rfc9512.original   rfc9512.txt 
HTTPAPI R. Polli Internet Engineering Task Force (IETF) R. Polli
Internet-Draft Digital Transformation Department, Italian Government Request for Comments: 9512 DTD, Italian Government
Intended status: Informational E. Wilde Category: Informational E. Wilde
Expires: 2 March 2024 Axway ISSN: 2070-1721 Axway
E. Aro E. Aro
Mozilla Mozilla
30 August 2023 February 2024
YAML Media Type YAML Media Type
draft-ietf-httpapi-yaml-mediatypes-10
Abstract Abstract
This document registers the application/yaml media type and the +yaml This document registers the application/yaml media type and the +yaml
structured syntax suffix on the IANA Media Types registry, intended structured syntax suffix with IANA. Both identify document
to be used to identify document components serialized according to components that are serialized according to the YAML specification.
the YAML specification.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-ietf-httpapi-yaml-mediatypes/.
Discussion of this document takes place on the HTTPAPI Working Group
mailing list (mailto:httpapi@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/httpapi/. Subscribe at
https://www.ietf.org/mailman/listinfo/httpapi/. Working Group
information can be found at https://datatracker.ietf.org/wg/httpapi/
about/.
Source for this draft and an issue tracker can be found at
https://github.com/ietf-wg-httpapi/mediatypes/labels/yaml.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
This Internet-Draft will expire on 2 March 2024. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9512.
Copyright Notice Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 1.1. Notational Conventions
1.2. Fragment identification . . . . . . . . . . . . . . . . . 4 1.2. Fragment Identification
1.2.1. Fragment identification via alias nodes . . . . . . . 4 1.2.1. Fragment Identification via Alias Nodes
2. Media Type and Structured Syntax Suffix registrations . . . . 5 2. Media Type and Structured Syntax Suffix Registrations
2.1. Media Type application/yaml . . . . . . . . . . . . . . . 5 2.1. Media Type application/yaml
2.2. The +yaml Structured Syntax Suffix . . . . . . . . . . . 6 2.2. The +yaml Structured Syntax Suffix
3. Interoperability Considerations . . . . . . . . . . . . . . . 7 3. Interoperability Considerations
3.1. YAML is an Evolving Language . . . . . . . . . . . . . . 7 3.1. YAML Is an Evolving Language
3.2. YAML streams . . . . . . . . . . . . . . . . . . . . . . 7 3.2. YAML Streams
3.3. Filename extension . . . . . . . . . . . . . . . . . . . 8 3.3. Filename Extension
3.4. YAML and JSON . . . . . . . . . . . . . . . . . . . . . . 8 3.4. YAML and JSON
3.5. Fragment identifiers . . . . . . . . . . . . . . . . . . 9 3.5. Fragment Identifiers
4. Security Considerations . . . . . . . . . . . . . . . . . . . 10 4. Security Considerations
4.1. Arbitrary Code Execution . . . . . . . . . . . . . . . . 10 4.1. Arbitrary Code Execution
4.2. Resource Exhaustion . . . . . . . . . . . . . . . . . . . 10 4.2. Resource Exhaustion
4.3. YAML streams . . . . . . . . . . . . . . . . . . . . . . 11 4.3. YAML Streams
4.4. Expressing booleans . . . . . . . . . . . . . . . . . . . 11 4.4. Expressing Booleans
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 5. IANA Considerations
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 6. References
6.1. Normative References . . . . . . . . . . . . . . . . . . 12 6.1. Normative References
6.2. Informative References . . . . . . . . . . . . . . . . . 13 6.2. Informative References
Appendix A. Examples related to fragment identifier Appendix A. Examples Related to Fragment Identifier
interoperability . . . . . . . . . . . . . . . . . . . . 13 Interoperability
A.1. Unreferenceable nodes . . . . . . . . . . . . . . . . . . 14 A.1. Unreferenceable Nodes
A.2. Referencing a missing node . . . . . . . . . . . . . . . 14 A.2. Referencing a Missing Node
A.3. Representation graph with anchors and cyclic A.3. Representation Graph with Anchors and Cyclic References
references . . . . . . . . . . . . . . . . . . . . . . . 14 Acknowledgements
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses
FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Since draft-ietf-httpapi-yaml-mediatypes-02 . . . . . . . . . . 17
Since draft-ietf-httpapi-yaml-mediatypes-01 . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
YAML [YAML] is a data serialization format that is capable of YAML [YAML] is a data serialization format that is capable of
conveying one or multiple documents in a single presentation stream conveying one or multiple documents in a single presentation stream
(e.g., a file or a network resource). It is widely used on the (e.g., a file or a network resource). It is widely used on the
Internet, including in the API sector (e.g., see [OAS]), but a Internet, including in the API sector (e.g., see [OAS]), but a
corresponding media type and structured syntax suffix had not corresponding media type and structured syntax suffix had not
previously been registered by IANA. previously been registered by IANA.
