draft-ietf-httpbis-safe-method-w-body.xml

<?xml version="1.0"?>
<?rfc toc="yes"?>
<?rfc strict="yes"?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc-ext xml2rfc-backend="202007"?>
<?github-issue-label safe-method-w-body?>
<!DOCTYPE rfc [
  <!ENTITY MAY "<bcp14>MAY</bcp14>">
  <!ENTITY MUST "<bcp14>MUST</bcp14>">
  <!ENTITY MUST-NOT "<bcp14>MUST NOT</bcp14>">
  <!ENTITY OPTIONAL "<bcp14>OPTIONAL</bcp14>">
  <!ENTITY RECOMMENDED "<bcp14>RECOMMENDED</bcp14>">
  <!ENTITY REQUIRED "<bcp14>REQUIRED</bcp14>">
  <!ENTITY SHALL "<bcp14>SHALL</bcp14>">
  <!ENTITY SHALL-NOT "<bcp14>SHALL NOT</bcp14>">
  <!ENTITY SHOULD "<bcp14>SHOULD</bcp14>">
  <!ENTITY SHOULD-NOT "<bcp14>SHOULD NOT</bcp14>">
]>
<rfc category="std" ipr="trust200902" docName="draft-ietf-httpbis-safe-method-w-body-latest" submissionType="IETF" version="3" xmlns:xi="http://www.w3.org/2001/XInclude">
  <front>
    <title>
      The HTTP QUERY Method
    </title>

    <author initials="J." surname="Reschke" fullname="Julian Reschke">
      <organization abbrev="greenbytes">greenbytes GmbH</organization>
      <address>
        <postal>
          <street>Hafenweg 16</street>
          <city>Münster</city><code>48155</code>
          <country>Germany</country>
        </postal>
        <email>julian.reschke@greenbytes.de</email>
        <uri>https://greenbytes.de/tech/webdav/</uri>
      </address>
    </author>
    <author initials="A." surname="Malhotra" fullname="Ashok Malhotra">
      <address>
        <email>malhotrasahib@gmail.com</email>
      </address>
    </author>
     <author initials="J.M." surname="Snell" fullname="James M Snell">
      <address>
        <email>jasnell@gmail.com</email>
      </address>
    </author>
    <author initials="M." surname="Bishop" fullname="Mike Bishop">
      <organization>Akamai</organization>
      <address>
        <email>mbishop@evequefou.be</email>
      </address>
    </author>

    <date/>

    <area>Web and Internet Transport</area>
    <workgroup>HTTP</workgroup>
    <keyword>http</keyword>
    <keyword>query</keyword>
    <keyword>method</keyword>

    <abstract>
      <t>
        This specification defines a new HTTP method, QUERY, as a safe, idempotent
        request method that can carry request content.
      </t>
    </abstract>

    <note title="Editorial Note" removeInRFC="true">
      <t>
        Discussion of this draft takes place on the HTTP working group
        mailing list (ietf-http-wg@w3.org), which is archived at
        <eref target="https://lists.w3.org/Archives/Public/ietf-http-wg/"/>.
      </t>
      <t>
        Working Group information can be found at <eref target="https://httpwg.org/"/>;
        source code and issues list for this draft can be found at
        <eref target="https://github.com/httpwg/http-extensions/labels/safe-method-w-body"/>.
      </t>
      <t>
        The changes in this draft are summarized in <xref target="changes.since.02"/>.
      </t>
    </note>

  </front>

  <middle>

  <section anchor="intro" title="Introduction">

    <t>
      This specification defines the HTTP QUERY request method as a means of
      making a safe, idempotent request that contains content.
    </t>

    <t>
      Most often, this is desirable when the data conveyed in a request is
      too voluminous to be encoded into the request's URI. For example, while
      this is an common and interoperable query:
    </t>

<artwork type="http-message">
GET /feed?q=foo&amp;limit=10&amp;sort=-published HTTP/1.1
Host: example.org
</artwork>

