idnits 2.17.1 

draft-ietf-httpbis-messaging-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The draft header indicates that this document obsoletes RFC7230, but the
     abstract doesn't seem to directly say this.  It does mention RFC7230
     though, so this could be OK.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008.  The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs.  If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer. 
     Otherwise, the disclaimer is needed and you can ignore this comment. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 7, 2020) is 1510 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC3986' is defined on line 2070, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC7231' is defined on line 2157, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-19) exists of
     draft-ietf-httpbis-cache-07

  -- Possible downref: Normative reference to a draft: ref. 'Caching' 

  ** Downref: Normative reference to an Informational RFC: RFC 1950

  ** Downref: Normative reference to an Informational RFC: RFC 1951

  ** Downref: Normative reference to an Informational RFC: RFC 1952

  == Outdated reference: A later version (-19) exists of
     draft-ietf-httpbis-semantics-07

  -- Possible downref: Normative reference to a draft: ref. 'Semantics' 

  -- Possible downref: Non-RFC (?) normative reference: ref. 'USASCII'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'Welch'

  -- Obsolete informational reference (is this intentional?): RFC 7230 (ref.
     'Err4667') (Obsoleted by RFC 9110, RFC 9112)

  -- Obsolete informational reference (is this intentional?): RFC 2068
     (Obsoleted by RFC 2616)

  -- Duplicate reference: RFC7230, mentioned in 'RFC7230', was also mentioned
     in 'Err4667'.

  -- Obsolete informational reference (is this intentional?): RFC 7230
     (Obsoleted by RFC 9110, RFC 9112)

  -- Obsolete informational reference (is this intentional?): RFC 7231
     (Obsoleted by RFC 9110)


     Summary: 3 errors (**), 0 flaws (~~), 6 warnings (==), 11 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	HTTP Working Group                                      R. Fielding, Ed.
3	Internet-Draft                                                     Adobe
4	Obsoletes: 7230 (if approved)                         M. Nottingham, Ed.
5	Intended status: Standards Track                                  Fastly
6	Expires: September 8, 2020                               J. Reschke, Ed.
7	                                                              greenbytes
8	                                                           March 7, 2020

10	                           HTTP/1.1 Messaging
11	                    draft-ietf-httpbis-messaging-07

13	Abstract

15	   The Hypertext Transfer Protocol (HTTP) is a stateless application-
16	   level protocol for distributed, collaborative, hypertext information
17	   systems.  This document specifies the HTTP/1.1 message syntax,
18	   message parsing, connection management, and related security
19	   concerns.

21	   This document obsoletes portions of RFC 7230.

23	Editorial Note

25	   This note is to be removed before publishing as an RFC.

27	   Discussion of this draft takes place on the HTTP working group
28	   mailing list (ietf-http-wg@w3.org), which is archived at
29	   <https://lists.w3.org/Archives/Public/ietf-http-wg/>.

31	   Working Group information can be found at <https://httpwg.org/>;
32	   source code and issues list for this draft can be found at
33	   <https://github.com/httpwg/http-core>.

35	   The changes in this draft are summarized in Appendix D.8.

37	Status of This Memo

39	   This Internet-Draft is submitted in full conformance with the
40	   provisions of BCP 78 and BCP 79.

42	   Internet-Drafts are working documents of the Internet Engineering
43	   Task Force (IETF).  Note that other groups may also distribute
44	   working documents as Internet-Drafts.  The list of current Internet-
45	   Drafts is at https://datatracker.ietf.org/drafts/current/.

47	   Internet-Drafts are draft documents valid for a maximum of six months
48	   and may be updated, replaced, or obsoleted by other documents at any
49	   time.  It is inappropriate to use Internet-Drafts as reference
50	   material or to cite them other than as "work in progress."

52	   This Internet-Draft will expire on September 8, 2020.

54	Copyright Notice

56	   Copyright (c) 2020 IETF Trust and the persons identified as the
57	   document authors.  All rights reserved.

59	   This document is subject to BCP 78 and the IETF Trust's Legal
60	   Provisions Relating to IETF Documents
61	   (https://trustee.ietf.org/license-info) in effect on the date of
62	   publication of this document.  Please review these documents
63	   carefully, as they describe your rights and restrictions with respect
64	   to this document.  Code Components extracted from this document must
65	   include Simplified BSD License text as described in Section 4.e of
66	   the Trust Legal Provisions and are provided without warranty as
67	   described in the Simplified BSD License.

69	   This document may contain material from IETF Documents or IETF
70	   Contributions published or made publicly available before November
71	   10, 2008.  The person(s) controlling the copyright in some of this
72	   material may not have granted the IETF Trust the right to allow
73	   modifications of such material outside the IETF Standards Process.
74	   Without obtaining an adequate license from the person(s) controlling
75	   the copyright in such materials, this document may not be modified
76	   outside the IETF Standards Process, and derivative works of it may
77	   not be created outside the IETF Standards Process, except to format
78	   it for publication as an RFC or to translate it into languages other
79	   than English.

81	Table of Contents

83	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
84	     1.1.  Requirements Notation . . . . . . . . . . . . . . . . . .   5
85	     1.2.  Syntax Notation . . . . . . . . . . . . . . . . . . . . .   5
86	   2.  Message . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
87	     2.1.  Message Format  . . . . . . . . . . . . . . . . . . . . .   6
88	     2.2.  Message Parsing . . . . . . . . . . . . . . . . . . . . .   7
89	     2.3.  HTTP Version  . . . . . . . . . . . . . . . . . . . . . .   8
90	   3.  Request Line  . . . . . . . . . . . . . . . . . . . . . . . .   9
91	     3.1.  Method  . . . . . . . . . . . . . . . . . . . . . . . . .   9
92	     3.2.  Request Target  . . . . . . . . . . . . . . . . . . . . .  10
93	       3.2.1.  origin-form . . . . . . . . . . . . . . . . . . . . .  10
94	       3.2.2.  absolute-form . . . . . . . . . . . . . . . . . . . .  11
95	       3.2.3.  authority-form  . . . . . . . . . . . . . . . . . . .  11
96	       3.2.4.  asterisk-form . . . . . . . . . . . . . . . . . . . .  11

98	     3.3.  Effective Request URI . . . . . . . . . . . . . . . . . .  12
99	   4.  Status Line . . . . . . . . . . . . . . . . . . . . . . . . .  13
100	   5.  Field Syntax  . . . . . . . . . . . . . . . . . . . . . . . .  14
101	     5.1.  Field Line Parsing  . . . . . . . . . . . . . . . . . . .  15
102	     5.2.  Obsolete Line Folding . . . . . . . . . . . . . . . . . .  16
103	   6.  Message Body  . . . . . . . . . . . . . . . . . . . . . . . .  16
104	     6.1.  Transfer-Encoding . . . . . . . . . . . . . . . . . . . .  17
105	     6.2.  Content-Length  . . . . . . . . . . . . . . . . . . . . .  18
106	     6.3.  Message Body Length . . . . . . . . . . . . . . . . . . .  19
107	   7.  Transfer Codings  . . . . . . . . . . . . . . . . . . . . . .  21
108	     7.1.  Chunked Transfer Coding . . . . . . . . . . . . . . . . .  22
109	       7.1.1.  Chunk Extensions  . . . . . . . . . . . . . . . . . .  23
110	       7.1.2.  Chunked Trailer Section . . . . . . . . . . . . . . .  23
111	       7.1.3.  Decoding Chunked  . . . . . . . . . . . . . . . . . .  24
112	     7.2.  Transfer Codings for Compression  . . . . . . . . . . . .  24
113	     7.3.  Transfer Coding Registry  . . . . . . . . . . . . . . . .  25
114	     7.4.  TE  . . . . . . . . . . . . . . . . . . . . . . . . . . .  25
115	   8.  Handling Incomplete Messages  . . . . . . . . . . . . . . . .  27
116	   9.  Connection Management . . . . . . . . . . . . . . . . . . . .  27
117	     9.1.  Connection  . . . . . . . . . . . . . . . . . . . . . . .  28
118	     9.2.  Establishment . . . . . . . . . . . . . . . . . . . . . .  29
119	     9.3.  Associating a Response to a Request . . . . . . . . . . .  29
120	     9.4.  Persistence . . . . . . . . . . . . . . . . . . . . . . .  30
121	       9.4.1.  Retrying Requests . . . . . . . . . . . . . . . . . .  31
122	       9.4.2.  Pipelining  . . . . . . . . . . . . . . . . . . . . .  31
123	     9.5.  Concurrency . . . . . . . . . . . . . . . . . . . . . . .  32
124	     9.6.  Failures and Timeouts . . . . . . . . . . . . . . . . . .  32
125	     9.7.  Tear-down . . . . . . . . . . . . . . . . . . . . . . . .  33
126	     9.8.  TLS Connection Closure  . . . . . . . . . . . . . . . . .  34
127	     9.9.  Upgrade . . . . . . . . . . . . . . . . . . . . . . . . .  35
128	       9.9.1.  Upgrade Protocol Names  . . . . . . . . . . . . . . .  37
129	       9.9.2.  Upgrade Token Registry  . . . . . . . . . . . . . . .  37
130	   10. Enclosing Messages as Data  . . . . . . . . . . . . . . . . .  38
131	     10.1.  Media Type message/http  . . . . . . . . . . . . . . . .  38
132	     10.2.  Media Type application/http  . . . . . . . . . . . . . .  39
133	   11. Security Considerations . . . . . . . . . . . . . . . . . . .  41
134	     11.1.  Response Splitting . . . . . . . . . . . . . . . . . . .  41
135	     11.2.  Request Smuggling  . . . . . . . . . . . . . . . . . . .  42
136	     11.3.  Message Integrity  . . . . . . . . . . . . . . . . . . .  42
137	     11.4.  Message Confidentiality  . . . . . . . . . . . . . . . .  42
138	   12. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  43
139	     12.1.  Field Name Registration  . . . . . . . . . . . . . . . .  43
140	     12.2.  Media Type Registration  . . . . . . . . . . . . . . . .  43
141	     12.3.  Transfer Coding Registration . . . . . . . . . . . . . .  43
142	     12.4.  Upgrade Token Registration . . . . . . . . . . . . . . .  43
143	     12.5.  ALPN Protocol ID Registration  . . . . . . . . . . . . .  43
144	   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .  44
145	     13.1.  Normative References . . . . . . . . . . . . . . . . . .  44
146	     13.2.  Informative References . . . . . . . . . . . . . . . . .  45
147	   Appendix A.  Collected ABNF . . . . . . . . . . . . . . . . . . .  47
148	   Appendix B.  Differences between HTTP and MIME  . . . . . . . . .  48
149	     B.1.  MIME-Version  . . . . . . . . . . . . . . . . . . . . . .  49
150	     B.2.  Conversion to Canonical Form  . . . . . . . . . . . . . .  49
151	     B.3.  Conversion of Date Formats  . . . . . . . . . . . . . . .  49
152	     B.4.  Conversion of Content-Encoding  . . . . . . . . . . . . .  50
153	     B.5.  Conversion of Content-Transfer-Encoding . . . . . . . . .  50
154	     B.6.  MHTML and Line Length Limitations . . . . . . . . . . . .  50
155	   Appendix C.  HTTP Version History . . . . . . . . . . . . . . . .  50
156	     C.1.  Changes from HTTP/1.0 . . . . . . . . . . . . . . . . . .  51
157	       C.1.1.  Multihomed Web Servers  . . . . . . . . . . . . . . .  51
158	       C.1.2.  Keep-Alive Connections  . . . . . . . . . . . . . . .  52
159	       C.1.3.  Introduction of Transfer-Encoding . . . . . . . . . .  52
160	     C.2.  Changes from RFC 7230 . . . . . . . . . . . . . . . . . .  52
161	   Appendix D.  Change Log . . . . . . . . . . . . . . . . . . . . .  53
162	     D.1.  Between RFC7230 and draft 00  . . . . . . . . . . . . . .  53
163	     D.2.  Since draft-ietf-httpbis-messaging-00 . . . . . . . . . .  53
164	     D.3.  Since draft-ietf-httpbis-messaging-01 . . . . . . . . . .  54
165	     D.4.  Since draft-ietf-httpbis-messaging-02 . . . . . . . . . .  55
166	     D.5.  Since draft-ietf-httpbis-messaging-03 . . . . . . . . . .  55
167	     D.6.  Since draft-ietf-httpbis-messaging-04 . . . . . . . . . .  55
168	     D.7.  Since draft-ietf-httpbis-messaging-05 . . . . . . . . . .  55
169	     D.8.  Since draft-ietf-httpbis-messaging-06 . . . . . . . . . .  56
170	   Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  56
171	   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  59
172	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  59

174	1.  Introduction

176	   The Hypertext Transfer Protocol (HTTP) is a stateless application-
177	   level request/response protocol that uses extensible semantics and
178	   self-descriptive messages for flexible interaction with network-based
179	   hypertext information systems.  HTTP is defined by a series of
180	   documents that collectively form the HTTP/1.1 specification:

182	   o  "HTTP Semantics" [Semantics]

184	   o  "HTTP Caching" [Caching]

186	   o  "HTTP/1.1 Messaging" (this document)

188	   This document defines HTTP/1.1 message syntax and framing
189	   requirements and their associated connection management.  Our goal is
190	   to define all of the mechanisms necessary for HTTP/1.1 message
191	   handling that are independent of message semantics, thereby defining
192	   the complete set of requirements for message parsers and message-
193	   forwarding intermediaries.

195	   This document obsoletes the portions of RFC 7230 related to HTTP/1.1
196	   messaging and connection management, with the changes being
197	   summarized in Appendix C.2.  The other parts of RFC 7230 are
198	   obsoleted by "HTTP Semantics" [Semantics].

200	1.1.  Requirements Notation

202	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
203	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
204	   "OPTIONAL" in this document are to be interpreted as described in BCP
205	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
206	   capitals, as shown here.

208	   Conformance criteria and considerations regarding error handling are
209	   defined in Section 3 of [Semantics].

211	1.2.  Syntax Notation

213	   This specification uses the Augmented Backus-Naur Form (ABNF)
214	   notation of [RFC5234], extended with the notation for case-
215	   sensitivity in strings defined in [RFC7405].

217	   It also uses a list extension, defined in Section 4.5 of [Semantics],
218	   that allows for compact definition of comma-separated lists using a
219	   '#' operator (similar to how the '*' operator indicates repetition).
220	   Appendix A shows the collected grammar with all list operators
221	   expanded to standard ABNF notation.

223	   As a convention, ABNF rule names prefixed with "obs-" denote
224	   "obsolete" grammar rules that appear for historical reasons.

226	   The following core rules are included by reference, as defined in
227	   [RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF
228	   (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote),
229	   HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF (line
230	   feed), OCTET (any 8-bit sequence of data), SP (space), and VCHAR (any
231	   visible [USASCII] character).