To increase interoperability when exchanging YAML streams, and To increase interoperability when exchanging YAML streams and
leverage content negotiation mechanisms when exchanging YAML leverage content negotiation mechanisms when exchanging YAML
resources, this specification registers the application/yaml media resources, this specification registers the application/yaml media
type and the +yaml structured syntax suffix [MEDIATYPE]. type and the +yaml structured syntax suffix [MEDIATYPE].
Moreover, it provides security considerations and interoperability Moreover, it provides security considerations and interoperability
considerations related to [YAML], including its relation with [JSON]. considerations related to [YAML], including its relation with [JSON].
1.1. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. These words may also appear in this capitals, as shown here.
document in lower case as plain English words, absent their normative
meanings.
The terms "content", "content negotiation", "resource", and "user The terms "content negotiation" and "resource" in this document are
agent" in this document are to be interpreted as in [HTTP]. to be interpreted as in [HTTP].
The terms "fragment" and "fragment identifier" in this document are The terms "fragment" and "fragment identifier" in this document are
to be interpreted as in [URI]. to be interpreted as in [URI].
The terms "presentation", "stream", "YAML document", "representation The terms "presentation", "stream", "YAML document", "representation
graph", "tag", "serialization detail", "node", "alias node", "anchor" graph", "tag", "serialization detail", "node", "alias node",
and "anchor name" in this document are to be interpreted as in "anchor", and "anchor name" in this document are to be interpreted as
[YAML]. in [YAML].
Figures containing YAML code always start with the "%YAML 1.2" Figures containing YAML code always start with the %YAML directive to
directive to improve readability. improve readability.
1.2. Fragment identification 1.2. Fragment Identification
A fragment identifies a node in a stream. A fragment identifies a node in a stream.
A fragment identifier starting with "*" is to be interpreted as a A fragment identifier starting with "*" is to be interpreted as a
YAML alias node (see Section 1.2.1). YAML alias node (see Section 1.2.1).
For single-document YAML streams, a fragment identifier that is empty For single-document YAML streams, a fragment identifier that is empty
or that starts with "/" is to be interpreted as a JSON Pointer or that starts with "/" is to be interpreted as a JSON Pointer
[JSON-POINTER] and is evaluated on the YAML representation graph, [JSON-POINTER] and is evaluated on the YAML representation graph,
walking through alias nodes; in particular, the empty fragment traversing alias nodes; in particular, the empty fragment identifier
identifier references the root node. This syntax can only reference references the root node. This syntax can only reference the YAML
the YAML nodes that are on a path that is made up of nodes nodes that are on a path that is made up of nodes interoperable with
interoperable with the JSON data model (see Section 3.4). the JSON data model (see Section 3.4).
A fragment identifier is not guaranteed to reference an existing A fragment identifier is not guaranteed to reference an existing
node. Therefore, applications SHOULD define how an unresolved alias node. Therefore, applications SHOULD define how an unresolved alias
node ought to be handled. node ought to be handled.
1.2.1. Fragment identification via alias nodes 1.2.1. Fragment Identification via Alias Nodes
This section describes how to use alias nodes (see Section 3.2.2.2 This section describes how to use alias nodes (see Sections 3.2.2.2
and 7.1 of [YAML]) as fragment identifiers to designate nodes. and 7.1 of [YAML]) as fragment identifiers to designate nodes.
A YAML alias node can be represented in a URI fragment identifier by A YAML alias node can be represented in a URI fragment identifier by
encoding it into bytes using UTF-8 [UTF-8], but percent-encoding of encoding it into bytes using UTF-8 [UTF-8], but percent-encoding of
those characters is not allowed by the fragment rule in Section 3.5 those characters is not allowed by the fragment rule in Section 3.5
of [URI]. of [URI].
If multiple nodes would match a fragment identifier, the first If multiple nodes match a fragment identifier, the first occurrence
occurrence of such match is selected. of such a match is selected.
Users concerned with interoperability of fragment identifiers: Users concerned with interoperability of fragment identifiers:
* SHOULD limit alias nodes to a set of characters that do not * SHOULD limit alias nodes to a set of characters that do not
require encoding to be expressed as URI fragment identifiers: this require encoding to be expressed as URI fragment identifiers (this
is generally possible since anchor names are a serialization is generally possible since anchor names are a serialization
detail; detail), and
* SHOULD NOT use alias nodes that match multiple nodes. * SHOULD NOT use alias nodes that match multiple nodes.
In the example resource below, the relative reference (see In the example resource below, the relative reference (see
Section 4.2 of [URI]) file.yaml#*foo identifies the first alias node Section 4.2 of [URI]) file.yaml#*foo identifies the first alias node
*foo pointing to the node with value scalar and not the one in the *foo pointing to the node with value scalar and not to the one in the
second document; whereas the relative reference file.yaml#*document_2 second document, whereas the relative reference file.yaml#*document_2
identifies the root node of the second document {one: [a, sequence]}. identifies the root node of the second document {one: [a, sequence]}.
