| RFC 9114 | HTTP/3 | June 2022 |
| Bishop | Standards Track | [Page] |
The QUIC transport protocol has several features that are desirable in atransport for HTTP, such as stream multiplexing, per-stream flow control, andlow-latency connection establishment. This document describes a mapping of HTTPsemantics over QUIC. This document also identifies HTTP/2 features that aresubsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9114.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
HTTP semantics ([HTTP]) are used for a broad range of services on theInternet. These semantics have most commonly been used with HTTP/1.1 and HTTP/2.HTTP/1.1 has been used over a variety of transport and session layers, whileHTTP/2 has been used primarily with TLS over TCP. HTTP/3 supports the samesemantics over a new transport protocol: QUIC.¶
HTTP/1.1 ([HTTP/1.1]) uses whitespace-delimited text fields to convey HTTPmessages. While these exchanges are human readable, using whitespace formessage formatting leads to parsing complexity and excessive tolerance ofvariant behavior.¶
Because HTTP/1.1 does not include a multiplexing layer, multiple TCP connectionsare often used to service requests in parallel. However, that has a negativeimpact on congestion control and network efficiency, since TCP does not sharecongestion control across multiple connections.¶
HTTP/2 ([HTTP/2]) introduced a binary framing and multiplexing layerto improve latency without modifying the transport layer. However, because theparallel nature of HTTP/2's multiplexing is not visible to TCP's loss recoverymechanisms, a lost or reordered packet causes all active transactions toexperience a stall regardless of whether that transaction was directly impactedby the lost packet.¶
The QUIC transport protocol incorporates stream multiplexing and per-stream flowcontrol, similar to that provided by the HTTP/2 framing layer. By providingreliability at the stream level and congestion control across the entireconnection, QUIC has the capability to improve the performance of HTTP comparedto a TCP mapping. QUIC also incorporates TLS 1.3 ([TLS]) at thetransport layer, offering comparable confidentiality and integrity to runningTLS over TCP, with the improved connection setup latency of TCP Fast Open([TFO]).¶
This document defines HTTP/3: a mapping of HTTP semantics over the QUICtransport protocol, drawing heavily on the design of HTTP/2. HTTP/3 relies onQUIC to provide confidentiality and integrity protection of data; peerauthentication; and reliable, in-order, per-stream delivery. While delegatingstream lifetime and flow-control issues to QUIC, a binary framing similar to theHTTP/2 framing is used on each stream. Some HTTP/2 features are subsumed byQUIC, while other features are implemented atop QUIC.¶
QUIC is described in[QUIC-TRANSPORT]. For a full description ofHTTP/2, see[HTTP/2].¶
HTTP/3 provides a transport for HTTP semantics using the QUIC transport protocoland an internal framing layer similar to HTTP/2.¶
Once a client knows that an HTTP/3 server exists at a certain endpoint, it opensa QUIC connection. QUIC provides protocol negotiation, stream-basedmultiplexing, and flow control. Discovery of an HTTP/3 endpoint is described inSection 3.1.¶
Within each stream, the basic unit of HTTP/3 communication is a frame(Section 7.2). Each frame type serves a different purpose. For example,HEADERSandDATA frames form the basis of HTTP requests and responses(Section 4.1). Frames that apply to the entire connection areconveyed on a dedicatedcontrol stream.¶
Multiplexing of requests is performed using the QUIC stream abstraction, whichis described inSection 2 of [QUIC-TRANSPORT]. Each request-response pairconsumes a single QUIC stream. Streams are independent of each other, so onestream that is blocked or suffers packet loss does not prevent progress on otherstreams.¶
Server push is an interaction mode introduced in HTTP/2 ([HTTP/2]) thatpermits a server to push a request-response exchange to a client in anticipationof the client making the indicated request. This trades off network usageagainst a potential latency gain. Several HTTP/3 frames are used to manageserver push, such asPUSH_PROMISE,MAX_PUSH_ID, andCANCEL_PUSH.¶
As in HTTP/2, request and response fields are compressed for transmission.Because HPACK ([HPACK]) relies on in-order transmission ofcompressed field sections (a guarantee not provided by QUIC), HTTP/3 replacesHPACK with QPACK ([QPACK]). QPACK uses separate unidirectional streams tomodify and track field table state, while encoded field sections refer to thestate of the table without modifying it.¶
The following sections provide a detailed overview of the lifecycle of an HTTP/3connection:¶
The details of the wire protocol and interactions with the transport aredescribed in subsequent sections:¶
Additional resources are provided in the final sections:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED","MAY", and "OPTIONAL" in this document are to be interpreted asdescribed in BCP 14[RFC2119][RFC8174] when, and only when, theyappear in all capitals, as shown here.¶
This document uses the variable-length integer encoding from[QUIC-TRANSPORT].¶
The following terms are used:¶
An abrupt termination of a connection or stream, possibly due to an errorcondition.¶
The endpoint that initiates an HTTP/3 connection. Clients send HTTP requestsand receive HTTP responses.¶
A transport-layer connection between two endpoints using QUIC as thetransport protocol.¶
An error that affects the entire HTTP/3 connection.¶
Either the client or server of the connection.¶
The smallest unit of communication on a stream in HTTP/3, consisting of aheader and a variable-length sequence of bytes structured according to theframe type.¶
Protocol elements called "frames" exist in both this document and[QUIC-TRANSPORT]. Where frames from[QUIC-TRANSPORT] are referenced, theframe name will be prefaced with "QUIC". For example, "QUIC CONNECTION_CLOSEframes". References without this preface refer to frames defined inSection 7.2.¶
A QUIC connection where the negotiated application protocol is HTTP/3.¶
An endpoint. When discussing a particular endpoint, "peer" refers to theendpoint that is remote to the primary subject of discussion.¶
An endpoint that is receiving frames.¶
An endpoint that is transmitting frames.¶
The endpoint that accepts an HTTP/3 connection. Servers receive HTTP requestsand send HTTP responses.¶
A bidirectional or unidirectional bytestream provided by the QUIC transport.All streams within an HTTP/3 connection can be considered "HTTP/3 streams",but multiple stream types are defined within HTTP/3.¶
An application-level error on the individual stream.¶
The term "content" is defined inSection 6.4 of [HTTP].¶
Finally, the terms "resource", "message", "user agent", "origin server","gateway", "intermediary", "proxy", and "tunnel" are defined inSection 3 of [HTTP].¶
Packet diagrams in this document use the format defined inSection 1.3 of [QUIC-TRANSPORT] to illustrate the order and size of fields.¶
HTTP relies on the notion of an authoritative response: a response that has beendetermined to be the most appropriate response for that request given the stateof the target resource at the time of response message origination by (or at thedirection of) the origin server identified within the target URI. Locating anauthoritative server for an HTTP URI is discussed inSection 4.3 of [HTTP].¶
The "https" scheme associates authority with possession of a certificate thatthe client considers to be trustworthy for the host identified by the authoritycomponent of the URI. Upon receiving a server certificate in the TLS handshake,the clientMUST verify that the certificate is an acceptable match for the URI'sorigin server using the process described inSection 4.3.4 of [HTTP]. Ifthe certificate cannot be verified with respect to the URI's origin server, theclientMUST NOT consider the server authoritative for that origin.¶
A clientMAY attempt access to a resource with an "https" URI by resolving thehost identifier to an IP address, establishing a QUIC connection to that addresson the indicated port (including validation of the server certificate asdescribed above), and sending an HTTP/3 request message targeting the URIto the server over that secured connection. Unless some other mechanism is usedto select HTTP/3, the token "h3" is used in the Application-Layer ProtocolNegotiation (ALPN; see[RFC7301]) extension during the TLS handshake.¶
Connectivity problems (e.g., blocking UDP) can result in a failure to establisha QUIC connection; clientsSHOULD attempt to use TCP-based versions of HTTPin this case.¶
ServersMAY serve HTTP/3 on any UDP port; an alternative service advertisementalways includes an explicit port, and URIs contain either an explicit port or adefault port associated with the scheme.¶
An HTTP origin can advertise the availability of an equivalent HTTP/3 endpointvia the Alt-Svc HTTP response header field or the HTTP/2 ALTSVC frame([ALTSVC]) using the "h3" ALPN token.¶
For example, an origin could indicate in an HTTP response that HTTP/3 wasavailable on UDP port 50781 at the same hostname by including the followingheader field:¶
Alt-Svc: h3=":50781"¶
On receipt of an Alt-Svc record indicating HTTP/3 support, a clientMAY attemptto establish a QUIC connection to the indicated host and port; if thisconnection is successful, the client can send HTTP requests using the mappingdescribed in this document.¶
Although HTTP is independent of the transport protocol, the "http" schemeassociates authority with the ability to receive TCP connections on theindicated port of whatever host is identified within the authority component.Because HTTP/3 does not use TCP, HTTP/3 cannot be used for direct access to theauthoritative server for a resource identified by an "http" URI. However,protocol extensions such as[ALTSVC] permit the authoritative serverto identify other services that are also authoritative and that might bereachable over HTTP/3.¶
Prior to making requests for an origin whose scheme is not "https", the clientMUST ensure the server is willing to serve that scheme. For origins whose schemeis "http", an experimental method to accomplish this is described in[RFC8164]. Other mechanisms might be defined for various schemes in thefuture.¶
HTTP/3 relies on QUIC version 1 as the underlying transport. The use of otherQUIC transport versions with HTTP/3MAY be defined by future specifications.¶
QUIC version 1 uses TLS version 1.3 or greater as its handshake protocol.HTTP/3 clientsMUST support a mechanism to indicate the target host to theserver during the TLS handshake. If the server is identified by a domain name([DNS-TERMS]), clientsMUST send the Server Name Indication (SNI;[RFC6066]) TLS extension unless an alternative mechanism to indicate thetarget host is used.¶