233	   The rules below are defined in [Semantics]:

235	     BWS           = <BWS, see [Semantics], Section 1.2.1>
236	     OWS           = <OWS, see [Semantics], Section 1.2.1>
237	     RWS           = <RWS, see [Semantics], Section 1.2.1>
238	     absolute-URI  = <absolute-URI, see [RFC3986], Section 4.3>
239	     absolute-path = <absolute-path, see [Semantics], Section 2.4>
240	     authority     = <authority, see [RFC3986], Section 3.2>
241	     comment       = <comment, see [Semantics], Section 4.4.1.3>
242	     field-name    = <field-name, see [Semantics], Section 4.3>
243	     field-value   = <field-value, see [Semantics], Section 4.4>
244	     obs-text      = <obs-text, see [Semantics], Section 4.4.1.2>
245	     port          = <port, see [RFC3986], Section 3.2.3>
246	     query         = <query, see [RFC3986], Section 3.4>
247	     quoted-string = <quoted-string, see [Semantics], Section 4.4.1.2>
248	     token         = <token, see [Semantics], Section 4.4.1.1>
249	     uri-host      = <host, see [RFC3986], Section 3.2.2>

251	2.  Message

253	2.1.  Message Format

255	   An HTTP/1.1 message consists of a start-line followed by a CRLF and a
256	   sequence of octets in a format similar to the Internet Message Format
257	   [RFC5322]: zero or more header field lines (collectively referred to
258	   as the "headers" or the "header section"), an empty line indicating
259	   the end of the header section, and an optional message body.

261	     HTTP-message   = start-line CRLF
262	                      *( field-line CRLF )
263	                      CRLF
264	                      [ message-body ]

266	   A message can be either a request from client to server or a response
267	   from server to client.  Syntactically, the two types of message
268	   differ only in the start-line, which is either a request-line (for
269	   requests) or a status-line (for responses), and in the algorithm for
270	   determining the length of the message body (Section 6).

272	     start-line     = request-line / status-line

274	   In theory, a client could receive requests and a server could receive
275	   responses, distinguishing them by their different start-line formats.
276	   In practice, servers are implemented to only expect a request (a
277	   response is interpreted as an unknown or invalid request method) and
278	   clients are implemented to only expect a response.

280	   Although HTTP makes use of some protocol elements similar to the
281	   Multipurpose Internet Mail Extensions (MIME) [RFC2045], see
282	   Appendix B for the differences between HTTP and MIME messages.

284	2.2.  Message Parsing

286	   The normal procedure for parsing an HTTP message is to read the
287	   start-line into a structure, read each header field line into a hash
288	   table by field name until the empty line, and then use the parsed
289	   data to determine if a message body is expected.  If a message body
290	   has been indicated, then it is read as a stream until an amount of
291	   octets equal to the message body length is read or the connection is
292	   closed.

294	   A recipient MUST parse an HTTP message as a sequence of octets in an
295	   encoding that is a superset of US-ASCII [USASCII].  Parsing an HTTP
296	   message as a stream of Unicode characters, without regard for the
297	   specific encoding, creates security vulnerabilities due to the
298	   varying ways that string processing libraries handle invalid
299	   multibyte character sequences that contain the octet LF (%x0A).
300	   String-based parsers can only be safely used within protocol elements
301	   after the element has been extracted from the message, such as within
302	   a header field line value after message parsing has delineated the
303	   individual field lines.

305	   Although the line terminator for the start-line and header fields is
306	   the sequence CRLF, a recipient MAY recognize a single LF as a line
307	   terminator and ignore any preceding CR.

309	   Older HTTP/1.0 user agent implementations might send an extra CRLF
310	   after a POST request as a workaround for some early server
311	   applications that failed to read message body content that was not
312	   terminated by a line-ending.  An HTTP/1.1 user agent MUST NOT preface
313	   or follow a request with an extra CRLF.  If terminating the request
314	   message body with a line-ending is desired, then the user agent MUST
315	   count the terminating CRLF octets as part of the message body length.

317	   In the interest of robustness, a server that is expecting to receive
318	   and parse a request-line SHOULD ignore at least one empty line (CRLF)
319	   received prior to the request-line.

321	   A sender MUST NOT send whitespace between the start-line and the
322	   first header field.  A recipient that receives whitespace between the
323	   start-line and the first header field MUST either reject the message
324	   as invalid or consume each whitespace-preceded line without further
325	   processing of it (i.e., ignore the entire line, along with any
326	   subsequent lines preceded by whitespace, until a properly formed
327	   header field is received or the header section is terminated).

329	   The presence of such whitespace in a request might be an attempt to
330	   trick a server into ignoring that field line or processing the line
331	   after it as a new request, either of which might result in a security
332	   vulnerability if other implementations within the request chain
333	   interpret the same message differently.  Likewise, the presence of
334	   such whitespace in a response might be ignored by some clients or
335	   cause others to cease parsing.

337	   When a server listening only for HTTP request messages, or processing
338	   what appears from the start-line to be an HTTP request message,
339	   receives a sequence of octets that does not match the HTTP-message
340	   grammar aside from the robustness exceptions listed above, the server
341	   SHOULD respond with a 400 (Bad Request) response.

343	2.3.  HTTP Version

345	   HTTP uses a "<major>.<minor>" numbering scheme to indicate versions
346	   of the protocol.  This specification defines version "1.1".
347	   Section 3.5 of [Semantics] specifies the semantics of HTTP version
348	   numbers.

350	   The version of an HTTP/1.x message is indicated by an HTTP-version
351	   field in the start-line.  HTTP-version is case-sensitive.

353	     HTTP-version  = HTTP-name "/" DIGIT "." DIGIT
354	     HTTP-name     = %s"HTTP"

356	   When an HTTP/1.1 message is sent to an HTTP/1.0 recipient [RFC1945]
357	   or a recipient whose version is unknown, the HTTP/1.1 message is
358	   constructed such that it can be interpreted as a valid HTTP/1.0
359	   message if all of the newer features are ignored.  This specification
360	   places recipient-version requirements on some new features so that a
361	   conformant sender will only use compatible features until it has
362	   determined, through configuration or the receipt of a message, that
363	   the recipient supports HTTP/1.1.

365	   Intermediaries that process HTTP messages (i.e., all intermediaries
366	   other than those acting as tunnels) MUST send their own HTTP-version
367	   in forwarded messages.  In other words, they are not allowed to
368	   blindly forward the start-line without ensuring that the protocol
369	   version in that message matches a version to which that intermediary
370	   is conformant for both the receiving and sending of messages.
371	   Forwarding an HTTP message without rewriting the HTTP-version might
372	   result in communication errors when downstream recipients use the
373	   message sender's version to determine what features are safe to use
374	   for later communication with that sender.

376	   A server MAY send an HTTP/1.0 response to an HTTP/1.1 request if it
377	   is known or suspected that the client incorrectly implements the HTTP
378	   specification and is incapable of correctly processing later version
379	   responses, such as when a client fails to parse the version number
380	   correctly or when an intermediary is known to blindly forward the
381	   HTTP-version even when it doesn't conform to the given minor version
382	   of the protocol.  Such protocol downgrades SHOULD NOT be performed
383	   unless triggered by specific client attributes, such as when one or
384	   more of the request header fields (e.g., User-Agent) uniquely match
385	   the values sent by a client known to be in error.

387	3.  Request Line

389	   A request-line begins with a method token, followed by a single space
390	   (SP), the request-target, another single space (SP), and ends with
391	   the protocol version.

393	     request-line   = method SP request-target SP HTTP-version

395	   Although the request-line grammar rule requires that each of the
396	   component elements be separated by a single SP octet, recipients MAY
397	   instead parse on whitespace-delimited word boundaries and, aside from
398	   the CRLF terminator, treat any form of whitespace as the SP separator
399	   while ignoring preceding or trailing whitespace; such whitespace
400	   includes one or more of the following octets: SP, HTAB, VT (%x0B), FF
401	   (%x0C), or bare CR.  However, lenient parsing can result in request
402	   smuggling security vulnerabilities if there are multiple recipients
403	   of the message and each has its own unique interpretation of
404	   robustness (see Section 11.2).

406	   HTTP does not place a predefined limit on the length of a request-
407	   line, as described in Section 3 of [Semantics].  A server that
408	   receives a method longer than any that it implements SHOULD respond
409	   with a 501 (Not Implemented) status code.  A server that receives a
410	   request-target longer than any URI it wishes to parse MUST respond
411	   with a 414 (URI Too Long) status code (see Section 9.5.15 of
412	   [Semantics]).

414	   Various ad hoc limitations on request-line length are found in
415	   practice.  It is RECOMMENDED that all HTTP senders and recipients
416	   support, at a minimum, request-line lengths of 8000 octets.

418	3.1.  Method

420	   The method token indicates the request method to be performed on the
421	   target resource.  The request method is case-sensitive.

423	     method         = token

425	   The request methods defined by this specification can be found in
426	   Section 7 of [Semantics], along with information regarding the HTTP
427	   method registry and considerations for defining new methods.

429	3.2.  Request Target

431	   The request-target identifies the target resource upon which to apply
432	   the request.  The client derives a request-target from its desired
433	   target URI.  There are four distinct formats for the request-target,
434	   depending on both the method being requested and whether the request
435	   is to a proxy.

437	     request-target = origin-form
438	                    / absolute-form
439	                    / authority-form
440	                    / asterisk-form

442	   No whitespace is allowed in the request-target.  Unfortunately, some
443	   user agents fail to properly encode or exclude whitespace found in
444	   hypertext references, resulting in those disallowed characters being
445	   sent as the request-target in a malformed request-line.

447	   Recipients of an invalid request-line SHOULD respond with either a
448	   400 (Bad Request) error or a 301 (Moved Permanently) redirect with
449	   the request-target properly encoded.  A recipient SHOULD NOT attempt
450	   to autocorrect and then process the request without a redirect, since
451	   the invalid request-line might be deliberately crafted to bypass
452	   security filters along the request chain.

454	3.2.1.  origin-form

456	   The most common form of request-target is the origin-form.

458	     origin-form    = absolute-path [ "?" query ]

460	   When making a request directly to an origin server, other than a
461	   CONNECT or server-wide OPTIONS request (as detailed below), a client
462	   MUST send only the absolute path and query components of the target
463	   URI as the request-target.  If the target URI's path component is
464	   empty, the client MUST send "/" as the path within the origin-form of
465	   request-target.  A Host header field is also sent, as defined in
466	   Section 5.6 of [Semantics].

468	   For example, a client wishing to retrieve a representation of the
469	   resource identified as

471	     http://www.example.org/where?q=now

473	   directly from the origin server would open (or reuse) a TCP
474	   connection to port 80 of the host "www.example.org" and send the
475	   lines:

477	     GET /where?q=now HTTP/1.1
478	     Host: www.example.org

480	   followed by the remainder of the request message.

482	3.2.2.  absolute-form

484	   When making a request to a proxy, other than a CONNECT or server-wide
485	   OPTIONS request (as detailed below), a client MUST send the target
486	   URI in absolute-form as the request-target.

488	     absolute-form  = absolute-URI

490	   The proxy is requested to either service that request from a valid
491	   cache, if possible, or make the same request on the client's behalf
492	   to either the next inbound proxy server or directly to the origin
493	   server indicated by the request-target.  Requirements on such
494	   "forwarding" of messages are defined in Section 5.7 of [Semantics].

496	   An example absolute-form of request-line would be:

498	     GET http://www.example.org/pub/WWW/TheProject.html HTTP/1.1

500	   To allow for transition to the absolute-form for all requests in some
501	   future version of HTTP, a server MUST accept the absolute-form in
502	   requests, even though HTTP/1.1 clients will only send them in
503	   requests to proxies.

505	3.2.3.  authority-form

507	   The authority-form of request-target is only used for CONNECT
508	   requests (Section 7.3.6 of [Semantics]).

510	     authority-form = authority

512	   When making a CONNECT request to establish a tunnel through one or
513	   more proxies, a client MUST send only the target URI's authority
514	   component (excluding any userinfo and its "@" delimiter) as the
515	   request-target.  For example,

517	     CONNECT www.example.com:80 HTTP/1.1

519	3.2.4.  asterisk-form

521	   The asterisk-form of request-target is only used for a server-wide
522	   OPTIONS request (Section 7.3.7 of [Semantics]).

524	     asterisk-form  = "*"

526	   When a client wishes to request OPTIONS for the server as a whole, as
527	   opposed to a specific named resource of that server, the client MUST
528	   send only "*" (%x2A) as the request-target.  For example,

530	     OPTIONS * HTTP/1.1

532	   If a proxy receives an OPTIONS request with an absolute-form of
533	   request-target in which the URI has an empty path and no query
534	   component, then the last proxy on the request chain MUST send a
535	   request-target of "*" when it forwards the request to the indicated
536	   origin server.

538	   For example, the request

540	     OPTIONS http://www.example.org:8001 HTTP/1.1

542	   would be forwarded by the final proxy as

544	     OPTIONS * HTTP/1.1
545	     Host: www.example.org:8001

547	   after connecting to port 8001 of host "www.example.org".

549	3.3.  Effective Request URI

551	   Since the request-target often contains only part of the user agent's
552	   target URI, a server reconstructs the intended target as an effective
553	   request URI to properly service the request (Section 5.5 of
554	   [Semantics]).

556	   If the request-target is in absolute-form, the effective request URI
557	   is the same as the request-target.  Otherwise, the effective request
558	   URI is constructed as follows:

560	      If the server's configuration (or outbound gateway) provides a
561	      fixed URI scheme, that scheme is used for the effective request
562	      URI.  Otherwise, if the request is received over a TLS-secured TCP
563	      connection, the effective request URI's scheme is "https"; if not,
564	      the scheme is "http".

566	      If the server's configuration (or outbound gateway) provides a
567	      fixed URI authority component, that authority is used for the
568	      effective request URI.  If not, then if the request-target is in
569	      authority-form, the effective request URI's authority component is
570	      the same as the request-target.  If not, then if a Host header
571	      field is supplied with a non-empty field-value, the authority
572	      component is the same as the Host field-value.  Otherwise, the
573	      authority component is assigned the default name configured for
574	      the server and, if the connection's incoming TCP port number
575	      differs from the default port for the effective request URI's
576	      scheme, then a colon (":") and the incoming port number (in
577	      decimal form) are appended to the authority component.

579	      If the request-target is in authority-form or asterisk-form, the
580	      effective request URI's combined path and query component is
581	      empty.  Otherwise, the combined path and query component is the
582	      same as the request-target.

584	      The components of the effective request URI, once determined as
585	      above, can be combined into absolute-URI form by concatenating the
586	      scheme, "://", authority, and combined path and query component.

588	   Example 1: the following message received over an insecure TCP
589	   connection

591	     GET /pub/WWW/TheProject.html HTTP/1.1
592	     Host: www.example.org:8080

594	   has an effective request URI of

596	     http://www.example.org:8080/pub/WWW/TheProject.html

598	   Example 2: the following message received over a TLS-secured TCP
599	   connection

601	     OPTIONS * HTTP/1.1
602	     Host: www.example.org

604	   has an effective request URI of

606	     https://www.example.org

608	   Recipients of an HTTP/1.0 request that lacks a Host header field
609	   might need to use heuristics (e.g., examination of the URI path for
610	   something unique to a particular host) in order to guess the
611	   effective request URI's authority component.