%YAML 1.2 %YAML 1.2
--- ---
one: &foo scalar one: &foo scalar
two: &bar two: &bar
- some - some
- sequence - sequence
- items - items
... ...
%YAML 1.2 %YAML 1.2
--- ---
&document_2 &document_2
one: &foo [a, sequence] one: &foo [a, sequence]
Figure 1: A YAML stream containing two YAML documents. Figure 1: A YAML Stream Containing Two YAML Documents
2. Media Type and Structured Syntax Suffix registrations 2. Media Type and Structured Syntax Suffix Registrations
This section describes the information required to register the above This section includes the information required for IANA to register
media type according to [MEDIATYPE] the application/yaml media type and the +yaml structured syntax
suffix per [MEDIATYPE].
2.1. Media Type application/yaml 2.1. Media Type application/yaml
The media type for YAML text is application/yaml; the following The media type for YAML is application/yaml; the following
information serves as the registration form for this media type. information serves as the registration form for this media type.
Type name: application Type name: application
Subtype name: yaml Subtype name: yaml
Required parameters: N/A Required parameters: N/A
Optional parameters: N/A; unrecognized parameters should be ignored Optional parameters: N/A; unrecognized parameters should be ignored.
Encoding considerations: binary Encoding considerations: binary
Security considerations: see Section 4 of this document Security considerations: See Section 4 of this document.
Interoperability considerations: see Section 3 of this document Interoperability considerations: See Section 3 of this document.
Published specification: [YAML], this document Published specification: [YAML], this document
Applications that use this media type: Applications that need a Applications that use this media type: Applications that need a
human-friendly, cross language, Unicode based data serialization human-friendly, cross-language, and Unicode-based data
language designed around the common native data types of dynamic serialization language designed around the common data types of
programming languages. dynamic programming languages.
Fragment identifier considerations: See Section 1.2 of this document Fragment identifier considerations: See Section 1.2 of this
document.
Additional information: Additional information:
* Deprecated alias names for this type: application/x-yaml, text/ Deprecated alias names for this type: application/x-yaml, text/
yaml, text/x-yaml. These names are used, but not registered. yaml, and text/x-yaml. These names are used but are not
registered.
* Magic number(s) N/A Magic number(s): N/A
File extension(s): "yaml" (preferred) and "yml". See Section 3.3
* File extension(s): "yaml" (preferred), "yml". See Section 3.3 of of this document.
this document. Macintosh file type code(s): N/A
Windows Clipboard Name: YAML
* Macintosh file type code(s): N/A
* Windows Clipboard Name: YAML
Person and email address to contact for further information: See the Person and email address to contact for further information: See the
Authors' Addresses section of this document. Authors' Addresses section of this document.
Intended usage: COMMON Intended usage: COMMON
Restrictions on usage: None. Restrictions on usage: None
Author: See the Authors' Addresses section of this document. Author: See the Authors' Addresses section of this document.
Change controller: IETF Change controller: IETF
2.2. The +yaml Structured Syntax Suffix 2.2. The +yaml Structured Syntax Suffix
The suffix +yaml MAY be used with any media type whose representation The suffix +yaml MAY be used with any media type whose representation
follows that established for application/yaml. The media type follows that established for application/yaml. The structured syntax
structured syntax suffix registration form follows. See [MEDIATYPE] suffix registration form follows. See [MEDIATYPE] for definitions of
for definitions of each of the registration form headings. each part of the registration form.
Name: YAML Ain't Markup Language (YAML) Name: YAML Ain't Markup Language (YAML)
+suffix: +yaml +suffix: +yaml
References: [YAML], this document References: [YAML], this document
Encoding considerations: Same as "application/yaml" Encoding considerations: Same as application/yaml
Fragment identifier considerations: Differently from application/ Interoperability considerations: Same as application/yaml
yaml, there is no fragment identification syntax defined for
+yaml. Fragment identifier considerations: Unlike application/yaml, there
is no fragment identification syntax defined for +yaml.
A specific xxx/yyy+yaml media type needs to define the syntax and A specific xxx/yyy+yaml media type needs to define the syntax and
semantics for fragment identifiers because the ones defined for semantics for fragment identifiers because the ones defined for
"application/yaml" do not apply unless explicitly expressed. application/yaml do not apply unless explicitly expressed.
Interoperability considerations: Same as "application/yaml"
Security considerations: Same as "application/yaml" Security considerations: Same as application/yaml
Contact: httpapi@ietf.org or art@ietf.org Contact: httpapi@ietf.org or art@ietf.org
Author: See the Authors' Addresses section of this document Author: See the Authors' Addresses section of this document.
Change controller: IETF Change controller: IETF
3. Interoperability Considerations 3. Interoperability Considerations
3.1. YAML is an Evolving Language 3.1. YAML Is an Evolving Language
YAML is an evolving language and, over time, some features have been YAML is an evolving language, and over time, some features have been
added and others removed. added and others removed.
