In [section
13.5.1], which describes End-to-End and Hop-by-Hop headers, the text
says:
The following HTTP/1.1 headers are hop-by-hop headers:
- Connection
- Keep-Alive
- Proxy-Authenticate
- Proxy-Authorization
- TE
- Trailer<span class='diff'>s</span>
- Transfer-Encoding
- Upgrade</pre>
<p>
But the correct header name is 'Trailer' (no 's'):
</p>
The following HTTP/1.1 headers are hop-by-hop headers:
- Connection
- Keep-Alive
- Proxy-Authenticate
- Proxy-Authorization
- TE
- Trailer
- Transfer-Encoding
- Upgrade
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/9
2616 Section 3.7.1 states;
<blockquote><p>
When no explicit charset parameter is provided by the sender, media
subtypes of the "text" type are defined to have a default charset
value of "ISO-8859-1" when received via HTTP.</p></blockquote>
<p>However, many, if not all, of the text/* media types define their own
defaults; text/plain (RFC2046), for example, defaults to ASCII, as
does text/xml (RFC3023).</p>
<p>How do these format-specific defaults interact with HTTP's default?
Is HTTP really overriding them?</p>
<p>I'm far from the first to be confused by this text, and I'm sure it's
been asked before, but I haven't been able to find a definitive
answer. If errata are still being considered, perhaps removing/
modifying this line would be a good start...</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/20
Section 10.3.2 (301 Moved Permanently) contains the paragraph
If the 301 status code is received in response to a request other
than GET or HEAD, the user agent MUST NOT automatically redirect the
request unless it can be confirmed by the user, since this might
change the conditions under which the request was issued.
which fails to consider that there are many other request methods
that are safe to automatically redirect, and further that the user agent
is able to make that determination based on the request method semantics.
In particular, the OPTIONS method is always safe to automatically redirect.
Unfortunately, the paragraph was written long before there was OPTIONS,
and was never updated to reflect the extensibility of methods. The
same problem paragraph is found in sections 10.3.3 and 10.3.8.
The above should be replaced with
If the 301 status code is received in response to a request method
that is known to be "safe", as defined in section 9.1.1, then the
request MAY be automatically redirected by the user agent without
confirmation. Otherwise, the user agent MUST NOT automatically
redirect the request unless it is confirmed by the user, since the
new URI might change the conditions under which the request was issued.
along with similar changes for sections 10.3.3 and 10.3.8.
It would also be helpful for each of the method definition sections
to specifically define whether or not the method is safe.
OPTIONS, GET, and HEAD are all safe in RFC 2616.
HTTP extensions like WebDAV define additional safe methods.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/10
There is an HTTP-related security violation approach found/researched
by White Hat Security:
<p>
PR: <a href="http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt">http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt</a><br/>
Details: <a href="http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf">http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf</a>
</p>
<p>I bet many of you have seen the related advisories/PR. For those who
have not, here is the gist:</p>
<p>Modern browsers usually do not allow scripts embedded in
HTML to access cookies and authentication information
exchanged between HTTP client and server. However, a
script can get access to that info by sending a
simple HTTP TRACE request to the originating (innocent)
server. The user agent will auto-include current
authentication info in such request. The server will echo all
the authentication information back, for script to read and
[mis]use. Apparently, sending an HTTP request is possible via
many scripting methods like ActiveX. See the URL above for
details.</p>
<p>With numerous XSS (cross-site-scripting) vulnerabilities in user
agents, this seems like a real and nasty problem. TRACE method support
is optional per RFC 2616, but many popular servers support it. White
Hat Security advises server administrators to disable support for
TRACE.</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/33
In RFC 2616, section 10.4.6 405 Method Not Allowed:
<blockquote><p>The method specified in the Request-Line is not allowed for the
resource identified by the Request-URI. The response MUST include an
Allow header containing a list of valid methods for the requested
resource.</p></blockquote>
<p>which has the effect of requiring that a server advertise all
methods to a resource. In some cases, method implementation is
implemented across several (extensible) parts of a server and
thus not known. In other cases, it may not be prudent to tell
an unauthenticated client all of the methods that might be
available to other clients.</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/24
RFC1700 ("ASSIGNED NUMBERS") has been obsoleted by RFC3232 ("Assigned Numbers: RFC 1700 is Replaced by an On-line Database").
