idnits 2.17.00 (12 Aug 2021) /tmp/idnits14249/draft-ietf-httpapi-rfc7807bis-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC7807, but the abstract doesn't seem to directly say this. It does mention RFC7807 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == Line 691 has weird spacing: '...element type ...' == Line 692 has weird spacing: '...element title...' == Line 693 has weird spacing: '...element detai...' == Line 694 has weird spacing: '...element statu...' == Line 695 has weird spacing: '...element insta...' == (1 more instance...) -- The document date (16 April 2022) is 28 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC4918' is defined on line 601, but no explicit reference was found in the text -- Possible downref: Normative reference to a draft: ref. 'HTTP' -- Possible downref: Non-RFC (?) normative reference: ref. 'XML' Summary: 0 errors (**), 0 flaws (~~), 7 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTPAPI M. Nottingham 3 Internet-Draft 4 Obsoletes: 7807 (if approved) E. Wilde 5 Intended status: Standards Track 6 Expires: 18 October 2022 S. Dalal 7 16 April 2022 9 Problem Details for HTTP APIs 10 draft-ietf-httpapi-rfc7807bis-02 12 Abstract 14 This document defines a "problem detail" to carry machine-readable 15 details of errors in a HTTP response to avoid the need to define new 16 error response formats for HTTP APIs. 18 Discussion Venues 20 This note is to be removed before publishing as an RFC. 22 Source for this draft and an issue tracker can be found at 23 https://github.com/ietf-wg-httpapi/rfc7807bis. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at https://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on 18 October 2022. 42 Copyright Notice 44 Copyright (c) 2022 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 49 license-info) in effect on the date of publication of this document. 50 Please review these documents carefully, as they describe your rights 51 and restrictions with respect to this document. Code Components 52 extracted from this document must include Revised BSD License text as 53 described in Section 4.e of the Trust Legal Provisions and are 54 provided without warranty as described in the Revised BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. The Problem Details JSON Object . . . . . . . . . . . . . . . 4 61 3.1. Members of a Problem Details Object . . . . . . . . . . . 5 62 3.1.1. "type" . . . . . . . . . . . . . . . . . . . . . . . 5 63 3.1.2. "status" . . . . . . . . . . . . . . . . . . . . . . 6 64 3.1.3. "title" . . . . . . . . . . . . . . . . . . . . . . . 7 65 3.1.4. "detail" . . . . . . . . . . . . . . . . . . . . . . 7 66 3.1.5. "instance" . . . . . . . . . . . . . . . . . . . . . 7 67 3.2. Extension Members . . . . . . . . . . . . . . . . . . . . 8 68 4. Defining New Problem Types . . . . . . . . . . . . . . . . . 8 69 4.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 10 70 4.2. Registered Problem Types . . . . . . . . . . . . . . . . 10 71 4.2.1. about:blank . . . . . . . . . . . . . . . . . . . . . 11 72 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 73 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 74 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 75 7.1. Normative References . . . . . . . . . . . . . . . . . . 12 76 7.2. Informative References . . . . . . . . . . . . . . . . . 13 77 Appendix A. JSON Schema for HTTP Problems . . . . . . . . . . . 14 78 Appendix B. HTTP Problems and XML . . . . . . . . . . . . . . . 15 79 Appendix C. Using Problem Details with Other Formats . . . . . . 17 80 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 18 81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 83 1. Introduction 85 HTTP status codes (Section 15 of [HTTP]) cannot always convey enough 86 information about errors to be helpful. While humans using Web 87 browsers can often understand an HTML [HTML5] response body, non- 88 human consumers of HTTP APIs have difficulty doing so. 90 To address that shortcoming, this specification defines simple JSON 91 [RFC8259] and XML [XML] document formats to describe the specifics of 92 problem(s) encountered -- "problem details". 94 For example, consider a response indicating that the client's account 95 doesn't have enough credit. The API's designer might decide to use 96 the 403 Forbidden status code to inform HTTP-generic software (such 97 as client libraries, caches, and proxies) of the response's general 98 semantics. API-specific problem details (such as the why the server 99 refused the request and the applicable account balance) can be 100 carried in the response content, so that the client can act upon them 101 appropriately (for example, triggering a transfer of more credit into 102 the account). 