QUIC connections are established as described in[QUIC-TRANSPORT]. Duringconnection establishment, HTTP/3 support is indicated by selecting the ALPNtoken "h3" in the TLS handshake. Support for other application-layer protocolsMAY be offered in the same handshake.¶
While connection-level options pertaining to the core QUIC protocol are set inthe initial crypto handshake, settings specific to HTTP/3 are conveyed in theSETTINGS frame. After the QUIC connection is established, aSETTINGS frameMUST be sent by each endpoint as the initial frame of theirrespective HTTPcontrol stream.¶
HTTP/3 connections are persistent across multiple requests. For bestperformance, it is expected that clients will not close connections until it isdetermined that no further communication with a server is necessary (forexample, when a user navigates away from a particular web page) or until theserver closes the connection.¶
Once a connection to a server endpoint exists, this connectionMAY be reused forrequests with multiple different URI authority components. To use an existingconnection for a new origin, clientsMUST validate the certificate presented bythe server for the new origin server using the process described inSection 4.3.4 of [HTTP]. This implies that clients will need to retain theserver certificate and any additional information needed to verify thatcertificate; clients that do not do so will be unable to reuse the connectionfor additional origins.¶
If the certificate is not acceptable with regard to the new origin for anyreason, the connectionMUST NOT be reused and a new connectionSHOULD beestablished for the new origin. If the reason the certificate cannot beverified might apply to other origins already associated with the connection,the clientSHOULD revalidate the server certificate for those origins. Forinstance, if validation of a certificate fails because the certificate hasexpired or been revoked, this might be used to invalidate all other origins forwhich that certificate was used to establish authority.¶
ClientsSHOULD NOT open more than one HTTP/3 connection to a given IP addressand UDP port, where the IP address and port might be derived from a URI, aselected alternative service ([ALTSVC]), a configured proxy, or nameresolution of any of these. A clientMAY open multiple HTTP/3 connections to thesame IP address and UDP port using different transport or TLS configurations butSHOULD avoid creating multiple connections with the same configuration.¶
Servers are encouraged to maintain open HTTP/3 connections for as long aspossible but are permitted to terminate idle connections if necessary. Wheneither endpoint chooses to close the HTTP/3 connection, the terminating endpointSHOULD first send aGOAWAY frame (Section 5.2) so that bothendpoints can reliably determine whether previously sent frames have beenprocessed and gracefully complete or terminate any necessary remaining tasks.¶
A server that does not wish clients to reuse HTTP/3 connections for a particularorigin can indicate that it is not authoritative for a request by sending a 421(Misdirected Request) status code in response to the request; seeSection 7.4 of [HTTP].¶
A client sends an HTTP request on arequest stream, which is a client-initiatedbidirectional QUIC stream; seeSection 6.1. A clientMUST send only asingle request on a given stream. A server sends zero or more interim HTTPresponses on the same stream as the request, followed by a single final HTTPresponse, as detailed below. SeeSection 15 of [HTTP] for a descriptionof interim and final HTTP responses.¶
Pushed responses are sent on a server-initiated unidirectional QUIC stream; seeSection 6.2.2. A server sends zero or more interim HTTP responses, followedby a single final HTTP response, in the same manner as a standard response.Push is described in more detail inSection 4.6.¶
On a given stream, receipt of multiple requests or receipt of an additional HTTPresponse following a final HTTP responseMUST be treated asmalformed.¶
An HTTP message (request or response) consists of:¶
Header and trailer sections are described in Sections6.3 and6.5 of[HTTP]; the content is described inSection 6.4 of [HTTP].¶
Receipt of an invalid sequence of framesMUST be treated as aconnection errorof typeH3_FRAME_UNEXPECTED. In particular, aDATA frame beforeanyHEADERS frame, or aHEADERS orDATA frame after the trailingHEADERS frame,is considered invalid. Other frame types, especially unknown frame types,might be permitted subject to their own rules; seeSection 9.¶
A serverMAY send one or morePUSH_PROMISE framesbefore, after, or interleaved with the frames of a response message. ThesePUSH_PROMISE frames are not part of the response; seeSection 4.6 for moredetails.PUSH_PROMISE frames are not permitted onpush streams; a pushedresponse that includesPUSH_PROMISE framesMUST be treated as aconnection errorof typeH3_FRAME_UNEXPECTED.¶
Frames of unknown types (Section 9), including reserved frames(Section 7.2.8)MAY be sent on a request orpush stream before, after, orinterleaved with other frames described in this section.¶
TheHEADERS andPUSH_PROMISE frames might reference updates to the QPACK dynamictable. While these updates are not directly part of the message exchange, theymust be received and processed before the message can be consumed. SeeSection 4.2 for more details.¶
Transfer codings (seeSection 7 of [HTTP/1.1]) are not defined for HTTP/3;the Transfer-Encoding header fieldMUST NOT be used.¶
A responseMAY consist of multiple messages when and only when one or moreinterim responses (1xx; seeSection 15.2 of [HTTP]) precede a finalresponse to the same request. Interim responses do not contain contentor trailer sections.¶
An HTTP request/response exchange fully consumes a client-initiatedbidirectional QUIC stream. After sending a request, a clientMUST close thestream for sending. Unless using the CONNECT method (seeSection 4.4), clientsMUST NOT make stream closure dependent on receiving a response to their request.After sending a final response, the serverMUST close the stream for sending. Atthis point, the QUIC stream is fully closed.¶
When a stream is closed, this indicates the end of the final HTTP message.Because some messages are large or unbounded, endpointsSHOULD begin processingpartial HTTP messages once enough of the message has been received to makeprogress. If a client-initiated stream terminates without enough of the HTTPmessage to provide a complete response, the serverSHOULD abort its responsestream with the error codeH3_REQUEST_INCOMPLETE.¶
A server can send a complete response prior to the client sending an entirerequest if the response does not depend on any portion of the request that hasnot been sent and received. When the server does not need to receive theremainder of the request, itMAY abort reading therequest stream, send acomplete response, and cleanly close the sending part of the stream. The errorcodeH3_NO_ERRORSHOULD be used when requesting that the client stop sending ontherequest stream. ClientsMUST NOT discard complete responses as a result ofhaving their request terminated abruptly, though clients can always discardresponses at their discretion for other reasons. If the server sends a partialor complete response but does not abort reading the request, clientsSHOULDcontinue sending the content of the request and close the stream normally.¶
Once arequest stream has been opened, the requestMAY be cancelled by eitherendpoint. Clients cancel requests if the response is no longer of interest;servers cancel requests if they are unable to or choose not to respond. Whenpossible, it isRECOMMENDED that servers send an HTTP response with anappropriate status code rather than cancelling a request it has already begunprocessing.¶
ImplementationsSHOULD cancel requests by abruptly terminating any directions ofa stream that are still open. To do so, an implementation resets the sendingparts of streams and aborts reading on the receiving parts of streams; seeSection 2.4 of [QUIC-TRANSPORT].¶
When the server cancels a request without performing any application processing,the request is considered "rejected". The serverSHOULD abort its responsestream with the error codeH3_REQUEST_REJECTED. In this context, "processed"means that some data from the stream was passed to some higher layer of softwarethat might have taken some action as a result. The client can treat requestsrejected by the server as though they had never been sent at all, therebyallowing them to be retried later.¶
ServersMUST NOT use theH3_REQUEST_REJECTED error code for requests that werepartially or fully processed. When a server abandons a response after partialprocessing, itSHOULD abort its response stream with the error codeH3_REQUEST_CANCELLED.¶
ClientSHOULD use the error codeH3_REQUEST_CANCELLED to cancel requests. Uponreceipt of this error code, a serverMAY abruptly terminate the response usingthe error codeH3_REQUEST_REJECTED if no processing was performed. ClientsMUST NOT use theH3_REQUEST_REJECTED error code, except when a server has requestedclosure of therequest stream with this error code.¶
If a stream is cancelled after receiving a complete response, the clientMAYignore the cancellation and use the response. However, if a stream is cancelledafter receiving a partial response, the responseSHOULD NOT be used. Onlyidempotent actions such as GET, PUT, or DELETE can be safely retried; a clientSHOULD NOT automatically retry a request with a non-idempotent method unless ithas some means to know that the request semantics are idempotentindependent of the method or some means to detect that the original request wasnever applied. SeeSection 9.2.2 of [HTTP] for more details.¶
A malformed request or response is one that is an otherwise valid sequence offrames but is invalid due to:¶
A request or response that is defined as having content when it contains aContent-Length header field (Section 8.6 of [HTTP]) is malformed if thevalue of the Content-Length header field does not equal the sum of theDATAframe lengths received. A response that is defined as never having content, evenwhen a Content-Length is present, can have a non-zero Content-Length headerfield even though no content is included inDATA frames.¶
Intermediaries that process HTTP requests or responses (i.e., any intermediarynot acting as a tunnel)MUST NOT forward a malformed request or response.Malformed requests or responses that are detectedMUST be treated as astreamerror of typeH3_MESSAGE_ERROR.¶
For malformed requests, a serverMAY send an HTTP response indicating the errorprior to closing or resetting the stream. ClientsMUST NOT accept a malformedresponse. Note that these requirements are intended to protect against severaltypes of common attacks against HTTP; they are deliberately strict because beingpermissive can expose implementations to these vulnerabilities.¶
