idnits 2.17.00 (12 Aug 2021) /tmp/idnits53371/draft-nottingham-rfc5785bis-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([2], [3], [4], [1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. -- The draft header indicates that this document obsoletes RFC5785, but the abstract doesn't seem to directly say this. It does mention RFC5785 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 5, 2018) is 1506 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 399 -- Looks like a reference, but probably isn't: '2' on line 401 -- Looks like a reference, but probably isn't: '3' on line 403 -- Looks like a reference, but probably isn't: '4' on line 405 -- Looks like a reference, but probably isn't: '5' on line 407 -- Obsolete informational reference (is this intentional?): RFC 5785 (Obsoleted by RFC 8615) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Nottingham 3 Internet-Draft April 5, 2018 4 Obsoletes: 5785 (if approved) 5 Intended status: Standards Track 6 Expires: October 7, 2018 8 Defining Well-Known Uniform Resource Identifiers (URIs) 9 draft-nottingham-rfc5785bis-05 11 Abstract 13 This memo defines a path prefix for "well-known locations", "/.well- 14 known/", in selected Uniform Resource Identifier (URI) schemes. 16 Note to Readers 18 _RFC EDITOR: please remove this section before publication_ 20 This draft is a proposed revision of RFC5875. 22 The issues list for this draft can be found at 23 https://github.com/mnot/I-D/labels/rfc5785bis [1]. 25 The most recent (often, unpublished) draft is at 26 https://mnot.github.io/I-D/rfc5785bis/ [2]. 28 Recent changes are listed at https://github.com/mnot/I-D/commits/gh- 29 pages/rfc5785bis [3]. 31 See also the draft's current status in the IETF datatracker, at 32 https://datatracker.ietf.org/doc/draft-nottingham-rfc5785bis/ [4]. 34 Status of This Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at https://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on October 7, 2018. 50 Copyright Notice 52 Copyright (c) 2018 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (https://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 68 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 3 69 3. Well-Known URIs . . . . . . . . . . . . . . . . . . . . . . . 3 70 3.1. Registering Well-Known URIs . . . . . . . . . . . . . . . 4 71 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 72 4.1. Interaction with the Web . . . . . . . . . . . . . . . . 5 73 4.2. Scoping Applications . . . . . . . . . . . . . . . . . . 6 74 4.3. Hidden Capabilities . . . . . . . . . . . . . . . . . . . 7 75 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 76 5.1. The Well-Known URI Registry . . . . . . . . . . . . . . . 7 77 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 78 6.1. Normative References . . . . . . . . . . . . . . . . . . 7 79 6.2. Informative References . . . . . . . . . . . . . . . . . 8 80 6.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 81 Appendix A. Frequently Asked Questions . . . . . . . . . . . . . 9 82 Appendix B. Changes from RFC5785 . . . . . . . . . . . . . . . . 10 83 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 85 1. Introduction 87 Some applications on the Web require the discovery of information 88 about an origin [RFC6454] (sometimes called "site-wide metadata") 89 before making a request. For example, the Robots Exclusion Protocol 90 (http://www.robotstxt.org/ [5]) specifies a way for automated 91 processes to obtain permission to access resources; likewise, the 92 Platform for Privacy Preferences [W3C.REC-P3P-20020416] tells user- 93 agents how to discover privacy policy before interacting with an 94 origin server. 96 While there are several ways to access per-resource metadata (e.g., 97 HTTP headers, WebDAV's PROPFIND [RFC4918]), the perceived overhead 98 (either in terms of client-perceived latency and/or deployment 99 difficulties) associated with them often precludes their use in these 100 scenarios. 102 When this happens, one solution is designating a "well-known 103 location" for data or services related to the origin overall, so that 104 it can be easily located. However, this approach has the drawback of 105 risking collisions, both with other such designated "well-known 106 locations" and with resources that the origin has created (or wishes 107 to create). 