The ORIGIN Extension in HTTP/3Akamaimbishop@evequefou.be
art
httpbisThe ORIGIN frame for HTTP/2 is equally applicable to HTTP/3, but it
needs to be separately registered. This document describes the ORIGIN
frame for HTTP/3.Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
Table of Contents
. Introduction
. Notational Conventions
. The ORIGIN HTTP/3 Frame
. Frame Layout
. Security Considerations
. IANA Considerations
. References
. Normative References
. Informative References
Author's Address
IntroductionExisting RFCs define extensions to HTTP/2 that remain useful in
HTTP/3. describes the required updates for HTTP/2
frames to be used with HTTP/3. defines the HTTP/2 ORIGIN frame, which indicates what
origins are available on a given connection. It defines a single HTTP/2 frame
type.Notational ConventionsThe key words "MUST", "MUST NOT",
"REQUIRED", "SHALL",
"SHALL NOT", "SHOULD",
"SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document
are to be interpreted as described in BCP 14
when, and only
when, they appear in all capitals, as shown here.The frame diagram in this document uses the format defined in to illustrate the order and size of fields.The ORIGIN HTTP/3 FrameThe ORIGIN HTTP/3 frame allows a server to indicate what origin or origins
the server would like the client to consider as one or more members of the
Origin Set () for the connection within which it
occurs.The semantics of the frame payload are identical to those of the HTTP/2 frame
defined in . Where HTTP/2 reserves stream 0 for frames related to the
state of the connection, HTTP/3 defines a pair of unidirectional streams called
"control streams" for this purpose.Where indicates that the ORIGIN
frame is sent on stream 0, this should be interpreted to mean the HTTP/3
control stream: that is, the ORIGIN frame is sent from servers to clients on the
server's control stream.HTTP/3 does not define a Flags field in the generic frame layout. As no flags
have been defined for the ORIGIN frame, this specification does not define a
mechanism for communicating such flags in HTTP/3.Frame LayoutThe ORIGIN frame has a layout that is nearly identical to the layout used in HTTP/2; the information is restated
here for clarity. The ORIGIN frame type is 0x0c (decimal 12), as in HTTP/2. The
payload contains zero or more instances of the Origin-Entry field.ORIGIN Frame Layout
HTTP/3 Origin-Entry {
Origin-Len (16),
ASCII-Origin (..),
}
HTTP/3 ORIGIN Frame {
Type (i) = 0x0c,
Length (i),
Origin-Entry (..) ...,
}
An Origin-Entry is a length-delimited string. Specifically, it contains two
fields:
Origin-Len:
An unsigned, 16-bit integer indicating the length, in octets, of
the ASCII-Origin field.
ASCII-Origin:
An OPTIONAL sequence of characters containing the ASCII serialization of an
origin () that the sender asserts this connection is
or could be authoritative for.
Security ConsiderationsThis document introduces no new security considerations beyond those discussed
in and .IANA ConsiderationsThis document registers a frame type in the "HTTP/3 Frame Types"
registry defined by , located at .
Value:
0x0c
Frame Type:
ORIGIN
Status:
permanent
Reference:
Date:
2023-03-14
Change Controller:
IETF
Contact:
HTTP WG <ietf-http-wg@w3.org>
ReferencesNormative ReferencesHTTP/2This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced latency by introducing field compression and allowing multiple concurrent exchanges on the same connection.This document obsoletes RFCs 7540 and 8740.HTTP/3The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3.The ORIGIN HTTP/2 FrameThis document specifies the ORIGIN frame for HTTP/2, to indicate what origins are available on a given connection.Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Informative ReferencesQUIC: A UDP-Based Multiplexed and Secure TransportThis document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.The Web Origin ConceptThis document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named "Origin", that indicates which origins are associated with an HTTP request. [STANDARDS-TRACK]Author's AddressAkamaimbishop@evequefou.be