Brought to you by the

HTTP Working Group                                                              R. Fielding, UC Irvine
INTERNET-DRAFT                                                                     H. Frystyk, MIT/LCS
<draft-ietf-http-v11-spec-01.html>                                             T. Berners-Lee, MIT/LCS
Expires May 22, 1996                                                                  January 19, 1996

Hypertext Transfer Protocol -- HTTP/1.1

Status of this Memo

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress".

To learn the current status of any Internet-Draft, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast).

Distribution of this document is unlimited. Please send comments to the HTTP working group at <http-wg@cuckoo.hpl.hp.com>. Discussions of the working group are archived at <URL:http://www.ics.uci.edu/pub/ietf/http/>. General discussions about HTTP and the applications which use HTTP should take place on the <www-talk@w3.org> mailing list.

NOTE: This specification is for discussion purposes only. It is not claimed to represent the consensus of the HTTP working group, and contains a number of proposals that either have not been discussed or are controversial. The working group is discussing significant changes in many areas, including logic bags, support for caching, range retrieval, content negotiation, MIME compatibility, authentication, timing of the PUT operation.

Abstract

HTTP has been in use by the World-Wide Web global information initiative since 1990. This specification defines the protocol referred to as "HTTP/1.1".

Table of Contents

1.  Introduction
    1.1  Purpose
    1.2  Requirements
    1.3  Terminology
    1.4  Overall Operation

2.  Notational Conventions and Generic Grammar
    2.1  Augmented BNF
    2.2  Basic Rules

3.  Protocol Parameters
    3.1  HTTP Version
    3.2  Uniform Resource Identifiers
         3.2.1 General Syntax
         3.2.2 http URL
    3.3  Date/Time Formats
         3.3.1 Full Date
         3.3.2 Delta Seconds
    3.4  Character Sets
    3.5  Content Codings
    3.6  Transfer Codings
    3.7  Media Types
         3.7.1 Canonicalization and Text Defaults
         3.7.2 Multipart Types
    3.8  Product Tokens
    3.9  Quality Values
    3.10 Language Tags
    3.11 Logic Bags

4.  HTTP Message
    4.1  Message Types
    4.2  Message Headers
    4.3  General Header Fields

5. Request
    5.1  Request-Line
         5.1.1 Method
         5.1.2 Request-URI
    5.2  Request Header Fields

6.  Response
    6.1  Status-Line
         6.1.1 Status Code and Reason Phrase
    6.2  Response Header Fields

7.  Entity
    7.1  Entity Header Fields
    7.2  Entity Body
         7.2.1 Type
         7.2.2 Length

8.  Method Definitions
    8.1  OPTIONS
    8.2  GET
    8.3  HEAD
    8.4  POST
    8.5  PUT
    8.6  PATCH
    8.7  COPY
    8.8  MOVE
    8.9  DELETE
    8.10 LINK
    8.11 UNLINK
    8.12 TRACE
    8.13 WRAPPED

9.  Status Code Definitions
    9.1  Informational 1xx
         100 Continue
         101 Switching Protocols
    9.2  Successful 2xx
         200 OK
         201 Created
         202 Accepted
         203 Non-Authoritative Information
         204 No Content
         205 Reset Content
         206 Partial Content
    9.3  Redirection 3xx
         300 Multiple Choices
         301 Moved Permanently
         302 Moved Temporarily
         303 See Other
         304 Not Modified
         305 Use Proxy
    9.4  Client Error 4xx
         400 Bad Request
         401 Unauthorized
         402 Payment Required
         403 Forbidden
         404 Not Found
         405 Method Not Allowed
         406 None Acceptable
         407 Proxy Authentication Required
         408 Request Timeout
         409 Conflict
         410 Gone
         411 Length Required
         412 Unless True
    9.5  Server Error 5xx
         500 Internal Server Error
         501 Not Implemented
         502 Bad Gateway
         503 Service Unavailable
         504 Gateway Timeout

10. Header Field Definitions
    10.1  Accept
    10.2  Accept-Charset
    10.3  Accept-Encoding
    10.4  Accept-Language
    10.5  Allow
    10.6  Authorization
    10.7  Base
    10.8  Cache-Control
    10.9  Connection
          10.9.1 Persistent Connections
    10.10 Content-Encoding
    10.11 Content-Language
    10.12 Content-Length
    10.13 Content-MD5
    10.14 Content-Range
    10.15 Content-Type
    10.16 Content-Version
    10.17 Date
    10.18 Derived-From
    10.19 Expires
    10.20 Forwarded
    10.21 From
    10.22 Host
    10.23 If-Modified-Since
    10.24 Keep-Alive
    10.25 Last-Modified
    10.26 Link
    10.27 Location
    10.28 MIME-Version
    10.29 Pragma
    10.30 Proxy-Authenticate
    10.31 Proxy-Authorization
    10.32 Public
    10.33 Range
    10.34 Referer
    10.35 Refresh
    10.36 Retry-After
    10.37 Server
    10.38 Title
    10.39 Transfer Encoding
    10.40 Unless
    10.41 Upgrade
    10.42 URI
    10.43 User-Agent
    10.44 WWW-Authenticate

11. Access Authentication
    11.1  Basic Authentication Scheme
    11.2  Digest Authentication Scheme

12. Content Negotiation
    12.1  Preemptive Negotiation

13. Caching

14. Security Considerations
    14.1  Authentication of Clients
    14.2  Safe Methods
    14.3  Abuse of Server Log Information
    14.4  Transfer of Sensitive Information

15. Acknowledgments

16. References

17. Authors' Addresses

Appendix A. Internet Media Type message/http

Appendix B. Tolerant Applications

Appendix C. Relationship to MIME
            C.1  Conversion to Canonical Form
                 C.1.1 Representation of Line Breaks
                 C.1.2 Default Character Set
            C.2  Conversion of Date Formats
            C.3  Introduction of Content-Encoding
            C.4  No Content-Transfer-Encoding
            C.5  Introduction of Transfer-Encoding

Appendix D. Changes from HTTP/1.0

1. Introduction

1.1 Purpose

This specification defines the protocol referred to as "HTTP/1.1". This protocol is backwards-compatible with HTTP/1.0, but includes more stringent requirements in order to ensure reliable implementation of its features.

Practical information systems require more functionality than simple retrieval, including search, front-end update, and annotation. HTTP allows an open-ended set of methods to be used to indicate the purpose of a request. It builds on the discipline of reference provided by the Uniform Resource Identifier (URI) [3], as a location (URL) [4] or name (URN) [20], for indicating the resource on which a method is to be applied. Messages are passed in a format similar to that used by Internet Mail [9] and the Multipurpose Internet Mail Extensions (MIME) [7].

HTTP is also used as a generic protocol for communication between user agents and proxies/gateways to other Internet protocols, such as SMTP [16], NNTP [13], FTP [18], Gopher [2], and WAIS [10], allowing basic hypermedia access to resources available from diverse applications and simplifying the implementation of user agents.

1.2 Requirements

must

This word or the adjective "required" means that the item is an absolute requirement of the specification.

should

This word or the adjective "recommended" means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications should be understood and the case carefully weighed before choosing a different course.

may

This word or the adjective "optional" means that this item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because it enhances the product, for example; another vendor may omit the same item.

1.3 Terminology

connection

A transport layer virtual circuit established between two application programs for the purpose of communication.

message

The basic unit of HTTP communication, consisting of a structured sequence of octets matching the syntax defined in Section 4 and transmitted via the connection.

request

An HTTP request message (as defined in Section 5).

response

An HTTP response message (as defined in Section 6).

resource

A network data object or service which can be identified by a URI (Section 3.2).

entity

A particular representation or rendition of a data resource, or reply from a service resource, that may be enclosed within a request or response message. An entity consists of metainformation in the form of entity headers and content in the form of an entity body.

client

An application program that establishes connections for the purpose of sending requests.

user agent

The client which initiates a request. These are often browsers, editors, spiders (web-traversing robots), or other end user tools.

server

An application program that accepts connections in order to service requests by sending back responses.

origin server

The server on which a given resource resides or is to be created.

proxy

An intermediary program which acts as both a server and a client for the purpose of making requests on behalf of other clients. Requests are serviced internally or by passing them, with possible translation, on to other servers. A proxy must interpret and, if necessary, rewrite a request message before forwarding it. Proxies are often used as client-side portals through network firewalls and as helper applications for handling requests via protocols not implemented by the user agent.

gateway

A server which acts as an intermediary for some other server. Unlike a proxy, a gateway receives requests as if it were the origin server for the requested resource; the requesting client may not be aware that it is communicating with a gateway. Gateways are often used as server-side portals through network firewalls and as protocol translators for access to resources stored on non-HTTP systems.

tunnel

A tunnel is an intermediary program which is acting as a blind relay between two connections. Once active, a tunnel is not considered a party to the HTTP communication, though the tunnel may have been initiated by an HTTP request. The tunnel ceases to exist when both ends of the relayed connections are closed. Tunnels are used when a portal is necessary and the intermediary cannot, or should not, interpret the relayed communication.

cache

A program's local store of response messages and the subsystem that controls its message storage, retrieval, and deletion. A cache stores cachable responses in order to reduce the response time and network bandwidth consumption on future, equivalent requests. Any client or server may include a cache, though a cache cannot be used by a server while it is acting as a tunnel.

1.4 Overall Operation

Most HTTP communication is initiated by a user agent and consists of a request to be applied to a resource on some origin server. In the simplest case, this may be accomplished via a single connection (v) between the user agent (UA) and the origin server (O).

          request chain ------------------------>
       UA -------------------v------------------- O
          <----------------------- response chain

          request chain -------------------------------------->
       UA -----v----- A -----v----- B -----v----- C -----v----- O
          <------------------------------------- response chain

Any party to the communication which is not acting as a tunnel may employ an internal cache for handling requests. The effect of a cache is that the request/response chain is shortened if one of the participants along the chain has a cached response applicable to that request. The following illustrates the resulting chain if B has a cached copy of an earlier response from O (via C) for a request which has not been cached by UA or A.

          request chain ---------->
       UA -----v----- A -----v----- B - - - - - - C - - - - - - O
          <--------- response chain

On the Internet, HTTP communication generally takes place over TCP/IP connections. The default port is TCP 80 [19], but other ports can be used. This does not preclude HTTP from being implemented on top of any other protocol on the Internet, or on other networks. HTTP only presumes a reliable transport; any protocol that provides such guarantees can be used, and the mapping of the HTTP/1.1 request and response structures onto the transport data units of the protocol in question is outside the scope of this specification.

For most implementations, each connection is established by the client prior to the request and closed by the server after sending the response. However, this is not a feature of the protocol and is not required by this specification. Both clients and servers must be capable of handling cases where either party closes the connection prematurely, due to user action, automated time-out, or program failure. In any case, the closing of the connection by either or both parties always terminates the current request, regardless of its status.

2. Notational Conventions and Generic Grammar

2.1 Augmented BNF

name = definition

The name of a rule is simply the name itself (without any enclosing "<" and ">") and is separated from its definition by the equal character "=". Whitespace is only significant in that indentation of continuation lines is used to indicate a rule definition that spans more than one line. Certain basic rules are in uppercase, such as SP, LWS, HT, CRLF, DIGIT, ALPHA, etc. Angle brackets are used within definitions whenever their presence will facilitate discerning the use of rule names.

"literal"

Quotation marks surround literal text. Unless stated otherwise, the text is case-insensitive.

rule1 | rule2

Elements separated by a bar ("I") are alternatives, e.g., "yes | no" will accept yes or no.

