idnits 2.17.1 draft-ietf-httpbis-p2-semantics-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 30. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 2125. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2136. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2143. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2149. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 24, 2008) is 5906 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-26) exists of draft-ietf-httpbis-p1-messaging-02 == Outdated reference: A later version (-20) exists of draft-ietf-httpbis-p3-payload-02 == Outdated reference: A later version (-26) exists of draft-ietf-httpbis-p4-conditional-02 == Outdated reference: A later version (-26) exists of draft-ietf-httpbis-p5-range-02 == Outdated reference: A later version (-26) exists of draft-ietf-httpbis-p6-cache-02 == Outdated reference: A later version (-26) exists of draft-ietf-httpbis-p7-auth-02 -- Obsolete informational reference (is this intentional?): RFC 2068 (Obsoleted by RFC 2616) -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 2822 (Obsoleted by RFC 5322) Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Fielding, Ed. 3 Internet-Draft Day Software 4 Obsoletes: 2616 (if approved) J. Gettys 5 Intended status: Standards Track One Laptop per Child 6 Expires: August 27, 2008 J. Mogul 7 HP 8 H. Frystyk 9 Microsoft 10 L. Masinter 11 Adobe Systems 12 P. Leach 13 Microsoft 14 T. Berners-Lee 15 W3C/MIT 16 Y. Lafon, Ed. 17 W3C 18 J. Reschke, Ed. 19 greenbytes 20 February 24, 2008 22 HTTP/1.1, part 2: Message Semantics 23 draft-ietf-httpbis-p2-semantics-02 25 Status of this Memo 27 By submitting this Internet-Draft, each author represents that any 28 applicable patent or other IPR claims of which he or she is aware 29 have been or will be disclosed, and any of which he or she becomes 30 aware will be disclosed, in accordance with Section 6 of BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF), its areas, and its working groups. Note that 34 other groups may also distribute working documents as Internet- 35 Drafts. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 The list of current Internet-Drafts can be accessed at 43 http://www.ietf.org/ietf/1id-abstracts.txt. 45 The list of Internet-Draft Shadow Directories can be accessed at 46 http://www.ietf.org/shadow.html. 48 This Internet-Draft will expire on August 27, 2008. 50 Copyright Notice 52 Copyright (C) The IETF Trust (2008). 54 Abstract 56 The Hypertext Transfer Protocol (HTTP) is an application-level 57 protocol for distributed, collaborative, hypermedia information 58 systems. HTTP has been in use by the World Wide Web global 59 information initiative since 1990. This document is Part 2 of the 60 seven-part specification that defines the protocol referred to as 61 "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 2 defines 62 the semantics of HTTP messages as expressed by request methods, 63 request-header fields, response status codes, and response-header 64 fields. 66 Editorial Note (To be removed by RFC Editor) 68 Discussion of this draft should take place on the HTTPBIS working 69 group mailing list (ietf-http-wg@w3.org). The current issues list is 70 at and related 71 documents (including fancy diffs) can be found at 72 . 74 This draft incorporates those issue resolutions that were either 75 collected in the original RFC2616 errata list 76 (), or which were agreed upon on the 77 mailing list between October 2006 and November 2007 (as published in 78 "draft-lafon-rfc2616bis-03"). 80 Table of Contents 82 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 6 83 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 6 84 2. Notational Conventions and Generic Grammar . . . . . . . . . . 6 85 3. Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 86 4. Request Header Fields . . . . . . . . . . . . . . . . . . . . 8 87 5. Status Code and Reason Phrase . . . . . . . . . . . . . . . . 9 88 6. Response Header Fields . . . . . . . . . . . . . . . . . . . . 11 89 7. Entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 90 8. Method Definitions . . . . . . . . . . . . . . . . . . . . . . 12 91 8.1. Safe and Idempotent Methods . . . . . . . . . . . . . . . 12 92 8.1.1. Safe Methods . . . . . . . . . . . . . . . . . . . . . 12 93 8.1.2. Idempotent Methods . . . . . . . . . . . . . . . . . . 12 94 8.2. OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . 13 95 8.3. GET . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 96 8.4. HEAD . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 97 8.5. POST . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 98 8.6. PUT . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 99 8.7. DELETE . . . . . . . . . . . . . . . . . . . . . . . . . . 17 100 8.8. TRACE . . . . . . . . . . . . . . . . . . . . . . . . . . 17 101 8.9. CONNECT . . . . . . . . . . . . . . . . . . . . . . . . . 18 102 9. Status Code Definitions . . . . . . . . . . . . . . . . . . . 18 103 9.1. Informational 1xx . . . . . . . . . . . . . . . . . . . . 18 104 9.1.1. 100 Continue . . . . . . . . . . . . . . . . . . . . . 18 105 9.1.2. 101 Switching Protocols . . . . . . . . . . . . . . . 19 106 9.2. Successful 2xx . . . . . . . . . . . . . . . . . . . . . . 19 107 9.2.1. 200 OK . . . . . . . . . . . . . . . . . . . . . . . . 19 108 9.2.2. 201 Created . . . . . . . . . . . . . . . . . . . . . 19 109 9.2.3. 202 Accepted . . . . . . . . . . . . . . . . . . . . . 20 110 9.2.4. 203 Non-Authoritative Information . . . . . . . . . . 20 111 9.2.5. 204 No Content . . . . . . . . . . . . . . . . . . . . 20 112 9.2.6. 205 Reset Content . . . . . . . . . . . . . . . . . . 21 113 9.2.7. 206 Partial Content . . . . . . . . . . . . . . . . . 21 114 9.3. Redirection 3xx . . . . . . . . . . . . . . . . . . . . . 21 115 9.3.1. 300 Multiple Choices . . . . . . . . . . . . . . . . . 21 116 9.3.2. 301 Moved Permanently . . . . . . . . . . . . . . . . 22 117 9.3.3. 302 Found . . . . . . . . . . . . . . . . . . . . . . 22 118 9.3.4. 303 See Other . . . . . . . . . . . . . . . . . . . . 23 119 9.3.5. 304 Not Modified . . . . . . . . . . . . . . . . . . . 23 120 9.3.6. 305 Use Proxy . . . . . . . . . . . . . . . . . . . . 23 121 9.3.7. 306 (Unused) . . . . . . . . . . . . . . . . . . . . . 24 122 9.3.8. 307 Temporary Redirect . . . . . . . . . . . . . . . . 24 123 9.4. Client Error 4xx . . . . . . . . . . . . . . . . . . . . . 24 124 9.4.1. 400 Bad Request . . . . . . . . . . . . . . . . . . . 25 125 9.4.2. 401 Unauthorized . . . . . . . . . . . . . . . . . . . 25 126 9.4.3. 402 Payment Required . . . . . . . . . . . . . . . . . 25 127 9.4.4. 403 Forbidden . . . . . . . . . . . . . . . . . . . . 25 128 9.4.5. 404 Not Found . . . . . . . . . . . . . . . . . . . . 25 129 9.4.6. 405 Method Not Allowed . . . . . . . . . . . . . . . . 25 130 9.4.7. 406 Not Acceptable . . . . . . . . . . . . . . . . . . 25 131 9.4.8. 407 Proxy Authentication Required . . . . . . . . . . 26 132 9.4.9. 408 Request Timeout . . . . . . . . . . . . . . . . . 26 133 9.4.10. 409 Conflict . . . . . . . . . . . . . . . . . . . . . 26 134 9.4.11. 410 Gone . . . . . . . . . . . . . . . . . . . . . . . 27 135 9.4.12. 411 Length Required . . . . . . . . . . . . . . . . . 27 136 9.4.13. 412 Precondition Failed . . . . . . . . . . . . . . . 27 137 9.4.14. 413 Request Entity Too Large . . . . . . . . . . . . . 27 138 9.4.15. 414 Request-URI Too Long . . . . . . . . . . . . . . . 28 139 9.4.16. 415 Unsupported Media Type . . . . . . . . . . . . . . 28 140 9.4.17. 416 Requested Range Not Satisfiable . . . . . . . . . 28 141 9.4.18. 417 Expectation Failed . . . . . . . . . . . . . . . . 28 142 9.5. Server Error 5xx . . . . . . . . . . . . . . . . . . . . . 28 143 9.5.1. 500 Internal Server Error . . . . . . . . . . . . . . 28 144 9.5.2. 501 Not Implemented . . . . . . . . . . . . . . . . . 29 145 9.5.3. 502 Bad Gateway . . . . . . . . . . . . . . . . . . . 29 146 9.5.4. 503 Service Unavailable . . . . . . . . . . . . . . . 29 147 9.5.5. 504 Gateway Timeout . . . . . . . . . . . . . . . . . 29 148 9.5.6. 505 HTTP Version Not Supported . . . . . . . . . . . . 29 149 10. Header Field Definitions . . . . . . . . . . . . . . . . . . . 30 150 10.1. Allow . . . . . . . . . . . . . . . . . . . . . . . . . . 30 151 10.2. Expect . . . . . . . . . . . . . . . . . . . . . . . . . . 30 152 10.3. From . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 153 10.4. Location . . . . . . . . . . . . . . . . . . . . . . . . . 32 154 10.5. Max-Forwards . . . . . . . . . . . . . . . . . . . . . . . 33 155 10.6. Referer . . . . . . . . . . . . . . . . . . . . . . . . . 33 156 10.7. Retry-After . . . . . . . . . . . . . . . . . . . . . . . 34 157 10.8. Server . . . . . . . . . . . . . . . . . . . . . . . . . . 34 158 10.9. User-Agent . . . . . . . . . . . . . . . . . . . . . . . . 35 159 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 160 12. Security Considerations . . . . . . . . . . . . . . . . . . . 35 161 12.1. Transfer of Sensitive Information . . . . . . . . . . . . 35 162 12.2. Encoding Sensitive Information in URIs . . . . . . . . . . 36 163 12.3. Location Headers and Spoofing . . . . . . . . . . . . . . 37 164 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 165 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 37 166 14.1. Normative References . . . . . . . . . . . . . . . . . . . 37 167 14.2. Informative References . . . . . . . . . . . . . . . . . . 38 168 Appendix A. Compatibility with Previous Versions . . . . . . . . 38 169 A.1. Changes from RFC 2068 . . . . . . . . . . . . . . . . . . 38 170 A.2. Changes from RFC 2616 . . . . . . . . . . . . . . . . . . 39 171 Appendix B. Change Log (to be removed by RFC Editor before 172 publication) . . . . . . . . . . . . . . . . . . . . 40 173 B.1. Since RFC2616 . . . . . . . . . . . . . . . . . . . . . . 40 174 B.2. Since draft-ietf-httpbis-p2-semantics-00 . . . . . . . . . 40 175 B.3. Since draft-ietf-httpbis-p2-semantics-01 . . . . . . . . . 41 177 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 178 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45 179 Intellectual Property and Copyright Statements . . . . . . . . . . 48 181 1. Introduction 183 This document defines HTTP/1.1 request and response semantics. Each 184 HTTP message, as defined in [Part1], is in the form of either a 185 request or a response. An HTTP server listens on a connection for 186 HTTP requests and responds to each request, in the order received on 187 that connection, with one or more HTTP response messages. This 188 document defines the commonly agreed upon semantics of the HTTP 189 uniform interface, the intentions defined by each request method, and 190 the various response messages that might be expected as a result of 191 applying that method for the requested resource. 193 This document is currently disorganized in order to minimize the 194 changes between drafts and enable reviewers to see the smaller errata 195 changes. The next draft will reorganize the sections to better 196 reflect the content. In particular, the sections will be ordered 197 according to the typical processing of an HTTP request message (after 198 message parsing): resource mapping, general header fields, methods, 199 request modifiers, response status, and resource metadata. The 200 current mess reflects how widely dispersed these topics and 201 associated requirements had become in [RFC2616]. 