HTTP messages carry metadata as a series of key-value pairs called "HTTPfields"; see Sections6.3 and6.5 of[HTTP]. For a listing of registeredHTTP fields, see the "Hypertext Transfer Protocol (HTTP) Field Name Registry"maintained at<https://www.iana.org/assignments/http-fields/>. Like HTTP/2, HTTP/3 has additional considerations related tothe use of characters in field names, the Connection header field, andpseudo-header fields.¶
Field names are strings containing a subset of ASCII characters. Properties ofHTTP field names and values are discussed in more detail inSection 5.1 of [HTTP]. Characters in field namesMUST be converted to lowercase prior totheir encoding. A request or response containing uppercase characters in fieldnamesMUST be treated asmalformed.¶
HTTP/3 does not use the Connection header field to indicate connection-specificfields; in this protocol, connection-specific metadata is conveyed by othermeans. An endpointMUST NOT generate an HTTP/3 field section containingconnection-specific fields; any message containing connection-specific fieldsMUST be treated asmalformed.¶
The only exception to this is the TE header field, whichMAY be present in anHTTP/3 request header; when it is, itMUST NOT contain any value other than"trailers".¶
An intermediary transforming an HTTP/1.x message to HTTP/3MUST removeconnection-specific header fields as discussed inSection 7.6.1 of [HTTP], or their messages will be treated by other HTTP/3 endpoints asmalformed.¶
[QPACK] describes a variation of HPACK that gives an encoder some controlover how much head-of-line blocking can be caused by compression. This allowsan encoder to balance compression efficiency with latency. HTTP/3 uses QPACK tocompress header and trailer sections, including the control data present in theheader section.¶
To allow for better compression efficiency, the Cookie header field([COOKIES])MAY be split into separate field lines, each with one ormore cookie-pairs, before compression. If a decompressed field section containsmultiple cookie field lines, theseMUST be concatenated into a single bytestring using the two-byte delimiter of "; " (ASCII 0x3b, 0x20) before beingpassed into a context other than HTTP/2 or HTTP/3, such as an HTTP/1.1connection, or a generic HTTP server application.¶
An HTTP/3 implementationMAY impose a limit on the maximum size of the messageheader it will accept on an individual HTTP message. A server that receives alarger header section than it is willing to handle can send an HTTP 431 (RequestHeader Fields Too Large) status code ([RFC6585]). A client can discardresponses that it cannot process. The size of a field list is calculated basedon the uncompressed size of fields, including the length of the name and valuein bytes plus an overhead of 32 bytes for each field.¶
If an implementation wishes to advise its peer of this limit, it can be conveyedas a number of bytes in theSETTINGS_MAX_FIELD_SECTION_SIZE parameter. Animplementation that has received this parameterSHOULD NOT send an HTTP messageheader that exceeds the indicated size, as the peer will likely refuse toprocess it. However, an HTTP message can traverse one or more intermediariesbefore reaching the origin server; seeSection 3.7 of [HTTP]. Becausethis limit is applied separately by each implementation that processes themessage, messages below this limit are not guaranteed to be accepted.¶
Like HTTP/2, HTTP/3 employs a series of pseudo-header fields, where the fieldname begins with the: character (ASCII 0x3a). These pseudo-header fieldsconvey message control data; seeSection 6.2 of [HTTP].¶
Pseudo-header fields are not HTTP fields. EndpointsMUST NOT generatepseudo-header fields other than those defined in this document. However, anextension could negotiate a modification of this restriction; seeSection 9.¶
Pseudo-header fields are only valid in the context in which they are defined.Pseudo-header fields defined for requestsMUST NOT appear in responses;pseudo-header fields defined for responsesMUST NOT appear in requests.Pseudo-header fieldsMUST NOT appear in trailer sections. EndpointsMUST treat arequest or response that contains undefined or invalid pseudo-header fields asmalformed.¶
All pseudo-header fieldsMUST appear in the header section before regular headerfields. Any request or response that contains a pseudo-header field thatappears in a header section after a regular header fieldMUST be treated asmalformed.¶
The following pseudo-header fields are defined for requests:¶
Contains the scheme portion of the target URI (Section 3.1 of [URI]).¶
The :scheme pseudo-header is not restricted to URIs with scheme "http" and"https". A proxy or gateway can translate requests for non-HTTP schemes,enabling the use of HTTP to interact with non-HTTP services.¶
SeeSection 3.1.2 for guidance on using a scheme other than "https".¶
Contains the authority portion of the target URI (Section 3.2 of [URI]).The authorityMUST NOT include the deprecated userinfosubcomponent for URIs of scheme "http" or "https".¶
To ensure that the HTTP/1.1 request line can be reproduced accurately, thispseudo-header fieldMUST be omitted when translating from an HTTP/1.1request that has a request target in a method-specific form; seeSection 7.1 of [HTTP]. Clients that generate HTTP/3 requests directlySHOULD usethe :authority pseudo-header field instead of the Host header field. Anintermediary that converts an HTTP/3 request to HTTP/1.1MUST create a Hostfield if one is not present in a request by copying the value of the:authority pseudo-header field.¶
Contains the path and query parts of the target URI (the "path-absolute"production and optionally a? character (ASCII 0x3f) followed by the"query" production; see Sections3.3 and3.4 of[URI].¶
This pseudo-header fieldMUST NOT be empty for "http" or "https" URIs;"http" or "https" URIs that do not contain a path componentMUST include avalue of/ (ASCII 0x2f). An OPTIONS request that does not include a pathcomponent includes the value* (ASCII 0x2a) for the :path pseudo-headerfield; seeSection 7.1 of [HTTP].¶
All HTTP/3 requestsMUST include exactly one value for the :method, :scheme,and :path pseudo-header fields, unless the request is a CONNECT request; seeSection 4.4.¶
If the :scheme pseudo-header field identifies a scheme that has a mandatoryauthority component (including "http" and "https"), the requestMUST containeither an :authority pseudo-header field or a Host header field. If thesefields are present, theyMUST NOT be empty. If both fields are present, theyMUST contain the same value. If the scheme does not have a mandatory authoritycomponent and none is provided in the request target, the requestMUST NOTcontain the :authority pseudo-header or Host header fields.¶
An HTTP request that omits mandatory pseudo-header fields or contains invalidvalues for those pseudo-header fields ismalformed.¶
HTTP/3 does not define a way to carry the version identifier that is included inthe HTTP/1.1 request line. HTTP/3 requests implicitly have a protocol versionof "3.0".¶
For responses, a single ":status" pseudo-header field is defined that carriesthe HTTP status code; seeSection 15 of [HTTP]. This pseudo-headerfieldMUST be included in all responses; otherwise, the response ismalformed(seeSection 4.1.2).¶
HTTP/3 does not define a way to carry the version or reason phrase that isincluded in an HTTP/1.1 status line. HTTP/3 responses implicitly have a protocolversion of "3.0".¶
The CONNECT method requests that the recipient establish a tunnel to thedestination origin server identified by the request-target; seeSection 9.3.6 of [HTTP]. It is primarily used with HTTP proxies to establish a TLSsession with an origin server for the purposes of interacting with "https"resources.¶
In HTTP/1.x, CONNECT is used to convert an entire HTTP connection into a tunnelto a remote host. In HTTP/2 and HTTP/3, the CONNECT method is used to establisha tunnel over a single stream.¶
A CONNECT requestMUST be constructed as follows:¶
Therequest stream remains open at the end of the request to carry the data tobe transferred. A CONNECT request that does not conform to these restrictionsismalformed.¶
A proxy that supports CONNECT establishes a TCP connection ([RFC0793]) to theserver identified in the :authority pseudo-header field. Once this connectionis successfully established, the proxy sends aHEADERS frame containing a 2xxseries status code to the client, as defined inSection 15.3 of [HTTP].¶
AllDATA frames on the stream correspond to data sent or received on the TCPconnection. The payload of anyDATA frame sent by the client is transmitted bythe proxy to the TCP server; data received from the TCP server is packaged intoDATA frames by the proxy. Note that the size and number of TCP segments is notguaranteed to map predictably to the size and number of HTTPDATA or QUIC STREAMframes.¶
Once the CONNECT method has completed, onlyDATA frames are permitted to be senton the stream. Extension framesMAY be used if specifically permitted by thedefinition of the extension. Receipt of any other known frame typeMUST betreated as aconnection error of typeH3_FRAME_UNEXPECTED.¶
The TCP connection can be closed by either peer. When the client ends therequest stream (that is, the receive stream at the proxy enters the "Data Recvd"state), the proxy will set the FIN bit on its connection to the TCP server. Whenthe proxy receives a packet with the FIN bit set, it will close the send streamthat it sends to the client. TCP connections that remain half closed in asingle direction are not invalid, but are often handled poorly by servers, soclientsSHOULD NOT close a stream for sending while they still expect to receivedata from the target of the CONNECT.¶
A TCPconnection error is signaled by abruptly terminating the stream. A proxytreats any error in the TCP connection, which includes receiving a TCP segmentwith the RST bit set, as astream error of typeH3_CONNECT_ERROR.¶
Correspondingly, if a proxy detects an error with the stream or the QUICconnection, itMUST close the TCP connection. If the proxy detects that theclient has reset the stream or aborted reading from the stream, itMUST closethe TCP connection. If the stream is reset or reading is aborted by the client,a proxySHOULD perform the same operation on the other direction in order toensure that both directions of the stream are cancelled. In all these cases, ifthe underlying TCP implementation permits it, the proxySHOULD send a TCPsegment with the RST bit set.¶
Since CONNECT creates a tunnel to an arbitrary server, proxies that supportCONNECTSHOULD restrict its use to a set of known ports or a list of saferequest targets; seeSection 9.3.6 of [HTTP] for more details.¶
