|Network Working Group||J. Reschke|
|Intended status: Standards Track||October 2, 2008|
|Expires: April 5, 2009|
By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress”.
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 5, 2009.
The Hypertext Transfer Protocol (HTTP) Extensions for the Web Distributed Authoring and Versioning (WebDAV) do not define the behavior for the "POST" method when applied to collections, as the base specification (HTTP) leaves implementers lots of freedom for the semantics of "POST".
This has lead to a situation where many WebDAV servers do not implement POST for collections at all, although it is well suited to be used for the purpose of adding new members to a collection, where the server remains in control of the newly assigned URL. As a matter of fact, the Atom Publishing Protocol (AtomPub) uses POST exactly for that purpose. On the other hand, WebDAV-based protocols such as the Calendar Extensions to WebDAV (CalDAV) frequently require clients to pick a unique URL, although the server could easily perform that task.
This specification defines a discovery mechanism through which servers can advertise support for POST requests with the aforementioned "add collection member" semantics.
Please send comments to the Distributed Authoring and Versioning (WebDAV) working group at <mailto:firstname.lastname@example.org>, which may be joined by sending a message with subject "subscribe" to <mailto:email@example.com>. Discussions of the WEBDAV working group are archived at <http://lists.w3.org/Archives/Public/w3c-dist-auth/>.
Note that although discussion takes place on the WebDAV working group's mailing list, this is not a working group document.
XML versions, latest edits and the issues list for this document are available from <http://greenbytes.de/tech/webdav/#draft-reschke-webdav-post>.
|I edit (type: edit, status: open)|
|firstname.lastname@example.org||2008-09-22||Umbrella issue for editorial fixes/enhancements.|
|Associated changes in this document: <#rfc.change.edit.1>, 3, 3, 3.1, 3.1, 3.2.2, 3.2.3, 3.2.3, 3.2.3, 3.4, <#rfc.change.edit.11>, <#rfc.change.edit.12>.|
The Hypertext Transfer Protocol (HTTP) Extensions for the Web Distributed Authoring and Versioning (WebDAV) ([RFC4918], Section 9.5) do not define the behavior for the "POST" method when applied to collections, as the base specification (HTTP) leaves implementers lots of freedom for the semantics of "POST":¶
9.5 POST for Collections
Since by definition the actual function performed by POST is determined by the server and often depends on the particular resource, the behavior of POST when applied to collections cannot be meaningfully modified because it is largely undefined. Thus, the semantics of POST are unmodified when applied to a collection.
This has lead to a situation where many WebDAV servers do not implement POST for collections at all, although it is well suited to be used for the purpose of adding new members to a collection, where the server remains in control of the newly assigned URL. As a matter of fact, the Atom Publishing Protocol (AtomPub) uses POST exactly for that purpose ([RFC5023], Section 9.2):¶
9.2 Creating Resources with POST
To add members to a Collection, clients send POST requests to the URI of the Collection.
On the other hand, WebDAV-based protocols such as Calendaring Extensions to WebDAV (CalDAV) frequently require clients to pick a unique URL, although the server could easily perform that task ([RFC4791], Section 5.3.2):¶
5.3.2 Creating Calendar Object Resources
When servers create new resources, it's not hard for the server to choose an unmapped URI. It's slightly tougher for clients, because a client might not want to examine all resources in the collection and might not want to lock the entire collection to ensure that a new resource isn't created with a name collision. (...)
|I rational-server-uri (type: change, status: closed)|
|email@example.com||2008-09-22||One thing this reminds me of: another reason why this POST may be needed is if the server enforces a particular naming scheme on members. e.g., a CalDAV server may require that all member path segments match the UID in the calendar data, or match a record-id in its data store etc. In this case the add-member behavior is required. So its not just the case of "the client doesn't care to name members itself", but also this other one. Probably worth adding a comment on this.|
|2008-09-23||Resolution: Mention that this can simplify the server by not having to persist a client-supplied name.|
|Associated changes in this document: 1.|
This specification defines a discovery mechanism through which servers can advertise support for POST requests with the aforementioned "add collection member" semantics.¶
Due to the reasons stated in Section 1, clients can not rely on a specific server behavior when POST is applied to a collection. This problem is addressed by this specification by allowing servers to advertise a URI that has the desired "add member" semantics.¶
Note that ↑↓ervers that already use POST for a different purpose can just expose a different URI for that purpose. Other servers can just advertise the collection's own URI, thus avoiding ↑↓
to mint another URI for a limited purpose.¶
|I remote-uri (type: change, status: closed)|
|firstname.lastname@example.org||2008-09-30||Explicitly forbid Add-Member URIs pointing to other servers, mainly for reasons of security (DOS), but also for practical reasons (authentication).|
|2008-10-01||Resolution: Require that the "Add-Member" URI points to the same server.|
|Associated changes in this document: 3.1.|
The "Add-Member" URI of a WebDAV collection is a URI that will accept HTTP POST requests, and will interpret these as requests to store the enclosed entity as a new internal member of the collection.↑↓
The URI of the newly created resource is returned in the HTTP Location response header ([RFC2616], Section 14.30). ¶
|I post-error-semantics (type: change, status: closed)|