<p>draft-gettys-http-v11-spec-rev-00 just updates the reference, which I think is a bug.</p>
<p>In fact, RFC2616 refers to RCF1700:</p>
<ol>
<li>for the definition of the default TCP port, </li>
<li>for a reference to the character set registry, and</li>
<li>for a reference to the media type registry.</li>
</ol>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/46
Section
5.1.2 defines a Request-URI as:
Request-URI = "*" | absoluteURI | abs_path | authority
where it gets abs_path by reference to RFC 2396; however, the
abs_path in RFC 2396 doesn't include a possible query part:
hier_part = ( net_path | abs_path ) [ "?" query ]
net_path = "//" authority [ abs_path ]
abs_path = "/" path_segments
The definition of Request-URI should be:
Request-URI = "*" | absoluteURI | abs_path [ "?" query ] | authority
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/11
When an origin server selects the response by looking at a request
header, and the header does not exist, is it correct for the server to
add the name of that header to Vary?
<p>For example, suppose a server's logic is like this pseudo-code:</p>
reponse_headers (Vary) = "Accept-Language"
IF request_headers (Accept-Language) contains "ja" THEN
serve the japanese page
ELSE
serve the english page
ENDIF
<p>What is the correct HTTP response when the request doesn't have an
Accept-Language header?</p>
<p>I would guess that the correct response is to "include Vary:
Accept-Language", but that begs the next question:</p>
</li>
<li>
<p>How should a cache treat missing requests headers which are
mentioned in Vary, when deciding if a stored entity matches a
request?</p>
<ul>
<li>a. If the stored entity was requested _without_ the header mentioned
in Vary, and the new request is also _without_ the header, does
the stored entity match? (This would come from scenario 1 above).</li>
<li>b. If the stored entity was requested _without_ the header mentioned
in Vary, and the new request is _with_ the header, does the
stored entity match?</li>
<li>c. If the stored entity was requested _with_ the header mentioned
in Vary, and the new request is _without_ the header, does the
stored entity match?</li>
</ul>
<p>I would imagine that in case a, the entity matches, and in cases b and
c, the entity doesn't match and must be revalidated.</p>
<p>But the language of RFC 2616 is a unclear:</p>
<blockquote><p>When the cache receives a subsequent request whose Request-URI
specifies one or more cache entries including a Vary header field,
the cache MUST NOT use such a cache entry to construct a response to
the new request unless all of the selecting request-headers present
in the new request match the corresponding stored request-headers in
the original request.</p></blockquote>
<p>Can the selecting request-headers "match" if they are absent? What
about case a?</p>
<blockquote><p>The selecting request-headers from two requests are defined to match
if and only if the selecting request-headers in the first request can
be transformed to the selecting request-headers in the second request
by adding or removing linear white space (LWS) at places where this
is allowed by the corresponding BNF, and/or combining multiple
message-header fields with the same field name following the rules
about message headers in section 4.2.</p></blockquote>
<p>Is this supposed to mean that an absent header is equivalent to an
empty header, or that an absent header is semantically a distinct
value from an empty header, or that an absent header is not considered
at all in the decision, or that an absent header cannot be matched
even with an absent header in the original request for the cached
entity?</p>
</li>
<li>
<p>Does this mean that server code which inspects a header value, and
finds the header missing, should look like this instead?</p>
IF exists request_headers (Accept-Language) THEN
reponse_headers (Vary) = "Accept-Language"
ELSE
response_headers (Vary) = "*"
ENDIF
IF request_headers (Accept-Language) contains "ja" THEN