HTTP/3 does not support the HTTP Upgrade mechanism (Section 7.8 of [HTTP]) or the 101 (Switching Protocols) informational status code(Section 15.2.2 of [HTTP]).¶
Server push is an interaction mode that permits a server to push arequest-response exchange to a client in anticipation of the client making theindicated request. This trades off network usage against a potential latencygain. HTTP/3 server push is similar to what is described inSection 8.2 of [HTTP/2], but it uses different mechanisms.¶
Each server push is assigned a unique push ID by the server. The push ID isused to refer to the push in various contexts throughout the lifetime of theHTTP/3 connection.¶
The push ID space begins at zero and ends at a maximum value set by theMAX_PUSH_ID frame. In particular, a server is notable to push until after the client sends aMAX_PUSH_ID frame. A client sendsMAX_PUSH_ID frames to control the number of pushes that a server can promise. AserverSHOULD use push IDs sequentially, beginning from zero. A clientMUSTtreat receipt of apush stream as aconnection error of typeH3_ID_ERRORwhen noMAX_PUSH_ID frame has been sent or when the streamreferences a push ID that is greater than the maximum push ID.¶
The push ID is used in one or morePUSH_PROMISE frames that carry the controldata and header fields of the request message. These frames are sent on therequest stream that generated the push. This allows the server push to beassociated with a client request. When the same push ID is promised on multiplerequest streams, the decompressed request field sectionsMUST contain the samefields in the same order, and both the name and the value in each fieldMUST beidentical.¶
The push ID is then included with thepush stream that ultimately fulfillsthose promises. Thepush stream identifies the push ID ofthe promise that it fulfills, then contains a response to the promised requestas described inSection 4.1.¶
Finally, the push ID can be used inCANCEL_PUSH frames; seeSection 7.2.3. Clients use this frame to indicate they do not wish toreceive a promised resource. Servers use this frame to indicate they will notbe fulfilling a previous promise.¶
Not all requests can be pushed. A serverMAY push requests that have thefollowing properties:¶
The serverMUST include a value in the :authority pseudo-header field forwhich the server is authoritative. If the client has not yet validated theconnection for the origin indicated by the pushed request, itMUST perform thesame verification process it would do before sending a request for that originon the connection; seeSection 3.3. If this verification fails,the clientMUST NOT consider the server authoritative for that origin.¶
ClientsSHOULD send aCANCEL_PUSH frame upon receipt of aPUSH_PROMISE framecarrying a request that is not cacheable, is not known to be safe, thatindicates the presence of request content, or for which it does not consider theserver authoritative. Any corresponding responsesMUST NOT be used or cached.¶
Each pushed response is associated with one or more client requests. The pushis associated with therequest stream on which thePUSH_PROMISE frame wasreceived. The same server push can be associated with additional clientrequests using aPUSH_PROMISE frame with the same push ID on multiplerequeststreams. These associations do not affect the operation of the protocol, buttheyMAY be considered by user agents when deciding how to use pushed resources.¶
Ordering of aPUSH_PROMISE frame in relation to certain parts of the response isimportant. The serverSHOULD sendPUSH_PROMISE frames prior to sendingHEADERSorDATA frames that reference the promised responses. This reduces the chancethat a client requests a resource that will be pushed by the server.¶
Due to reordering,push stream data can arrive before the correspondingPUSH_PROMISE frame. When a client receives a newpush stream with anas-yet-unknown push ID, both the associated client request and the pushedrequest header fields are unknown. The client can buffer the stream data inexpectation of the matchingPUSH_PROMISE. The client can use stream flow control(Section 4.1 of [QUIC-TRANSPORT]) to limit the amount of data a server maycommit to the pushed stream. ClientsSHOULD abort reading and discard dataalready read frompush streams if no correspondingPUSH_PROMISE frame isprocessed in a reasonable amount of time.¶
Push stream data can also arrive after a client has cancelled a push. In thiscase, the client can abort reading the stream with an error code ofH3_REQUEST_CANCELLED. This asks the server not to transfer additional data andindicates that it will be discarded upon receipt.¶
Pushed responses that are cacheable (seeSection 3 of [HTTP-CACHING]) can bestored by the client, if it implements an HTTP cache. Pushed responses areconsidered successfully validated on the origin server (e.g., if the "no-cache"cache response directive is present; seeSection 5.2.2.4 of [HTTP-CACHING]) at thetime the pushed response is received.¶
Pushed responses that are not cacheableMUST NOT be stored by any HTTP cache.TheyMAY be made available to the application separately.¶
Once established, an HTTP/3 connection can be used for many requests andresponses over time until the connection is closed. Connection closure canhappen in any of several different ways.¶
Each QUIC endpoint declares an idle timeout during the handshake. If the QUICconnection remains idle (no packets received) for longer than this duration, thepeer will assume that the connection has been closed. HTTP/3 implementationswill need to open a new HTTP/3 connection for new requests if the existingconnection has been idle for longer than the idle timeout negotiated during theQUIC handshake, and theySHOULD do so if approaching the idle timeout; seeSection 10.1 of [QUIC-TRANSPORT].¶
HTTP clients are expected to request that the transport keep connections openwhile there are responses outstanding for requests or server pushes, asdescribed inSection 10.1.2 of [QUIC-TRANSPORT]. If the client is notexpecting a response from the server, allowing an idle connection to time out ispreferred over expending effort maintaining a connection that might not beneeded. A gatewayMAY maintain connections in anticipation of need rather thanincur the latency cost of connection establishment to servers. ServersSHOULD NOT actively keep connections open.¶
Even when a connection is not idle, either endpoint can decide to stop using theconnection and initiate a graceful connection close. Endpoints initiate thegraceful shutdown of an HTTP/3 connection by sending aGOAWAY frame. TheGOAWAYframe contains an identifier that indicates to the receiver the range ofrequests or pushes that were or might be processed in this connection. Theserver sends a client-initiated bidirectional stream ID; the client sends apushID. Requests or pushes with the indicated identifier or greater are rejected(Section 4.1.1) by the sender of theGOAWAY. This identifierMAY bezero if no requests or pushes were processed.¶
The information in theGOAWAY frame enables a client and server to agree onwhich requests or pushes were accepted prior to the shutdown of the HTTP/3connection. Upon sending aGOAWAY frame, the endpointSHOULD explicitly cancel(see Sections4.1.1 and7.2.3) any requestsor pushes that have identifiers greater than or equal to the one indicated, inorder to clean up transport state for the affected streams. The endpointSHOULDcontinue to do so as more requests or pushes arrive.¶
EndpointsMUST NOT initiate new requests or promise new pushes on the connectionafter receipt of aGOAWAY frame from the peer. ClientsMAY establish a newconnection to send additional requests.¶
Some requests or pushes might already be in transit:¶
Upon receipt of aGOAWAY frame, if the client has already sent requests witha stream ID greater than or equal to the identifier contained in theGOAWAYframe, those requests will not be processed. Clients can safely retryunprocessed requests on a different HTTP connection. A client that isunable to retry requests loses all requests that are in flight when theserver closes the connection.¶
Requests on stream IDs less than the stream ID in aGOAWAY frame from theserver might have been processed; their status cannot be known until aresponse is received, the stream is reset individually, anotherGOAWAY isreceived with a lower stream ID than that of the request in question,or the connection terminates.¶
ServersMAY reject individual requests on streams below the indicated ID ifthese requests were not processed.¶
ServersSHOULD send aGOAWAY frame when the closing of a connection is knownin advance, even if the advance notice is small, so that the remote peer canknow whether or not a request has been partially processed. For example, if anHTTP client sends a POST at the same time that a server closes a QUICconnection, the client cannot know if the server started to process that POSTrequest if the server does not send aGOAWAY frame to indicate what streams itmight have acted on.¶
An endpointMAY send multipleGOAWAY frames indicating different identifiers,but the identifier in each frameMUST NOT be greater than the identifier in anyprevious frame, since clients might already have retried unprocessed requests onanother HTTP connection. Receiving aGOAWAY containing a larger identifier thanpreviously receivedMUST be treated as aconnection error of typeH3_ID_ERROR.¶
An endpoint that is attempting to gracefully shut down a connection can send aGOAWAY frame with a value set to the maximum possible value (262-4for servers, 262-1 for clients). This ensures that the peer stopscreating new requests or pushes. After allowing time for any in-flight requestsor pushes to arrive, the endpoint can send anotherGOAWAY frame indicating whichrequests or pushes it might accept before the end of the connection. Thisensures that a connection can be cleanly shut down without losing requests.¶
A client has more flexibility in the value it chooses for the Push ID field in aGOAWAY that it sends. A value of 262-1 indicates that the server cancontinue fulfilling pushes that have already been promised. A smaller valueindicates the client will reject pushes with push IDs greater than or equal tothis value. Like the server, the clientMAY send subsequentGOAWAY frames solong as the specifiedpush ID is no greater than any previously sent value.¶
Even when aGOAWAY indicates that a given request or push will not be processedor accepted upon receipt, the underlying transport resources still exist. Theendpoint that initiated these requests can cancel them to clean up transportstate.¶
Once all accepted requests and pushes have been processed, the endpoint canpermit the connection to become idle, or itMAY initiate an immediate closure ofthe connection. An endpoint that completes a graceful shutdownSHOULD use theH3_NO_ERROR error code when closing the connection.¶
