idnits 2.17.00 (12 Aug 2021) /tmp/idnits35511/draft-ietf-appsawg-json-patch-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 5, 2012) is 3453 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: draft-ietf-appsawg-json-pointer has been published as RFC 6901 ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159) -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Applications Area Working Group P. Bryan, Ed. 3 Internet-Draft Salesforce.com 4 Intended status: Informational M. Nottingham, Ed. 5 Expires: June 8, 2013 Akamai 6 December 5, 2012 8 JSON Patch 9 draft-ietf-appsawg-json-patch-07 11 Abstract 13 JSON Patch defines the media type "application/json-patch", a JSON 14 document structure for expressing a sequence of operations to apply 15 to a JSON document. 17 Status of this Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on June 8, 2013. 34 Copyright Notice 36 Copyright (c) 2012 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 3. Document Structure . . . . . . . . . . . . . . . . . . . . . . 3 54 4. Operations . . . . . . . . . . . . . . . . . . . . . . . . . . 4 55 4.1. add . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 56 4.2. remove . . . . . . . . . . . . . . . . . . . . . . . . . . 5 57 4.3. replace . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 4.4. move . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 59 4.5. copy . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 60 4.6. test . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 61 5. Error Handling . . . . . . . . . . . . . . . . . . . . . . . . 7 62 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 63 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 64 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 65 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 66 9.1. Normative References . . . . . . . . . . . . . . . . . . . 10 67 9.2. Informative References . . . . . . . . . . . . . . . . . . 10 68 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 10 69 A.1. Adding an Object Member . . . . . . . . . . . . . . . . . 10 70 A.2. Adding an Array Element . . . . . . . . . . . . . . . . . 11 71 A.3. Removing an Object Member . . . . . . . . . . . . . . . . 11 72 A.4. Removing an Array Element . . . . . . . . . . . . . . . . 12 73 A.5. Replacing a Value . . . . . . . . . . . . . . . . . . . . 12 74 A.6. Moving a Value . . . . . . . . . . . . . . . . . . . . . . 12 75 A.7. Moving an Array Element . . . . . . . . . . . . . . . . . 13 76 A.8. Testing a Value: Success . . . . . . . . . . . . . . . . . 14 77 A.9. Testing a Value: Error . . . . . . . . . . . . . . . . . . 14 78 A.10. Adding a nested Member Object . . . . . . . . . . . . . . 14 79 A.11. Ignoring Unrecognized Elements . . . . . . . . . . . . . . 15 80 A.12. Adding to a Non-existant Target . . . . . . . . . . . . . 15 81 A.13. Invalid JSON Patch Document . . . . . . . . . . . . . . . 16 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 84 1. Introduction 86 JavaScript Object Notation (JSON) [RFC4627] is a common format for 87 the exchange and storage of structured data. HTTP PATCH [RFC5789] 88 extends the Hypertext Transfer Protocol (HTTP) [RFC2616] with a 89 method to perform partial modifications to resources. 91 JSON Patch is a format (identified by the media type "application/ 92 json-patch") for expressing a sequence of operations to apply to a 93 target JSON document, suitable for use with the HTTP PATCH method. 95 This format is also potentially useful in other cases when it's 96 necessary to make partial updates to a JSON document. 98 2. Conventions 100 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 101 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 102 document are to be interpreted as described in RFC 2119 [RFC2119]. 104 See Section 5 for information about handling errors. 106 3. Document Structure 108 A JSON Patch document is a JSON [RFC4627] document that represents an 109 array of objects. Each object represents a single operation to be 110 applied to the target JSON document. 112 An example JSON Patch document: 114 [ 115 { "op": "test", "path": "/a/b/c", "value": "foo" }, 116 { "op": "remove", "path": "/a/b/c" }, 117 { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] }, 118 { "op": "replace", "path": "/a/b/c", "value": 42 }, 119 { "op": "move", "from": "/a/b/c", "path": "/a/b/d" }, 120 { "op": "copy", "from": "/a/b/d", "path": "/a/b/e" } 121 ] 123 Evaluation of a JSON Patch document begins with a target JSON 124 document. Operations are applied sequentially in the order they 125 appear in the array. Each operation in the sequence is applied to 126 the target document; the resulting document becomes the target of the 127 next operation. Evaluation continues until all operations are 128 successfully applied, or an error condition is encountered. 