idnits 2.17.1 draft-luff-json-hyper-schema-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 1, 2013) is 4099 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 5226 (Obsoleted by RFC 8126) -- Obsolete informational reference (is this intentional?): RFC 5988 (Obsoleted by RFC 8288) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force G. Luff, Ed. 3 Internet-Draft 4 Intended status: Informational K. Zyp 5 Expires: August 5, 2013 SitePen (USA) 6 G. Court 7 February 1, 2013 9 JSON Hyper-Schema: Hypertext definitions for JSON Schema 10 draft-luff-json-hyper-schema-00 12 Abstract 14 JSON Schema is a JSON based format for defining the structure of JSON 15 data. This document specifies hyperlink- and hypermedia-related 16 keywords of JSON Schema. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on August 5, 2013. 35 Copyright Notice 37 Copyright (c) 2013 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. Conventions and Terminology . . . . . . . . . . . . . . . . . 3 54 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 3.1. Design Considerations . . . . . . . . . . . . . . . . . . 5 56 4. Schema keywords . . . . . . . . . . . . . . . . . . . . . . . 5 57 4.1. links . . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 4.1.1. Multiple links per URI . . . . . . . . . . . . . . . . 6 59 4.2. fragmentResolution . . . . . . . . . . . . . . . . . . . . 8 60 4.2.1. json-pointer fragment resolution . . . . . . . . . . . 8 61 4.3. media . . . . . . . . . . . . . . . . . . . . . . . . . . 8 62 4.3.1. Properties of "media" . . . . . . . . . . . . . . . . 9 63 4.3.2. Example . . . . . . . . . . . . . . . . . . . . . . . 9 64 4.4. readOnly . . . . . . . . . . . . . . . . . . . . . . . . . 10 65 4.5. pathStart . . . . . . . . . . . . . . . . . . . . . . . . 10 66 5. Link Description Object . . . . . . . . . . . . . . . . . . . 10 67 5.1. href . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 68 5.1.1. URI Templating . . . . . . . . . . . . . . . . . . . . 11 69 5.2. rel . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 70 5.2.1. Fragment resolution with "root" links . . . . . . . . 16 71 5.2.2. Security Considerations for "self" links . . . . . . . 17 72 5.3. title . . . . . . . . . . . . . . . . . . . . . . . . . . 18 73 5.4. targetSchema . . . . . . . . . . . . . . . . . . . . . . . 18 74 5.4.1. Security Considerations for "targetSchema" . . . . . . 19 75 5.5. mediaType . . . . . . . . . . . . . . . . . . . . . . . . 20 76 5.5.1. Security concerns for "mediaType" . . . . . . . . . . 21 77 5.6. Submission Link Properties . . . . . . . . . . . . . . . . 22 78 5.6.1. method . . . . . . . . . . . . . . . . . . . . . . . . 22 79 5.6.2. encType . . . . . . . . . . . . . . . . . . . . . . . 22 80 5.6.3. schema . . . . . . . . . . . . . . . . . . . . . . . . 23 81 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 82 6.1. Registry of Link Relations . . . . . . . . . . . . . . . . 23 83 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 84 7.1. Normative References . . . . . . . . . . . . . . . . . . . 24 85 7.2. Informative References . . . . . . . . . . . . . . . . . . 24 86 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 25 88 1. Introduction 90 JSON Schema is a JSON based format for defining the structure of JSON 91 data. This document specifies hyperlink- and hypermedia-related 92 keywords of JSON Schema. 94 The term JSON Hyper-Schema is used to refer to a JSON Schema that 95 uses these keywords. 97 This specification will use the terminology defined by the JSON 98 Schema core specification [json-schema-core]. It is advised that 99 readers have a copy of this specification. 101 2. Conventions and Terminology 103 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 104 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 105 document are to be interpreted as described in RFC 2119 [RFC2119]. 107 The terms "schema", "instance", "property" and "item" are to be 108 interpreted as defined in the JSON Schema core specification 109 [json-schema-core]. 111 3. Overview 113 This document describes how JSON Schema can be used to define 114 hyperlinks on instance data. It also defines how to provide 115 additional information required to interpret JSON data as rich 116 multimedia documents. 118 Just as with the core JSON schema keywords, all the keywords 119 described in the "Schema Keywords" section are optional. 