If a client has consumed all available bidirectional stream IDs with requests,the server need not send aGOAWAY frame, since the client is unable to makefurther requests.¶
An HTTP/3 implementation can immediately close the QUIC connection at any time.This results in sending a QUIC CONNECTION_CLOSE frame to the peer indicatingthat the application layer has terminated the connection. The application errorcode in this frame indicates to the peer why the connection is being closed.SeeSection 8 for error codes that can be used when closing a connection inHTTP/3.¶
Before closing the connection, aGOAWAY frameMAY be sent to allow the client toretry some requests. Including theGOAWAY frame in the same packet as the QUICCONNECTION_CLOSE frame improves the chances of the frame being received byclients.¶
If there are open streams that have not been explicitly closed, they areimplicitly closed when the connection is closed; seeSection 10.2 of [QUIC-TRANSPORT].¶
For various reasons, the QUIC transport could indicate to the application layerthat the connection has terminated. This might be due to an explicit closureby the peer, a transport-level error, or a change in network topology thatinterrupts connectivity.¶
If a connection terminates without aGOAWAY frame, clientsMUST assume that anyrequest that was sent, whether in whole or in part, might have been processed.¶
A QUIC stream provides reliable in-order delivery of bytes, but makes noguarantees about order of delivery with regard to bytes on other streams. Inversion 1 of QUIC, the stream data containing HTTP frames is carried by QUICSTREAM frames, but this framing is invisible to the HTTP framing layer. Thetransport layer buffers and orders received stream data, exposing a reliablebyte stream to the application. Although QUIC permits out-of-order deliverywithin a stream, HTTP/3 does not make use of this feature.¶
QUIC streams can be either unidirectional, carrying data only from initiator toreceiver, or bidirectional, carrying data in both directions. Streams can beinitiated by either the client or the server. For more detail on QUIC streams,seeSection 2 of [QUIC-TRANSPORT].¶
When HTTP fields and data are sent over QUIC, the QUIC layer handles most ofthe stream management. HTTP does not need to do any separate multiplexing whenusing QUIC: data sent over a QUIC stream always maps to a particular HTTPtransaction or to the entire HTTP/3 connection context.¶
All client-initiated bidirectional streams are used for HTTP requests andresponses. A bidirectional stream ensures that the response can be readilycorrelated with the request. These streams are referred to as request streams.¶
This means that the client's first request occurs on QUIC stream 0, withsubsequent requests on streams 4, 8, and so on. In order to permit these streamsto open, an HTTP/3 serverSHOULD configure non-zero minimum values for thenumber of permitted streams and the initial stream flow-control window. So asto not unnecessarily limit parallelism, at least 100 request streamsSHOULD bepermitted at a time.¶
HTTP/3 does not use server-initiated bidirectional streams, though an extensioncould define a use for these streams. ClientsMUST treat receipt of aserver-initiated bidirectional stream as aconnection error of typeH3_STREAM_CREATION_ERROR unless such an extension has beennegotiated.¶
Unidirectional streams, in either direction, are used for a range of purposes.The purpose is indicated by a stream type, which is sent as a variable-lengthinteger at the start of the stream. The format and structure of data thatfollows this integer is determined by the stream type.¶
Unidirectional Stream Header { Stream Type (i),}Two stream types are defined in this document:control streams(Section 6.2.1) andpush streams (Section 6.2.2).[QPACK] definestwo additional stream types. Other stream types can be defined by extensions toHTTP/3; seeSection 9 for more details. Some stream types are reserved(Section 6.2.3).¶
The performance of HTTP/3 connections in the early phase of their lifetime issensitive to the creation and exchange of data on unidirectional streams.Endpoints that excessively restrict the number of streams or the flow-controlwindow of these streams will increase the chance that the remote peer reachesthe limit early and becomes blocked. In particular, implementations shouldconsider that remote peers may wish to exercise reserved stream behavior(Section 6.2.3) with some of the unidirectional streams they are permittedto use.¶
Each endpoint needs to create at least one unidirectional stream for the HTTPcontrol stream. QPACK requires two additional unidirectional streams, and otherextensions might require further streams. Therefore, the transport parameterssent by both clients and serversMUST allow the peer to create at least threeunidirectional streams. These transport parametersSHOULD also provide at least1,024 bytes of flow-control credit to each unidirectional stream.¶
Note that an endpoint is not required to grant additional credits to create moreunidirectional streams if its peer consumes all the initial credits beforecreating the critical unidirectional streams. EndpointsSHOULD create the HTTPcontrol stream as well as the unidirectional streams required by mandatoryextensions (such as the QPACK encoder and decoder streams) first, and thencreate additional streams as allowed by their peer.¶
If the stream header indicates a stream type that is not supported by therecipient, the remainder of the stream cannot be consumed as the semantics areunknown. Recipients of unknown stream typesMUST either abort reading of thestream or discard incoming data without further processing. If reading isaborted, the recipientSHOULD use theH3_STREAM_CREATION_ERROR error code or areserved error code (Section 8.1). The recipientMUST NOT considerunknown stream types to be aconnection error of any kind.¶
As certain stream types can affect connection state, a recipientSHOULD NOTdiscard data from incoming unidirectional streams prior to reading the streamtype.¶
ImplementationsMAY send stream types before knowing whether the peer supportsthem. However, stream types that could modify the state or semantics ofexisting protocol components, including QPACK or other extensions,MUST NOT besent until the peer is known to support them.¶
A sender can close or reset a unidirectional stream unless otherwise specified.A receiverMUST tolerate unidirectional streams being closed or reset prior tothe reception of the unidirectional stream header.¶
A control stream is indicated by a stream type of 0x00. Data on this streamconsists of HTTP/3 frames, as defined inSection 7.2.¶
Each sideMUST initiate a single control stream at the beginning of theconnection and send itsSETTINGS frame as the first frame on this stream. Ifthe first frame of the control stream is any other frame type, thisMUST betreated as aconnection error of typeH3_MISSING_SETTINGS. Only one controlstream per peer is permitted; receipt of a second stream claiming to be acontrol streamMUST be treated as aconnection error of typeH3_STREAM_CREATION_ERROR. The senderMUST NOT close the control stream, and thereceiverMUST NOT request that the sender close the control stream. If eithercontrol stream is closed at any point, thisMUST be treated as aconnectionerror of typeH3_CLOSED_CRITICAL_STREAM. Connection errors are described inSection 8.¶
Because the contents of the control stream are used to manage the behavior ofother streams, endpointsSHOULD provide enough flow-control credit to keep thepeer's control stream from becoming blocked.¶
A pair of unidirectional streams is used rather than a single bidirectionalstream. This allows either peer to send data as soon as it is able. Dependingon whether 0-RTT is available on the QUIC connection, either client or servermight be able to send stream data first.¶
Server push is an optional feature introduced in HTTP/2 that allows a server toinitiate a response before a request has been made. SeeSection 4.6 formore details.¶
A push stream is indicated by a stream type of 0x01, followed by thepush IDof the promise that it fulfills, encoded as a variable-length integer. Theremaining data on this stream consists of HTTP/3 frames, as defined inSection 7.2, and fulfills a promised server push by zero or more interim HTTPresponses followed by a single final HTTP response, as defined inSection 4.1. Server push and push IDs are described inSection 4.6.¶
Only servers can push; if a server receives a client-initiated push stream, thisMUST be treated as aconnection error of typeH3_STREAM_CREATION_ERROR.¶
Push Stream Header { Stream Type (i) = 0x01, Push ID (i),}A clientSHOULD NOT abort reading on a push stream prior to reading the pushstream header, as this could lead to disagreement between client and server onwhich push IDs have already been consumed.¶
Eachpush IDMUST only be used once in a push stream header. If a client detectsthat a push stream header includes apush ID that was used in another pushstream header, the clientMUST treat this as aconnection error of typeH3_ID_ERROR.¶
Stream types of the format0x1f * N + 0x21 for non-negative integer values ofN are reserved to exercise the requirement that unknown types be ignored.These streams have no semantics, and they can be sent when application-layerpadding is desired. TheyMAY also be sent on connections where no data iscurrently being transferred. EndpointsMUST NOT consider these streams to haveany meaning upon receipt.¶
The payload and length of the stream are selected in any manner the sendingimplementation chooses. When sending a reserved stream type, the implementationMAY either terminate the stream cleanly or reset it. When resetting the stream,either theH3_NO_ERROR error code or a reserved error code(Section 8.1)SHOULD be used.¶
HTTP frames are carried on QUIC streams, as described inSection 6.HTTP/3 defines three stream types:control stream,request stream, andpushstream. This section describes HTTP/3 frame formats and their permitted streamtypes; seeTable 1 for an overview. A comparison betweenHTTP/2 and HTTP/3 frames is provided inAppendix A.2.¶
| Frame | Control Stream | Request Stream | Push Stream | Section |
|---|---|---|---|---|
| DATA | No | Yes | Yes | Section 7.2.1 |
| HEADERS | No | Yes | Yes | Section 7.2.2 |
| CANCEL_PUSH | Yes | No | No | Section 7.2.3 |
| SETTINGS | Yes (1) | No | No | Section 7.2.4 |
| PUSH_PROMISE | No | Yes | No | Section 7.2.5 |
| GOAWAY | Yes | No | No | Section 7.2.6 |
| MAX_PUSH_ID | Yes | No | No | Section 7.2.7 |
| Reserved | Yes | Yes | Yes | Section 7.2.8 |
TheSETTINGS frame can only occur as the first frame of a Control stream; thisis indicated inTable 1 with a (1). Specific guidanceis provided in the relevant section.¶