203 1.1. Requirements 205 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 206 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 207 document are to be interpreted as described in [RFC2119]. 209 An implementation is not compliant if it fails to satisfy one or more 210 of the MUST or REQUIRED level requirements for the protocols it 211 implements. An implementation that satisfies all the MUST or 212 REQUIRED level and all the SHOULD level requirements for its 213 protocols is said to be "unconditionally compliant"; one that 214 satisfies all the MUST level requirements but not all the SHOULD 215 level requirements for its protocols is said to be "conditionally 216 compliant." 218 2. Notational Conventions and Generic Grammar 220 This specification uses the ABNF syntax defined in Section 2.1 of 221 [Part1] and the core rules defined in Section 2.2 of [Part1]: 222 [[abnf.dep: ABNF syntax and basic rules will be adopted from RFC 223 5234, see .]] 225 DIGIT = 226 comment = 227 quoted-string = 228 token = 230 The ABNF rules below are defined in other parts: 232 absoluteURI = 233 fragment = 234 Host = 235 HTTP-date = 236 product = 237 relativeURI = 238 TE = 240 Accept = 241 Accept-Charset = 242 243 Accept-Encoding = 244 245 Accept-Language = 246 248 ETag = 249 If-Match = 250 If-Modified-Since = 251 252 If-None-Match = 253 If-Unmodified-Since = 254 256 Accept-Ranges = 257 If-Range = 258 Range = 260 Age = 261 Vary = 263 Authorization = 264 Proxy-Authenticate = 265 266 Proxy-Authorization = 267 268 WWW-Authenticate = 269 271 3. Method 273 The Method token indicates the method to be performed on the resource 274 identified by the Request-URI. The method is case-sensitive. 276 Method = "OPTIONS" ; Section 8.2 277 | "GET" ; Section 8.3 278 | "HEAD" ; Section 8.4 279 | "POST" ; Section 8.5 280 | "PUT" ; Section 8.6 281 | "DELETE" ; Section 8.7 282 | "TRACE" ; Section 8.8 283 | "CONNECT" ; Section 8.9 284 | extension-method 285 extension-method = token 287 The list of methods allowed by a resource can be specified in an 288 Allow header field (Section 10.1). The return code of the response 289 always notifies the client whether a method is currently allowed on a 290 resource, since the set of allowed methods can change dynamically. 291 An origin server SHOULD return the status code 405 (Method Not 292 Allowed) if the method is known by the origin server but not allowed 293 for the requested resource, and 501 (Not Implemented) if the method 294 is unrecognized or not implemented by the origin server. The methods 295 GET and HEAD MUST be supported by all general-purpose servers. All 296 other methods are OPTIONAL; however, if the above methods are 297 implemented, they MUST be implemented with the same semantics as 298 those specified in Section 8. 300 4. Request Header Fields 302 The request-header fields allow the client to pass additional 303 information about the request, and about the client itself, to the 304 server. These fields act as request modifiers, with semantics 305 equivalent to the parameters on a programming language method 306 invocation. 308 request-header = Accept ; [Part3], Section 6.1 309 | Accept-Charset ; [Part3], Section 6.2 310 | Accept-Encoding ; [Part3], Section 6.3 311 | Accept-Language ; [Part3], Section 6.4 312 | Authorization ; [Part7], Section 4.1 313 | Expect ; Section 10.2 314 | From ; Section 10.3 315 | Host ; [Part1], Section 8.4 316 | If-Match ; [Part4], Section 7.2 317 | If-Modified-Since ; [Part4], Section 7.3 318 | If-None-Match ; [Part4], Section 7.4 319 | If-Range ; [Part5], Section 6.3 320 | If-Unmodified-Since ; [Part4], Section 7.5 321 | Max-Forwards ; Section 10.5 322 | Proxy-Authorization ; [Part7], Section 4.3 323 | Range ; [Part5], Section 6.4 324 | Referer ; Section 10.6 325 | TE ; [Part1], Section 8.8 326 | User-Agent ; Section 10.9 328 Request-header field names can be extended reliably only in 329 combination with a change in the protocol version. However, new or 330 experimental header fields MAY be given the semantics of request- 331 header fields if all parties in the communication recognize them to 332 be request-header fields. Unrecognized header fields are treated as 333 entity-header fields. 335 5. Status Code and Reason Phrase 337 The Status-Code element is a 3-digit integer result code of the 338 attempt to understand and satisfy the request. The status codes 339 listed below are defined in Section 9. The Reason-Phrase is intended 340 to give a short textual description of the Status-Code. The Status- 341 Code is intended for use by automata and the Reason-Phrase is 342 intended for the human user. The client is not required to examine 343 or display the Reason-Phrase. 345 The individual values of the numeric status codes defined for 346 HTTP/1.1, and an example set of corresponding Reason-Phrase's, are 347 presented below. The reason phrases listed here are only 348 recommendations -- they MAY be replaced by local equivalents without 349 affecting the protocol. 351 Status-Code = 352 "100" ; Section 9.1.1: Continue 353 | "101" ; Section 9.1.2: Switching Protocols 354 | "200" ; Section 9.2.1: OK 355 | "201" ; Section 9.2.2: Created 356 | "202" ; Section 9.2.3: Accepted 357 | "203" ; Section 9.2.4: Non-Authoritative Information 358 | "204" ; Section 9.2.5: No Content 359 | "205" ; Section 9.2.6: Reset Content 360 | "206" ; Section 9.2.7: Partial Content 361 | "300" ; Section 9.3.1: Multiple Choices 362 | "301" ; Section 9.3.2: Moved Permanently 363 | "302" ; Section 9.3.3: Found 364 | "303" ; Section 9.3.4: See Other 365 | "304" ; Section 9.3.5: Not Modified 366 | "305" ; Section 9.3.6: Use Proxy 367 | "307" ; Section 9.3.8: Temporary Redirect 368 | "400" ; Section 9.4.1: Bad Request 369 | "401" ; Section 9.4.2: Unauthorized 370 | "402" ; Section 9.4.3: Payment Required 371 | "403" ; Section 9.4.4: Forbidden 372 | "404" ; Section 9.4.5: Not Found 373 | "405" ; Section 9.4.6: Method Not Allowed 374 | "406" ; Section 9.4.7: Not Acceptable 375 | "407" ; Section 9.4.8: Proxy Authentication Required 376 | "408" ; Section 9.4.9: Request Time-out 377 | "409" ; Section 9.4.10: Conflict 378 | "410" ; Section 9.4.11: Gone 379 | "411" ; Section 9.4.12: Length Required 380 | "412" ; Section 9.4.13: Precondition Failed 381 | "413" ; Section 9.4.14: Request Entity Too Large 382 | "414" ; Section 9.4.15: Request-URI Too Large 383 | "415" ; Section 9.4.16: Unsupported Media Type 384 | "416" ; Section 9.4.17: Requested range not satisfiable 385 | "417" ; Section 9.4.18: Expectation Failed 386 | "500" ; Section 9.5.1: Internal Server Error 387 | "501" ; Section 9.5.2: Not Implemented 388 | "502" ; Section 9.5.3: Bad Gateway 389 | "503" ; Section 9.5.4: Service Unavailable 390 | "504" ; Section 9.5.5: Gateway Time-out 391 | "505" ; Section 9.5.6: HTTP Version not supported 392 | extension-code 394 extension-code = 3DIGIT 395 Reason-Phrase = * 397 HTTP status codes are extensible. HTTP applications are not required 398 to understand the meaning of all registered status codes, though such 399 understanding is obviously desirable. However, applications MUST 400 understand the class of any status code, as indicated by the first 401 digit, and treat any unrecognized response as being equivalent to the 402 x00 status code of that class, with the exception that an 403 unrecognized response MUST NOT be cached. For example, if an 404 unrecognized status code of 431 is received by the client, it can 405 safely assume that there was something wrong with its request and 406 treat the response as if it had received a 400 status code. In such 407 cases, user agents SHOULD present to the user the entity returned 408 with the response, since that entity is likely to include human- 409 readable information which will explain the unusual status. 411 6. Response Header Fields 413 The response-header fields allow the server to pass additional 414 information about the response which cannot be placed in the Status- 415 Line. These header fields give information about the server and 416 about further access to the resource identified by the Request-URI. 418 response-header = Accept-Ranges ; [Part5], Section 6.1 419 | Age ; [Part6], Section 16.1 420 | ETag ; [Part4], Section 7.1 421 | Location ; Section 10.4 422 | Proxy-Authenticate ; [Part7], Section 4.2 423 | Retry-After ; Section 10.7 424 | Server ; Section 10.8 425 | Vary ; [Part6], Section 16.5 426 | WWW-Authenticate ; [Part7], Section 4.4 428 Response-header field names can be extended reliably only in 429 combination with a change in the protocol version. However, new or 430 experimental header fields MAY be given the semantics of response- 431 header fields if all parties in the communication recognize them to 432 be response-header fields. Unrecognized header fields are treated as 433 entity-header fields. 435 7. Entity 437 Request and Response messages MAY transfer an entity if not otherwise 438 restricted by the request method or response status code. An entity 439 consists of entity-header fields and an entity-body, although some 440 responses will only include the entity-headers. HTTP entity-body and 441 entity-header fields are defined in [Part3]. 443 An entity-body is only present in a message when a message-body is 444 present, as described in Section 4.3 of [Part1]. The entity-body is 445 obtained from the message-body by decoding any Transfer-Encoding that 446 might have been applied to ensure safe and proper transfer of the 447 message. 449 8. Method Definitions 451 The set of common methods for HTTP/1.1 is defined below. Although 452 this set can be expanded, additional methods cannot be assumed to 453 share the same semantics for separately extended clients and servers. 455 8.1. Safe and Idempotent Methods 457 8.1.1. Safe Methods 459 Implementors should be aware that the software represents the user in 460 their interactions over the Internet, and should be careful to allow 461 the user to be aware of any actions they might take which may have an 462 unexpected significance to themselves or others. 464 In particular, the convention has been established that the GET and 465 HEAD methods SHOULD NOT have the significance of taking an action 466 other than retrieval. These methods ought to be considered "safe". 467 This allows user agents to represent other methods, such as POST, PUT 468 and DELETE, in a special way, so that the user is made aware of the 469 fact that a possibly unsafe action is being requested. 471 Naturally, it is not possible to ensure that the server does not 472 generate side-effects as a result of performing a GET request; in 473 fact, some dynamic resources consider that a feature. The important 474 distinction here is that the user did not request the side-effects, 475 so therefore cannot be held accountable for them. 477 8.1.2. Idempotent Methods 479 Methods can also have the property of "idempotence" in that (aside 480 from error or expiration issues) the side-effects of N > 0 identical 481 requests is the same as for a single request. The methods GET, HEAD, 482 PUT and DELETE share this property. Also, the methods OPTIONS and 483 TRACE SHOULD NOT have side effects, and so are inherently idempotent. 