Network Working Group J.M. Snell Internet-Draft March 12, 2013 Intended status: Informational Expires: September 13, 2013 HTTP/2.0 Discussion: Using Multiple Request URI's in Idempotent and Safe Requests draft-snell-httpbis-mget-00 Abstract This memo describes a proposed mechanism for specifying multiple request URI's within Idempotent methods (i.e. "Multi-GET", "Multi- Delete") Status of This Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 13, 2013. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Table of Contents 1. Using Multiple-Request URIs . . . . . . . . . . . . . . . . . 2 Snell Expires September 13, 2013 [Page 1] Internet-Draft application/merge-patch March 2013 1.1. "Globbed" Requests . . . . . . . . . . . . . . . . . . . 5 2. Security Considerations . . . . . . . . . . . . . . . . . . . 6 3. Normative References . . . . . . . . . . . . . . . . . . . . 6 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 1. Using Multiple-Request URIs This document introduces the concept of allowing Idempotent and Safe HTTP/2 requests to contain multiple, independent Request URIs. For example, if a User-Agent wishes to retrieve multiple image resources from a server, it could send a single GET request separately listing each of the resources being requested: An example "Multi-GET" request +---------+--------------------------------------+ | Header | Value | +---------+--------------------------------------+ | :method | GET | | :path | "/images/foo.png", "/images/bar.png" | | :host | example.org | +---------+--------------------------------------+ Upon receiving this request, a server supporting multiple Request URIs would respond by initiating two distinct response streams back to the requesting-user agent, one for each of the requested resources: UA SERVER ---------------------- | | | MGET REQUEST | |--------------->| | | | Resp#1:foo.png | |<---------------| | Resp#2:bar.png | |<---------------| | | Snell Expires September 13, 2013 [Page 2] Internet-Draft application/merge-patch March 2013 This singular Multiple-GET request is semantically equivallent to sending two simultaneous, separate GET requests for each of the two resources. There is no implicit or explicit ordering or relationship between the resources being requested. Each has their own distinct response stream, with it's own headers and response status code. The server can choose to return the requested resources in any order it chooses. All request header fields included in the request apply equally to each of the listed request URIs. To perform a conditional GET request using the If-None-Match request header, for example, the entity tags for each of the requested resources would be listed: +---------------+-------------------------------------------+ | Header | Value | +---------------+-------------------------------------------+ | :method | GET | | :path | "/images/foo.png", "/images/bar.png" | | :host | example.org | | if-none-match | "some-opaque-etag", "another-opaque-etag" | +---------------+-------------------------------------------+ The condition would be evaluated for each of the requested URIs; that is, each of the listed Entity Tags would be evaluated against each of the individual requested resources, preserving the existing semantics of the conditional headers and enforcing the notion that a Multi-GET is semantically equivalent to multiple, simultaneous independent GET requests. Because each of the requested resources are returned using separately identifiable response streams, each with their own set of metadata, response status codes and data frames, intermediate caches with support for Multiple Request URIs can simply and transparently "do the right thing". UA CACHE SERVER ---------------------------------------- | | | | MGET REQUEST | | |foo.png, bar.png| | |--------------->| GET REQUEST | | | bar.png | | Resp#1:foo.png |--------------->| |<---------------| | | | Resp:bar.png | | Resp#2:bar.png |<---------------| |<---------------| | Snell Expires September 13, 2013 [Page 3] Internet-Draft application/merge-patch March 2013 | | | Here, the intermediate cache receives the initial GET containing multiple request URIs and determines that one of the resources (foo.png) can be served from it's cache, while the second (bar.png) needs to be fetched from the origin server. From the User-Agents point of view, this action is entirely transparent. Because such requests are semantically equivalent to multiple, simultaneous individual requests, translating to and from HTTP/1 becomes a simple matter of splitting out each request URI into its own distinct HTTP/1 request, each with its own exact copy of the full set of request header fields. Intermediaries should be able to handle the translation in a manner that is completely transparent to the User-Agent. UA PROXY SERVER ---------------------------------------- | | | | MGET REQUEST | | |foo.png, bar.png| | |--------------->| GET REQUEST | | | foo.png | | |--------------->| | | GET REQUEST | | | bar.png | | |--------------->| | | Resp:foo.png | | |<---------------| | Resp#1:foo.png | | |<---------------| Resp:bar.png | | Resp#2:bar.png |<---------------| |<---------------| | | | | Multiple Request URIs are only permitted on requests methods that are known to be both Safe and Idempotent with one notable exception: The DELETE method, which is Idempotent but not Safe MAY include multiple request URIs. An example Multi-HEAD Request: Snell Expires September 13, 2013 [Page 4] Internet-Draft application/merge-patch March 2013 +---------+--------------------------------------+ | Header | Value | +---------+--------------------------------------+ | :method | HEAD | | :path | "/images/foo.png", "/images/bar.png" | | :host | example.org | +---------+--------------------------------------+ An example Multi-DELETE Request: +---------+--------------------------------------+ | Header | Value | +---------+--------------------------------------+ | :method | DELETE | | :path | "/images/foo.png", "/images/bar.png" | | :host | example.org | +---------+--------------------------------------+ In particular, Multiple Request URIs MUST NOT ever be used for POST or PUT requests and SHOULD NOT be used for any other request method carrying a request entity unless the method is known to be both Safe and Idempotent. Server support for Multiple-Request URIs within HTTP/2 implementations ought to be required. If, however, the working group decides that the mechanism is to be optional, a server endpoint not supporting multiple request URIs can return a 400 "Bad Request" error when it receives such requests. A mechanism such as Mark Nottingham's proposed "Browser Hints" format can be used to communicate to User-Agents whether or not multiple request URIs are supported on a given host. Whether and when to bundle multiple request URIs into a single GET request is entirely up to the requesting HTTP/2 client. A user-agent that is attempting to optimize page load times, for instance, could choose to send a mix of multi- and single-request URI requests to the server depending on whatever strategy it chooses for optimization. 1.1. "Globbed" Requests This document specifically rules out the notion of "globbed" Multi- Requests. That is, sending a request with a single "wildcard" request URI that returns multiple independent streams, e.g.: An example "Multi-GET" request Snell Expires September 13, 2013 [Page 5] Internet-Draft application/merge-patch March 2013 +---------+-----------------+ | Header | Value | +---------+-----------------+ | :method | GET | | :path | "/images/*.png" | | :host | example.org | +---------+-----------------+ The reason this is not defined is because such requests play havoc with the existing HTTP Caching Model, greatly complicates implementation and carries with it a variety of security risks. 2. Security Considerations TBD 3. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Author's Address James M Snell Email: jasnell@gmail.com Snell Expires September 13, 2013 [Page 6]