Note that, unlike QUIC frames, HTTP/3 frames can span multiple packets.¶
All frames have the following format:¶
HTTP/3 Frame Format { Type (i), Length (i), Frame Payload (..),}A frame includes the following fields:¶
A variable-length integer that identifies the frame type.¶
A variable-length integer that describes the length in bytes ofthe Frame Payload.¶
A payload, the semantics of which are determined by the Type field.¶
Each frame's payloadMUST contain exactly the fields identified in itsdescription. A frame payload that contains additional bytes after theidentified fields or a frame payload that terminates before the end of theidentified fieldsMUST be treated as aconnection error of typeH3_FRAME_ERROR. In particular, redundant length encodingsMUSTbe verified to be self-consistent; seeSection 10.8.¶
When a stream terminates cleanly, if the last frame on the stream was truncated,thisMUST be treated as aconnection error of typeH3_FRAME_ERROR. Streams thatterminate abruptly may be reset at any point in a frame.¶
DATA frames (type=0x00) convey arbitrary, variable-length sequences of bytesassociated with HTTP request or response content.¶
DATA framesMUST be associated with an HTTP request or response. If a DATAframe is received on acontrol stream, the recipientMUST respond with aconnection error of typeH3_FRAME_UNEXPECTED.¶
DATA Frame { Type (i) = 0x00, Length (i), Data (..),}The HEADERS frame (type=0x01) is used to carry an HTTP field section that isencoded using QPACK. See[QPACK] for more details.¶
HEADERS Frame { Type (i) = 0x01, Length (i), Encoded Field Section (..),}HEADERS frames can only be sent onrequest streams orpush streams. If aHEADERS frame is received on acontrol stream, the recipientMUST respond with aconnection error of typeH3_FRAME_UNEXPECTED.¶
The CANCEL_PUSH frame (type=0x03) is used to request cancellation of a serverpush prior to thepush stream being received. The CANCEL_PUSH frame identifiesa server push bypush ID (seeSection 4.6), encoded as a variable-lengthinteger.¶
When a client sends a CANCEL_PUSH frame, it is indicating that it does not wishto receive the promised resource. The serverSHOULD abort sending the resource,but the mechanism to do so depends on the state of the correspondingpushstream. If the server has not yet created apush stream, it does not createone. If thepush stream is open, the serverSHOULD abruptly terminate thatstream. If thepush stream has already ended, the serverMAY still abruptlyterminate the stream orMAY take no action.¶
A server sends a CANCEL_PUSH frame to indicate that it will not be fulfilling apromise that was previously sent. The client cannot expect the correspondingpromise to be fulfilled, unless it has already received and processed thepromised response. Regardless of whether apush stream has been opened, a serverSHOULD send a CANCEL_PUSH frame when it determines that promise will not befulfilled. If a stream has already been opened, the server can abort sending onthe stream with an error code ofH3_REQUEST_CANCELLED.¶
Sending a CANCEL_PUSH frame has no direct effect on the state of existingpushstreams. A clientSHOULD NOT send a CANCEL_PUSH frame when it has alreadyreceived a correspondingpush stream. Apush stream could arrive after a clienthas sent a CANCEL_PUSH frame, because a server might not have processed theCANCEL_PUSH. The clientSHOULD abort reading the stream with an error code ofH3_REQUEST_CANCELLED.¶
A CANCEL_PUSH frame is sent on thecontrol stream. Receiving a CANCEL_PUSHframe on a stream other than thecontrol streamMUST be treated as aconnectionerror of typeH3_FRAME_UNEXPECTED.¶
CANCEL_PUSH Frame { Type (i) = 0x03, Length (i), Push ID (i),}The CANCEL_PUSH frame carries apush ID encoded as a variable-length integer.The Push ID field identifies the server push that is being cancelled; seeSection 4.6. If a CANCEL_PUSH frame is received that references apush IDgreater than currently allowed on the connection, thisMUST be treated as aconnection error of typeH3_ID_ERROR.¶
If the client receives a CANCEL_PUSH frame, that frame might identify apush IDthat has not yet been mentioned by aPUSH_PROMISE frame due to reordering. If aserver receives a CANCEL_PUSH frame for apush ID that has not yet beenmentioned by aPUSH_PROMISE frame, thisMUST be treated as aconnection error oftypeH3_ID_ERROR.¶
The SETTINGS frame (type=0x04) conveys configuration parameters that affect howendpoints communicate, such as preferences and constraints on peer behavior.Individually, a SETTINGS parameter can also be referred to as a "setting"; theidentifier and value of each setting parameter can be referred to as a "settingidentifier" and a "setting value".¶
SETTINGS frames always apply to an entire HTTP/3 connection, never a singlestream. A SETTINGS frameMUST be sent as the first frame of eachcontrol stream(seeSection 6.2.1) by each peer, and itMUST NOT be sent subsequently. Ifan endpoint receives a second SETTINGS frame on thecontrol stream, the endpointMUST respond with aconnection error of typeH3_FRAME_UNEXPECTED.¶
SETTINGS framesMUST NOT be sent on any stream other than thecontrol stream.If an endpoint receives a SETTINGS frame on a different stream, the endpointMUST respond with aconnection error of typeH3_FRAME_UNEXPECTED.¶
SETTINGS parameters are not negotiated; they describe characteristics of thesending peer that can be used by the receiving peer. However, a negotiationcan be implied by the use of SETTINGS: each peer uses SETTINGS to advertise aset of supported values. The definition of the setting would describe how eachpeer combines the two sets to conclude which choice will be used. SETTINGS doesnot provide a mechanism to identify when the choice takes effect.¶
Different values for the same parameter can be advertised by each peer. Forexample, a client might be willing to consume a very large response fieldsection, while servers are more cautious about request size.¶
The same setting identifierMUST NOT occur more than once in the SETTINGS frame.A receiverMAY treat the presence of duplicate setting identifiers as aconnection error of typeH3_SETTINGS_ERROR.¶
The payload of a SETTINGS frame consists of zero or more parameters. Eachparameter consists of a setting identifier and a value, both encoded as QUICvariable-length integers.¶
Setting { Identifier (i), Value (i),}SETTINGS Frame { Type (i) = 0x04, Length (i), Setting (..) ...,}An implementationMUST ignore any parameter with an identifier it doesnot understand.¶
The following settings are defined in HTTP/3:¶
The default value is unlimited. SeeSection 4.2.2 for usage.¶
Setting identifiers of the format0x1f * N + 0x21 for non-negative integervalues ofN are reserved to exercise the requirement that unknown identifiersbe ignored. Such settings have no defined meaning. EndpointsSHOULD include atleast one such setting in their SETTINGS frame. EndpointsMUST NOT consider suchsettings to have any meaning upon receipt.¶
Because the setting has no defined meaning, the value of the setting can be anyvalue the implementation selects.¶
Setting identifiers that were defined in[HTTP/2] where there is nocorresponding HTTP/3 setting have also been reserved (Section 11.2.2). Thesereserved settingsMUST NOT be sent, and their receiptMUST be treated as aconnection error of typeH3_SETTINGS_ERROR.¶
Additional settings can be defined by extensions to HTTP/3; seeSection 9for more details.¶
An HTTP implementationMUST NOT send frames or requests that would be invalidbased on its current understanding of the peer's settings.¶
All settings begin at an initial value. Each endpointSHOULD use these initialvalues to send messages before the peer's SETTINGS frame has arrived, as packetscarrying the settings can be lost or delayed. When the SETTINGS frame arrives,any settings are changed to their new values.¶
This removes the need to wait for the SETTINGS frame before sending messages.EndpointsMUST NOT require any data to be received from the peer prior tosending the SETTINGS frame; settingsMUST be sent as soon as the transport isready to send data.¶
For servers, the initial value of each client setting is the default value.¶
For clients using a 1-RTT QUIC connection, the initial value of each serversetting is the default value. 1-RTT keys will always become available prior tothe packet containing SETTINGS being processed by QUIC, even if the server sendsSETTINGS immediately. ClientsSHOULD NOT wait indefinitely for SETTINGS toarrive before sending requests, but theySHOULD process received datagrams inorder to increase the likelihood of processing SETTINGS before sending the firstrequest.¶
When a 0-RTT QUIC connection is being used, the initial value of each serversetting is the value used in the previous session. ClientsSHOULD store thesettings the server provided in the HTTP/3 connection where resumptioninformation was provided, but theyMAY opt not to store settings in certaincases (e.g., if the session ticket is received before the SETTINGS frame). AclientMUST comply with stored settings -- or default values if no values arestored -- when attempting 0-RTT. Once a server has provided new settings,clientsMUST comply with those values.¶
A server can remember the settings that it advertised or store anintegrity-protected copy of the values in the ticket and recover the informationwhen accepting 0-RTT data. A server uses the HTTP/3 settings values indetermining whether to accept 0-RTT data. If the server cannot determine thatthe settings remembered by a client are compatible with its current settings, itMUST NOT accept 0-RTT data. Remembered settings are compatible if a clientcomplying with those settings would not violate the server's current settings.¶
A serverMAY accept 0-RTT and subsequently provide different settings in itsSETTINGS frame. If 0-RTT data is accepted by the server, its SETTINGS frameMUST NOT reduce any limits or alter any values that might be violated by the clientwith its 0-RTT data. The serverMUST include all settings that differ fromtheir default values. If a server accepts 0-RTT but then sends settings thatare not compatible with the previously specified settings, thisMUST be treatedas aconnection error of typeH3_SETTINGS_ERROR. If a server accepts 0-RTT butthen sends a SETTINGS frame that omits a setting value that the clientunderstands (apart from reserved setting identifiers) that was previouslyspecified to have a non-default value, thisMUST be treated as aconnectionerror of typeH3_SETTINGS_ERROR.¶
The PUSH_PROMISE frame (type=0x05) is used to carry a promised request headersection from server to client on arequest stream.¶
PUSH_PROMISE Frame { Type (i) = 0x05, Length (i), Push ID (i), Encoded Field Section (..),}The payload consists of:¶
