and 196 security issues that might otherwise result. 198 Note that as a result of this strictness, if a field is appended to 199 by multiple parties (e.g., intermediaries, or different components in 200 the sender), an error in one party's value is likely to cause the 201 entire field value to fail parsing. 203 1.2. Notational Conventions 205 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 206 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 207 "OPTIONAL" in this document are to be interpreted as described in BCP 208 14 [RFC2119] [RFC8174] when, and only when, they appear in all 209 capitals, as shown here. 211 This document uses algorithms to specify parsing and serialization 212 behaviors, and the Augmented Backus-Naur Form (ABNF) notation of 213 [RFC5234] to illustrate expected syntax in HTTP header fields. In 214 doing so, it uses the VCHAR, SP, DIGIT, ALPHA and DQUOTE rules from 215 [RFC5234]. It also includes the tchar and OWS rules from [RFC7230]. 217 When parsing from HTTP fields, implementations MUST have behavior 218 that is indistinguishable from following the algorithms. If there is 219 disagreement between the parsing algorithms and ABNF, the specified 220 algorithms take precedence. 222 For serialization to HTTP fields, the ABNF illustrates their expected 223 wire representations, and the algorithms define the recommended way 224 to produce them. Implementations MAY vary from the specified 225 behavior so long as the output is still correctly handled by the 226 parsing algorithm. 228 2. Defining New Structured Fields 230 To specify a HTTP field as a Structured Field, its authors needs to: 232 o Normatively reference this specification. Recipients and 233 generators of the field need to know that the requirements of this 234 document are in effect. 236 o Identify whether the field is a Structured Header (i.e., it can 237 only be used in the header section - the common case), a 238 Structured Trailer (only in the trailer section), or a Structured 239 Field (both). 241 o Specify the type of the field value; either List (Section 3.1), 242 Dictionary (Section 3.2), or Item (Section 3.3). 244 o Define the semantics of the field value. 246 o Specify any additional constraints upon the field value, as well 247 as the consequences when those constraints are violated. 249 Typically, this means that a field definition will specify the top- 250 level type - List, Dictionary or Item - and then define its allowable 251 types, and constraints upon them. For example, a header defined as a 252 List might have all Integer members, or a mix of types; a header 253 defined as an Item might allow only Strings, and additionally only 254 strings beginning with the letter "Q", or strings in lowercase. 255 Likewise, Inner Lists (Section 3.1.1) are only valid when a field 256 definition explicitly allows them. 258 When parsing fails, the entire field is ignored (see Section 4.2); in 259 most situations, violating field-specific constraints should have the 260 same effect. Thus, if a header is defined as an Item and required to 261 be an Integer, but a String is received, the field will by default be 262 ignored. If the field requires different error handling, this should 263 be explicitly specified. 265 Both Items and Inner Lists allow parameters as an extensibility 266 mechanism; this means that values can later be extended to 267 accommodate more information, if need be. To preserve forward 268 compatibility, field specifications are discouraged from defining the 269 presence of an unrecognized Parameter as an error condition. 271 To further assure that this extensibility is available in the future, 272 and to encourage consumers to use a complete parser implementation, a 273 field definition can specify that "grease" Parameters be added by 274 senders. A specification could stipulate that all Parameters that 275 fit a defined pattern are reserved for this use and then encourage 276 them to be sent on some portion of requests. This helps to 277 discourage recipients from writing a parser that does not account for 278 Parameters. 280 Specifications that use Dictionaries can also allow for forward 281 compatibility by requiring that the presence of - as well as value 282 and type associated with - unknown members be ignored. Later 283 specifications can then add additional members, specifying 284 constraints on them as appropriate. 286 An extension to a structured field can then require that an entire 287 field value be ignored by a recipient that understands the extension 288 if constraints on the value it defines are not met. 290 A field definition cannot relax the requirements of this 291 specification because doing so would preclude handling by generic 292 software; they can only add additional constraints (for example, on 293 the numeric range of Integers and Decimals, the format of Strings and 294 Tokens, the types allowed in a Dictionary's values, or the number of 295 Items in a List). Likewise, field definitions can only use this 296 specification for the entire field value, not a portion thereof. 298 This specification defines minimums for the length or number of 299 various structures supported by implementations. It does not specify 300 maximum sizes in most cases, but authors should be aware that HTTP 301 implementations do impose various limits on the size of individual 302 fields, the total number of fields, and/or the size of the entire 303 header or trailer section. 305 Specifications can refer to a field name as a "structured header 306 name", "structured trailer name" or "structured field name" as 307 appropriate. Likewise, they can refer its field value as a 308 "structured header value", "structured trailer value" or "structured 309 field value" as necessary. Field definitions are encouraged to use 310 the ABNF rules beginning with "sf-" defined in this specification; 311 other rules in this specification are not intended for their use. 313 For example, a fictitious Foo-Example header field might be specified 314 as: 316 --8<-- 317 42. Foo-Example Header 319 The Foo-Example HTTP header field conveys information about how 320 much Foo the message has. 322 Foo-Example is a Item Structured Header [RFCxxxx]. Its value MUST be 323 an Integer (Section Y.Y of [RFCxxxx]). Its ABNF is: 325 Foo-Example = sf-integer 327 Its value indicates the amount of Foo in the message, and MUST 328 be between 0 and 10, inclusive; other values MUST cause 329 the entire header field to be ignored. 331 The following parameters are defined: 332 * A Parameter whose name is "foourl", and whose value is a String 333 (Section Y.Y of [RFCxxxx]), conveying the Foo URL 334 for the message. See below for processing requirements. 336 "foourl" contains a URI-reference (Section 4.1 of [RFC3986]). If 337 its value is not a valid URI-reference, the entire header field 338 MUST be ignored. If its value is a relative reference (Section 4.2 339 of [RFC3986]), it MUST be resolved (Section 5 of [RFC3986]) before 340 being used. 342 For example: 344 Foo-Example: 2; foourl="https://foo.example.com/" 345 -->8-- 347 3. Structured Data Types 349 This section defines the abstract types for Structured Fields. The 350 ABNF provided represents the on-wire format in HTTP field values. 352 In summary: 354 o There are three top-level types that a HTTP field can be defined 355 as: Lists, Dictionaries, and Items. 