(rule1 rule2)

Elements enclosed in parentheses are treated as a single element. Thus, "(elem (foo | bar) elem)" allows the token sequences "elem foo elem" and "elem bar elem".

*rule

The character "*" preceding an element indicates repetition. The full form is "<n>*<m>element" indicating at least <n> and at most <m> occurrences of element. Default values are 0 and infinity so that "*(element)" allows any number, including zero; "1*element" requires at least one; and "1*2element" allows one or two.

[rule]

Square brackets enclose optional elements; "[foo bar]" is equivalent to "*1(foo bar)".

N rule

Specific repetition: "<n>(element)" is equivalent to "<n>*<n>(element)"; that is, exactly <n> occurrences of (element). Thus 2DIGIT is a 2-digit number, and 3ALPHA is a string of three alphabetic characters.

#rule

A construct "#" is defined, similar to "*", for defining lists of elements. The full form is "<n>#<m>element" indicating at least <n> and at most <m> elements, each separated by one or more commas (",") and optional linear whitespace (LWS). This makes the usual form of lists very easy; a rule such as "( *LWS element *( *LWS "," *LWS element ))" can be shown as "1#element". Wherever this construct is used, null elements are allowed, but do not contribute to the count of elements present. That is, "(element), , (element)" is permitted, but counts as only two elements. Therefore, where at least one element is required, at least one non-null element must be present. Default values are 0 and infinity so that "#(element)" allows any number, including zero; "1#element" requires at least one; and "1#2element" allows one or two.

; comment

A semi-colon, set off some distance to the right of rule text, starts a comment that continues to the end of line. This is a simple way of including useful notes in parallel with the specifications.

implied *LWS

The grammar described by this specification is word-based. Except where noted otherwise, linear whitespace (LWS) can be included between any two adjacent words (token or quoted-string), and between adjacent tokens and delimiters (tspecials), without changing the interpretation of a field. At least one delimiter (tspecials) must exist between any two tokens, since they would otherwise be interpreted as a single token. However, applications should attempt to follow "common form" when generating HTTP constructs, since there exist some implementations that fail to accept anything beyond the common forms.

2.2 Basic Rules

       OCTET          = <any 8-bit sequence of data>
       CHAR           = <any US-ASCII character (octets 0 - 127)>
       UPALPHA        = <any US-ASCII uppercase letter "A".."Z">
       LOALPHA        = <any US-ASCII lowercase letter "a".."z">
       ALPHA          = UPALPHA | LOALPHA
       DIGIT          = <any US-ASCII digit "0".."9">
       CTL            = <any US-ASCII control character
                        (octets 0 - 31) and DEL (127)>
       CR             = <US-ASCII CR, carriage return (13)>
       LF             = <US-ASCII LF, linefeed (10)>
       SP             = <US-ASCII SP, space (32)>
       HT             = <US-ASCII HT, horizontal-tab (9)>
       <">            = <US-ASCII double-quote mark (34)>

       CRLF           = CR LF

       LWS            = [CRLF] 1*( SP | HT )

       TEXT           = <any OCTET except CTLs,
                        but including LWS>

Hexadecimal numeric characters are used in several protocol elements.

       HEX            = "A" | "B" | "C" | "D" | "E" | "F"
                      | "a" | "b" | "c" | "d" | "e" | "f" | DIGIT

       word           = token | quoted-string

       token          = 1*<any CHAR except CTLs or tspecials>

       tspecials      = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

       comment        = "(" *( ctext | comment ) ")"
       ctext          = <any TEXT excluding "(" and ")">

       quoted-string  = ( <"> *(qdtext) <"> )

       qdtext         = <any CHAR except <"> and CTLs,
                        but including LWS>

       quoted-pair    = "\" CHAR

       bag            = "{" bagname 1*LWS *bagitem "}"
       bagname        = token | URI
       bagitem        = bag | token | quoted-string

3. Protocol Parameters

3.1 HTTP Version

The version of an HTTP message is indicated by an HTTP-Version field in the first line of the message. If the protocol version is not specified, the recipient must assume that the message is in the simple HTTP/0.9 format [6].

       HTTP-Version   = "HTTP" "/" 1*DIGIT "." 1*DIGIT

Applications sending Full-Request or Full-Response messages, as defined by this specification, must include an HTTP-Version of "HTTP/1.1". Use of this version number indicates that the sending application is at least conditionally compliant with this specification.

HTTP/1.1 servers must:

• recognize the format of the Request-Line for HTTP/0.9, 1.0, and 1.1 requests;
• understand any valid request in the format of HTTP/0.9, 1.0, or 1.1;
• respond appropriately with a message in the same major version used by the client.

HTTP/1.1 clients must:

• recognize the format of the Status-Line for HTTP/1.0 and 1.1 responses;
• understand any valid response in the format of HTTP/0.9, 1.0, or 1.1.

3.2 Uniform Resource Identifiers

3.2.1 General Syntax

       URI            = ( absoluteURI | relativeURI ) [ "#" fragment ]

       absoluteURI    = scheme ":" *( uchar | reserved )

       relativeURI    = net_path | abs_path | rel_path

       net_path       = "//" net_loc [ abs_path ]
       abs_path       = "/" rel_path
       rel_path       = [ path ] [ ";" params ] [ "?" query ]

       path           = fsegment *( "/" segment )
       fsegment       = 1*pchar
       segment        = *pchar

       params         = param *( ";" param )
       param          = *( pchar | "/" )

       scheme         = 1*( ALPHA | DIGIT | "+" | "-" | "." )
       net_loc        = *( pchar | ";" | "?" )
       query          = *( uchar | reserved )
       fragment       = *( uchar | reserved )

       pchar          = uchar | ":" | "@" | "&" | "="
       uchar          = unreserved | escape
       unreserved     = ALPHA | DIGIT | safe | extra | national

       escape         = "%" HEX HEX
       reserved       = ";" | "/" | "?" | ":" | "@" | "&" | "="
       extra          = "!" | "*" | "'" | "(" | ")" | ","
       safe           = "$" | "-" | "_" | "." | "+"
       unsafe         = CTL | SP | <"> | "#" | "%" | "<" | ">"
       national       = <any OCTET excluding ALPHA, DIGIT,
                        reserved, extra, safe, and unsafe>

3.2.2 http URL

       http_URL       = "http:" "//" host [ ":" port ] [ abs_path ]

       host           = <A legal Internet host domain name
                         or IP address (in dotted-decimal form),
                         as defined by Section 2.1 of RFC 1123>

       port           = *DIGIT

Note: Although the HTTP protocol is independent of the transport layer protocol, the http URL only identifies resources by their TCP location, and thus non-TCP resources must be identified by some other URI scheme.

3.3 Date/Time Formats

3.3.1 Full Date

       Sun, 06 Nov 1994 08:49:37 GMT    ; RFC 822, updated by RFC 1123
       Sunday, 06-Nov-94 08:49:37 GMT   ; RFC 850, obsoleted by RFC 1036
       Sun Nov  6 08:49:37 1994         ; ANSI C's asctime() format

Note: Recipients of date values are encouraged to be robust in accepting date values that may have been generated by non-HTTP applications, as is sometimes the case when retrieving or posting messages via proxies/gateways to SMTP or NNTP.

       HTTP-date      = rfc1123-date | rfc850-date | asctime-date

       rfc1123-date   = wkday "," SP date1 SP time SP "GMT"
       rfc850-date    = weekday "," SP date2 SP time SP "GMT"
       asctime-date   = wkday SP date3 SP time SP 4DIGIT

       date1          = 2DIGIT SP month SP 4DIGIT
                        ; day month year (e.g., 02 Jun 1982)
       date2          = 2DIGIT "-" month "-" 2DIGIT
                        ; day-month-year (e.g., 02-Jun-82)
       date3          = month SP ( 2DIGIT | ( SP 1DIGIT ))
                        ; month day (e.g., Jun  2)

       time           = 2DIGIT ":" 2DIGIT ":" 2DIGIT
                        ; 00:00:00 - 23:59:59

       wkday          = "Mon" | "Tue" | "Wed"
                      | "Thu" | "Fri" | "Sat" | "Sun"

       weekday        = "Monday" | "Tuesday" | "Wednesday"
                      | "Thursday" | "Friday" | "Saturday" | "Sunday"

       month          = "Jan" | "Feb" | "Mar" | "Apr"
                      | "May" | "Jun" | "Jul" | "Aug"
                      | "Sep" | "Oct" | "Nov" | "Dec"

Note: HTTP requirements for the date/time stamp format apply only to their usage within the protocol stream. Clients and servers are not required to use these formats for user presentation, request logging, etc.

3.3.2 Delta Seconds

       delta-seconds  = 1*DIGIT

3.4 Character Sets

The term "character set" is used in this document to refer to a method used with one or more tables to convert a sequence of octets into a sequence of characters. Note that unconditional conversion in the other direction is not required, in that not all characters may be available in a given character set and a character set may provide more than one sequence of octets to represent a particular character. This definition is intended to allow various kinds of character encodings, from simple single-table mappings such as US-ASCII to complex table switching methods such as those that use ISO 2022's techniques. However, the definition associated with a MIME character set name must fully specify the mapping to be performed from octets to characters. In particular, use of external profiling information to determine the exact mapping is not permitted.

       charset = "US-ASCII"
               | "ISO-8859-1" | "ISO-8859-2" | "ISO-8859-3"
               | "ISO-8859-4" | "ISO-8859-5" | "ISO-8859-6"
               | "ISO-8859-7" | "ISO-8859-8" | "ISO-8859-9"
               | "ISO-2022-JP" | "ISO-2022-JP-2" | "ISO-2022-KR"
               | "UNICODE-1-1" | "UNICODE-1-1-UTF-7" | "UNICODE-1-1-UTF-8"
               | token

Note: This use of the term "character set" is more commonly referred to as a "character encoding." However, since HTTP and MIME share the same registry, it is important that the terminology also be shared.

3.5 Content Codings

       content-coding          = "gzip" | "compress" | token

Note: For historical reasons, HTTP applications should consider "x-gzip" and
"x-compress" to be equivalent to "gzip" and "compress", respectively.

gzip

An encoding format produced by the file compression program "gzip" (GNU zip) developed by Jean-loup Gailly. This format is typically a Lempel-Ziv coding (LZ77) with a 32 bit CRC. Gzip is available from the GNU project at <URL:ftp://prep.ai.mit.edu/pub/gnu/>.

compress

The encoding format produced by the file compression program "compress". This format is an adaptive Lempel-Ziv-Welch coding (LZW).

Note: Use of program names for the identification of encoding formats is not desirable and should be discouraged for future encodings. Their use here is representative of historical practice, not good design.

3.6 Transfer Codings

       transfer-coding         = "chunked" | token

Transfer codings are analogous to the Content-Transfer-Encoding values of MIME [7], which were designed to enable safe transport of binary data over a 7-bit transport service. However, "safe transport" has a different focus for an 8bit-clean transfer protocol. In HTTP, the only unsafe characteristic of message bodies is the difficulty in determining the exact body length (Section 7.2.2), or the desire to encrypt data over a shared transport.

All HTTP/1.1 applications must be able to receive and decode the "chunked" transfer coding. The chunked encoding modifies the body of a message in order to transfer it as a series of chunks, each with its own size indicator, followed by an optional footer containing entity-header fields. This allows dynamically-produced content to be transferred along with the information necessary for the recipient to verify that it has received the full message.