    <t>
      if the query parameters extend to several kilobytes or more of
      data it may not be, because many implementations place limits on their size. Often these limits are not
      known or discoverable ahead of time, because a request can pass through many uncoordinated
      systems. Additionally, expressing some data in the target URI is inefficient, because it
      needs to be encoded to be a valid URI.
    </t>

    <t>
      Encoding query parameters directly into the request URI also effectively
      casts every possible combination of query inputs as distinct
      resources. Depending on the application, that may not be desirable.
    </t>

    <t>
      As an alternative to using GET, many implementations make use of the
      HTTP POST method to perform queries, as illustrated in the example
      below. In this case, the input parameters to the query operation are
      passed along within the request content as opposed to using the
      request URI.
    </t>

    <t>
      A typical use of HTTP POST for requesting a query:
    </t>
<artwork type="http-message">
POST /feed HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded

q=foo&amp;limit=10&amp;sort=-published
</artwork>

    <t>
      This variation, however, suffers from the same basic limitation as GET
      in that it is not readily apparent -- absent specific knowledge of the
      resource and server to which the request is being sent -- that a safe,
      idempotent query is being performed.
    </t>

    <t>
      The QUERY method provides a solution that spans the gap between the use of GET and POST. As
      with POST, the input to the query operation is passed along within the content of the request
      rather than as part of the request URI. Unlike POST, however, the method is explicitly safe
      and idempotent, allowing functions like caching and automatic retries to operate.
    </t>

    <t>
      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
      "MAY", and "OPTIONAL" in this document are to be interpreted as
      described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
      appear in all capitals, as shown here.
    </t>

  </section>

  <section title="QUERY" anchor="query">

    <t>
      The QUERY method is used to initiate a server-side query. Unlike
      the HTTP GET method, which requests that a server return a
      representation of the resource identified by the target URI
      (as defined by <xref target="HTTP" section="7.1"/>), the QUERY
      method is used to ask the server to perform a query operation
      (described by the request content) over some set of data scoped to the
      effective request URI. The content returned in response to a QUERY
      cannot be assumed to be a representation of the resource identified by
      the effective request URI.
    </t>

    <t>
      The content of the request defines the query. Implementations &MAY; use
      a request content of any media type with the QUERY method, provided that it
      has appropriate query semantics.
    </t>

    <t>
      QUERY requests are both safe and idempotent with regards to the
      resource identified by the request URI. That is, QUERY requests do not
      alter the state of the targeted resource. However, while processing a
      QUERY request, a server can be expected to allocate computing and memory
      resources or even create additional HTTP resources through which the
      response can be retrieved.
    </t>

    <t>
      A successful response to a QUERY request is expected to provide some
      indication as to the final disposition of the operation. For
      instance, a successful query that yields no results can be represented
      by a 204 No Content response. If the response includes content,
      it is expected to describe the results of the operation.
      In some cases, the server may choose to respond indirectly to the QUERY
      request by returning a 3xx Redirection with a Location header field specifying
      an alternate Request URI from which the results can be retrieved
      using an HTTP GET request. Various non-normative examples of successful
      QUERY responses are illustrated in <xref target="examples" />.
    </t>

    <t>
      The semantics of the QUERY method change to a "conditional QUERY" if
      the request message includes an If-Modified-Since, If-Unmodified-
      Since, If-Match, If-None-Match, or If-Range header field
      (<xref target="HTTP" sectionFormat="comma" section="13"/>).  A conditional QUERY requests that the query
      be performed only under the circumstances described by the conditional
      header field(s). It is important to note, however, that such conditions
      are evaluated against the state of the target resource itself as opposed
      to the collected results of the query operation.
    </t>

    <section title="Caching">

      <t>
        The response to a QUERY method is cacheable; a cache &MAY; use it to satisfy subsequent
        QUERY requests as per <xref target="HTTP-CACHING" section="4"/>).
      </t>