This [YAML] media type registration is independent of YAML version. The application/yaml media type registration is independent of the
This allows content negotiation of version-independent YAML YAML version. This allows content negotiation of version-independent
resources. YAML resources.
Implementers concerned about features related to a specific YAML Implementers concerned about features related to a specific YAML
version can specify it in YAML documents using the %YAML directive version can specify it in YAML documents using the %YAML directive
(see Section 6.8.1 of [YAML]). (see Section 6.8.1 of [YAML]).
3.2. YAML streams 3.2. YAML Streams
A YAML stream can contain zero or more YAML documents. A YAML stream can contain zero or more YAML documents.
When receiving a multi-document stream, an application that only When receiving a multi-document stream, an application that only
expects one-document streams, ought to signal an error instead of expects single-document streams should signal an error instead of
ignoring the extra documents. ignoring the extra documents.
Current implementations consider different documents in a stream Current implementations consider different documents in a stream
independent, similarly to JSON Text Sequences (see [RFC7464]); independent, similarly to JSON text sequences (see [RFC7464]);
elements such as anchors are not guaranteed to be referenceable elements such as anchors are not guaranteed to be referenceable
across different documents. across different documents.
3.3. Filename extension 3.3. Filename Extension
The "yaml" filename extension is the preferred one; it is the most The "yaml" filename extension is the preferred one; it is the most
popular and widely used on the web. The "yml" filename extension is popular and widely used on the web. The "yml" filename extension is
still used. The simultaneous usage of two filename extensions in the still used. The simultaneous usage of two filename extensions in the
same context might cause interoperability issues (e.g., when both a same context might cause interoperability issues (e.g., when both a
"config.yaml" and a "config.yml" are present). "config.yaml" and a "config.yml" are present).
3.4. YAML and JSON 3.4. YAML and JSON
When using flow collection styles (see Section 7.4 of [YAML]) a YAML When using flow collection styles (see Section 7.4 of [YAML]), a YAML
document could look like JSON [JSON], thus similar interoperability document could look like JSON [JSON]; thus, similar interoperability
considerations apply. considerations apply.
When using YAML as a more efficient format to serialize information When using YAML as a more efficient format to serialize information
intended to be consumed as JSON, information not reflected in the intended to be consumed as JSON, information not reflected in the
representation graph and classified as presentation or serialization representation graph and classified as presentation or serialization
detail (see Section 3.2 of [YAML]) can be discarded. This includes details (see Section 3.2 of [YAML]) can be discarded. This includes
comments (see Section 3.2.3.3 of [YAML]), directives, and alias nodes comments (see Section 3.2.3.3 of [YAML]), directives, and alias nodes
(see Section 7.1 of [YAML]) that do not have a JSON counterpart. (see Section 7.1 of [YAML]) that do not have a JSON counterpart.
%YAML 1.2 %YAML 1.2
--- ---
# This comment will be lost # This comment will be lost
# when serializing in JSON. # when serializing in JSON.
Title: Title:
type: string type: string
maxLength: &text_limit 64 maxLength: &text_limit 64
Name: Name:
type: string type: string
maxLength: *text_limit # Replaced by the value 64. maxLength: *text_limit # Replaced by the value 64.
Figure 2: JSON replaces alias nodes with static values. Figure 2: JSON Replaces Alias Nodes with Static Values
Implementers need to ensure that relevant information will not be Implementers need to ensure that relevant information will not be
lost during the processing. For example, they might consider lost during processing. For example, they might consider alias nodes
acceptable that alias nodes are replaced by static values. being replaced by static values as acceptable.
In some cases an implementer may want to define a list of allowed In some cases, an implementer may want to define a list of allowed
YAML features, taking into account that the following ones might have YAML features, taking into account that the following features might
interoperability issues with [JSON]: have interoperability issues with [JSON]:
* multi-document YAML streams; * multi-document YAML streams
* non UTF-8 encoding. Before encoding YAML streams in UTF-16 or
* non-UTF-8 encoding. Before encoding YAML streams in UTF-16 or
UTF-32, it is important to note that Section 8.1 of [JSON] UTF-32, it is important to note that Section 8.1 of [JSON]
mandates the use of UTF-8 when exchanging JSON texts between mandates the use of UTF-8 when exchanging JSON texts between
systems that are not part of a closed ecosystem, and that systems that are not part of a closed ecosystem and that
Section 5.2 of [YAML] recommends the use of UTF-8; Section 5.2 of [YAML] recommends the use of UTF-8.