485 However, it is possible that a sequence of several requests is non- 486 idempotent, even if all of the methods executed in that sequence are 487 idempotent. (A sequence is idempotent if a single execution of the 488 entire sequence always yields a result that is not changed by a 489 reexecution of all, or part, of that sequence.) For example, a 490 sequence is non-idempotent if its result depends on a value that is 491 later modified in the same sequence. 493 A sequence that never has side effects is idempotent, by definition 494 (provided that no concurrent operations are being executed on the 495 same set of resources). 497 8.2. OPTIONS 499 The OPTIONS method represents a request for information about the 500 communication options available on the request/response chain 501 identified by the Request-URI. This method allows the client to 502 determine the options and/or requirements associated with a resource, 503 or the capabilities of a server, without implying a resource action 504 or initiating a resource retrieval. 506 Responses to this method are not cacheable. 508 If the OPTIONS request includes an entity-body (as indicated by the 509 presence of Content-Length or Transfer-Encoding), then the media type 510 MUST be indicated by a Content-Type field. Although this 511 specification does not define any use for such a body, future 512 extensions to HTTP might use the OPTIONS body to make more detailed 513 queries on the server. A server that does not support such an 514 extension MAY discard the request body. 516 If the Request-URI is an asterisk ("*"), the OPTIONS request is 517 intended to apply to the server in general rather than to a specific 518 resource. Since a server's communication options typically depend on 519 the resource, the "*" request is only useful as a "ping" or "no-op" 520 type of method; it does nothing beyond allowing the client to test 521 the capabilities of the server. For example, this can be used to 522 test a proxy for HTTP/1.1 compliance (or lack thereof). 524 If the Request-URI is not an asterisk, the OPTIONS request applies 525 only to the options that are available when communicating with that 526 resource. 528 A 200 response SHOULD include any header fields that indicate 529 optional features implemented by the server and applicable to that 530 resource (e.g., Allow), possibly including extensions not defined by 531 this specification. The response body, if any, SHOULD also include 532 information about the communication options. The format for such a 533 body is not defined by this specification, but might be defined by 534 future extensions to HTTP. Content negotiation MAY be used to select 535 the appropriate response format. If no response body is included, 536 the response MUST include a Content-Length field with a field-value 537 of "0". 539 The Max-Forwards request-header field MAY be used to target a 540 specific proxy in the request chain. When a proxy receives an 541 OPTIONS request on an absoluteURI for which request forwarding is 542 permitted, the proxy MUST check for a Max-Forwards field. If the 543 Max-Forwards field-value is zero ("0"), the proxy MUST NOT forward 544 the message; instead, the proxy SHOULD respond with its own 545 communication options. If the Max-Forwards field-value is an integer 546 greater than zero, the proxy MUST decrement the field-value when it 547 forwards the request. If no Max-Forwards field is present in the 548 request, then the forwarded request MUST NOT include a Max-Forwards 549 field. 551 8.3. GET 553 The GET method means retrieve whatever information (in the form of an 554 entity) is identified by the Request-URI. If the Request-URI refers 555 to a data-producing process, it is the produced data which shall be 556 returned as the entity in the response and not the source text of the 557 process, unless that text happens to be the output of the process. 559 The semantics of the GET method change to a "conditional GET" if the 560 request message includes an If-Modified-Since, If-Unmodified-Since, 561 If-Match, If-None-Match, or If-Range header field. A conditional GET 562 method requests that the entity be transferred only under the 563 circumstances described by the conditional header field(s). The 564 conditional GET method is intended to reduce unnecessary network 565 usage by allowing cached entities to be refreshed without requiring 566 multiple requests or transferring data already held by the client. 568 The semantics of the GET method change to a "partial GET" if the 569 request message includes a Range header field. A partial GET 570 requests that only part of the entity be transferred, as described in 571 Section 6.4 of [Part5]. The partial GET method is intended to reduce 572 unnecessary network usage by allowing partially-retrieved entities to 573 be completed without transferring data already held by the client. 575 The response to a GET request is cacheable if and only if it meets 576 the requirements for HTTP caching described in [Part6]. 578 See Section 12.2 for security considerations when used for forms. 580 8.4. HEAD 582 The HEAD method is identical to GET except that the server MUST NOT 583 return a message-body in the response. The metainformation contained 584 in the HTTP headers in response to a HEAD request SHOULD be identical 585 to the information sent in response to a GET request. This method 586 can be used for obtaining metainformation about the entity implied by 587 the request without transferring the entity-body itself. This method 588 is often used for testing hypertext links for validity, 589 accessibility, and recent modification. 591 The response to a HEAD request MAY be cacheable in the sense that the 592 information contained in the response MAY be used to update a 593 previously cached entity from that resource. If the new field values 594 indicate that the cached entity differs from the current entity (as 595 would be indicated by a change in Content-Length, Content-MD5, ETag 596 or Last-Modified), then the cache MUST treat the cache entry as 597 stale. 599 8.5. POST 601 The POST method is used to request that the origin server accept the 602 entity enclosed in the request as data to be processed by the 603 resource identified by the Request-URI in the Request-Line. POST is 604 designed to allow a uniform method to cover the following functions: 606 o Annotation of existing resources; 608 o Posting a message to a bulletin board, newsgroup, mailing list, or 609 similar group of articles; 611 o Providing a block of data, such as the result of submitting a 612 form, to a data-handling process; 614 o Extending a database through an append operation. 616 The actual function performed by the POST method is determined by the 617 server and is usually dependent on the Request-URI. 619 The action performed by the POST method might not result in a 620 resource that can be identified by a URI. In this case, either 200 621 (OK) or 204 (No Content) is the appropriate response status, 622 depending on whether or not the response includes an entity that 623 describes the result. 625 If a resource has been created on the origin server, the response 626 SHOULD be 201 (Created) and contain an entity which describes the 627 status of the request and refers to the new resource, and a Location 628 header (see Section 10.4). 630 Responses to this method are not cacheable, unless the response 631 includes appropriate Cache-Control or Expires header fields. 632 However, the 303 (See Other) response can be used to direct the user 633 agent to retrieve a cacheable resource. 635 8.6. PUT 637 The PUT method requests that the enclosed entity be stored under the 638 supplied Request-URI. If the Request-URI refers to an already 639 existing resource, the enclosed entity SHOULD be considered as a 640 modified version of the one residing on the origin server. If the 641 Request-URI does not point to an existing resource, and that URI is 642 capable of being defined as a new resource by the requesting user 643 agent, the origin server can create the resource with that URI. If a 644 new resource is created at the Request-URI, the origin server MUST 645 inform the user agent via the 201 (Created) response. If an existing 646 resource is modified, either the 200 (OK) or 204 (No Content) 647 response codes SHOULD be sent to indicate successful completion of 648 the request. If the resource could not be created or modified with 649 the Request-URI, an appropriate error response SHOULD be given that 650 reflects the nature of the problem. The recipient of the entity MUST 651 NOT ignore any Content-* (e.g. Content-Range) headers that it does 652 not understand or implement and MUST return a 501 (Not Implemented) 653 response in such cases. 655 If the request passes through a cache and the Request-URI identifies 656 one or more currently cached entities, those entries SHOULD be 657 treated as stale. Responses to this method are not cacheable. 659 The fundamental difference between the POST and PUT requests is 660 reflected in the different meaning of the Request-URI. The URI in a 661 POST request identifies the resource that will handle the enclosed 662 entity. That resource might be a data-accepting process, a gateway 663 to some other protocol, or a separate entity that accepts 664 annotations. In contrast, the URI in a PUT request identifies the 665 entity enclosed with the request -- the user agent knows what URI is 666 intended and the server MUST NOT attempt to apply the request to some 667 other resource. If the server desires that the request be applied to 668 a different URI, it MUST send a 301 (Moved Permanently) response; the 669 user agent MAY then make its own decision regarding whether or not to 670 redirect the request. 672 A single resource MAY be identified by many different URIs. For 673 example, an article might have a URI for identifying "the current 674 version" which is separate from the URI identifying each particular 675 version. In this case, a PUT request on a general URI might result 676 in several other URIs being defined by the origin server. 678 HTTP/1.1 does not define how a PUT method affects the state of an 679 origin server. 681 Unless otherwise specified for a particular entity-header, the 682 entity-headers in the PUT request SHOULD be applied to the resource 683 created or modified by the PUT. 685 8.7. DELETE 687 The DELETE method requests that the origin server delete the resource 688 identified by the Request-URI. This method MAY be overridden by 689 human intervention (or other means) on the origin server. The client 690 cannot be guaranteed that the operation has been carried out, even if 691 the status code returned from the origin server indicates that the 692 action has been completed successfully. However, the server SHOULD 693 NOT indicate success unless, at the time the response is given, it 694 intends to delete the resource or move it to an inaccessible 695 location. 697 A successful response SHOULD be 200 (OK) if the response includes an 698 entity describing the status, 202 (Accepted) if the action has not 699 yet been enacted, or 204 (No Content) if the action has been enacted 700 but the response does not include an entity. 702 If the request passes through a cache and the Request-URI identifies 703 one or more currently cached entities, those entries SHOULD be 704 treated as stale. Responses to this method are not cacheable. 