       Chunked-Body   = *chunk
                        "0" CRLF
                        footer
                        CRLF

       chunk          = chunk-size CRLF
                        chunk-data CRLF

       chunk-size     = hex-no-zero *HEX
       chunk-data     = chunk-size(OCTET)

       footer         = *<Entity-Header, excluding Content-Length
                          and Transfer-Encoding>

       hex-no-zero    = <HEX excluding "0">

3.7 Media Types

       media-type     = type "/" subtype *( ";" parameter )
       type           = token
       subtype        = token

       parameter      = attribute "=" value
       attribute      = token
       value          = token | quoted-string

If a given media-type value has been registered by the IANA, any use of that value must be indicative of the registered data format. Although HTTP allows the use of non-registered media types, such usage must not conflict with the IANA registry. Data providers are strongly encouraged to register their media types with IANA via the procedures outlined in RFC 1590 [17].

All media-type's registered by IANA must be preferred over extension tokens. However, HTTP does not limit applications to the use of officially registered media types, nor does it encourage the use of an "x-" prefix for unofficial types outside of explicitly short experimental use between consenting applications.

3.7.1 Canonicalization and Text Defaults

HTTP redefines the canonical form of text media to allow multiple octet sequences to indicate a text line break. In addition to the preferred form of CRLF, HTTP applications must accept a bare CR or LF alone as representing a single line break in text media. Furthermore, if the text media is represented in a character set which does not use octets 13 and 10 for CR and LF respectively, as is the case for some multi-byte character sets, HTTP allows the use of whatever octet sequence(s) is defined by that character set to represent the equivalent of CRLF, bare CR, and bare LF. It is assumed that any recipient capable of using such a character set will know the appropriate octet sequence for representing line breaks within that character set.

Note: This interpretation of line breaks applies only to the contents of an Entity-Body and only after any Transfer-Encoding and/or Content-Encoding has been removed. All other HTTP constructs use CRLF exclusively to indicate a line break. Content and transfer codings define their own line break requirements.

HTTP also redefines the default character set for text media in an entity body. If a textual media type defines a charset parameter with a registered default value of "US-ASCII", HTTP changes the default to be "ISO-8859-1". Since the ISO-8859-1 [22] character set is a superset of US-ASCII [21], this does not affect the interpretation of entity bodies which only contain octets within the US-ASCII character set (0 - 127). The presence of a charset parameter value in a Content-Type header field overrides the default.

It is recommended that the character set of an entity body be labelled as the lowest common denominator of the character codes used within a document, with the exception that no label is preferred over the labels US-ASCII or ISO-8859-1.

3.7.2 Multipart Types

In HTTP, multipart body-parts may contain header fields which are significant to the meaning of that part. A URI entity-header field (Section 10.42) should be included in the body-part for each enclosed entity that can be identified by a URI.

In general, an HTTP user agent should follow the same or similar behavior as a MIME user agent would upon receipt of a multipart type. The following subtypes have been defined:

multipart/mixed

The mixed subtype is used when there are no additional semantics implied beyond the fact that one or more entities are encaspsulated. HTTP servers should not use this type to send groups of entities if it is possible for those entities to be individually retrieved and cached.

multipart/alternative

The alternative subtype implies that each of the parts is an alternative format for the same information; the user agent should present only the part most preferred by the user. HTTP servers should use some form of content negotiation (Section 12) instead of this type.

multipart/digest

The digest subtype implies that each of the parts is a message (normally of type "message/rfc822") and thus the whole entity is a collected sequence of message traffic. This type does not have any special significance for HTTP.

multipart/form-data

The form-data subtype is defined by RFC 1867 [15] for use in submitting the data that comes about from filling-in a form.

multipart/parallel

The parallel subtype implies that the parts should be presented simultaneously by the user agent. This media type would be appropriate for situations where simultaneous presentation is an important aspect of the information, such as for audio-annotated slides.

Note: This document does not define what is meant by "simultaneous presentation". That is, HTTP does not provide any means of synchronization between the parts in messages of type "multipart/parallel".

3.8 Product Tokens

       product         = token ["/" product-version]
       product-version = token

       User-Agent: CERN-LineMode/2.15 libwww/2.17b3

       Server: Apache/0.8.4

3.9 Quality Values

       qvalue         = ( "0" [ "." 0*3DIGIT ] )
                      | ( "." 0*3DIGIT )
                      | ( "1" [ "." 0*3("0") ] )

3.10 Language Tags

The syntax and registry of HTTP language tags is the same as that defined by RFC 1766 [1]. In summary, a language tag is composed of 1 or more parts: A primary language tag and a possibly empty series of subtags:

        language-tag  = primary-tag *( "-" subtag )

        primary-tag   = 1*8ALPHA
        subtag        = 1*8ALPHA

       en, en-US, en-cockney, i-cherokee, x-pig-latin

In the context of the Accept-Language header (Section 10.4), a language tag is not to be interpreted as a single token, as per RFC 1766, but as a hierarchy. A server should consider that it has a match when a language tag received in an Accept-Language header matches the initial portion of the language tag of a document. An exact match should be preferred. This interpretation allows a browser to send, for example:

       Accept-Language: en-US, en; ql=0.95

Note: Using the language tag as a hierarchy does not imply that all languages with a common prefix will be understood by those fluent in one or more of those languages; it simply allows the user to request this commonality when it is true for that user.

3.11 Logic Bags

       logic-bag      = "{" expression "}"

       expression     = ( log-op 1*logic-bag )
                      | ( rel-op 1*field-tuple )
                      | ( "def" 1*field-name )

       log-op         = "and" | "or" | "xor" | "not"
       rel-op         = "eq" | "ne" | "lt" | "le" | "ge" | "gt" | "in"

       field-tuple    = "{" field-name ( bag | token | quoted-string ) "}"

       {or {ne {Content-MD5 "Q2hlY2sgSW50ZWdyaXR5IQ=="}}
           {ne {Content-Length 10036}}
           {ne {Content-Version "12.4.8"}}
           {gt {Last-Modified "Mon, 04 Dec 1995 01:23:45 GMT"}}}

       {eq {A "a"} {B "b"} {C "c"}}

       {and {eq {A "a"}} {eq {B "b"}} {eq {C "c"}}}

and

True if all of the operands evaluate true.

or

True if any of the operands evaluate true.

xor

True if one and only one operand evaluates true.

not

True if all of the operands evaluate false.

eq

True if all field-tuple values exactly match the resource's corresponding field values.

ne

True if all field-tuple values do not match the resource's corresponding field values.

lt

True if, for each field-tuple, the resource's corresponding field value is less than the one given in the expression.

le

True if, for each field-tuple, the resource's corresponding field value is less than or equal to the one given in the expression.

ge

True if, for each field-tuple, the resource's corresponding field value is greater than or equal to the one given in the expression.

gt

True if, for each field-tuple, the resource's corresponding field value is greater than the one given in the expression.

in

True if, for each field-tuple, the resource's corresponding field value contains the component value given in the expression.

def

True if, for each field-name operand, the resource defines a value for that field.

Except for "ne", any comparison to a field not defined by the resource evaluates to false.

4. HTTP Message

4.1 Message Types

       HTTP-message   = Simple-Request            ; HTTP/0.9 messages
                      | Simple-Response
                      | Full-Request              ; HTTP/1.1 messages
                      | Full-Response

       Full-Request   = Request-Line              ; Section 5.1
                        *( General-Header         ; Section 4.3
                         | Request-Header         ; Section 5.2
                         | Entity-Header )        ; Section 7.1
                        CRLF
                        [ Entity-Body ]           ; Section 7.2

       Full-Response  = Status-Line               ; Section 6.1
                        *( General-Header         ; Section 4.3
                         | Response-Header        ; Section 6.2
                         | Entity-Header )        ; Section 7.1
                        CRLF
                        [ Entity-Body ]           ; Section 7.2

       Simple-Request  = "GET" SP Request-URI CRLF

       Simple-Response = [ Entity-Body ]

4.2 Message Headers

       HTTP-header    = field-name ":" [ field-value ] CRLF

       field-name     = token
       field-value    = *( field-content | LWS )

       field-content  = <the OCTETs making up the field-value
                        and consisting of either *TEXT or combinations
                        of token, tspecials, and quoted-string>

Multiple HTTP-header fields with the same field-name may be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It must be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma.

4.3 General Header Fields

       General-Header = Cache-Control            ; Section 10.8
                      | Connection               ; Section 10.9
                      | Date                     ; Section 10.17
                      | Forwarded                ; Section 10.20
                      | Keep-Alive               ; Section 10.24
                      | MIME-Version             ; Section 10.28
                      | Pragma                   ; Section 10.29
                      | Upgrade                  ; Section 10.41

5. Request

       Request        = Simple-Request | Full-Request

       Simple-Request = "GET" SP Request-URI CRLF

       Full-Request   = Request-Line              ; Section 5.1
                        *( General-Header         ; Section 4.3
                         | Request-Header         ; Section 5.2
                         | Entity-Header )        ; Section 7.1
                        CRLF
                        [ Entity-Body ]           ; Section 7.2

5.1 Request-Line

       Request-Line   = Method SP Request-URI SP HTTP-Version CRLF

5.1.1 Method

       Method         = "OPTIONS"                ; Section 8.1
                      | "GET"                    ; Section 8.2
                      | "HEAD"                   ; Section 8.3
                      | "POST"                   ; Section 8.4
                      | "PUT"                    ; Section 8.5
                      | "PATCH"                  ; Section 8.6
                      | "COPY"                   ; Section 8.7
                      | "MOVE"                   ; Section 8.8
                      | "DELETE"                 ; Section 8.9
                      | "LINK"                   ; Section 8.10
                      | "UNLINK"                 ; Section 8.11
                      | "TRACE"                  ; Section 8.12
                      | "WRAPPED"                ; Section 8.13
                      | extension-method

       extension-method = token

The methods GET and HEAD must be supported by all general-purpose servers. Servers which provide Last-Modified dates for resources must also support the conditional GET method. All other methods are optional; however, if the above methods are implemented, they must be implemented with the same semantics as those specified in Section 8.

5.1.2 Request-URI

       Request-URI    = "*" | absoluteURI | abs_path

       OPTIONS * HTTP/1.1

       GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1

       GET /pub/WWW/TheProject.html HTTP/1.1

If a proxy receives a request without any path in the Request-URI and the method used is capable of supporting the asterisk form of request, then the last proxy on the request chain must forward the request with "*" as the final Request-URI. For example, the request

       OPTIONS http://www.ics.uci.edu:8001 HTTP/1.1

       OPTIONS * HTTP/1.1

The Request-URI is transmitted as an encoded string, where some characters may be escaped using the "% hex hex" encoding defined by RFC 1738 [4]. The origin server must decode the Request-URI in order to properly interpret the request.

