W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

#446: alt-svc header field syntax

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 01 Apr 2014 10:04:06 +0200
Message-ID: <533A72F6.8090609@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>
On 2014-03-05 20:59, Julian Reschke wrote:
> So,
>
>>  Alt-Svc     = 1#( alternate *( OWS ";" OWS parameter ) )
>>    alternate   = <"> protocol-id <"> "=" port
>
> <"> can be written better as DQUOTE.
>
> That being said, HTTPbis P2 has this advice:
>
> "Note that double-quote delimiters almost always are used with the
> quoted-string production; using a different syntax inside double-quotes
> will likely cause unnecessary confusion."
>
> So I'd propose to either make it a full blown quoted-string, or to use a
> different quote character ("<" and ">"?).
>
>>    Finally, note that while it may be technically possible to put
>>    content other than printable ASCII in a HTTP header, some
>>    implementations only support ASCII (or a superset of it) in header
>>    field values.  Therefore, this field SHOULD NOT be used to convey
>>    protocol identifiers that are not printable ASCII, or those that
>>    contain quote characters.
>
> The note wrt to quote characters is either a statement of fact (can't),
> or should be a MUST.
>
> A simpler way out of this might be to say:
>
>    alternate   = alt-token "=" port
>    alt-token   = token ; alpn protocol identifier where non-token octets
> are uri-percent-escaped
>
> That (1) avoids quoting, (2) makes it possible to use all syntactically
> valid protocol identifiers, and last but not least (3) makes the common
> case simpler.
>
> Best regards, Julian

So I have made this change in the editor's copy of the spec. The change 
makes the description of the field slightly more complex, but I claim 
actual implementations will simpler.

The field description now reads:

3.  The Alt-Svc HTTP Header Field

    An HTTP(S) origin server can advertise the availability of
    alternative services to clients by adding an Alt-Svc header field to
    responses.

    Alt-Svc     = 1#( alternative *( OWS ";" OWS parameter ) )
    alternative = protocol-id "=" port
    protocol-id = token ; percent-encoded ALPN protocol identifier

    ALPN protocol names are octet sequences with no additional
    constraints on format.  Octets not allowed in tokens ([HTTP-p1],
    Section 3.2.6) MUST be percent-encoded as per Section 2.1 of
    [RFC3986].  Consequently, the octet representing the percent
    character "%" (hex 25) MUST be percent-encoded as well.

    In order to have precisely one way to represent any ALPN protocol
    name, the following additional constraints apply:

    1.  Octets in the ALPN protocol MUST NOT be percent-encoded if they
        are valid token characters except "%", and

    2.  When using percent-encoding, uppercase hex digits MUST be used.

    With these constraints, recipients can apply simple string comparison
    to match protocol identifiers.

    For example:

    Alt-Svc: http2=8000

    This indicates that the "http2" protocol on the same host using the
    indicated port (in this case, 8000).

    Examples for protocol name escaping:

    +--------------------+-------------+---------------------+
    | ALPN protocol name | protocol-id | Note                |
    +--------------------+-------------+---------------------+
    | http2              | http2       | No escaping needed  |
    +--------------------+-------------+---------------------+
    | w=x:y#z            | w%3Dx%3Ay#z | "=" and ":" escaped |
    +--------------------+-------------+---------------------+
    | x%y                | x%25y       | "%" needs escaping  |
    +--------------------+-------------+---------------------+

    Alt-Svc MAY occur in any HTTP response message, regardless of the
    status code.

    Alt-Svc does not allow advertisement of alternative services on other
    hosts, to protect against various header-based attacks.

    It can, however, have multiple values:

    Alt-Svc: h2c=8000, h2=443

    The value(s) advertised by Alt-Svc can be used by clients to open a
    new connection to one or more alternative services immediately, or
    simultaneously with subsequent requests on the same connection.

    Intermediaries MUST NOT change or append Alt-Svc field values.


Best regards, Julian
Received on Tuesday, 1 April 2014 08:04:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:29 UTC