draft-ietf-httpbis-cache-17.txt   draft-ietf-httpbis-cache-latest.txt 
HTTP Working Group R. Fielding, Ed. HTTP Working Group R. Fielding, Ed.
Internet-Draft Adobe Internet-Draft Adobe
Obsoletes: 7234 (if approved) M. Nottingham, Ed. Obsoletes: 7234 (if approved) M. Nottingham, Ed.
Intended status: Standards Track Fastly Intended status: Standards Track Fastly
Expires: January 27, 2022 J. Reschke, Ed. Expires: January 28, 2022 J. Reschke, Ed.
greenbytes greenbytes
July 26, 2021 July 27, 2021
HTTP Caching HTTP Caching
draft-ietf-httpbis-cache-17 draft-ietf-httpbis-cache-latest
Abstract Abstract
The Hypertext Transfer Protocol (HTTP) is a stateless application- The Hypertext Transfer Protocol (HTTP) is a stateless application-
level protocol for distributed, collaborative, hypertext information level protocol for distributed, collaborative, hypertext information
systems. This document defines HTTP caches and the associated header systems. This document defines HTTP caches and the associated header
fields that control cache behavior or indicate cacheable response fields that control cache behavior or indicate cacheable response
messages. messages.
This document obsoletes RFC 7234. This document obsoletes RFC 7234.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
This note is to be removed before publishing as an RFC. This note is to be removed before publishing as an RFC.
Discussion of this draft takes place on the HTTP working group Discussion of this draft takes place on the HTTP working group
mailing list (ietf-http-wg@w3.org), which is archived at mailing list (ietf-http-wg@w3.org), which is archived at
<https://lists.w3.org/Archives/Public/ietf-http-wg/>. <https://lists.w3.org/Archives/Public/ietf-http-wg/>.
Working Group information can be found at <https://httpwg.org/>; Working Group information can be found at <https://httpwg.org/>;
source code and issues list for this draft can be found at source code and issues list for this draft can be found at
<https://github.com/httpwg/http-core>. <https://github.com/httpwg/http-core>.
The changes in this draft are summarized in Appendix C.18. The changes in this draft are summarized in Appendix C.19.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 27, 2022. This Internet-Draft will expire on January 28, 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 4, line 12 skipping to change at page 4, line 12
8.1. Field Name Registration . . . . . . . . . . . . . . . . . 36 8.1. Field Name Registration . . . . . . . . . . . . . . . . . 36
8.2. Cache Directive Registration . . . . . . . . . . . . . . 37 8.2. Cache Directive Registration . . . . . . . . . . . . . . 37
8.3. Warn Code Registry . . . . . . . . . . . . . . . . . . . 37 8.3. Warn Code Registry . . . . . . . . . . . . . . . . . . . 37
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 37 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 37
9.1. Normative References . . . . . . . . . . . . . . . . . . 37 9.1. Normative References . . . . . . . . . . . . . . . . . . 37
9.2. Informative References . . . . . . . . . . . . . . . . . 38 9.2. Informative References . . . . . . . . . . . . . . . . . 38
Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 39 Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 39
Appendix B. Changes from RFC 7234 . . . . . . . . . . . . . . . 39 Appendix B. Changes from RFC 7234 . . . . . . . . . . . . . . . 39
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 40 Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 40
C.1. Between RFC7234 and draft 00 . . . . . . . . . . . . . . 40 C.1. Between RFC7234 and draft 00 . . . . . . . . . . . . . . 40
C.2. Since draft-ietf-httpbis-cache-00 . . . . . . . . . . . . 40 C.2. Since draft-ietf-httpbis-cache-00 . . . . . . . . . . . . 41
