| RFC 8820 | URI Design and Ownership | June 2020 |
| Nottingham | Best Current Practice | [Page] |
Section 1.1.1 of RFC 3986 defines URI syntax as "a federated and extensible naming system wherein each scheme's specification may further restrict the syntax and semantics of identifiers using that scheme." In other words, the structure of a URI is defined by its scheme. While it is common for schemes to further delegate their substructure to the URI's owner, publishing independent standards that mandate particular forms of substructure in URIs is often problematic.¶
This document provides guidance on the specification of URI substructure in standards.¶
This document obsoletes RFC 7320 and updates RFC 3986.¶
This memo documents an Internet Best Current Practice.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc8820.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
URIs[RFC3986] very often include structured application data. This might include artifacts from filesystems (often occurring in the path component) and user information (often in the query component). In some cases, there can even be application-specific data in the authority component (e.g., some applications are spread across several hostnames to enable a form of partitioning or dispatch).¶
Implementations can impose further constraints upon the structure of URIs; for example, many web servers use the filename extension of the last path segment to determine the media type of the response. Likewise, prepackaged applications often have highly structured URIs that can only be changed in limited ways (often, just the hostname and port on which they are deployed).¶
Because the owner of the URI (as defined in[webarch], Section 2.2.2.1) is choosing to use theserver or the application, this can be seen as reasonable delegation of authority. However, whensuch conventions are mandated by a party other than the owner, it can have several potentiallydetrimental effects:¶
Publishing a standard that constrains an existing URI structure in ways that aren't explicitlyallowed by[RFC3986] (usually, by updating the URI scheme definition) is therefore sometimesproblematic, both for these reasons and because the structure of a URI needs to be firmly underthe control of its owner.¶
This document explains some best current practices for establishing URI structures, conventions, andformats in standards. It also offers strategies for specifications inSection 3.¶
This document's guidelines and requirements target the authors of specifications that constrain thesyntax or structure of URIs or parts of them. Two classes of such specifications are called outspecifically:¶
Requirements that target the generic class "Specifications" apply to all specifications, includingboth those enumerated above and others.¶
Note that this specification ought not be interpreted as preventing the allocation of control ofURIs by parties that legitimately own them or have delegated that ownership; for example, aspecification might legitimately define the semantics of a URI on IANA's web site as part ofthe establishment of a registry.¶
There may be existing IETF specifications that already deviate from the guidance in this document.In these cases, it is up to the relevant communities (i.e., those of the URIscheme as well as any relevant community that produced the specification in question) to determine an appropriate outcome, e.g., updatingthe scheme definition or changing the specification.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This section updates[RFC3986] by advising Specifications how they should define structure andsemantics within URIs. Best practices differ, depending on the URI component in question, asdescribed below.¶
Applications and Extensions can require the use of one or more specific URI schemes; for example, it is perfectlyacceptable to require that an Application support "http" and "https" URIs. However, Applicationsought not preclude the use of other URI schemes in the future, unless they are clearly only usablewith the nominated schemes.¶
A Specification that defines substructure for URI schemes overall (e.g., a prefix or suffix for URIscheme names)MUST do so by modifying[BCP35] (an exceptional circumstance).¶
Scheme definitions define the presence, format, and semantics of an authority component in URIs; all other SpecificationsMUST NOT constrain or define the structure or the semantics for URI authorities, unless they update the scheme registration itself or the structures it relies upon (e.g., DNS name syntax, as defined inSection 3.5 of [RFC1034]).¶
For example, an Extension or Application cannot say that the "foo" prefix in"https://foo_app.example.com" is meaningful or triggers special handling inURIs, unless they update either the "http" URI scheme or the DNS hostnamesyntax.¶
Applications can nominate or constrain the port they use, when applicable. For example,BarApp could run over port nnnn (provided that it is properly registered).¶