serve the japanese page
ELSE
serve the english page
ENDIF
<p>The conservative thing to do is to disable cacheing when an examined
request-header is absent, but that seems excessively pessimistic.</p>
</li>
</ul>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/37
In the description of the Server header [section 14.38], the Via field is
described as a SHOULD:
<blockquote class='error'><p>
If the response is being forwarded through a proxy, the proxy
application MUST NOT modify the Server response-header. Instead, it
<span class='diff'>SHOULD</span> include a Via field (as described in
section 14.45).</p>
</blockquote>
<p>It should be a MUST:</p>
<blockquote class='correct'><p>
If the response is being forwarded through a proxy, the proxy
application MUST NOT modify the Server response-header. Instead, it
<span class='diff'>MUST</span> include a Via field (as described in
section 14.45).</p>
</blockquote>
<p>The requirement is stated correctly in the description of the Via header, <a
href='http://www.apps.ietf.org/rfc/rfc2616.html#sec-14.45'> [section 14.45]</a>.</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/5
In Section
10.2.7 the spec implies that it may be ok to use a weak cache
validator in a 206 response. The correct language is more
restrictive.
If the 206 response is the result of an If-Range request that used a
strong cache validator (see section 13.3.3), the response SHOULD NOT
include other entity-headers. If the response is the result of an
If-Range request that used a weak validator, the response MUST NOT
include other entity-headers; this prevents inconsistencies between
cached entity-bodies and updated headers. Otherwise, the response
MUST include all of the entity-headers that would have been returned
with a 200 (OK) response to the same request.
should be:
If the 206 response is the result of an If-Range request, the
response SHOULD NOT include other entity-headers. Otherwise, the
response MUST include all of the entity-headers that would have been
returned with a 200 (OK) response to the same request.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/18
In section 14.3, the definition of Accept-Encoding is given as follows:
Accept-Encoding = "Accept-Encoding" ":"
1#( codings [ ";" "q" "=" qvalue ] )
<p>This definition implies that there must be at least one non-null
codings. However, just below this definition, one of the examples given
has an empty Accept-Encoding field-value:</p>
<p>
Accept-Encoding: compress, gzip<br/>
Accept-Encoding:<br/>
Accept-Encoding: *<br/>
Accept-Encoding: compress;q=0.5, gzip;q=1.0<br/>
Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0</p>
<p>Furthermore, the fourth rule for testing whether a content-coding is
acceptable mentions the possibility that the field-value may be empty.</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/25
It *appears* that RFC3253 changes the idempotency of PUT; is this
allowed? RFC3253 doesn't update or obsolete 2616...
<p>I can see a situation where a 3253-naive client decides to retry a
timed-out PUT (after all, it's idempotent) and gets some side effects
it didn't bargain for.</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/27
In the description of Internet Media Types in [section 3.7],
the wrong RFC is cited for the media type registration process. The text
says:
Media-type values are registered with the Internet Assigned Number
Authority (IANA [19](../commit/19)). The media type registration process is
outlined in RFC 4288 [17](../commit/17). Use of non-registered media types is
discouraged.
But should be:
Media-type values are registered with the Internet Assigned Number
Authority (IANA [19](../commit/19)). The media type registration process is
outlined in RFC 2048 [17](../commit/17). Use of non-registered media types is
discouraged.
The cited Reference [section 17] is also incorrect; it is:
[17](../commit/17) Postel, J., "Media Type Registration Procedure", RFC 1590,
November 1996.