130 4. Operations 132 Operation objects MUST have exactly one "op" member, whose value 133 indicates the operation to perform. Its value MUST be one of "add", 134 "remove", "replace", "move", "copy" or "test". The semantics of each 135 is defined below. 137 Additionally, operation objects MUST have exactly one "path" member, 138 whose value MUST be a string containing a [JSON-Pointer] value that 139 references a location within the target document to perform the 140 operation (the "target location"). 142 Other members of operation objects MUST be ignored, unless they are 143 explicitly allowed by the definition of the operation. 145 Note that the ordering of members in JSON objects is not significant; 146 therefore, the following operation objects are equivalent: 148 { "op": "add", "path": "/a/b/c", "value": "foo" } 149 { "path": "/a/b/c", "op": "add", "value": "foo" } 150 { "value": "foo", "path": "/a/b/c", "op": "add" } 152 Operations are applied to the data structures represented by a JSON 153 document; i.e., after unescaping takes place. 155 4.1. add 157 The "add" operation adds a new value at the target location. The 158 operation object MUST contain a "value" member that specifies the 159 value to be added. 161 For example: 163 { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] } 165 When the operation is applied, the target location MUST reference one 166 of: 168 o The root of the target document - whereupon the specified value 169 becomes the entire content of the target document. 171 o A member to add to an existing object - whereupon the supplied 172 value is added to that object at the indicated location. If the 173 member already exists, it is replaced by the specified value. 175 o An element to add to an existing array - whereupon the supplied 176 value is added to the array at the indicated location. Any 177 elements at or above the specified index are shifted one position 178 to the right. The specified index MUST NOT be greater than the 179 number of elements in the array. If the "-" character is used to 180 index the end of the array, this has the effect of appending the 181 value to the array. 183 Note that this operation can, in common use, have a target location 184 that does not resolve to an existing value, resulting in the 185 pointer's error handling algorithm being invoked. This specification 186 defines the error handling algorithm for "add" pointers to explicitly 187 ignore the error and perform the operation as specified. 189 However, if the object or array containing it does not exist, it is 190 an error. 192 For example, "add"ing to the path "/a/b" to this document: 194 { "a": { "foo": 1 } } 196 is not an error, because "a" exists, and "b" will be added to its 197 value. It is an error in this document: 199 { "q": { "bar": 2 } } 201 because "a" does not exist. 203 4.2. remove 205 The "remove" operation removes the value at the target location. 207 The target location MUST exist for the operation to be successful. 209 For example: 211 { "op": "remove", "path": "/a/b/c" } 213 If removing an element from an array, any elements above the 214 specified index are shifted one position to the left. 216 4.3. replace 218 The "replace" operation replaces the value at the target location 219 with a new value. The operation object MUST contain a "value" member 220 that specifies the replacement value. 222 The target location MUST exist for the operation to be successful. 224 For example: 226 { "op": "replace", "path": "/a/b/c", "value": 42 } 228 This operation is functionally identical to a "remove" operation for 229 a value, followed immediately by an "add" operation at the same 230 location with the replacement value. 232 4.4. move 234 The "move" operation removes the value at a specified location and 235 adds it to the target location. 237 The operation object MUST contain a "from" member, a string 238 containing a JSON Pointer value that references the location in the 239 target document to move the value from. 241 The "from" location MUST exist for the operation to be successful. 243 For example: 245 { "op": "move", "from": "/a/b/c", "path": "/a/b/d" } 247 This operation is functionally identical to a "remove" operation on 248 the "from" location, followed immediately by an "add" operation at 249 the target location with the value that was just removed. 251 The target location MUST NOT be part of the location defined by 252 "from"; i.e., a location cannot be moved into one of its children. 254 4.5. copy 256 The "copy" operation copies the value at a specified location to the 257 target location. 259 The operation object MUST contain a "from" member, a string 260 containing a JSON Pointer value that references the location in the 261 target document to copy the value from. 263 The "from" location MUST exist for the operation to be successful. 265 For example: 267 { "op": "copy", "from": "/a/b/c", "path": "/a/b/e" } 269 This operation is functionally identical to an "add" operation at the 270 target location using the value specified in the "from". 