357 o Lists and Dictionaries are containers; their members can be Items 358 or Inner Lists (which are themselves arrays of Items). 360 o Both Items and Inner Lists can be parameterized with key/value 361 pairs. 363 3.1. Lists 365 Lists are arrays of zero or more members, each of which can be an 366 Item (Section 3.3) or an Inner List (Section 3.1.1), both of which 367 can be Parameterized (Section 3.1.2). 369 The ABNF for Lists in HTTP fields is: 371 sf-list = list-member *( OWS "," OWS list-member ) 372 list-member = sf-item / inner-list 374 Each member is separated by a comma and optional whitespace. For 375 example, a field whose value is defined as a List of Strings could 376 look like: 378 Example-StrList: "foo", "bar", "It was the best of times." 380 An empty List is denoted by not serializing the field at all. This 381 implies that fields defined as Lists have a default empty value. 383 Note that Lists can have their members split across multiple lines 384 inside a header or trailer section, as per Section 3.2.2 of 385 [RFC7230]; for example, the following are equivalent: 387 Example-Hdr: foo, bar 389 and 391 Example-Hdr: foo 392 Example-Hdr: bar 394 However, individual members of a List cannot be safely split between 395 across lines; see Section 4.2 for details. 397 Parsers MUST support Lists containing at least 1024 members. Field 398 specifications can constrain the types and cardinality of individual 399 List values as they require. 401 3.1.1. Inner Lists 403 An Inner List is an array of zero or more Items (Section 3.3). Both 404 the individual Items and the Inner List itself can be Parameterized 405 (Section 3.1.2). 407 The ABNF for Inner Lists is: 409 inner-list = "(" *SP [ sf-item *( 1*SP sf-item ) *SP ] ")" 410 parameters 412 Inner Lists are denoted by surrounding parenthesis, and have their 413 values delimited by one or more spaces. A field whose value is 414 defined as a List of Inner Lists of Strings could look like: 416 Example-StrListList: ("foo" "bar"), ("baz"), ("bat" "one"), () 418 Note that the last member in this example is an empty Inner List. 420 A header field whose value is defined as a List of Inner Lists with 421 Parameters at both levels could look like: 423 Example-ListListParam: ("foo"; a=1;b=2);lvl=5, ("bar" "baz");lvl=1 425 Parsers MUST support Inner Lists containing at least 256 members. 426 Field specifications can constrain the types and cardinality of 427 individual Inner List members as they require. 429 3.1.2. Parameters 431 Parameters are an ordered map of key-value pairs that are associated 432 with an Item (Section 3.3) or Inner List (Section 3.1.1). The keys 433 are unique within the scope the Parameters they occur within, and the 434 values are bare items (i.e., they themselves cannot be parameterized; 435 see Section 3.3). 437 The ABNF for Parameters is: 439 parameters = *( ";" *SP parameter ) 440 parameter = param-name [ "=" param-value ] 441 param-name = key 442 key = ( lcalpha / "*" ) 443 *( lcalpha / DIGIT / "_" / "-" / "." / "*" ) 444 lcalpha = %x61-7A ; a-z 445 param-value = bare-item 447 Note that Parameters are ordered as serialized, and Parameter keys 448 cannot contain uppercase letters. A parameter is separated from its 449 Item or Inner List and other parameters by a semicolon. For example: 451 Example-ParamList: abc;a=1;b=2; cde_456, (ghi;jk=4 l);q="9";r=w 453 Parameters whose value is Boolean (see Section 3.3.6) true MUST omit 454 that value when serialized. For example, the "a" parameter here is 455 true, while the "b" parameter is false: 457 Example-Int: 1; a; b=?0 458 Note that this requirement is only on serialization; parsers are 459 still required to correctly handle the true value when it appears in 460 a parameter. 462 Parsers MUST support at least 256 parameters on an Item or Inner 463 List, and support parameter keys with at least 64 characters. Field 464 specifications can constrain the order of individual Parameters, as 465 well as their values' types as required. 467 3.2. Dictionaries 469 Dictionaries are ordered maps of name-value pairs, where the names 470 are short textual strings and the values are Items (Section 3.3) or 471 arrays of Items, both of which can be Parameterized (Section 3.1.2). 472 There can be zero or more members, and their names are unique in the 473 scope of the Dictionary they occur within. 475 Implementations MUST provide access to Dictionaries both by index and 476 by name. Specifications MAY use either means of accessing the 477 members. 479 The ABNF for Dictionaries is: 481 sf-dictionary = dict-member *( OWS "," OWS dict-member ) 482 dict-member = member-name [ "=" member-value ] 483 member-name = key 484 member-value = sf-item / inner-list 486 Members are ordered as serialized, and separated by a comma with 487 optional whitespace. Member names cannot contain uppercase 488 characters. Names and values are separated by "=" (without 489 whitespace). For example: 491 Example-Dict: en="Applepie", da=:w4ZibGV0w6ZydGU=: 493 Note that in this example, the final "=" is due to the inclusion of a 494 Byte Sequence; see Section 3.3.5. 496 Members whose value is Boolean (see Section 3.3.6) true MUST omit 497 that value when serialized. For example, here both "b" and "c" are 498 true: 500 Example-Dict: a=?0, b, c; foo=bar 502 Note that this requirement is only on serialization; parsers are 503 still required to correctly handle the true Boolean value when it 504 appears in Dictionary values. 506 A Dictionary with a member whose value is an Inner List of Tokens: 508 Example-DictList: rating=1.5, feelings=(joy sadness) 510 A Dictionary with a mix of Items and Inner Lists, some with 511 Parameters: 513 Example-MixDict: a=(1 2), b=3, c=4;aa=bb, d=(5 6);valid 515 As with lists, an empty Dictionary is represented by omitting the 516 entire field. This implies that fields defined as Dictionaries have 517 a default empty value. 519 Typically, a field specification will define the semantics of 520 Dictionaries by specifying the allowed type(s) for individual members 521 by their names, as well as whether their presence is required or 522 optional. Recipients MUST ignore names that are undefined or 523 unknown, unless the field's specification specifically disallows 524 them. 526 Note that Dictionaries can have their members split across multiple 527 lines inside a header or trailer section; for example, the following 528 are equivalent: 530 Example-Hdr: foo=1, bar=2 532 and 534 Example-Hdr: foo=1 535 Example-Hdr: bar=2 537 However, individual members of a Dictionary cannot be safely split 538 between lines; see Section 4.2 for details. 540 Parsers MUST support Dictionaries containing at least 1024 name/value 541 pairs, and names with at least 64 characters. Field specifications 542 can constrain the order of individual Dictionary members, as well as 543 their values' types as required. 545 3.3. Items 547 An Item can be a Integer (Section 3.3.1), Decimal (Section 3.3.2), 548 String (Section 3.3.3), Token (Section 3.3.4), Byte Sequence 549 (Section 3.3.5), or Boolean (Section 3.3.6). It can have associated 550 Parameters (Section 3.1.2). 552 The ABNF for Items is: 554 sf-item = bare-item parameters 555 bare-item = sf-integer / sf-decimal / sf-string / sf-token 556 / sf-binary / sf-boolean 558 For example, a header field that is defined to be an Item that is an 559 Integer might look like: 561 Example-IntItemHeader: 5 563 or with Parameters: 565 Example-IntItem: 5; foo=bar 567 3.3.1. Integers 569 Integers have a range of -999,999,999,999,999 to 999,999,999,999,999 570 inclusive (i.e., up to fifteen digits, signed), for IEEE 754 571 compatibility ([IEEE754]). 