draft-ietf-httpbis-origin-frame-06.txt   rfc8336.txt 
HTTP M. Nottingham Internet Engineering Task Force (IETF) M. Nottingham
Internet-Draft Request for Comments: 8336
Intended status: Standards Track E. Nygren Category: Standards Track E. Nygren
Expires: July 17, 2018 Akamai ISSN: 2070-1721 Akamai Technologies
January 13, 2018 March 2018
The ORIGIN HTTP/2 Frame The ORIGIN HTTP/2 Frame
draft-ietf-httpbis-origin-frame-06
Abstract Abstract
This document specifies the ORIGIN frame for HTTP/2, to indicate what This document specifies the ORIGIN frame for HTTP/2, to indicate what
origins are available on a given connection. origins are available on a given connection.
Note to Readers
Discussion of this draft takes place on the HTTP working group
mailing list (ietf-http-wg@w3.org), which is archived at
https://lists.w3.org/Archives/Public/ietf-http-wg/ [1].
Working Group information can be found at http://httpwg.github.io/
[2]; source code and issues list for this draft can be found at
https://github.com/httpwg/http-extensions/labels/origin-frame [3].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on July 17, 2018. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8336.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 2
2. The ORIGIN HTTP/2 Frame . . . . . . . . . . . . . . . . . . . 3 2. The ORIGIN HTTP/2 Frame . . . . . . . . . . . . . . . . . . . 3
2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Processing ORIGIN Frames . . . . . . . . . . . . . . . . 4 2.2. Processing ORIGIN Frames . . . . . . . . . . . . . . . . 3
2.3. The Origin Set . . . . . . . . . . . . . . . . . . . . . 5 2.3. The Origin Set . . . . . . . . . . . . . . . . . . . . . 4
2.4. Authority, Push and Coalescing with ORIGIN . . . . . . . 6 2.4. Authority, Push, and Coalescing with ORIGIN . . . . . . . 6
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
5.1. Normative References . . . . . . . . . . . . . . . . . . 7 5.1. Normative References . . . . . . . . . . . . . . . . . . 8
5.2. Informative References . . . . . . . . . . . . . . . . . 8 5.2. Informative References . . . . . . . . . . . . . . . . . 8
5.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Appendix A. Non-Normative Processing Algorithm . . . . . . . . . 10
Appendix A. Non-Normative Processing Algorithm . . . . . . . . . 9 Appendix B. Operational Considerations for Servers . . . . . . . 10
Appendix B. Operational Considerations for Servers . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
HTTP/2 [RFC7540] allows clients to coalesce different origins HTTP/2 [RFC7540] allows clients to coalesce different origins
[RFC6454] onto the same connection when certain conditions are met. [RFC6454] onto the same connection when certain conditions are met.
However, in certain cases, a connection is not usable for a coalesced However, in some cases, a connection is not usable for a coalesced
origin, so the 421 (Misdirected Request) status code ([RFC7540], origin, so the 421 (Misdirected Request) status code ([RFC7540],
Section 9.1.2) was defined. Section 9.1.2) was defined.
Using a status code in this manner allows clients to recover from Using a status code in this manner allows clients to recover from
misdirected requests, but at the penalty of adding latency. To misdirected requests, but at the penalty of adding latency. To
address that, this specification defines a new HTTP/2 frame type, address that, this specification defines a new HTTP/2 frame type,
"ORIGIN", to allow servers to indicate what origins a connection is "ORIGIN", to allow servers to indicate for which origins a connection
usable for. is usable.
Additionally, experience has shown that HTTP/2's requirement to Additionally, experience has shown that HTTP/2's requirement to
establish server authority using both DNS and the server's establish server authority using both DNS and the server's
certificate is onerous. This specification relaxes the requirement certificate is onerous. This specification relaxes the requirement
to check DNS when the ORIGIN frame is in use. Doing so has to check DNS when the ORIGIN frame is in use. Doing so has
additional benefits, such as removing the latency associated with additional benefits, such as removing the latency associated with
some DNS lookups. some DNS lookups.
1.1. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. The ORIGIN HTTP/2 Frame 2. The ORIGIN HTTP/2 Frame
This document defines a new HTTP/2 frame type ([RFC7540], Section 4) This document defines a new HTTP/2 frame type ([RFC7540], Section 4)
called ORIGIN, that allows a server to indicate what origin(s) called ORIGIN, that allows a server to indicate what origin(s)
[RFC6454] the server would like the client to consider as members of [RFC6454] the server would like the client to consider as members of
the Origin Set (Section 2.3) for the connection it occurs within. the Origin Set (Section 2.3) for the connection within which it
occurs.