613	4.  Status Line

615	   The first line of a response message is the status-line, consisting
616	   of the protocol version, a space (SP), the status code, another
617	   space, and ending with an OPTIONAL textual phrase describing the
618	   status code.

620	     status-line = HTTP-version SP status-code SP [reason-phrase]

622	   Although the status-line grammar rule requires that each of the
623	   component elements be separated by a single SP octet, recipients MAY
624	   instead parse on whitespace-delimited word boundaries and, aside from
625	   the line terminator, treat any form of whitespace as the SP separator
626	   while ignoring preceding or trailing whitespace; such whitespace
627	   includes one or more of the following octets: SP, HTAB, VT (%x0B), FF
628	   (%x0C), or bare CR.  However, lenient parsing can result in response
629	   splitting security vulnerabilities if there are multiple recipients
630	   of the message and each has its own unique interpretation of
631	   robustness (see Section 11.1).

633	   The status-code element is a 3-digit integer code describing the
634	   result of the server's attempt to understand and satisfy the client's
635	   corresponding request.  The rest of the response message is to be
636	   interpreted in light of the semantics defined for that status code.
637	   See Section 9 of [Semantics] for information about the semantics of
638	   status codes, including the classes of status code (indicated by the
639	   first digit), the status codes defined by this specification,
640	   considerations for the definition of new status codes, and the IANA
641	   registry.

643	     status-code    = 3DIGIT

645	   The reason-phrase element exists for the sole purpose of providing a
646	   textual description associated with the numeric status code, mostly
647	   out of deference to earlier Internet application protocols that were
648	   more frequently used with interactive text clients.

650	     reason-phrase  = 1*( HTAB / SP / VCHAR / obs-text )

652	   A client SHOULD ignore the reason-phrase content because it is not a
653	   reliable channel for information (it might be translated for a given
654	   locale, overwritten by intermediaries, or discarded when the message
655	   is forwarded via other versions of HTTP).  A server MUST send the
656	   space that separates status-code from the reason-phrase even when the
657	   reason-phrase is absent (i.e., the status-line would end with the
658	   three octets SP CR LF).

660	5.  Field Syntax

662	   Each field line consists of a case-insensitive field name followed by
663	   a colon (":"), optional leading whitespace, the field line value, and
664	   optional trailing whitespace.

666	     field-line   = field-name ":" OWS field-value OWS

668	   Most HTTP field names and the rules for parsing within field values
669	   are defined in Section 4 of [Semantics].  This section covers the
670	   generic syntax for header field inclusion within, and extraction
671	   from, HTTP/1.1 messages.  In addition, the following header fields
672	   are defined by this document because they are specific to HTTP/1.1
673	   message processing:

675	   +-------------------+----------+---------------+
676	   | Field Name        | Status   | Reference     |
677	   +-------------------+----------+---------------+
678	   | Connection        | standard | Section 9.1   |
679	   | MIME-Version      | standard | Appendix B.1  |
680	   | TE                | standard | Section 7.4   |
681	   | Transfer-Encoding | standard | Section 6.1   |
682	   | Upgrade           | standard | Section 9.9   |
683	   +-------------------+----------+---------------+

685	                                  Table 1

687	   Furthermore, the field name "Close" is reserved, since using that
688	   name as an HTTP header field might conflict with the "close"
689	   connection option of the Connection header field (Section 9.1).

691	   +-------------------+----------+----------+------------+
692	   | Header Field Name | Protocol | Status   | Reference  |
693	   +-------------------+----------+----------+------------+
694	   | Close             | http     | reserved | Section 5  |
695	   +-------------------+----------+----------+------------+

697	5.1.  Field Line Parsing

699	   Messages are parsed using a generic algorithm, independent of the
700	   individual field names.  The contents within a given field line value
701	   are not parsed until a later stage of message interpretation (usually
702	   after the message's entire header section has been processed).

704	   No whitespace is allowed between the field name and colon.  In the
705	   past, differences in the handling of such whitespace have led to
706	   security vulnerabilities in request routing and response handling.  A
707	   server MUST reject any received request message that contains
708	   whitespace between a header field name and colon with a response
709	   status code of 400 (Bad Request).  A proxy MUST remove any such
710	   whitespace from a response message before forwarding the message
711	   downstream.

713	   A field line value might be preceded and/or followed by optional
714	   whitespace (OWS); a single SP preceding the field line value is
715	   preferred for consistent readability by humans.  The field line value
716	   does not include any leading or trailing whitespace: OWS occurring
717	   before the first non-whitespace octet of the field line value or
718	   after the last non-whitespace octet of the field line value ought to
719	   be excluded by parsers when extracting the field line value from a
720	   header field line.

722	5.2.  Obsolete Line Folding

724	   Historically, HTTP header field line values could be extended over
725	   multiple lines by preceding each extra line with at least one space
726	   or horizontal tab (obs-fold).  This specification deprecates such
727	   line folding except within the message/http media type
728	   (Section 10.1).

730	     obs-fold     = OWS CRLF RWS
731	                  ; obsolete line folding

733	   A sender MUST NOT generate a message that includes line folding
734	   (i.e., that has any field line value that contains a match to the
735	   obs-fold rule) unless the message is intended for packaging within
736	   the message/http media type.

738	   A server that receives an obs-fold in a request message that is not
739	   within a message/http container MUST either reject the message by
740	   sending a 400 (Bad Request), preferably with a representation
741	   explaining that obsolete line folding is unacceptable, or replace
742	   each received obs-fold with one or more SP octets prior to
743	   interpreting the field value or forwarding the message downstream.

745	   A proxy or gateway that receives an obs-fold in a response message
746	   that is not within a message/http container MUST either discard the
747	   message and replace it with a 502 (Bad Gateway) response, preferably
748	   with a representation explaining that unacceptable line folding was
749	   received, or replace each received obs-fold with one or more SP
750	   octets prior to interpreting the field value or forwarding the
751	   message downstream.

753	   A user agent that receives an obs-fold in a response message that is
754	   not within a message/http container MUST replace each received obs-
755	   fold with one or more SP octets prior to interpreting the field
756	   value.

758	6.  Message Body

760	   The message body (if any) of an HTTP message is used to carry the
761	   payload body (Section 6.3.3 of [Semantics]) of that request or
762	   response.  The message body is identical to the payload body unless a
763	   transfer coding has been applied, as described in Section 6.1.

765	     message-body = *OCTET

767	   The rules for determining when a message body is present in an
768	   HTTP/1.1 message differ for requests and responses.

770	   The presence of a message body in a request is signaled by a Content-
771	   Length or Transfer-Encoding header field.  Request message framing is
772	   independent of method semantics, even if the method does not define
773	   any use for a message body.

775	   The presence of a message body in a response depends on both the
776	   request method to which it is responding and the response status code
777	   (Section 4), and corresponds to when a payload body is allowed; see
778	   Section 6.3.3 of [Semantics].

780	6.1.  Transfer-Encoding

782	   The Transfer-Encoding header field lists the transfer coding names
783	   corresponding to the sequence of transfer codings that have been (or
784	   will be) applied to the payload body in order to form the message
785	   body.  Transfer codings are defined in Section 7.

787	     Transfer-Encoding = 1#transfer-coding

789	   Transfer-Encoding is analogous to the Content-Transfer-Encoding field
790	   of MIME, which was designed to enable safe transport of binary data
791	   over a 7-bit transport service ([RFC2045], Section 6).  However, safe
792	   transport has a different focus for an 8bit-clean transfer protocol.
793	   In HTTP's case, Transfer-Encoding is primarily intended to accurately
794	   delimit a dynamically generated payload and to distinguish payload
795	   encodings that are only applied for transport efficiency or security
796	   from those that are characteristics of the selected resource.

798	   A recipient MUST be able to parse the chunked transfer coding
799	   (Section 7.1) because it plays a crucial role in framing messages
800	   when the payload body size is not known in advance.  A sender MUST
801	   NOT apply chunked more than once to a message body (i.e., chunking an
802	   already chunked message is not allowed).  If any transfer coding
803	   other than chunked is applied to a request payload body, the sender
804	   MUST apply chunked as the final transfer coding to ensure that the
805	   message is properly framed.  If any transfer coding other than
806	   chunked is applied to a response payload body, the sender MUST either
807	   apply chunked as the final transfer coding or terminate the message
808	   by closing the connection.

810	   For example,

812	     Transfer-Encoding: gzip, chunked

814	   indicates that the payload body has been compressed using the gzip
815	   coding and then chunked using the chunked coding while forming the
816	   message body.

818	   Unlike Content-Encoding (Section 6.1.2 of [Semantics]), Transfer-
819	   Encoding is a property of the message, not of the representation, and
820	   any recipient along the request/response chain MAY decode the
821	   received transfer coding(s) or apply additional transfer coding(s) to
822	   the message body, assuming that corresponding changes are made to the
823	   Transfer-Encoding field value.  Additional information about the
824	   encoding parameters can be provided by other header fields not
825	   defined by this specification.

827	   Transfer-Encoding MAY be sent in a response to a HEAD request or in a
828	   304 (Not Modified) response (Section 9.4.5 of [Semantics]) to a GET
829	   request, neither of which includes a message body, to indicate that
830	   the origin server would have applied a transfer coding to the message
831	   body if the request had been an unconditional GET.  This indication
832	   is not required, however, because any recipient on the response chain
833	   (including the origin server) can remove transfer codings when they
834	   are not needed.

836	   A server MUST NOT send a Transfer-Encoding header field in any
837	   response with a status code of 1xx (Informational) or 204 (No
838	   Content).  A server MUST NOT send a Transfer-Encoding header field in
839	   any 2xx (Successful) response to a CONNECT request (Section 7.3.6 of
840	   [Semantics]).

842	   Transfer-Encoding was added in HTTP/1.1.  It is generally assumed
843	   that implementations advertising only HTTP/1.0 support will not
844	   understand how to process a transfer-encoded payload.  A client MUST
845	   NOT send a request containing Transfer-Encoding unless it knows the
846	   server will handle HTTP/1.1 (or later) requests; such knowledge might
847	   be in the form of specific user configuration or by remembering the
848	   version of a prior received response.  A server MUST NOT send a
849	   response containing Transfer-Encoding unless the corresponding
850	   request indicates HTTP/1.1 (or later).

852	   A server that receives a request message with a transfer coding it
853	   does not understand SHOULD respond with 501 (Not Implemented).

855	6.2.  Content-Length

857	   When a message does not have a Transfer-Encoding header field, a
858	   Content-Length header field can provide the anticipated size, as a
859	   decimal number of octets, for a potential payload body.  For messages
860	   that do include a payload body, the Content-Length field value
861	   provides the framing information necessary for determining where the
862	   body (and message) ends.  For messages that do not include a payload
863	   body, the Content-Length indicates the size of the selected
864	   representation (Section 6.2.4 of [Semantics]).

866	      Note: HTTP's use of Content-Length for message framing differs
867	      significantly from the same field's use in MIME, where it is an
868	      optional field used only within the "message/external-body" media-
869	      type.

871	6.3.  Message Body Length

873	   The length of a message body is determined by one of the following
874	   (in order of precedence):

876	   1.  Any response to a HEAD request and any response with a 1xx
877	       (Informational), 204 (No Content), or 304 (Not Modified) status
878	       code is always terminated by the first empty line after the
879	       header fields, regardless of the header fields present in the
880	       message, and thus cannot contain a message body.

882	   2.  Any 2xx (Successful) response to a CONNECT request implies that
883	       the connection will become a tunnel immediately after the empty
884	       line that concludes the header fields.  A client MUST ignore any
885	       Content-Length or Transfer-Encoding header fields received in
886	       such a message.

888	   3.  If a Transfer-Encoding header field is present and the chunked
889	       transfer coding (Section 7.1) is the final encoding, the message
890	       body length is determined by reading and decoding the chunked
891	       data until the transfer coding indicates the data is complete.

893	       If a Transfer-Encoding header field is present in a response and
894	       the chunked transfer coding is not the final encoding, the
895	       message body length is determined by reading the connection until
896	       it is closed by the server.  If a Transfer-Encoding header field
897	       is present in a request and the chunked transfer coding is not
898	       the final encoding, the message body length cannot be determined
899	       reliably; the server MUST respond with the 400 (Bad Request)
900	       status code and then close the connection.

902	       If a message is received with both a Transfer-Encoding and a
903	       Content-Length header field, the Transfer-Encoding overrides the
904	       Content-Length.  Such a message might indicate an attempt to
905	       perform request smuggling (Section 11.2) or response splitting
906	       (Section 11.1) and ought to be handled as an error.  A sender
907	       MUST remove the received Content-Length field prior to forwarding
908	       such a message downstream.

910	   4.  If a message is received without Transfer-Encoding and with
911	       either multiple Content-Length header fields having differing
912	       field values or a single Content-Length header field having an
913	       invalid value, then the message framing is invalid and the
914	       recipient MUST treat it as an unrecoverable error.  If this is a
915	       request message, the server MUST respond with a 400 (Bad Request)
916	       status code and then close the connection.  If this is a response
917	       message received by a proxy, the proxy MUST close the connection
918	       to the server, discard the received response, and send a 502 (Bad
919	       Gateway) response to the client.  If this is a response message
920	       received by a user agent, the user agent MUST close the
921	       connection to the server and discard the received response.

923	   5.  If a valid Content-Length header field is present without
924	       Transfer-Encoding, its decimal value defines the expected message
925	       body length in octets.  If the sender closes the connection or
926	       the recipient times out before the indicated number of octets are
927	       received, the recipient MUST consider the message to be
928	       incomplete and close the connection.

930	   6.  If this is a request message and none of the above are true, then
931	       the message body length is zero (no message body is present).

933	   7.  Otherwise, this is a response message without a declared message
934	       body length, so the message body length is determined by the
935	       number of octets received prior to the server closing the
936	       connection.

938	   Since there is no way to distinguish a successfully completed, close-
939	   delimited message from a partially received message interrupted by
940	   network failure, a server SHOULD generate encoding or length-
941	   delimited messages whenever possible.  The close-delimiting feature
942	   exists primarily for backwards compatibility with HTTP/1.0.

944	   A server MAY reject a request that contains a message body but not a
945	   Content-Length by responding with 411 (Length Required).

947	   Unless a transfer coding other than chunked has been applied, a
948	   client that sends a request containing a message body SHOULD use a
949	   valid Content-Length header field if the message body length is known
950	   in advance, rather than the chunked transfer coding, since some
951	   existing services respond to chunked with a 411 (Length Required)
952	   status code even though they understand the chunked transfer coding.
953	   This is typically because such services are implemented via a gateway
954	   that requires a content-length in advance of being called and the
955	   server is unable or unwilling to buffer the entire request before
956	   processing.

958	   A user agent that sends a request containing a message body MUST send
959	   a valid Content-Length header field if it does not know the server
960	   will handle HTTP/1.1 (or later) requests; such knowledge can be in
961	   the form of specific user configuration or by remembering the version
962	   of a prior received response.