(oddly, the date cited is wrong for that RFC and correct for the right one)
It should be:
[17](../commit/17) Freed, N., Klensin, J., and Postel, J., "Mulitpurpose Internet Mail
Extensions (MIME) Part Four: Registration Procedure", RFC 2048,
November 1996.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/8
In order to clarify when charset values may be quoted, the following
is added to section 3.4:
HTTP uses charset in two contexts:
within an Accept-Charset request header (in which the charset value
is an unquoted token) and as the value of a parameter in a Content-type
header (within a request or response), in which case the parameter
value of the charset parameter may be quoted.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/14
I'd like to see a clarification about what clients can expect upon OPTIONS
*. In particular, can they expect to find out about *any* method name
supported on that server? I'm asking because this doesn't seem to be the
case for at least two major server bases, being:
- Apache (for instance, additional method names supported by mod_dav aren't
listed) and
- generic Java servlet engines (servlet API does not support delegation of
requests against "*" to all installed web applications)
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/32
Responses to HTTP requests with "Cache-control: no-store" are not
cachable. Recently, we came across a cache that does not cache responses
to no-store requests but also does not invalidate an older cached entity
with the same URL. When future requests stop using no-store, the old
cached entity is served.
<p>For example, the following happens in our test case:</p>
<ol>
<li>Client requests an entity A without using no-store.</li>
<li>Cache proxies the transaction and caches the response (entity A).</li>
<li>Client requests the same entity A using "Cache-control: no-store".</li>
<li>Cache proxies the transaction and does NOT cache the response.</li>
<li>Client requests the same entity A again, without using no-store.</li>
<li>Cache serves the "old" entity A cached in step #2 above.</li>
</ol>
<p>Does the cache violate the intent of RFC 2616 in step #6? If yes, should
that intent be made explicit (I cannot find any explicit rules
prohibiting the above behavior).</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/23
In the discussion of how to determine the message length [section 4.4], the fourth possibility
somehow lost a number of characters. The spec says:
4.If the message uses the media type "multipart/byteranges", and the
ransfer-length is not otherwise specified, then this self-
elimiting media type defines the transfer-length. This media type
UST NOT be used unless the sender knows that the recipient can arse
it; the presence in a request of a Range header with ultiple byte-
range specifiers from a 1.1 client implies that the lient can parse
multipart/byteranges responses.
It should read:
4.If the message uses the media type "multipart/byteranges", and the
transfer-length is not otherwise specified, then this self-
delimiting media type defines the transfer-length. This media type
MUST NOT be used unless the sender knows that the recipient can parse
it; the presence in a request of a Range header with multiple byte-
range specifiers from a 1.1 client implies that the client can parse
multipart/byteranges responses.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/4
In the description of the Location header [section 14.30], the ABNF for the
Location header is given as:
Location = "Location" ":" absoluteURI
This and the accompanying text are incorrect because the definition of
'absoluteURI', given in RFC
2396 does not include fragment identifiers. The correct syntax for
the Location header is:
Location = "Location" ":" absoluteURI [ "#" fragment ]
There are circumstances in which a fragment identifier in a Location URL
would not be appropriate:
- With a 201 Created response, because in this usage the Location header
specifies the URL for the entire created resource.
<li>With a 300 Multiple Choices, since the choice decision is intended to
be made on resource characteristics and not fragment characteristics.</li>
<li>With 305 Use Proxy.</li>
</ul>
<p>
At present, the behavior in the case where
there was a fragment with the original URI, e.g.:
http://host1.example.com/resource1#fragment1
where /resource1 redirects to
http://host2.example.com/resource2#fragment2
is 'fragment1' discarded? Do you find fragment2 and then
find fragment1 within it? We don't have fragment combination rules.
</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/6
In the description of chunked transfer encoding [section 3.6.1],
the syntax for a chunk is given as:
chunk = chunk-size [ chunk-extension ] CRLF
chunk-data CRLF
The accompanying text defines chunk-size incorrectly as:
The chunk-size field is a string of hex digits indicating the size of the
chunk.
This doesn't correctly describe what octets the chunk-size field is
counting; it should be:
The chunk-size field is a string of hex digits indicating the size of the
chunk-data in octets.
(in other words, the chunk length does not include the count of the octets
in the chunk header and trailer).