A variable-length integer that identifies the server push operation. ApushID is used inpush stream headers (Section 4.6) andCANCEL_PUSH frames.¶
QPACK-encoded request header fields for the promised response. See[QPACK] for more details.¶
A serverMUST NOT use apush ID that is larger than the client has provided in aMAX_PUSH_ID frame (Section 7.2.7). A clientMUST treat receipt of aPUSH_PROMISE frame that contains a largerpush ID than the client has advertisedas aconnection error ofH3_ID_ERROR.¶
A serverMAY use the samepush ID in multiple PUSH_PROMISE frames. If so, thedecompressed request header setsMUST contain the same fields in the same order,and both the name and the value in each fieldMUST be exact matches. ClientsSHOULD compare the request header sections for resources promised multipletimes. If a client receives apush ID that has already been promised and detectsa mismatch, itMUST respond with aconnection error of typeH3_GENERAL_PROTOCOL_ERROR. If the decompressed field sections match exactly, theclientSHOULD associate the pushed content with each stream on which aPUSH_PROMISE frame was received.¶
Allowing duplicate references to the samepush ID is primarily to reduceduplication caused by concurrent requests. A serverSHOULD avoid reusing apushID over a long period. Clients are likely to consume server push responses andnot retain them for reuse over time. Clients that see a PUSH_PROMISE frame thatuses apush ID that they have already consumed and discarded are forced toignore the promise.¶
If a PUSH_PROMISE frame is received on thecontrol stream, the clientMUSTrespond with aconnection error of typeH3_FRAME_UNEXPECTED.¶
A clientMUST NOT send a PUSH_PROMISE frame. A serverMUST treat the receipt ofa PUSH_PROMISE frame as aconnection error of typeH3_FRAME_UNEXPECTED.¶
SeeSection 4.6 for a description of the overall server push mechanism.¶
The GOAWAY frame (type=0x07) is used to initiate graceful shutdown of an HTTP/3connection by either endpoint. GOAWAY allows an endpoint to stop accepting newrequests or pushes while still finishing processing of previously receivedrequests and pushes. This enables administrative actions, like servermaintenance. GOAWAY by itself does not close a connection.¶
GOAWAY Frame { Type (i) = 0x07, Length (i), Stream ID/Push ID (i),}The GOAWAY frame is always sent on thecontrol stream. In the server-to-clientdirection, it carries a QUIC stream ID for a client-initiated bidirectionalstream encoded as a variable-length integer. A clientMUST treat receipt of aGOAWAY frame containing a stream ID of any other type as aconnection error oftypeH3_ID_ERROR.¶
In the client-to-server direction, the GOAWAY frame carries apush ID encoded asa variable-length integer.¶
The GOAWAY frame applies to the entire connection, not a specific stream. AclientMUST treat a GOAWAY frame on a stream other than thecontrol stream as aconnection error of typeH3_FRAME_UNEXPECTED.¶
SeeSection 5.2 for more information on the use of the GOAWAY frame.¶
The MAX_PUSH_ID frame (type=0x0d) is used by clients to control the number ofserver pushes that the server can initiate. This sets the maximum value for apush ID that the server can use inPUSH_PROMISE andCANCEL_PUSH frames.Consequently, this also limits the number ofpush streams that the server caninitiate in addition to the limit maintained by the QUIC transport.¶
The MAX_PUSH_ID frame is always sent on thecontrol stream. Receipt of aMAX_PUSH_ID frame on any other streamMUST be treated as aconnection error oftypeH3_FRAME_UNEXPECTED.¶
A serverMUST NOT send a MAX_PUSH_ID frame. A clientMUST treat the receipt ofa MAX_PUSH_ID frame as aconnection error of typeH3_FRAME_UNEXPECTED.¶
The maximumpush ID is unset when an HTTP/3 connection is created, meaning thata server cannot push until it receives a MAX_PUSH_ID frame. A client thatwishes to manage the number of promised server pushes can increase the maximumpush ID by sending MAX_PUSH_ID frames as the server fulfills or cancels serverpushes.¶
MAX_PUSH_ID Frame { Type (i) = 0x0d, Length (i), Push ID (i),}The MAX_PUSH_ID frame carries a single variable-length integer that identifiesthe maximum value for apush ID that the server can use; seeSection 4.6. AMAX_PUSH_ID frame cannot reduce the maximumpush ID; receipt of a MAX_PUSH_IDframe that contains a smaller value than previously receivedMUST be treated asaconnection error of typeH3_ID_ERROR.¶
Frame types of the format0x1f * N + 0x21 for non-negative integer values ofN are reserved to exercise the requirement that unknown types be ignored(Section 9). These frames have no semantics, and theyMAY be sent on anystream where frames are allowed to be sent. This enables their use forapplication-layer padding. EndpointsMUST NOT consider these frames to have anymeaning upon receipt.¶
The payload and length of the frames are selected in any manner theimplementation chooses.¶
Frame types that were used in HTTP/2 where there is no corresponding HTTP/3frame have also been reserved (Section 11.2.1). These frame typesMUST NOT besent, and their receiptMUST be treated as aconnection error of typeH3_FRAME_UNEXPECTED.¶
When a stream cannot be completed successfully, QUIC allows the application toabruptly terminate (reset) that stream and communicate a reason; seeSection 2.4 of [QUIC-TRANSPORT]. This is referred to as a "stream error". An HTTP/3implementation can decide to close a QUIC stream and communicate the type oferror. Wire encodings of error codes are defined inSection 8.1.Stream errors are distinct from HTTP status codes that indicate errorconditions. Stream errors indicate that the sender did not transfer or consumethe full request or response, while HTTP status codes indicate the result of arequest that was successfully received.¶
If an entire connection needs to be terminated, QUIC similarly providesmechanisms to communicate a reason; seeSection 5.3 of [QUIC-TRANSPORT]. Thisis referred to as a "connection error". Similar to stream errors, an HTTP/3implementation can terminate a QUIC connection and communicate the reason usingan error code fromSection 8.1.¶
Although the reasons for closing streams and connections are called "errors",these actions do not necessarily indicate a problem with the connection oreither implementation. For example, a stream can be reset if the requestedresource is no longer needed.¶
An endpointMAY choose to treat a stream error as a connection error undercertain circumstances, closing the entire connection in response to a conditionon a single stream. Implementations need to consider the impact on outstandingrequests before making this choice.¶
Because new error codes can be defined without negotiation (seeSection 9),use of an error code in an unexpected context or receipt of an unknown errorcodeMUST be treated as equivalent toH3_NO_ERROR. However, closing a streamcan have other effects regardless of the error code; for example, seeSection 4.1.¶
The following error codes are defined for use when abruptly terminating streams,aborting reading of streams, or immediately closing HTTP/3 connections.¶
No error. This is used when the connection or stream needs to be closed, butthere is no error to signal.¶
Peer violated protocol requirements in a way that does not match a morespecific error code or endpoint declines to use the more specific error code.¶
An internal error has occurred in the HTTP stack.¶
The endpoint detected that its peer created a stream that it will not accept.¶
A stream required by the HTTP/3 connection was closed or reset.¶
A frame was received that was not permitted in the current state or on thecurrent stream.¶
A frame that fails to satisfy layout requirements or with an invalid sizewas received.¶
The endpoint detected that its peer is exhibiting a behavior that might begenerating excessive load.¶
NoSETTINGS frame was received at the beginning of thecontrol stream.¶
A server rejected a request without performing any application processing.¶
The request or its response (including pushed response) is cancelled.¶
The client's stream terminated without containing a fully formed request.¶
The TCP connection established in response to a CONNECT request was reset orabnormally closed.¶
The requested operation cannot be served over HTTP/3. The peer shouldretry over HTTP/1.1.¶
Error codes of the format0x1f * N + 0x21 for non-negative integer values ofN are reserved to exercise the requirement that unknown error codes be treatedas equivalent toH3_NO_ERROR (Section 9). ImplementationsSHOULD select anerror code from this space with some probability when they would have sentH3_NO_ERROR.¶
HTTP/3 permits extension of the protocol. Within the limitations described inthis section, protocol extensions can be used to provide additional services oralter any aspect of the protocol. Extensions are effective only within thescope of a single HTTP/3 connection.¶
This applies to the protocol elements defined in this document. This does notaffect the existing options for extending HTTP, such as defining new methods,status codes, or fields.¶
Extensions are permitted to use new frame types (Section 7.2), new settings(Section 7.2.4.1), new error codes (Section 8), or new unidirectionalstream types (Section 6.2). Registries are established formanaging these extension points: frame types (Section 11.2.1), settings(Section 11.2.2), error codes (Section 11.2.3), and stream types(Section 11.2.4).¶
ImplementationsMUST ignore unknown or unsupported values in all extensibleprotocol elements. ImplementationsMUST discard data or abort reading onunidirectional streams that have unknown or unsupported types. This means thatany of these extension points can be safely used by extensions without priorarrangement or negotiation. However, where a known frame type is required to bein a specific location, such as theSETTINGS frame as the first frame of thecontrol stream (seeSection 6.2.1), an unknown frame type does not satisfythat requirement andSHOULD be treated as an error.¶
Extensions that could change the semantics of existing protocol componentsMUSTbe negotiated before being used. For example, an extension that changes thelayout of theHEADERS frame cannot be used until the peer has given a positivesignal that this is acceptable. Coordinating when such a revised layout comesinto effect could prove complex. As such, allocating new identifiers fornew definitions of existing protocol elements is likely to be more effective.¶
This document does not mandate a specific method for negotiating the use of anextension, but it notes that a setting (Section 7.2.4.1) could be usedfor that purpose. If both peers set a value that indicates willingness to usethe extension, then the extension can be used. If a setting is used forextension negotiation, the default valueMUST be defined in such a fashion thatthe extension is disabled if the setting is omitted.¶