Scheme definitions define the presence, format, and semantics of a path component in URIs, although these are often delegated to the Application(s) in a given deployment.¶
To avoid collisions, rigidity, and erroneous client assumptions, SpecificationsMUST NOT define afixed prefix for their URI paths -- for example, "/myapp" -- unless allowed by the scheme definition.¶
One such exception to this requirement is registered "well-known" URIs, as specified by[RFC8615]. See that document for a description of the applicability of that mechanism.¶
Note that this does not apply to Applications defining a structure of a URI's path "under" a resourcecontrolled by the server. Because the prefix is under control of the party deploying theApplication, collisions and rigidity are avoided, and the risk of erroneous client assumptions isreduced.¶
For example, an Application might define "app_root" as a deployment-controlled URI prefix.Application-defined resources might then be assumed to be present at "{app_root}/foo" and"{app_root}/bar".¶
ExtensionsMUST NOT define a structure within individual URI components (e.g., a prefix or suffix),again to avoid collisions and erroneous client assumptions.¶
The presence, format, and semantics of the query component of URIs are dependent upon many factorsand can be constrained by a scheme definition. Often, they are determined by the implementation ofa resource itself.¶
Applications can specify the syntax of queries for the resources under their control. However,doing so can cause operational difficulties for deployments that do not support a particular formof a query. For example, a site may wish to support an Application using "static" files that do notsupport query parameters.¶
ExtensionsMUST NOT constrain the format or semantics of queries, to avoid collisions and erroneousclient assumptions. For example, an Extension that indicates that all query parameters with thename "sig" indicate a cryptographic signature would collide with potentially preexisting queryparameters on sites and lead clients to assume that any matching query parameter is a signature.¶
Per the "Form submission" section of[HTML5], HTML constrains the syntax of query strings used in form submission.New form languages are encouraged to allow creation of a broader variety of URIs(e.g., by allowing the form to create new path components, and so forth).¶
Section 3.5 of [RFC3986] specifies fragment identifiers' syntax and semantics as being dependentupon the media type of a potentially retrieved resource. As a result, other SpecificationsMUST NOTdefine structure within the fragment identifier, unless they are explicitly defining one for reuseby media types in their definitions (for example, as JSON Pointer[RFC6901] does).¶
An Application that defines common fragment identifiers across media types notcontrolled by it would engender interoperability problems with handlers for those media types(because the new, non-standard syntax is not expected).¶
Given the issues described inSection 1, the most successful strategy for Applications andExtensions that wish to use URIs is to use them in the fashion for which they were designed: as links thatare exchanged as part of the protocol, rather than statically specified syntax. Several existingspecifications can aid in this.¶
[RFC8288] specifies relation types for web links. By providing a framework for linking on theWeb, where every link has a relation type, context, and target, it allows Applications to define alink's semantics and connectivity.¶
[RFC6570] provides a standard syntax for URI Templates that can be used to dynamically insertApplication-specific variables into a URI to enable such Applications while avoiding impinging uponURI owners' control of them.¶
[RFC8615] allows specific paths to be "reserved" for standard use on URI schemes that opt intothat mechanism ("http" and "https" by default). Note, however, that this is not a general "escapevalve" for Applications that need structured URIs; see that specification for more information.¶
Specifying more elaborate structures in an attempt to avoid collisions is not an acceptablesolution and does not address the issues described inSection 1. For example, prefixing query parameterswith "myapp_" does not help, because the prefix itself is subject to the risk of collision (sinceit is not "reserved").¶
This document does not introduce new protocol artifacts with security considerations. It prohibitssome practices that might lead to vulnerabilities; for example, if a security-sensitive mechanismis introduced by assuming that a URI path component or query string has a particular meaning, falsepositives might be encountered (due to sites that already use the chosen string). See also[RFC6943].¶
This document has no IANA actions.¶
Many of the requirements of RFC 7320 were removed, in the spirit of making this BCP guidance rather than rules.¶
Thanks toDavid Booth,Dave Crocker,Tim Bray,Anne van Kesteren,Martin Thomson,Erik Wilde,Dave Thaler, andBarry Leiba for their suggestions and feedback.¶