Internet Engineering Task Force                               H. Salgado
Internet-Draft                                                 NIC Chile
Intended status: Informational                               May 8, 2017
Expires: November 9, 2017

                   The "hxxp" and "hxxps" URI Schemes
                         draft-salgado-hxxp-01

Abstract

   This document describes the "hxxp" and "hxxps" URI schemes, which are
   widely used by the security community to obfuscate an http or https
   URI so that it is not accidentally interpreted and loaded by a web
   browser or user-agent.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 9, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  URI Scheme Specification
     2.1.  URI Scheme Syntax
     2.2.  URI Scheme Semantics
     2.3.  Encoding Considerations
   3.  Acknowledgements
   4.  IANA Considerations
     4.1.  URI Scheme Registration
   5.  Security Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Author's Address

1.  Introduction

   This document describes the "hxxp" and "hxxps" URI schemes, which are
   widely used by the security community to obfuscate an http or https
   URI so that it is not accidentally interpreted and loaded by a web
   browser or user-agent.

   These schemes are used when the resource is dangerous and there are
   security risks in its being processed automatically by an
   application, such as a pre-loading mechanism in a web user agent.
   They also prevent the creation of "clickable" areas in user
   interfaces that detect http or https URIs automatically.

   The purpose of this registration is to document this use, prevent
   any future registration of these schemes, explicitly recommend that
   web application developers never act on these URI schemes in any
   way, and provide a safe method for the security community to share
   information about malicious resources.  These schemes must not be
   treated as http or https schemes, and must not be identified as web
   resources.  They are consumed only by humans and in documentation,
   and should be handled with caution by security professionals.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  URI Scheme Specification

2.1.  URI Scheme Syntax

   An "hxxp" URI syntactically conforms to the rule below, expressed
   using the Augmented Backus-Naur Form (ABNF) [RFC5234]:

      hxxp-uri      = "hxxp:" hxxp-token [ hxxp-query ] [ hxxp-fragment ]
      hxxp-token    = *pchar
      hxxp-query    = "?" query
      hxxp-fragment = "#" fragment
      pchar         = <as defined in RFC 3986 [RFC3986]>
      query         = <as defined in RFC 3986 [RFC3986]>
      fragment      = <as defined in RFC 3986 [RFC3986]>

   An "hxxps" URI syntactically conforms to the rule below, expressed
   using the Augmented Backus-Naur Form (ABNF) [RFC5234]:

      hxxps-uri      = "hxxps:" hxxps-token [ hxxps-query ] [ hxxps-fragment ]
      hxxps-token    = *pchar
      hxxps-query    = "?" query
      hxxps-fragment = "#" fragment
      pchar          = <as defined in RFC 3986 [RFC3986]>
      query          = <as defined in RFC 3986 [RFC3986]>
      fragment       = <as defined in RFC 3986 [RFC3986]>

2.2.  URI Scheme Semantics

   The resource that is referenced by a particular "hxxp" or "hxxps" URI
   is NOT meant to be interpreted or parsed in any way by applications
   or by any automated means.  The resource MUST be interpreted and
   consumed by human security professionals.

2.3.  Encoding Considerations

   "hxxp" and "hxxps" URIs are subject to the encoding rules defined in
   RFC 3986 [RFC3986].

3.  Acknowledgements

   The author acknowledges the suggestions and comments made by Fernando
   Gont and Harlan Lieberman-Berg on the first revision.

4.  IANA Considerations

4.1.  URI Scheme Registration

   The IANA is requested to register the "hxxp" and "hxxps" URI schemes
   in the "Provisional URI Schemes" registry.  The information below is
   provided according to the guidelines of RFC 7595 [RFC7595]:

   -----

   Scheme name: hxxp

   Status: Provisional

   Applications/protocols that use this scheme name: "hxxp" URIs are
   forbidden for use by applications.

   Contact: Hugo Salgado

   Change controller: Hugo Salgado

   References: "The "hxxp" and "hxxps" URI Schemes", Internet-Draft,
   https://datatracker.ietf.org/doc/draft-salgado-hxxp/

   -----

   -----

   Scheme name: hxxps

   Status: Provisional

   Applications/protocols that use this scheme name: "hxxps" URIs are
   forbidden for use by applications.

   Contact: Hugo Salgado

   Change controller: Hugo Salgado

   References: "The "hxxp" and "hxxps" URI Schemes", Internet-Draft,
   https://datatracker.ietf.org/doc/draft-salgado-hxxp/

   -----
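   The following Python is an added example and is not part of the
   draft: it splits an "hxxp"/"hxxps" URI into the parts named by the
   ABNF in Section 2.1 (pchar, query and fragment character classes
   taken from RFC 3986) and shows a text-to-HTML linkifier that, as
   Section 5 recommends, makes only http/https URIs clickable and
   leaves these schemes as inert text.  The allowance of "/" inside the
   token, and the names parse_hxxp and linkify, are this example's own
   assumptions, not the draft's.

```python
import re
from html import escape

# Character classes from RFC 3986, which the draft's ABNF imports:
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"
QCHAR = rf"(?:{PCHAR}|[/?])"        # query / fragment also allow "/" and "?"

# Assumption of this example: the token part also admits "/", so the
# customary "hxxp://host/path" form is accepted.  The draft's literal
# "*pchar" rule does not include "/".
HXXP_URI = re.compile(
    rf"(?P<scheme>hxxps?):(?P<token>(?:{PCHAR}|/)*)"
    rf"(?:\?(?P<query>{QCHAR}*))?(?:#(?P<fragment>{QCHAR}*))?",
    re.IGNORECASE)

def parse_hxxp(uri):
    """Split an hxxp/hxxps URI into its ABNF parts, or return None.

    The result is for display and documentation only; nothing here
    turns the value back into a loadable http(s) URI.
    """
    m = HXXP_URI.fullmatch(uri)
    if not m:
        return None
    return {k: m.group(k) for k in ("scheme", "token", "query", "fragment")}

LIVE_URI = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANY_URI = re.compile(r"h(?:xx|tt)ps?:[^\s<>\"']+", re.IGNORECASE)

def linkify(text):
    """Render text as HTML, making only http/https URIs clickable.

    hxxp/hxxps URIs are emitted as escaped text, never as <a href>,
    which is what Section 5 asks application developers to ensure.
    """
    out, pos = [], 0
    for m in ANY_URI.finditer(text):
        out.append(escape(text[pos:m.start()]))
        uri = m.group(0)
        if LIVE_URI.fullmatch(uri):
            out.append(f'<a href="{escape(uri, quote=True)}">{escape(uri)}</a>')
        else:
            out.append(escape(uri))       # defanged scheme: stays inert text
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out)
```

   The sample URIs in the tests use constructed hostnames.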
5.  Security Considerations

   As stated in the Introduction, the "hxxp" and "hxxps" schemes are
   forbidden to be used or interpreted by applications.  These schemes
   must be consumed only by humans.

   Application developers are encouraged to forbid URIs with the "hxxp"
   and "hxxps" schemes inside HTML anchors or tags.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <http://www.rfc-editor.org/info/rfc3986>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <http://www.rfc-editor.org/info/rfc5234>.

6.2.  Informative References

   [RFC7595]  Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines
              and Registration Procedures for URI Schemes", BCP 35,
              RFC 7595, DOI 10.17487/RFC7595, June 2015,
              <http://www.rfc-editor.org/info/rfc7595>.

Author's Address

   Hugo Salgado
   NIC Chile
   Miraflores 222, piso 14
   Santiago CP 8320198
   CL

   Phone: +56 2 29407700
   Email: hsalgado@nic.cl