2.1. Syntax 2.1. Syntax
The ORIGIN frame type is 0xc (decimal 12), and contains zero or more The ORIGIN frame type is 0xc (decimal 12) and contains zero or more
instances of the Origin-Entry field. instances of the Origin-Entry field.
+-------------------------------+-------------------------------+ +-------------------------------+-------------------------------+
| Origin-Entry (*) ... | Origin-Entry (*) ...
+-------------------------------+-------------------------------+ +-------------------------------+-------------------------------+
An Origin-Entry is a length-delimited string: An Origin-Entry is a length-delimited string:
+-------------------------------+-------------------------------+ +-------------------------------+-------------------------------+
| Origin-Len (16) | ASCII-Origin? ... | Origin-Len (16) | ASCII-Origin? ...
skipping to change at page 4, line 10 skipping to change at page 3, line 45
sender asserts this connection is or could be authoritative for. sender asserts this connection is or could be authoritative for.
The ORIGIN frame does not define any flags. However, future updates The ORIGIN frame does not define any flags. However, future updates
to this specification MAY define flags. See Section 2.2. to this specification MAY define flags. See Section 2.2.
2.2. Processing ORIGIN Frames 2.2. Processing ORIGIN Frames
The ORIGIN frame is a non-critical extension to HTTP/2. Endpoints The ORIGIN frame is a non-critical extension to HTTP/2. Endpoints
that do not support this frame can safely ignore it upon receipt. that do not support this frame can safely ignore it upon receipt.
When received by an implementing client, it is used to initialise and When received by an implementing client, it is used to initialize and
manipulate the Origin Set (see Section 2.3), thereby changing how the manipulate the Origin Set (see Section 2.3), thereby changing how the
client establishes authority for origin servers (see Section 2.4). client establishes authority for origin servers (see Section 2.4).
The ORIGIN frame MUST be sent on stream 0; an ORIGIN frame on any The ORIGIN frame MUST be sent on stream 0; an ORIGIN frame on any
other stream is invalid and MUST be ignored. other stream is invalid and MUST be ignored.
Likewise, the ORIGIN frame is only valid on connections with the "h2" Likewise, the ORIGIN frame is only valid on connections with the "h2"
protocol identifier, or when specifically nominated by the protocol's protocol identifier or when specifically nominated by the protocol's
definition; it MUST be ignored when received on a connection with the definition; it MUST be ignored when received on a connection with the
"h2c" protocol identifier. "h2c" protocol identifier.
This specification does not define any flags for the ORIGIN frame, This specification does not define any flags for the ORIGIN frame,
but future updates to this specification (through IETF consensus) but future updates to this specification (through IETF consensus)
might use them to change its semantics. The first four flags (0x1, might use them to change its semantics. The first four flags (0x1,
0x2, 0x4 and 0x8) are reserved for backwards-incompatible changes, 0x2, 0x4, and 0x8) are reserved for backwards-incompatible changes;
and therefore when any of them are set, the ORIGIN frame containing therefore, when any of them are set, the ORIGIN frame containing them
them MUST be ignored by clients conforming to this specification, MUST be ignored by clients conforming to this specification, unless
unless the flag's semantics are understood. The remaining flags are the flag's semantics are understood. The remaining flags are
reserved for backwards-compatible changes, and do not affect reserved for backwards-compatible changes and do not affect
processing by clients conformant to this specification. processing by clients conformant to this specification.
The ORIGIN frame describes a property of the connection, and The ORIGIN frame describes a property of the connection and therefore
therefore is processed hop-by-hop. An intermediary MUST NOT forward is processed hop by hop. An intermediary MUST NOT forward ORIGIN
ORIGIN frames. Clients configured to use a proxy MUST ignore any frames. Clients configured to use a proxy MUST ignore any ORIGIN
ORIGIN frames received from it. frames received from it.
Each ASCII-Origin field in the frame's payload MUST be parsed as an Each ASCII-Origin field in the frame's payload MUST be parsed as an
ASCII serialisation of an origin ([RFC6454], Section 6.2). If ASCII serialization of an origin ([RFC6454], Section 6.2). If
parsing fails, the field MUST be ignored. parsing fails, the field MUST be ignored.