* mapping keys that are not strings; * mapping keys that are not strings
* circular references represented using anchor (see Section 4.2 and * cyclic references represented using anchors (see Section 4.2 and
Figure 4); Figure 4)
* .inf and .nan float values, since JSON does not support them; * .inf and .nan float values, since JSON does not support them
* non-JSON types, including the ones associated with tags like * non-JSON types, including the ones associated with tags like
!!timestamp that were included in the default schema of older YAML !!timestamp that were included in the default schema of older YAML
versions; versions
* tags in general, and specifically the ones that do not map to JSON * tags in general, specifically ones that do not map to JSON types,
types like custom and local tags such as !!python/object and e.g., custom and local tags such as !!python/object and !mytag
!mytag (see Section 2.4 of [YAML]); (see Section 2.4 of [YAML])
%YAML 1.2 %YAML 1.2
--- ---
non-json-keys: non-json-keys:
0: a number 0: a number
[0, 1]: a sequence [0, 1]: a sequence
? {k: v} ? {k: v}
: a map : a map
--- ---
non-json-keys: non-json-keys:
!date 2020-01-01: a timestamp !date 2020-01-01: a timestamp
non-json-value: !date 2020-01-01 non-json-value: !date 2020-01-01
... ...
Figure 3: Example of mapping keys and values not supported in Figure 3: Example of Mapping Keys and Values Not Supported in
JSON in a multi- document YAML stream JSON in a Multi-Document YAML Stream
3.5. Fragment identifiers 3.5. Fragment Identifiers
To allow fragment identifiers to traverse alias nodes, the YAML To allow fragment identifiers to traverse alias nodes, the YAML
representation graph needs to be generated before the fragment representation graph needs to be generated before the fragment
identifier evaluation. It is important that this evaluation will not identifier evaluation. It is important that this evaluation does not
cause the issues mentioned in Section 3.4 and in Security cause the issues mentioned in Sections 3.4 and 4, such as infinite
considerations (Section 4) such as infinite loops and unexpected code loops and unexpected code execution.
execution.
Implementers need to consider that the YAML version and supported Implementers need to consider that the YAML version and supported
features (e.g., merge keys) can affect the generation of the features (e.g., merge keys) can affect the generation of the
representation graph (see Figure 9). representation graph (see Figure 9).
In Section 2.1, this document extends the use of specifications based In Section 1.2, this document extends the use of specifications based
on the JSON data model with support for YAML fragment identifiers. on the JSON data model with support for YAML fragment identifiers.
This is to improve the interoperability of already consolidated This is to improve the interoperability of already-consolidated
practices, such as the one of writing OpenAPI documents [OAS] in practices, such as writing OpenAPI documents [OAS] in YAML.
YAML.
Appendix A provides a non-exhaustive list of examples that could help Appendix A provides a non-exhaustive list of examples to help readers
understand interoperability issues related to fragment identifiers. understand interoperability issues related to fragment identifiers.
4. Security Considerations 4. Security Considerations
Security requirements for both media type and media type suffix Security requirements for both media types and media type suffixes
registrations are discussed in Section 4.6 of [MEDIATYPE]. are discussed in Section 4.6 of [MEDIATYPE].
4.1. Arbitrary Code Execution 4.1. Arbitrary Code Execution
Care should be used when using YAML tags, because their resolution Care should be used when using YAML tags because their resolution
might trigger unexpected code execution. might trigger unexpected code execution.
Code execution in deserializers should be disabled by default, and Code execution in deserializers should be disabled by default and
only be enabled explicitly. In those cases, the implementation only be enabled explicitly. In the latter case, the implementation
should ensure - for example, via specific functions - that the code should ensure (for example, via specific functions) that the code
execution results in strictly bounded time/memory limits. execution results in strictly bounded time/memory limits.
Many implementations provide safe deserializers addressing these Many implementations provide safe deserializers that address these
issues. issues.
4.2. Resource Exhaustion 4.2. Resource Exhaustion
YAML documents are rooted, connected, directed graphs and can contain YAML documents are rooted, connected, directed graphs and can contain
reference cycles, so they can't be treated as simple trees (see reference cycles, so they can't be treated as simple trees (see
Section 3.2.1 of [YAML]). An implementation that treats them as Section 3.2.1 of [YAML]). An implementation that treats them as
simple trees risks going into an infinite loop while traversing the simple trees risks going into an infinite loop while traversing the
YAML representation graph. This can happen: YAML representation graph. This can happen:
* when trying to serialize it as JSON; * when trying to serialize it as JSON or
* or when searching/identifying nodes using specifications based on * when searching/identifying nodes using specifications based on the
the JSON data model (e.g., [JSON-POINTER]). JSON data model (e.g., [JSON-POINTER]).
%YAML 1.2 %YAML 1.2
--- ---
x: &x x: &x
y: *x y: *x
Figure 4: A cyclic document
Figure 4: A Cyclic Document
Even if a representation graph is not cyclic, treating it as a simple Even if a representation graph is not cyclic, treating it as a simple
tree could lead to improper behaviors (such as the "billion laughs" tree could lead to improper behaviors, such as triggering an
or "Exponential Entity Expansion" problem). Exponential Data Expansion (e.g., a Billion Laughs Attack).