121 Here is an example JSON Schema defining hyperlinks, and providing a 122 multimedia interpretation for the "imgData" property: 124 { 125 "title": "Written Article", 126 "type": "object", 127 "properties": { 128 "id": { 129 "title": "Article Identifier", 130 "type": "number" 131 }, 132 "title": { 133 "title": "Article Title", 134 "type": "string" 135 }, 136 "authorId": { 137 "type": "integer" 138 }, 139 "imgData": { 140 "title": "Article Illustration (small)", 141 "type": "string", 142 "media": { 143 "binaryEncoding": "base64", 144 "type": "image/png" 145 } 146 } 147 }, 148 "required" : ["id", "title", "authorId"], 149 "links": [ 150 { 151 "rel": "full", 152 "href": "{id}" 153 }, 154 { 155 "rel": "author", 156 "href": "/user?id={authorId}" 157 } 158 ] 159 } 161 This example schema defines the properties of the instance. For the 162 "imgData" property, it specifies that that it should be base64- 163 decoded and the resulting binary data treated as a PNG image. It 164 also defines link relations for the instance, with URIs incorporating 165 values from the instance. 167 An example of a JSON instance described by the above schema might be: 169 { 170 "id": 15, 171 "title": "Example data", 172 "authorId": 105, 173 "imgData": "iVBORw...kJggg==" 174 } 176 The base-64 data has been abbreviated for readability. 178 3.1. Design Considerations 180 The purpose of this document is to define keywords for the JSON 181 Schema that allow JSON data to be understood as hyper-text. 183 JSON data on its own requires special knowledge from the client about 184 the format in order to be interpretable as hyper-text. This document 185 proposes a way to describe the hyper-text and hyper-media 186 interpretation of such JSON formats, without defining reserved 187 keywords or otherwise restricting the structure of the JSON data. 189 4. Schema keywords 191 4.1. links 193 The "links" property of schemas is used to associate Link Description 194 Objects with instances. The value of this property MUST be an array, 195 and the items in the array must be Link Description Objects, as 196 defined below. 198 An example schema using the "links" keyword could be: 200 { 201 "title": "Schema defining links", 202 "links": [ 203 { 204 "rel": "full", 205 "href": "{id}" 206 }, 207 { 208 "rel": "parent", 209 "href": "{parent}" 210 } 211 ] 212 } 214 4.1.1. Multiple links per URI 216 A single URI might have more than one role with relation to an 217 instance. This is not a problem - the same URI can be used in more 218 than one Link Description Object. 220 For example, this schema describes a format for blog posts, accessed 221 via HTTP. The links describe how to access the comments for the 222 post, how to search the comments, and how to submit new comments, all 223 with the same URI: 225 { 226 "title": "News post", 227 ... 228 "links": [ 229 { 230 "rel": "comments", 231 "href": "/{id}/comments" 232 }, 233 { 234 "rel": "search", 235 "href": "/{id}/comments", 236 "schema": { 237 "type": "object", 238 "properties": { 239 "searchTerm": { 240 "type": "string" 241 }, 242 "itemsPerPage": { 243 "type": "integer", 244 "minimum": 10, 245 "multipleOf": 10, 246 "default": 20 247 } 248 }, 249 "required": ["searchTerm"] 250 } 251 }, 252 { 253 "title": "Post a comment", 254 "rel": "create", 255 "href": "/{id}/comments", 256 "method": "POST", 257 "schema": { 258 "type": "object", 259 "properties": { 260 "message": { 261 "type": "string" 262 } 263 }, 264 "required": ["message"] 265 } 266 } 267 ] 269 } 271 If the client follows the first link, the URI might be expanded to 272 "/15/comments". For the second link, the method is "GET" (the 273 default for HTTP) so a client following this link would add the 274 parameters to the URL to produce something like: "/15/ 275 comments?searchTerm=JSON&itemsPerPage=50". The third link defines a 276 possible interaction where a client would POST to a URI (such as 277 "/15/comments"), where the post-data was a JSON representation of the 278 new comment, for example: 280 { 281 "message": "This is an example comment" 282 } 284 4.2. fragmentResolution 286 When addressing a JSON document, the fragment part of the URI may be 287 used to refer to a particular instance within the document. 289 This keyword indicates the method to use for finding the appropriate 290 instance within a document, given the fragment part. The default 291 fragment resolution protocol is "json-pointer", which is defined 292 below. Other fragment resolution protocols MAY be used, but are not 293 defined in this document. 295 If the instance is described by a schema providing the a link with 296 "root" relation, or such a link is provided in using the HTTP Link 297 header [RFC5988], then the target of the "root" link should be 298 considered the document root for the purposes of all fragment 299 resolution methods that use the document structure (such as "json- 300 pointer"). The only exception to this is the resolution of "root" 301 links themselves. 303 4.2.1. json-pointer fragment resolution 305 The "json-pointer" fragment resolution protocol uses a JSON Pointer 306 [json-pointer] to resolve fragment identifiers in URIs within 307 instance representations. 309 4.3. media 311 The "media" property indicates that this instance contains non-JSON 312 data encoded in a JSON string. It describes the type of content and 313 how it is encoded. 