5.2 Request Header Fields

       Request-Header = Accept                   ; Section 10.1
                      | Accept-Charset           ; Section 10.2
                      | Accept-Encoding          ; Section 10.3
                      | Accept-Language          ; Section 10.4
                      | Authorization            ; Section 10.6
                      | From                     ; Section 10.21
                      | Host                     ; Section 10.22
                      | If-Modified-Since        ; Section 10.23
                      | Proxy-Authorization      ; Section 10.31
                      | Range                    ; Section 10.33
                      | Referer                  ; Section 10.34
                      | Unless                   ; Section 10.40
                      | User-Agent               ; Section 10.43

6. Response

       Response        = Simple-Response | Full-Response

       Simple-Response = [ Entity-Body ]

       Full-Response   = Status-Line               ; Section 6.1
                         *( General-Header         ; Section 4.3
                          | Response-Header        ; Section 6.2
                          | Entity-Header )        ; Section 7.1
                         CRLF
                         [ Entity-Body ]           ; Section 7.2

6.1 Status-Line

       Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF

       "HTTP/" 1*DIGIT "." 1*DIGIT SP 3DIGIT SP

6.1.1 Status Code and Reason Phrase

The first digit of the Status-Code defines the class of response. The last two digits do not have any categorization role. There are 5 values for the first digit:

• 1xx: Informational - Request received, continuing process
• 2xx: Success - The action was successfully received, understood, and accepted
• 3xx: Redirection - Further action must be taken in order to complete the request
• 4xx: Client Error - The request contains bad syntax or cannot be fulfilled
• 5xx: Server Error - The server failed to fulfill an apparently valid request

       Status-Code    = "100"   ; Continue
                      | "101"   ; Switching Protocols
                      | "200"   ; OK
                      | "201"   ; Created
                      | "202"   ; Accepted
                      | "203"   ; Non-Authoritative Information
                      | "204"   ; No Content
                      | "205"   ; Reset Content
                      | "206"   ; Partial Content
                      | "300"   ; Multiple Choices
                      | "301"   ; Moved Permanently
                      | "302"   ; Moved Temporarily
                      | "303"   ; See Other
                      | "304"   ; Not Modified
                      | "305"   ; Use Proxy
                      | "400"   ; Bad Request
                      | "401"   ; Unauthorized
                      | "402"   ; Payment Required
                      | "403"   ; Forbidden
                      | "404"   ; Not Found
                      | "405"   ; Method Not Allowed
                      | "406"   ; None Acceptable
                      | "407"   ; Proxy Authentication Required
                      | "408"   ; Request Timeout
                      | "409"   ; Conflict
                      | "410"   ; Gone
                      | "411"   ; Length Required
                      | "412"   ; Unless True
                      | "500"   ; Internal Server Error
                      | "501"   ; Not Implemented
                      | "502"   ; Bad Gateway
                      | "503"   ; Service Unavailable
                      | "504"   ; Gateway Timeout
                      | extension-code

       extension-code = 3DIGIT

       Reason-Phrase  = *<TEXT, excluding CR, LF>

6.2 Response Header Fields

       Response-Header = Location                ; Section 10.27
                       | Proxy-Authenticate      ; Section 10.30
                       | Public                  ; Section 10.32
                       | Retry-After             ; Section 10.36
                       | Server                  ; Section 10.37
                       | WWW-Authenticate        ; Section 10.44

7. Entity

7.1 Entity Header Fields

       Entity-Header  = Allow                    ; Section 10.5
                      | Content-Encoding         ; Section 10.10
                      | Content-Language         ; Section 10.11
                      | Content-Length           ; Section 10.12
                      | Content-MD5              ; Section 10.13
                      | Content-Range            ; Section 10.14
                      | Content-Type             ; Section 10.15
                      | Content-Version          ; Section 10.16
                      | Derived-From             ; Section 10.18
                      | Expires                  ; Section 10.19
                      | Last-Modified            ; Section 10.25
                      | Link                     ; Section 10.26
                      | Title                    ; Section 10.38
                      | Transfer-Encoding        ; Section 10.39
                      | URI-header               ; Section 10.42
                      | extension-header

       extension-header = HTTP-header

7.2 Entity Body

       Entity-Body    = *OCTET

For response messages, whether or not an entity body is included with a message is dependent on both the request method and the response code. All responses to the HEAD request method must not include a body, even though the presence of entity header fields may lead one to believe they do. All 1xx (informational), 204 (no content), and 304 (not modified) responses must not include a body. All other responses must include an entity body or a Content-Length header field defined with a value of zero (0).

7.2.1 Type

       entity-body :=
          Transfer-Encoding( Content-Encoding( Content-Type( data ) ) )

Any HTTP/1.1 message containing an entity body should include a Content-Type header field defining the media type of that body. If and only if the media type is not given by a Content-Type header, as is the case for Simple-Response messages, the recipient may attempt to guess the media type via inspection of its content and/or the name extension(s) of the URL used to identify the resource. If the media type remains unknown, the recipient should treat it as type "application/octet-stream".

7.2.2 Length

Note: Any response message which must not include an entity body (such as the 1xx, 204, and 304 responses and any response to a HEAD request) is always terminated by the first empty line after the header fields, regardless of the entity header fields present in the message.

If a request contains an entity body and Content-Length is not specified, the server should respond with 400 (bad request) if it cannot determine the length of the request message's content, or with 411 (length required) if it wishes to insist on receiving a valid Content-Length.

Messages must not include both a Content-Length header field and the "chunked" transfer coding. If both are received, the Content-Length must be ignored.

When a Content-Length is given in a message where an entity body is allowed, its field value must exactly match the number of OCTETs in the entity body. HTTP/1.1 user agents must notify the user when an invalid length is received and detected.

8. Method Definitions

The semantics of all methods may be affected by the presence of an Unless request header field, as described in Section 10.40.

8.1 OPTIONS

Unless the server's response is an error, the response must not include entity information other than what can be considered as communication options (e.g., Allow is appropriate, but Content-Type is not) and must include a Content-Length with a value of zero (0). Responses to this method are not cachable.

If the Request-URI is an asterisk ("*"), the OPTIONS request is intended to apply to the server as a whole. A 200 response should include any header fields which indicate optional features implemented by the server (e.g., Public), including any extensions not defined by this specification, in addition to any applicable general or response header fields. As described in Section 5.1.2, an "OPTIONS *" request can be applied through a proxy by specifying the destination server in the Request-URI without any path information.

If the Request-URI is not an asterisk, the OPTIONS request applies only to the options that are available when communicating with that resource. A 200 response should include any header fields which indicate optional features implemented by the server and applicable to that resource (e.g., Allow), including any extensions not defined by this specification, in addition to any applicable general or response header fields. If the OPTIONS request passes through a proxy, the proxy must edit the response to exclude those options known to be unavailable through that proxy.

8.2 GET

The semantics of the GET method change to a "conditional GET" if the request message includes an If-Modified-Since header field. A conditional GET method requests that the identified resource be transferred only if it has been modified since the date given by the If-Modified-Since header, as described in Section 10.23. The conditional GET method is intended to reduce unnecessary network usage by allowing cached entities to be refreshed without requiring multiple requests or transferring data already held by the client.

The semantics of the GET method change to a "partial GET" if the request message includes a Range header field. A partial GET requests that only part of the identified resource be transferred, as described in Section 10.33. The partial GET method is intended to reduce unnecessary network usage by allowing partially-retrieved entities to be completed without transferring data already held by the client.

The response to a GET request may be cachable if and only if it meets the requirements for HTTP caching described in Section 13.

8.3 HEAD

The response to a HEAD request may be cachable in the sense that the information contained in the response may be used to update a previously cached entity from that resource. If the new field values indicate that the cached entity differs from the current resource (as would be indicated by a change in Content-Length, Content-MD5, or Content-Version), then the cache must discard the cached entity.

There is no "conditional HEAD" or "partial HEAD" request analogous to those associated with the GET method. If an If-Modified-Since and/or Range header field is included with a HEAD request, they should be ignored.

8.4 POST

• Annotation of existing resources;
• Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles;
• Providing a block of data, such as the result of submitting a form [5], to a data-handling process;
• Extending a database through an append operation.

HTTP/1.1 allows for a two-phase process to occur in accepting and processing a POST request. If the media type of the posted entity is not "application/x-www-form-urlencoded" [5], an HTTP/1.1 client must pause between sending the message header fields (including the empty line signifying the end of the headers) and sending the message body; the duration of the pause is five (5) seconds or until a response is received from the server, whichever is shorter. If no response is received during the pause period, or if the initial response is 100 (continue), the client may continue sending the POST request. If the response indicates an error, the client must discontinue the request and close the connection with the server after reading the response.

Upon receipt of a POST request, the server must examine the header fields and determine whether or not the client should continue its request. If any of the header fields indicate the request is insufficient or unacceptable to the server (i.e., will result in a 4xx or 5xx response), or if the server can determine the response without reading the entity body (e.g., a 301 or 302 response due to an old Request-URI), the server must send that response immediately upon its determination. If, on the other hand, the request appears (at least initially) to be acceptable and the client has indicated HTTP/1.1 compliance, the server must transmit an interim 100 response message after receiving the empty line terminating the request headers and continue processing the request. After processing has finished, a final response message must be sent to indicate the actual result of the request. A 100 response should not be sent in response to an HTTP/1.0 request except under experimental conditions, since an HTTP/1.0 client may mistake the 100 response for the final response.

For compatibility with HTTP/1.0 applications, all POST requests must include a valid Content-Length header field unless the server is known to be HTTP/1.1 compliant. When sending a POST request to an HTTP/1.1 server, a client must use at least one of: a valid Content-Length, a multipart Content-Type, or the "chunked" Transfer-Encoding. The server should respond with a 400 (bad request) message if it cannot determine the length of the request message's content, or with 411 (length required) if it wishes to insist on receiving a valid Content-Length.

The client can suggest one or more URIs for the new resource by including a URI header field in the request. However, the server should treat those URIs as advisory and may store the entity under a different URI, additional URIs, or without any URI.

The client may apply relationships between the new resource and other existing resources by including Link header fields, as described in Section 10.26. The server may use the Link information to perform other operations as a result of the new resource being added. For example, lists and indexes might be updated. However, no mandatory operation is imposed on the origin server. The origin server may also generate its own or additional links to other resources.

A successful POST does not require that the entity be created as a resource on the origin server or made accessible for future reference. That is, the action performed by the POST method might not result in a resource that can be identified by a URI. In this case, either 200 (ok) or 204 (no content) is the appropriate response status, depending on whether or not the response includes an entity that describes the result.

If a resource has been created on the origin server, the response should be 201 (created) and contain an entity (preferably of type "text/html") which describes the status of the request and refers to the new resource.

Responses to this method are not cachable. However, the 303 (see other) response can be used to direct the user agent to retrieve a cachable resource.

8.5 PUT

If the request passes through a cache and the Request-URI identifies a currently cached entity, that entity must be removed from the cache. Responses to this method are not cachable.

The fundamental difference between the POST and PUT requests is reflected in the different meaning of the Request-URI. The URI in a POST request identifies the resource that will handle the enclosed entity as an appendage. That resource may be a data-accepting process, a gateway to some other protocol, or a separate entity that accepts annotations. In contrast, the URI in a PUT request identifies the entity enclosed with the request -- the user agent knows what URI is intended and the server must not attempt to apply the request to some other resource. If the server desires that the request be applied to a different URI, it must send a 301 (moved permanently) response; the user agent may then make its own decision regarding whether or not to redirect the request.

A single resource may be identified by many different URIs. For example, an article may have a URI for identifying "the current version" which is separate from the URI identifying each particular version. In this case, a PUT request on a general URI may result in several other URIs being defined by the origin server. The user agent should be informed of these URIs via one or more URI header fields in the response.

HTTP/1.1 allows for a two-phase process to occur in accepting and processing a PUT request. An HTTP/1.1 client must pause between sending the message header fields (including the empty line signifying the end of the headers) and sending the message body; the duration of the pause is five (5) seconds or until a response is received from the server, whichever is shorter. If no response is received during the pause period, or if the initial response is 100 (continue), the client may continue sending the PUT request. If the response indicates an error, the client must discontinue the request and close the connection with the server after reading the response.

Upon receipt of a PUT request, the server must examine the header fields and determine whether or not the client should continue its request. If any of the header fields indicate the request is insufficient or unacceptable to the server (i.e., will result in a 4xx or 5xx response), or if the server can determine the response without reading the entity body (e.g., a 301 or 302 response due to an old Request-URI), the server must send that response immediately upon its determination. If, on the other hand, the request appears (at least initially) to be acceptable and the client has indicated HTTP/1.1 compliance, the server must transmit an interim 100 response message after receiving the empty line terminating the request headers and continue processing the request. After processing has finished, a final response message must be sent to indicate the actual result of the request. A 100 response should not be sent in response to an HTTP/1.0 request except under experimental conditions, since an HTTP/1.0 client may mistake the 100 response for the final response.