964	   If the final response to the last request on a connection has been
965	   completely received and there remains additional data to read, a user
966	   agent MAY discard the remaining data or attempt to determine if that
967	   data belongs as part of the prior response body, which might be the
968	   case if the prior message's Content-Length value is incorrect.  A
969	   client MUST NOT process, cache, or forward such extra data as a
970	   separate response, since such behavior would be vulnerable to cache
971	   poisoning.

973	7.  Transfer Codings

975	   Transfer coding names are used to indicate an encoding transformation
976	   that has been, can be, or might need to be applied to a payload body
977	   in order to ensure "safe transport" through the network.  This
978	   differs from a content coding in that the transfer coding is a
979	   property of the message rather than a property of the representation
980	   that is being transferred.

982	     transfer-coding = token *( OWS ";" OWS transfer-parameter )

984	   Parameters are in the form of a name=value pair.

986	     transfer-parameter = token BWS "=" BWS ( token / quoted-string )

988	   All transfer-coding names are case-insensitive and ought to be
989	   registered within the HTTP Transfer Coding registry, as defined in
990	   Section 7.3.  They are used in the TE (Section 7.4) and Transfer-
991	   Encoding (Section 6.1) header fields.

993	   +------------+------------------------------------------+-----------+
994	   | Name       | Description                              | Reference |
995	   +------------+------------------------------------------+-----------+
996	   | chunked    | Transfer in a series of chunks           | Section 7 |
997	   |            |                                          | .1        |
998	   | compress   | UNIX "compress" data format [Welch]      | Section 7 |
999	   |            |                                          | .2        |
1000	   | deflate    | "deflate" compressed data ([RFC1951])    | Section 7 |
1001	   |            | inside the "zlib" data format            | .2        |
1002	   |            | ([RFC1950])                              |           |
1003	   | gzip       | GZIP file format [RFC1952]               | Section 7 |
1004	   |            |                                          | .2        |
1005	   | trailers   | (reserved)                               | Section 7 |
1006	   | x-compress | Deprecated (alias for compress)          | Section 7 |
1007	   |            |                                          | .2        |
1008	   | x-gzip     | Deprecated (alias for gzip)              | Section 7 |
1009	   |            |                                          | .2        |
1010	   +------------+------------------------------------------+-----------+

1012	                                  Table 2

1014	      Note: the coding name "trailers" is reserved because its use would
1015	      conflict with the keyword "trailers" in the TE header field
1016	      (Section 7.4).

1018	7.1.  Chunked Transfer Coding

1020	   The chunked transfer coding wraps the payload body in order to
1021	   transfer it as a series of chunks, each with its own size indicator,
1022	   followed by an OPTIONAL trailer section containing trailer fields.
1023	   Chunked enables content streams of unknown size to be transferred as
1024	   a sequence of length-delimited buffers, which enables the sender to
1025	   retain connection persistence and the recipient to know when it has
1026	   received the entire message.

1028	     chunked-body   = *chunk
1029	                      last-chunk
1030	                      trailer-section
1031	                      CRLF

1033	     chunk          = chunk-size [ chunk-ext ] CRLF
1034	                      chunk-data CRLF
1035	     chunk-size     = 1*HEXDIG
1036	     last-chunk     = 1*("0") [ chunk-ext ] CRLF

1038	     chunk-data     = 1*OCTET ; a sequence of chunk-size octets

1040	   The chunk-size field is a string of hex digits indicating the size of
1041	   the chunk-data in octets.  The chunked transfer coding is complete
1042	   when a chunk with a chunk-size of zero is received, possibly followed
1043	   by a trailer section, and finally terminated by an empty line.

1045	   A recipient MUST be able to parse and decode the chunked transfer
1046	   coding.

1048	   The chunked encoding does not define any parameters.  Their presence
1049	   SHOULD be treated as an error.

1051	7.1.1.  Chunk Extensions

1053	   The chunked encoding allows each chunk to include zero or more chunk
1054	   extensions, immediately following the chunk-size, for the sake of
1055	   supplying per-chunk metadata (such as a signature or hash), mid-
1056	   message control information, or randomization of message body size.

1058	     chunk-ext      = *( BWS ";" BWS chunk-ext-name
1059	                         [ BWS "=" BWS chunk-ext-val ] )

1061	     chunk-ext-name = token
1062	     chunk-ext-val  = token / quoted-string

1064	   The chunked encoding is specific to each connection and is likely to
1065	   be removed or recoded by each recipient (including intermediaries)
1066	   before any higher-level application would have a chance to inspect
1067	   the extensions.  Hence, use of chunk extensions is generally limited
1068	   to specialized HTTP services such as "long polling" (where client and
1069	   server can have shared expectations regarding the use of chunk
1070	   extensions) or for padding within an end-to-end secured connection.

1072	   A recipient MUST ignore unrecognized chunk extensions.  A server
1073	   ought to limit the total length of chunk extensions received in a
1074	   request to an amount reasonable for the services provided, in the
1075	   same way that it applies length limitations and timeouts for other
1076	   parts of a message, and generate an appropriate 4xx (Client Error)
1077	   response if that amount is exceeded.

1079	7.1.2.  Chunked Trailer Section

1081	   A trailer section allows the sender to include additional fields at
1082	   the end of a chunked message in order to supply metadata that might
1083	   be dynamically generated while the message body is sent, such as a
1084	   message integrity check, digital signature, or post-processing
1085	   status.  The proper use and limitations of trailer fields are defined
1086	   in Section 4.6 of [Semantics].

1088	     trailer-section   = *( field-line CRLF )

1090	   A recipient that decodes and removes the chunked encoding from a
1091	   message (e.g., for storage or forwarding to a non-HTTP/1.1 peer) MUST
1092	   discard any received trailer fields, store/forward them separately
1093	   from the header fields, or selectively merge into the header section
1094	   only those trailer fields corresponding to header field definitions
1095	   that are understood by the recipient to explicitly permit and define
1096	   how their corresponding trailer field value can be safely merged.

1098	7.1.3.  Decoding Chunked

1100	   A process for decoding the chunked transfer coding can be represented
1101	   in pseudo-code as:

1103	     length := 0
1104	     read chunk-size, chunk-ext (if any), and CRLF
1105	     while (chunk-size > 0) {
1106	        read chunk-data and CRLF
1107	        append chunk-data to decoded-body
1108	        length := length + chunk-size
1109	        read chunk-size, chunk-ext (if any), and CRLF
1110	     }
1111	     read trailer field
1112	     while (trailer field is not empty) {
1113	        if (trailer fields are stored/forwarded separately) {
1114	            append trailer field to existing trailer fields
1115	        }
1116	        else if (trailer field is understood and defined as mergeable) {
1117	            merge trailer field with existing header fields
1118	        }
1119	        else {
1120	            discard trailer field
1121	        }
1122	        read trailer field
1123	     }
1124	     Content-Length := length
1125	     Remove "chunked" from Transfer-Encoding
1126	     Remove Trailer from existing header fields

1128	7.2.  Transfer Codings for Compression

1130	   The following transfer coding names for compression are defined by
1131	   the same algorithm as their corresponding content coding:

1133	   compress (and x-compress)
1134	      See Section 6.1.2.1 of [Semantics].

1136	   deflate
1137	      See Section 6.1.2.2 of [Semantics].

1139	   gzip (and x-gzip)
1140	      See Section 6.1.2.3 of [Semantics].

1142	   The compression codings do not define any parameters.  Their presence
1143	   SHOULD be treated as an error.

1145	7.3.  Transfer Coding Registry

1147	   The "HTTP Transfer Coding Registry" defines the namespace for
1148	   transfer coding names.  It is maintained at
1149	   <https://www.iana.org/assignments/http-parameters>.

1151	   Registrations MUST include the following fields:

1153	   o  Name

1155	   o  Description

1157	   o  Pointer to specification text

1159	   Names of transfer codings MUST NOT overlap with names of content
1160	   codings (Section 6.1.2 of [Semantics]) unless the encoding
1161	   transformation is identical, as is the case for the compression
1162	   codings defined in Section 7.2.

1164	   The TE header field (Section 7.4) uses a pseudo parameter named "q"
1165	   as rank value when multiple transfer codings are acceptable.  Future
1166	   registrations of transfer codings SHOULD NOT define parameters called
1167	   "q" (case-insensitively) in order to avoid ambiguities.

1169	   Values to be added to this namespace require IETF Review (see
1170	   Section 4.8 of [RFC8126]), and MUST conform to the purpose of
1171	   transfer coding defined in this specification.

1173	   Use of program names for the identification of encoding formats is
1174	   not desirable and is discouraged for future encodings.

1176	7.4.  TE

1178	   The "TE" header field in a request indicates what transfer codings,
1179	   besides chunked, the client is willing to accept in response, and
1180	   whether or not the client is willing to accept trailer fields in a
1181	   chunked transfer coding.

1183	   The TE field-value consists of a list of transfer coding names, each
1184	   allowing for optional parameters (as described in Section 7), and/or
1185	   the keyword "trailers".  A client MUST NOT send the chunked transfer
1186	   coding name in TE; chunked is always acceptable for HTTP/1.1
1187	   recipients.

1189	     TE        = #t-codings
1190	     t-codings = "trailers" / ( transfer-coding [ t-ranking ] )
1191	     t-ranking = OWS ";" OWS "q=" rank
1192	     rank      = ( "0" [ "." 0*3DIGIT ] )
1193	                / ( "1" [ "." 0*3("0") ] )

1195	   Three examples of TE use are below.

1197	     TE: deflate
1198	     TE:
1199	     TE: trailers, deflate;q=0.5

1201	   The presence of the keyword "trailers" indicates that the client is
1202	   willing to accept trailer fields in a chunked transfer coding, as
1203	   defined in Section 7.1.2, on behalf of itself and any downstream
1204	   clients.  For requests from an intermediary, this implies that
1205	   either: (a) all downstream clients are willing to accept trailer
1206	   fields in the forwarded response; or, (b) the intermediary will
1207	   attempt to buffer the response on behalf of downstream recipients.
1208	   Note that HTTP/1.1 does not define any means to limit the size of a
1209	   chunked response such that an intermediary can be assured of
1210	   buffering the entire response.

1212	   When multiple transfer codings are acceptable, the client MAY rank
1213	   the codings by preference using a case-insensitive "q" parameter
1214	   (similar to the qvalues used in content negotiation fields,
1215	   Section 8.4.1 of [Semantics]).  The rank value is a real number in
1216	   the range 0 through 1, where 0.001 is the least preferred and 1 is
1217	   the most preferred; a value of 0 means "not acceptable".

1219	   If the TE field value is empty or if no TE field is present, the only
1220	   acceptable transfer coding is chunked.  A message with no transfer
1221	   coding is always acceptable.

1223	   Since the TE header field only applies to the immediate connection, a
1224	   sender of TE MUST also send a "TE" connection option within the
1225	   Connection header field (Section 9.1) in order to prevent the TE
1226	   field from being forwarded by intermediaries that do not support its
1227	   semantics.

1229	8.  Handling Incomplete Messages

1231	   A server that receives an incomplete request message, usually due to
1232	   a canceled request or a triggered timeout exception, MAY send an
1233	   error response prior to closing the connection.

1235	   A client that receives an incomplete response message, which can
1236	   occur when a connection is closed prematurely or when decoding a
1237	   supposedly chunked transfer coding fails, MUST record the message as
1238	   incomplete.  Cache requirements for incomplete responses are defined
1239	   in Section 3 of [Caching].

1241	   If a response terminates in the middle of the header section (before
1242	   the empty line is received) and the status code might rely on header
1243	   fields to convey the full meaning of the response, then the client
1244	   cannot assume that meaning has been conveyed; the client might need
1245	   to repeat the request in order to determine what action to take next.

1247	   A message body that uses the chunked transfer coding is incomplete if
1248	   the zero-sized chunk that terminates the encoding has not been
1249	   received.  A message that uses a valid Content-Length is incomplete
1250	   if the size of the message body received (in octets) is less than the
1251	   value given by Content-Length.  A response that has neither chunked
1252	   transfer coding nor Content-Length is terminated by closure of the
1253	   connection and, thus, is considered complete regardless of the number
1254	   of message body octets received, provided that the header section was
1255	   received intact.

1257	9.  Connection Management

1259	   HTTP messaging is independent of the underlying transport- or
1260	   session-layer connection protocol(s).  HTTP only presumes a reliable
1261	   transport with in-order delivery of requests and the corresponding
1262	   in-order delivery of responses.  The mapping of HTTP request and
1263	   response structures onto the data units of an underlying transport
1264	   protocol is outside the scope of this specification.

1266	   As described in Section 5.3 of [Semantics], the specific connection
1267	   protocols to be used for an HTTP interaction are determined by client
1268	   configuration and the target URI.  For example, the "http" URI scheme
1269	   (Section 2.5.1 of [Semantics]) indicates a default connection of TCP
1270	   over IP, with a default TCP port of 80, but the client might be
1271	   configured to use a proxy via some other connection, port, or
1272	   protocol.

1274	   HTTP implementations are expected to engage in connection management,
1275	   which includes maintaining the state of current connections,
1276	   establishing a new connection or reusing an existing connection,
1277	   processing messages received on a connection, detecting connection
1278	   failures, and closing each connection.  Most clients maintain
1279	   multiple connections in parallel, including more than one connection
1280	   per server endpoint.  Most servers are designed to maintain thousands
1281	   of concurrent connections, while controlling request queues to enable
1282	   fair use and detect denial-of-service attacks.

1284	9.1.  Connection

1286	   The "Connection" header field allows the sender to list desired
1287	   control options for the current connection.  In order to avoid
1288	   confusing downstream recipients, a proxy or gateway MUST remove or
1289	   replace any received connection options before forwarding the
1290	   message.

1292	   When a field aside from Connection is used to supply control
1293	   information for or about the current connection, the sender MUST list
1294	   the corresponding field name within the Connection header field.  A
1295	   proxy or gateway MUST parse a received Connection header field before
1296	   a message is forwarded and, for each connection-option in this field,
1297	   remove any header or trailer field(s) from the message with the same
1298	   name as the connection-option, and then remove the Connection header
1299	   field itself (or replace it with the intermediary's own connection
1300	   options for the forwarded message).

1302	   Hence, the Connection header field provides a declarative way of
1303	   distinguishing fields that are only intended for the immediate
1304	   recipient ("hop-by-hop") from those fields that are intended for all
1305	   recipients on the chain ("end-to-end"), enabling the message to be
1306	   self-descriptive and allowing future connection-specific extensions
1307	   to be deployed without fear that they will be blindly forwarded by
1308	   older intermediaries.

1310	   The Connection header field's value has the following grammar:

1312	     Connection        = 1#connection-option
1313	     connection-option = token

1315	   Connection options are case-insensitive.

1317	   A sender MUST NOT send a connection option corresponding to a field
1318	   that is intended for all recipients of the payload.  For example,
1319	   Cache-Control is never appropriate as a connection option
1320	   (Section 5.2 of [Caching]).