706 8.8. TRACE 708 The TRACE method is used to invoke a remote, application-layer loop- 709 back of the request message. The final recipient of the request 710 SHOULD reflect the message received back to the client as the entity- 711 body of a 200 (OK) response. The final recipient is either the 712 origin server or the first proxy or gateway to receive a Max-Forwards 713 value of zero (0) in the request (see Section 10.5). A TRACE request 714 MUST NOT include an entity. 716 TRACE allows the client to see what is being received at the other 717 end of the request chain and use that data for testing or diagnostic 718 information. The value of the Via header field (Section 8.9 of 719 [Part1]) is of particular interest, since it acts as a trace of the 720 request chain. Use of the Max-Forwards header field allows the 721 client to limit the length of the request chain, which is useful for 722 testing a chain of proxies forwarding messages in an infinite loop. 724 If the request is valid, the response SHOULD contain the entire 725 request message in the entity-body, with a Content-Type of "message/ 726 http". Responses to this method MUST NOT be cached. 728 8.9. CONNECT 730 This specification reserves the method name CONNECT for use with a 731 proxy that can dynamically switch to being a tunnel (e.g. SSL 732 tunneling [Luo1998]). 734 9. Status Code Definitions 736 Each Status-Code is described below, including a description of which 737 method(s) it can follow and any metainformation required in the 738 response. 740 9.1. Informational 1xx 742 This class of status code indicates a provisional response, 743 consisting only of the Status-Line and optional headers, and is 744 terminated by an empty line. There are no required headers for this 745 class of status code. Since HTTP/1.0 did not define any 1xx status 746 codes, servers MUST NOT send a 1xx response to an HTTP/1.0 client 747 except under experimental conditions. 749 A client MUST be prepared to accept one or more 1xx status responses 750 prior to a regular response, even if the client does not expect a 100 751 (Continue) status message. Unexpected 1xx status responses MAY be 752 ignored by a user agent. 754 Proxies MUST forward 1xx responses, unless the connection between the 755 proxy and its client has been closed, or unless the proxy itself 756 requested the generation of the 1xx response. (For example, if a 757 proxy adds a "Expect: 100-continue" field when it forwards a request, 758 then it need not forward the corresponding 100 (Continue) 759 response(s).) 761 9.1.1. 100 Continue 763 The client SHOULD continue with its request. This interim response 764 is used to inform the client that the initial part of the request has 765 been received and has not yet been rejected by the server. The 766 client SHOULD continue by sending the remainder of the request or, if 767 the request has already been completed, ignore this response. The 768 server MUST send a final response after the request has been 769 completed. See Section 7.2.3 of [Part1] for detailed discussion of 770 the use and handling of this status code. 772 9.1.2. 101 Switching Protocols 774 The server understands and is willing to comply with the client's 775 request, via the Upgrade message header field (Section 6.4 of 776 [Part5]), for a change in the application protocol being used on this 777 connection. The server will switch protocols to those defined by the 778 response's Upgrade header field immediately after the empty line 779 which terminates the 101 response. 781 The protocol SHOULD be switched only when it is advantageous to do 782 so. For example, switching to a newer version of HTTP is 783 advantageous over older versions, and switching to a real-time, 784 synchronous protocol might be advantageous when delivering resources 785 that use such features. 787 9.2. Successful 2xx 789 This class of status code indicates that the client's request was 790 successfully received, understood, and accepted. 792 9.2.1. 200 OK 794 The request has succeeded. The information returned with the 795 response is dependent on the method used in the request, for example: 797 GET an entity corresponding to the requested resource is sent in the 798 response; 800 HEAD the entity-header fields corresponding to the requested 801 resource are sent in the response without any message-body; 803 POST an entity describing or containing the result of the action; 805 TRACE an entity containing the request message as received by the 806 end server. 808 9.2.2. 201 Created 810 The request has been fulfilled and resulted in a new resource being 811 created. The newly created resource can be referenced by the URI(s) 812 returned in the entity of the response, with the most specific URI 813 for the resource given by a Location header field. The response 814 SHOULD include an entity containing a list of resource 815 characteristics and location(s) from which the user or user agent can 816 choose the one most appropriate. The entity format is specified by 817 the media type given in the Content-Type header field. The origin 818 server MUST create the resource before returning the 201 status code. 819 If the action cannot be carried out immediately, the server SHOULD 820 respond with 202 (Accepted) response instead. 822 A 201 response MAY contain an ETag response header field indicating 823 the current value of the entity tag for the requested variant just 824 created, see Section 7.1 of [Part4]. 826 9.2.3. 202 Accepted 828 The request has been accepted for processing, but the processing has 829 not been completed. The request might or might not eventually be 830 acted upon, as it might be disallowed when processing actually takes 831 place. There is no facility for re-sending a status code from an 832 asynchronous operation such as this. 834 The 202 response is intentionally non-committal. Its purpose is to 835 allow a server to accept a request for some other process (perhaps a 836 batch-oriented process that is only run once per day) without 837 requiring that the user agent's connection to the server persist 838 until the process is completed. The entity returned with this 839 response SHOULD include an indication of the request's current status 840 and either a pointer to a status monitor or some estimate of when the 841 user can expect the request to be fulfilled. 843 9.2.4. 203 Non-Authoritative Information 845 The returned metainformation in the entity-header is not the 846 definitive set as available from the origin server, but is gathered 847 from a local or a third-party copy. The set presented MAY be a 848 subset or superset of the original version. For example, including 849 local annotation information about the resource might result in a 850 superset of the metainformation known by the origin server. Use of 851 this response code is not required and is only appropriate when the 852 response would otherwise be 200 (OK). 854 9.2.5. 204 No Content 856 The server has fulfilled the request but does not need to return an 857 entity-body, and might want to return updated metainformation. The 858 response MAY include new or updated metainformation in the form of 859 entity-headers, which if present SHOULD be associated with the 860 requested variant. 862 If the client is a user agent, it SHOULD NOT change its document view 863 from that which caused the request to be sent. This response is 864 primarily intended to allow input for actions to take place without 865 causing a change to the user agent's active document view, although 866 any new or updated metainformation SHOULD be applied to the document 867 currently in the user agent's active view. 869 The 204 response MUST NOT include a message-body, and thus is always 870 terminated by the first empty line after the header fields. 872 9.2.6. 205 Reset Content 874 The server has fulfilled the request and the user agent SHOULD reset 875 the document view which caused the request to be sent. This response 876 is primarily intended to allow input for actions to take place via 877 user input, followed by a clearing of the form in which the input is 878 given so that the user can easily initiate another input action. The 879 response MUST NOT include an entity. 881 9.2.7. 206 Partial Content 883 The server has fulfilled the partial GET request for the resource and 884 the enclosed entity is a partial representation as defined in 885 [Part5]. 887 9.3. Redirection 3xx 889 This class of status code indicates that further action needs to be 890 taken by the user agent in order to fulfill the request. The action 891 required MAY be carried out by the user agent without interaction 892 with the user if and only if the method used in the second request is 893 GET or HEAD. A client SHOULD detect infinite redirection loops, 894 since such loops generate network traffic for each redirection. 896 Note: previous versions of this specification recommended a 897 maximum of five redirections. Content developers should be aware 898 that there might be clients that implement such a fixed 899 limitation. 901 9.3.1. 300 Multiple Choices 903 The requested resource corresponds to any one of a set of 904 representations, each with its own specific location, and agent- 905 driven negotiation information (Section 5 of [Part3]) is being 906 provided so that the user (or user agent) can select a preferred 907 representation and redirect its request to that location. 909 Unless it was a HEAD request, the response SHOULD include an entity 910 containing a list of resource characteristics and location(s) from 911 which the user or user agent can choose the one most appropriate. 912 The entity format is specified by the media type given in the 913 Content-Type header field. Depending upon the format and the 914 capabilities of the user agent, selection of the most appropriate 915 choice MAY be performed automatically. However, this specification 916 does not define any standard for such automatic selection. 918 If the server has a preferred choice of representation, it SHOULD 919 include the specific URI for that representation in the Location 920 field; user agents MAY use the Location field value for automatic 921 redirection. This response is cacheable unless indicated otherwise. 923 9.3.2. 301 Moved Permanently 925 The requested resource has been assigned a new permanent URI and any 926 future references to this resource SHOULD use one of the returned 927 URIs. Clients with link editing capabilities ought to automatically 928 re-link references to the Request-URI to one or more of the new 929 references returned by the server, where possible. This response is 930 cacheable unless indicated otherwise. 932 The new permanent URI SHOULD be given by the Location field in the 933 response. Unless the request method was HEAD, the entity of the 934 response SHOULD contain a short hypertext note with a hyperlink to 935 the new URI(s). 937 If the 301 status code is received in response to a request method 938 that is known to be "safe", as defined in Section 8.1.1, then the 939 request MAY be automatically redirected by the user agent without 940 confirmation. Otherwise, the user agent MUST NOT automatically 941 redirect the request unless it can be confirmed by the user, since 942 this might change the conditions under which the request was issued. 944 Note: When automatically redirecting a POST request after 945 receiving a 301 status code, some existing HTTP/1.0 user agents 946 will erroneously change it into a GET request. 948 9.3.3. 