315 The value of this property MUST be an object, and SHOULD be ignored 316 for any instance that is not a string. 318 4.3.1. Properties of "media" 320 The value of the "media" keyword MAY contain any of the following 321 properties: 323 4.3.1.1. binaryEncoding 325 If the instance value is a string, this property defines that the 326 string SHOULD be interpreted as binary data and decoded using the 327 encoding named by this property. RFC 2045, Sec 6.1 [RFC2045] lists 328 the possible values for this property. 330 4.3.1.2. type 332 The value of this property must be a media type, as defined by RFC 333 2046 [RFC2046]. This property defines the media type of instances 334 which this schema defines. 336 If the "binaryEncoding" property is not set, but the instance value 337 is a string, then the value of this property SHOULD specify a text 338 document type, and the character set SHOULD be the character set into 339 which the JSON string value was decoded (for which the default is 340 Unicode). 342 4.3.2. Example 344 Here is an example schema, illustrating the use of "media": 346 { 347 "type": "string", 348 "media": { 349 "binaryEncoding": "base64", 350 "type": "image/png" 351 } 352 } 354 Instances described by this schema should be strings, and their 355 values should be interpretable as base64-encoded PNG images. 357 Another example: 359 { 360 "type": "string", 361 "media": { 362 "mediaType": "text/html" 363 } 364 } 366 Instances described by this schema should be strings containing HTML, 367 using whatever character set the JSON string was decoded into 368 (default is Unicode). 370 4.4. readOnly 372 If it has a value of boolean true, this keyword indicates that the 373 instance property SHOULD NOT be changed, and attempts by a user agent 374 to modify the value of this property are expected to be rejected by a 375 server. 377 The value of this keyword MUST be a boolean. The default value is 378 false. 380 4.5. pathStart 382 This property is a URI that defines what the instance's URI MUST 383 start with in order to validate. The value of the "pathStart" 384 property MUST be resolved relative to the closest URI Resolution 385 Scope (as defined in the JSON Schema core specification 386 [json-schema-core]), using the rules from RFC 3986, Sec 5 [RFC3986]. 388 When multiple schemas have been referenced for an instance, the user 389 agent can determine if this schema is applicable for a particular 390 instance by determining if the URI of the instance begins with the 391 the value of the "pathStart" property. If the URI of the instance 392 does not start with this URI, or if another schema specifies a 393 starting URI that is longer and also matches the instance, this 394 schema SHOULD NOT be considered to describe the instance. Any schema 395 that does not have a pathStart property SHOULD be considered 396 applicable to all the instances for which it is referenced. 398 5. Link Description Object 400 A Link Description Object (LDO) is used to describe a single link 401 relation. In the context of a schema, it defines the link relations 402 of the instances of the schema, and can be parameterized by the 403 instance values. A Link Description Object (LDO) must be an object. 405 The link description format can be used without JSON Schema, and use 406 of this format can be declared by referencing the normative link 407 description schema as the schema for the data structure that uses the 408 links. The URI of the normative link description schema is: 409 http://json-schema.org/links (latest version) or 410 http://json-schema.org/draft-04/links (draft-04 version). 412 "Form"-like functionality can be defined by use of the "schema" 413 keyword, which supplies a schema describing the data to supply to the 414 server. 416 5.1. href 418 The value of the "href" link description property is a template used 419 to determine the target URI of the related resource. The value of 420 the instance property SHOULD be resolved as a URI-Reference per RFC 421 3986 [RFC3986] and MAY be a relative reference to a URI. The base 422 URI to be used for relative URI resolution SHOULD be the URI used to 423 retrieve the instance object (not the schema). 425 The base URI to be used for relative URI resolution SHOULD is defined 426 as follows: 428 if the data has a link defined, with a relation of "self", then 429 the "href" value of that link is used, unless the relation of the 430 link being resolved is also "self" 432 otherwise, the URI should be resolved against the link with 433 relation "self" belonging to the closest parent node in the JSON 434 document, if it exists 436 otherwise, the URI used to fetch the document should be used. 438 This property is not optional. 