Note that the ORIGIN frame does not support wildcard names (e.g., Note that the ORIGIN frame does not support wildcard names (e.g.,
"*.example.com") in Origin-Entry. As a result, sending ORIGIN when a "*.example.com") in Origin-Entry. As a result, sending ORIGIN when a
wildcard certificate is in use effectively disables any origins that wildcard certificate is in use effectively disables any origins that
are not explicitly listed in the ORIGIN frame(s) (when the client are not explicitly listed in the ORIGIN frame(s) (when the client
understands ORIGIN). understands ORIGIN).
See Appendix A for an illustrative algorithm for processing ORIGIN See Appendix A for an illustrative algorithm for processing ORIGIN
frames. frames.
2.3. The Origin Set 2.3. The Origin Set
The set of origins (as per [RFC6454]) that a given connection might The set of origins (as per [RFC6454]) that a given connection might
be used for is known in this specification as the Origin Set. be used for is known in this specification as the Origin Set.
By default, the Origin Set for a connection is uninitialised. An By default, the Origin Set for a connection is uninitialized. An
uninitialized Origin Set means that clients apply the coalescing uninitialized Origin Set means that clients apply the coalescing
rules from Section 9.1.1 of [RFC7540]. rules from Section 9.1.1 of [RFC7540].
When an ORIGIN frame is first received and successfully processed by When an ORIGIN frame is first received and successfully processed by
a client, the connection's Origin Set is defined to contain an a client, the connection's Origin Set is defined to contain an
initial origin. The initial origin is composed from: initial origin. The initial origin is composed from:
o Scheme: "https" o Scheme: "https"
o Host: the value sent in Server Name Indication (SNI, [RFC6066], o Host: the value sent in Server Name Indication (SNI) ([RFC6066],
Section 3), converted to lower case; if SNI is not present, the Section 3) converted to lower case; if SNI is not present, the
remote address of the connection (i.e., the server's IP address) remote address of the connection (i.e., the server's IP address)
o Port: the remote port of the connection (i.e., the server's port) o Port: the remote port of the connection (i.e., the server's port)
The contents of that ORIGIN frame (and subsequent ones) allows the The contents of that ORIGIN frame (and subsequent ones) allow the
server to incrementally add new origins to the Origin Set, as server to incrementally add new origins to the Origin Set, as
described in Section 2.2. described in Section 2.2.
The Origin Set is also affected by the 421 (Misdirected Request) The Origin Set is also affected by the 421 (Misdirected Request)
response status code, defined in [RFC7540], Section 9.1.2. Upon response status code, as defined in [RFC7540], Section 9.1.2. Upon
receipt of a response with this status code, implementing clients receipt of a response with this status code, implementing clients
MUST create the ASCII serialisation of the corresponding request's MUST create the ASCII serialization of the corresponding request's
origin (as per [RFC6454], Section 6.2) and remove it from the origin (as per [RFC6454], Section 6.2) and remove it from the
connection's Origin Set, if present. connection's Origin Set, if present.
Note: When sending an ORIGIN frame to a connection that is Note: When sending an ORIGIN frame to a connection that is
initialised as an Alternative Service [RFC7838], the initial initialized as an alternative service [RFC7838], the initial
origin set (Section 2.3) will contain an origin with the Origin Set (Section 2.3) will contain an origin with the
appropriate scheme and hostname (since Alternative Services appropriate scheme and hostname (since RFC 7838 specifies that the
specifies that the origin's hostname be sent in SNI). However, it origin's hostname be sent in SNI). However, it is possible that
is possible that the port will be different than that of the the port will be different than that of the intended origin, since
intended origin, since the initial origin set is calculated using the initial Origin Set is calculated using the actual port in use,
the actual port in use, which can be different for the alternative which can be different for the alternative service. In this case,
service. In this case, the intended origin needs to be sent in the intended origin needs to be sent in the ORIGIN frame
the ORIGIN frame explicitly. explicitly.
For example, a client making requests for "https://example.com" is For example, a client making requests for "https://example.com" is
directed to an alternative service at ("h2", "x.example.net", directed to an alternative service at ("h2", "x.example.net",
"8443"). If this alternative service sends an ORIGIN frame, the "8443"). If this alternative service sends an ORIGIN frame, the
initial origin will be "https://example.com:8443". The client initial origin will be "https://example.com:8443". The client
will not be able to use the alternative service to make requests will not be able to use the alternative service to make requests
for "https://example.com" unless that origin is explicitly for "https://example.com" unless that origin is explicitly
included in the ORIGIN frame. included in the ORIGIN frame.