302 Found 950 The requested resource resides temporarily under a different URI. 951 Since the redirection might be altered on occasion, the client SHOULD 952 continue to use the Request-URI for future requests. This response 953 is only cacheable if indicated by a Cache-Control or Expires header 954 field. 956 The temporary URI SHOULD be given by the Location field in the 957 response. Unless the request method was HEAD, the entity of the 958 response SHOULD contain a short hypertext note with a hyperlink to 959 the new URI(s). 961 If the 302 status code is received in response to a request method 962 that is known to be "safe", as defined in Section 8.1.1, then the 963 request MAY be automatically redirected by the user agent without 964 confirmation. Otherwise, the user agent MUST NOT automatically 965 redirect the request unless it can be confirmed by the user, since 966 this might change the conditions under which the request was issued. 968 Note: [RFC1945] and [RFC2068] specify that the client is not 969 allowed to change the method on the redirected request. However, 970 most existing user agent implementations treat 302 as if it were a 971 303 response, performing a GET on the Location field-value 972 regardless of the original request method. The status codes 303 973 and 307 have been added for servers that wish to make 974 unambiguously clear which kind of reaction is expected of the 975 client. 977 9.3.4. 303 See Other 979 The response to the request can be found under a different URI and 980 SHOULD be retrieved using a GET method on that resource. This method 981 exists primarily to allow the output of a POST-activated script to 982 redirect the user agent to a selected resource. The new URI is not a 983 substitute reference for the originally requested resource. The 303 984 response MUST NOT be cached, but the response to the second 985 (redirected) request might be cacheable. 987 The different URI SHOULD be given by the Location field in the 988 response. Unless the request method was HEAD, the entity of the 989 response SHOULD contain a short hypertext note with a hyperlink to 990 the new URI(s). 992 Note: Many pre-HTTP/1.1 user agents do not understand the 303 993 status. When interoperability with such clients is a concern, the 994 302 status code may be used instead, since most user agents react 995 to a 302 response as described here for 303. 997 9.3.5. 304 Not Modified 999 The response to the request has not been modified since the 1000 conditions indicated by the client's conditional GET request, as 1001 defined in [Part4]. 1003 9.3.6. 305 Use Proxy 1005 The requested resource MUST be accessed through the proxy given by 1006 the Location field. The Location field gives the URI of the proxy. 1007 The recipient is expected to repeat this single request via the 1008 proxy. 305 responses MUST only be generated by origin servers. 1010 Note: [RFC2068] was not clear that 305 was intended to redirect a 1011 single request, and to be generated by origin servers only. Not 1012 observing these limitations has significant security consequences. 1014 9.3.7. 306 (Unused) 1016 The 306 status code was used in a previous version of the 1017 specification, is no longer used, and the code is reserved. 1019 9.3.8. 307 Temporary Redirect 1021 The requested resource resides temporarily under a different URI. 1022 Since the redirection MAY be altered on occasion, the client SHOULD 1023 continue to use the Request-URI for future requests. This response 1024 is only cacheable if indicated by a Cache-Control or Expires header 1025 field. 1027 The temporary URI SHOULD be given by the Location field in the 1028 response. Unless the request method was HEAD, the entity of the 1029 response SHOULD contain a short hypertext note with a hyperlink to 1030 the new URI(s) , since many pre-HTTP/1.1 user agents do not 1031 understand the 307 status. Therefore, the note SHOULD contain the 1032 information necessary for a user to repeat the original request on 1033 the new URI. 1035 If the 307 status code is received in response to a request method 1036 that is known to be "safe", as defined in Section 8.1.1, then the 1037 request MAY be automatically redirected by the user agent without 1038 confirmation. Otherwise, the user agent MUST NOT automatically 1039 redirect the request unless it can be confirmed by the user, since 1040 this might change the conditions under which the request was issued. 1042 9.4. Client Error 4xx 1044 The 4xx class of status code is intended for cases in which the 1045 client seems to have erred. Except when responding to a HEAD 1046 request, the server SHOULD include an entity containing an 1047 explanation of the error situation, and whether it is a temporary or 1048 permanent condition. These status codes are applicable to any 1049 request method. User agents SHOULD display any included entity to 1050 the user. 1052 If the client is sending data, a server implementation using TCP 1053 SHOULD be careful to ensure that the client acknowledges receipt of 1054 the packet(s) containing the response, before the server closes the 1055 input connection. If the client continues sending data to the server 1056 after the close, the server's TCP stack will send a reset packet to 1057 the client, which may erase the client's unacknowledged input buffers 1058 before they can be read and interpreted by the HTTP application. 1060 9.4.1. 400 Bad Request 1062 The request could not be understood by the server due to malformed 1063 syntax. The client SHOULD NOT repeat the request without 1064 modifications. 1066 9.4.2. 401 Unauthorized 1068 The request requires user authentication (see [Part7]). 1070 9.4.3. 402 Payment Required 1072 This code is reserved for future use. 1074 9.4.4. 403 Forbidden 1076 The server understood the request, but is refusing to fulfill it. 1077 Authorization will not help and the request SHOULD NOT be repeated. 1078 If the request method was not HEAD and the server wishes to make 1079 public why the request has not been fulfilled, it SHOULD describe the 1080 reason for the refusal in the entity. If the server does not wish to 1081 make this information available to the client, the status code 404 1082 (Not Found) can be used instead. 1084 9.4.5. 404 Not Found 1086 The server has not found anything matching the Request-URI. No 1087 indication is given of whether the condition is temporary or 1088 permanent. The 410 (Gone) status code SHOULD be used if the server 1089 knows, through some internally configurable mechanism, that an old 1090 resource is permanently unavailable and has no forwarding address. 1091 This status code is commonly used when the server does not wish to 1092 reveal exactly why the request has been refused, or when no other 1093 response is applicable. 1095 9.4.6. 405 Method Not Allowed 1097 The method specified in the Request-Line is not allowed for the 1098 resource identified by the Request-URI. The response MUST include an 1099 Allow header containing a list of valid methods for the requested 1100 resource. 1102 9.4.7. 406 Not Acceptable 1104 The resource identified by the request is only capable of generating 1105 response entities which have content characteristics not acceptable 1106 according to the accept headers sent in the request. 1108 Unless it was a HEAD request, the response SHOULD include an entity 1109 containing a list of available entity characteristics and location(s) 1110 from which the user or user agent can choose the one most 1111 appropriate. The entity format is specified by the media type given 1112 in the Content-Type header field. Depending upon the format and the 1113 capabilities of the user agent, selection of the most appropriate 1114 choice MAY be performed automatically. However, this specification 1115 does not define any standard for such automatic selection. 1117 Note: HTTP/1.1 servers are allowed to return responses which are 1118 not acceptable according to the accept headers sent in the 1119 request. In some cases, this may even be preferable to sending a 1120 406 response. User agents are encouraged to inspect the headers 1121 of an incoming response to determine if it is acceptable. 1123 If the response could be unacceptable, a user agent SHOULD 1124 temporarily stop receipt of more data and query the user for a 1125 decision on further actions. 1127 9.4.8. 407 Proxy Authentication Required 1129 This code is similar to 401 (Unauthorized), but indicates that the 1130 client must first authenticate itself with the proxy (see [Part7]). 1132 9.4.9. 408 Request Timeout 1134 The client did not produce a request within the time that the server 1135 was prepared to wait. The client MAY repeat the request without 1136 modifications at any later time. 1138 9.4.10. 409 Conflict 1140 The request could not be completed due to a conflict with the current 1141 state of the resource. This code is only allowed in situations where 1142 it is expected that the user might be able to resolve the conflict 1143 and resubmit the request. The response body SHOULD include enough 1144 information for the user to recognize the source of the conflict. 1145 Ideally, the response entity would include enough information for the 1146 user or user agent to fix the problem; however, that might not be 1147 possible and is not required. 1149 Conflicts are most likely to occur in response to a PUT request. For 1150 example, if versioning were being used and the entity being PUT 1151 included changes to a resource which conflict with those made by an 1152 earlier (third-party) request, the server might use the 409 response 1153 to indicate that it can't complete the request. In this case, the 1154 response entity would likely contain a list of the differences 1155 between the two versions in a format defined by the response Content- 1156 Type. 1158 9.4.11. 410 Gone 1160 The requested resource is no longer available at the server and no 1161 forwarding address is known. This condition is expected to be 1162 considered permanent. Clients with link editing capabilities SHOULD 1163 delete references to the Request-URI after user approval. If the 1164 server does not know, or has no facility to determine, whether or not 1165 the condition is permanent, the status code 404 (Not Found) SHOULD be 1166 used instead. This response is cacheable unless indicated otherwise. 1168 The 410 response is primarily intended to assist the task of web 1169 maintenance by notifying the recipient that the resource is 1170 intentionally unavailable and that the server owners desire that 1171 remote links to that resource be removed. Such an event is common 1172 for limited-time, promotional services and for resources belonging to 1173 individuals no longer working at the server's site. It is not 1174 necessary to mark all permanently unavailable resources as "gone" or 1175 to keep the mark for any length of time -- that is left to the 1176 discretion of the server owner. 1178 9.4.12. 411 Length Required 1180 The server refuses to accept the request without a defined Content- 1181 Length. The client MAY repeat the request if it adds a valid 1182 Content-Length header field containing the length of the message-body 1183 in the request message. 1185 9.4.13. 412 Precondition Failed 1187 The precondition given in one or more of the request-header fields 1188 evaluated to false when it was tested on the server, as defined in 1189 [Part4]. 