440 5.1.1. URI Templating 442 The value of "href" is to be used as a URI Template, as defined in 443 RFC 6570 [RFC6570]. However, some special considerations apply: 445 5.1.1.1. Pre-processing 447 The URI Template specification [RFC6570] restricts the set of 448 characters available for variable names. Property names in JSON, 449 however, can be any UTF-8 string. 451 To allow the use of any JSON property name in the template, before 452 using the value of "href" as a URI Template, the following pre- 453 processing rules MUST be applied, in order: 455 5.1.1.1.1. Bracket escaping 457 The purpose of this step is to allow the use of brackets to percent- 458 encode variable names inside curly brackets. Variable names to be 459 escaped are enclosed within rounded brackets, with the close-rounded- 460 bracket character ")" being escaped as a pair of close-rounded- 461 brackets "))". Since the empty string is not a valid variable name 462 in RFC 6570, an empty pair of brackets is replaced with "%65mpty". 464 The rules are as follows: 466 Find the largest possible sections of the text such that: 468 do not contain an odd number of close-rounded-bracket characters 469 ")" in sequence in that section of the text 471 are surrounded by a pair of rounded brackets: ( ), where 473 the surrounding rounded brackets are themselves contained within a 474 pair of curly brackets: { } 476 Each of these sections of the text (including the surrounding rounded 477 brackets) MUST be replaced, according to the following rules: 479 If the brackets contained no text (the empty string), then they 480 are replaced with "%65mpty" (which is "empty" with a percent- 481 encoded "e") 483 Otherwise, the enclosing brackets are removed, and the inner text 484 used after the following modifications 486 all pairs of close-brackets "))" are replaced with a single 487 close bracket 489 after that, the text is replaced with its percent-encoded 490 equivalent, such that the result is a valid RFC 6570 variable 491 name (note that this requires encoding characters such as "*" 492 and "!") 494 5.1.1.1.2. Replacing $ 496 After the above substitutions, if the character "$" (dollar sign) 497 appears within a pair of curly brackets, then it MUST be replaced 498 with the text "%73elf" (which is "self" with a percent-encoded "s"). 500 The purpose of this stage is to allow the use of the instance value 501 itself (instead of its object properties or array items) in the URI 502 Template, by the special value "%73elf". 504 5.1.1.1.3. Choice of special-case values 506 The special-case values of "%73elf" and "%65mpty" were chosen because 507 they are unlikely to be accidentally generated by either a human or 508 automated escaping. 510 5.1.1.1.4. Examples 512 For example, here are some possible values for "href", followed by 513 the results after pre-processing: 515 Input Output 516 ----------------------------------------- 517 "no change" "no change" 518 "(no change)" "(no change)" 519 "{(escape space)}" "{escape%20space}" 520 "{(escape+plus)}" "{escape%2Bplus}" 521 "{(escape*asterisk)}" "{escape%2Aasterisk}" 522 "{(escape(bracket)}" "{escape%28bracket}" 523 "{(escape))bracket)}" "{escape%29bracket}" 524 "{(a))b)}" "{a%29b} 525 "{(a (b)))}" "{a%20%28b%29} 526 "{()}" "{%65mpty} 527 "{+$*}" "{+%73elf*} 528 "{+($)*}" "{+%24*} 530 Note that in the final example, because the "+" was outside the 531 brackets, it remained unescaped, whereas in the fourth example the 532 "+" was escaped. 534 5.1.1.2. Values for substitution 536 After pre-processing, the URI Template is filled out using data from 537 the instance. To allow the use of any object property (including the 538 empty string), array index, or the instance value itself, the 539 following rules are defined: 541 For a given variable name in the URI Template, the value to use is 542 determined as follows: 544 If the variable name is "%73elf", then the instance value itself 545 MUST be used. 547 If the variable name is "%65mpty", then the instances's empty- 548 string ("") property MUST be used (if it exists). 550 If the instance is an array, and the variable name is a 551 representation of a non-negative integer, then the value at the 552 corresponding array index MUST be used (if it exists). 554 Otherwise, the variable name should be percent-decoded, and the 555 corresponding object property MUST be used (if it exists). 557 5.1.1.2.1. Converting to strings 559 When any value referenced by the URI template is null, a boolean or a 560 number, then it should first be converted into a string as follows: 562 null values SHOULD be replaced by the text "null" 564 boolean values SHOULD be replaced by their lower-case equivalents: 565 "true" or "false" 567 numbers SHOULD be replaced with their original JSON 568 representation. 570 In some software environments the original JSON representation of a 571 number will not be available (there is no way to tell the difference 572 between 1.0 and 1), so any reasonable representation should be used. 573 Schema and API authors should bear this in mind, and use other types 574 (such as string or boolean) if the exact representation is important. 