104 This specification identifies the specific "problem type" (e.g., "out 105 of credit") with a URI [RFC3986]. HTTP APIs can use URIs under their 106 control to identify problems specific to them, or can reuse existing 107 ones to facilitate interoperability and leverage common semantics 108 (see Section 4.2). 110 Problem details can contain other information, such as a URI 111 identifying the problem's specific occurrence (effectively giving an 112 identifier to the concept "The time Joe didn't have enough credit 113 last Thursday"), which can be useful for support or forensic 114 purposes. 116 The data model for problem details is a JSON [RFC8259] object; when 117 serialized as a JSON document, it uses the "application/problem+json" 118 media type. Appendix B defines an equivalent XML format, which uses 119 the "application/problem+xml" media type. 121 Note that problem details are (naturally) not the only way to convey 122 the details of a problem in HTTP. If the response is still a 123 representation of a resource, for example, it's often preferable to 124 describe the relevant details in that application's format. 125 Likewise, defined HTTP status codes cover many situations with no 126 need to convey extra detail. 128 This specification's aim is to define common error formats for 129 applications that need one so that they aren't required to define 130 their own, or worse, tempted to redefine the semantics of existing 131 HTTP status codes. Even if an application chooses not to use it to 132 convey errors, reviewing its design can help guide the design 133 decisions faced when conveying errors in an existing format. 135 2. Requirements 137 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 138 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 139 "OPTIONAL" in this document are to be interpreted as described in BCP 140 14 [RFC2119] [RFC8174] when, and only when, they appear in all 141 capitals, as shown here. 143 3. The Problem Details JSON Object 145 The canonical model for problem details is a JSON [RFC8259] object. 147 When serialized as a JSON document, that format is identified with 148 the "application/problem+json" media type. 150 For example, an HTTP response carrying JSON problem details: 152 HTTP/1.1 403 Forbidden 153 Content-Type: application/problem+json 154 Content-Language: en 156 { 157 "type": "https://example.com/probs/out-of-credit", 158 "title": "You do not have enough credit.", 159 "detail": "Your current balance is 30, but that costs 50.", 160 "instance": "/account/12345/msgs/abc", 161 "balance": 30, 162 "accounts": ["/account/12345", 163 "/account/67890"] 164 } 166 Here, the out-of-credit problem (identified by its type) indicates 167 the reason for the 403 in "title", identifies the specific problem 168 occurrence with "instance", gives occurrence-specific details in 169 "detail", and adds two extensions; "balance" conveys the account's 170 balance, and "accounts" lists links where the account can be topped 171 up. 173 When designed to accommodate it, problem-specific extensions can 174 allow more than one instance of the same problem type to be conveyed. 175 For example: 177 HTTP/1.1 400 Bad Request 178 Content-Type: application/problem+json 179 Content-Language: en 181 { 182 "type": "https://example.net/validation-error", 183 "title": "Your request is not valid.", 184 "causes": [ 185 { 186 "detail": "must be a positive integer", 187 "problem-pointer": "#/age" 188 }, 189 { 190 "detail": "must be 'green', 'red' or 'blue'", 191 "problem-pointer": "#/profile/color" 192 } 193 ] 194 } 196 The fictional problem type here defines the "causes" extension, an 197 array that describes the details of multiple occurrences. Each 198 member is an object containing "detail" to describe the issue, and 199 "problem-pointer" to locate the problem within the request's content 200 using a JSON Pointer [RFC6901]. 202 When an API encounters multiple problems that do not share the same 203 type, it is RECOMMENDED that the most relevant or urgent problem be 204 represented in the response. While it is possible to create generic 205 "batch" problem types that convey multiple, disparate types, they do 206 not map well into HTTP semantics. 