2.4. Authority, Push and Coalescing with ORIGIN 2.4. Authority, Push, and Coalescing with ORIGIN
Section 10.1 of [RFC7540] uses both DNS and the presented TLS Section 10.1 of [RFC7540] uses both DNS and the presented Transport
certificate to establish the origin server(s) that a connection is Layer Security (TLS) certificate to establish the origin server(s)
authoritative for, just as HTTP/1.1 does in [RFC7230]. that a connection is authoritative for, just as HTTP/1.1 does in
[RFC7230].
Furthermore, Section 9.1.1 of [RFC7540] explicitly allows a Furthermore, Section 9.1.1 of [RFC7540] explicitly allows a
connection to be used for more than one origin server, if it is connection to be used for more than one origin server, if it is
authoritative. This affects what responses can be considered authoritative. This affects what responses can be considered
authoritative, both for direct responses to requests and for server authoritative, both for direct responses to requests and for server
push (see [RFC7540], Section 8.2.2). Indirectly, it also affects push (see [RFC7540], Section 8.2.2). Indirectly, it also affects
what requests will be sent on a connection, since clients will what requests will be sent on a connection, since clients will
generally only send requests on connections that they believe to be generally only send requests on connections that they believe to be
authoritative for the origin in question. authoritative for the origin in question.
Once an Origin Set has been initialised for a connection, clients Once an Origin Set has been initialized for a connection, clients
that implement this specification use it to help determine what the that implement this specification use it to help determine what the
connection is authoritative for. Specifically, such clients MUST NOT connection is authoritative for. Specifically, such clients MUST NOT
consider a connection to be authoritative for an origin not present consider a connection to be authoritative for an origin not present
in the Origin Set, and SHOULD use the connection for all requests to in the Origin Set, and they SHOULD use the connection for all
origins in the Origin Set for which the connection is authoritative, requests to origins in the Origin Set for which the connection is
unless there are operational reasons for opening a new connection. authoritative, unless there are operational reasons for opening a new
connection.
Note that for a connection to be considered authoritative for a given Note that for a connection to be considered authoritative for a given
origin, the server is still required to authenticate with certificate origin, the server is still required to authenticate with a
that passes suitable checks; see Section 9.1.1 of [RFC7540] for more certificate that passes suitable checks; see Section 9.1.1 of
information. This includes verifying that the host matches a [RFC7540] for more information. This includes verifying that the
"dNSName" value from the certificate "subjectAltName" field (using host matches a "dNSName" value from the certificate "subjectAltName"
the rules defined in [RFC2818]; see also [RFC5280], Section 4.2.1.6). field (using the rules defined in [RFC2818]; see also [RFC5280],
Section 4.2.1.6).
Additionally, clients MAY avoid consulting DNS to establish the Additionally, clients MAY avoid consulting DNS to establish the
connection's authority for new requests to origins in the Origin Set; connection's authority for new requests to origins in the Origin Set;
however, those that do so face new risks, as explained in Section 4. however, those that do so face new risks, as explained in Section 4.
Because ORIGIN can change the set of origins a connection is used for Because ORIGIN can change the set of origins a connection is used for
over time, it is possible that a client might have more than one over time, it is possible that a client might have more than one
viable connection to an origin open at any time. When this occurs, viable connection to an origin open at any time. When this occurs,
clients SHOULD NOT emit new requests on any connection whose Origin clients SHOULD NOT emit new requests on any connection whose Origin
Set is a proper subset of another connection's Origin Set, and SHOULD Set is a proper subset of another connection's Origin Set, and they
close it once all outstanding requests are satisfied. SHOULD close it once all outstanding requests are satisfied.
The Origin Set is unaffected by any alternative services [RFC7838] The Origin Set is unaffected by any alternative services [RFC7838]
advertisements made by the server. Advertising an alternative advertisements made by the server. Advertising an alternative
service does not affect whether a server is authoritative. service does not affect whether a server is authoritative.
