WGLC: Strengthening SHOULDs

Mark Nottingham <mnot@mnot.net> Tue, 30 April 2013 02:19 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 4355121F992E for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Apr 2013 19:19:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.803
X-Spam-Status: No, score=-9.803 tagged_above=-999 required=5 tests=[AWL=0.796, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Rwvat+FbezMv for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Apr 2013 19:19:01 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org []) by ietfa.amsl.com (Postfix) with ESMTP id 6C5B821F969F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 29 Apr 2013 19:19:01 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UX09E-0000zP-NV for ietf-http-wg-dist@listhub.w3.org; Tue, 30 Apr 2013 02:18:28 +0000
Resent-Date: Tue, 30 Apr 2013 02:18:28 +0000
Resent-Message-Id: <E1UX09E-0000zP-NV@frink.w3.org>
Received: from lisa.w3.org ([]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1UX095-0000yg-5H for ietf-http-wg@listhub.w3.org; Tue, 30 Apr 2013 02:18:19 +0000
Received: from mxout-08.mxes.net ([]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1UX094-0001oS-Fh for ietf-http-wg@w3.org; Tue, 30 Apr 2013 02:18:19 +0000
Received: from mnot-mini.mnot.net (unknown []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 95B6B509B5 for <ietf-http-wg@w3.org>; Mon, 29 Apr 2013 22:17:56 -0400 (EDT)
From: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <E19622EE-C450-4268-A277-55999B085F12@mnot.net>
Date: Tue, 30 Apr 2013 12:17:52 +1000
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
X-Mailer: Apple Mail (2.1503)
Received-SPF: pass client-ip=; envelope-from=mnot@mnot.net; helo=mxout-08.mxes.net
X-W3C-Hub-Spam-Status: No, score=-4.3
X-W3C-Hub-Spam-Report: AWL=-2.403, BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UX094-0001oS-Fh 7590b0f949cd4df69e6779d655f2d6e2
X-Original-To: ietf-http-wg@w3.org
Subject: WGLC: Strengthening SHOULDs
Archived-At: <http://www.w3.org/mid/E19622EE-C450-4268-A277-55999B085F12@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17699
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Reviewing the current specs, I think there are a few cases where we use SHOULD that are important enough for interop and/or security to justify a MUST (in some cases, with a bit more explanation). 


* 3.3.2 "A server SHOULD NOT send a Content-Length header field in any 2xx (Successful) response to a CONNECT request (Section 4.3.6 of [Part2])."

* B "For compatibility with legacy list rules, recipients SHOULD accept empty list elements." (note that this requirement is in an appendix; it might be good to move it up)


* 4.3.4 "An origin server SHOULD reject any PUT request that contains a Content-Range header field"

* 4.3.6 "A server SHOULD NOT send any Transfer-Encoding or Content-Length header fields in a successful response."  (CONNECT)

* 4.3.6 "Proxies that support CONNECT SHOULD restrict its use to a limited set of known ports or a configurable whitelist of safe request targets."

* 5.5.2 "A user agent SHOULD NOT send a Referer header field in an unsecured HTTP request if the referring page was received with a secure protocol."

* "Recipients of a timestamp value in rfc850-date format, which uses a two-digit year, SHOULD interpret a timestamp that appears to be more than 50 years in the future as representing the most recent year in the past that had the same last two digits."

* 7.1.2 "When Location is provided in a 3xx (Redirection) response and the URI reference that the user agent used to generate the request target contains a fragment identifier, the user agent SHOULD process the redirection as if the Location field value inherits the original fragment. In other words, if the Location does not have a fragment component, the user agent SHOULD interpret the Location reference as if it had the original reference's fragment." 

(note repeated requirement; second instance change to "can")


* 4.1.3 "Cache recipients SHOULD consider a date with a zone abbreviation other than "GMT" to be invalid for calculating expiration."

* 5 "If the Content-Length, ETag and Last-Modified values of a HEAD response (when present) are the same as that in a selected GET response (as per Section 4.3), the cache SHOULD update the remaining header fields in the stored response using the following rules..."  

(add "and the cache updates the stored response")

Mark Nottingham   http://www.mnot.net/