1191 9.4.14. 413 Request Entity Too Large 1193 The server is refusing to process a request because the request 1194 entity is larger than the server is willing or able to process. The 1195 server MAY close the connection to prevent the client from continuing 1196 the request. 1198 If the condition is temporary, the server SHOULD include a Retry- 1199 After header field to indicate that it is temporary and after what 1200 time the client MAY try again. 1202 9.4.15. 414 Request-URI Too Long 1204 The server is refusing to service the request because the Request-URI 1205 is longer than the server is willing to interpret. This rare 1206 condition is only likely to occur when a client has improperly 1207 converted a POST request to a GET request with long query 1208 information, when the client has descended into a URI "black hole" of 1209 redirection (e.g., a redirected URI prefix that points to a suffix of 1210 itself), or when the server is under attack by a client attempting to 1211 exploit security holes present in some servers using fixed-length 1212 buffers for reading or manipulating the Request-URI. 1214 9.4.16. 415 Unsupported Media Type 1216 The server is refusing to service the request because the entity of 1217 the request is in a format not supported by the requested resource 1218 for the requested method. 1220 9.4.17. 416 Requested Range Not Satisfiable 1222 The request included a Range request-header field (Section 6.4 of 1223 [Part5]) and none of the range-specifier values in this field overlap 1224 the current extent of the selected resource. 1226 9.4.18. 417 Expectation Failed 1228 The expectation given in an Expect request-header field (see 1229 Section 10.2) could not be met by this server, or, if the server is a 1230 proxy, the server has unambiguous evidence that the request could not 1231 be met by the next-hop server. 1233 9.5. Server Error 5xx 1235 Response status codes beginning with the digit "5" indicate cases in 1236 which the server is aware that it has erred or is incapable of 1237 performing the request. Except when responding to a HEAD request, 1238 the server SHOULD include an entity containing an explanation of the 1239 error situation, and whether it is a temporary or permanent 1240 condition. User agents SHOULD display any included entity to the 1241 user. These response codes are applicable to any request method. 1243 9.5.1. 500 Internal Server Error 1245 The server encountered an unexpected condition which prevented it 1246 from fulfilling the request. 1248 9.5.2. 501 Not Implemented 1250 The server does not support the functionality required to fulfill the 1251 request. This is the appropriate response when the server does not 1252 recognize the request method and is not capable of supporting it for 1253 any resource. 1255 9.5.3. 502 Bad Gateway 1257 The server, while acting as a gateway or proxy, received an invalid 1258 response from the upstream server it accessed in attempting to 1259 fulfill the request. 1261 9.5.4. 503 Service Unavailable 1263 The server is currently unable to handle the request due to a 1264 temporary overloading or maintenance of the server. The implication 1265 is that this is a temporary condition which will be alleviated after 1266 some delay. If known, the length of the delay MAY be indicated in a 1267 Retry-After header. If no Retry-After is given, the client SHOULD 1268 handle the response as it would for a 500 response. 1270 Note: The existence of the 503 status code does not imply that a 1271 server must use it when becoming overloaded. Some servers may 1272 wish to simply refuse the connection. 1274 9.5.5. 504 Gateway Timeout 1276 The server, while acting as a gateway or proxy, did not receive a 1277 timely response from the upstream server specified by the URI (e.g. 1278 HTTP, FTP, LDAP) or some other auxiliary server (e.g. DNS) it needed 1279 to access in attempting to complete the request. 1281 Note: Note to implementors: some deployed proxies are known to 1282 return 400 or 500 when DNS lookups time out. 1284 9.5.6. 505 HTTP Version Not Supported 1286 The server does not support, or refuses to support, the protocol 1287 version that was used in the request message. The server is 1288 indicating that it is unable or unwilling to complete the request 1289 using the same major version as the client, as described in Section 1290 3.1 of [Part1], other than with this error message. The response 1291 SHOULD contain an entity describing why that version is not supported 1292 and what other protocols are supported by that server. 1294 10. Header Field Definitions 1296 This section defines the syntax and semantics of HTTP/1.1 header 1297 fields related to request and response semantics. 1299 For entity-header fields, both sender and recipient refer to either 1300 the client or the server, depending on who sends and who receives the 1301 entity. 1303 10.1. Allow 1305 The Allow entity-header field lists the set of methods supported by 1306 the resource identified by the Request-URI. The purpose of this 1307 field is strictly to inform the recipient of valid methods associated 1308 with the resource. An Allow header field MUST be present in a 405 1309 (Method Not Allowed) response. 1311 Allow = "Allow" ":" #Method 1313 Example of use: 1315 Allow: GET, HEAD, PUT 1317 This field cannot prevent a client from trying other methods. 1318 However, the indications given by the Allow header field value SHOULD 1319 be followed. The actual set of allowed methods is defined by the 1320 origin server at the time of each request. 1322 The Allow header field MAY be provided with a PUT request to 1323 recommend the methods to be supported by the new or modified 1324 resource. The server is not required to support these methods and 1325 SHOULD include an Allow header in the response giving the actual 1326 supported methods. 1328 A proxy MUST NOT modify the Allow header field even if it does not 1329 understand all the methods specified, since the user agent might have 1330 other means of communicating with the origin server. 1332 10.2. Expect 1334 The Expect request-header field is used to indicate that particular 1335 server behaviors are required by the client. 1337 Expect = "Expect" ":" 1#expectation 1339 expectation = "100-continue" | expectation-extension 1340 expectation-extension = token [ "=" ( token | quoted-string ) 1341 *expect-params ] 1343 expect-params = ";" token [ "=" ( token | quoted-string ) ] 1345 A server that does not understand or is unable to comply with any of 1346 the expectation values in the Expect field of a request MUST respond 1347 with appropriate error status. The server MUST respond with a 417 1348 (Expectation Failed) status if any of the expectations cannot be met 1349 or, if there are other problems with the request, some other 4xx 1350 status. 1352 This header field is defined with extensible syntax to allow for 1353 future extensions. If a server receives a request containing an 1354 Expect field that includes an expectation-extension that it does not 1355 support, it MUST respond with a 417 (Expectation Failed) status. 1357 Comparison of expectation values is case-insensitive for unquoted 1358 tokens (including the 100-continue token), and is case-sensitive for 1359 quoted-string expectation-extensions. 1361 The Expect mechanism is hop-by-hop: that is, an HTTP/1.1 proxy MUST 1362 return a 417 (Expectation Failed) status if it receives a request 1363 with an expectation that it cannot meet. However, the Expect 1364 request-header itself is end-to-end; it MUST be forwarded if the 1365 request is forwarded. 1367 Many older HTTP/1.0 and HTTP/1.1 applications do not understand the 1368 Expect header. 1370 See Section 7.2.3 of [Part1] for the use of the 100 (Continue) 1371 status. 1373 10.3. From 1375 The From request-header field, if given, SHOULD contain an Internet 1376 e-mail address for the human user who controls the requesting user 1377 agent. The address SHOULD be machine-usable, as defined by "mailbox" 1378 in Section 3.4 of [RFC2822]: 1380 From = "From" ":" mailbox 1382 mailbox = 1384 An example is: 1386 From: webmaster@example.org 1388 This header field MAY be used for logging purposes and as a means for 1389 identifying the source of invalid or unwanted requests. It SHOULD 1390 NOT be used as an insecure form of access protection. The 1391 interpretation of this field is that the request is being performed 1392 on behalf of the person given, who accepts responsibility for the 1393 method performed. In particular, robot agents SHOULD include this 1394 header so that the person responsible for running the robot can be 1395 contacted if problems occur on the receiving end. 1397 The Internet e-mail address in this field MAY be separate from the 1398 Internet host which issued the request. For example, when a request 1399 is passed through a proxy the original issuer's address SHOULD be 1400 used. 1402 The client SHOULD NOT send the From header field without the user's 1403 approval, as it might conflict with the user's privacy interests or 1404 their site's security policy. It is strongly recommended that the 1405 user be able to disable, enable, and modify the value of this field 1406 at any time prior to a request. 1408 10.4. Location 1410 The Location response-header field is used to redirect the recipient 1411 to a location other than the Request-URI for completion of the 1412 request or identification of a new resource. For 201 (Created) 1413 responses, the Location is that of the new resource which was created 1414 by the request. For 3xx responses, the location SHOULD indicate the 1415 server's preferred URI for automatic redirection to the resource. 1416 The field value consists of a single absolute URI. 1418 Location = "Location" ":" absoluteURI [ "#" fragment ] 1420 An example is: 1422 Location: http://www.example.org/pub/WWW/People.html 1424 Note: The Content-Location header field (Section 6.7 of [Part3]) 1425 differs from Location in that the Content-Location identifies the 1426 original location of the entity enclosed in the request. It is 1427 therefore possible for a response to contain header fields for 1428 both Location and Content-Location. 1430 There are circumstances in which a fragment identifier in a Location 1431 URL would not be appropriate: 1433 o With a 201 Created response, because in this usage the Location 1434 header specifies the URL for the entire created resource. 1436 o With a 300 Multiple Choices, since the choice decision is intended 1437 to be made on resource characteristics and not fragment 1438 characteristics. 1440 o With 305 Use Proxy. 1442 10.5. Max-Forwards 1444 The Max-Forwards request-header field provides a mechanism with the 1445 TRACE (Section 8.8) and OPTIONS (Section 8.2) methods to limit the 1446 number of proxies or gateways that can forward the request to the 1447 next inbound server. This can be useful when the client is 1448 attempting to trace a request chain which appears to be failing or 1449 looping in mid-chain. 1451 Max-Forwards = "Max-Forwards" ":" 1*DIGIT 1453 The Max-Forwards value is a decimal integer indicating the remaining 1454 number of times this request message may be forwarded. 