576 5.1.1.3. Missing values 578 Sometimes, the appropriate values will not be available. For 579 example, the template might specify the use of object properties, but 580 the instance is an array or a string. 582 If any of the values required for the template are not present in the 583 JSON instance, then substitute values MAY be provided from another 584 source (such as default values). Otherwise, the link definition 585 SHOULD be considered not to apply to the instance. 587 5.2. rel 589 The value of the "rel" property indicates the name of the relation to 590 the target resource. This property is not optional. 592 The relation to the target SHOULD be interpreted as specifically from 593 the instance object that the schema (or sub-schema) applies to, not 594 just the top level resource that contains the object within its 595 hierarchy. A link relation from the top level resource to a target 596 MUST be indicated with the schema describing the top level JSON 597 representation. 599 Relationship definitions SHOULD NOT be media type dependent, and 600 users are encouraged to utilize existing accepted relation 601 definitions, including those in existing relation registries (see RFC 602 4287 [RFC4287]). However, we define these relations here for clarity 603 of normative interpretation within the context of JSON Schema defined 604 relations: 606 self If the relation value is "self", when this property is 607 encountered in the instance object, the object represents a 608 resource and the instance object is treated as a full 609 representation of the target resource identified by the specified 610 URI. 612 full This indicates that the target of the link is the full 613 representation for the instance object. The instance that 614 contains this link may not be the full representation. 616 describedBy This indicates the target of the link is a schema 617 describing the instance object. This MAY be used to specifically 618 denote the schemas of objects within a JSON object hierarchy, 619 facilitating polymorphic type data structures. 621 root This relation indicates that the target of the link SHOULD be 622 treated as the root or the body of the representation for the 623 purposes of user agent interaction or fragment resolution. All 624 other data in the document can be regarded as meta-data for the 625 document. The URI of this link MUST refer to a location within 626 the instance document, otherwise the link MUST be ignored. 628 The following relations are applicable for schemas (the schema as the 629 "from" resource in the relation) if they require no parameterization 630 with data from the instance: 632 instances This indicates the target resource that represents a 633 collection of instances of a schema. 635 create This indicates a target to use for creating new instances of 636 a schema. This link definition SHOULD be a submission link with a 637 non-safe method (like POST). 639 For example, if a schema is defined: 641 { 642 "links": [{ 643 "rel": "self", 644 "href": "{id}" 645 }, { 646 "rel": "up", 647 "href": "{upId}" 648 }, { 649 "rel": "children", 650 "href": "?upId={id}" 651 }] 652 } 654 And if a collection of instance resources were retrieved with JSON 655 representation: 657 GET /Resource/ 659 [{ 660 "id": "thing", 661 "upId": "parent" 662 }, { 663 "id": "thing2", 664 "upId": "parent" 665 }] 667 This would indicate that for the first item in the collection, its 668 own (self) URI would resolve to "/Resource/thing" and the first 669 item's "up" relation SHOULD be resolved to the resource at 670 "/Resource/parent". The "children" collection would be located at 671 "/Resource/?upId=thing". 673 Note that these relationship values are case-insensitive, consistent 674 with their use in HTML and the HTTP Link header [RFC5988]. 676 5.2.1. Fragment resolution with "root" links 678 The presence of a link with relation "root" alters what the root of 679 the document is considered to be. For fragment resolution methods 680 (such as JSON Pointer fragments) that navigate through the document, 681 the target of the "root" link should be the starting point for such 682 methods. 684 The only exception is "root" links themselves. When calculating the 685 target of links with relation "root", existing "root" links MUST NOT 686 be taken into consideration. 688 For example, say we have the following schema: 690 { 691 "links": [{ 692 "rel": "root", 693 "href": "#/myRootData" 694 }] 695 } 697 And the following data, returned from the URI: 698 "http://example.com/data/12345": 700 { 701 "myRootData": { 702 "title": "Document title" 703 }, 704 "metaData": { 705 ... 