573 The ABNF for Integers is: 575 sf-integer = ["-"] 1*15DIGIT 577 For example: 579 Example-Integer: 42 581 Integers larger than 15 digits can be supported in a variety of ways; 582 for example, by using a String (Section 3.3.3), Byte Sequence 583 (Section 3.3.5), or a parameter on an Integer that acts as a scaling 584 factor. 586 While it is possible to serialise Integers with leading zeros (e.g., 587 "0002", "-01") and signed zero ("-0"), these distinctions may not be 588 preserved by implementations. 590 Note that commas in Integers are used in this section's prose only 591 for readability; they are not valid in the wire format. 593 3.3.2. Decimals 595 Decimals are numbers with an integer and a fractional component. The 596 integer component has at most 12 digits; the fractional component has 597 at most three digits. 599 The ABNF for decimals is: 601 sf-decimal = ["-"] 1*12DIGIT "." 1*3DIGIT 602 For example, a header whose value is defined as a Decimal could look 603 like: 605 Example-Decimal: 4.5 607 While it is possible to serialise Decimals with leading zeros (e.g., 608 "0002.5", "-01.334"), trailing zeros (e.g., "5.230", "-0.40"), and 609 signed zero (e.g., "-0.0"), these distinctions may not be preserved 610 by implementations. 612 Note that the serialisation algorithm (Section 4.1.5) rounds input 613 with more than three digits of precision in the fractional component. 614 If an alternative rounding strategy is desired, this should be 615 specified by the header definition to occur before serialisation. 617 3.3.3. Strings 619 Strings are zero or more printable ASCII [RFC0020] characters (i.e., 620 the range %x20 to %x7E). Note that this excludes tabs, newlines, 621 carriage returns, etc. 623 The ABNF for Strings is: 625 sf-string = DQUOTE *chr DQUOTE 626 chr = unescaped / escaped 627 unescaped = %x20-21 / %x23-5B / %x5D-7E 628 escaped = "\" ( DQUOTE / "\" ) 630 Strings are delimited with double quotes, using a backslash ("\") to 631 escape double quotes and backslashes. For example: 633 Example-String: "hello world" 635 Note that Strings only use DQUOTE as a delimiter; single quotes do 636 not delimit Strings. Furthermore, only DQUOTE and "\" can be 637 escaped; other characters after "\" MUST cause parsing to fail. 639 Unicode is not directly supported in Strings, because it causes a 640 number of interoperability issues, and - with few exceptions - field 641 values do not require it. 643 When it is necessary for a field value to convey non-ASCII content, a 644 Byte Sequence (Section 3.3.5) can be specified, along with a 645 character encoding (preferably [UTF-8]). 647 Parsers MUST support Strings (after any decoding) with at least 1024 648 characters. 650 3.3.4. Tokens 652 Tokens are short textual words; their abstract model is identical to 653 their expression in the HTTP field value serialization. 655 The ABNF for Tokens is: 657 sf-token = ( ALPHA / "*" ) *( tchar / ":" / "/" ) 659 For example: 661 Example-Token: foo123/456 663 Parsers MUST support Tokens with at least 512 characters. 665 Note that Token allows the same characters as the "token" ABNF rule 666 defined in [RFC7230], with the exceptions that the first character is 667 required to be either ALPHA or "*", and ":" and "/" are also allowed 668 in subsequent characters. 670 3.3.5. Byte Sequences 672 Byte Sequences can be conveyed in Structured Fields. 674 The ABNF for a Byte Sequence is: 676 sf-binary = ":" *(base64) ":" 677 base64 = ALPHA / DIGIT / "+" / "/" / "=" 679 A Byte Sequence is delimited with colons and encoded using base64 680 ([RFC4648], Section 4). For example: 682 Example-Binary: :cHJldGVuZCB0aGlzIGlzIGJpbmFyeSBjb250ZW50Lg==: 684 Parsers MUST support Byte Sequences with at least 16384 octets after 685 decoding. 687 3.3.6. Booleans 689 Boolean values can be conveyed in Structured Fields. 691 The ABNF for a Boolean is: 693 sf-boolean = "?" boolean 694 boolean = "0" / "1" 696 A Boolean is indicated with a leading "?" character followed by a "1" 697 for a true value or "0" for false. For example: 699 Example-Bool: ?1 701 Note that in Dictionary (Section 3.2) and Parameter (Section 3.1.2) 702 values, Boolean true is indicated by omitting the value. 704 4. Working With Structured Fields in HTTP 706 This section defines how to serialize and parse Structured Fields in 707 textual HTTP field values and other encodings compatible with them 708 (e.g., in HTTP/2 [RFC7540] before compression with HPACK [RFC7541]). 710 4.1. Serializing Structured Fields 712 Given a structure defined in this specification, return an ASCII 713 string suitable for use in a HTTP field value. 715 1. If the structure is a Dictionary or List and its value is empty 716 (i.e., it has no members), do not serialize the field at all 717 (i.e., omit both the field-name and field-value). 719 2. If the structure is a List, let output_string be the result of 720 running Serializing a List (Section 4.1.1) with the structure. 722 3. Else if the structure is a Dictionary, let output_string be the 723 result of running Serializing a Dictionary (Section 4.1.2) with 724 the structure. 726 4. Else if the structure is an Item, let output_string be the result 727 of running Serializing an Item (Section 4.1.3) with the 728 structure. 730 5. Else, fail serialization. 732 6. Return output_string converted into an array of bytes, using 733 ASCII encoding [RFC0020]. 735 4.1.1. Serializing a List 737 Given an array of (member_value, parameters) tuples as input_list, 738 return an ASCII string suitable for use in a HTTP field value. 740 1. Let output be an empty string. 742 2. For each (member_value, parameters) of input_list: 744 1. If member_value is an array, append the result of running 745 Serializing an Inner List (Section 4.1.1.1) with 746 (member_value, parameters) to output. 748 2. Otherwise, append the result of running Serializing an Item 749 (Section 4.1.3) with (member_value, parameters) to output. 751 3. If more member_values remain in input_list: 753 1. Append "," to output. 755 2. Append a single SP to output. 757 3. Return output. 759 4.1.1.1. Serializing an Inner List 761 Given an array of (member_value, parameters) tuples as inner_list, 762 and parameters as list_parameters, return an ASCII string suitable 763 for use in a HTTP field value. 765 1. Let output be the string "(". 767 2. For each (member_value, parameters) of inner_list: 769 1. Append the result of running Serializing an Item 770 (Section 4.1.3) with (member_value, parameters) to output. 772 2. If more values remain in inner_list, append a single SP to 773 output. 775 3. Append ")" to output. 777 4. Append the result of running Serializing Parameters 778 (Section 4.1.1.2) with list_parameters to output. 780 5. Return output. 782 4.1.1.2. Serializing Parameters 784 Given an ordered Dictionary as input_parameters (each member having a 785 param_name and a param_value), return an ASCII string suitable for 786 use in a HTTP field value. 788 1. Let output be an empty string. 790 2. For each param_name with a value of param_value in 791 input_parameters: 793 1. Append ";" to output. 795 2. Append the result of running Serializing a Key 796 (Section 4.1.1.3) with param_name to output. 798 3. If param_value is not Boolean true: 800 1. Append "=" to output. 