1322	   The connection options do not always correspond to a field present in
1323	   the message, since a connection-specific field might not be needed if
1324	   there are no parameters associated with a connection option.  In
1325	   contrast, a connection-specific field that is received without a
1326	   corresponding connection option usually indicates that the field has
1327	   been improperly forwarded by an intermediary and ought to be ignored
1328	   by the recipient.

1330	   When defining new connection options, specification authors ought to
1331	   document it as reserved field name and register that definition in
1332	   the Hypertext Transfer Protocol (HTTP) Field Name Registry
1333	   (Section 4.3.2 of [Semantics]), to avoid collisions.

1335	   The "close" connection option is defined for a sender to signal that
1336	   this connection will be closed after completion of the response.  For
1337	   example,

1339	     Connection: close

1341	   in either the request or the response header fields indicates that
1342	   the sender is going to close the connection after the current
1343	   request/response is complete (Section 9.7).

1345	   A client that does not support persistent connections MUST send the
1346	   "close" connection option in every request message.

1348	   A server that does not support persistent connections MUST send the
1349	   "close" connection option in every response message that does not
1350	   have a 1xx (Informational) status code.

1352	9.2.  Establishment

1354	   It is beyond the scope of this specification to describe how
1355	   connections are established via various transport- or session-layer
1356	   protocols.  Each connection applies to only one transport link.

1358	9.3.  Associating a Response to a Request

1360	   HTTP/1.1 does not include a request identifier for associating a
1361	   given request message with its corresponding one or more response
1362	   messages.  Hence, it relies on the order of response arrival to
1363	   correspond exactly to the order in which requests are made on the
1364	   same connection.  More than one response message per request only
1365	   occurs when one or more informational responses (1xx, see Section 9.2
1366	   of [Semantics]) precede a final response to the same request.

1368	   A client that has more than one outstanding request on a connection
1369	   MUST maintain a list of outstanding requests in the order sent and
1370	   MUST associate each received response message on that connection to
1371	   the highest ordered request that has not yet received a final (non-
1372	   1xx) response.

1374	   If an HTTP/1.1 client receives data on a connection that doesn't have
1375	   any outstanding requests, it MUST NOT consider them to be a response
1376	   to a not-yet-issued request; it SHOULD close the connection, since
1377	   message delimitation is now ambiguous, unless the data consists only
1378	   of one or more CRLF (which can be discarded, as per Section 2.2).

1380	9.4.  Persistence

1382	   HTTP/1.1 defaults to the use of "persistent connections", allowing
1383	   multiple requests and responses to be carried over a single
1384	   connection.  The "close" connection option is used to signal that a
1385	   connection will not persist after the current request/response.  HTTP
1386	   implementations SHOULD support persistent connections.

1388	   A recipient determines whether a connection is persistent or not
1389	   based on the most recently received message's protocol version and
1390	   Connection header field (if any):

1392	   o  If the "close" connection option is present, the connection will
1393	      not persist after the current response; else,

1395	   o  If the received protocol is HTTP/1.1 (or later), the connection
1396	      will persist after the current response; else,

1398	   o  If the received protocol is HTTP/1.0, the "keep-alive" connection
1399	      option is present, either the recipient is not a proxy or the
1400	      message is a response, and the recipient wishes to honor the
1401	      HTTP/1.0 "keep-alive" mechanism, the connection will persist after
1402	      the current response; otherwise,

1404	   o  The connection will close after the current response.

1406	   A client MAY send additional requests on a persistent connection
1407	   until it sends or receives a "close" connection option or receives an
1408	   HTTP/1.0 response without a "keep-alive" connection option.

1410	   In order to remain persistent, all messages on a connection need to
1411	   have a self-defined message length (i.e., one not defined by closure
1412	   of the connection), as described in Section 6.  A server MUST read
1413	   the entire request message body or close the connection after sending
1414	   its response, since otherwise the remaining data on a persistent
1415	   connection would be misinterpreted as the next request.  Likewise, a
1416	   client MUST read the entire response message body if it intends to
1417	   reuse the same connection for a subsequent request.

1419	   A proxy server MUST NOT maintain a persistent connection with an
1420	   HTTP/1.0 client (see Section 19.7.1 of [RFC2068] for information and
1421	   discussion of the problems with the Keep-Alive header field
1422	   implemented by many HTTP/1.0 clients).

1424	   See Appendix C.1.2 for more information on backwards compatibility
1425	   with HTTP/1.0 clients.

1427	9.4.1.  Retrying Requests

1429	   Connections can be closed at any time, with or without intention.
1430	   Implementations ought to anticipate the need to recover from
1431	   asynchronous close events.  The conditions under which a client can
1432	   automatically retry a sequence of outstanding requests are defined in
1433	   Section 7.2.2 of [Semantics].

1435	9.4.2.  Pipelining

1437	   A client that supports persistent connections MAY "pipeline" its
1438	   requests (i.e., send multiple requests without waiting for each
1439	   response).  A server MAY process a sequence of pipelined requests in
1440	   parallel if they all have safe methods (Section 7.2.1 of
1441	   [Semantics]), but it MUST send the corresponding responses in the
1442	   same order that the requests were received.

1444	   A client that pipelines requests SHOULD retry unanswered requests if
1445	   the connection closes before it receives all of the corresponding
1446	   responses.  When retrying pipelined requests after a failed
1447	   connection (a connection not explicitly closed by the server in its
1448	   last complete response), a client MUST NOT pipeline immediately after
1449	   connection establishment, since the first remaining request in the
1450	   prior pipeline might have caused an error response that can be lost
1451	   again if multiple requests are sent on a prematurely closed
1452	   connection (see the TCP reset problem described in Section 9.7).

1454	   Idempotent methods (Section 7.2.2 of [Semantics]) are significant to
1455	   pipelining because they can be automatically retried after a
1456	   connection failure.  A user agent SHOULD NOT pipeline requests after
1457	   a non-idempotent method, until the final response status code for
1458	   that method has been received, unless the user agent has a means to
1459	   detect and recover from partial failure conditions involving the
1460	   pipelined sequence.

1462	   An intermediary that receives pipelined requests MAY pipeline those
1463	   requests when forwarding them inbound, since it can rely on the
1464	   outbound user agent(s) to determine what requests can be safely
1465	   pipelined.  If the inbound connection fails before receiving a
1466	   response, the pipelining intermediary MAY attempt to retry a sequence
1467	   of requests that have yet to receive a response if the requests all
1468	   have idempotent methods; otherwise, the pipelining intermediary
1469	   SHOULD forward any received responses and then close the
1470	   corresponding outbound connection(s) so that the outbound user
1471	   agent(s) can recover accordingly.

1473	9.5.  Concurrency

1475	   A client ought to limit the number of simultaneous open connections
1476	   that it maintains to a given server.

1478	   Previous revisions of HTTP gave a specific number of connections as a
1479	   ceiling, but this was found to be impractical for many applications.
1480	   As a result, this specification does not mandate a particular maximum
1481	   number of connections but, instead, encourages clients to be
1482	   conservative when opening multiple connections.

1484	   Multiple connections are typically used to avoid the "head-of-line
1485	   blocking" problem, wherein a request that takes significant server-
1486	   side processing and/or has a large payload blocks subsequent requests
1487	   on the same connection.  However, each connection consumes server
1488	   resources.  Furthermore, using multiple connections can cause
1489	   undesirable side effects in congested networks.

1491	   Note that a server might reject traffic that it deems abusive or
1492	   characteristic of a denial-of-service attack, such as an excessive
1493	   number of open connections from a single client.

1495	9.6.  Failures and Timeouts

1497	   Servers will usually have some timeout value beyond which they will
1498	   no longer maintain an inactive connection.  Proxy servers might make
1499	   this a higher value since it is likely that the client will be making
1500	   more connections through the same proxy server.  The use of
1501	   persistent connections places no requirements on the length (or
1502	   existence) of this timeout for either the client or the server.

1504	   A client or server that wishes to time out SHOULD issue a graceful
1505	   close on the connection.  Implementations SHOULD constantly monitor
1506	   open connections for a received closure signal and respond to it as
1507	   appropriate, since prompt closure of both sides of a connection
1508	   enables allocated system resources to be reclaimed.

1510	   A client, server, or proxy MAY close the transport connection at any
1511	   time.  For example, a client might have started to send a new request
1512	   at the same time that the server has decided to close the "idle"
1513	   connection.  From the server's point of view, the connection is being
1514	   closed while it was idle, but from the client's point of view, a
1515	   request is in progress.

1517	   A server SHOULD sustain persistent connections, when possible, and
1518	   allow the underlying transport's flow-control mechanisms to resolve
1519	   temporary overloads, rather than terminate connections with the
1520	   expectation that clients will retry.  The latter technique can
1521	   exacerbate network congestion.

1523	   A client sending a message body SHOULD monitor the network connection
1524	   for an error response while it is transmitting the request.  If the
1525	   client sees a response that indicates the server does not wish to
1526	   receive the message body and is closing the connection, the client
1527	   SHOULD immediately cease transmitting the body and close its side of
1528	   the connection.

1530	9.7.  Tear-down

1532	   The Connection header field (Section 9.1) provides a "close"
1533	   connection option that a sender SHOULD send when it wishes to close
1534	   the connection after the current request/response pair.

1536	   A client that sends a "close" connection option MUST NOT send further
1537	   requests on that connection (after the one containing "close") and
1538	   MUST close the connection after reading the final response message
1539	   corresponding to this request.

1541	   A server that receives a "close" connection option MUST initiate a
1542	   close of the connection (see below) after it sends the final response
1543	   to the request that contained "close".  The server SHOULD send a
1544	   "close" connection option in its final response on that connection.
1545	   The server MUST NOT process any further requests received on that
1546	   connection.

1548	   A server that sends a "close" connection option MUST initiate a close
1549	   of the connection (see below) after it sends the response containing
1550	   "close".  The server MUST NOT process any further requests received
1551	   on that connection.

1553	   A client that receives a "close" connection option MUST cease sending
1554	   requests on that connection and close the connection after reading
1555	   the response message containing the "close"; if additional pipelined
1556	   requests had been sent on the connection, the client SHOULD NOT
1557	   assume that they will be processed by the server.

1559	   If a server performs an immediate close of a TCP connection, there is
1560	   a significant risk that the client will not be able to read the last
1561	   HTTP response.  If the server receives additional data from the
1562	   client on a fully closed connection, such as another request that was
1563	   sent by the client before receiving the server's response, the
1564	   server's TCP stack will send a reset packet to the client;
1565	   unfortunately, the reset packet might erase the client's
1566	   unacknowledged input buffers before they can be read and interpreted
1567	   by the client's HTTP parser.

1569	   To avoid the TCP reset problem, servers typically close a connection
1570	   in stages.  First, the server performs a half-close by closing only
1571	   the write side of the read/write connection.  The server then
1572	   continues to read from the connection until it receives a
1573	   corresponding close by the client, or until the server is reasonably
1574	   certain that its own TCP stack has received the client's
1575	   acknowledgement of the packet(s) containing the server's last
1576	   response.  Finally, the server fully closes the connection.

1578	   It is unknown whether the reset problem is exclusive to TCP or might
1579	   also be found in other transport connection protocols.

1581	9.8.  TLS Connection Closure

1583	   TLS provides a facility for secure connection closure.  When a valid
1584	   closure alert is received, an implementation can be assured that no
1585	   further data will be received on that connection.  TLS
1586	   implementations MUST initiate an exchange of closure alerts before
1587	   closing a connection.  A TLS implementation MAY, after sending a
1588	   closure alert, close the connection without waiting for the peer to
1589	   send its closure alert, generating an "incomplete close".  Note that
1590	   an implementation which does this MAY choose to reuse the session.
1591	   This SHOULD only be done when the application knows (typically
1592	   through detecting HTTP message boundaries) that it has received all
1593	   the message data that it cares about.

1595	   As specified in [RFC8446], any implementation which receives a
1596	   connection close without first receiving a valid closure alert (a
1597	   "premature close") MUST NOT reuse that session.  Note that a
1598	   premature close does not call into question the security of the data
1599	   already received, but simply indicates that subsequent data might
1600	   have been truncated.  Because TLS is oblivious to HTTP request/
1601	   response boundaries, it is necessary to examine the HTTP data itself
1602	   (specifically the Content-Length header) to determine whether the
1603	   truncation occurred inside a message or between messages.

1605	   When encountering a premature close, a client SHOULD treat as
1606	   completed all requests for which it has received as much data as
1607	   specified in the Content-Length header.

1609	   A client detecting an incomplete close SHOULD recover gracefully.  It
1610	   MAY resume a TLS session closed in this fashion.

1612	   Clients MUST send a closure alert before closing the connection.
1613	   Clients which are unprepared to receive any more data MAY choose not
1614	   to wait for the server's closure alert and simply close the
1615	   connection, thus generating an incomplete close on the server side.

1617	   Servers SHOULD be prepared to receive an incomplete close from the
1618	   client, since the client can often determine when the end of server
1619	   data is.  Servers SHOULD be willing to resume TLS sessions closed in
1620	   this fashion.

1622	   Servers MUST attempt to initiate an exchange of closure alerts with
1623	   the client before closing the connection.  Servers MAY close the
1624	   connection after sending the closure alert, thus generating an
1625	   incomplete close on the client side.

1627	9.9.  Upgrade

1629	   The "Upgrade" header field is intended to provide a simple mechanism
1630	   for transitioning from HTTP/1.1 to some other protocol on the same
1631	   connection.

1633	   A client MAY send a list of protocol names in the Upgrade header
1634	   field of a request to invite the server to switch to one or more of
1635	   the named protocols, in order of descending preference, before
1636	   sending the final response.  A server MAY ignore a received Upgrade
1637	   header field if it wishes to continue using the current protocol on
1638	   that connection.  Upgrade cannot be used to insist on a protocol
1639	   change.

1641	     Upgrade          = 1#protocol

1643	     protocol         = protocol-name ["/" protocol-version]
1644	     protocol-name    = token
1645	     protocol-version = token

1647	   Although protocol names are registered with a preferred case,
1648	   recipients SHOULD use case-insensitive comparison when matching each
1649	   protocol-name to supported protocols.

1651	   A server that sends a 101 (Switching Protocols) response MUST send an
1652	   Upgrade header field to indicate the new protocol(s) to which the
1653	   connection is being switched; if multiple protocol layers are being
1654	   switched, the sender MUST list the protocols in layer-ascending
1655	   order.  A server MUST NOT switch to a protocol that was not indicated
1656	   by the client in the corresponding request's Upgrade header field.  A
1657	   server MAY choose to ignore the order of preference indicated by the
1658	   client and select the new protocol(s) based on other factors, such as
1659	   the nature of the request or the current load on the server.

1661	   A server that sends a 426 (Upgrade Required) response MUST send an
1662	   Upgrade header field to indicate the acceptable protocols, in order
1663	   of descending preference.

