| draft-ietf-httpbis-cache-17.txt | draft-ietf-httpbis-cache-latest.txt | |||
|---|---|---|---|---|
| HTTP Working Group R. Fielding, Ed. | HTTP Working Group R. Fielding, Ed. | |||
| Internet-Draft Adobe | Internet-Draft Adobe | |||
| Obsoletes: 7234 (if approved) M. Nottingham, Ed. | Obsoletes: 7234 (if approved) M. Nottingham, Ed. | |||
| Intended status: Standards Track Fastly | Intended status: Standards Track Fastly | |||
| Expires: January 27, 2022 J. Reschke, Ed. | Expires: January 28, 2022 J. Reschke, Ed. | |||
| greenbytes | greenbytes | |||
| July 26, 2021 | July 27, 2021 | |||
| HTTP Caching | HTTP Caching | |||
| draft-ietf-httpbis-cache-17 | draft-ietf-httpbis-cache-latest | |||
| Abstract | Abstract | |||
| The Hypertext Transfer Protocol (HTTP) is a stateless application- | The Hypertext Transfer Protocol (HTTP) is a stateless application- | |||
| level protocol for distributed, collaborative, hypertext information | level protocol for distributed, collaborative, hypertext information | |||
| systems. This document defines HTTP caches and the associated header | systems. This document defines HTTP caches and the associated header | |||
| fields that control cache behavior or indicate cacheable response | fields that control cache behavior or indicate cacheable response | |||
| messages. | messages. | |||
| This document obsoletes RFC 7234. | This document obsoletes RFC 7234. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| This note is to be removed before publishing as an RFC. | This note is to be removed before publishing as an RFC. | |||
| Discussion of this draft takes place on the HTTP working group | Discussion of this draft takes place on the HTTP working group | |||
| mailing list (ietf-http-wg@w3.org), which is archived at | mailing list (ietf-http-wg@w3.org), which is archived at | |||
| <https://lists.w3.org/Archives/Public/ietf-http-wg/>. | <https://lists.w3.org/Archives/Public/ietf-http-wg/>. | |||
| Working Group information can be found at <https://httpwg.org/>; | Working Group information can be found at <https://httpwg.org/>; | |||
| source code and issues list for this draft can be found at | source code and issues list for this draft can be found at | |||
| <https://github.com/httpwg/http-core>. | <https://github.com/httpwg/http-core>. | |||
| The changes in this draft are summarized in Appendix C.18. | The changes in this draft are summarized in Appendix C.19. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 27, 2022. | This Internet-Draft will expire on January 28, 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 4, line 12 ¶ | skipping to change at page 4, line 12 ¶ | |||
| 8.1. Field Name Registration . . . . . . . . . . . . . . . . . 36 | 8.1. Field Name Registration . . . . . . . . . . . . . . . . . 36 | |||
| 8.2. Cache Directive Registration . . . . . . . . . . . . . . 37 | 8.2. Cache Directive Registration . . . . . . . . . . . . . . 37 | |||
| 8.3. Warn Code Registry . . . . . . . . . . . . . . . . . . . 37 | 8.3. Warn Code Registry . . . . . . . . . . . . . . . . . . . 37 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 37 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 37 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 37 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 37 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 38 | 9.2. Informative References . . . . . . . . . . . . . . . . . 38 | |||
| Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 39 | Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 39 | |||
| Appendix B. Changes from RFC 7234 . . . . . . . . . . . . . . . 39 | Appendix B. Changes from RFC 7234 . . . . . . . . . . . . . . . 39 | |||
| Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 40 | Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 40 | |||
| C.1. Between RFC7234 and draft 00 . . . . . . . . . . . . . . 40 | C.1. Between RFC7234 and draft 00 . . . . . . . . . . . . . . 40 | |||
| C.2. Since draft-ietf-httpbis-cache-00 . . . . . . . . . . . . 40 | C.2. Since draft-ietf-httpbis-cache-00 . . . . . . . . . . . . 41 | |||
| C.3. Since draft-ietf-httpbis-cache-01 . . . . . . . . . . . . 41 | C.3. Since draft-ietf-httpbis-cache-01 . . . . . . . . . . . . 41 | |||
| C.4. Since draft-ietf-httpbis-cache-02 . . . . . . . . . . . . 41 | C.4. Since draft-ietf-httpbis-cache-02 . . . . . . . . . . . . 41 | |||
| C.5. Since draft-ietf-httpbis-cache-03 . . . . . . . . . . . . 41 | C.5. Since draft-ietf-httpbis-cache-03 . . . . . . . . . . . . 41 | |||