For compatibility with HTTP/1.0 applications, all PUT requests must include a valid Content-Length header field unless the server is known to be HTTP/1.1 compliant. When sending a PUT request to an HTTP/1.1 server, a client must use at least one of: a valid Content-Length, a multipart Content-Type, or the "chunked" Transfer-Encoding. The server should respond with a 400 (bad request) message if it cannot determine the length of the request message's content, or with 411 (length required) if it wishes to insist on receiving a valid Content-Length.

The client can create or modify relationships between the enclosed entity and other existing resources by including Link header fields, as described in Section 10.26. As with POST, the server may use the Link information to perform other operations as a result of the request. However, no mandatory operation is imposed on the origin server. The origin server may generate its own or additional links to other resources.

The actual method for determining how the resource is placed, and what happens to its predecessor, is defined entirely by the origin server. If version control is implemented by the origin server, then Link relationships should be defined by the server to help identify and control revisions to a resource. If the entity being PUT was derived from an existing resource which included a Content-Version header field, the new entity must include a Derived-From header field corresponding to the value of the original Content-Version header field. Multiple Derived-From values may be included if the entity was derived from multiple resources with Content-Version information. Applications are encouraged to use these fields for constructing versioning relationships and resolving version conflicts.

8.6 PATCH

If the request passes through a cache and the Request-URI identifies a currently cached entity, that entity must be removed from the cache. Responses to this method are not cachable.

HTTP/1.1 allows for a two-phase process to occur in accepting and processing a PATCH request. An HTTP/1.1 client must pause between sending the message header fields (including the empty line signifying the end of the headers) and sending the message body; the duration of the pause is five (5) seconds or until a response is received from the server, whichever is shorter. If no response is received during the pause period, or if the initial response is 100 (continue), the client may continue sending the PATCH request. If the response indicates an error, the client must discontinue the request and close the connection with the server after reading the response.

Upon receipt of a PATCH request, the server must examine the header fields and determine whether or not the client should continue its request. If any of the header fields indicate the request is insufficient or unacceptable to the server (i.e., will result in a 4xx or 5xx response), or if the server can determine the response without reading the entity body (e.g., a 301 or 302 response due to an old Request-URI), the server must send that response immediately upon its determination. If, on the other hand, the request appears (at least initially) to be acceptable and the client has indicated HTTP/1.1 compliance, the server must transmit an interim 100 response message after receiving the empty line terminating the request headers and continue processing the request. After processing has finished, a final response message must be sent to indicate the actual result of the request. A 100 response should not be sent in response to an HTTP/1.0 request except under experimental conditions, since an HTTP/1.0 client may mistake the 100 response for the final response.

For compatibility with HTTP/1.0 applications, all PATCH requests must include a valid Content-Length header field unless the server is known to be HTTP/1.1 compliant. When sending a PATCH request to an HTTP/1.1 server, a client must use at least one of: a valid Content-Length, a multipart Content-Type, or the "chunked" Transfer-Encoding. The server should respond with a 400 (bad request) message if it cannot determine the length of the request message's content, or with 411 (length required) if it wishes to insist on receiving a valid Content-Length.

The client can create or modify relationships between the new resource and other existing resources by including Link header fields, as described in Section 10.26. As with POST, the server may use the Link information to perform other operations as a result of the request. However, no mandatory operation is imposed on the origin server. The origin server may generate its own or additional links to other resources.

The actual method for determining how the patched resource is placed, and what happens to its predecessor, is defined entirely by the origin server. If version control is implemented by the origin server, then Link relationships should be defined by the server to help identify and control revisions to a resource. If the original version of the resource being patched included a Content-Version header field, the request entity must include a Derived-From header field corresponding to the value of the original Content-Version header field. Applications are encouraged to use these fields for constructing versioning relationships and resolving version conflicts.

8.7 COPY

8.8 MOVE

If the request passes through a cache and the Request-URI identifies a currently cached entity, that entity must be removed from the cache. Responses to this method are not cachable.

8.9 DELETE

A successful response should be 200 (ok) if the response includes an entity describing the status, 202 (accepted) if the action has not yet been enacted, or 204 (no content) if the response is OK but does not include an entity.

If the request passes through a cache and the Request-URI identifies a currently cached entity, that entity must be removed from the cache. Responses to this method are not cachable.

8.10 LINK

If the request passes through a cache and the Request-URI identifies a currently cached entity, that entity must be removed from the cache. Responses to this method are not cachable.

8.11 UNLINK

If the request passes through a cache and the Request-URI identifies a currently cached entity, that entity must be removed from the cache. Responses to this method are not cachable.

8.12 TRACE

If successful, the response should contain the entire, unedited request message in the entity body, with a Content-Type of "message/http", "application/http", or "text/plain". Responses to this method are not cachable.

8.13 WRAPPED

Responses to this method are not cachable. Applications should not use this method for making requests that would normally be public and cachable.

The request entity must include at least one encapsulated message, with the media type identifying the protocol of that message. For example, if the wrapped request is another HTTP request message, then the media type must be either "message/http" (for a single message) or "application/http" (for a request stream containing one or more requests), with any codings identied by the Content-Encoding and Transfer-Encoding header fields.

HTTP/1.1 allows for a two-phase process to occur in accepting and processing a WRAPPED request. An HTTP/1.1 client must pause between sending the message header fields (including the empty line signifying the end of the headers) and sending the message body; the duration of the pause is five (5) seconds or until a response is received from the server, whichever is shorter. If no response is received during the pause period, or if the initial response is 100 (continue), the client may continue sending the WRAPPED request. If the response indicates an error, the client must discontinue the request and close the connection with the server after reading the response.

Upon receipt of a WRAPPED request, the server must examine the header fields and determine whether or not the client should continue its request. If any of the header fields indicate the request is insufficient or unacceptable to the server (i.e., will result in a 4xx or 5xx response), or if the server can determine the response without reading the entity body (e.g., a 301 or 302 response due to an old Request-URI), the server must send that response immediately upon its determination. If, on the other hand, the request appears (at least initially) to be acceptable and the client has indicated HTTP/1.1 compliance, the server must transmit an interim 100 response message after receiving the empty line terminating the request headers and continue processing the request. After processing has finished, a final response message must be sent to indicate the actual result of the request. A 100 response should not be sent in response to an HTTP/1.0 request except under experimental conditions, since an HTTP/1.0 client may mistake the 100 response for the final response.

For compatibility with HTTP/1.0 applications, all WRAPPED requests must include a valid Content-Length header field unless the server is known to be HTTP/1.1 compliant. When sending a WRAPPED request to an HTTP/1.1 server, a client must use at least one of: a valid Content-Length, a multipart Content-Type, or the "chunked" Transfer-Encoding. The server should respond with a 400 (bad request) message if it cannot determine the length of the request message's content, or with 411 (length required) if it wishes to insist on receiving a valid Content-Length.

9. Status Code Definitions

9.1 Informational 1xx

100 Continue

101 Switching Protocols

The protocol should only be switched when it is advantageous to do so. For example, switching to a newer version of HTTP is advantageous over older versions, and switching to a real-time, synchronous protocol may be advantageous when delivering resources that use such features.

9.2 Successful 2xx

200 OK

GET

an entity corresponding to the requested resource is sent in the response;

HEAD

the response must only contain the header information and no Entity-Body;

POST

an entity describing or containing the result of the action;

TRACE

an entity containing the request message as received by the end server;

otherwise,

an entity describing the result of the action;

201 Created

202 Accepted

The 202 response is intentionally non-committal. Its purpose is to allow a server to accept a request for some other process (perhaps a batch-oriented process that is only run once per day) without requiring that the user agent's connection to the server persist until the process is completed. The entity returned with this response should include an indication of the request's current status and either a pointer to a status monitor or some estimate of when the user can expect the request to be fulfilled.

203 Non-Authoritative Information

204 No Content

The 204 response must not include an entity body, and thus is always ternminated by the first empty line after the header fields.

205 Reset Content

206 Partial Content

9.3 Redirection 3xx

300 Multiple Choices

301 Moved Permanently

If the new URI is a single location, its URL must be given by the Location field in the response. If more than one URI exists for the resource, the primary URL should be given in the Location field and the other URIs given in one or more URI-header fields. Unless it was a HEAD request, the Entity-Body of the response should contain a short hypertext note with a hyperlink to the new URI(s).

If the 301 status code is received in response to a request other than GET or HEAD, the user agent must not automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

302 Moved Temporarily

If the new URI is a single location, its URL must be given by the Location field in the response. If more than one URI exists for the resource, the primary URL should be given in the Location field and the other URIs given in one or more URI-header fields. Unless it was a HEAD request, the Entity-Body of the response should contain a short hypertext note with a hyperlink to the new URI(s).

If the 302 status code is received in response to a request other than GET or HEAD, the user agent must not automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

303 See Other

If the new URI is a single location, its URL must be given by the Location field in the response. If more than one URI exists for the resource, the primary URL should be given in the Location field and the other URIs given in one or more URI-header fields. Unless it was a HEAD request, the Entity-Body of the response should contain a short hypertext note with a hyperlink to the new URI(s).

304 Not Modified

A cache should update its cached entity to reflect any new field values given in the 304 response. If the new field values indicate that the cached entity differs from the current resource (as would be indicated by a change in Content-Length, Content-MD5, or Content-Version), then the cache must disregard the 304 response and repeat the request without an If-Modified-Since field.

The 304 response must not include an entity body, and thus is always ternminated by the first empty line after the header fields.

305 Use Proxy

9.4 Client Error 4xx

Note: If the client is sending data, server implementations on TCP should be careful to ensure that the client acknowledges receipt of the packet(s) containing the response prior to closing the input connection. If the client continues sending data to the server after the close, the server's controller will send a reset packet to the client, which may erase the client's unacknowledged input buffers before they can be read and interpreted by the HTTP application.

400 Bad Request

401 Unauthorized

402 Payment Required

403 Forbidden

404 Not Found

405 Method Not Allowed

406 None Acceptable

407 Proxy Authentication Required

408 Request Timeout

409 Conflict

Conflicts are most likely to occur in response to a PUT or PATCH request. If versioning is being used and the entity being PUT or PATCHed includes changes to a resource which conflict with those made by an earlier (third-party) request, the server may use the 409 response to indicate that it can't complete the request. In this case, the response entity should contain a list of the differences between the two versions in a format defined by the response Content-Type.

410 Gone

The 410 response is primarily intended to assist the task of web maintenance by notifying the recipient that the resource is intentionally unavailable and that the server owners desire that remote links to that resource be removed. Such an event is common for limited-time, promotional services and for resources belonging to individuals no longer working at the server's site. It is not necessary to mark all permanently unavailable resources as "gone" or to keep the mark for any length of time -- that is left to the discretion of the server owner.

411 Length Required

412 Unless True

9.5 Server Error 5xx

500 Internal Server Error

501 Not Implemented

502 Bad Gateway

503 Service Unavailable

Note: The existence of the 503 status code does not imply that a server must use it when becoming overloaded. Some servers may wish to simply refuse the connection.

504 Gateway Timeout

10. Header Field Definitions

10.1 Accept

The field may be folded onto several lines and more than one occurrence of the field is allowed, with the semantics being the same as if all the entries had been in one field value.