109 At the same time, it has become more popular to use HTTP as a 110 substrate for non-Web protocols. Sometimes, such protocols need a 111 way to locate one or more resources on a given host. 113 To address these uses, this memo defines a path prefix in HTTP(S) 114 URIs for these "well-known locations", "/.well-known/". Future 115 specifications that need to define a resource for such metadata can 116 register their use to avoid collisions and minimise impingement upon 117 origins' URI space. 119 Well-known URIs can also be used with other URI schemes, but only 120 when those schemes' definitions explicitly allow it. 122 2. Notational Conventions 124 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 125 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 126 document are to be interpreted as described in RFC 2119 [RFC2119]. 128 3. Well-Known URIs 130 A well-known URI is a URI [RFC3986] whose path component begins with 131 the characters "/.well-known/", and whose scheme is "HTTP", "HTTPS", 132 or another scheme that has explicitly been specified to use well- 133 known URIs. 135 Applications that wish to mint new well-known URIs MUST register 136 them, following the procedures in Section 5.1. 138 For example, if an application registers the name 'example', the 139 corresponding well-known URI on 'http://www.example.com/' would be 140 'http://www.example.com/.well-known/example'. 142 Registered names MUST conform to the segment-nz production in 143 [RFC3986]. This means they cannot contain the "/" character. 145 Registered names for a specific application SHOULD be correspondingly 146 precise; "squatting" on generic terms is not encouraged. For 147 example, if the Example application wants a well-known location for 148 metadata, an appropriate registered name might be "example-metadata" 149 or even "example.com-metadata", not "metadata". 151 At a minimum, a registration will reference a specification that 152 defines the format and associated media type to be obtained by 153 dereferencing the well-known URI, along with the URI scheme(s) that 154 the well-known URI can be used with. If no URI schemes are 155 explicitly specified, "HTTP" and "HTTPS" are assumed. 157 It MAY also contain additional information, such as the syntax of 158 additional path components, query strings and/or fragment identifiers 159 to be appended to the well-known URI, or protocol-specific details 160 (e.g., HTTP [RFC7231] method handling). 162 Note that this specification defines neither how to determine the 163 hostname to use to find the well-known URI for a particular 164 application, nor the scope of the metadata discovered by 165 dereferencing the well-known URI; both should be defined by the 166 application itself. 168 Also, this specification does not define a format or media-type for 169 the resource located at "/.well-known/" and clients should not expect 170 a resource to exist at that location. 172 Well-known URIs are only valid when rooted in the top of the path's 173 hierarchy; they MUST NOT be used in other parts of the path. For 174 example, "/.well-known/example" is a valid use, but "/foo/.well- 175 known/example" is not. 177 See also Section 4 for Security Considerations regarding well-known 178 locations. 180 3.1. Registering Well-Known URIs 182 The "Well-Known URIs" registry is located at 183 "https://www.iana.org/assignments/well-known-uris/". Registration 184 requests can be made by following the instructions located there or 185 by sending an email to the "wellknown-uri-review@ietf.org" mailing 186 list. 188 Registration requests consist of at least the following information: 190 URI suffix: The name requested for the well-known URI, relative to 191 "/.well-known/"; e.g., "example". 193 Change controller: For Standards-Track RFCs, state "IETF". For 194 others, give the name of the responsible party. Other details 195 (e.g., postal address, e-mail address, home page URI) may also be 196 included. 198 Specification document(s): Reference to the document that specifies 199 the field, preferably including a URI that can be used to retrieve 200 a copy of the document. An indication of the relevant sections 201 may also be included, but is not required. 203 Related information: Optionally, citations to additional documents 204 containing further relevant information. 206 General requirements for registered relation types are described in 207 Section 3. 209 Registrations MUST reference a freely available, stable 210 specification. 