      <t>
        The cache key for a query (see <xref target="HTTP-CACHING" section="2"/>) &MUST;
        incorporate the request content. When doing so, caches &SHOULD; first normalize request
        content to remove semantically insignificant differences, thereby improving cache
        efficiency, by:
      </t>

      <ul>
        <li>Removing content encoding(s)</li>
        <li>Normalizing based upon knowledge of format conventions, as indicated by the any media type suffix in the request's Content-Type field (e.g., "+json")</li>
        <li>Normalizing based upon knowledge of the semantics of the content itself, as indicated by the request's Content-Type field.</li>
      </ul>

      <t>
        Note that any such normalization is performed solely for the purpose of generating a cache key; it
        does not change the request itself.
      </t>

    </section>

  </section>

  <section title="The &quot;Accept-Query&quot; Header Field" anchor="field.accept-query">
    <t>
      The "Accept-Query" response header field &MAY; be used by a resource to
      directly signal support for the QUERY method while identifying
      the specific query format media type(s) that may be used.
    </t>
<sourcecode type="abnf">
Accept-Query = 1#media-type
</sourcecode>
    <t>
      The Accept-Query header field specifies a comma-separated listing of media
      types (with optional parameters) as defined by
      <xref target="HTTP" section="8.3.1"/>.
    </t>
    <t>
      The order of types listed by the Accept-Query header field is not significant.
    </t>
    <t>
      Accept-Query's value applies to every URI on the server that shares the same path; in
      other words, the query component is ignored. If requests to the same resource return
      different Accept-Query values, the most recently received fresh (per
      <xref target="HTTP-CACHING" section="4.2"/>) value is used.
    </t>
  </section>

  <section title="Examples" anchor="examples">

    <t>
      The non-normative examples in this section make use of a simple,
      hypothetical plain-text based query syntax based on SQL with results
      returned as comma-separated values. This is done for illustration
      purposes only. Implementations are free to use any format they wish on
      both the request and response.
    </t>

    <section title="Simple QUERY with a Direct Response">

      <t>A simple query with a direct response:</t>
<artwork type="http-message">
QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: example/query
Accept: text/csv

select surname, givenname, email limit 10
</artwork>

      <t>Response:</t>
<artwork type="http-message">
HTTP/1.1 200 OK
Content-Type: text/csv

surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net
</artwork>

    </section>

    <section title="Simple QUERY with indirect response (303 See Other)">

      <t>A simple query with an Indirect Response (303 See Other):</t>
<artwork type="http-message">
QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: example/query
Accept: text/csv

select surname, givenname, email limit 10
</artwork>

      <t>Response:</t>
<artwork type="http-message">
HTTP/1.1 303 See Other
Location: http://example.org/contacts/query123
</artwork>

      <t>Fetch Query Response:</t>
<artwork type="http-message">
GET /contacts/query123 HTTP/1.1
Host: example.org
</artwork>

      <t>Response:</t>
<artwork type="http-message">
HTTP/1.1 200 OK
Content-Type: text/csv

surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net
</artwork>

    </section>

  </section>

  <section title="Security Considerations">
    <t>
      The QUERY method is subject to the same general security
      considerations as all HTTP methods as described in
      <xref target="HTTP"/>.
    </t>
  </section>

  <section title="IANA Considerations">

    <t>
      IANA is requested to add QUERY method in the
      permanent registry at &lt;http://www.iana.org/assignments/http-methods&gt;
      (see <xref target="HTTP" section="16.1.1"/>).
    </t>

    <table>
      <thead>
        <tr>
          <th>Method Name</th>
          <th>Safe</th>
          <th>Idempotent</th>
          <th>Specification</th>
        </tr>
      </thead>
      <tbody>
        <tr>
          <td>QUERY</td>
          <td>Yes</td>
          <td>Yes</td>
          <td><xref target="query"/></td>
        </tr>
      </tbody>
    </table>
  </section>