%YAML 1.2 %YAML 1.2
--- ---
x1: &a1 ["a", "a"] x1: &a1 ["a", "a"]
x2: &a2 [*a1, *a1] x2: &a2 [*a1, *a1]
x3: &a3 [*a2, *a2] x3: &a3 [*a2, *a2]
Figure 5: A billion laughs document Figure 5: A Billion Laughs Document
This can be addressed using processors limiting the anchor recursion This can be addressed using processors that limit the anchor
depth and validating the input before processing it; even in these recursion depth and validate the input before processing it; even in
cases it is important to carefully test the implementation you are these cases, it is important to carefully test the implementation you
going to use. The same considerations apply when serializing a YAML are going to use. The same considerations apply when serializing a
representation graph in a format that does not support reference YAML representation graph in a format that does not support reference
cycles (see Section 3.4). cycles (see Section 3.4).
4.3. YAML streams 4.3. YAML Streams
Incremental parsing and processing of a YAML stream can produce Incremental parsing and processing of a YAML stream can produce
partial results and later indicate failure to parse the remainder of partial results and later indicate failure to parse the remainder of
the stream; to prevent partial processing, implementers might prefer the stream; to prevent partial processing, implementers might prefer
validating and processing all the documents in a stream at the same validating and processing all the documents in a stream at the same
time. time.
Repeated parsing and re-encoding of a YAML stream can result in the Repeated parsing and re-encoding of a YAML stream can result in the
addition or removal of document delimiters (e.g., --- or ...) as well addition or removal of document delimiters (e.g., --- or ...) as well
as the modification of anchor names and other serialization details, as the modification of anchor names and other serialization details
which can break signature validation. that can break signature validation.
4.4. Expressing booleans 4.4. Expressing Booleans
Section 10.3.2 of [YAML] specifies that only the scalars matching the Section 10.3.2 of [YAML] specifies that only the scalars matching the
regular expression true|True|TRUE|false|False|FALSE are interpreted regular expression true|True|TRUE|false|False|FALSE are interpreted
as booleans. Older YAML versions were more tolerant (e.g., as booleans. Older YAML versions were more tolerant (e.g.,
interpreting NO and N as False, and YES and Y as True). When the interpreting NO and N as False and interpreting YES and Y as True).
older syntax is used, a YAML implementation could then interpret When the older syntax is used, a YAML implementation could then
{insecure: n} as {insecure: "n"} instead of {insecure: false}. Using interpret {insecure: n} as {insecure: "n"} instead of {insecure:
the syntax defined in Section 10.3.2 of [YAML] prevents these issues. false}. Using the syntax defined in Section 10.3.2 of [YAML] prevents
these issues.
5. IANA Considerations 5. IANA Considerations
This specification defines the following new Internet media type IANA has updated the "Media Types" registry
[MEDIATYPE].
IANA is asked to update the "Media Types" registry at
https://www.iana.org/assignments/media-types
(https://www.iana.org/assignments/media-types) with the registration (https://www.iana.org/assignments/media-types) with the registration
information provided in the section below. information in Section 2.1 for the media type application/yaml.
+==================+==================================+
| Media Type | Registration information section |
+==================+==================================+
| application/yaml | Section 2.1 of this document |
+------------------+----------------------------------+
Table 1
IANA is asked to update the "Structured Syntax Suffixes" registry at IANA has updated the "Structured Syntax Suffixes" registry
https://www.iana.org/assignments/media-type-structured-suffix
(https://www.iana.org/assignments/media-type-structured-suffix) with (https://www.iana.org/assignments/media-type-structured-suffix) with
the registration information provided in the section below. the registration information in Section 2.2 for the structured syntax
suffix +yaml.
+========+==================================+
| Suffix | Registration information section |
+========+==================================+
| +yaml | Section 2.2 of this document |
+--------+----------------------------------+
Table 2
6. References 6. References
6.1. Normative References 6.1. Normative References
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, [HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110, Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022, DOI 10.17487/RFC9110, June 2022,
<https://www.rfc-editor.org/rfc/rfc9110>. <https://www.rfc-editor.org/info/rfc9110>.
[JSON] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data [JSON] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259, Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017, DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/rfc/rfc8259>. <https://www.rfc-editor.org/info/rfc8259>.
[JSON-POINTER] [JSON-POINTER]
Bryan, P., Ed., Zyp, K., and M. Nottingham, Ed., Bryan, P., Ed., Zyp, K., and M. Nottingham, Ed.,
"JavaScript Object Notation (JSON) Pointer", RFC 6901, "JavaScript Object Notation (JSON) Pointer", RFC 6901,
DOI 10.17487/RFC6901, April 2013, DOI 10.17487/RFC6901, April 2013,
<https://www.rfc-editor.org/rfc/rfc6901>. <https://www.rfc-editor.org/info/rfc6901>.
[MEDIATYPE] [MEDIATYPE]
Freed, N., Klensin, J., and T. Hansen, "Media Type Freed, N., Klensin, J., and T. Hansen, "Media Type
Specifications and Registration Procedures", BCP 13, Specifications and Registration Procedures", BCP 13,
RFC 6838, DOI 10.17487/RFC6838, January 2013, RFC 6838, DOI 10.17487/RFC6838, January 2013,
<https://www.rfc-editor.org/rfc/rfc6838>. <https://www.rfc-editor.org/info/rfc6838>.