272 4.6. test 274 The "test" operation tests that a value at the target location is 275 equal to a specified value. 277 The operation object MUST contain a "value" member that conveys the 278 value to be compared to that at the target location. 280 The target location MUST be equal to the "value" value for the 281 operation to be considered successful. 283 Here, "equal" means that the value at the target location and the 284 value conveyed by "value" are of the same JSON type, and considered 285 equal by the following rules for that type: 287 o strings: are considered equal if they contain the same number of 288 Unicode characters and their code points are position-wise equal. 290 o numbers: are considered equal if their values are numerically 291 equal. 293 o arrays: are considered equal if they contain the same number of 294 values, and each value can be considered equal to the value at the 295 corresponding position in the other array. 297 o objects: are considered equal if they contain the same number of 298 members, and each member can be considered equal to a member in 299 the other object, by comparing their keys as strings, and values 300 using this list of type-specific rules. 302 o literals (false, true and null): are considered equal if they are 303 the same. 305 Note that this is a logical comparison; e.g., whitespace between the 306 member values of an array is not significant. 308 Also, note that ordering of the serialisation of object members is 309 not significant. 311 For example: 313 { "op": "test", "path": "/a/b/c", "value": "foo" } 315 5. Error Handling 317 If a RFC2119 [RFC2119] requirement is violated by a JSON Patch 318 document, or if an operation is not successful, evaluation of the 319 JSON Patch document SHOULD terminate and application of the entire 320 patch document SHALL NOT be deemed successful. 322 See [RFC5789], Section 2.2 for considerations regarding handling 323 errors when JSON Patch is used with the HTTP PATCH method, including 324 suggested status codes to use to indicate various conditions. 326 Note that the HTTP PATCH method is atomic, as per [RFC5789]. 327 Therefore, the following patch would result in no changes being made 328 to the document at all (because the "test" operation results in an 329 error). 331 [ 332 { "op": "replace", "path": "/a/b/c", "value": 42 }, 333 { "op": "test", "path": "/a/b/c", "value": "C" } 334 ] 336 6. IANA Considerations 338 The Internet media type for a JSON Patch document is application/ 339 json-patch. 341 Type name: application 343 Subtype name: json-patch 345 Required parameters: none 347 Optional parameters: none 349 Encoding considerations: binary 351 Security considerations: 352 See Security Considerations in section 7. 354 Interoperability considerations: N/A 356 Published specification: 357 [this memo] 359 Applications that use this media type: 360 Applications that manipulate JSON documents. 362 Additional information: 364 Magic number(s): N/A 366 File extension(s): .json-patch 368 Macintosh file type code(s): TEXT 370 Person & email address to contact for further information: 371 Paul C. Bryan 373 Intended usage: COMMON 375 Restrictions on usage: none 377 Author: Paul C. Bryan 379 Change controller: IETF 381 7. Security Considerations 383 This specification has the same security considerations as JSON 384 [RFC4627] and [JSON-Pointer]. 386 A few older Web browsers can be coerced into loading an arbitrary 387 JSON document whose root is an array, leading to a situation where a 388 JSON Patch document containing sensitive information could be exposed 389 to attackers, even if access is authenticated. This is known as a 390 Cross-Site Request Forgery (CSRF) attack [CSRF]. 392 However, such browsers are not widely used ( estimated to comprise 393 less than 1% of the market, at the time of writing). Publishers who 394 are nevertheless concerned about this attack are advised to avoid 395 making such documents available with HTTP GET. 397 8. Acknowledgements 399 The following individuals contributed ideas, feedback and wording to 400 this specification: 402 Mike Acar, Mike Amundsen, Cyrus Daboo, Paul Davis, Murray S. 403 Kucherawy, Dean Landolt, Randall Leeds, James Manger, Julian 404 Reschke, James Snell, Eli Stevens and Henry S. Thompson. 406 The structure of a JSON Patch document was influenced by the XML 407 Patch document [RFC5261] specification. 409 9. References 411 9.1. Normative References 413 [JSON-Pointer] 414 Bryan, P., Zyp, K., and M. Nottingham, "JSON Pointer", 415 draft-ietf-appsawg-json-pointer-06 (work in progress), 416 November 2012. 418 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 419 Requirement Levels", BCP 14, RFC 2119, March 1997. 421 [RFC4627] Crockford, D., "The application/json Media Type for 422 JavaScript Object Notation (JSON)", RFC 4627, July 2006. 