802 2. Append the result of running Serializing a bare Item 803 (Section 4.1.3.1) with param_value to output. 805 3. Return output. 807 4.1.1.3. Serializing a Key 809 Given a key as input_key, return an ASCII string suitable for use in 810 a HTTP field value. 812 1. Convert input_key into a sequence of ASCII characters; if 813 conversion fails, fail serialization. 815 2. If input_key contains characters not in lcalpha, DIGIT, "_", "-", 816 ".", or "*" fail serialization. 818 3. If the first character of input_key is not lcalpha or "*", fail 819 serialization. 821 4. Let output be an empty string. 823 5. Append input_key to output. 825 6. Return output. 827 4.1.2. Serializing a Dictionary 829 Given an ordered Dictionary as input_dictionary (each member having a 830 member_name and a tuple value of (member_value, parameters)), return 831 an ASCII string suitable for use in a HTTP field value. 833 1. Let output be an empty string. 835 2. For each member_name with a value of (member_value, parameters) 836 in input_dictionary: 838 1. Append the result of running Serializing a Key 839 (Section 4.1.1.3) with member's member_name to output. 841 2. If member_value is Boolean true: 843 1. Append the result of running Serializing Parameters 844 (Section 4.1.1.2) with parameters to output. 846 3. Otherwise: 848 1. Append "=" to output. 850 2. If member_value is an array, append the result of running 851 Serializing an Inner List (Section 4.1.1.1) with 852 (member_value, parameters) to output. 854 3. Otherwise, append the result of running Serializing an 855 Item (Section 4.1.3) with (member_value, parameters) to 856 output. 858 4. If more members remain in input_dictionary: 860 1. Append "," to output. 862 2. Append a single SP to output. 864 3. Return output. 866 4.1.3. Serializing an Item 868 Given an Item as bare_item and Parameters as item_parameters, return 869 an ASCII string suitable for use in a HTTP field value. 871 1. Let output be an empty string. 873 2. Append the result of running Serializing a Bare Item 874 Section 4.1.3.1 with bare_item to output. 876 3. Append the result of running Serializing Parameters 877 Section 4.1.1.2 with item_parameters to output. 879 4. Return output. 881 4.1.3.1. Serializing a Bare Item 883 Given an Item as input_item, return an ASCII string suitable for use 884 in a HTTP field value. 886 1. If input_item is an Integer, return the result of running 887 Serializing an Integer (Section 4.1.4) with input_item. 889 2. If input_item is a Decimal, return the result of running 890 Serializing a Decimal (Section 4.1.5) with input_item. 892 3. If input_item is a String, return the result of running 893 Serializing a String (Section 4.1.6) with input_item. 895 4. If input_item is a Token, return the result of running 896 Serializing a Token (Section 4.1.7) with input_item. 898 5. If input_item is a Boolean, return the result of running 899 Serializing a Boolean (Section 4.1.9) with input_item. 901 6. If input_item is a Byte Sequence, return the result of running 902 Serializing a Byte Sequence (Section 4.1.8) with input_item. 904 7. Otherwise, fail serialization. 906 4.1.4. Serializing an Integer 908 Given an Integer as input_integer, return an ASCII string suitable 909 for use in a HTTP field value. 911 1. If input_integer is not an integer in the range of 912 -999,999,999,999,999 to 999,999,999,999,999 inclusive, fail 913 serialization. 915 2. Let output be an empty string. 917 3. If input_integer is less than (but not equal to) 0, append "-" to 918 output. 920 4. Append input_integer's numeric value represented in base 10 using 921 only decimal digits to output. 923 5. Return output. 925 4.1.5. Serializing a Decimal 927 Given a decimal number as input_decimal, return an ASCII string 928 suitable for use in a HTTP field value. 930 1. If input_decimal is not a decimal number, fail serialization. 932 2. If input_decimal has more than three significant digits to the 933 right of the decimal point, round it to three decimal places, 934 rounding the final digit to the nearest value, or to the even 935 value if it is equidistant. 937 3. If input_decimal has more than 12 significant digits to the left 938 of the decimal point after rounding, fail serialization. 940 4. Let output be an empty string. 942 5. If input_decimal is less than (but not equal to) 0, append "-" 943 to output. 945 6. Append input_decimal's integer component represented in base 10 946 (using only decimal digits) to output; if it is zero, append 947 "0". 949 7. Append "." to output. 951 8. If input_decimal's fractional component is zero, append "0" to 952 output. 954 9. Otherwise, append the significant digits of input_decimal's 955 fractional component represented in base 10 (using only decimal 956 digits) to output. 958 10. Return output. 960 4.1.6. Serializing a String 962 Given a String as input_string, return an ASCII string suitable for 963 use in a HTTP field value. 965 1. Convert input_string into a sequence of ASCII characters; if 966 conversion fails, fail serialization. 968 2. If input_string contains characters in the range %x00-1f or %x7f 969 (i.e., not in VCHAR or SP), fail serialization. 971 3. Let output be the string DQUOTE. 973 4. For each character char in input_string: 975 1. If char is "\" or DQUOTE: 977 1. Append "\" to output. 979 2. Append char to output. 981 5. Append DQUOTE to output. 983 6. Return output. 985 4.1.7. Serializing a Token 987 Given a Token as input_token, return an ASCII string suitable for use 988 in a HTTP field value. 990 1. Convert input_token into a sequence of ASCII characters; if 991 conversion fails, fail serialization. 993 2. If the first character of input_token is not ALPHA or "*", or the 994 remaining portion contains a character not in tchar, ":" or "/", 995 fail serialization. 997 3. Let output be an empty string. 999 4. Append input_token to output. 1001 5. Return output. 1003 4.1.8. Serializing a Byte Sequence 1005 Given a Byte Sequence as input_bytes, return an ASCII string suitable 1006 for use in a HTTP field value. 1008 1. If input_bytes is not a sequence of bytes, fail serialization. 1010 2. Let output be an empty string. 1012 3. Append ":" to output. 1014 4. Append the result of base64-encoding input_bytes as per 1015 [RFC4648], Section 4, taking account of the requirements below. 1017 5. Append ":" to output. 1019 6. Return output. 1021 The encoded data is required to be padded with "=", as per [RFC4648], 1022 Section 3.2. 1024 Likewise, encoded data SHOULD have pad bits set to zero, as per 1025 [RFC4648], Section 3.5, unless it is not possible to do so due to 1026 implementation constraints. 1028 4.1.9. Serializing a Boolean 1030 Given a Boolean as input_boolean, return an ASCII string suitable for 1031 use in a HTTP field value. 1033 1. If input_boolean is not a boolean, fail serialization. 1035 2. Let output be an empty string. 1037 3. Append "?" to output. 1039 4. If input_boolean is true, append "1" to output. 1041 5. If input_boolean is false, append "0" to output. 1043 6. Return output. 1045 4.2. Parsing Structured Fields 1047 When a receiving implementation parses HTTP fields that are known to 1048 be Structured Fields, it is important that care be taken, as there 1049 are a number of edge cases that can cause interoperability or even 1050 security problems. This section specifies the algorithm for doing 1051 so. 1053 Given an array of bytes input_bytes that represents the chosen 1054 field's field-value (which is empty if that field is not present), 1055 and field_type (one of "dictionary", "list", or "item"), return the 1056 parsed header value. 