       Accept         = "Accept" ":" #(
                             media-range
                             [ ";" "q" "=" qvalue ]
                             [ ";" "mxb" "=" 1*DIGIT ] )

       media-range    = ( "*/*"
                        | ( type "/" "*" )
                        | ( type "/" subtype )
                        ) *( ";" parameter )

The example

       Accept: audio/*; q=0.2, audio/basic

If no Accept header is present, then it is assumed that the client accepts all media types with quality factor 1. This is equivalent to the client sending the following accept header field:

       Accept: */*; q=1

       Accept: */*

A more elaborate example is

       Accept: text/plain; q=0.5, text/html,
               text/x-dvi; q=0.8; mxb=100000, text/x-c

Media ranges can be overridden by more specific media ranges or specific media types. If more than one media range applies to a given type, the most specific reference has precedence. For example,

       Accept: text/*, text/html, text/html;version=2.0, */*

       1) text/html;version=2.0
       2) text/html
       3) text/*
       4) */*

       Accept: text/*;q=0.3, text/html;q=0.7, text/html;version=2.0,
               */*;q=0.5

       text/html;version=2.0                      = 1
       text/html                                  = 0.7
       text/plain                                 = 0.3
       image/jpeg                                 = 0.5
       text/html;level=3                          = 0.7

Note: A user agent may be provided with a default set of quality values for certain media ranges. However, unless the user agent is a closed system which cannot interact with other rendering agents, this default set should be configurable by the user.

10.2 Accept-Charset

       Accept-Charset = "Accept-Charset" ":" 1#charset

       Accept-Charset: iso-8859-1, unicode-1-1

10.3 Accept-Encoding

       Accept-Encoding         = "Accept-Encoding" ":" 
                                 #( content-coding )

       Accept-Encoding: compress, gzip

10.4 Accept-Language

       Accept-Language         = "Accept-Language" ":"
                                 1#( language-tag [ ";" "q" "=" qvalue ] )

       Accept-Language: da, en-gb;q=0.8, de;q=0.55

If the server cannot fulfill the request with one or more of the languages given, or if the languages only represent a subset of a multi-linguistic Entity-Body, it is acceptable to serve the request in an unspecified language. This is equivalent to assigning a quality value of "q=0.001" to any unlisted language.

If no Accept-Language header is present in the request, the server should assume that all languages are equally acceptable.

Note: As intelligibility is highly dependent on the individual user, it is recommended that client applications make the choice of linguistic preference available to the user. If the choice is not made available, then the Accept-Language header field must not be given in the request.

10.5 Allow

       Allow          = "Allow" ":" 1#method

       Allow: GET, HEAD, PUT

The Allow header field may be provided with a PUT request to recommend the methods to be supported by the new or modified resource. The server is not required to support these methods and should include an Allow header in the response giving the actual supported methods.

A proxy must not modify the Allow header field even if it does not understand all the methods specified, since the user agent may have other means of communicating with the origin server.

The Allow header field does not indicate what methods are implemented at the server level. Servers may use the Public response header field (Section 10.32) to describe what methods are implemented on the server as a whole.

10.6 Authorization

       Authorization  = "Authorization" ":" credentials

Responses to requests containing an Authorization field are not cachable.

10.7 Base

10.8 Cache-Control

       Cache-Control   = "Cache-Control" ":" 1#cache-directive

       cache-directive = "cachable"
                       | "max-age" "=" delta-seconds
                       | "private" [ "=" <"> 1#field-name <"> ]
                       | "no-cache" [ "=" <"> 1#field-name <"> ]

The "cachable" directive indicates that the entire response message is cachable unless required otherwise by HTTP restrictions on the request method and response code. In other words, this directive indicates that the server believes the response to be cachable. This directive applies only to responses and must not be used with any other cache directive.

When the "max-age" directive is present in a request message, an application must forward the request toward the origin server if it has no cached copy, or refresh its cached copy if it is older than the age value given (in seconds) prior to returning a response. A cached copy's age is determined by the cached message's Date header field, or the equivalent as stored by the cache manager.

In most cases, a cached copy can be refreshed by forwarding a conditional GET request toward the origin server with the stored message's Last-Modified value in the If-Modified-Since field. The Unless header field may be used to add further restrictions to the modification test on the server. If a 304 (not modified) response is received, the cache should replace the cached message's Date with that of the 304 response and send this refreshed message as the response. Any other response should be forwarded directly to the requestor and, depending on the response code and the discretion of the cache manager, may replace the message in the cache.

When the "max-age" directive is present in a cached response message, an application must refresh the message if it is older than the age value given (in seconds) at the time of a new request for that resource. The behavior should be equivalent to what would occur if the request had included the max-age directive. If both the new request and the cached message have max-age specified, then the lesser of the two values must be used. A max-age value of zero (0) forces a cache to perform a refresh (If-Modified-Since) on every request. The max-age directive on a response implies that the server believes it to be cachable.

The "private" directive indicates that parts of the response message are intended for a single user and must not be cached except within a private (non-shared) cache controlled by the user agent. If no list of field names is given, then the entire message is private; otherwise, only the information within the header fields identified by the list of names is private and the remainder of the message is believed to be cachable by any application. This allows an origin server to state that the specified parts of the message are intended for only one user and are not a valid response for requests by other agents. The "private" directive is only applicable to responses and must not be generated by clients.

Note: This usage of the word "private" implies only that the message must not be cached publically; it does not ensure the privacy of the message content.

The "no-cache" directive on a response message indicates that parts of the message must never be cached. If no list of field names is given, then the entire message must not be cached; otherwise, only the information within the header fields identified by the list of names must not be cached and the remainder of the message is believed to be cachable. This allows an origin server to state that the specified parts of the message are intended for only one recipient and must not be stored unless the user explicitly requests it through a separate action.

The max-age, private, and no-cache directives may be used in combination to define the cachability of each part of the message. In all cases, no-cache takes precedence over private, which in turn takes precedence over max-age.

Cache directives must be passed through by a proxy or gateway application, regardless of their significance to that application, since the directives may be applicable to all recipients along the request/response chain. It is not possible to specify a cache-directive for a specific cache.

10.9 Connection

       Connection     = "Connection" ":" 1#field-name

Whether or not the listed field-name(s) occur as header fields in the message is optional. If no corresponding header field is present, then the field name is treated as a keyword. Keywords are useful for indicating a desired option without assigning parameters to that option. This allows for a minimal syntax to provide connection-based options without pre-restricting the syntax or number of those options. HTTP/1.1 only defines the "keep-alive" keyword.

The semantics of Connection are defined by HTTP/1.1 in order to provide a safe transition to connection-based features. Connection header fields received in an HTTP/1.0 message, as would be the case if an older proxy mistakenly forwards the field, cannot be trusted and must be discarded except under experimental conditions.

10.9.1 Persistent Connections

As an example, a client would send

       Connection: Keep-Alive

       Connection: Keep-Alive

The Keep-Alive header field (Section 10.24) may be used to include diagnostic information and other optional parameters. For example, the server may responds with

       Connection: Keep-Alive
       Keep-Alive: timeout=10, max=5

The persistent connection ends when either side closes the connection or after the receipt of a response which lacks the "keep-alive" keyword. The server may close the connection immediately after responding to a request without a "keep-alive" keyword. A client can tell if the connection will be closed by looking for a "keep-alive" in the response.

10.10 Content-Encoding

       Content-Encoding        = "Content-Encoding" ":" 1#content-coding

       Content-Encoding: gzip

If multiple encodings have been applied to a resource, the content codings must be listed in the order in which they were applied. Additional information about the encoding parameters may be provided by other Entity-Header fields not defined by this specification.

10.11 Content-Language

       Content-Language        = "Content-Language" ":" 1#language-tag

       Content-Language: dk

Multiple languages may be listed for content that is intended for multiple audiences. For example, a rendition of the "Treaty of Waitangi," presented simultaneously in the original Maori and English versions, would call for

       Content-Language: mi, en

Content-Language may be applied to any media type -- it should not be limited to textual documents.

10.12 Content-Length

       Content-Length = "Content-Length" ":" 1*DIGIT

       Content-Length: 3495

Any Content-Length greater than or equal to zero is a valid value. Section 7.2.2 describes how to determine the length of an Entity-Body if a Content-Length is not given.

Note: The meaning of this field is significantly different from the corresponding definition in MIME, where it is an optional field used within the "message/external-body" content-type. In HTTP, it should be used whenever the entity's length can be determined prior to being transferred.

10.13 Content-MD5

10.14 Content-Range

10.15 Content-Type

       Content-Type   = "Content-Type" ":" media-type

       Content-Type: text/html; charset=ISO-8859-4

10.16 Content-Version

       Content-Version = "Content-Version" ":" quoted-string

       Content-Version: "2.1.2"

       Content-Version: "Fred 19950116-12:26:48"

       Content-Version: "2.5a4-omega7"

10.17 Date

       Date           = "Date" ":" HTTP-date

       Date: Tue, 15 Nov 1994 08:12:31 GMT

In theory, the date should represent the moment just before the entity is generated. In practice, the date can be generated at any time during the message origination without affecting its semantic value.

Note: An earlier version of this document incorrectly specified that this field should contain the creation date of the enclosed Entity-Body. This has been changed to reflect actual (and proper) usage.

10.18 Derived-From

       Derived-From   = "Derived-From" ":" quoted-string

       Derived-From: "2.1.1"

10.19 Expires

       Expires        = "Expires" ":" HTTP-date

       Expires: Thu, 01 Dec 1994 16:00:00 GMT

The Expires field cannot be used to force a user agent to refresh its display or reload a resource; its semantics apply only to caching mechanisms, and such mechanisms need only check a resource's expiration status when a new request for that resource is initiated.

User agents often have history mechanisms, such as "Back" buttons and history lists, which can be used to redisplay an entity retrieved earlier in a session. By default, the Expires field does not apply to history mechanisms. If the entity is still in storage, a history mechanism should display it even if the entity has expired, unless the user has specifically configured the agent to refresh expired history documents.

Note: Applications are encouraged to be tolerant of bad or misinformed implementations of the Expires header. A value of zero (0) or an invalid date format should be considered equivalent to an "expires immediately." Although these values are not legitimate for HTTP/1.1, a robust implementation is always desirable.

10.20 Forwarded

       Forwarded      = "Forwarded" ":" #( "by" URI [ "(" product ")" ]
                        [ "for" FQDN ] )

       FQDN           = <Fully-Qualified Domain Name>

       Forwarded: by http://info.cern.ch:8000/ for ptsun00.cern.ch

10.21 From

       From           = "From" ":" mailbox

       From: webmaster@w3.org

The Internet e-mail address in this field may be separate from the Internet host which issued the request. For example, when a request is passed through a proxy the original issuer's address should be used.

Note: The client should not send the From header field without the user's approval, as it may conflict with the user's privacy interests or their site's security policy. It is strongly recommended that the user be able to disable, enable, and modify the value of this field at any time prior to a request.

10.22 Host

       Host           = "Host" ":" host          ; Section 3.2.2

       Host: www.w3.org

10.23 If-Modified-Since

       If-Modified-Since = "If-Modified-Since" ":" HTTP-date

       If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT

a)

If the request would normally result in anything other than a 200 (ok) status, or if the passed If-Modified-Since date is invalid, the response is exactly the same as for a normal GET. A date which is later than the server's current time is invalid.

b)

If the resource has been modified since the If-Modified-Since date, the response is exactly the same as for a normal GET.

c)

If the resource has not been modified since a valid If-Modified-Since date, the server must return a 304 (not modified) response.