1456 Each proxy or gateway recipient of a TRACE or OPTIONS request 1457 containing a Max-Forwards header field MUST check and update its 1458 value prior to forwarding the request. If the received value is zero 1459 (0), the recipient MUST NOT forward the request; instead, it MUST 1460 respond as the final recipient. If the received Max-Forwards value 1461 is greater than zero, then the forwarded message MUST contain an 1462 updated Max-Forwards field with a value decremented by one (1). 1464 The Max-Forwards header field MAY be ignored for all other methods 1465 defined by this specification and for any extension methods for which 1466 it is not explicitly referred to as part of that method definition. 1468 10.6. Referer 1470 The Referer[sic] request-header field allows the client to specify, 1471 for the server's benefit, the address (URI) of the resource from 1472 which the Request-URI was obtained (the "referrer", although the 1473 header field is misspelled.) The Referer request-header allows a 1474 server to generate lists of back-links to resources for interest, 1475 logging, optimized caching, etc. It also allows obsolete or mistyped 1476 links to be traced for maintenance. The Referer field MUST NOT be 1477 sent if the Request-URI was obtained from a source that does not have 1478 its own URI, such as input from the user keyboard. 1480 Referer = "Referer" ":" ( absoluteURI | relativeURI ) 1482 Example: 1484 Referer: http://www.example.org/hypertext/Overview.html 1486 If the field value is a relative URI, it SHOULD be interpreted 1487 relative to the Request-URI. The URI MUST NOT include a fragment. 1489 See Section 12.2 for security considerations. 1491 10.7. Retry-After 1493 The Retry-After response-header field can be used with a 503 (Service 1494 Unavailable) response to indicate how long the service is expected to 1495 be unavailable to the requesting client. This field MAY also be used 1496 with any 3xx (Redirection) response to indicate the minimum time the 1497 user-agent is asked wait before issuing the redirected request. The 1498 value of this field can be either an HTTP-date or an integer number 1499 of seconds (in decimal) after the time of the response. 1501 Retry-After = "Retry-After" ":" ( HTTP-date | delta-seconds ) 1503 Time spans are non-negative decimal integers, representing time in 1504 seconds. 1506 delta-seconds = 1*DIGIT 1508 Two examples of its use are 1510 Retry-After: Fri, 31 Dec 1999 23:59:59 GMT 1511 Retry-After: 120 1513 In the latter example, the delay is 2 minutes. 1515 10.8. Server 1517 The Server response-header field contains information about the 1518 software used by the origin server to handle the request. The field 1519 can contain multiple product tokens (Section 3.5 of [Part1]) and 1520 comments identifying the server and any significant subproducts. The 1521 product tokens are listed in order of their significance for 1522 identifying the application. 1524 Server = "Server" ":" 1*( product | comment ) 1526 Example: 1528 Server: CERN/3.0 libwww/2.17 1530 If the response is being forwarded through a proxy, the proxy 1531 application MUST NOT modify the Server response-header. Instead, it 1532 MUST include a Via field (as described in Section 8.9 of [Part1]). 1534 Note: Revealing the specific software version of the server might 1535 allow the server machine to become more vulnerable to attacks 1536 against software that is known to contain security holes. Server 1537 implementors are encouraged to make this field a configurable 1538 option. 1540 10.9. User-Agent 1542 The User-Agent request-header field contains information about the 1543 user agent originating the request. This is for statistical 1544 purposes, the tracing of protocol violations, and automated 1545 recognition of user agents for the sake of tailoring responses to 1546 avoid particular user agent limitations. User agents SHOULD include 1547 this field with requests. The field can contain multiple product 1548 tokens (Section 3.5 of [Part1]) and comments identifying the agent 1549 and any subproducts which form a significant part of the user agent. 1550 By convention, the product tokens are listed in order of their 1551 significance for identifying the application. 1553 User-Agent = "User-Agent" ":" 1*( product | comment ) 1555 Example: 1557 User-Agent: CERN-LineMode/2.15 libwww/2.17b3 1559 11. IANA Considerations 1561 [[anchor1: TBD.]] 1563 12. Security Considerations 1565 This section is meant to inform application developers, information 1566 providers, and users of the security limitations in HTTP/1.1 as 1567 described by this document. The discussion does not include 1568 definitive solutions to the problems revealed, though it does make 1569 some suggestions for reducing security risks. 1571 12.1. Transfer of Sensitive Information 1573 Like any generic data transfer protocol, HTTP cannot regulate the 1574 content of the data that is transferred, nor is there any a priori 1575 method of determining the sensitivity of any particular piece of 1576 information within the context of any given request. Therefore, 1577 applications SHOULD supply as much control over this information as 1578 possible to the provider of that information. Four header fields are 1579 worth special mention in this context: Server, Via, Referer and From. 1581 Revealing the specific software version of the server might allow the 1582 server machine to become more vulnerable to attacks against software 1583 that is known to contain security holes. Implementors SHOULD make 1584 the Server header field a configurable option. 1586 Proxies which serve as a portal through a network firewall SHOULD 1587 take special precautions regarding the transfer of header information 1588 that identifies the hosts behind the firewall. In particular, they 1589 SHOULD remove, or replace with sanitized versions, any Via fields 1590 generated behind the firewall. 1592 The Referer header allows reading patterns to be studied and reverse 1593 links drawn. Although it can be very useful, its power can be abused 1594 if user details are not separated from the information contained in 1595 the Referer. Even when the personal information has been removed, 1596 the Referer header might indicate a private document's URI whose 1597 publication would be inappropriate. 1599 The information sent in the From field might conflict with the user's 1600 privacy interests or their site's security policy, and hence it 1601 SHOULD NOT be transmitted without the user being able to disable, 1602 enable, and modify the contents of the field. The user MUST be able 1603 to set the contents of this field within a user preference or 1604 application defaults configuration. 1606 We suggest, though do not require, that a convenient toggle interface 1607 be provided for the user to enable or disable the sending of From and 1608 Referer information. 1610 The User-Agent (Section 10.9) or Server (Section 10.8) header fields 1611 can sometimes be used to determine that a specific client or server 1612 have a particular security hole which might be exploited. 1613 Unfortunately, this same information is often used for other valuable 1614 purposes for which HTTP currently has no better mechanism. 1616 12.2. Encoding Sensitive Information in URIs 1618 Because the source of a link might be private information or might 1619 reveal an otherwise private information source, it is strongly 1620 recommended that the user be able to select whether or not the 1621 Referer field is sent. For example, a browser client could have a 1622 toggle switch for browsing openly/anonymously, which would 1623 respectively enable/disable the sending of Referer and From 1624 information. 1626 Clients SHOULD NOT include a Referer header field in a (non-secure) 1627 HTTP request if the referring page was transferred with a secure 1628 protocol. 1630 Authors of services should not use GET-based forms for the submission 1631 of sensitive data because that data will be encoded in the Request- 1632 URI. Many existing servers, proxies, and user agents log or display 1633 the Request-URI in places where it might be visible to third parties. 1634 Such services can use POST-based form submission instead. 1636 12.3. Location Headers and Spoofing 1638 If a single server supports multiple organizations that do not trust 1639 one another, then it MUST check the values of Location and Content- 1640 Location headers in responses that are generated under control of 1641 said organizations to make sure that they do not attempt to 1642 invalidate resources over which they have no authority. 1644 13. Acknowledgments 1646 14. References 1648 14.1. Normative References 1650 [Part1] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., 1651 Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., 1652 and J. Reschke, Ed., "HTTP/1.1, part 1: URIs, Connections, 1653 and Message Parsing", draft-ietf-httpbis-p1-messaging-02 1654 (work in progress), February 2008. 1656 [Part3] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., 1657 Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., 1658 and J. Reschke, Ed., "HTTP/1.1, part 3: Message Payload 1659 and Content Negotiation", draft-ietf-httpbis-p3-payload-02 1660 (work in progress), February 2008. 1662 [Part4] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., 1663 Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., 1664 and J. Reschke, Ed., "HTTP/1.1, part 4: Conditional 1665 Requests", draft-ietf-httpbis-p4-conditional-02 (work in 1666 progress), February 2008. 1668 [Part5] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., 1669 Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., 1670 and J. Reschke, Ed., "HTTP/1.1, part 5: Range Requests and 1671 Partial Responses", draft-ietf-httpbis-p5-range-02 (work 1672 in progress), February 2008. 1674 [Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., 1675 Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., 1676 and J. Reschke, Ed., "HTTP/1.1, part 6: Caching", 1677 draft-ietf-httpbis-p6-cache-02 (work in progress), 1678 February 2008. 1680 [Part7] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., 1681 Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., 1682 and J. Reschke, Ed., "HTTP/1.1, part 7: Authentication", 1683 draft-ietf-httpbis-p7-auth-02 (work in progress), 1684 February 2008. 1686 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1687 Requirement Levels", BCP 14, RFC 2119, March 1997. 1689 14.2. Informative References 1691 [Luo1998] Luotonen, A., "Tunneling TCP based protocols through Web 1692 proxy servers", draft-luotonen-web-proxy-tunneling-01 1693 (work in progress), August 1998. 1695 [RFC1945] Berners-Lee, T., Fielding, R., and H. Nielsen, "Hypertext 1696 Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996. 1698 [RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. 1699 Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", 1700 RFC 2068, January 1997. 1702 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 1703 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 1704 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 1706 [RFC2822] Resnick, P., "Internet Message Format", RFC 2822, 1707 April 2001. 1709 Appendix A. Compatibility with Previous Versions 1711 A.1. Changes from RFC 2068 1713 Clarified which error code should be used for inbound server failures 1714 (e.g. DNS failures). (Section 9.5.5). 1716 201 (Created) had a race that required an Etag be sent when a 1717 resource is first created. (Section 9.2.2). 