| C.6. Since draft-ietf-httpbis-cache-04 . . . . . . . . . . . . 42 | C.6. Since draft-ietf-httpbis-cache-04 . . . . . . . . . . . . 42 | |||
| C.7. Since draft-ietf-httpbis-cache-05 . . . . . . . . . . . . 42 | C.7. Since draft-ietf-httpbis-cache-05 . . . . . . . . . . . . 42 | |||
| C.8. Since draft-ietf-httpbis-cache-06 . . . . . . . . . . . . 42 | C.8. Since draft-ietf-httpbis-cache-06 . . . . . . . . . . . . 42 | |||
| C.9. Since draft-ietf-httpbis-cache-07 . . . . . . . . . . . . 43 | C.9. Since draft-ietf-httpbis-cache-07 . . . . . . . . . . . . 43 | |||
| C.10. Since draft-ietf-httpbis-cache-08 . . . . . . . . . . . . 43 | C.10. Since draft-ietf-httpbis-cache-08 . . . . . . . . . . . . 43 | |||
| C.11. Since draft-ietf-httpbis-cache-09 . . . . . . . . . . . . 43 | C.11. Since draft-ietf-httpbis-cache-09 . . . . . . . . . . . . 43 | |||
| C.12. Since draft-ietf-httpbis-cache-10 . . . . . . . . . . . . 43 | C.12. Since draft-ietf-httpbis-cache-10 . . . . . . . . . . . . 43 | |||
| C.13. Since draft-ietf-httpbis-cache-11 . . . . . . . . . . . . 43 | C.13. Since draft-ietf-httpbis-cache-11 . . . . . . . . . . . . 44 | |||
| C.14. Since draft-ietf-httpbis-cache-12 . . . . . . . . . . . . 43 | C.14. Since draft-ietf-httpbis-cache-12 . . . . . . . . . . . . 44 | |||
| C.15. Since draft-ietf-httpbis-cache-13 . . . . . . . . . . . . 45 | C.15. Since draft-ietf-httpbis-cache-13 . . . . . . . . . . . . 45 | |||
| C.16. Since draft-ietf-httpbis-cache-14 . . . . . . . . . . . . 45 | C.16. Since draft-ietf-httpbis-cache-14 . . . . . . . . . . . . 45 | |||
| C.17. Since draft-ietf-httpbis-cache-15 . . . . . . . . . . . . 46 | C.17. Since draft-ietf-httpbis-cache-15 . . . . . . . . . . . . 46 | |||
| C.18. Since draft-ietf-httpbis-cache-16 . . . . . . . . . . . . 46 | C.18. Since draft-ietf-httpbis-cache-16 . . . . . . . . . . . . 46 | |||
| C.19. Since draft-ietf-httpbis-cache-17 . . . . . . . . . . . . 46 | ||||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 46 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 46 | |||
| Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 | Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 48 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 48 | |||
| 1. Introduction | 1. Introduction | |||
| The Hypertext Transfer Protocol (HTTP) is a stateless application- | The Hypertext Transfer Protocol (HTTP) is a stateless application- | |||
| level request/response protocol that uses extensible semantics and | level request/response protocol that uses extensible semantics and | |||
| self-descriptive messages for flexible interaction with network-based | self-descriptive messages for flexible interaction with network-based | |||
| hypertext information systems. It is typically used for distributed | hypertext information systems. It is typically used for distributed | |||
| skipping to change at page 35, line 22 ¶ | skipping to change at page 35, line 22 ¶ | |||
| Caches expose an additional attack surface, since the contents of the | Caches expose an additional attack surface, since the contents of the | |||
| cache represent an attractive target for malicious exploitation. | cache represent an attractive target for malicious exploitation. | |||
| Because cache contents persist after an HTTP request is complete, an | Because cache contents persist after an HTTP request is complete, an | |||
| attack on the cache can reveal information long after a user believes | attack on the cache can reveal information long after a user believes | |||
| that the information has been removed from the network. Therefore, | that the information has been removed from the network. Therefore, | |||
| cache contents need to be protected as sensitive information. | cache contents need to be protected as sensitive information. | |||
| In particular, because private caches are restricted to a single | In particular, because private caches are restricted to a single | |||
| user, they can be used to reconstruct a user's activity. As a | user, they can be used to reconstruct a user's activity. As a | |||
| result, is important for user agents to allow end users to control | result, it is important for user agents to allow end users to control | |||
| them; for example, allowing stored responses to be removed for some | them; for example, allowing stored responses to be removed for some | |||
| or all origin servers. | or all origin servers. | |||
| 7.1. Cache Poisoning | 7.1. Cache Poisoning | |||
| Storing a malicious payload in a cache can extend the reach of an | Storing a malicious payload in a cache can extend the reach of an | |||