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/3
Currently, RFC2616 says about the date format for the "Date" header:
"The field value is an HTTP-date, as described in section 3.3.1; it MUST be sent in RFC 1123 8-date format."
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/48
RFC2616 refers to RFC2396, RFC1630, RFC1738, and RFC1808, all of which have been obsoleted by RFC3986.
If the reference is changed, it will important to remember to make a
decision about the "mark" production in the former (which are unreserved
characters) which have been moved to have reserved status in the latter.
By referencing 2396, HTTP allows these characters unescaped in path
segments, etc. If 3986 is referenced as-is, they will be effectively
disallowed, thereby effectively making a number of existing HTTP URIs invalid.
This includes the exclamation mark ("!"), asterisk ("*"), single-quote ("'"),
and open and close parentheses ("(" and ")").
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/34
In general, quoted string literals in the spec are defined to be case insensitive, but the HTTP Version token should be case sensitive. In [http://www.apps.ietf.org/rfc/rfc2616.html#sec-3.1 section 3.1] it says:
The version of an HTTP message is indicated by an HTTP-Version field
in the first line of the message.
HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT
It should add:
The version of an HTTP message is indicated by an HTTP-Version field
in the first line of the message. HTTP-Version is case-sensitive.
HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/1
The description of POST was broadened over time, and is not clear. It
is clarified by the following changes in Section 9.5:
The POST method is used to request that the origin server accept the
entity enclosed in the request as a new subordinate of the resource
identified by the Request-URI in the Request-Line.
should be:
The POST method is used to request that the origin
server accept the entity enclosed in the request as data to be
processed by the resource identified by the Request-URI in the
Request-Line.
Likewise:
The actual function performed by the POST method is determined by the
server and is usually dependent on the Request-URI. The posted entity
is subordinate to that URI in the same way that a file is subordinate
to a directory containing it, a news article is subordinate to a
newsgroup to which it is posted, or a record is subordinate to a
database.
should be:
The actual function performed by the POST method is determined by the
server and is usually dependent on the Request-URI.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/17
There is some ambiguity in Section13.10
as to how the word 'only' binds here:
In order to prevent denial of service attacks, an invalidation
based on the URI in a Location or Content-Location header MUST
only be performed if the host part is the same as in the Request-URI.
The following clarification, along with separating the clause
explaining the rationale for the rule, is suggested:
An invalidation based on the URI in a Location or Content-Location header MUST
NOT be performed if the host part of that URI differs from the
host part in the Request-URI. This helps
prevent denial of service attacks.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/12
In section 3.2.2, http_URL is defined as follows:
<blockquote><p>http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]</p></blockquote>
<p>However, RFC 2616 does not contain a rule called "query". I assume this is
meant to be the same "query" that is defined in RFC 2396, since section 3.2.1
incorporates "URI-reference", "absoluteURI", "relativeURI", "port", "host",
"abs_path", "rel_path", and "authority" from that specification (but "query" is
missing from this list).</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/26
RFC 2616 reads:
<p>A string of text is parsed as a single word if it is quoted using
double-quote marks.</p>
quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
qdtext = <any TEXT except <">>
<p>The backslash character ("\") MAY be used as a single-character
quoting mechanism only within quoted-string and comment constructs.</p>
quoted-pair = "\" CHAR
<p>I wrote a regular
expression based on the RFC 2616 definition, and that allows "foo\"
as a quoted-string. That's not intended, is it?</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/31
RFC 1766, which is referenced by RFC 2616 section 3.10 as the source
for its definition of language tags has a BNF has been updated
by RFC3066 (a BCP).