706 } 707 } 709 To correctly resolve the URL "http://example.com/data/12345", we must 710 take the "root" link into account. Here are some example URIs, along 711 with the data they would resolve to: 713 URI Data 714 ----------------------------------------------------------------------- 715 http://example.com/data/12345 {"title": "Document title"} 716 http://example.com/data/12345#/title "Document title" 718 5.2.2. Security Considerations for "self" links 720 When link relation of "self" is used to denote a full representation 721 of an object, the user agent SHOULD NOT consider the representation 722 to be the authoritative representation of the resource denoted by the 723 target URI if the target URI is not equivalent to or a sub-path of 724 the the URI used to request the resource representation which 725 contains the target URI with the "self" link. 727 For example, if a hyper schema was defined: 729 { 730 "links": [{ 731 "rel": "self", 732 "href": "{id}" 733 }] 734 } 736 And a resource was requested from somesite.com: 738 GET /foo/ 740 With a response of: 742 Content-Type: application/json; profile=/schema-for-this-data 744 [{ 745 "id": "bar", 746 "name": "This representation can be safely treated \ 747 as authoritative " 748 }, { 749 "id": "/baz", 750 "name": "This representation should not be treated as \ 751 authoritative the user agent should make request the resource\ 752 from '/baz' to ensure it has the authoritative representation" 753 }, { 754 "id": "http://othersite.com/something", 755 "name": "This representation\ 756 should also not be treated as authoritative and the target\ 757 resource representation should be retrieved for the\ 758 authoritative representation" 759 }] 761 5.3. title 763 This property defines a title for the link. The value must be a 764 string. 766 User agents MAY use this title when presenting the link to the user. 768 5.4. targetSchema 770 This property value is advisory only, and is a schema that defines 771 the expected structure of the JSON representation of the target of 772 the link, if the target of the link is returned using JSON 773 representation. 775 5.4.1. Security Considerations for "targetSchema" 777 This property has similar security concerns to that of "mediaType". 778 Clients MUST NOT use the value of this property to aid in the 779 interpretation of the data received in response to following the 780 link, as this leaves "safe" data open to re-interpretation. 782 For example, suppose two programmers are having a discussion about 783 web security using a text-only message board. Here is some data from 784 that conversation, with a URI of: 785 http://forum.example.com/topics/152/comments/13 787 { 788 "topicId": 152, 789 "commentId": 13, 790 "from": { 791 "name": "Jane", 792 "id": 5 793 }, 794 "to": { 795 "name": "Jason", 796 "id": 8 797 }, 798 "message": "It's easy, you just add some HTML like 799 this: " 800 } 802 The message string was split over two lines for readability. 804 A third party might then write provide the following Link Description 805 Object at another location: 807 { 808 "rel": "evil-attack", 809 "href": "http://forum.example.com/topics/152/comments/13", 810 "targetSchema": { 811 "properties": { 812 "message": { 813 "description": "Re-interpret the message text as HTML", 814 "media": { 815 "type": "text/html" 816 } 817 } 818 } 819 } 820 } 822 If the client used this "targetSchema" value when interpreting the 823 above data, then it might display the contents of "message" as HTML. 824 At this point, the JavaScript embedded in the message might be 825 executed (in the context of the "forum.example.com" domain). 827 5.5. mediaType 829 The value of this property is advisory only, and represents the media 830 type RFC 2046 [RFC2046], that is expected to be returned when 831 fetching this resource. This property value MAY be a media range 832 instead, using the same pattern defined in RFC 2161, section 14.1 - 833 HTTP "Accept" header [RFC2616]. 835 This property is analogous to the "type" property of elements in 836 HTML (advisory content type), or the "type" parameter in the HTTP 837 Link header [RFC5988]. User agents MAY use this information to 838 inform the interface they present to the user before the link is 839 followed, but this information MUST NOT use this information in the 840 interpretation of the resulting data. When deciding how to interpret 841 data obtained through following this link, the behaviour of user 842 agents MUST be identical regardless of the value of the this 843 property. 845 If this property's value is specified, and the link's target is to be 846 obtained using any protocol that supports the HTTP/1.1 "Accept" 847 header RFC 2616, section 14.1 [RFC2616], then user agents MAY use the 848 value of this property to aid in the assembly of that header when 849 making the request to the server. 851 If this property's value is not specified, then the value should be 852 taken to be "application/json". 