1058 1. Convert input_bytes into an ASCII string input_string; if 1059 conversion fails, fail parsing. 1061 2. Discard any leading SP characters from input_string. 1063 3. If field_type is "list", let output be the result of running 1064 Parsing a List (Section 4.2.1) with input_string. 1066 4. If field_type is "dictionary", let output be the result of 1067 running Parsing a Dictionary (Section 4.2.2) with input_string. 1069 5. If field_type is "item", let output be the result of running 1070 Parsing an Item (Section 4.2.3) with input_string. 1072 6. Discard any leading SP characters from input_string. 1074 7. If input_string is not empty, fail parsing. 1076 8. Otherwise, return output. 1078 When generating input_bytes, parsers MUST combine all field lines in 1079 the same section (header or trailer) that case-insensitively match 1080 the field name into one comma-separated field-value, as per 1082 [RFC7230], Section 3.2.2; this assures that the entire field value is 1083 processed correctly. 1085 For Lists and Dictionaries, this has the effect of correctly 1086 concatenating all of the field's lines, as long as individual members 1087 of the top-level data structure are not split across multiple header 1088 instances. The parsing algorithms for both types allow tab 1089 characters, since these might be used to combine field lines by some 1090 implementations. 1092 Strings split across multiple field lines will have unpredictable 1093 results, because comma(s) and whitespace inserted upon combination 1094 will become part of the string output by the parser. Since 1095 concatenation might be done by an upstream intermediary, the results 1096 are not under the control of the serializer or the parser, even when 1097 they are both under the control of the same party. 1099 Tokens, Integers, Decimals and Byte Sequences cannot be split across 1100 multiple field lines because the inserted commas will cause parsing 1101 to fail. 1103 Parsers MAY fail when processing a field value spread across multiple 1104 field lines, when one of those lines does not parse as that field. 1105 For example, a parsing handling an Example-String field that's 1106 defined as a sf-string is allowed to fail when processing this field 1107 section: 1109 Example-String: "foo 1110 Example-String: bar" 1112 If parsing fails - including when calling another algorithm - the 1113 entire field value MUST be ignored (i.e., treated as if the field 1114 were not present in the section). This is intentionally strict, to 1115 improve interoperability and safety, and specifications referencing 1116 this document are not allowed to loosen this requirement. 1118 Note that this requirement does not apply to an implementation that 1119 is not parsing the field; for example, an intermediary is not 1120 required to strip a failing field from a message before forwarding 1121 it. 1123 4.2.1. Parsing a List 1125 Given an ASCII string as input_string, return an array of 1126 (item_or_inner_list, parameters) tuples. input_string is modified to 1127 remove the parsed value. 1129 1. Let members be an empty array. 1131 2. While input_string is not empty: 1133 1. Append the result of running Parsing an Item or Inner List 1134 (Section 4.2.1.1) with input_string to members. 1136 2. Discard any leading OWS characters from input_string. 1138 3. If input_string is empty, return members. 1140 4. Consume the first character of input_string; if it is not 1141 ",", fail parsing. 1143 5. Discard any leading OWS characters from input_string. 1145 6. If input_string is empty, there is a trailing comma; fail 1146 parsing. 1148 3. No structured data has been found; return members (which is 1149 empty). 1151 4.2.1.1. Parsing an Item or Inner List 1153 Given an ASCII string as input_string, return the tuple 1154 (item_or_inner_list, parameters), where item_or_inner_list can be 1155 either a single bare item, or an array of (bare_item, parameters) 1156 tuples. input_string is modified to remove the parsed value. 1158 1. If the first character of input_string is "(", return the result 1159 of running Parsing an Inner List (Section 4.2.1.2) with 1160 input_string. 1162 2. Return the result of running Parsing an Item (Section 4.2.3) with 1163 input_string. 1165 4.2.1.2. Parsing an Inner List 1167 Given an ASCII string as input_string, return the tuple (inner_list, 1168 parameters), where inner_list is an array of (bare_item, parameters) 1169 tuples. input_string is modified to remove the parsed value. 1171 1. Consume the first character of input_string; if it is not "(", 1172 fail parsing. 1174 2. Let inner_list be an empty array. 1176 3. While input_string is not empty: 1178 1. Discard any leading SP characters from input_string. 1180 2. If the first character of input_string is ")": 1182 1. Consume the first character of input_string. 1184 2. Let parameters be the result of running Parsing 1185 Parameters (Section 4.2.3.2) with input_string. 1187 3. Return the tuple (inner_list, parameters). 1189 3. Let item be the result of running Parsing an Item 1190 (Section 4.2.3) with input_string. 1192 4. Append item to inner_list. 1194 5. If the first character of input_string is not SP or ")", fail 1195 parsing. 1197 4. The end of the inner list was not found; fail parsing. 1199 4.2.2. Parsing a Dictionary 1201 Given an ASCII string as input_string, return an ordered map whose 1202 values are (item_or_inner_list, parameters) tuples. input_string is 1203 modified to remove the parsed value. 1205 1. Let dictionary be an empty, ordered map. 1207 2. While input_string is not empty: 1209 1. Let this_key be the result of running Parsing a Key 1210 (Section 4.2.3.3) with input_string. 1212 2. If the first character of input_string is "=": 1214 1. Consume the first character of input_string. 1216 2. Let member be the result of running Parsing an Item or 1217 Inner List (Section 4.2.1.1) with input_string. 1219 3. Otherwise: 1221 1. Let value be Boolean true. 1223 2. Let parameters be the result of running Parsing 1224 Parameters Section 4.2.3.2 with input_string. 1226 3. Let member be the tuple (value, parameters). 1228 4. Add name this_key with value member to dictionary. If 1229 dictionary already contains a name this_key (comparing 1230 character-for-character), overwrite its value. 1232 5. Discard any leading OWS characters from input_string. 1234 6. If input_string is empty, return dictionary. 1236 7. Consume the first character of input_string; if it is not 1237 ",", fail parsing. 1239 8. Discard any leading OWS characters from input_string. 1241 9. If input_string is empty, there is a trailing comma; fail 1242 parsing. 1244 3. No structured data has been found; return dictionary (which is 1245 empty). 1247 Note that when duplicate Dictionary keys are encountered, this has 1248 the effect of ignoring all but the last instance. 1250 4.2.3. Parsing an Item 1252 Given an ASCII string as input_string, return a (bare_item, 1253 parameters) tuple. input_string is modified to remove the parsed 1254 value. 1256 1. Let bare_item be the result of running Parsing a Bare Item 1257 (Section 4.2.3.1) with input_string. 1259 2. Let parameters be the result of running Parsing Parameters 1260 (Section 4.2.3.2) with input_string. 1262 3. Return the tuple (bare_item, parameters). 