RFC 3066 defines these as:
Language-Tag = Primary-subtag *( "-" Subtag )
Primary-subtag = 1*8ALPHA
Subtag = 1*8(ALPHA / DIGIT)
HTTP/1.1 RFC 2616 defines these as:
language-tag = primary-tag *( "-" subtag )
primary-tag = 1*8ALPHA
subtag = 1*8ALPHA
In the meantime, RFC3066 has been obsoleted by RFC4646, and the original grammar production defining subtags seems to be gone:
Language-Tag = langtag
/ privateuse ; private use tag
/ grandfathered ; grandfathered registrations
langtag = (language
["-" script]
["-" region]
*("-" variant)
*("-" extension)
["-" privateuse])
language = (23ALPHA [ extlang ]) ; shortest ISO 639 code
/ 4ALPHA ; reserved for future use
/ 58ALPHA ; registered language subtag
extlang = *3("-" 3ALPHA) ; reserved for future use
script = 4ALPHA ; ISO 15924 code
region = 2ALPHA ; ISO 3166 code
/ 3DIGIT ; UN M.49 code
variant = 5*8alphanum ; registered variants
/ (DIGIT 3alphanum)
extension = singleton 1*("-" (2*8alphanum))
singleton = %x41-57 / %x59-5A / %x61-77 / %x79-7A / DIGIT
; "a"-"w" / "y"-"z" / "A"-"W" / "Y"-"Z" / "0"-"9"
; Single letters: x/X is reserved for private use
privateuse = ("x"/"X") 1*("-" (1*8alphanum))
grandfathered = 13ALPHA 12("-" (2*8alphanum))
; grandfathered registration
; Note: i is the only singleton
; that starts a grandfathered tag
alphanum = (ALPHA / DIGIT) ; letters and numbers
So shouldn't RFC2616 (Section 3.10) stop defining these things, and just normatively refer to RFC4626 for the definition of "Language-Tag"?
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/13
In the rules for comparison of URIs [section 3.2.3],
it says:
Characters other than those in the "reserved" and "unsafe"
sets (see RFC 2396 [42](../commit/42)) are equivalent to their ""%" HEX HEX" encoding.
but RFC 2396 has no definition of a character set called "unsafe".
The paragraph should read:
Characters other than those in the "reserved" set (see
RFC 2396 [42](../commit/42)) are equivalent to their ""%" HEX HEX" encoding.
This was an historical artifact. An earlier HTTP draft had defined a set
of 'unsafe' characters, but they were characters that were not valid in a
URI, so making a special case in the comparison rule was not needed.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/2
<style type="text/css">
.error {background-color: red}
.correct {background-color: green}
</style>
The "identity" transfer coding was removed, but some references to it were not.
In section
3.6, remove reference to non-existant section
The Internet Assigned Numbers Authority (IANA) acts as a registry for
transfer-coding value tokens. Initially, the registry contains the
following tokens: "chunked" (section 3.6.1), "identity" (section
3.6.2), "gzip" (section 3.5), "compress" (section 3.5), and "deflate"
(section 3.5).
It should be:
The Internet Assigned Numbers Authority (IANA) acts as a registry for
transfer-coding value tokens. Initially, the registry contains the
following tokens: "chunked" (section 3.6.1), "gzip" (section 3.5),
"compress" (section 3.5), and "deflate" (section 3.5).
In section
4.4 remove 'other than identity' for Transfer-Encoding case
since identity is not a valid value.
2.If a Transfer-Encoding header field (section 14.41) is present
and
has any value other than "identity", then the transfer-length is
defined by use of the "chunked" transfer-coding (section 3.6),
unless the message is terminated by closing the connection.
It should be:
2.If a Transfer-Encoding header field (section 14.41) is present,
then the transfer-length is defined by use of the "chunked"
transfer-coding (section 3.6), unless the message is terminated
by closing the connection.
Messages MUST NOT include both a Content-Length header field and a
non-identity transfer-coding. If the message does include a
non-identity transfer-coding, the Content-Length MUST be ignored.
It should be:
Messages MUST NOT include both a Content-Length header field and a
transfer-coding. If the message does include a transfer-coding,
the Content-Length MUST be ignored.