3. IANA Considerations 3. IANA Considerations
This specification adds an entry to the "HTTP/2 Frame Type" registry. This specification adds an entry to the "HTTP/2 Frame Type" registry.
o Frame Type: ORIGIN o Frame Type: ORIGIN
o Code: 0xc o Code: 0xc
o Specification: [this document] o Specification: RFC 8336
4. Security Considerations 4. Security Considerations
Clients that blindly trust the ORIGIN frame's contents will be Clients that blindly trust the ORIGIN frame's contents will be
vulnerable to a large number of attacks. See Section 2.4 for vulnerable to a large number of attacks. See Section 2.4 for
mitigations. mitigations.
Relaxing the requirement to consult DNS when determining authority Relaxing the requirement to consult DNS when determining authority
for an origin means that an attacker who possesses a valid for an origin means that an attacker who possesses a valid
certificate no longer needs to be on-path to redirect traffic to certificate no longer needs to be on path to redirect traffic to
them; instead of modifying DNS, they need only convince the user to them; instead of modifying DNS, they need only convince the user to
visit another Web site in order to coalesce connections to the target visit another website in order to coalesce connections to the target
onto their existing connection. onto their existing connection.
As a result, clients opting not to consult DNS ought to employ some As a result, clients opting not to consult DNS ought to employ some
alternative means to establish a high degree of confidence that the alternative means to establish a high degree of confidence that the
certificate is legitimate. For example, clients might skip certificate is legitimate. For example, clients might skip
consulting DNS only if they receive proof of inclusion in a consulting DNS only if they receive proof of inclusion in a
Certificate Transparency log [RFC6962] or they have a recent OCSP Certificate Transparency log [RFC6962] or if they have a recent
response [RFC6960] (possibly using the "status_request" TLS extension Online Certificate Status Protocol (OCSP) response [RFC6960]
[RFC6066]) showing that the certificate was not revoked. (possibly using the "status_request" TLS extension [RFC6066]) showing
that the certificate was not revoked.
The Origin Set's size is unbounded by this specification, and thus The Origin Set's size is unbounded by this specification and thus
could be used by attackers to exhaust client resources. To mitigate could be used by attackers to exhaust client resources. To mitigate
this risk, clients can monitor their state commitment and close the this risk, clients can monitor their state commitment and close the
connection if it is too high. connection if it is too high.
5. References 5. References
5.1. Normative References 5.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
skipping to change at page 9, line 5 skipping to change at page 10, line 5
<https://www.rfc-editor.org/info/rfc7230>. <https://www.rfc-editor.org/info/rfc7230>.
[RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP
Alternative Services", RFC 7838, DOI 10.17487/RFC7838, Alternative Services", RFC 7838, DOI 10.17487/RFC7838,
April 2016, <https://www.rfc-editor.org/info/rfc7838>. April 2016, <https://www.rfc-editor.org/info/rfc7838>.
[RFC8288] Nottingham, M., "Web Linking", RFC 8288, [RFC8288] Nottingham, M., "Web Linking", RFC 8288,
DOI 10.17487/RFC8288, October 2017, DOI 10.17487/RFC8288, October 2017,
<https://www.rfc-editor.org/info/rfc8288>. <https://www.rfc-editor.org/info/rfc8288>.
5.3. URIs
[1] https://lists.w3.org/Archives/Public/ietf-http-wg/
[2] http://httpwg.github.io/
[3] https://github.com/httpwg/http-extensions/labels/origin-frame
Appendix A. Non-Normative Processing Algorithm Appendix A. Non-Normative Processing Algorithm
The following algorithm illustrates how a client could handle The following algorithm illustrates how a client could handle
received ORIGIN frames: received ORIGIN frames:
1. If the client is configured to use a proxy for the connection, 1. If the client is configured to use a proxy for the connection,
ignore the frame and stop processing. ignore the frame and stop processing.
2. If the connection is not identified with the "h2" protocol 2. If the connection is not identified with the "h2" protocol
identifier or another protocol that has explicitly opted into identifier or another protocol that has explicitly opted into
this specification, ignore the frame and stop processing. this specification, ignore the frame and stop processing.
3. If the frame occurs upon any stream except stream 0, ignore the 3. If the frame occurs upon any stream except stream 0, ignore the
frame and stop processing. frame and stop processing.
4. If any of the flags 0x1, 0x2, 0x4 or 0x8 are set, ignore the 4. If any of the flags 0x1, 0x2, 0x4, or 0x8 are set, ignore the
frame and stop processing. frame and stop processing.