854 For example, if a schema is defined: 856 { 857 "links": [{ 858 "rel": "self", 859 "href": "/{id}/json" 860 }, { 861 "rel": "alternate", 862 "href": "/{id}/html", 863 "mediaType": "text/html" 864 }, { 865 "rel": "alternate", 866 "href": "/{id}/rss", 867 "mediaType": "application/rss+xml" 868 }, { 869 "rel": "icon", 870 "href": "{id}/icon", 871 "mediaType": "image/*" 872 }] 873 } 875 A suitable instance described by this schema would have four links 876 defined. The link with a "rel" value of "self" would have an 877 expected MIME type of "application/json" (the default). The two 878 links with a "rel" value of "alternate" specify the locations of HTML 879 and RSS versions of the current item. The link with a "rel" value of 880 "icon" links to an image, but does not specify the exact format. 882 A visual user agent displaying the item from the above example might 883 present a button representing an RSS feed, which when pressed passes 884 the target URI (calculated "href" value) to an view more suited to 885 displaying it, such as a news feed aggregator tab. 887 Note that presenting the link in the above manner, or passing the URI 888 to a news feed aggregator view does not constitute interpretation of 889 the data, but an interpretation of the link. The interpretation of 890 the data itself is performed by the news feed aggregator, which 891 SHOULD reject any data that would not have also been interpreted as a 892 news feed, had it been displayed in the main view. 894 5.5.1. Security concerns for "mediaType" 896 The "mediaType" property in link definitions defines the expected 897 format of the link's target. However, this is advisory only, and 898 MUST NOT be considered authoritative. 900 When choosing how to interpret data, the type information provided by 901 the server (or inferred from the filename, or any other usual method) 902 MUST be the only consideration, and the "mediaType" property of the 903 link MUST NOT be used. User agents MAY use this information to 904 determine how they represent the link or where to display it (for 905 example hover-text, opening in a new tab). If user agents decide to 906 pass the link to an external program, they SHOULD first verify that 907 the data is of a type that would normally be passed to that external 908 program. 910 This is to guard against re-interpretation of "safe" data, similar to 911 the precautions for "targetSchema". 913 5.6. Submission Link Properties 915 The following properties also apply to Link Description Objects, and 916 provide functionality analogous to HTML forms, in providing a means 917 for submitting extra (often user supplied) information to send to a 918 server. 920 5.6.1. method 922 This property defines which method can be used to access the target 923 resource. In an HTTP environment, this might be "GET" or "POST" (or 924 other HTTP methods). 926 Some link relation values imply a set of appropriate HTTP methods to 927 be used for the link. For example, a client might assume that a link 928 with a relation of "edit" can be used in conjuction with the "PUT" 929 HTTP method. If the client does not know which methods might be 930 appropriate, then this SHOULD default to "GET". 932 5.6.2. encType 934 If present, this property indicates a query media type format that 935 the server supports for querying or posting to the collection of 936 instances at the target resource. The query can be suffixed to the 937 target URI to query the collection with property-based constraints on 938 the resources that SHOULD be returned from the server or used to post 939 data to the resource (depending on the method). 941 For example, with the following schema: 943 { 944 "links": [{ 945 "encType": "application/x-www-form-urlencoded", 946 "method": "GET", 947 "href": "/Product/", 948 "properties": { 949 "name": { 950 "description": "name of the product" 951 } 952 } 953 }] 954 } 956 This indicates that the client can query the server for instances 957 that have a specific name. 959 For example: 961 /Product/?name=Slinky 963 If no encType or method is specified, only the single URI specified 964 by the href property is defined. If the method is POST, 965 "application/json" is the default media type. 967 5.6.3. schema 969 This property contains a schema which defines the acceptable 970 structure of the submitted request. For a GET request, this schema 971 would define the properties for the query string and for a POST 972 request, this would define the body. 974 Note that this is separate from the URI templating of "href" (which 975 uses data from the instance, not submitted by the user). It is also 976 separate from the "targetSchema" property, which provides a schema 977 for the data that the client should expect to be returned when they 978 follow the link. 980 6. IANA Considerations 982 6.1. Registry of Link Relations 984 This registry is maintained by IANA per RFC 4287 [RFC4287] and this 985 specification adds four values: "full", "create", "instances", 986 "root". New assignments are subject to IESG Approval, as outlined in 987 RFC 5226 [RFC5226]. Requests should be made by email to IANA, which 988 will then forward the request to the IESG, requesting approval. 