208 3.1. Members of a Problem Details Object 210 Problem detail objects can have the following members. If a member's 211 value type does not match the specified type, the member MUST be 212 ignored -- i.e., processing will continue as if the member had not 213 been present. 215 3.1.1. "type" 217 The "type" member is a JSON string containing a URI reference 218 [RFC3986] that identifies the problem type. Consumers MUST use the 219 "type" URI (after resolution, if necessary) problem's primary 220 identifier. 222 When this member is not present, its value is assumed to be 223 "about:blank". 225 If the type URI is a locator (e.g., those with a "http" or "https" 226 scheme), dereferencing it SHOULD provide human-readable documentation 227 for the problem type (e.g., using HTML [HTML5]). However, consumers 228 SHOULD NOT automatically dereference the type URI, unless they do so 229 when providing information to developers (e.g., when a debugging tool 230 is in use). 232 When "type" contains a relative URI, it is resolved relative to the 233 document's base URI, as per [RFC3986], Section 5. However, using 234 relative URIs can cause confusion, and they might not be handled 235 correctly by all implementations. 237 For example, if the two resources "https://api.example.org/foo/ 238 bar/123" and "https://api.example.org/widget/456" both respond with a 239 "type" equal to the relative URI reference "example-problem", when 240 resolved they will identify different resources 241 ("https://api.example.org/foo/bar/example-problem" and 242 "https://api.example.org/widget/example-problem" respectively). As a 243 result, it is RECOMMENDED that absolute URIs be used in "type" when 244 possible, and that when relative URIs are used, they include the full 245 path (e.g., "/types/123"). 247 The type URI can also be a non-resolvable URI. For example, the tag 248 URI scheme [RFC4151] can be used to uniquely identify problem types: 250 tag:mnot@mnot.net,2021-09-17:OutOfLuck 252 Non-resolvable URIs ought not be used when there is some future 253 possibility that it might become desirable to do so. For example, if 254 an API designer used the URI above and later adopted a tool that 255 resolves type URIs to discover information about the error, taking 256 advantage of that capability would require switching to a resolvable 257 URI, creating a new identity for the problem type and thus 258 introducing a breaking change. 260 3.1.2. "status" 262 The "status" member is a JSON number indicating the HTTP status code 263 ([HTTP], Section 15) generated by the origin server for this 264 occurrence of the problem. 266 The "status" member, if present, is only advisory; it conveys the 267 HTTP status code used for the convenience of the consumer. 268 Generators MUST use the same status code in the actual HTTP response, 269 to assure that generic HTTP software that does not understand this 270 format still behaves correctly. See Section 5 for further caveats 271 regarding its use. 273 Consumers can use the status member to determine what the original 274 status code used by the generator was, in cases where it has been 275 changed (e.g., by an intermediary or cache), and when message bodies 276 persist without HTTP information. Generic HTTP software will still 277 use the HTTP status code. 279 3.1.3. "title" 281 The "title" member is a JSON string containing a short, human- 282 readable summary of the problem type. 284 It SHOULD NOT change from occurrence to occurrence of the problem, 285 except for localization (e.g., using proactive content negotiation; 286 see [HTTP], Section 12.1). 288 The "title" string is advisory and included only for users who are 289 not aware of the semantics of the URI and can not discover them 290 (e.g., during offline log analysis). 292 3.1.4. "detail" 294 The "detail" member is a JSON string containing a human-readable 295 explanation specific to this occurrence of the problem. 297 The "detail" member, if present, ought to focus on helping the client 298 correct the problem, rather than giving debugging information. 300 Consumers SHOULD NOT parse the "detail" member for information; 301 extensions are more suitable and less error-prone ways to obtain such 302 information. 304 3.1.5. "instance" 306 The "instance" member is a JSON string containing a URI reference 307 that identifies the specific occurrence of the problem. 309 When the "instance" URI is dereferenceable, the problem details 310 object can be fetched from it. It might also return information 311 about the problem occurrence in other formats through use of 312 proactive content negotiation (see [HTTP], Section 12.5.1). 