</middle>
<back>
  <references title="Normative References">
    <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.2119.xml"/>
    <xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8174.xml"/>
    <reference anchor="HTTP">
      <front>
        <title>HTTP Semantics</title>
        <author fullname="Roy T. Fielding" initials="R." surname="Fielding" role="editor"/>
        <author fullname="Mark Nottingham" initials="M." surname="Nottingham" role="editor"/>
        <author fullname="Julian Reschke" initials="J." surname="Reschke" role="editor"/>
        <date year="2022" month="June"/>
      </front>
      <seriesInfo name="STD" value="97"/>
      <seriesInfo name="RFC" value="9110"/>
    </reference>
    <reference anchor="HTTP-CACHING">
      <front>
        <title>HTTP Caching</title>
        <author fullname="Roy T. Fielding" initials="R." surname="Fielding" role="editor"/>
        <author fullname="Mark Nottingham" initials="M." surname="Nottingham" role="editor"/>
        <author fullname="Julian Reschke" initials="J." surname="Reschke" role="editor"/>
        <date year="2022" month="June"/>
      </front>
      <seriesInfo name="STD" value="98"/>
      <seriesInfo name="RFC" value="9111"/>
    </reference>
  </references>

<section title="Change Log" anchor="change.log" removeInRFC="true">
<section title="Since draft-ietf-httpbis-safe-method-w-body-00" anchor="changes.since.00">
<ul>
  <li>Use "example/query" media type instead of undefined "text/query" (<eref target="https://github.com/httpwg/http-extensions/issues/1450"/>)</li>
  <li>In <xref target="field.accept-query"/>, adjust the grammar to just define the field value (<eref target="https://github.com/httpwg/http-extensions/issues/1470"/>)</li>
  <li>Update to latest HTTP core spec, and adjust terminology accordingly (<eref target="https://github.com/httpwg/http-extensions/issues/1473"/>)</li>
  <li>Reference RFC 8174 and markup bcp14 terms (<eref target="https://github.com/httpwg/http-extensions/issues/1497"/>)</li>
  <li>Update HTTP reference (<eref target="https://github.com/httpwg/http-extensions/issues/1524"/>)</li>
  <li>Relax restriction of generic XML media type in request content (<eref target="https://github.com/httpwg/http-extensions/issues/1535"/>)</li>
</ul>
</section>
<section title="Since draft-ietf-httpbis-safe-method-w-body-01" anchor="changes.since.01">
<ul>
  <li>Add minimal description of cacheability (<eref target="https://github.com/httpwg/http-extensions/issues/1552"/>)</li>
  <li>Use "QUERY" as method name (<eref target="https://github.com/httpwg/http-extensions/issues/1614"/>)</li>
  <li>Update HTTP reference (<eref target="https://github.com/httpwg/http-extensions/issues/1669"/>)</li>
</ul>
</section>
<section title="Since draft-ietf-httpbis-safe-method-w-body-02" anchor="changes.since.02">
<ul>
  <li>In <xref target="field.accept-query"/>, slightly rephrase statement about significance of ordering (<eref target="https://github.com/httpwg/http-extensions/issues/1896"/>)</li>
  <li>Throughout: use "content" instead of "payload" or "body" (<eref target="https://github.com/httpwg/http-extensions/issues/1915"/>)</li>
  <li>Updated references (<eref target="https://github.com/httpwg/http-extensions/issues/2157"/>)</li>
</ul>
</section>
<section title="Since draft-ietf-httpbis-safe-method-w-body-03" anchor="changes.since.03">
<ul>
  <li>In <xref target="field.accept-query"/>, clarify scope (<eref target="https://github.com/httpwg/http-extensions/issues/1913"/>)</li>
</ul>
</section>
<section title="Since draft-ietf-httpbis-safe-method-w-body-04" anchor="changes.since.04">
<ul>
  <li>Added Mike Bishop as author (<eref target="https://github.com/httpwg/http-extensions/issues/2837"/>)</li>
</ul>
</section>
</section>

</back>
</rfc>