C.3. Since draft-ietf-httpbis-cache-01 . . . . . . . . . . . . 41 C.3. Since draft-ietf-httpbis-cache-01 . . . . . . . . . . . . 41
C.4. Since draft-ietf-httpbis-cache-02 . . . . . . . . . . . . 41 C.4. Since draft-ietf-httpbis-cache-02 . . . . . . . . . . . . 41
C.5. Since draft-ietf-httpbis-cache-03 . . . . . . . . . . . . 41 C.5. Since draft-ietf-httpbis-cache-03 . . . . . . . . . . . . 41
C.6. Since draft-ietf-httpbis-cache-04 . . . . . . . . . . . . 42 C.6. Since draft-ietf-httpbis-cache-04 . . . . . . . . . . . . 42
C.7. Since draft-ietf-httpbis-cache-05 . . . . . . . . . . . . 42 C.7. Since draft-ietf-httpbis-cache-05 . . . . . . . . . . . . 42
C.8. Since draft-ietf-httpbis-cache-06 . . . . . . . . . . . . 42 C.8. Since draft-ietf-httpbis-cache-06 . . . . . . . . . . . . 42
C.9. Since draft-ietf-httpbis-cache-07 . . . . . . . . . . . . 43 C.9. Since draft-ietf-httpbis-cache-07 . . . . . . . . . . . . 43
C.10. Since draft-ietf-httpbis-cache-08 . . . . . . . . . . . . 43 C.10. Since draft-ietf-httpbis-cache-08 . . . . . . . . . . . . 43
C.11. Since draft-ietf-httpbis-cache-09 . . . . . . . . . . . . 43 C.11. Since draft-ietf-httpbis-cache-09 . . . . . . . . . . . . 43
C.12. Since draft-ietf-httpbis-cache-10 . . . . . . . . . . . . 43 C.12. Since draft-ietf-httpbis-cache-10 . . . . . . . . . . . . 43
C.13. Since draft-ietf-httpbis-cache-11 . . . . . . . . . . . . 43 C.13. Since draft-ietf-httpbis-cache-11 . . . . . . . . . . . . 44
C.14. Since draft-ietf-httpbis-cache-12 . . . . . . . . . . . . 43 C.14. Since draft-ietf-httpbis-cache-12 . . . . . . . . . . . . 44
C.15. Since draft-ietf-httpbis-cache-13 . . . . . . . . . . . . 45 C.15. Since draft-ietf-httpbis-cache-13 . . . . . . . . . . . . 45
C.16. Since draft-ietf-httpbis-cache-14 . . . . . . . . . . . . 45 C.16. Since draft-ietf-httpbis-cache-14 . . . . . . . . . . . . 45
C.17. Since draft-ietf-httpbis-cache-15 . . . . . . . . . . . . 46 C.17. Since draft-ietf-httpbis-cache-15 . . . . . . . . . . . . 46
C.18. Since draft-ietf-httpbis-cache-16 . . . . . . . . . . . . 46 C.18. Since draft-ietf-httpbis-cache-16 . . . . . . . . . . . . 46
C.19. Since draft-ietf-httpbis-cache-17 . . . . . . . . . . . . 46
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 46 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 46
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 48 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 48
1. Introduction 1. Introduction
The Hypertext Transfer Protocol (HTTP) is a stateless application- The Hypertext Transfer Protocol (HTTP) is a stateless application-
level request/response protocol that uses extensible semantics and level request/response protocol that uses extensible semantics and
self-descriptive messages for flexible interaction with network-based self-descriptive messages for flexible interaction with network-based
hypertext information systems. It is typically used for distributed hypertext information systems. It is typically used for distributed
skipping to change at page 35, line 22 skipping to change at page 35, line 22
Caches expose an additional attack surface, since the contents of the Caches expose an additional attack surface, since the contents of the
cache represent an attractive target for malicious exploitation. cache represent an attractive target for malicious exploitation.
Because cache contents persist after an HTTP request is complete, an Because cache contents persist after an HTTP request is complete, an
attack on the cache can reveal information long after a user believes attack on the cache can reveal information long after a user believes
that the information has been removed from the network. Therefore, that the information has been removed from the network. Therefore,
cache contents need to be protected as sensitive information. cache contents need to be protected as sensitive information.