1264 4.2.3.1. Parsing a Bare Item 1266 Given an ASCII string as input_string, return a bare Item. 1267 input_string is modified to remove the parsed value. 1269 1. If the first character of input_string is a "-" or a DIGIT, 1270 return the result of running Parsing an Integer or Decimal 1271 (Section 4.2.4) with input_string. 1273 2. If the first character of input_string is a DQUOTE, return the 1274 result of running Parsing a String (Section 4.2.5) with 1275 input_string. 1277 3. If the first character of input_string is ":", return the result 1278 of running Parsing a Byte Sequence (Section 4.2.7) with 1279 input_string. 1281 4. If the first character of input_string is "?", return the result 1282 of running Parsing a Boolean (Section 4.2.8) with input_string. 1284 5. If the first character of input_string is an ALPHA or "*", return 1285 the result of running Parsing a Token (Section 4.2.6) with 1286 input_string. 1288 6. Otherwise, the item type is unrecognized; fail parsing. 1290 4.2.3.2. Parsing Parameters 1292 Given an ASCII string as input_string, return an ordered map whose 1293 values are bare Items. input_string is modified to remove the parsed 1294 value. 1296 1. Let parameters be an empty, ordered map. 1298 2. While input_string is not empty: 1300 1. If the first character of input_string is not ";", exit the 1301 loop. 1303 2. Consume a ";" character from the beginning of input_string. 1305 3. Discard any leading SP characters from input_string. 1307 4. let param_name be the result of running Parsing a Key 1308 (Section 4.2.3.3) with input_string. 1310 5. Let param_value be Boolean true. 1312 6. If the first character of input_string is "=": 1314 1. Consume the "=" character at the beginning of 1315 input_string. 1317 2. Let param_value be the result of running Parsing a Bare 1318 Item (Section 4.2.3.1) with input_string. 1320 7. Append key param_name with value param_value to parameters. 1321 If parameters already contains a name param_name (comparing 1322 character-for-character), overwrite its value. 1324 3. Return parameters. 1326 Note that when duplicate Parameter keys are encountered, this has the 1327 effect of ignoring all but the last instance. 1329 4.2.3.3. Parsing a Key 1331 Given an ASCII string as input_string, return a key. input_string is 1332 modified to remove the parsed value. 1334 1. If the first character of input_string is not lcalpha or "*", 1335 fail parsing. 1337 2. Let output_string be an empty string. 1339 3. While input_string is not empty: 1341 1. If the first character of input_string is not one of lcalpha, 1342 DIGIT, "_", "-", ".", or "*", return output_string. 1344 2. Let char be the result of consuming the first character of 1345 input_string. 1347 3. Append char to output_string. 1349 4. Return output_string. 1351 4.2.4. Parsing an Integer or Decimal 1353 Given an ASCII string as input_string, return an Integer or Decimal. 1354 input_string is modified to remove the parsed value. 1356 NOTE: This algorithm parses both Integers (Section 3.3.1) and 1357 Decimals (Section 3.3.2), and returns the corresponding structure. 1359 1. Let type be "integer". 1361 2. Let sign be 1. 1363 3. Let input_number be an empty string. 1365 4. If the first character of input_string is "-", consume it and 1366 set sign to -1. 1368 5. If input_string is empty, there is an empty integer; fail 1369 parsing. 1371 6. If the first character of input_string is not a DIGIT, fail 1372 parsing. 1374 7. While input_string is not empty: 1376 1. Let char be the result of consuming the first character of 1377 input_string. 1379 2. If char is a DIGIT, append it to input_number. 1381 3. Else, if type is "integer" and char is ".": 1383 1. If input_number contains more than 12 characters, fail 1384 parsing. 1386 2. Otherwise, append char to input_number and set type to 1387 "decimal". 1389 4. Otherwise, prepend char to input_string, and exit the loop. 1391 5. If type is "integer" and input_number contains more than 15 1392 characters, fail parsing. 1394 6. If type is "decimal" and input_number contains more than 16 1395 characters, fail parsing. 1397 8. If type is "integer": 1399 1. Parse input_number as an integer and let output_number be 1400 the product of the result and sign. 1402 2. If output_number is outside the range -999,999,999,999,999 1403 to 999,999,999,999,999 inclusive, fail parsing. 1405 9. Otherwise: 1407 1. If the final character of input_number is ".", fail parsing. 1409 2. If the number of characters after "." in input_number is 1410 greater than three, fail parsing. 1412 3. Parse input_number as a decimal number and let output_number 1413 be the product of the result and sign. 1415 10. Return output_number. 1417 4.2.5. Parsing a String 1419 Given an ASCII string as input_string, return an unquoted String. 1420 input_string is modified to remove the parsed value. 1422 1. Let output_string be an empty string. 1424 2. If the first character of input_string is not DQUOTE, fail 1425 parsing. 1427 3. Discard the first character of input_string. 1429 4. While input_string is not empty: 1431 1. Let char be the result of consuming the first character of 1432 input_string. 1434 2. If char is a backslash ("\"): 1436 1. If input_string is now empty, fail parsing. 1438 2. Let next_char be the result of consuming the first 1439 character of input_string. 1441 3. If next_char is not DQUOTE or "\", fail parsing. 1443 4. Append next_char to output_string. 1445 3. Else, if char is DQUOTE, return output_string. 1447 4. Else, if char is in the range %x00-1f or %x7f (i.e., is not 1448 in VCHAR or SP), fail parsing. 1450 5. Else, append char to output_string. 1452 5. Reached the end of input_string without finding a closing DQUOTE; 1453 fail parsing. 1455 4.2.6. Parsing a Token 1457 Given an ASCII string as input_string, return a Token. input_string 1458 is modified to remove the parsed value. 1460 1. If the first character of input_string is not ALPHA or "*", fail 1461 parsing. 1463 2. Let output_string be an empty string. 1465 3. While input_string is not empty: 1467 1. If the first character of input_string is not in tchar, ":" 1468 or "/", return output_string. 1470 2. Let char be the result of consuming the first character of 1471 input_string. 1473 3. Append char to output_string. 1475 4. Return output_string. 1477 4.2.7. Parsing a Byte Sequence 1479 Given an ASCII string as input_string, return a Byte Sequence. 1480 input_string is modified to remove the parsed value. 1482 1. If the first character of input_string is not ":", fail parsing. 1484 2. Discard the first character of input_string. 1486 3. If there is not a ":" character before the end of input_string, 1487 fail parsing. 1489 4. Let b64_content be the result of consuming content of 1490 input_string up to but not including the first instance of the 1491 character ":". 1493 5. Consume the ":" character at the beginning of input_string. 1495 6. If b64_content contains a character not included in ALPHA, DIGIT, 1496 "+", "/" and "=", fail parsing. 1498 7. Let binary_content be the result of Base 64 Decoding [RFC4648] 1499 b64_content, synthesizing padding if necessary (note the 1500 requirements about recipient behavior below). 1502 8. Return binary_content. 