In section 19.4.5 remove 'identity' CTE.
HTTP does not use the Content-Transfer-Encoding (CTE) field of RFC
2045. Proxies and gateways from MIME-compliant protocols to HTTP MUST
remove any non-identity CTE ("quoted-printable" or "base64") encoding
prior to delivering the response message to an HTTP client.
It should be:
HTTP does not use the Content-Transfer-Encoding field of RFC
2045. Proxies and gateways from MIME-compliant protocols to HTTP MUST
remove any Content-Transfer-Encoding prior to delivering the response message to
an HTTP client.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/16
What work needs to be done to the Security Considerations section
of RFC2616 to allow publication of a revision? E.g., does HTTP need to specify
a Mandatory To Implement mechanism?
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/41
From experience I think it's also worthwhile to further stress the
importance of ETag uniqueness among variants of a URI. Very few
implementations get this part correct. In fact most major web servers
have issues here...
<p>Some even strongly believe that entities with different Content-Encoding
is the same entity, arguing that since most encoding (at least the
standardized ones) can be converted to the same identity encoding so
they are in fact the same entity and should have the same strong ETag.</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/39
RFC 2616 says:
Because the request that resulted in the returned Age value must have
been initiated prior to that Age value's generation, we can correct
for delays imposed by the network by recording the time at which the
request was initiated. Then, when an Age value is received, it MUST
be interpreted relative to the time the request was initiated...
So, we compute:
<p>corrected_initial_age = corrected_received_age
+ (now - request_time)</p>
</blockquote>
<p>I suspect the formula does not match the true intent of the RFC
authors. I believe that corrected_initial_age formula counts
server-to-client delays twice. It does that because the
corrected_received_age component already accounts for one
server-to-client delay. Here is an annotated definition from the RFC:</p>
corrected_received_age = max(
now - date_value, # trust the clock (includes server-to-client delay!)
age_value) # all-HTTP/1.1 paths (no server-to-client delay)
<p>I think it is possible to fix the corrected_initial_age formula to
match the intent (note this is the *initial* not *received* age):</p>
corrected_initial_age = max(
now - date_value, # trust the clock (includes delays)
age_value + now - request_time) # trust Age, add network delays
<p>There is no need for corrected_received_age.</p>
<p>Moreover, it looks ALL the formulas computing current_age go away with
the above new corrected_initial_age definition as long as "now" is
still defined as "the current time" (i.e., the time when current_age
is calculated):</p>
<pre>current_age = corrected_initial_age</pre>
<p>So, we end up with a single formula for all cases and all times:</p>
<p>current_age = max(now - date_value, age_value + now - request_time) =
= now - min(date_value, request_time - age_value)</p>
<p>It even has a clear physical meaning -- the min() part is the conservative
estimate of object creation time.</p>
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/29
Section 14.10 says:
HTTP/1.1 applications that do not support persistent connections MUST
include the "close" connection option in every message.
it should say:
An HTTP/1.1 client that does not support persistent connections MUST
include the "close" connection option in every request message.
An HTTP/1.1 server that does not support persistent connections MUST
include the "close" connection option in every response message
that does not have a 1xx (informational) status code.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/15
A revision of RFC2616 should mention BCP 90 (Registration Procedures for Message Header Fields) and should take over as the authoritative reference for the headers it contains.
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/40
Recommend Projects
-
-
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
An Open Source Machine Learning Framework for Everyone
-
The Web framework for perfectionists with deadlines.
-
A PHP framework for web artisans
-
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
Some thing interesting about web. New door for the world.
-
A server is a program made to process requests and deliver data to clients.
-
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Some thing interesting about visualization, use data art
-
Some thing interesting about game, make everyone happy.
-
Recommend Org
-
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Open source projects and samples from Microsoft.
-
Google โค๏ธ Open Source for everyone.
-
Alibaba Open Source for everyone
-
Data-Driven Documents codes.
-
China tencent open source team.
-