314 When the "instance" URI is not dereferenceable, it serves as a unique 315 identifier for the problem occurrence that may be of significance to 316 the server, but is opaque to the client. 318 When "instance" contains a relative URI, it is resolved relative to 319 the document's base URI, as per [RFC3986], Section 5. However, using 320 relative URIs can cause confusion, and they might not be handled 321 correctly by all implementations. 323 For example, if the two resources "https://api.example.org/foo/ 324 bar/123" and "https://api.example.org/widget/456" both respond with 325 an "instance" equal to the relative URI reference "example-instance", 326 when resolved they will identify different resources 327 ("https://api.example.org/foo/bar/example-instance" and 328 "https://api.example.org/widget/example-instance" respectively). As 329 a result, it is RECOMMENDED that absolute URIs be used in "instance" 330 when possible, and that when relative URIs are used, they include the 331 full path (e.g., "/instances/123"). 333 3.2. Extension Members 335 Problem type definitions MAY extend the problem details object with 336 additional members. 338 For example, our "out of credit" problem above defines two such 339 extensions -- "balance" and "accounts" to convey additional, problem- 340 specific information. 342 Similarly, the "Multi-Status" example defines two extensions -- 343 "causes" and "problem-pointer". Extensions like "problem-pointer" 344 are more appropriate to use for problems associated with client side 345 errors 4xx only. 347 Clients consuming problem details MUST ignore any such extensions 348 that they don't recognize; this allows problem types to evolve and 349 include additional information in the future. 351 Note that because extensions are effectively put into a namespace by 352 the problem type, it is not possible to define new "standard" members 353 without defining a new media type. 355 4. Defining New Problem Types 357 When an HTTP API needs to define a response that indicates an error 358 condition, it might be appropriate to do so by defining a new problem 359 type. 361 Before doing so, it's important to understand what they are good for, 362 and what's better left to other mechanisms. 364 Problem details are not a debugging tool for the underlying 365 implementation; rather, they are a way to expose greater detail about 366 the HTTP interface itself. Designers of new problem types need to 367 carefully consider the Security Considerations (Section 5), in 368 particular, the risk of exposing attack vectors by exposing 369 implementation internals through error messages. 371 Likewise, truly generic problems -- i.e., conditions that might apply 372 to any resource on the Web -- are usually better expressed as plain 373 status codes. For example, a "write access disallowed" problem is 374 probably unnecessary, since a 403 Forbidden status code in response 375 to a PUT request is self-explanatory. 377 Finally, an application might have a more appropriate way to carry an 378 error in a format that it already defines. Problem details are 379 intended to avoid the necessity of establishing new "fault" or 380 "error" document formats, not to replace existing domain-specific 381 formats. 383 That said, it is possible to add support for problem details to 384 existing HTTP APIs using HTTP content negotiation (e.g., using the 385 Accept request header to indicate a preference for this format; see 386 [HTTP], Section 12.5.1). 388 New problem type definitions MUST document: 390 1. a type URI (typically, with the "http" or "https" scheme), 392 2. a title that appropriately describes it (think short), and 394 3. the HTTP status code for it to be used with. 396 Problem type definitions MAY specify the use of the Retry-After 397 response header ([HTTP], Section 10.2.3) in appropriate 398 circumstances. 400 A problem's type URI SHOULD resolve to HTML [HTML5] documentation 401 that explains how to resolve the problem. 403 A problem type definition MAY specify additional members on the 404 problem details object. For example, an extension might use typed 405 links [RFC8288] to another resource that machines can use to resolve 406 the problem. 408 If such additional members are defined, their names SHOULD start with 409 a letter (ALPHA, as per [RFC5234], Appendix B.1) and SHOULD comprise 410 characters from ALPHA, DIGIT ([RFC5234], Appendix B.1), and "_" (so 411 that it can be serialized in formats other than JSON), and they 412 SHOULD be three characters or longer. 