1665	   A server MAY send an Upgrade header field in any other response to
1666	   advertise that it implements support for upgrading to the listed
1667	   protocols, in order of descending preference, when appropriate for a
1668	   future request.

1670	   The following is a hypothetical example sent by a client:

1672	     GET /hello HTTP/1.1
1673	     Host: www.example.com
1674	     Connection: upgrade
1675	     Upgrade: websocket, IRC/6.9, RTA/x11

1677	   The capabilities and nature of the application-level communication
1678	   after the protocol change is entirely dependent upon the new
1679	   protocol(s) chosen.  However, immediately after sending the 101
1680	   (Switching Protocols) response, the server is expected to continue
1681	   responding to the original request as if it had received its
1682	   equivalent within the new protocol (i.e., the server still has an
1683	   outstanding request to satisfy after the protocol has been changed,
1684	   and is expected to do so without requiring the request to be
1685	   repeated).

1687	   For example, if the Upgrade header field is received in a GET request
1688	   and the server decides to switch protocols, it first responds with a
1689	   101 (Switching Protocols) message in HTTP/1.1 and then immediately
1690	   follows that with the new protocol's equivalent of a response to a
1691	   GET on the target resource.  This allows a connection to be upgraded
1692	   to protocols with the same semantics as HTTP without the latency cost
1693	   of an additional round trip.  A server MUST NOT switch protocols
1694	   unless the received message semantics can be honored by the new
1695	   protocol; an OPTIONS request can be honored by any protocol.

1697	   The following is an example response to the above hypothetical
1698	   request:

1700	     HTTP/1.1 101 Switching Protocols
1701	     Connection: upgrade
1702	     Upgrade: websocket

1704	     [... data stream switches to websocket with an appropriate response
1705	     (as defined by new protocol) to the "GET /hello" request ...]

1707	   When Upgrade is sent, the sender MUST also send a Connection header
1708	   field (Section 9.1) that contains an "upgrade" connection option, in
1709	   order to prevent Upgrade from being accidentally forwarded by
1710	   intermediaries that might not implement the listed protocols.  A
1711	   server MUST ignore an Upgrade header field that is received in an
1712	   HTTP/1.0 request.

1714	   A client cannot begin using an upgraded protocol on the connection
1715	   until it has completely sent the request message (i.e., the client
1716	   can't change the protocol it is sending in the middle of a message).
1717	   If a server receives both an Upgrade and an Expect header field with
1718	   the "100-continue" expectation (Section 8.1.1 of [Semantics]), the
1719	   server MUST send a 100 (Continue) response before sending a 101
1720	   (Switching Protocols) response.

1722	   The Upgrade header field only applies to switching protocols on top
1723	   of the existing connection; it cannot be used to switch the
1724	   underlying connection (transport) protocol, nor to switch the
1725	   existing communication to a different connection.  For those
1726	   purposes, it is more appropriate to use a 3xx (Redirection) response
1727	   (Section 9.4 of [Semantics]).

1729	9.9.1.  Upgrade Protocol Names

1731	   This specification only defines the protocol name "HTTP" for use by
1732	   the family of Hypertext Transfer Protocols, as defined by the HTTP
1733	   version rules of Section 3.5 of [Semantics] and future updates to
1734	   this specification.  Additional protocol names ought to be registered
1735	   using the registration procedure defined in Section 9.9.2.

1737	   +------+-------------------+--------------------+-------------------+
1738	   | Name | Description       | Expected Version   | Reference         |
1739	   |      |                   | Tokens             |                   |
1740	   +------+-------------------+--------------------+-------------------+
1741	   | HTTP | Hypertext         | any DIGIT.DIGIT    | Section 3.5 of    |
1742	   |      | Transfer Protocol | (e.g, "2.0")       | [Semantics]       |
1743	   +------+-------------------+--------------------+-------------------+

1745	9.9.2.  Upgrade Token Registry

1747	   The "Hypertext Transfer Protocol (HTTP) Upgrade Token Registry"
1748	   defines the namespace for protocol-name tokens used to identify
1749	   protocols in the Upgrade header field.  The registry is maintained at
1750	   <https://www.iana.org/assignments/http-upgrade-tokens>.

1752	   Each registered protocol name is associated with contact information
1753	   and an optional set of specifications that details how the connection
1754	   will be processed after it has been upgraded.

1756	   Registrations happen on a "First Come First Served" basis (see
1757	   Section 4.4 of [RFC8126]) and are subject to the following rules:

1759	   1.  A protocol-name token, once registered, stays registered forever.

1761	   2.  A protocol-name token is case-insensitive and registered with the
1762	       preferred case to be generated by senders.

1764	   3.  The registration MUST name a responsible party for the
1765	       registration.

1767	   4.  The registration MUST name a point of contact.

1769	   5.  The registration MAY name a set of specifications associated with
1770	       that token.  Such specifications need not be publicly available.

1772	   6.  The registration SHOULD name a set of expected "protocol-version"
1773	       tokens associated with that token at the time of registration.

1775	   7.  The responsible party MAY change the registration at any time.
1776	       The IANA will keep a record of all such changes, and make them
1777	       available upon request.

1779	   8.  The IESG MAY reassign responsibility for a protocol token.  This
1780	       will normally only be used in the case when a responsible party
1781	       cannot be contacted.

1783	10.  Enclosing Messages as Data

1785	10.1.  Media Type message/http

1787	   The message/http media type can be used to enclose a single HTTP
1788	   request or response message, provided that it obeys the MIME
1789	   restrictions for all "message" types regarding line length and
1790	   encodings.

1792	   Type name:  message

1794	   Subtype name:  http

1796	   Required parameters:  N/A

1798	   Optional parameters:  version, msgtype
1799	      version:  The HTTP-version number of the enclosed message (e.g.,
1800	         "1.1").  If not present, the version can be determined from the
1801	         first line of the body.

1803	      msgtype:  The message type -- "request" or "response".  If not
1804	         present, the type can be determined from the first line of the
1805	         body.

1807	   Encoding considerations:  only "7bit", "8bit", or "binary" are
1808	      permitted

1810	   Security considerations:  see Section 11

1812	   Interoperability considerations:  N/A

1814	   Published specification:  This specification (see Section 10.1).

1816	   Applications that use this media type:  N/A

1818	   Fragment identifier considerations:  N/A

1820	   Additional information:

1822	      Magic number(s):  N/A

1824	      Deprecated alias names for this type:  N/A

1826	      File extension(s):  N/A

1828	      Macintosh file type code(s):  N/A

1830	   Person and email address to contact for further information:
1831	      See Authors' Addresses section.

1833	   Intended usage:  COMMON

1835	   Restrictions on usage:  N/A

1837	   Author:  See Authors' Addresses section.

1839	   Change controller:  IESG

1841	10.2.  Media Type application/http

1843	   The application/http media type can be used to enclose a pipeline of
1844	   one or more HTTP request or response messages (not intermixed).

1846	   Type name:  application
1847	   Subtype name:  http

1849	   Required parameters:  N/A

1851	   Optional parameters:  version, msgtype

1853	      version:  The HTTP-version number of the enclosed messages (e.g.,
1854	         "1.1").  If not present, the version can be determined from the
1855	         first line of the body.

1857	      msgtype:  The message type -- "request" or "response".  If not
1858	         present, the type can be determined from the first line of the
1859	         body.

1861	   Encoding considerations:  HTTP messages enclosed by this type are in
1862	      "binary" format; use of an appropriate Content-Transfer-Encoding
1863	      is required when transmitted via email.

1865	   Security considerations:  see Section 11

1867	   Interoperability considerations:  N/A

1869	   Published specification:  This specification (see Section 10.2).

1871	   Applications that use this media type:  N/A

1873	   Fragment identifier considerations:  N/A

1875	   Additional information:

1877	      Deprecated alias names for this type:  N/A

1879	      Magic number(s):  N/A

1881	      File extension(s):  N/A

1883	      Macintosh file type code(s):  N/A

1885	   Person and email address to contact for further information:
1886	      See Authors' Addresses section.

1888	   Intended usage:  COMMON

1890	   Restrictions on usage:  N/A

1892	   Author:  See Authors' Addresses section.

1894	   Change controller:  IESG

1896	11.  Security Considerations

1898	   This section is meant to inform developers, information providers,
1899	   and users of known security considerations relevant to HTTP message
1900	   syntax, parsing, and routing.  Security considerations about HTTP
1901	   semantics and payloads are addressed in [Semantics].

1903	11.1.  Response Splitting

1905	   Response splitting (a.k.a, CRLF injection) is a common technique,
1906	   used in various attacks on Web usage, that exploits the line-based
1907	   nature of HTTP message framing and the ordered association of
1908	   requests to responses on persistent connections [Klein].  This
1909	   technique can be particularly damaging when the requests pass through
1910	   a shared cache.

1912	   Response splitting exploits a vulnerability in servers (usually
1913	   within an application server) where an attacker can send encoded data
1914	   within some parameter of the request that is later decoded and echoed
1915	   within any of the response header fields of the response.  If the
1916	   decoded data is crafted to look like the response has ended and a
1917	   subsequent response has begun, the response has been split and the
1918	   content within the apparent second response is controlled by the
1919	   attacker.  The attacker can then make any other request on the same
1920	   persistent connection and trick the recipients (including
1921	   intermediaries) into believing that the second half of the split is
1922	   an authoritative answer to the second request.

1924	   For example, a parameter within the request-target might be read by
1925	   an application server and reused within a redirect, resulting in the
1926	   same parameter being echoed in the Location header field of the
1927	   response.  If the parameter is decoded by the application and not
1928	   properly encoded when placed in the response field, the attacker can
1929	   send encoded CRLF octets and other content that will make the
1930	   application's single response look like two or more responses.

1932	   A common defense against response splitting is to filter requests for
1933	   data that looks like encoded CR and LF (e.g., "%0D" and "%0A").
1934	   However, that assumes the application server is only performing URI
1935	   decoding, rather than more obscure data transformations like charset
1936	   transcoding, XML entity translation, base64 decoding, sprintf
1937	   reformatting, etc.  A more effective mitigation is to prevent
1938	   anything other than the server's core protocol libraries from sending
1939	   a CR or LF within the header section, which means restricting the
1940	   output of header fields to APIs that filter for bad octets and not
1941	   allowing application servers to write directly to the protocol
1942	   stream.

1944	11.2.  Request Smuggling

1946	   Request smuggling ([Linhart]) is a technique that exploits
1947	   differences in protocol parsing among various recipients to hide
1948	   additional requests (which might otherwise be blocked or disabled by
1949	   policy) within an apparently harmless request.  Like response
1950	   splitting, request smuggling can lead to a variety of attacks on HTTP
1951	   usage.

1953	   This specification has introduced new requirements on request
1954	   parsing, particularly with regard to message framing in Section 6.3,
1955	   to reduce the effectiveness of request smuggling.

1957	11.3.  Message Integrity

1959	   HTTP does not define a specific mechanism for ensuring message
1960	   integrity, instead relying on the error-detection ability of
1961	   underlying transport protocols and the use of length or chunk-
1962	   delimited framing to detect completeness.  Additional integrity
1963	   mechanisms, such as hash functions or digital signatures applied to
1964	   the content, can be selectively added to messages via extensible
1965	   metadata fields.  Historically, the lack of a single integrity
1966	   mechanism has been justified by the informal nature of most HTTP
1967	   communication.  However, the prevalence of HTTP as an information
1968	   access mechanism has resulted in its increasing use within
1969	   environments where verification of message integrity is crucial.

1971	   User agents are encouraged to implement configurable means for
1972	   detecting and reporting failures of message integrity such that those
1973	   means can be enabled within environments for which integrity is
1974	   necessary.  For example, a browser being used to view medical history
1975	   or drug interaction information needs to indicate to the user when
1976	   such information is detected by the protocol to be incomplete,
1977	   expired, or corrupted during transfer.  Such mechanisms might be
1978	   selectively enabled via user agent extensions or the presence of
1979	   message integrity metadata in a response.  At a minimum, user agents
1980	   ought to provide some indication that allows a user to distinguish
1981	   between a complete and incomplete response message (Section 8) when
1982	   such verification is desired.

1984	11.4.  Message Confidentiality

1986	   HTTP relies on underlying transport protocols to provide message
1987	   confidentiality when that is desired.  HTTP has been specifically
1988	   designed to be independent of the transport protocol, such that it
1989	   can be used over many different forms of encrypted connection, with
1990	   the selection of such transports being identified by the choice of
1991	   URI scheme or within user agent configuration.

1993	   The "https" scheme can be used to identify resources that require a
1994	   confidential connection, as described in Section 2.5.2 of
1995	   [Semantics].

1997	12.  IANA Considerations

1999	   The change controller for the following registrations is: "IETF
2000	   (iesg@ietf.org) - Internet Engineering Task Force".

2002	12.1.  Field Name Registration

2004	   Please update the "Hypertext Transfer Protocol (HTTP) Field Name
2005	   Registry" at <https://www.iana.org/assignments/http-fields> with the
2006	   field names listed in the two tables of Section 5.

2008	12.2.  Media Type Registration

2010	   Please update the "Media Types" registry at
2011	   <https://www.iana.org/assignments/media-types> with the registration
2012	   information in Section 10.1 and Section 10.2 for the media types
2013	   "message/http" and "application/http", respectively.

2015	12.3.  Transfer Coding Registration

2017	   Please update the "HTTP Transfer Coding Registry" at
2018	   <https://www.iana.org/assignments/http-parameters/> with the
2019	   registration procedure of Section 7.3 and the content coding names
2020	   summarized in the table of Section 7.

2022	12.4.  Upgrade Token Registration

2024	   Please update the "Hypertext Transfer Protocol (HTTP) Upgrade Token
2025	   Registry" at <https://www.iana.org/assignments/http-upgrade-tokens>
2026	   with the registration procedure of Section 9.9.2 and the upgrade
2027	   token names summarized in the table of Section 9.9.1.

2029	12.5.  ALPN Protocol ID Registration

2031	   Please update the "TLS Application-Layer Protocol Negotiation (ALPN)
2032	   Protocol IDs" registry at <https://www.iana.org/assignments/tls-
2033	   extensiontype-values/tls-extensiontype-values.xhtml> with the
2034	   registration below:

2036	   +----------+--------------------------------------+-----------------+
2037	   | Protocol | Identification Sequence              | Reference       |
2038	   +----------+--------------------------------------+-----------------+
2039	   | HTTP/1.1 | 0x68 0x74 0x74 0x70 0x2f 0x31 0x2e   | (this           |
2040	   |          | 0x31 ("http/1.1")                    | specification)  |
2041	   +----------+--------------------------------------+-----------------+

2043	13.  References

2045	13.1.  Normative References

2047	   [Caching]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
2048	              Ed., "HTTP Caching", draft-ietf-httpbis-cache-07 (work in
2049	              progress), March 2020.

2051	   [RFC1950]  Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data Format
2052	              Specification version 3.3", RFC 1950,
2053	              DOI 10.17487/RFC1950, May 1996,
2054	              <https://www.rfc-editor.org/info/rfc1950>.