10.24 Keep-Alive

       Keep-Alive     = "Keep-Alive" ":" 1#kaparam

       kaparam        = ( "timeout" "=" delta-seconds )
                      | ( "max" "=" 1*DIGIT )
                      | ( attribute [ "=" value ] )

HTTP/1.1 defines semantics for the optional "timeout" and "max" parameters on responses; other parameters may be added and the field may also be used on request messages. The "timeout" parameter allows the server to indicate, for diagnostic purposes only, the amount of time in seconds it is currently allowing between when the response was generated and when the next request is received from the client (i.e., the request timeout limit). Similarly, the "max" parameter allows the server to indicate the maximum additional requests that it will allow on the current persistent connection.

For example, the server may respond to a request for a persistent connection with

       Connection: Keep-Alive
       Keep-Alive: timeout=10, max=5

10.25 Last-Modified

       Last-Modified  = "Last-Modified" ":" HTTP-date

       Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT

An origin server must not send a Last-Modified date which is later than the server's time of message origination. In such cases, where the resource's last modification would indicate some time in the future, the server must replace that date with the message origination date.

10.26 Link

       Link           = "Link" ":" #("<" URI ">"
                        [ ";" "rel" "=" relationship ]
                        [ ";" "rev" "=" relationship ]
                        [ ";" "title" "=" quoted-string ] )

       relationship   = sgml-name
                      | ( <"> sgml-name *( SP sgml-name) <"> )

       sgml-name      = ALPHA *( ALPHA | DIGIT | "." | "-" )

Examples of usage include:

       Link: <http://www.cern.ch/TheBook/chapter2>; rel="Previous"

       Link: <mailto:timbl@w3.org>; rev="Made"; title="Tim Berners-Lee"

10.27 Location

       Location       = "Location" ":" absoluteURI

       Location: http://www.w3.org/pub/WWW/People.html

10.28 MIME-Version

       MIME-Version   = "MIME-Version" ":" 1*DIGIT "." 1*DIGIT

10.29 Pragma

       Pragma                  = "Pragma" ":" 1#pragma-directive

       pragma-directive        = "no-cache" | extension-pragma
       extension-pragma        = token [ "=" word ]

Pragma directives must be passed through by a proxy or gateway application, regardless of their significance to that application, since the directives may be applicable to all recipients along the request/response chain. It is not possible to specify a pragma for a specific recipient; however, any pragma directive not relevant to a recipient should be ignored by that recipient.

10.30 Proxy-Authenticate

       Proxy-Authentication    = "Proxy-Authentication" ":" challenge

10.31 Proxy-Authorization

       Proxy-Authorization     = "Proxy-Authorization" ":" credentials

10.32 Public

       Public         = "Public" ":" 1#method

       Public: OPTIONS, MGET, MHEAD

10.33 Range

10.34 Referer

       Referer        = "Referer" ":" ( absoluteURI | relativeURI )

       Referer: http://www.w3.org/hypertext/DataSources/Overview.html

Note: Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

10.35 Refresh

10.36 Retry-After

       Retry-After    = "Retry-After" ":" ( HTTP-date | delta-seconds )

       Retry-After: Wed, 14 Dec 1994 18:22:54 GMT
       Retry-After: 120

10.37 Server

       Server         = "Server" ":" 1*( product | comment )

       Server: CERN/3.0 libwww/2.17

Note: Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Server implementors are encouraged to make this field a configurable option.

10.38 Title

       Title          = "Title" ":" *TEXT

       Title: Hypertext Transfer Protocol -- HTTP/1.1

10.39 Transfer Encoding

       Transfer-Encoding       = "Transfer-Encoding" ":" 1#transfer-coding

       Transfer-Encoding: chunked

10.40 Unless

       Unless         = "Unless" ":" 1#logic-bag

       Unless: {or {ne {Content-MD5 "Q2hlY2sgSW50ZWdyaXR5IQ=="}}
                   {ne {Content-Length 10036}}
                   {ne {Content-Version "12.4.8"}}
                   {gt {Last-Modified "Mon, 04 Dec 1995 01:23:45 GMT"}}}

       Unless: {eq {A "a"}}
       Unless: {eq {B "b"}}

       Unless: {eq {A "a"}},{eq {B "b"}}

       Unless: {or {eq {A "a"}} {eq {B "b"}}}

10.41 Upgrade

       Upgrade        = "Upgrade" ":" 1#product

       Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11

10.42 URI

       URI-header     = "URI" ":" 1#( uri-mirror | uri-name | uri-variant )

       uri-mirror     = "{" "mirror" <"> URI <"> "}"
       uri-name       = "{" "name" <"> URI <"> "}"
       uri-variant    = "{" "variant" <"> URI <"> qvalue
                            [ "{" "type" <"> media-type <"> "}" ]
                            [ "{" "language" <"> 1#language-tag <"> "}" ]
                            [ "{" "encoding" <"> 1#content-coding <"> "}" ]
                            [ "{" "length" 1*DIGIT "}" ]
                            [ "{" "user-agent" "}" ]
                        "}"

If the Request-URI maps to a set of variants, then the dimensions of that variance must be given in any response containing one of those variants. If the Location header field is present in a 2xx response, its value identifies which one of the variants is included with the response. An example is:

       Location: http://www.w3.org/pub/WWW/TheProject.en.html

       URI: {variant "TheProject.fr.html" 1.0
                    {type "text/html"} {language "fr"}},
            {variant "TheProject.en.html" 1.0
                    {type "text/html"} {language "en"}},
            {variant "TheProject.fr.txt" 0.7
                    {type "text/plain"} {language "fr"}},
            {variant "TheProject.en.txt" 0.8
                    {type "text/plain"} {language "en"}}

User agents may use this information to notify the user of additional formats and to guide the process of reactive content negotiation (Section 12).

10.43 User-Agent

       User-Agent     = "User-Agent" ":" 1*( product | comment )

       User-Agent: CERN-LineMode/2.15 libwww/2.17b3

10.44 WWW-Authenticate

       WWW-Authenticate        = "WWW-Authenticate" ":" 1#challenge

11. Access Authentication

       auth-scheme    = token

       auth-param     = token "=" quoted-string

       challenge      = auth-scheme 1*SP realm *( "," auth-param )

       realm          = "realm" "=" realm-value
       realm-value    = quoted-string

A user agent that wishes to authenticate itself with a server--usually, but not necessarily, after receiving a 401 or 411 response--may do so by including an Authorization header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.

       credentials    = basic-credentials
                      | auth-scheme *("," auth-param )

If the server does not wish to accept the credentials sent with a request, it should return a 401 (unauthorized) response. The response must include a WWW-Authenticate header field containing the (possibly new) challenge applicable to the requested resource and an entity explaining the refusal.

The HTTP protocol does not restrict applications to this simple challenge-response mechanism for access authentication. Additional mechanisms may be used, such as encryption at the transport level or via message encapsulation, and with additional header fields specifying authentication information. However, these additional mechanisms are not defined by this specification.

Proxies must be completely transparent regarding user agent authentication. That is, they must forward the WWW-Authenticate and Authorization headers untouched, and must not cache the response to a request containing Authorization.

HTTP/1.1 allows a client pass authentication information to and from a proxy via the Proxy-Authenticate and Proxy-Authorization headers.

11.1 Basic Authentication Scheme

Upon receipt of an unauthorized request for a URI within the protection space, the server should respond with a challenge like the following:

       WWW-Authenticate: Basic realm="WallyWorld"

To receive authorization, the client sends the user-ID and password, separated by a single colon (":") character, within a base64 [7] encoded string in the credentials.

       basic-credentials = "Basic" SP basic-cookie

       basic-cookie   = <base64 [7] encoding of userid-password,
                         except not limited to 76 char/line>

       userid-password = [ token ] ":" *TEXT

       Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

11.2 Digest Authentication Scheme

12. Content Negotiation

Servers that make use of content negotiated resources must include URI response headers which accurately describe the available variants, and include the relevant parameters necessary for the client (user agent or proxy) to evaluate those variants.

12.1 Preemptive Negotiation

The first step in the negotiation algorithm is for the server to determine whether or not there are any content variants for the requested resource. Content variants may be in the form of multiple preexisting entities or a set of dynamic conversion filters. These variants make up the set of entities which may be sent in response to a request for the given Request-URI. In most cases, there will only be one available form of the resource, and thus a single "variant".

For each variant form of the resource, the server identifies a set of quality values (Section 3.9) which act as weights for measuring the desirability of that resource as a response to the current request. The calculated weights are all real numbers in the range 0 through 1, where 0 is the minimum and 1 the maximum value. The maximum acceptable bytes for each media range and the size of the resource variant are also factors in the equation.

The following parameters are included in the calculation:

qs

Source quality is measured by the content provider as representing the amount of degradation from the original source. For example, a picture originally in JPEG form would have a lower qs when translated to the XBM format, and much lower qs when translated to an ASCII-art representation. Note, however, that this is a function of the source -- an original piece of ASCII-art may degrade in quality if it is captured in JPEG form. The qs value should be assigned to each variant by the content provider; if no qs value has been assigned, the default is generally "qs=1". A server may define its own default qs value based on the resource characteristics, but only if individual resources can override those defaults.

qe

Encoding quality is measured by comparing the variant's applied content-codings (Section 3.5) to those listed in the request message's Accept-Encoding field. If the variant has no assigned Content-Encoding, or if no Accept-Encoding field is present, the value assigned is "qe=1". If all of the variant's content encodings are listed in the Accept-Encoding field, then the value assigned is "qe=1". If any of the variant's content encodings are not listed in the provided Accept-Encoding field, then the value assigned is "qe=0".

qc

Charset quality is measured by comparing the variant media-type's charset parameter value (if any) to those character sets (Section 3.4) listed in the request message's Accept-Charset field. If the variant's media-type has no charset parameter, or the variant's charset is US-ASCII, or if no Accept-Charset field is present, then the value assigned is "qc=1". If the variant's charset is listed in the Accept-Charset field, then the value assigned is "qc=1". Otherwise, if the variant's charset is not listed in the provided Accept-Encoding field, then the value assigned is "qc=0".

ql

Language quality is measured by comparing the variant's assigned language tag(s) (Section 3.10) to those listed in the request message's Accept-Language field. If no variant has an assigned Content-Language, or if no Accept-Language field is present, the value assigned is "ql=1". If at least one variant has an assigned content language, but the one currently under consideration does not, then it should be assigned the value "ql=0.5". If any of the variant's content languages are listed in the Accept-Language field, then the value assigned is the maximum of the "q" parameter values for those language tags (Section 10.4); if there was no exact match and at least one of the Accept-Language field values is a complete subtag prefix of the content language tag(s), then the "q" parameter value of the largest matching prefix is used. If none of the variant's content language tags or tag prefixes are listed in the provided Accept-Language field, then the value assigned is "ql=0.001".

q

Media type quality is measured by comparing the variant's assigned media type (Section 3.7) to those listed in the request message's Accept field. If no Accept field is given, then the value assigned is "q=1". If at least one listed media range (Section 10.1) matches the variant's media type, then the "q" parameter value assigned to the most specific of those matched is used (e.g., "text/html;version=3.0" is more specific than "text/html", which is more specific than "text/*", which in turn is more specific than "*/*"). If no media range in the provided Accept field matches the variant's media type, then the value assigned is "q=0".

mxb

The maximum number of bytes in an Entity-Body that the client will accept is also obtained from the matching of the variant's assigned media type to those listed in the request message's Accept field. If no Accept field is given, or if no media range in the provided Accept field matches the variant's media type, then the value assigned is "mxb=undefined" (i.e., infinity). Otherwise, the value used is that given to the "mxb" parameter in the media range chosen above for the q value.

bs

The actual number of bytes in the Entity-Body for the variant when it is included in a response message. This should equal the value of Content-Length.