| attacker to affect multiple users. Such "cache poisoning" attacks | attacker to affect multiple users. Such "cache poisoning" attacks | |||
| happen when an attacker uses implementation flaws, elevated | happen when an attacker uses implementation flaws, elevated | |||
| privileges, or other techniques to insert a response into a cache. | privileges, or other techniques to insert a response into a cache. | |||
| This is especially effective when shared caches are used to | This is especially effective when shared caches are used to | |||
| skipping to change at page 37, line 48 ¶ | skipping to change at page 37, line 48 ¶ | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | [HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | |||
| Ed., "HTTP Semantics", Work in Progress, Internet-Draft, | Ed., "HTTP Semantics", Work in Progress, Internet-Draft, | |||
| draft-ietf-httpbis-semantics-latest, July 2021, | draft-ietf-httpbis-semantics-latest, July 2021, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- | <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- | |||
| semantics-latest>. | semantics-latest>. | |||
| [HTTP/1.1] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | ||||
| Ed., "HTTP/1.1", Work in Progress, Internet-Draft, draft- | ||||
| ietf-httpbis-messaging-latest, July 2021, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- | ||||
| messaging-latest>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | |||
| Specifications: ABNF", STD 68, RFC 5234, | Specifications: ABNF", STD 68, RFC 5234, | |||
| DOI 10.17487/RFC5234, January 2008, | DOI 10.17487/RFC5234, January 2008, | |||
| <https://www.rfc-editor.org/info/rfc5234>. | <https://www.rfc-editor.org/info/rfc5234>. | |||
| skipping to change at page 38, line 29 ¶ | skipping to change at page 38, line 24 ¶ | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [COOKIE] Barth, A., "HTTP State Management Mechanism", RFC 6265, | [COOKIE] Barth, A., "HTTP State Management Mechanism", RFC 6265, | |||
| DOI 10.17487/RFC6265, April 2011, | DOI 10.17487/RFC6265, April 2011, | |||
| <https://www.rfc-editor.org/info/rfc6265>. | <https://www.rfc-editor.org/info/rfc6265>. | |||
| [HTTP/1.1] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | ||||
| Ed., "HTTP/1.1", Work in Progress, Internet-Draft, draft- | ||||
| ietf-httpbis-messaging-latest, July 2021, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- | ||||
| messaging-latest>. | ||||
| [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | |||
| Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | |||
| Transfer Protocol -- HTTP/1.1", RFC 2616, | Transfer Protocol -- HTTP/1.1", RFC 2616, | |||
| DOI 10.17487/RFC2616, June 1999, | DOI 10.17487/RFC2616, June 1999, | |||
| <https://www.rfc-editor.org/info/rfc2616>. | <https://www.rfc-editor.org/info/rfc2616>. | |||
| [RFC5861] Nottingham, M., "HTTP Cache-Control Extensions for Stale | [RFC5861] Nottingham, M., "HTTP Cache-Control Extensions for Stale | |||
| Content", RFC 5861, DOI 10.17487/RFC5861, April 2010, | Content", RFC 5861, DOI 10.17487/RFC5861, April 2010, | |||
| <https://www.rfc-editor.org/info/rfc5861>. | <https://www.rfc-editor.org/info/rfc5861>. | |||
| skipping to change at page 46, line 27 ¶ | skipping to change at page 46, line 33 ¶ | |||
| issues?q=label%3Acaching+created%3A%3E2021-05-26> for a summary. | issues?q=label%3Acaching+created%3A%3E2021-05-26> for a summary. | |||
| Furthermore: | Furthermore: | |||
| o Addressed Genart last call review comments | o Addressed Genart last call review comments | |||
| (<https://github.com/httpwg/http-core/issues/847>) | (<https://github.com/httpwg/http-core/issues/847>) | |||
| o In Section 4.3.4, clarify that only selectable responses are | o In Section 4.3.4, clarify that only selectable responses are | |||
| updated (<https://github.com/httpwg/http-core/issues/839>) | updated (<https://github.com/httpwg/http-core/issues/839>) | |||
| C.19. Since draft-ietf-httpbis-cache-17 | ||||
| o Made reference to [HTTP/1.1] informative only | ||||
| (<https://github.com/httpwg/http-core/issues/911>) | ||||
| Acknowledgements | Acknowledgements | |||
| See Appendix "Acknowledgements" of [HTTP]. | See Appendix "Acknowledgements" of [HTTP]. | |||
| Index | Index | |||
| A C E F G H M N O P S V W | A C E F G H M N O P S V W | |||
| A | A | |||
| End of changes. 12 change blocks. | ||||
| 15 lines changed or deleted | 21 lines changed or added | |||
This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||