|email@example.com||2008-09-22||Something needs to be stated about error handling: e.g., "If there are pre-conditions related to creating a resource in the collection using a PUT request, then those same pre-conditions apply to the new POST request behavior, and the same DAV:error response body returned on failure". This would be a "catch-all" to allow protocols such as CalDAV, which restrict certain aspects of the data stored in collections, to simply return the same pre-condition failure information for POST as for PUT.|
|2008-09-23||Resolution: Adopt most of the proposed text, except for saying "HTTP response" to make it more generic (for instance, there may be no DAV:error entity body involved).|
|Associated changes in this document: 3.1.|
|I uri-uniqueness (type: change, status: closed)|
|firstname.lastname@example.org||2008-09-22||Is the server allowed to re-use new member URIs? i.e. /a/b.txt exists at some point, then is deleted. Is the server then allowed to use b.txt as a new member of /a/, or does the new member path segment have to be unique for the entire existence of that collection? If the member path segment is expected to be unique there should be some guidance to servers on how they might implement that (uuid's for instance).|
|2008-09-23||Resolution: Clarified that this specification doesn't make any additional requirements on the collection semantics.|
|Associated changes in this document: 3.1.|
|I uri-format (type: change, status: closed)|
|email@example.com||2008-09-23||Another question: there is no restriction on what p:add-member URI can be? e.g. if I have the collection "/a/b/" can the p:add-member be another resource entirely, e.g. "/a/use-c-to-create-in-b/"? If this is possible it should be called out, as the behavior might be somewhat unexpected for clients. It might even be the case that the p:add-member URI is on a different server (e.g. new member items in a collection need "approval" from some other service). The interaction with WebDAV ACL in this case would need to be clear - i.e. what privileges are required on the p:add-member URI?|
|2008-09-30||Resolution: Add a set of examples, and use "/collection;add-member/" in subsequent examples.|
|Associated changes in this document: 3.1, 3.2.2, 3.2.3, 3.2.3, 3.4, 4.2.|
The p:add-member property is defined on WebDAV collections, and contains the "Add-Member" URI for that collection (embedded inside a DAV:href element).¶
|I property-trust (type: change, status: closed)|
|firstname.lastname@example.org||2008-10-01||An attacker could set p:add-member as dead property and thus trick clients into POSTing new content somewhere else.|
|2008-10-01||Resolution: (1) Require server support for DAV:supported-live-property-set; (2) mention issue in security considerations.|
|Associated changes in this document: 3.2.1, 8, 10.1.|
HTTP/1.1 207 Multi-Status Content-Type: application/xml; charset="utf-8" Content-Length: 402 <?xml version="1.0" encoding="utf-8" ?> <multistatus xmlns="DAV:" xmlns:p="http://purl.org/NET/webdav/post#"> <response> <href>/collection/</href> <propstat> <prop> <p:add-member> <href>/collection↑↓
/;add-member</href> </p:add-member> </prop> <status>HTTP/1.1 200 OK</status> </propstat> </response> </multistatus>
Note that in this case, the server has minted a separate URI for the purpose of adding new content.
There may be cases in which it is more efficient to expose the Add-Member URI in HTTP headers or in (X)HTML content. For this use case, this specification defines a new link relation with the name:¶
...and in (X)HTML content:¶
In the AtomPub protocol, clients can use the entity header "Slug" to suggest parts of the URI to be created (see [RFC5023], Section 9.7). Note that servers are free to ignore this suggestion, or to use whatever algorithm that makes sense to generate the new URI.¶
The same applies to the extension defined here: clients can use the "Slug" header as by its definition of a generic HTTP header. Servers should process it exactly the way defined by AtomPub.¶
|I forbidden-put (type: change, status: closed)|
|email@example.com||2008-09-23||So one option for the server to enforce its naming scheme would be to require POST by the client to create new resources rather than allowing PUT/COPY/MOVE to do so. However there is no way fort a client to discover that such a restriction might be in place other than getting a 403. How about a new pre-condition code for that so that the server can indicate "DAV:only-post-allowed-to-create-new-members" to the client? With perhaps a more compact name!|
|2008-09-30||Resolution: Mention the use case, define the precondition, add example.|
|Associated changes in this document: <#rfc.change.forbidden-put.1>.|
|I acl (type: change, status: closed)|
|firstname.lastname@example.org||2008-09-23||This brings up another question: presumably the DAV:bind privilege is required on the collection for the new POST ;add-member behavior to be allowed (just as it would be required for PUT creating a new member). I think we therefore need a statement in Security Considerations: "When a server supports WebDAV ACL [RFC3744], the DAV:bind privilege is required to be granted on the collection resource in which the new member resource is being created. If this privilege is denied or not present, the POST request MUST fail."|
|2008-09-25||Resolution: Add "relation to ACL" section; required DAV:bind privilege on associated WebDAV collection.|
|Associated changes in this document: <#rfc.change.acl.1>, 10.1.|
|I member-uri-content (type: change, status: closed)|
|email@example.com||2008-09-22||Security consideration: "Servers MUST NOT derive the member path segment from the data being stored in the resource". This is important because you don't want server's leaking information in the URI that would not otherwise be visible (e.g. a user can PROPFIND the members but cannot read the content of the members - leaking content in the URI would be bad). Note this impacts how the server generates the member path segment. e.g. an md5 hash of the data only may not be appropriate.|
|2008-09-23||Resolution: State the problem, but do not make a requirement (for instance, the server could be entirely public in which case this wouldn't be an issue at all).|
|Associated changes in this document: 8.|
Copyright © The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an “AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at firstname.lastname@example.org.