[OAS] Darrel Miller, Jeremy Whitlock, Marsh Gardiner, Mike [OAS] Miller, D., Whitlock, J., Gardiner, M., Ralphson, M.,
Ralphson, Ron Ratovsky, and Uri Sarid, "OpenAPI Ratovsky, R., and U. Sarid, "OpenAPI Specification",
Specification 3.0.0", 26 July 2017. v3.0.0, 26 July 2017.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/rfc/rfc3986>. <https://www.rfc-editor.org/info/rfc3986>.
[UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/rfc/rfc3629>. 2003, <https://www.rfc-editor.org/info/rfc3629>.
[YAML] Oren Ben-Kiki, Clark Evans, Ingy dot Net, Tina Müller, [YAML] Ben-Kiki, O., Evans, C., dot Net, I., Müller, T.,
Pantelis Antoniou, Eemeli Aro, and Thomas Smith, "YAML Antoniou, P., Aro, E., and T. Smith, "YAML Ain't Markup
Ain't Markup Language Version 1.2", 1 October 2021, Language Version 1.2", 1 October 2021,
<https://yaml.org/spec/1.2.2/>. <https://yaml.org/spec/1.2.2/>.
6.2. Informative References 6.2. Informative References
[I-D.ietf-jsonpath-base]
Gössner, S., Normington, G., and C. Bormann, "JSONPath:
Query expressions for JSON", Work in Progress, Internet-
Draft, draft-ietf-jsonpath-base-20, 25 August 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-
jsonpath-base-20>.
[RFC7464] Williams, N., "JavaScript Object Notation (JSON) Text [RFC7464] Williams, N., "JavaScript Object Notation (JSON) Text
Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015,
<https://www.rfc-editor.org/rfc/rfc7464>. <https://www.rfc-editor.org/info/rfc7464>.
Appendix A. Examples related to fragment identifier interoperability Appendix A. Examples Related to Fragment Identifier Interoperability
A.1. Unreferenceable nodes
In this example, a couple of YAML nodes that cannot be referenced A.1. Unreferenceable Nodes
This example shows a couple of YAML nodes that cannot be referenced
based on the JSON data model since their mapping keys are not based on the JSON data model since their mapping keys are not
strings. strings.
%YAML 1.2 %YAML 1.2
--- ---
a-map-cannot: a-map-cannot:
? {be: expressed} ? {be: expressed}
: with a JSON Pointer : with a JSON Pointer
0: no numeric mapping keys in JSON 0: no numeric mapping keys in JSON
Figure 6: Example of YAML nodes that are not referenceable based Figure 6: Example of YAML Nodes That Are Not Referenceable Based
on JSON data model. on JSON Data Model
A.2. Referencing a missing node A.2. Referencing a Missing Node
In this example the fragment #/0 does not reference an existing node In this example, the fragment #/0 does not reference an existing
node.
%YAML 1.2 %YAML 1.2
--- ---
0: "JSON Pointer `#/0` references a string mapping key." 0: "JSON Pointer `#/0` references a string mapping key."
Figure 7: Example of a JSON Pointer that does not reference an Figure 7: Example of a JSON Pointer That Does Not Reference an
existing node. Existing Node
A.3. Representation graph with anchors and cyclic references A.3. Representation Graph with Anchors and Cyclic References
In this YAML document, the #/foo/bar/baz fragment identifier In this YAML document, the #/foo/bar/baz fragment identifier
traverses the representation graph and references the string you. traverses the representation graph and references the string you.
Moreover, the presence of a cyclic reference implies that there are Moreover, the presence of a cyclic reference implies that there are
infinite fragment identifiers #/foo/bat/../bat/bar referencing the infinite fragment identifiers #/foo/bat/../bat/bar referencing the
&anchor node. &anchor node.
%YAML 1.2 %YAML 1.2
--- ---
anchor: &anchor anchor: &anchor
baz: you baz: you
foo: &foo foo: &foo
bar: *anchor bar: *anchor
bat: *foo bat: *foo
Figure 8: Example of a cyclic reference and alias nodes. Figure 8: Example of a Cyclic Reference and Alias Nodes
Many YAML implementations will resolve the merge key "<<:" Many YAML implementations will resolve the merge key "<<:"
(https://yaml.org/type/merge.html) defined in YAML 1.1 in the (https://yaml.org/type/merge.html) defined in YAML 1.1 in the
representation graph. This means that the fragment #/book/author/ representation graph. This means that the fragment #/book/author/
given_name references the string Federico and that the fragment given_name references the string Federico and that the fragment
#/book/<< will not reference any existing node. #/book/<< will not reference any existing node.