1504 Because some implementations of base64 do not allow rejection of 1505 encoded data that is not properly "=" padded (see [RFC4648], 1506 Section 3.2), parsers SHOULD NOT fail when "=" padding is not 1507 present, unless they cannot be configured to do so. 1509 Because some implementations of base64 do not allow rejection of 1510 encoded data that has non-zero pad bits (see [RFC4648], Section 3.5), 1511 parsers SHOULD NOT fail when non-zero pad bits are present, unless 1512 they cannot be configured to do so. 1514 This specification does not relax the requirements in [RFC4648], 1515 Section 3.1 and 3.3; therefore, parsers MUST fail on characters 1516 outside the base64 alphabet, and on line feeds in encoded data. 1518 4.2.8. Parsing a Boolean 1520 Given an ASCII string as input_string, return a Boolean. input_string 1521 is modified to remove the parsed value. 1523 1. If the first character of input_string is not "?", fail parsing. 1525 2. Discard the first character of input_string. 1527 3. If the first character of input_string matches "1", discard the 1528 first character, and return true. 1530 4. If the first character of input_string matches "0", discard the 1531 first character, and return false. 1533 5. No value has matched; fail parsing. 1535 5. IANA Considerations 1537 This document has no actions for IANA. 1539 6. Security Considerations 1541 The size of most types defined by Structured Fields is not limited; 1542 as a result, extremely large fields could be an attack vector (e.g., 1543 for resource consumption). Most HTTP implementations limit the sizes 1544 of individual fields as well as the overall header or trailer section 1545 size to mitigate such attacks. 1547 It is possible for parties with the ability to inject new HTTP fields 1548 to change the meaning of a Structured Field. In some circumstances, 1549 this will cause parsing to fail, but it is not possible to reliably 1550 fail in all such circumstances. 1552 7. References 1554 7.1. Normative References 1556 [RFC0020] Cerf, V., "ASCII format for network interchange", STD 80, 1557 RFC 20, DOI 10.17487/RFC0020, October 1969, 1558 . 1560 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1561 Requirement Levels", BCP 14, RFC 2119, 1562 DOI 10.17487/RFC2119, March 1997, 1563 . 1565 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 1566 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 1567 . 1569 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 1570 Specifications: ABNF", STD 68, RFC 5234, 1571 DOI 10.17487/RFC5234, January 2008, 1572 . 1574 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 1575 Protocol (HTTP/1.1): Message Syntax and Routing", 1576 RFC 7230, DOI 10.17487/RFC7230, June 2014, 1577 . 1579 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1580 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1581 May 2017, . 1583 7.2. Informative References 1585 [IEEE754] IEEE, "IEEE Standard for Floating-Point Arithmetic", 1586 IEEE 754-2019, DOI 10.1109/IEEESTD.2019.8766229, 1587 ISBN 978-1-5044-5924-2, July 2019, 1588 . 1590 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 1591 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 1592 DOI 10.17487/RFC7231, June 2014, 1593 . 1595 [RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, 1596 DOI 10.17487/RFC7493, March 2015, 1597 . 1599 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 1600 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 1601 DOI 10.17487/RFC7540, May 2015, 1602 . 1604 [RFC7541] Peon, R. and H. Ruellan, "HPACK: Header Compression for 1605 HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015, 1606 . 1608 [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 1609 Interchange Format", STD 90, RFC 8259, 1610 DOI 10.17487/RFC8259, December 2017, 1611 . 1613 [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 1614 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 1615 2003, . 1617 7.3. URIs 1619 [1] https://lists.w3.org/Archives/Public/ietf-http-wg/ 1621 [2] https://httpwg.github.io/ 1623 [3] https://github.com/httpwg/http-extensions/labels/header-structure 1625 [4] https://github.com/httpwg/structured-field-tests 1627 [5] https://github.com/httpwg/wiki/wiki/Structured-Headers 1629 [6] https://github.com/httpwg/structured-field-tests 1631 Appendix A. Frequently Asked Questions 1633 A.1. Why not JSON? 1635 Earlier proposals for Structured Fields were based upon JSON 1636 [RFC8259]. However, constraining its use to make it suitable for 1637 HTTP header fields required senders and recipients to implement 1638 specific additional handling. 1640 For example, JSON has specification issues around large numbers and 1641 objects with duplicate members. Although advice for avoiding these 1642 issues is available (e.g., [RFC7493]), it cannot be relied upon. 1644 Likewise, JSON strings are by default Unicode strings, which have a 1645 number of potential interoperability issues (e.g., in comparison). 1646 Although implementers can be advised to avoid non-ASCII content where 1647 unnecessary, this is difficult to enforce. 1649 Another example is JSON's ability to nest content to arbitrary 1650 depths. Since the resulting memory commitment might be unsuitable 1651 (e.g., in embedded and other limited server deployments), it's 1652 necessary to limit it in some fashion; however, existing JSON 1653 implementations have no such limits, and even if a limit is 1654 specified, it's likely that some field definition will find a need to 1655 violate it. 1657 Because of JSON's broad adoption and implementation, it is difficult 1658 to impose such additional constraints across all implementations; 1659 some deployments would fail to enforce them, thereby harming 1660 interoperability. In short, if it looks like JSON, people will be 1661 tempted to use a JSON parser / serializer on field values. 1663 Since a major goal for Structured Fields is to improve 1664 interoperability and simplify implementation, these concerns led to a 1665 format that requires a dedicated parser and serializer. 1667 Additionally, there were widely shared feelings that JSON doesn't 1668 "look right" in HTTP fields. 1670 Appendix B. Implementation Notes 1672 A generic implementation of this specification should expose the top- 1673 level serialize (Section 4.1) and parse (Section 4.2) functions. 1674 They need not be functions; for example, it could be implemented as 1675 an object, with methods for each of the different top-level types. 1677 For interoperability, it's important that generic implementations be 1678 complete and follow the algorithms closely; see Section 1.1. To aid 1679 this, a common test suite is being maintained by the community at 1680 https://github.com/httpwg/structured-field-tests [6]. 1682 Implementers should note that Dictionaries and Parameters are order- 1683 preserving maps. Some fields may not convey meaning in the ordering 1684 of these data types, but it should still be exposed so that 1685 applications which need to use it will have it available. 1687 Likewise, implementations should note that it's important to preserve 1688 the distinction between Tokens and Strings. While most programming 1689 languages have native types that map to the other types well, it may 1690 be necessary to create a wrapper "token" object or use a parameter on 1691 functions to assure that these types remain separate. 1693 The serialization algorithm is defined in a way that it is not 1694 strictly limited to the data types defined in Section 3 in every 1695 case. For example, Decimals are designed to take broader input and 1696 round to allowed values. 