2056	   [RFC1951]  Deutsch, P., "DEFLATE Compressed Data Format Specification
2057	              version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996,
2058	              <https://www.rfc-editor.org/info/rfc1951>.

2060	   [RFC1952]  Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and G.
2061	              Randers-Pehrson, "GZIP file format specification version
2062	              4.3", RFC 1952, DOI 10.17487/RFC1952, May 1996,
2063	              <https://www.rfc-editor.org/info/rfc1952>.

2065	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
2066	              Requirement Levels", BCP 14, RFC 2119,
2067	              DOI 10.17487/RFC2119, March 1997,
2068	              <https://www.rfc-editor.org/info/rfc2119>.

2070	   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
2071	              Resource Identifier (URI): Generic Syntax", STD 66,
2072	              RFC 3986, DOI 10.17487/RFC3986, January 2005,
2073	              <https://www.rfc-editor.org/info/rfc3986>.

2075	   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
2076	              Specifications: ABNF", STD 68, RFC 5234,
2077	              DOI 10.17487/RFC5234, January 2008,
2078	              <https://www.rfc-editor.org/info/rfc5234>.

2080	   [RFC7405]  Kyzivat, P., "Case-Sensitive String Support in ABNF",
2081	              RFC 7405, DOI 10.17487/RFC7405, December 2014,
2082	              <https://www.rfc-editor.org/info/rfc7405>.

2084	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2085	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
2086	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

2088	   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
2089	              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
2090	              <https://www.rfc-editor.org/info/rfc8446>.

2092	   [Semantics]
2093	              Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
2094	              Ed., "HTTP Semantics", draft-ietf-httpbis-semantics-07
2095	              (work in progress), March 2020.

2097	   [USASCII]  American National Standards Institute, "Coded Character
2098	              Set -- 7-bit American Standard Code for Information
2099	              Interchange", ANSI X3.4, 1986.

2101	   [Welch]    Welch, T., "A Technique for High-Performance Data
2102	              Compression", IEEE Computer 17(6), June 1984.

2104	13.2.  Informative References

2106	   [Err4667]  RFC Errata, Erratum ID 4667, RFC 7230,
2107	              <https://www.rfc-editor.org/errata/eid4667>.

2109	   [Klein]    Klein, A., "Divide and Conquer - HTTP Response Splitting,
2110	              Web Cache Poisoning Attacks, and Related Topics", March
2111	              2004, <http://packetstormsecurity.com/papers/general/
2112	              whitepaper_httpresponse.pdf>.

2114	   [Linhart]  Linhart, C., Klein, A., Heled, R., and S. Orrin, "HTTP
2115	              Request Smuggling", June 2005,
2116	              <http://www.watchfire.com/news/whitepapers.aspx>.

2118	   [RFC1945]  Berners-Lee, T., Fielding, R., and H. Nielsen, "Hypertext
2119	              Transfer Protocol -- HTTP/1.0", RFC 1945,
2120	              DOI 10.17487/RFC1945, May 1996,
2121	              <https://www.rfc-editor.org/info/rfc1945>.

2123	   [RFC2045]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
2124	              Extensions (MIME) Part One: Format of Internet Message
2125	              Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996,
2126	              <https://www.rfc-editor.org/info/rfc2045>.

2128	   [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
2129	              Extensions (MIME) Part Two: Media Types", RFC 2046,
2130	              DOI 10.17487/RFC2046, November 1996,
2131	              <https://www.rfc-editor.org/info/rfc2046>.

2133	   [RFC2049]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
2134	              Extensions (MIME) Part Five: Conformance Criteria and
2135	              Examples", RFC 2049, DOI 10.17487/RFC2049, November 1996,
2136	              <https://www.rfc-editor.org/info/rfc2049>.

2138	   [RFC2068]  Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T.
2139	              Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1",
2140	              RFC 2068, DOI 10.17487/RFC2068, January 1997,
2141	              <https://www.rfc-editor.org/info/rfc2068>.

2143	   [RFC2557]  Palme, F., Hopmann, A., Shelness, N., and E. Stefferud,
2144	              "MIME Encapsulation of Aggregate Documents, such as HTML
2145	              (MHTML)", RFC 2557, DOI 10.17487/RFC2557, March 1999,
2146	              <https://www.rfc-editor.org/info/rfc2557>.

2148	   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322,
2149	              DOI 10.17487/RFC5322, October 2008,
2150	              <https://www.rfc-editor.org/info/rfc5322>.

2152	   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
2153	              Protocol (HTTP/1.1): Message Syntax and Routing",
2154	              RFC 7230, DOI 10.17487/RFC7230, June 2014,
2155	              <https://www.rfc-editor.org/info/rfc7230>.

2157	   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
2158	              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
2159	              DOI 10.17487/RFC7231, June 2014,
2160	              <https://www.rfc-editor.org/info/rfc7231>.

2162	   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
2163	              Writing an IANA Considerations Section in RFCs", BCP 26,
2164	              RFC 8126, DOI 10.17487/RFC8126, June 2017,
2165	              <https://www.rfc-editor.org/info/rfc8126>.

2167	Appendix A.  Collected ABNF

2169	   In the collected ABNF below, list rules are expanded as per
2170	   Section 4.5 of [Semantics].

2172	   BWS = <BWS, see [Semantics], Section 1.2.1>

2174	   Connection = [ connection-option ] *( OWS "," OWS [ connection-option
2175	    ] )

2177	   HTTP-message = start-line CRLF *( field-line CRLF ) CRLF [
2178	    message-body ]
2179	   HTTP-name = %x48.54.54.50 ; HTTP
2180	   HTTP-version = HTTP-name "/" DIGIT "." DIGIT

2182	   OWS = <OWS, see [Semantics], Section 1.2.1>

2184	   RWS = <RWS, see [Semantics], Section 1.2.1>

2186	   TE = [ t-codings ] *( OWS "," OWS [ t-codings ] )
2187	   Transfer-Encoding = [ transfer-coding ] *( OWS "," OWS [
2188	    transfer-coding ] )

2190	   Upgrade = [ protocol ] *( OWS "," OWS [ protocol ] )

2192	   absolute-URI = <absolute-URI, see [RFC3986], Section 4.3>
2193	   absolute-form = absolute-URI
2194	   absolute-path = <absolute-path, see [Semantics], Section 2.4>
2195	   asterisk-form = "*"
2196	   authority = <authority, see [RFC3986], Section 3.2>
2197	   authority-form = authority

2199	   chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
2200	   chunk-data = 1*OCTET
2201	   chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val
2202	    ] )
2203	   chunk-ext-name = token
2204	   chunk-ext-val = token / quoted-string
2205	   chunk-size = 1*HEXDIG
2206	   chunked-body = *chunk last-chunk trailer-section CRLF
2207	   comment = <comment, see [Semantics], Section 4.4.1.3>
2208	   connection-option = token

2210	   field-line = field-name ":" OWS field-value OWS
2211	   field-name = <field-name, see [Semantics], Section 4.3>
2212	   field-value = <field-value, see [Semantics], Section 4.4>

2214	   last-chunk = 1*"0" [ chunk-ext ] CRLF
2215	   message-body = *OCTET
2216	   method = token

2218	   obs-fold = OWS CRLF RWS
2219	   obs-text = <obs-text, see [Semantics], Section 4.4.1.2>
2220	   origin-form = absolute-path [ "?" query ]

2222	   port = <port, see [RFC3986], Section 3.2.3>
2223	   protocol = protocol-name [ "/" protocol-version ]
2224	   protocol-name = token
2225	   protocol-version = token

2227	   query = <query, see [RFC3986], Section 3.4>
2228	   quoted-string = <quoted-string, see [Semantics], Section 4.4.1.2>

2230	   rank = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] )
2231	   reason-phrase = 1*( HTAB / SP / VCHAR / obs-text )
2232	   request-line = method SP request-target SP HTTP-version
2233	   request-target = origin-form / absolute-form / authority-form /
2234	    asterisk-form

2236	   start-line = request-line / status-line
2237	   status-code = 3DIGIT
2238	   status-line = HTTP-version SP status-code SP [ reason-phrase ]

2240	   t-codings = "trailers" / ( transfer-coding [ t-ranking ] )
2241	   t-ranking = OWS ";" OWS "q=" rank
2242	   token = <token, see [Semantics], Section 4.4.1.1>
2243	   trailer-section = *( field-line CRLF )
2244	   transfer-coding = token *( OWS ";" OWS transfer-parameter )
2245	   transfer-parameter = token BWS "=" BWS ( token / quoted-string )

2247	   uri-host = <host, see [RFC3986], Section 3.2.2>

2249	Appendix B.  Differences between HTTP and MIME

2251	   HTTP/1.1 uses many of the constructs defined for the Internet Message
2252	   Format [RFC5322] and the Multipurpose Internet Mail Extensions (MIME)
2253	   [RFC2045] to allow a message body to be transmitted in an open
2254	   variety of representations and with extensible fields.  However, RFC
2255	   2045 is focused only on email; applications of HTTP have many
2256	   characteristics that differ from email; hence, HTTP has features that
2257	   differ from MIME.  These differences were carefully chosen to
2258	   optimize performance over binary connections, to allow greater
2259	   freedom in the use of new media types, to make date comparisons
2260	   easier, and to acknowledge the practice of some early HTTP servers
2261	   and clients.

2263	   This appendix describes specific areas where HTTP differs from MIME.
2264	   Proxies and gateways to and from strict MIME environments need to be
2265	   aware of these differences and provide the appropriate conversions
2266	   where necessary.

2268	B.1.  MIME-Version

2270	   HTTP is not a MIME-compliant protocol.  However, messages can include
2271	   a single MIME-Version header field to indicate what version of the
2272	   MIME protocol was used to construct the message.  Use of the MIME-
2273	   Version header field indicates that the message is in full
2274	   conformance with the MIME protocol (as defined in [RFC2045]).
2275	   Senders are responsible for ensuring full conformance (where
2276	   possible) when exporting HTTP messages to strict MIME environments.

2278	B.2.  Conversion to Canonical Form

2280	   MIME requires that an Internet mail body part be converted to
2281	   canonical form prior to being transferred, as described in Section 4
2282	   of [RFC2049].  Section 6.1.1.2 of [Semantics] describes the forms
2283	   allowed for subtypes of the "text" media type when transmitted over
2284	   HTTP.  [RFC2046] requires that content with a type of "text"
2285	   represent line breaks as CRLF and forbids the use of CR or LF outside
2286	   of line break sequences.  HTTP allows CRLF, bare CR, and bare LF to
2287	   indicate a line break within text content.

2289	   A proxy or gateway from HTTP to a strict MIME environment ought to
2290	   translate all line breaks within text media types to the RFC 2049
2291	   canonical form of CRLF.  Note, however, this might be complicated by
2292	   the presence of a Content-Encoding and by the fact that HTTP allows
2293	   the use of some charsets that do not use octets 13 and 10 to
2294	   represent CR and LF, respectively.

2296	   Conversion will break any cryptographic checksums applied to the
2297	   original content unless the original content is already in canonical
2298	   form.  Therefore, the canonical form is recommended for any content
2299	   that uses such checksums in HTTP.

2301	B.3.  Conversion of Date Formats

2303	   HTTP/1.1 uses a restricted set of date formats (Section 10.1.1.1 of
2304	   [Semantics]) to simplify the process of date comparison.  Proxies and
2305	   gateways from other protocols ought to ensure that any Date header
2306	   field present in a message conforms to one of the HTTP/1.1 formats
2307	   and rewrite the date if necessary.

2309	B.4.  Conversion of Content-Encoding

2311	   MIME does not include any concept equivalent to HTTP/1.1's Content-
2312	   Encoding header field.  Since this acts as a modifier on the media
2313	   type, proxies and gateways from HTTP to MIME-compliant protocols
2314	   ought to either change the value of the Content-Type header field or
2315	   decode the representation before forwarding the message.  (Some
2316	   experimental applications of Content-Type for Internet mail have used
2317	   a media-type parameter of ";conversions=<content-coding>" to perform
2318	   a function equivalent to Content-Encoding.  However, this parameter
2319	   is not part of the MIME standards).

2321	B.5.  Conversion of Content-Transfer-Encoding

2323	   HTTP does not use the Content-Transfer-Encoding field of MIME.
2324	   Proxies and gateways from MIME-compliant protocols to HTTP need to
2325	   remove any Content-Transfer-Encoding prior to delivering the response
2326	   message to an HTTP client.

2328	   Proxies and gateways from HTTP to MIME-compliant protocols are
2329	   responsible for ensuring that the message is in the correct format
2330	   and encoding for safe transport on that protocol, where "safe
2331	   transport" is defined by the limitations of the protocol being used.
2332	   Such a proxy or gateway ought to transform and label the data with an
2333	   appropriate Content-Transfer-Encoding if doing so will improve the
2334	   likelihood of safe transport over the destination protocol.

2336	B.6.  MHTML and Line Length Limitations

2338	   HTTP implementations that share code with MHTML [RFC2557]
2339	   implementations need to be aware of MIME line length limitations.
2340	   Since HTTP does not have this limitation, HTTP does not fold long
2341	   lines.  MHTML messages being transported by HTTP follow all
2342	   conventions of MHTML, including line length limitations and folding,
2343	   canonicalization, etc., since HTTP transfers message-bodies as
2344	   payload and, aside from the "multipart/byteranges" type
2345	   (Section 6.3.5 of [Semantics]), does not interpret the content or any
2346	   MIME header lines that might be contained therein.

2348	Appendix C.  HTTP Version History

2350	   HTTP has been in use since 1990.  The first version, later referred
2351	   to as HTTP/0.9, was a simple protocol for hypertext data transfer
2352	   across the Internet, using only a single request method (GET) and no
2353	   metadata.  HTTP/1.0, as defined by [RFC1945], added a range of
2354	   request methods and MIME-like messaging, allowing for metadata to be
2355	   transferred and modifiers placed on the request/response semantics.
2356	   However, HTTP/1.0 did not sufficiently take into consideration the
2357	   effects of hierarchical proxies, caching, the need for persistent
2358	   connections, or name-based virtual hosts.  The proliferation of
2359	   incompletely implemented applications calling themselves "HTTP/1.0"
2360	   further necessitated a protocol version change in order for two
2361	   communicating applications to determine each other's true
2362	   capabilities.

2364	   HTTP/1.1 remains compatible with HTTP/1.0 by including more stringent
2365	   requirements that enable reliable implementations, adding only those
2366	   features that can either be safely ignored by an HTTP/1.0 recipient
2367	   or only be sent when communicating with a party advertising
2368	   conformance with HTTP/1.1.

2370	   HTTP/1.1 has been designed to make supporting previous versions easy.
2371	   A general-purpose HTTP/1.1 server ought to be able to understand any
2372	   valid request in the format of HTTP/1.0, responding appropriately
2373	   with an HTTP/1.1 message that only uses features understood (or
2374	   safely ignored) by HTTP/1.0 clients.  Likewise, an HTTP/1.1 client
2375	   can be expected to understand any valid HTTP/1.0 response.