212 Note that well-known URIs can be registered by third parties 213 (including the expert(s)), if the expert(s) determines that an 214 unregistered well-known URI is widely deployed and not likely to be 215 registered in a timely manner otherwise. Such registrations still 216 are subject to the requirements defined, including the need to 217 reference a specification. 219 4. Security Considerations 221 Applications minting new well-known URIs, as well as administrators 222 deploying them, will need to consider several security-related 223 issues, including (but not limited to) exposure of sensitive data, 224 denial-of-service attacks (in addition to normal load issues), server 225 and client authentication, vulnerability to DNS rebinding attacks, 226 and attacks where limited access to a server grants the ability to 227 affect how well-known URIs are served. 229 4.1. Interaction with the Web 231 In particular, applications using well-known URIs for HTTP or HTTPS 232 URLs need to be aware that well-known resources will be accessible to 233 Web browsers, and therefore is potentially able to be manipulated by 234 content obtained from other parts of that origin. If an attacker is 235 able to inject content (e.g., through a Cross-Site Scripting 236 vulnerability), they will be able to make potentially arbitrary 237 requests to the well-known resource. 239 HTTP and HTTPS also use origins as a security boundary for many other 240 mechanisms, including (but not limited to) Cookies [RFC6265], Web 241 Storage [W3C.REC-webstorage-20160419] and many capabilities. 242 Applications defining well-known locations should not assume that 243 they have sole access to these mechanisms. 245 Applications defining well-known URIs should not assume or require 246 that they are the only application using the origin, since this is a 247 common deployment pattern; instead, they should use appropriate 248 mechanisms to mitigate the risks of co-existing with Web 249 applications, such as (but not limited to): 251 o Using Strict Transport Security [RFC6797] to assure that HTTPS is 252 used 254 o Using Content-Security-Policy [W3C.WD-CSP3-20160913] to constrain 255 the capabilities of content, thereby mitigating Cross-Site 256 Scripting attacks (which are possible if client-provided data is 257 exposed in any part of a response in the application) 259 o Using X-Frame-Options [RFC7034] to prevent content from being 260 included in a HTML frame from another origin, thereby enabling 261 "clickjacking" 263 o Using Referrer-Policy [W3C.CR-referrer-policy-20170126] to prevent 264 sensitive data in URLs from being leaked in the Referer request 265 header 267 o Using the 'HttpOnly' flag on Cookies to assure that cookies are 268 not exposed to browser scripting languages [RFC6265] 270 4.2. Scoping Applications 272 This memo does not specify the scope of applicability of metadata or 273 policy obtained from a well-known URI, and does not specify how to 274 discover a well-known URI for a particular application. 276 Individual applications using this mechanism must define both 277 aspects; if this is not specified, security issues can arise from 278 implementation deviations and confusion about boundaries between 279 applications. 281 Applying metadata discovered in a well-known URI to resources other 282 than those co-located on the same origin risks administrative as well 283 as security issues. For example, allowing 284 "https://example.com/.well-known/example" to apply policy to 285 "https://department.example.com", "https://www.example.com" or even 286 "https://www.example.com:8000" assumes a relationship between hosts 287 where there may be none, or there may be conflicting motivations. 289 4.3. Hidden Capabilities 291 Applications using well-known locations should consider that some 292 server administrators might be unaware of its existence (especially 293 on operating systems that hide directories whose names begin with 294 "."). This means that if an attacker has write access to the .well- 295 known directory, they would be able to control its contents, possibly 296 without the administrator realising it. 298 5. IANA Considerations 300 5.1. The Well-Known URI Registry 302 This specification updates the registration procedures for the "Well- 303 Known URI" registry, first defined in [RFC5785]; see Section 3.1. 