In particular, because private caches are restricted to a single In particular, because private caches are restricted to a single
user, they can be used to reconstruct a user's activity. As a user, they can be used to reconstruct a user's activity. As a
result, is important for user agents to allow end users to control result, it is important for user agents to allow end users to control
them; for example, allowing stored responses to be removed for some them; for example, allowing stored responses to be removed for some
or all origin servers. or all origin servers.
7.1. Cache Poisoning 7.1. Cache Poisoning
Storing a malicious payload in a cache can extend the reach of an Storing a malicious payload in a cache can extend the reach of an
attacker to affect multiple users. Such "cache poisoning" attacks attacker to affect multiple users. Such "cache poisoning" attacks
happen when an attacker uses implementation flaws, elevated happen when an attacker uses implementation flaws, elevated
privileges, or other techniques to insert a response into a cache. privileges, or other techniques to insert a response into a cache.
This is especially effective when shared caches are used to This is especially effective when shared caches are used to
skipping to change at page 37, line 48 skipping to change at page 37, line 48
9. References 9. References
9.1. Normative References 9.1. Normative References
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, [HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", Work in Progress, Internet-Draft, Ed., "HTTP Semantics", Work in Progress, Internet-Draft,
draft-ietf-httpbis-semantics-latest, July 2021, draft-ietf-httpbis-semantics-latest, July 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
semantics-latest>. semantics-latest>.
[HTTP/1.1] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP/1.1", Work in Progress, Internet-Draft, draft-
ietf-httpbis-messaging-latest, July 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
messaging-latest>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008, DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/info/rfc5234>. <https://www.rfc-editor.org/info/rfc5234>.
skipping to change at page 38, line 29 skipping to change at page 38, line 24
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References 9.2. Informative References
[COOKIE] Barth, A., "HTTP State Management Mechanism", RFC 6265, [COOKIE] Barth, A., "HTTP State Management Mechanism", RFC 6265,
DOI 10.17487/RFC6265, April 2011, DOI 10.17487/RFC6265, April 2011,
<https://www.rfc-editor.org/info/rfc6265>. <https://www.rfc-editor.org/info/rfc6265>.
[HTTP/1.1] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP/1.1", Work in Progress, Internet-Draft, draft-
ietf-httpbis-messaging-latest, July 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
messaging-latest>.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, Transfer Protocol -- HTTP/1.1", RFC 2616,
DOI 10.17487/RFC2616, June 1999, DOI 10.17487/RFC2616, June 1999,
<https://www.rfc-editor.org/info/rfc2616>. <https://www.rfc-editor.org/info/rfc2616>.
[RFC5861] Nottingham, M., "HTTP Cache-Control Extensions for Stale [RFC5861] Nottingham, M., "HTTP Cache-Control Extensions for Stale
Content", RFC 5861, DOI 10.17487/RFC5861, April 2010, Content", RFC 5861, DOI 10.17487/RFC5861, April 2010,
<https://www.rfc-editor.org/info/rfc5861>. <https://www.rfc-editor.org/info/rfc5861>.
skipping to change at page 46, line 27 skipping to change at page 46, line 33
issues?q=label%3Acaching+created%3A%3E2021-05-26> for a summary. issues?q=label%3Acaching+created%3A%3E2021-05-26> for a summary.
Furthermore: Furthermore:
o Addressed Genart last call review comments o Addressed Genart last call review comments
(<https://github.com/httpwg/http-core/issues/847>) (<https://github.com/httpwg/http-core/issues/847>)
o In Section 4.3.4, clarify that only selectable responses are o In Section 4.3.4, clarify that only selectable responses are
updated (<https://github.com/httpwg/http-core/issues/839>) updated (<https://github.com/httpwg/http-core/issues/839>)
C.19. Since draft-ietf-httpbis-cache-17
o Made reference to [HTTP/1.1] informative only
(<https://github.com/httpwg/http-core/issues/911>)
Acknowledgements Acknowledgements
See Appendix "Acknowledgements" of [HTTP]. See Appendix "Acknowledgements" of [HTTP].
Index Index
A C E F G H M N O P S V W A C E F G H M N O P S V W
A A
 End of changes. 12 change blocks. 
15 lines changed or deleted 21 lines changed or added

This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/