424 9.2. Informative References 426 [CSRF] Barth, A., Jackson, C., and J. Mitchell, "Robust Defenses 427 for Cross-Site Request Forgery". 429 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 430 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 431 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 433 [RFC5261] Urpalainen, J., "An Extensible Markup Language (XML) Patch 434 Operations Framework Utilizing XML Path Language (XPath) 435 Selectors", RFC 5261, September 2008. 437 [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", 438 RFC 5789, March 2010. 440 Appendix A. Examples 442 A.1. Adding an Object Member 444 An example target JSON document: 446 { 447 "foo": "bar" 448 } 450 A JSON Patch document: 452 [ 453 { "op": "add", "path": "/baz", "value": "qux" } 454 ] 455 The resulting JSON document: 457 { 458 "baz": "qux", 459 "foo": "bar" 460 } 462 A.2. Adding an Array Element 464 An example target JSON document: 466 { 467 "foo": [ "bar", "baz" ] 468 } 470 A JSON Patch document: 472 [ 473 { "op": "add", "path": "/foo/1", "value": "qux" } 474 ] 476 The resulting JSON document: 478 { 479 "foo": [ "bar", "qux", "baz" ] 480 } 482 A.3. Removing an Object Member 484 An example target JSON document: 486 { 487 "baz": "qux", 488 "foo": "bar" 489 } 491 A JSON Patch document: 493 [ 494 { "op": "remove", "path": "/baz" } 495 ] 497 The resulting JSON document: 499 { 500 "foo": "bar" 501 } 503 A.4. Removing an Array Element 505 An example target JSON document: 507 { 508 "foo": [ "bar", "qux", "baz" ] 509 } 511 A JSON Patch document: 513 [ 514 { "op": "remove", "path": "/foo/1" } 515 ] 517 The resulting JSON document: 519 { 520 "foo": [ "bar", "baz" ] 521 } 523 A.5. Replacing a Value 525 An example target JSON document: 527 { 528 "baz": "qux", 529 "foo": "bar" 530 } 532 A JSON Patch document: 534 [ 535 { "op": "replace", "path": "/baz", "value": "boo" } 536 ] 538 The resulting JSON document: 540 { 541 "baz": "boo", 542 "foo": "bar" 543 } 545 A.6. Moving a Value 547 An example target JSON document: 549 { 550 "foo": { 551 "bar": "baz", 552 "waldo": "fred" 553 }, 554 "qux": { 555 "corge": "grault" 556 } 557 } 559 A JSON Patch document: 561 [ 562 { "op": "move", "from": "/foo/waldo", "path": "/qux/thud" } 563 ] 565 The resulting JSON document: 567 { 568 "foo": { 569 "bar": "baz" 570 }, 571 "qux": { 572 "corge": "grault", 573 "thud": "fred" 574 } 575 } 577 A.7. Moving an Array Element 579 An example target JSON document: 581 { 582 "foo": [ "all", "grass", "cows", "eat" ] 583 } 585 A JSON Patch document: 587 [ 588 { "op": "move", "from": "/foo/1", "path": "/foo/3" } 589 ] 591 The resulting JSON document: 593 { 594 "foo": [ "all", "cows", "eat", "grass" ] 595 } 597 A.8. Testing a Value: Success 599 An example target JSON document: 601 { 602 "baz": "qux", 603 "foo": [ "a", 2, "c" ] 604 } 606 A JSON Patch document that will result in successful evaluation: 608 [ 609 { "op": "test", "path": "/baz", "value": "qux" }, 610 { "op": "test", "path": "/foo/1", "value": 2 } 611 ] 613 A.9. Testing a Value: Error 615 An example target JSON document: 617 { 618 "baz": "qux" 619 } 621 A JSON Patch document that will result in an error condition: 623 [ 624 { "op": "test", "path": "/baz", "value": "bar" } 625 ] 627 A.10. Adding a nested Member Object 629 An example target JSON document: 631 { 632 "foo": "bar" 633 } 635 A JSON Patch document: 637 [ 638 { "op": "add", "path": "/child", "value": { "grandchild": { } } } 639 ] 641 The resulting JSON document: 643 { 644 "foo": "bar", 645 "child": { 646 "grandchild": { 647 } 648 } 649 } 651 A.11. Ignoring Unrecognized Elements 653 An example target JSON document: 655 { 656 "foo":"bar" 657 } 659 A JSON Patch document: 661 [ 662 { "op": "add", "path": "/baz", "value": "qux", "xyz": 123 } 663 ] 665 The resulting JSON document: 667 { 668 "foo":"bar", 669 "baz":"qux" 670 } 672 A.12. Adding to a Non-existant Target 674 An example target JSON document: 676 { 677 "foo": "bar" 678 } 680 A JSON Patch document: 682 [ 683 { "op": "add", "path": "/baz/bat", "value": "qux" } 684 ] 686 This JSON Patch document, applied to the target JSON document above, 687 would result in an error (therefore not being applied) because the 688 "add" operation's target location that references neither the root of 689 the document, nor a member of an existing object, nor a member of an 690 existing array. 692 A.13. Invalid JSON Patch Document 694 A JSON Patch document: 696 [ 697 { "op": "add", "path": "/baz", "value": "qux", "op": "remove" } 698 ] 700 This JSON Patch document cannot be treated as an "add" operation 701 since there is a later "op":"remove" element. A JSON parser that 702 hides such duplicate element names therefore cannot be used unless it 703 always exposes only the last element with a given name (eg 704 "op":"remove" in this example). 706 Authors' Addresses 708 Paul C. Bryan (editor) 709 Salesforce.com 711 Phone: +1 604 783 1481 712 Email: pbryan@anode.ca 714 Mark Nottingham (editor) 715 Akamai 717 Email: mnot@mnot.net