414 4.1. Example 416 For example, if you are publishing an HTTP API to your online 417 shopping cart, you might need to indicate that the user is out of 418 credit (our example from above), and therefore cannot make the 419 purchase. 421 If you already have an application-specific format that can 422 accommodate this information, it's probably best to do that. 423 However, if you don't, you might use one of the problem details 424 formats -- JSON if your API is JSON-based, or XML if it uses that 425 format. 427 To do so, you might look in the registry (Section 4.2) for an 428 already-defined type URI that suits your purposes. If one is 429 available, you can reuse that URI. 431 If one isn't available, you could mint and document a new type URI 432 (which ought to be under your control and stable over time), an 433 appropriate title and the HTTP status code that it will be used with, 434 along with what it means and how it should be handled. 436 4.2. Registered Problem Types 438 This specification defines the HTTP Problem Type registry for common, 439 widely-used problem type URIs, to promote reuse. 441 The policy for this registry is Specification Required, per 442 [RFC8126], Section 4.5. 444 When evaluating requests, the Expert(s) should consider community 445 feedback, how well-defined the problem type is, and this 446 specification's requirements. Vendor-specific, application-specific, 447 and deployment-specific values are not registrable. Specification 448 documents should be published in a stable, freely available manner 449 (ideally located with a URL), but need not be standards. 451 Registrations MAY use the prefix "https://iana.org/assignments/http- 452 problem-types#" for the type URI. 454 Registration requests should use the following template: 456 * Type URI: [a URI for the problem type] 458 * Title: [a short description of the problem type] 460 * Recommended HTTP status code: [what status code is most 461 appropriate to use with the type] 463 * Reference: [to a specification defining the type] 465 See the registry at https://iana.org/assignments/http-problem-types 466 (https://iana.org/assignments/http-problem-types) for details on 467 where to send registration requests. 469 4.2.1. about:blank 471 This specification registers one Problem Type, "about:blank". 473 * Type URI: about:blank 475 * Title: See HTTP Status Code 477 * Recommended HTTP status code: N/A 479 * Reference: [this document] 481 The "about:blank" URI [RFC6694], when used as a problem type, 482 indicates that the problem has no additional semantics beyond that of 483 the HTTP status code. 485 When "about:blank" is used, the title SHOULD be the same as the 486 recommended HTTP status phrase for that code (e.g., "Not Found" for 487 404, and so on), although it MAY be localized to suit client 488 preferences (expressed with the Accept-Language request header). 490 Please note that according to how the "type" member is defined 491 (Section 3.1), the "about:blank" URI is the default value for that 492 member. Consequently, any problem details object not carrying an 493 explicit "type" member implicitly uses this URI. 495 5. Security Considerations 497 When defining a new problem type, the information included must be 498 carefully vetted. Likewise, when actually generating a problem -- 499 however it is serialized -- the details given must also be 500 scrutinized. 502 Risks include leaking information that can be exploited to compromise 503 the system, access to the system, or the privacy of users of the 504 system. 506 Generators providing links to occurrence information are encouraged 507 to avoid making implementation details such as a stack dump available 508 through the HTTP interface, since this can expose sensitive details 509 of the server implementation, its data, and so on. 511 The "status" member duplicates the information available in the HTTP 512 status code itself, bringing the possibility of disagreement between 513 the two. Their relative precedence is not clear, since a 514 disagreement might indicate that (for example) an intermediary has 515 changed the HTTP status code in transit (e.g., by a proxy or cache). 516 Generic HTTP software (such as proxies, load balancers, firewalls, 517 and virus scanners) are unlikely to know of or respect the status 518 code conveyed in this member. 520 6. IANA Considerations 522 Please update the "application/problem+json" and "application/ 523 problem+xml" registrations in the Internet media types registry 524 [RFC6838]. to refer to this document. 