1719 Rewrite of message transmission requirements to make it much harder 1720 for implementors to get it wrong, as the consequences of errors here 1721 can have significant impact on the Internet, and to deal with the 1722 following problems: 1724 1. Changing "HTTP/1.1 or later" to "HTTP/1.1", in contexts where 1725 this was incorrectly placing a requirement on the behavior of an 1726 implementation of a future version of HTTP/1.x 1728 2. Made it clear that user-agents should retry requests, not 1729 "clients" in general. 1731 3. Converted requirements for clients to ignore unexpected 100 1732 (Continue) responses, and for proxies to forward 100 responses, 1733 into a general requirement for 1xx responses. 1735 4. Modified some TCP-specific language, to make it clearer that non- 1736 TCP transports are possible for HTTP. 1738 5. Require that the origin server MUST NOT wait for the request body 1739 before it sends a required 100 (Continue) response. 1741 6. Allow, rather than require, a server to omit 100 (Continue) if it 1742 has already seen some of the request body. 1744 7. Allow servers to defend against denial-of-service attacks and 1745 broken clients. 1747 This change adds the Expect header and 417 status code. 1749 Clean up confusion between 403 and 404 responses. (Section 9.4.4, 1750 9.4.5, and 9.4.11) 1752 The PATCH, LINK, UNLINK methods were defined but not commonly 1753 implemented in previous versions of this specification. See 1754 [RFC2068]. 1756 A.2. Changes from RFC 2616 1758 Clarify definition of POST. (Section 8.5) 1760 Failed to consider that there are many other request methods that are 1761 safe to automatically redirect, and further that the user agent is 1762 able to make that determination based on the request method 1763 semantics. (Sections 9.3.2, 9.3.3 and 9.3.8 ) 1765 Correct syntax of Location header to allow fragment, as referred 1766 symbol wasn't what was expected, and add some clarifications as to 1767 when it would not be appropriate. (Section 10.4) 1769 In the description of the Server header, the Via field was described 1770 as a SHOULD. The requirement was and is stated correctly in the 1771 description of the Via header in Section 8.9 of [Part1]. 1773 (Section 10.8) 1775 Appendix B. Change Log (to be removed by RFC Editor before publication) 1777 B.1. Since RFC2616 1779 Extracted relevant partitions from [RFC2616]. 1781 B.2. Since draft-ietf-httpbis-p2-semantics-00 1783 Closed issues: 1785 o : "Via is a 1786 MUST" () 1788 o : "Fragments 1789 allowed in Location" 1790 () 1792 o : "Safe 1793 Methods vs Redirection" 1794 () 1796 o : "Revise 1797 description of the POST method" 1798 () 1800 o : "Normative 1801 and Informative references" 1803 o : "RFC2606 1804 Compliance" 1806 o : 1807 "Informative references" 1809 o : "Redundant 1810 cross-references" 1812 Other changes: 1814 o Move definitions of 304 and 412 condition codes to [Part4] 1816 B.3. Since draft-ietf-httpbis-p2-semantics-01 1818 Closed issues: 1820 o : "PUT side 1821 effects" 1823 o : "Duplicate 1824 Host header requirements" 1826 Ongoing work on ABNF conversion 1827 (): 1829 o Move "Product Tokens" section (back) into Part 1, as "token" is 1830 used in the definition of the Upgrade header. 1832 o Add explicit references to BNF syntax and rules imported from 1833 other parts of the specification. 1835 o Copy definition of delta-seconds from Part6 instead of referencing 1836 it. 1838 Index 1840 1 1841 100 Continue (status code) 18 1842 101 Switching Protocols (status code) 19 1844 2 1845 200 OK (status code) 19 1846 201 Created (status code) 19 1847 202 Accepted (status code) 20 1848 203 Non-Authoritative Information (status code) 20 1849 204 No Content (status code) 20 1850 205 Reset Content (status code) 21 1851 206 Partial Content (status code) 21 1853 3 1854 300 Multiple Choices (status code) 21 1855 301 Moved Permanently (status code) 22 1856 302 Found (status code) 22 1857 303 See Other (status code) 23 1858 304 Not Modified (status code) 23 1859 305 Use Proxy (status code) 23 1860 306 (Unused) (status code) 24 1861 307 Temporary Redirect (status code) 24 1863 4 1864 400 Bad Request (status code) 25 1865 401 Unauthorized (status code) 25 1866 402 Payment Required (status code) 25 1867 403 Forbidden (status code) 25 1868 404 Not Found (status code) 25 1869 405 Method Not Allowed (status code) 25 1870 406 Not Acceptable (status code) 25 1871 407 Proxy Authentication Required (status code) 26 1872 408 Request Timeout (status code) 26 1873 409 Conflict (status code) 26 1874 410 Gone (status code) 27 1875 411 Length Required (status code) 27 1876 412 Precondition Failed (status code) 27 1877 413 Request Entity Too Large (status code) 27 1878 414 Request-URI Too Long (status code) 28 1879 415 Unsupported Media Type (status code) 28 1880 416 Requested Range Not Satisfiable (status code) 28 1881 417 Expectation Failed (status code) 28 1883 5 1884 500 Internal Server Error (status code) 28 1885 501 Not Implemented (status code) 29 1886 502 Bad Gateway (status code) 29 1887 503 Service Unavailable (status code) 29 1888 504 Gateway Timeout (status code) 29 1889 505 HTTP Version Not Supported (status code) 29 1891 A 1892 Allow header 30 1894 C 1895 CONNECT method 18 1897 D 1898 DELETE method 17 1900 E 1901 Expect header 30 1903 F 1904 From header 31 1906 G 1907 GET method 14 1908 Grammar 1909 Allow 30 1910 delta-seconds 34 1911 Expect 30 1912 expect-params 30 1913 expectation 30 1914 expectation-extension 30 1915 extension-code 10 1916 extension-method 8 1917 From 31 1918 Location 32 1919 Max-Forwards 33 1920 Method 8 1921 Reason-Phrase 10 1922 Referer 33 1923 request-header 9 1924 response-header 11 1925 Retry-After 34 1926 Server 34 1927 Status-Code 10 1928 User-Agent 35 1930 H 1931 HEAD method 14 1932 Headers 1933 Allow 30 1934 Expect 30 1935 From 31 1936 Location 32 1937 Max-Forwards 33 1938 Referer 33 1939 Retry-After 34 1940 Server 34 1941 User-Agent 35 1943 L 1944 LINK method 39 1945 Location header 32 1947 M 1948 Max-Forwards header 33 1949 Methods 1950 CONNECT 18 1951 DELETE 17 1952 GET 14 1953 HEAD 14 1954 LINK 39 1955 OPTIONS 13 1956 PATCH 39 1957 POST 15 1958 PUT 16 1959 TRACE 17 1960 UNLINK 39 1962 O 1963 OPTIONS method 13 1965 P 1966 PATCH method 39 1967 POST method 15 1968 PUT method 16 1970 R 1971 Referer header 33 1972 Retry-After header 34 1974 S 1975 Server header 34 1976 Status Codes 1977 100 Continue 18 1978 101 Switching Protocols 19 1979 200 OK 19 1980 201 Created 19 1981 202 Accepted 20 1982 203 Non-Authoritative Information 20 1983 204 No Content 20 1984 205 Reset Content 21 1985 206 Partial Content 21 1986 300 Multiple Choices 21 1987 301 Moved Permanently 22 1988 302 Found 22 1989 303 See Other 23 1990 304 Not Modified 23 1991 305 Use Proxy 23 1992 306 (Unused) 24 1993 307 Temporary Redirect 24 1994 400 Bad Request 25 1995 401 Unauthorized 25 1996 402 Payment Required 25 1997 403 Forbidden 25 1998 404 Not Found 25 1999 405 Method Not Allowed 25 2000 406 Not Acceptable 25 2001 407 Proxy Authentication Required 26 2002 408 Request Timeout 26 2003 409 Conflict 26 2004 410 Gone 27 2005 411 Length Required 27 2006 412 Precondition Failed 27 2007 413 Request Entity Too Large 27 2008 414 Request-URI Too Long 28 2009 415 Unsupported Media Type 28 2010 416 Requested Range Not Satisfiable 28 2011 417 Expectation Failed 28 2012 500 Internal Server Error 28 2013 501 Not Implemented 29 2014 502 Bad Gateway 29 2015 503 Service Unavailable 29 2016 504 Gateway Timeout 29 2017 505 HTTP Version Not Supported 29 2019 T 2020 TRACE method 17 2022 U 2023 UNLINK method 39 2024 User-Agent header 35 2026 Authors' Addresses 2028 Roy T. Fielding (editor) 2029 Day Software 2030 23 Corporate Plaza DR, Suite 280 2031 Newport Beach, CA 92660 2032 USA 2034 Phone: +1-949-706-5300 2035 Fax: +1-949-706-5305 2036 Email: fielding@gbiv.com 2037 URI: http://roy.gbiv.com/ 2039 Jim Gettys 2040 One Laptop per Child 2041 21 Oak Knoll Road 2042 Carlisle, MA 01741 2043 USA 2045 Email: jg@laptop.org 2046 URI: http://www.laptop.org/ 2047 Jeffrey C. Mogul 2048 Hewlett-Packard Company 2049 HP Labs, Large Scale Systems Group 2050 1501 Page Mill Road, MS 1177 2051 Palo Alto, CA 94304 2052 USA 2054 Email: JeffMogul@acm.org 2056 Henrik Frystyk Nielsen 2057 Microsoft Corporation 2058 1 Microsoft Way 2059 Redmond, WA 98052 2060 USA 2062 Email: henrikn@microsoft.com 2064 Larry Masinter 2065 Adobe Systems, Incorporated 2066 345 Park Ave 2067 San Jose, CA 95110 2068 USA 2070 Email: LMM@acm.org 2071 URI: http://larry.masinter.net/ 2073 Paul J. Leach 2074 Microsoft Corporation 2075 1 Microsoft Way 2076 Redmond, WA 98052 2078 Email: paulle@microsoft.com 2080 Tim Berners-Lee 2081 World Wide Web Consortium 2082 MIT Computer Science and Artificial Intelligence Laboratory 2083 The Stata Center, Building 32 2084 32 Vassar Street 2085 Cambridge, MA 02139 2086 USA 2088 Email: timbl@w3.org 2089 URI: http://www.w3.org/People/Berners-Lee/ 2090 Yves Lafon (editor) 2091 World Wide Web Consortium 2092 W3C / ERCIM 2093 2004, rte des Lucioles 2094 Sophia-Antipolis, AM 06902 2095 France 2097 Email: ylafon@w3.org 2098 URI: http://www.raubacapeu.net/people/yves/ 2100 Julian F. Reschke (editor) 2101 greenbytes GmbH 2102 Hafenweg 16 2103 Muenster, NW 48155 2104 Germany 2106 Phone: +49 251 2807760 2107 Fax: +49 251 2807761 2108 Email: julian.reschke@greenbytes.de 2109 URI: http://greenbytes.de/tech/webdav/ 2111 Full Copyright Statement 2113 Copyright (C) The IETF Trust (2008). 2115 This document is subject to the rights, licenses and restrictions 2116 contained in BCP 78, and except as set forth therein, the authors 2117 retain all their rights. 2119 This document and the information contained herein are provided on an 2120 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 2121 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 2122 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 2123 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 2124 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 2125 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2127 Intellectual Property 2129 The IETF takes no position regarding the validity or scope of any 2130 Intellectual Property Rights or other rights that might be claimed to 2131 pertain to the implementation or use of the technology described in 2132 this document or the extent to which any license under such rights 2133 might or might not be available; nor does it represent that it has 2134 made any independent effort to identify any such rights. Information 2135 on the procedures with respect to rights in RFC documents can be 2136 found in BCP 78 and BCP 79. 2138 Copies of IPR disclosures made to the IETF Secretariat and any 2139 assurances of licenses to be made available, or the result of an 2140 attempt made to obtain a general license or permission for the use of 2141 such proprietary rights by implementers or users of this 2142 specification can be obtained from the IETF on-line IPR repository at 2143 http://www.ietf.org/ipr. 2145 The IETF invites any interested party to bring to its attention any 2146 copyrights, patents or patent applications, or other proprietary 2147 rights that may cover technology that may be required to implement 2148 this standard. Please address the information to the IETF at 2149 ietf-ipr@ietf.org. 2151 Acknowledgment 2153 Funding for the RFC Editor function is provided by the IETF 2154 Administrative Support Activity (IASA).