%YAML 1.1 %YAML 1.1
--- ---
# Many implementations use merge keys. # Many implementations use merge keys.
the-viceroys: &the-viceroys the-viceroys: &the-viceroys
title: The Viceroys title: The Viceroys
author: author:
given_name: Federico given_name: Federico
family_name: De Roberto family_name: De Roberto
book: book:
<<: *the-viceroys <<: *the-viceroys
title: The Illusion title: The Illusion
Figure 9: Example of YAML merge keys. Figure 9: Example of YAML Merge Keys
Acknowledgements Acknowledgements
Thanks to Erik Wilde and David Biesack for being the initial Thanks to Erik Wilde and David Biesack for being the initial
contributors of this specification, and to Darrel Miller and Rich contributors to this specification and to Darrel Miller and Rich Salz
Salz for their support during the adoption phase. for their support during the adoption phase.
In addition to the people above, this document owes a lot to the
extensive discussion inside and outside the HTTPAPI workgroup. The
following contributors have helped improve this specification by
opening pull requests, reporting bugs, asking smart questions,
drafting or reviewing text, and evaluating open issues:
Tina (tinita) Müller, Ben Hutton, Carsten Bormann, Manu Sporny and
Jason Desrosiers.
FAQ
This section is to be removed before publishing as an RFC.
Q: Why this document? After all these years, we still lack a proper
media-type for YAML. This has some security implications too (eg.
wrt on identifying parsers or treat downloads)
Q: Why using alias nodes as fragment identifiers? Alias nodes are a
native YAML feature that allows addressing any node in a YAML
document. Since YAML is not limited to string keywords, not all
nodes are addressable using JSON Pointers. Alias nodes are thus
the natural choice for fragment identifiers Section 1.2.
Q: Why not use plain names for alias nodes? Why not define plain
names? Using plain name fragments could have limited the ability of
future xxx+yaml media types to define their plain name fragments.
Moreover, alias nodes starts with * so we found no reason to strip
it when using them in fragments.
Preserving * had another positive result: it allows distinguishing
a fragment identifier expressed as an alias node from one
expressed in other formats. In this document we included JSON
Pointer [JSON-POINTER] which is expected to start with /.
Moreover, since JSON Path [I-D.ietf-jsonpath-base] expressions
start with $, this mechanism can be extended to JSON Path too.
Q: Why not just use JSON Pointer as the primary fragment
identifier? Fragment identifiers in YAML always reference YAML
representation graph nodes. JSON Pointer can only rely on string
keywords so it is not able to reference a generic node in the
representation graph.
Since JSON Pointer is a specification unrelated to YAML, we
decided to isolate the impacts of changes in JSON Pointer on YAML
fragments: only fragments starting with "/" are "delegated" to an
external spec, and if [JSON-POINTER] changes, it will only affect
fragments starting with "/".
The current behaviour for empty fragments is the same for both
JSON Pointer and alias nodes. Incidentally, it's the only
sensible behaviour independently of [JSON-POINTER].
Q: Why describe the YAML/JSON so closely? In the context of Web
APIs, YAML is widely used as a more compact way to serialize
content inteded to be consumed according to the JSON data model.
Typical examples are OpenAPI specifications and Kubernetes
manifest files, that can be serialized in both formats. The YAML
media type registration I-D is a spin-off and a building block for
the OpenAPI specification media type registration. The YAML/JSON
section aims at clarifying what developers should expect when
using YAML instead of JSON, and its content arose from common
mistakes and FAQs.
Please note that we are not imposing any normative restriction on
YAML streams; this is because YAML is defined outside this
document. Instead, we only provide Interoperability and Security
considerations that, by their nature, are not normative.
Q: Do we forbid using non-UTF-8 YAML serialization? No. Since
[JSON] recommends UTF-8 in interoperability context we suggest
that using UTF-8 is an interoperable behavior. This is aligned
with Section 5.2 of [YAML] that explicitly recommends UTF-8.
Q: Why media type registration information is outside the IANA
Considerations? We decided to follow the style adopted in [HTTP]
where the IANA Considerations in Section 18.8 of [HTTP] references
the multipart/byteranges media type registration form contained in
the specification body Section 14.6 of [HTTP].
Change Log
This section is to be removed before publishing as an RFC.
Since draft-ietf-httpapi-yaml-mediatypes-02
* clarification on fragment identifiers #50.
Since draft-ietf-httpapi-yaml-mediatypes-01
* application/yaml fragment identifiers compatible with JSON Pointer In addition, this document owes a lot to the extensive discussion
#41 (#47). inside and outside the HTTPAPI Working Group. The following
contributors helped improve this specification by opening pull
requests, reporting bugs, asking smart questions, drafting or
reviewing text, and evaluating open issues: Tina (tinita) Müller, Ben
Hutton, Carsten Bormann, Manu Sporny, and Jason Desrosiers.
Authors' Addresses Authors' Addresses
Roberto Polli Roberto Polli
Digital Transformation Department, Italian Government Digital Transformation Department, Italian Government
Italy Italy
Email: robipolli@gmail.com Email: robipolli@gmail.com
Erik Wilde Erik Wilde
Axway Axway
 End of changes. 106 change blocks. 
362 lines changed or deleted 224 lines changed or added

This html diff was produced by rfcdiff 1.48.