990 7. References 992 7.1. Normative References 994 [RFC2045] Freed, N. and N. Borenstein, 995 "Multipurpose Internet Mail Extensions 996 (MIME) Part One: Format of Internet 997 Message Bodies", RFC 2045, November 1996. 999 [RFC2119] Bradner, S., "Key words for use in RFCs 1000 to Indicate Requirement Levels", BCP 14, 1001 RFC 2119, March 1997. 1003 [RFC3986] Berners-Lee, T., Fielding, R., and L. 1004 Masinter, "Uniform Resource Identifier 1005 (URI): Generic Syntax", STD 66, RFC 3986, 1006 January 2005. 1008 [RFC4287] Nottingham, M., Ed. and R. Sayre, Ed., 1009 "The Atom Syndication Format", RFC 4287, 1010 December 2005. 1012 [RFC6570] Gregorio, J., Fielding, R., Hadley, M., 1013 Nottingham, M., and D. Orchard, "URI 1014 Template", RFC 6570, March 2012. 1016 [json-pointer] Bryan, P., Zyp, K., and M. Nottingham, 1017 "JSON Pointer", August 2012, . 1021 [json-schema-core] Galiegue, F., Zyp, K., and G. Court, 1022 "JSON Schema: core definitions and 1023 terminology", 2013, . 1027 7.2. Informative References 1029 [RFC2616] Fielding, R., Gettys, J., Mogul, J., 1030 Frystyk, H., Masinter, L., Leach, P., and 1031 T. Berners-Lee, "Hypertext Transfer 1032 Protocol -- HTTP/1.1", RFC 2616, 1033 June 1999. 1035 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines 1036 for Writing an IANA Considerations 1037 Section in RFCs", BCP 26, RFC 5226, 1038 May 2008. 1040 [RFC2046] Freed, N. and N. Borenstein, 1041 "Multipurpose Internet Mail Extensions 1042 (MIME) Part Two: Media Types", RFC 2046, 1043 November 1996. 1045 [RFC5988] Nottingham, M., "Web Linking", RFC 5988, 1046 October 2010. 1048 [W3C.REC-html401-19991224] Hors, A., Raggett, D., and I. Jacobs, 1049 "HTML 4.01 Specification", World Wide Web 1050 Consortium Recommendation REC-html401- 1051 19991224, December 1999, . 1054 Appendix A. Change Log 1056 draft-04 1058 * Resolution of link URIs ("href") is now affected by rel="self" 1059 links on the instance 1061 * Define "title" for LDOs 1063 * Use URI Templates for the "href" property 1065 * Split hyper-schema definition out from main schema. 1067 * Capitalised the T in "encType", and the O in "readOnly" 1069 * Moved "mediaType" and "contentEncoding" to the new "media" 1070 property (renamed "type" and "binaryEncoding") 1072 * Added "mediaType" property to LDOs 1074 * Replaced "slash-delimited" fragment resolution with "json- 1075 pointer". 1077 * Added "template" LDO attribute. 1079 * Improved wording of sections. 1081 * Added example and verbiage to "extends" attribute. 1083 * Defined slash-delimited to use a leading slash. 1085 * Made "root" a relation instead of an attribute. 1087 * Removed address values, and MIME media type from format to 1088 reduce confusion (mediaType already exists, so it can be used 1089 for MIME types). 1091 * Added more explanation of nullability. 1093 * Removed "alternate" attribute. 1095 * Upper cased many normative usages of must, may, and should. 1097 * Replaced the link submission "properties" attribute to "schema" 1098 attribute. 1100 * Replaced "optional" attribute with "required" attribute. 1102 * Replaced "maximumCanEqual" attribute with "exclusiveMaximum" 1103 attribute. 1105 * Replaced "minimumCanEqual" attribute with "exclusiveMinimum" 1106 attribute. 1108 * Replaced "requires" attribute with "dependencies" attribute. 1110 * Moved "contentEncoding" attribute to hyper schema. 1112 * Added "additionalItems" attribute. 1114 * Added "id" attribute. 1116 * Switched self-referencing variable substitution from "-this" to 1117 "@" to align with reserved characters in URI template. 1119 * Added "patternProperties" attribute. 1121 * Schema URIs are now namespace versioned. 1123 * Added "$ref" and "$schema" attributes. 1125 * Replaced "maxDecimal" attribute with "divisibleBy" attribute. 1127 * Added slash-delimited fragment resolution protocol and made it 1128 the default. 1130 * Added language about using links outside of schemas by 1131 referencing its normative URI. 1133 * Added "uniqueItems" attribute. 1135 * Added "targetSchema" attribute to link description object. 1137 draft-01 1139 * Fixed category and updates from template. 1141 draft-00 1143 * Initial draft. 1145 Authors' Addresses 1147 Geraint Luff (editor) 1148 Cambridge 1149 UK 1151 EMail: luffgd@gmail.com 1153 Kris Zyp 1154 SitePen (USA) 1155 530 Lytton Avenue 1156 Palo Alto, CA 94301 1157 USA 1159 Phone: +1 650 968 8787 1160 EMail: kris@sitepen.com 1162 Gary Court 1163 Calgary, AB 1164 Canada 1166 EMail: gary.court@gmail.com