526 Please create the HTTP Problem Types Registry, as specified in 527 Section 4.2, and populate it with "about:blank" as per Section 4.2.1. 529 7. References 531 7.1. Normative References 533 [HTTP] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP 534 Semantics", Work in Progress, Internet-Draft, draft-ietf- 535 httpbis-semantics-19, 12 September 2021, 536 . 539 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 540 Requirement Levels", BCP 14, RFC 2119, 541 DOI 10.17487/RFC2119, March 1997, 542 . 544 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 545 Resource Identifier (URI): Generic Syntax", STD 66, 546 RFC 3986, DOI 10.17487/RFC3986, January 2005, 547 . 549 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 550 Specifications: ABNF", STD 68, RFC 5234, 551 DOI 10.17487/RFC5234, January 2008, 552 . 554 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 555 Writing an IANA Considerations Section in RFCs", BCP 26, 556 RFC 8126, DOI 10.17487/RFC8126, June 2017, 557 . 559 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 560 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 561 May 2017, . 563 [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 564 Interchange Format", STD 90, RFC 8259, 565 DOI 10.17487/RFC8259, December 2017, 566 . 568 [XML] Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and 569 F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth 570 Edition)", World Wide Web Consortium Recommendation REC- 571 xml-20081126, 26 November 2008, 572 . 574 7.2. Informative References 576 [HTML5] WHATWG, "HTML - Living Standard", n.d., 577 . 579 [I-D.draft-bhutton-json-schema-00] 580 Wright, A., Andrews, H., Hutton, B., and G. Dennis, "JSON 581 Schema: A Media Type for Describing JSON Documents", Work 582 in Progress, Internet-Draft, draft-bhutton-json-schema-00, 583 8 December 2020, . 586 [ISO-19757-2] 587 International Organization for Standardization, 588 "Information Technology -- Document Schema Definition 589 Languages (DSDL) -- Part 2: Grammar-based Validation -- 590 RELAX NG", ISO/IEC 19757-2, 2003. 592 [RDFA] Adida, B., Birbeck, M., McCarron, S., and I. Herman, "RDFa 593 Core 1.1 - Third Edition", World Wide Web Consortium 594 Recommendation REC-rdfa-core-20150317, 17 March 2015, 595 . 597 [RFC4151] Kindberg, T. and S. Hawke, "The 'tag' URI Scheme", 598 RFC 4151, DOI 10.17487/RFC4151, October 2005, 599 . 601 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed 602 Authoring and Versioning (WebDAV)", RFC 4918, 603 DOI 10.17487/RFC4918, June 2007, 604 . 606 [RFC6694] Moonesamy, S., Ed., "The "about" URI Scheme", RFC 6694, 607 DOI 10.17487/RFC6694, August 2012, 608 . 610 [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type 611 Specifications and Registration Procedures", BCP 13, 612 RFC 6838, DOI 10.17487/RFC6838, January 2013, 613 . 615 [RFC6901] Bryan, P., Ed., Zyp, K., and M. Nottingham, Ed., 616 "JavaScript Object Notation (JSON) Pointer", RFC 6901, 617 DOI 10.17487/RFC6901, April 2013, 618 . 620 [RFC8288] Nottingham, M., "Web Linking", RFC 8288, 621 DOI 10.17487/RFC8288, October 2017, 622 . 624 [XSLT] Clark, J., Pieters, S., and H. Thompson, "Associating 625 Style Sheets with XML documents 1.0 (Second Edition)", 626 World Wide Web Consortium Recommendation REC-xml- 627 stylesheet-20101028, 28 October 2010, 628 . 630 Appendix A. JSON Schema for HTTP Problems 632 This section presents a non-normative JSON Schema 633 [I-D.draft-bhutton-json-schema-00] for HTTP Problem Details. If 634 there is any disagreement between it and the text of the 635 specification, the latter prevails. 637 # NOTE: '\' line wrapping per RFC 8792 638 { 639 "$schema": "https://json-schema.org/draft/2020-12/schema", 640 "title": "A problem object RFC 7807bis", 641 "type": "object", 642 "properties": { 643 "type": { 644 "type": "string", 645 "format": "uri-reference", 646 "description": "A URI reference RFC3986 that identifies the \ 647 problem type." 648 }, 649 "title": { 650 "type": "string", 651 "description": "A short, human-readable summary of the \ 652 problem type. It SHOULD NOT change from occurrence to occurrence \ 653 of the problem, except for purposes of localization (e.g., using \ 654 proactive content negotiation; see RFC7231, Section 3.4)" 655 }, 656 "status": { 657 "type": "integer", 658 "description": "The HTTP status code (RFC7231, Section 6) \ 659 generated by the origin server for this occurrence of the problem.", 660 "minimum": 100, 661 "maximum": 599 662 }, 663 "detail": { 664 "type": "string", 665 "description": "A human-readable explanation specific to \ 666 this occurrence of the problem." 