1698 Implementations are allowed to limit the allowed size of different 1699 structures, subject to the minimums defined for each type. When a 1700 structure exceeds an implementation limit, that structure fails 1701 parsing or serialisation. 1703 Appendix C. Changes 1705 _RFC Editor: Please remove this section before publication._ 1707 C.1. Since draft-ietf-httpbis-header-structure-18 1709 o Use "sf-" prefix for ABNF, not "sh-". 1711 o Fix indentation in Dictionary serialisation (#1164). 1713 o Add example for Token; tweak example field names (#1147). 1715 o Editorial improvements. 1717 o Note that exceeding implementation limits implies failure. 1719 o Talk about specifying order of Dictionary members and Parameters, 1720 not cardinality. 1722 o Allow (but don't require) parsers to fail when a single field line 1723 isn't valid. 1725 o Note that some aspects of Integers and Decimals are not 1726 necessarily preserved. 1728 o Allow Lists and Dictionaries to be delimited by OWS, rather than 1729 *SP, to make parsing more robust. 1731 C.2. Since draft-ietf-httpbis-header-structure-17 1733 o Editorial improvements. 1735 C.3. Since draft-ietf-httpbis-header-structure-16 1737 o Editorial improvements. 1739 o Discussion on forwards compatibility. 1741 C.4. Since draft-ietf-httpbis-header-structure-15 1743 o Editorial improvements. 1745 o Use HTTP field terminology more consistently, in line with recent 1746 changes to HTTP-core. 1748 o String length requirements apply to decoded strings (#1051). 1750 o Correctly round decimals in serialisation (#1043). 1752 o Clarify input to serialisation algorithms (#1055). 1754 o Omitted True dictionary value can have parameters (#1083). 1756 o Keys can now start with '*' (#1068). 1758 C.5. Since draft-ietf-httpbis-header-structure-14 1760 o Editorial improvements. 1762 o Allow empty dictionary values (#992). 1764 o Change value of omitted parameter value to True (#995). 1766 o Explain more about splitting dictionaries and lists across header 1767 instances (#997). 1769 o Disallow HTAB, replace OWS with spaces (#998). 1771 o Change byte sequence delimiters from "*" to ":" (#991). 1773 o Allow tokens to start with "*" (#991). 1775 o Change Floats to fixed-precision Decimals (#982). 1777 o Round the fractional component of decimal, rather than truncating 1778 it (#982). 1780 o Handle duplicate dictionary and parameter keys by overwriting 1781 their values, rather than failing (#997). 1783 o Allow "." in key (#1027). 1785 o Check first character of key in serialisation (#1037). 1787 o Talk about greasing headers (#1015). 1789 C.6. Since draft-ietf-httpbis-header-structure-13 1791 o Editorial improvements. 1793 o Define "structured header name" and "structured header value" 1794 terms (#908). 1796 o Corrected text about valid characters in strings (#931). 1798 o Removed most instances of the word "textual", as it was redundant 1799 (#915). 1801 o Allowed parameters on Items and Inner Lists (#907). 1803 o Expand the range of characters in token (#961). 1805 o Disallow OWS before ";" delimiter in parameters (#961). 1807 C.7. Since draft-ietf-httpbis-header-structure-12 1809 o Editorial improvements. 1811 o Reworked float serialisation (#896). 1813 o Don't add a trailing space in inner-list (#904). 1815 C.8. Since draft-ietf-httpbis-header-structure-11 1817 o Allow * in key (#844). 1819 o Constrain floats to six digits of precision (#848). 1821 o Allow dictionary members to have parameters (#842). 1823 C.9. Since draft-ietf-httpbis-header-structure-10 1825 o Update abstract (#799). 1827 o Input and output are now arrays of bytes (#662). 1829 o Implementations need to preserve difference between token and 1830 string (#790). 1832 o Allow empty dictionaries and lists (#781). 1834 o Change parameterized lists to have primary items (#797). 1836 o Allow inner lists in both dictionaries and lists; removes lists of 1837 lists (#816). 1839 o Subsume Parameterised Lists into Lists (#839). 1841 C.10. Since draft-ietf-httpbis-header-structure-09 1843 o Changed Boolean from T/F to 1/0 (#784). 1845 o Parameters are now ordered maps (#765). 1847 o Clamp integers to 15 digits (#737). 1849 C.11. Since draft-ietf-httpbis-header-structure-08 1851 o Disallow whitespace before items properly (#703). 1853 o Created "key" for use in dictionaries and parameters, rather than 1854 relying on identifier (#702). Identifiers have a separate minimum 1855 supported size. 1857 o Expanded the range of special characters allowed in identifier to 1858 include all of ALPHA, ".", ":", and "%" (#702). 1860 o Use "?" instead of "!" to indicate a Boolean (#719). 1862 o Added "Intentionally Strict Processing" (#684). 1864 o Gave better names for referring specs to use in Parameterised 1865 Lists (#720). 1867 o Added Lists of Lists (#721). 1869 o Rename Identifier to Token (#725). 1871 o Add implementation guidance (#727). 1873 C.12. Since draft-ietf-httpbis-header-structure-07 1875 o Make Dictionaries ordered mappings (#659). 1877 o Changed "binary content" to "byte sequence" to align with Infra 1878 specification (#671). 1880 o Changed "mapping" to "map" for #671. 1882 o Don't fail if byte sequences aren't "=" padded (#658). 1884 o Add Booleans (#683). 1886 o Allow identifiers in items again (#629). 1888 o Disallowed whitespace before items (#703). 1890 o Explain the consequences of splitting a string across multiple 1891 headers (#686). 1893 C.13. Since draft-ietf-httpbis-header-structure-06 1895 o Add a FAQ. 1897 o Allow non-zero pad bits. 1899 o Explicitly check for integers that violate constraints. 1901 C.14. Since draft-ietf-httpbis-header-structure-05 1903 o Reorganise specification to separate parsing out. 1905 o Allow referencing specs to use ABNF. 1907 o Define serialisation algorithms. 1909 o Refine relationship between ABNF, parsing and serialisation 1910 algorithms. 1912 C.15. Since draft-ietf-httpbis-header-structure-04 1914 o Remove identifiers from item. 1916 o Remove most limits on sizes. 1918 o Refine number parsing. 1920 C.16. Since draft-ietf-httpbis-header-structure-03 1922 o Strengthen language around failure handling. 1924 C.17. Since draft-ietf-httpbis-header-structure-02 1926 o Split Numbers into Integers and Floats. 1928 o Define number parsing. 1930 o Tighten up binary parsing and give it an explicit end delimiter. 1932 o Clarify that mappings are unordered. 1934 o Allow zero-length strings. 1936 o Improve string parsing algorithm. 1938 o Improve limits in algorithms. 1940 o Require parsers to combine header fields before processing. 1942 o Throw an error on trailing garbage. 1944 C.18. Since draft-ietf-httpbis-header-structure-01 1946 o Replaced with draft-nottingham-structured-headers. 1948 C.19. Since draft-ietf-httpbis-header-structure-00 1950 o Added signed 64bit integer type. 1952 o Drop UTF8, and settle on BCP137 ::EmbeddedUnicodeChar for h1- 1953 unicode-string. 1955 o Change h1_blob delimiter to ":" since "'" is valid t_char 1957 Acknowledgements 1959 Many thanks to Matthew Kerwin for his detailed feedback and careful 1960 consideration during the development of this specification. 1962 Thanks also to Ian Clelland, Roy Fielding, Anne van Kesteren, Kazuho 1963 Oku, Evert Pot, Julian Reschke, Martin Thomson, Mike West, and 1964 Jeffrey Yasskin for their contributions. 1966 Authors' Addresses 1968 Mark Nottingham 1969 Fastly 1971 Email: mnot@mnot.net 1972 URI: https://www.mnot.net/ 1974 Poul-Henning Kamp 1975 The Varnish Cache Project 1977 Email: phk@varnish-cache.org