HTTP Working Group
Internet Engineering Task Force (IETF)                        P. McManus
Internet-Draft
Request for Comments: 8246                                       Mozilla
Intended status:
Category: Standards Track                            July 3,                                 September 2017
Expires: January 4, 2018
ISSN: 2070-1721

                        HTTP Immutable Responses
                    draft-ietf-httpbis-immutable-03

Abstract

   The immutable HTTP response Cache-Control extension allows servers to
   identify resources that will not be updated during their freshness
   lifetime.  This assures ensures that a client never needs to revalidate a
   cached fresh resource to be certain it has not been modified.

Note to Readers

   Discussion of this draft takes place on the HTTP working group
   mailing list (ietf-http-wg@w3.org), which is archived at
   https://lists.w3.org/Archives/Public/ietf-http-wg/ .

   Working Group information can be found at http://httpwg.github.io/ ;
   source code and issues list for this draft can be found at
   https://github.com/httpwg/http-extensions/labels/immutable .

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list  It represents the consensus of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid the IETF community.  It has
   received public review and has been approved for a maximum publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of six months this document, any errata,
   and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 4, 2018.
   https://www.rfc-editor.org/info/rfc8246.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info)
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . .   3
   2.  The Immutable Cache-Control Extension . . . . . . . . . . . .   3
     2.1.  About Intermediaries  . . . . . . . . . . . . . . . . . .   4
     2.2.  Example . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     5.2.  Informative References  . . . . . . . . . . . . . . . . .   5
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   5
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   HTTP's freshness lifetime mechanism [RFC7234] allows a client to
   safely reuse a stored response to satisfy future requests for a
   specified period of time.  However, it is still possible that the
   resource will be modified during that period.

   For instance, a front page front-page newspaper photo with a freshness lifetime
   of one hour would mean that no user would see a cached photo more
   than one hour old.  However, the photo could be updated at any time time,
   resulting in different users seeing different photos depending on the
   contents of their caches for up to one hour.  This is compliant with
   the caching mechanism defined in [RFC7234].

   Users that need to confirm there have been no updates to their cached
   responses typically use the reload (or refresh) mechanism in their
   user agents.  This in turn generates a conditional request [RFC7232] [RFC7232],
   and either a new representation or, if unmodified, a 304 (Not
   Modified) response [RFC7232] is returned.  A user agent that
   understands HTML and fetches its dependent sub-resources might issue
   hundreds of conditional requests to refresh all portions of a common
   page [REQPERPAGE].

   However

   However, some content providers never create more than one variant of
   a sub-resource, because they use "versioned" URLs.  When these
   resources need an update update, they are simply published under a new URL,
   typically embedding an identifier unique to that version of the
   resource in the path, and references to the sub-resource are updated
   with the new path information.

   For example, "https://www.example.com/101016/main.css" might be
   updated and republished as "https://www.example.com/102026/main.css",
   with any links that reference it being changed at the same time.

   This design pattern allows a very large freshness lifetime to be used
   for the sub-resource without guessing when it will be updated in the
   future.

   Unfortunately, the user agent does not know when this versioned URL
   design pattern is used.  As a result, user-driven refreshes still
   translate into wasted conditional requests for each sub-resource as
   each will return 304 responses.

   The "immutable" immutable HTTP response Cache-Control extension allows servers to
   identify responses that will not be updated during their freshness
   lifetimes.

   This effectively informs clients that any conditional request for
   that response can be safely skipped without worrying that it has been
   updated.

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  The immutable Immutable Cache-Control extension Extension

   When present in an HTTP response, the "immutable" immutable Cache-Control
   extension indicates that the origin server will not update the
   representation of that resource during the freshness lifetime of the
   response.

   Clients SHOULD NOT issue a conditional request during the response's
   freshness lifetime (e.g. (e.g., upon a reload) unless explicitly overridden
   by the user (e.g. (e.g., a force reload).

   The immutable extension only applies during the freshness lifetime of
   the stored response.  Stale responses SHOULD be revalidated as they
   normally would be in the absence of immutable. the immutable extension.

   The immutable extension takes no arguments.  If any arguments are
   present, they have no meaning, meaning and MUST be ignored.  Multiple
   instances of the immutable extension are equivalent to one instance.
   The presence of an immutable Cache-Control extension in a request has
   no effect.

2.1.  About Intermediaries

   An immutable response has the same semantic meaning when received by
   proxy clients as it does when received by User-Agent based user-agent-based clients.
   Therefore
   Therefore, proxies SHOULD skip conditionally revalidating fresh
   responses containing the immutable extension unless there is a signal
   from the client that a validation is necessary (e.g. (e.g., a no-cache
   Cache-Control request directive defined by in Section 5.2.1.4 of
   [RFC7234]).

   A proxy that uses the immutable extension to bypass a conditional
   revalidation can choose whether to reply with a 304 or 200 response
   to its requesting client based on the request headers the proxy
   received.

2.2.  Example

   Cache-Control: max-age=31536000, immutable

3.  Security Considerations

   The immutable mechanism acts as form of soft pinning and, as with all
   pinning mechanisms, creates a vector for amplification of cache
   corruption incidents.  These incidents include cache poisoning cache-poisoning
   attacks.  Three mechanisms are suggested for mitigation of this risk:

   o  Clients SHOULD ignore the immutable extension from resources that
      are not part of an authenticated context such as HTTPS.
      Authenticated resources are less vulnerable to cache poisoning.

   o  User-Agents  User agents often provide two different refresh mechanisms: reload
      and some form of force-reload.  The latter is used to rectify
      interrupted loads and other corruption.  These reloads, typically
      indicated through no-cache request attributes, SHOULD ignore the
      immutable extension as well.

   o  Clients SHOULD ignore the immutable extension for resources that
      do not provide a strong indication that the stored response size
      is the correct response size such as responses delimited by
      connection close.

4.  IANA Considerations

   Section 7.1 of [RFC7234] requires registration of the

   The immutable extension has been registered in the "Hypertext
   Transfer Protocol (HTTP) Cache Directive Registry" with IETF Review. per the guidelines
   described in Section 7.1 of [RFC7234].

   o  Cache-Directive:  Cache Directive: immutable
   o  Pointer to specification text: [this document]  Reference: RFC 8246

5.  Acknowledgments

   Thank you to Ben Maurer for partnership in developing and testing
   this idea.  Thank you to Amos Jeffries for help with proxy
   interactions and to Mark Nottingham for help with the documentation.

6.  References

6.1.

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7232]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Conditional Requests", RFC 7232,
              DOI 10.17487/RFC7232, June 2014,
              <http://www.rfc-editor.org/info/rfc7232>.
              <https://www.rfc-editor.org/info/rfc7232>.

   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
              RFC 7234, DOI 10.17487/RFC7234, June 2014,
              <http://www.rfc-editor.org/info/rfc7234>.

6.2.
              <https://www.rfc-editor.org/info/rfc7234>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

5.2.  Informative References

   [REQPERPAGE]
              "HTTP Archive", n.d.,
              HTTP Archive, "Total Requests per Page",
              <http://httparchive.org/interesting.php#reqTotal>.

Acknowledgments

   Thank you to Ben Maurer for partnership in developing and testing
   this idea.  Thank you to Amos Jeffries for help with proxy
   interactions and to Mark Nottingham for help with the documentation.

Author's Address

   Patrick McManus
   Mozilla

   Email: pmcmanus@mozilla.com mcmanus@ducksong.com