5. If no previous ORIGIN frame on the connection has reached this 5. If no previous ORIGIN frame on the connection has reached this
step, initialise the Origin Set as per Section 2.3. step, initialize the Origin Set as per Section 2.3.
6. For each "Origin-Entry" in the frame payload: 6. For each "Origin-Entry" in the frame payload:
1. Parse "ASCII-Origin" as an ASCII serialization of an origin 1. Parse "ASCII-Origin" as an ASCII serialization of an origin
([RFC6454], Section 6.2) and let the result be ([RFC6454], Section 6.2), and let the result be
"parsed_origin". If parsing fails, skip to the next "Origin- "parsed_origin". If parsing fails, skip to the next
Entry". "Origin-Entry".
2. Add "parsed_origin" to the Origin Set. 2. Add "parsed_origin" to the Origin Set.
Appendix B. Operational Considerations for Servers Appendix B. Operational Considerations for Servers
The ORIGIN frame allows a server to indicate for which origins a The ORIGIN frame allows a server to indicate for which origins a
given connection ought be used. The set of origins advertised using given connection ought be used. The set of origins advertised using
this mechanism is under control of the server; servers are not this mechanism is under control of the server; servers are not
obligated to use it, or to advertise all origins which they might be obligated to use it or to advertise all origins that they might be
able to answer a request for. able to answer a request for.
For example, it can be used to inform the client that the connection For example, it can be used to inform the client that the connection
is to only be used for the SNI-based origin, by sending an empty is to only be used for the SNI-based origin, by sending an empty
ORIGIN frame. Or, a larger number of origins can be indicated by ORIGIN frame. Or, a larger number of origins can be indicated by
including a payload. including a payload.
Generally, this information is most useful to send before sending any Generally, this information is most useful to send before sending any
part of a response that might initiate a new connection; for example, part of a response that might initiate a new connection; for example,
"Link" header fields [RFC8288] in a response HEADERS, or links in the "Link" response header fields [RFC8288], or links in the response
response body. body.
Therefore, the ORIGIN frame ought be sent as soon as possible on a Therefore, the ORIGIN frame ought be sent as soon as possible on a
connection, ideally before any HEADERS or PUSH_PROMISE frames. connection, ideally before any HEADERS or PUSH_PROMISE frames.
However, if it's desirable to associate a large number of origins However, if it's desirable to associate a large number of origins
with a connection, doing so might introduce end-user perceived with a connection, doing so might introduce end-user-perceived
latency, due to their size. As a result, it might be necessary to latency, due to their size. As a result, it might be necessary to
select a "core" set of origins to send initially, expanding the set select a "core" set of origins to send initially, and expand the set
of origins the connection is used for with subsequent ORIGIN frames of origins the connection is used for with subsequent ORIGIN frames
later (e.g., when the connection is idle). later (e.g., when the connection is idle).
That said, senders are encouraged to include as many origins as That said, senders are encouraged to include as many origins as
practical within a single ORIGIN frame; clients need to make practical within a single ORIGIN frame; clients need to make
decisions about creating connections on the fly, and if the origin decisions about creating connections on the fly, and if the Origin
set is split across many frames, their behaviour might be suboptimal. Set is split across many frames, their behavior might be suboptimal.
Senders take note that, as per Section 4, Step 5 of [RFC6454], the Senders take note that, as per Section 4, Step 5, of [RFC6454], the
values in an ORIGIN header need to be case-normalised before values in an ORIGIN header need to be case-normalized before
serialisation. serialization.
Finally, servers that host alternative services [RFC7838] will need Finally, servers that host alternative services [RFC7838] will need
to explicitly advertise their origins when sending ORIGIN, because to explicitly advertise their origins when sending ORIGIN, because
the default contents of the Origin Set (as per Section 2.3) do not the default contents of the Origin Set (as per Section 2.3) do not
contain any Alternative Services' origins, even if they have been contain any alternative services' origins, even if they have been
used previously on the connection. used previously on the connection.
Authors' Addresses Authors' Addresses
Mark Nottingham Mark Nottingham
Email: mnot@mnot.net Email: mnot@mnot.net
URI: https://www.mnot.net/ URI: https://www.mnot.net/
Erik Nygren Erik Nygren
Akamai Akamai Technologies
Email: nygren@akamai.com Email: erik+ietf@nygren.org
 End of changes. 50 change blocks. 
119 lines changed or deleted 101 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/