2377	   Since HTTP/0.9 did not support header fields in a request, there is
2378	   no mechanism for it to support name-based virtual hosts (selection of
2379	   resource by inspection of the Host header field).  Any server that
2380	   implements name-based virtual hosts ought to disable support for
2381	   HTTP/0.9.  Most requests that appear to be HTTP/0.9 are, in fact,
2382	   badly constructed HTTP/1.x requests caused by a client failing to
2383	   properly encode the request-target.

2385	C.1.  Changes from HTTP/1.0

2387	   This section summarizes major differences between versions HTTP/1.0
2388	   and HTTP/1.1.

2390	C.1.1.  Multihomed Web Servers

2392	   The requirements that clients and servers support the Host header
2393	   field (Section 5.6 of [Semantics]), report an error if it is missing
2394	   from an HTTP/1.1 request, and accept absolute URIs (Section 3.2) are
2395	   among the most important changes defined by HTTP/1.1.

2397	   Older HTTP/1.0 clients assumed a one-to-one relationship of IP
2398	   addresses and servers; there was no other established mechanism for
2399	   distinguishing the intended server of a request than the IP address
2400	   to which that request was directed.  The Host header field was
2401	   introduced during the development of HTTP/1.1 and, though it was
2402	   quickly implemented by most HTTP/1.0 browsers, additional
2403	   requirements were placed on all HTTP/1.1 requests in order to ensure
2404	   complete adoption.  At the time of this writing, most HTTP-based
2405	   services are dependent upon the Host header field for targeting
2406	   requests.

2408	C.1.2.  Keep-Alive Connections

2410	   In HTTP/1.0, each connection is established by the client prior to
2411	   the request and closed by the server after sending the response.
2412	   However, some implementations implement the explicitly negotiated
2413	   ("Keep-Alive") version of persistent connections described in
2414	   Section 19.7.1 of [RFC2068].

2416	   Some clients and servers might wish to be compatible with these
2417	   previous approaches to persistent connections, by explicitly
2418	   negotiating for them with a "Connection: keep-alive" request header
2419	   field.  However, some experimental implementations of HTTP/1.0
2420	   persistent connections are faulty; for example, if an HTTP/1.0 proxy
2421	   server doesn't understand Connection, it will erroneously forward
2422	   that header field to the next inbound server, which would result in a
2423	   hung connection.

2425	   One attempted solution was the introduction of a Proxy-Connection
2426	   header field, targeted specifically at proxies.  In practice, this
2427	   was also unworkable, because proxies are often deployed in multiple
2428	   layers, bringing about the same problem discussed above.

2430	   As a result, clients are encouraged not to send the Proxy-Connection
2431	   header field in any requests.

2433	   Clients are also encouraged to consider the use of Connection: keep-
2434	   alive in requests carefully; while they can enable persistent
2435	   connections with HTTP/1.0 servers, clients using them will need to
2436	   monitor the connection for "hung" requests (which indicate that the
2437	   client ought stop sending the header field), and this mechanism ought
2438	   not be used by clients at all when a proxy is being used.

2440	C.1.3.  Introduction of Transfer-Encoding

2442	   HTTP/1.1 introduces the Transfer-Encoding header field (Section 6.1).
2443	   Transfer codings need to be decoded prior to forwarding an HTTP
2444	   message over a MIME-compliant protocol.

2446	C.2.  Changes from RFC 7230

2448	   Most of the sections introducing HTTP's design goals, history,
2449	   architecture, conformance criteria, protocol versioning, URIs,
2450	   message routing, and header fields have been moved to [Semantics].
2451	   This document has been reduced to just the messaging syntax and
2452	   connection management requirements specific to HTTP/1.1.

2454	   In the ABNF for chunked extensions, re-introduced (bad) whitespace
2455	   around ";" and "=".  Whitespace was removed in [RFC7230], but that
2456	   change was found to break existing implementations (see [Err4667]).
2457	   (Section 7.1.1)

2459	   Trailer field semantics now transcend the specifics of chunked
2460	   encoding.  The decoding algorithm for chunked (Section 7.1.3) has
2461	   been updated to encourage storage/forwarding of trailer fields
2462	   separately from the header section, to only allow merging into the
2463	   header section if the recipient knows the corresponding field
2464	   definition permits and defines how to merge, and otherwise to discard
2465	   the trailer fields instead of merging.  The trailer part is now
2466	   called the trailer section to be more consistent with the header
2467	   section and more distinct from a body part.  (Section 7.1.2)

2469	   Disallowed transfer coding parameters called "q" in order to avoid
2470	   conflicts with the use of ranks in the TE header field.
2471	   (Section 7.3)

2473	Appendix D.  Change Log

2475	   This section is to be removed before publishing as an RFC.

2477	D.1.  Between RFC7230 and draft 00

2479	   The changes were purely editorial:

2481	   o  Change boilerplate and abstract to indicate the "draft" status,
2482	      and update references to ancestor specifications.

2484	   o  Adjust historical notes.

2486	   o  Update links to sibling specifications.

2488	   o  Replace sections listing changes from RFC 2616 by new empty
2489	      sections referring to RFC 723x.

2491	   o  Remove acknowledgements specific to RFC 723x.

2493	   o  Move "Acknowledgements" to the very end and make them unnumbered.

2495	D.2.  Since draft-ietf-httpbis-messaging-00

2497	   The changes in this draft are editorial, with respect to HTTP as a
2498	   whole, to move all core HTTP semantics into [Semantics]:

2500	   o  Moved introduction, architecture, conformance, and ABNF extensions
2501	      from RFC 7230 (Messaging) to semantics [Semantics].

2503	   o  Moved discussion of MIME differences from RFC 7231 (Semantics) to
2504	      Appendix B since they mostly cover transforming 1.1 messages.

2506	   o  Moved all extensibility tips, registration procedures, and
2507	      registry tables from the IANA considerations to normative
2508	      sections, reducing the IANA considerations to just instructions
2509	      that will be removed prior to publication as an RFC.

2511	D.3.  Since draft-ietf-httpbis-messaging-01

2513	   o  Cite RFC 8126 instead of RFC 5226 (<https://github.com/httpwg/
2514	      http-core/issues/75>)

2516	   o  Resolved erratum 4779, no change needed here
2517	      (<https://github.com/httpwg/http-core/issues/87>,
2518	      <https://www.rfc-editor.org/errata/eid4779>)

2520	   o  In Section 7, fixed prose claiming transfer parameters allow bare
2521	      names (<https://github.com/httpwg/http-core/issues/88>,
2522	      <https://www.rfc-editor.org/errata/eid4839>)

2524	   o  Resolved erratum 4225, no change needed here
2525	      (<https://github.com/httpwg/http-core/issues/90>,
2526	      <https://www.rfc-editor.org/errata/eid4225>)

2528	   o  Replace "response code" with "response status code"
2529	      (<https://github.com/httpwg/http-core/issues/94>,
2530	      <https://www.rfc-editor.org/errata/eid4050>)

2532	   o  In Section 9.4, clarify statement about HTTP/1.0 keep-alive
2533	      (<https://github.com/httpwg/http-core/issues/96>,
2534	      <https://www.rfc-editor.org/errata/eid4205>)

2536	   o  In Section 7.1.1, re-introduce (bad) whitespace around ";" and "="
2537	      (<https://github.com/httpwg/http-core/issues/101>,
2538	      <https://www.rfc-editor.org/errata/eid4667>, <https://www.rfc-
2539	      editor.org/errata/eid4825>)

2541	   o  In Section 7.3, state that transfer codings should not use
2542	      parameters named "q" (<https://github.com/httpwg/http-core/
2543	      issues/15>, <https://www.rfc-editor.org/errata/eid4683>)

2545	   o  In Section 7, mark coding name "trailers" as reserved in the IANA
2546	      registry (<https://github.com/httpwg/http-core/issues/108>)

2548	D.4.  Since draft-ietf-httpbis-messaging-02

2550	   o  In Section 4, explain why the reason phrase should be ignored by
2551	      clients (<https://github.com/httpwg/http-core/issues/60>).

2553	   o  Add Section 9.3 to explain how request/response correlation is
2554	      performed (<https://github.com/httpwg/http-core/issues/145>)

2556	D.5.  Since draft-ietf-httpbis-messaging-03

2558	   o  In Section 9.3, caution against treating data on a connection as
2559	      part of a not-yet-issued request (<https://github.com/httpwg/http-
2560	      core/issues/26>)

2562	   o  In Section 7, remove the predefined codings from the ABNF and make
2563	      it generic instead (<https://github.com/httpwg/http-core/
2564	      issues/66>)

2566	   o  Use RFC 7405 ABNF notation for case-sensitive string constants
2567	      (<https://github.com/httpwg/http-core/issues/133>)

2569	D.6.  Since draft-ietf-httpbis-messaging-04

2571	   o  In Section 9.9, clarify that protocol-name is to be matched case-
2572	      insensitively (<https://github.com/httpwg/http-core/issues/8>)

2574	   o  In Section 5.2, add leading optional whitespace to obs-fold ABNF
2575	      (<https://github.com/httpwg/http-core/issues/19>,
2576	      <https://www.rfc-editor.org/errata/eid4189>)

2578	   o  In Section 4, add clarifications about empty reason phrases
2579	      (<https://github.com/httpwg/http-core/issues/197>)

2581	   o  Move discussion of retries from Section 9.4.1 into [Semantics]
2582	      (<https://github.com/httpwg/http-core/issues/230>)

2584	D.7.  Since draft-ietf-httpbis-messaging-05

2586	   o  In Section 7.1.2, the trailer part has been renamed the trailer
2587	      section (for consistency with the header section) and trailers are
2588	      no longer merged as header fields by default, but rather can be
2589	      discarded, kept separate from header fields, or merged with header
2590	      fields only if understood and defined as being mergeable
2591	      (<https://github.com/httpwg/http-core/issues/16>)

2593	   o  In Section 2.1 and related Sections, move the trailing CRLF from
2594	      the line grammars into the message format
2595	      (<https://github.com/httpwg/http-core/issues/62>)

2597	   o  Moved Section 2.3 down (<https://github.com/httpwg/http-core/
2598	      issues/68>)

2600	   o  In Section 9.9, use 'websocket' instead of 'HTTP/2.0' in examples
2601	      (<https://github.com/httpwg/http-core/issues/112>)

2603	   o  Move version non-specific text from Section 6 into semantics as
2604	      "payload body" (<https://github.com/httpwg/http-core/issues/159>)

2606	   o  In Section 9.8, add text from RFC 2818
2607	      (<https://github.com/httpwg/http-core/issues/236>)

2609	D.8.  Since draft-ietf-httpbis-messaging-06

2611	   o  In Section 12.5, update the APLN protocol id for HTTP/1.1
2612	      (<https://github.com/httpwg/http-core/issues/49>)

2614	   o  In Section 5, align with updates to field terminology in semantics
2615	      (<https://github.com/httpwg/http-core/issues/111>)

2617	   o  In Section 9.1, clarify that new connection options indeed need to
2618	      be registered (<https://github.com/httpwg/http-core/issues/285>)

2620	   o  In Section 1.1, reference RFC 8174 as well
2621	      (<https://github.com/httpwg/http-core/issues/303>)

2623	Index

2625	   A
2626	      absolute-form (of request-target)  11
2627	      application/http Media Type  39
2628	      asterisk-form (of request-target)  11
2629	      authority-form (of request-target)  11

2631	   C
2632	      Connection header field  28, 33
2633	      Content-Length header field  18
2634	      Content-Transfer-Encoding header field  50
2635	      chunked (Coding Format)  17, 19
2636	      chunked (transfer coding)  22
2637	      close  28, 33
2638	      compress (transfer coding)  24

2640	   D
2641	      deflate (transfer coding)  24

2643	   E
2644	      effective request URI  12

2646	   F
2647	      Fields
2648	         Connection  28
2649	         MIME-Version  49
2650	         TE  25
2651	         Transfer-Encoding  17
2652	         Upgrade  35

2654	   G
2655	      Grammar
2656	         absolute-form  10-11
2657	         ALPHA  5
2658	         asterisk-form  10-11
2659	         authority-form  10-11
2660	         chunk  22
2661	         chunk-data  22
2662	         chunk-ext  22-23
2663	         chunk-ext-name  23
2664	         chunk-ext-val  23
2665	         chunk-size  22
2666	         chunked-body  22
2667	         Connection  28
2668	         connection-option  28
2669	         CR  5
2670	         CRLF  5
2671	         CTL  5
2672	         DIGIT  5
2673	         DQUOTE  5
2674	         field-line  14, 24
2675	         field-name  14
2676	         field-value  14
2677	         HEXDIG  5
2678	         HTAB  5
2679	         HTTP-message  6
2680	         HTTP-name  8
2681	         HTTP-version  8
2682	         last-chunk  22
2683	         LF  5
2684	         message-body  16
2685	         method  9
2686	         obs-fold  16
2687	         OCTET  5
2688	         origin-form  10
2689	         rank  26
2690	         reason-phrase  14
2691	         request-line  9
2692	         request-target  10
2693	         SP  5
2694	         start-line  6
2695	         status-code  14
2696	         status-line  13
2697	         t-codings  26
2698	         t-ranking  26
2699	         TE  26
2700	         trailer-section  22, 24
2701	         transfer-coding  21
2702	         Transfer-Encoding  17
2703	         transfer-parameter  21
2704	         Upgrade  35
2705	         VCHAR  5
2706	      gzip (transfer coding)  24

2708	   H
2709	      Header Fields
2710	         Connection  28
2711	         MIME-Version  49
2712	         TE  25
2713	         Transfer-Encoding  17
2714	         Upgrade  35
2715	      header line  6
2716	      header section  6
2717	      headers  6

2719	   M
2720	      MIME-Version header field  49
2721	      Media Type
2722	         application/http  39
2723	         message/http  38
2724	      message/http Media Type  38
2725	      method  9

2727	   O
2728	      origin-form (of request-target)  10

2730	   R
2731	      request-target  10

2733	   T
2734	      TE header field  25
2735	      Transfer-Encoding header field  17

2737	   U
2738	      Upgrade header field  35

2740	   X
2741	      x-compress (transfer coding)  24
2742	      x-gzip (transfer coding)  24

2744	Acknowledgments

2746	   See Appendix "Acknowledgments" of [Semantics].

2748	Authors' Addresses

2750	   Roy T. Fielding (editor)
2751	   Adobe
2752	   345 Park Ave
2753	   San Jose, CA  95110
2754	   United States of America

2756	   EMail: fielding@gbiv.com
2757	   URI:   https://roy.gbiv.com/

2759	   Mark Nottingham (editor)
2760	   Fastly

2762	   EMail: mnot@mnot.net
2763	   URI:   https://www.mnot.net/

2765	   Julian F. Reschke (editor)
2766	   greenbytes GmbH
2767	   Hafenweg 16
2768	   Muenster  48155
2769	   Germany

2771	   EMail: julian.reschke@greenbytes.de
2772	   URI:   https://greenbytes.de/tech/webdav/