305 Well-known URIs are registered on the advice of one or more experts 306 (appointed by the IESG or their delegate), with a Specification 307 Required (using terminology from [RFC8126]). 309 The Experts' primary considerations in evaluating registration 310 requests are: * Conformance to the requirements in Section 3 * The 311 availability and stability of the specifying document * The security 312 considerations outlined in Section 4 314 IANA will direct any incoming requests regarding the registry to this 315 document and, if defined, the processes established by the expert(s); 316 typically, this will mean referring them to the registry Web page. 318 IANA should replace all references to RFC 5988 in that registry have 319 been replaced with references to this document. 321 6. References 323 6.1. Normative References 325 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 326 Requirement Levels", BCP 14, RFC 2119, 327 DOI 10.17487/RFC2119, March 1997, 328 . 330 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 331 Resource Identifier (URI): Generic Syntax", STD 66, 332 RFC 3986, DOI 10.17487/RFC3986, January 2005, 333 . 335 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, 336 DOI 10.17487/RFC6454, December 2011, 337 . 339 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 340 Writing an IANA Considerations Section in RFCs", BCP 26, 341 RFC 8126, DOI 10.17487/RFC8126, June 2017, 342 . 344 6.2. Informative References 346 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed 347 Authoring and Versioning (WebDAV)", RFC 4918, 348 DOI 10.17487/RFC4918, June 2007, 349 . 351 [RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known 352 Uniform Resource Identifiers (URIs)", RFC 5785, 353 DOI 10.17487/RFC5785, April 2010, 354 . 356 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, 357 DOI 10.17487/RFC6265, April 2011, 358 . 360 [RFC6797] Hodges, J., Jackson, C., and A. Barth, "HTTP Strict 361 Transport Security (HSTS)", RFC 6797, 362 DOI 10.17487/RFC6797, November 2012, 363 . 365 [RFC7034] Ross, D. and T. Gondrom, "HTTP Header Field X-Frame- 366 Options", RFC 7034, DOI 10.17487/RFC7034, October 2013, 367 . 369 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 370 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 371 DOI 10.17487/RFC7231, June 2014, 372 . 374 [W3C.CR-referrer-policy-20170126] 375 Eisinger, J. and E. Stark, "Referrer Policy", World Wide 376 Web Consortium CR CR-referrer-policy-20170126, January 377 2017, 378 . 380 [W3C.REC-P3P-20020416] 381 Marchiori, M., "The Platform for Privacy Preferences 1.0 382 (P3P1.0) Specification", World Wide Web Consortium 383 Recommendation REC-P3P-20020416, April 2002, 384 . 386 [W3C.REC-webstorage-20160419] 387 Hickson, I., "Web Storage (Second Edition)", World Wide 388 Web Consortium Recommendation REC-webstorage-20160419, 389 April 2016, 390 . 392 [W3C.WD-CSP3-20160913] 393 West, M., "Content Security Policy Level 3", World Wide 394 Web Consortium WD WD-CSP3-20160913, September 2016, 395 . 397 6.3. URIs 399 [1] https://github.com/mnot/I-D/labels/rfc5785bis 401 [2] https://mnot.github.io/I-D/rfc5785bis/ 403 [3] https://github.com/mnot/I-D/commits/gh-pages/rfc5785bis 405 [4] https://datatracker.ietf.org/doc/draft-nottingham-rfc5785bis/ 407 [5] http://www.robotstxt.org/ 409 Appendix A. Frequently Asked Questions 411 1. Aren't well-known locations bad for the Web? 413 They are, but for various reasons - both technical and social - 414 they are sometimes necessary. This memo defines a "sandbox" for 415 them, to reduce the risks of collision and to minimise the impact 416 upon pre-existing URIs on sites. 418 2. Why /.well-known? 420 It's short, descriptive, and according to search indices, not 421 widely used. 423 3. What impact does this have on existing mechanisms, such as P3P 424 and robots.txt? 426 None, until they choose to use this mechanism. 428 4. Why aren't per-directory well-known locations defined? 430 Allowing every URI path segment to have a well-known location 431 (e.g., "/images/.well-known/") would increase the risks of 432 colliding with a pre-existing URI on a site, and generally these 433 solutions are found not to scale well, because they're too 434 "chatty". 436 Appendix B. Changes from RFC5785 438 o Allow non-Web well-known locations 440 o Adjust IANA instructions 442 o Update references 444 o Various other clarifications 446 Author's Address 448 Mark Nottingham 450 Email: mnot@mnot.net 451 URI: https://www.mnot.net/