667 }, 668 "instance": { 669 "type": "string", 670 "format": "uri-reference", 671 "description": "A URI reference that identifies the \ 672 specific occurrence of the problem. It may or may not yield \ 673 further information if dereferenced." 674 } 675 } 676 } 678 Appendix B. HTTP Problems and XML 680 HTTP-based APIs that use XML [XML] can express problem details using 681 the format defined in this appendix. 683 The RELAX NG schema [ISO-19757-2] for the XML format is: 685 default namespace ns = "urn:ietf:rfc:7807" 687 start = problem 689 problem = 690 element problem { 691 ( element type { xsd:anyURI }? 692 & element title { xsd:string }? 693 & element detail { xsd:string }? 694 & element status { xsd:positiveInteger }? 695 & element instance { xsd:anyURI }? ), 696 anyNsElement 697 } 699 anyNsElement = 700 ( element ns:* { anyNsElement | text } 701 | attribute * { text })* 703 Note that this schema is only intended as documentation, and not as a 704 normative schema that captures all constraints of the XML format. It 705 is possible to use other XML schema languages to define a similar set 706 of constraints (depending on the features of the chosen schema 707 language). 709 The media type for this format is "application/problem+xml". 711 Extension arrays and objects are serialized into the XML format by 712 considering an element containing a child or children to represent an 713 object, except for elements that contain only child element(s) named 714 'i', which are considered arrays. For example, the example above 715 appears in XML as follows: 717 HTTP/1.1 403 Forbidden 718 Content-Type: application/problem+xml 719 Content-Language: en 721 722 723 https://example.com/probs/out-of-credit 724 You do not have enough credit. 725 Your current balance is 30, but that costs 50. 726 https://example.net/account/12345/msgs/abc 727 30 728 729 https://example.net/account/12345 730 https://example.net/account/67890 731 732 733 This format uses an XML namespace, primarily to allow embedding it 734 into other XML-based formats; it does not imply that it can or should 735 be extended with elements or attributes in other namespaces. The 736 RELAX NG schema explicitly only allows elements from the one 737 namespace used in the XML format. Any extension arrays and objects 738 MUST be serialized into XML markup using only that namespace. 740 When using the XML format, it is possible to embed an XML processing 741 instruction in the XML that instructs clients to transform the XML, 742 using the referenced XSLT code [XSLT]. If this code is transforming 743 the XML into (X)HTML, then it is possible to serve the XML format, 744 and yet have clients capable of performing the transformation display 745 human-friendly (X)HTML that is rendered and displayed at the client. 746 Note that when using this method, it is advisable to use XSLT 1.0 in 747 order to maximize the number of clients capable of executing the XSLT 748 code. 750 Appendix C. Using Problem Details with Other Formats 752 In some situations, it can be advantageous to embed problem details 753 in formats other than those described here. For example, an API that 754 uses HTML [HTML5] might want to also use HTML for expressing its 755 problem details. 757 Problem details can be embedded in other formats either by 758 encapsulating one of the existing serializations (JSON or XML) into 759 that format or by translating the model of a problem detail (as 760 specified in Section 3) into the format's conventions. 762 For example, in HTML, a problem could be embedded by encapsulating 763 JSON in a script tag: 765 777 or by inventing a mapping into RDFa [RDFA]. 779 This specification does not make specific recommendations regarding 780 embedding problem details in other formats; the appropriate way to 781 embed them depends both upon the format in use and application of 782 that format. 784 Acknowledgements 786 The authors would like to thank Jan Algermissen, Subbu Allamaraju, 787 Mike Amundsen, Roy Fielding, Eran Hammer, Sam Johnston, Mike McCall, 788 Julian Reschke, and James Snell for review of this specification. 790 Authors' Addresses 792 Mark Nottingham 793 Prahran 794 Australia 795 Email: mnot@mnot.net 796 URI: https://www.mnot.net/ 798 Erik Wilde 799 Email: erik.wilde@dret.net 800 URI: http://dret.net/netdret/ 802 Sanjay Dalal 803 United States of America 804 Email: sanjay.dalal@cal.berkeley.edu 805 URI: https://github.com/sdatspun2