       Q(qs,qe,qc,ql,    { if mxb=undefined, then (qs*qe*qc*ql*q) }
         q,mxb,bs)     = { if mxb >= bs,     then (qs*qe*qc*ql*q) }
                         { if mxb <  bs,     then 0               }

If no variants remain with a value of Q greater than zero (0), the server should respond with a 406 (none acceptable) response message. If multiple variants remain with an equally high Q value, the server may either choose one from those available and respond with 200 (ok) or respond with 300 (multiple choices) and include an entity describing the choices. In the latter case, the entity should either be of type "text/html', such that the user can choose from among the choices by following an exact link, or of some type that would allow the user agent to perform the selection automatically.

The 300 (multiple choices) response can be given even if the server does not perform any winnowing of the representation choices via the content negotiation algorithm described above. Furthermore, it may include choices that were not considered as part of the negotiation algorithm and resources that may be located at other servers.

The algorithm presented above assumes that the user agent has correctly implemented the protocol and is accurately communicating its intentions in the form of Accept-related header fields. The server may alter its response if it knows that the particular version of user agent software making the request has incorrectly or inadequately implemented these fields.

13. Caching

14. Security Considerations

14.1 Authentication of Clients

14.2 Safe Methods

In particular, the convention has been established that the GET and HEAD methods should never have the significance of taking an action other than retrieval. These methods should be considered "safe." This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.

14.3 Abuse of Server Log Information

14.4 Transfer of Sensitive Information

Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Implementors should make the Server header field a configurable option.

Proxies which serve as a portal through a network firewall should take special precautions regarding the transfer of header information that identifies the hosts behind the firewall. In particular, they should remove, or replace with sanitized versions, any Forwarded fields generated behind the firewall.

The Referer field allows reading patterns to be studied and reverse links drawn. Although it can be very useful, its power can be abused if user details are not separated from the information contained in the Referer. Even when the personal information has been removed, the Referer field may indicate a private document's URI whose publication would be inappropriate.

The information sent in the From field might conflict with the user's privacy interests or their site's security policy, and hence it should not be transmitted without the user being able to disable, enable, and modify the contents of the field. The user must be able to set the contents of this field within a user preference or application defaults configuration.

We suggest, though do not require, that a convenient toggle interface be provided for the user to enable or disable the sending of From and Referer information.

15. Acknowledgments

The HTTP protocol has evolved considerably over the past four years. It has benefited from a large and active developer community--the many people who have participated on the www-talk mailing list--and it is that community which has been most responsible for the success of HTTP and of the World-Wide Web in general. Marc Andreessen, Robert Cailliau, Daniel W. Connolly, Bob Denny, John Franks, Jean-Francois Groff, Phillip M. Hallam-Baker, Håkon W. Lie, Ari Luotonen, Rob McCool, Lou Montulli, Dave Raggett, Tony Sanders, and Marc VanHeyningen deserve special recognition for their efforts in defining early aspects of the protocol.

This document has benefited greatly from the comments of all those participating in the HTTP-WG. In addition to those already mentioned, the following individuals have contributed to this specification:

       Gary Adams                         Harald Tveit Alvestrand
       Keith Ball                         Brian Behlendorf
       Paul Burchard                      Maurizio Codogno
       Mike Cowlishaw                     Roman Czyborra
       Michael A. Dolan                   Jim Gettys
       Marc Hedlund                       Koen Holtman
       Alex Hopmann                       Bob Jernigan
       Shel Kaphan                        Rohit Khare
       Martijn Koster                     Alexei Kosut
       Dave Kristol                       Daniel LaLiberte
       Paul Leach                         Albert Lunde
       John C. Mallery                    Jean-Philippe Martin-Flatin
       Larry Masinter                     Mitra
       Jeffrey Mogul                      Gavin Nicol
       Bill Perry                         Jeffrey Perry
       Owen Rees                          Luigi Rizzo
       David Robinson                     Marc Salomon
       Rich Salz                          Jim Seidman
       Chuck Shotton                      Eric W. Sink
       Simon E. Spero                     Richard N. Taylor
       Robert S. Thau                     François Yergeau
       Mary Ellen Zurko

16. References

[1]

H. Alvestrand. "Tags for the identification of languages." RFC 1766, UNINETT, March 1995.

[2]

F. Anklesaria, M. McCahill, P. Lindner, D. Johnson, D. Torrey, B. Alberti. "The Internet Gopher Protocol: A distributed document search and retrieval protocol." RFC 1436, University of Minnesota, March 1993.

[3]

T. Berners-Lee. "Universal Resource Identifiers in WWW: A Unifying Syntax for the Expression of Names and Addresses of Objects on the Network as used in the World-Wide Web." RFC 1630, CERN, June 1994.

[4]

T. Berners-Lee, L. Masinter, M. McCahill. "Uniform Resource Locators (URL)." RFC 1738, CERN, Xerox PARC, University of Minnesota, December 1994.

[5]

T. Berners-Lee, D. Connolly. "HyperText Markup Language Specification - 2.0." RFC 1866, MIT/LCS, November 1995.

[6]

T. Berners-Lee, R. Fielding, H. Frystyk. "Hypertext Transfer Protocol - HTTP/1.0." Work in Progress (draft-ietf-http-v10-spec-04.txt), MIT/LCS, UC Irvine, September 1995.

[7]

N. Borenstein, N. Freed. "MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies." RFC 1521, Bellcore, Innosoft, September 1993.

[8]

R. Braden. "Requirements for Internet hosts - application and support." STD 3, RFC 1123, IETF, October 1989.

[9]

D. H. Crocker. "Standard for the Format of ARPA Internet Text Messages." STD 11, RFC 822, UDEL, August 1982.

[10]

F. Davis, B. Kahle, H. Morris, J. Salem, T. Shen, R. Wang, J. Sui, M. Grinbaum. "WAIS Interface Protocol Prototype Functional Specification." (v1.5), Thinking Machines Corporation, April 1990.

[11]

R. Fielding. "Relative Uniform Resource Locators." RFC 1808, UC Irvine, June 1995.

[12]

M. Horton, R. Adams. "Standard for interchange of USENET messages." RFC 1036 (Obsoletes RFC 850), AT&T Bell Laboratories, Center for Seismic Studies, December 1987.

[13]

B. Kantor, P. Lapsley. "Network News Transfer Protocol: A Proposed Standard for the Stream-Based Transmission of News." RFC 977, UC San Diego, UC Berkeley, February 1986.

[14]

K. Moore. "MIME (Multipurpose Internet Mail Extensions) Part Two: Message Header Extensions for Non-ASCII Text." RFC 1522, University of Tennessee, September 1993.

[15]

E. Nebel, L. Masinter. "Form-based File Upload in HTML." RFC 1867, Xerox Corporation, November 1995.

[16]

J. Postel. "Simple Mail Transfer Protocol." STD 10, RFC 821, USC/ISI, August 1982.

[17]

J. Postel. "Media Type Registration Procedure." RFC 1590, USC/ISI, March 1994.

[18]

J. Postel, J. K. Reynolds. "File Transfer Protocol (FTP)." STD 9, RFC 959, USC/ISI, October 1985.

[19]

J. Reynolds, J. Postel. "Assigned Numbers." STD 2, RFC 1700, USC/ISI, October 1994.

[20]

K. Sollins, L. Masinter. "Functional Requirements for Uniform Resource Names." RFC 1737, MIT/LCS, Xerox Corporation, December 1994.

[21]

US-ASCII. Coded Character Set - 7-Bit American Standard Code for Information Interchange. Standard ANSI X3.4-1986, ANSI, 1986.

[22]

ISO-8859. International Standard -- Information Processing --
8-bit Single-Byte Coded Graphic Character Sets --
Part 1: Latin alphabet No. 1, ISO 8859-1:1987.
Part 2: Latin alphabet No. 2, ISO 8859-2, 1987.
Part 3: Latin alphabet No. 3, ISO 8859-3, 1988.
Part 4: Latin alphabet No. 4, ISO 8859-4, 1988.
Part 5: Latin/Cyrillic alphabet, ISO 8859-5, 1988.
Part 6: Latin/Arabic alphabet, ISO 8859-6, 1987.
Part 7: Latin/Greek alphabet, ISO 8859-7, 1987.
Part 8: Latin/Hebrew alphabet, ISO 8859-8, 1988.
Part 9: Latin alphabet No. 5, ISO 8859-9, 1990.

17. Authors' Addresses

Henrik Frystyk Nielsen
W3 Consortium
MIT Laboratory for Computer Science
545 Technology Square
Cambridge, MA 02139, U.S.A.
Fax: +1 (617) 258 8682
Email: frystyk@w3.org

Tim Berners-Lee
Director, W3 Consortium
MIT Laboratory for Computer Science
545 Technology Square
Cambridge, MA 02139, U.S.A.
Fax: +1 (617) 258 8682
Email: timbl@w3.org

Appendices

A. Internet Media Type message/http

       Media Type name:         message

       Media subtype name:      http

       Required parameters:     none

       Optional parameters:     version, msgtype

              version: The HTTP-Version number of the enclosed message 
                       (e.g., "1.1"). If not present, the version can be 
                       determined from the first line of the body.

              msgtype: The message type -- "request" or "response". If not 
                       present, the type can be determined from the first 
                       line of the body.

       Encoding considerations: only "7bit", "8bit", or "binary" are 
                                permitted

       Security considerations: none

B. Tolerant Applications

Clients should be tolerant in parsing the Status-Line and servers tolerant when parsing the Request-Line. In particular, they should accept any amount of SP or HT characters between fields, even though only a single SP is required.

The line terminator for HTTP-header fields is the sequence CRLF. However, we recommend that applications, when parsing such headers, recognize a single LF as a line terminator and ignore the leading CR.

C. Relationship to MIME

This appendix describes specific areas where HTTP differs from MIME. Proxies/gateways to MIME-compliant protocols must be aware of these differences and provide the appropriate conversions where necessary.

C.1 Conversion to Canonical Form

C.1.1 Representation of Line Breaks

Where it is possible, a proxy/gateway from HTTP to a MIME-compliant protocol should translate all line breaks within text/* media types to the MIME canonical form of CRLF. However, this may be complicated by the presence of a Content-Encoding and by the fact that HTTP allows the use of some character sets which do not use octets 13 and 10 to represent CR and LF, as is the case for some multi-byte character sets. If canonicalization is performed, the Content-Length header field value must be updated to reflect the new body length.

C.1.2 Default Character Set

       ;charset="iso-8859-1"

C.2 Conversion of Date Formats

C.3 Introduction of Content-Encoding

Note: Some experimental applications of Content-Type for Internet mail have used a media-type parameter of ";conversions=<content-coding>" to perform an equivalent function as Content-Encoding. However, this parameter is not part of the MIME specification at the time of this writing.

C.4 No Content-Transfer-Encoding

       Content-Transfer-Encoding: binary

An HTTP client may include a Content-Transfer-Encoding as an extension Entity-Header in a POST request when it knows the destination of that request is a proxy/gateway to a MIME-compliant protocol.

C.5 Introduction of Transfer-Encoding

       length := 0
       read chunk-size and CRLF
       while (chunk-size > 0) {
          read chunk-data and CRLF
          append chunk-data to Entity-Body
          length := length + chunk-size
          read chunk-size and CRLF
       }
       read entity-header
       while (entity-header not empty) {
          append entity-header to existing header fields
          read entity-header
       }
       Content-Length := length
       Remove "chunked" from Transfer-Encoding

D. Changes from HTTP/1.0