The security considerations of HTTP/3 should be comparable to those of HTTP/2with TLS. However, many of the considerations fromSection 10 of [HTTP/2]apply to[QUIC-TRANSPORT] and are discussed in that document.¶
HTTP/3 relies on the HTTP definition of authority. The security considerationsof establishing authority are discussed inSection 17.1 of [HTTP].¶
The use of ALPN in the TLS and QUIC handshakes establishes the targetapplication protocol before application-layer bytes are processed. This ensuresthat endpoints have strong assurances that peers are using the same protocol.¶
This does not guarantee protection from all cross-protocol attacks.Section 21.5 of [QUIC-TRANSPORT] describes some ways in which the plaintext of QUICpackets can be used to perform request forgery against endpoints that don't useauthenticated transports.¶
The HTTP/3 field encoding allows the expression of names that are not validfield names in the syntax used by HTTP (Section 5.1 of [HTTP]). Requests orresponses containing invalid field namesMUST be treated asmalformed.Therefore, an intermediary cannot translate an HTTP/3 request or responsecontaining an invalid field name into an HTTP/1.1 message.¶
Similarly, HTTP/3 can transport field values that are not valid. While mostvalues that can be encoded will not alter field parsing, carriage return (ASCII0x0d), line feed (ASCII 0x0a), and the null character (ASCII 0x00) might beexploited by an attacker if they are translated verbatim. Any request orresponse that contains a character not permitted in a field valueMUST betreated asmalformed. Valid characters are defined by the"field-content" ABNF rule inSection 5.5 of [HTTP].¶
Pushed responses do not have an explicit request from the client; the request isprovided by the server in thePUSH_PROMISE frame.¶
Caching responses that are pushed is possible based on the guidance provided bythe origin server in the Cache-Control header field. However, this can causeissues if a single server hosts more than one tenant. For example, a servermight offer multiple users each a small portion of its URI space.¶
Where multiple tenants share space on the same server, that serverMUST ensurethat tenants are not able to push representations of resources that they do nothave authority over. Failure to enforce this would allow a tenant to provide arepresentation that would be served out of cache, overriding the actualrepresentation that the authoritative tenant provides.¶
Clients are required to reject pushed responses for which an origin server isnot authoritative; seeSection 4.6.¶
An HTTP/3 connection can demand a greater commitment of resources to operatethan an HTTP/1.1 or HTTP/2 connection. The use of field compression and flowcontrol depend on a commitment of resources for storing a greater amount ofstate. Settings for these features ensure that memory commitments for thesefeatures are strictly bounded.¶
The number ofPUSH_PROMISE frames is constrained in a similar fashion. A clientthat accepts server pushSHOULD limit the number of push IDs it issues at atime.¶
Processing capacity cannot be guarded as effectively as state capacity.¶
The ability to send undefined protocol elements that the peer is required toignore can be abused to cause a peer to expend additional processing time. Thismight be done by setting multiple undefinedSETTINGS parameters, unknown frametypes, or unknown stream types. Note, however, that some uses are entirelylegitimate, such as optional-to-understand extensions and padding to increaseresistance to traffic analysis.¶
Compression of field sections also offers some opportunities to waste processingresources; seeSection 7 of [QPACK] for more details on potential abuses.¶
All these features -- i.e., server push, unknown protocol elements, fieldcompression -- have legitimate uses. These features become a burden only whenthey are used unnecessarily or to excess.¶
An endpoint that does not monitor such behavior exposes itself to a risk ofdenial-of-service attack. ImplementationsSHOULD track the use of thesefeatures and set limits on their use. An endpointMAY treat activity that issuspicious as aconnection error of typeH3_EXCESSIVE_LOAD, butfalse positives will result in disrupting valid connections and requests.¶
A large field section (Section 4.1) can cause an implementation tocommit a large amount of state. Header fields that are critical for routing canappear toward the end of a header section, which prevents streaming of theheader section to its ultimate destination. This ordering and other reasons,such as ensuring cache correctness, mean that an endpoint likely needs to bufferthe entire header section. Since there is no hard limit to the size of a fieldsection, some endpoints could be forced to commit a large amount of availablememory for header fields.¶
An endpoint can use theSETTINGS_MAX_FIELD_SECTION_SIZE(Section 4.2.2) setting to advise peers of limits that might applyon the size of field sections. This setting is only advisory, so endpointsMAYchoose to send field sections that exceed this limit and risk having the requestor response being treated asmalformed. This setting is specific to an HTTP/3connection, so any request or response could encounter a hop with a lower,unknown limit. An intermediary can attempt to avoid this problem by passing onvalues presented by different peers, but they are not obligated to do so.¶
A server that receives a larger field section than it is willing to handle cansend an HTTP 431 (Request Header Fields Too Large) status code ([RFC6585]).A client can discard responses that it cannot process.¶
The CONNECT method can be used to create disproportionate load on a proxy, sincestream creation is relatively inexpensive when compared to the creation andmaintenance of a TCP connection. Therefore, a proxy that supports CONNECT mightbe more conservative in the number of simultaneous requests it accepts.¶
A proxy might also maintain some resources for a TCP connection beyond theclosing of the stream that carries the CONNECT request, since the outgoing TCPconnection remains in the TIME_WAIT state. To account for this, a proxy mightdelay increasing the QUIC stream limits for some time after a TCP connectionterminates.¶
Compression can allow an attacker to recover secret data when it is compressedin the same context as data under attacker control. HTTP/3 enables compressionof fields (Section 4.2); the following concerns also apply to the useof HTTP compressed content-codings; seeSection 8.4.1 of [HTTP].¶
There are demonstrable attacks on compression that exploit the characteristicsof the web (e.g.,[BREACH]). The attacker induces multiple requestscontaining varying plaintext, observing the length of the resulting ciphertextin each, which reveals a shorter length when a guess about the secret iscorrect.¶
Implementations communicating on a secure channelMUST NOT compress content thatincludes both confidential and attacker-controlled data unless separatecompression contexts are used for each source of data. CompressionMUST NOT beused if the source of data cannot be reliably determined.¶
Further considerations regarding the compression of field sections aredescribed in[QPACK].¶
Padding can be used to obscure the exact size of frame content and is providedto mitigate specific attacks within HTTP, for example, attacks where compressedcontent includes both attacker-controlled plaintext and secret data (e.g.,[BREACH]).¶
Where HTTP/2 employs PADDING frames and Padding fields in other frames to make aconnection more resistant to traffic analysis, HTTP/3 can either rely ontransport-layer padding or employ the reserved frame and stream types discussedin Sections7.2.8 and6.2.3. These methods ofpadding produce different results in terms of the granularity of padding, howpadding is arranged in relation to the information that is being protected,whether padding is applied in the case of packet loss, and how an implementationmight control padding.¶
Reserved stream types can be used to give the appearance of sending traffic evenwhen the connection is idle. Because HTTP traffic often occurs in bursts,apparent traffic can be used to obscure the timing or duration of such bursts,even to the point of appearing to send a constant stream of data. However, assuch traffic is still flow controlled by the receiver, a failure to promptlydrain such streams and provide additional flow-control credit can limit thesender's ability to send real traffic.¶
To mitigate attacks that rely on compression, disabling or limiting compressionmight be preferable to padding as a countermeasure.¶
Use of padding can result in less protection than might seem immediatelyobvious. Redundant padding could even be counterproductive. At best, paddingonly makes it more difficult for an attacker to infer length information byincreasing the number of frames an attacker has to observe. Incorrectlyimplemented padding schemes can be easily defeated. In particular, randomizedpadding with a predictable distribution provides very little protection;similarly, padding payloads to a fixed size exposes information as payload sizescross the fixed-sized boundary, which could be possible if an attacker cancontrol plaintext.¶
Several protocol elements contain nested length elements, typically in the formof frames with an explicit length containing variable-length integers. Thiscould pose a security risk to an incautious implementer. An implementationMUSTensure that the length of a frame exactly matches the length of the fields itcontains.¶
The use of 0-RTT with HTTP/3 creates an exposure to replay attack. Theanti-replay mitigations in[HTTP-REPLAY]MUST be applied when usingHTTP/3 with 0-RTT. When applying[HTTP-REPLAY] to HTTP/3, references to theTLS layer refer to the handshake performed within QUIC, while all references toapplication data refer to the contents of streams.¶
Certain HTTP implementations use the client address for logging oraccess-control purposes. Since a QUIC client's address might change during aconnection (and future versions might support simultaneous use of multipleaddresses), such implementations will need to either actively retrieve theclient's current address or addresses when they are relevant or explicitlyaccept that the original address might change.¶
Several characteristics of HTTP/3 provide an observer an opportunity tocorrelate actions of a single client or server over time. These include thevalue of settings, the timing of reactions to stimulus, and the handling of anyfeatures that are controlled by settings.¶
As far as these create observable differences in behavior, they could be used asa basis for fingerprinting a specific client.¶
HTTP/3's preference for using a single QUIC connection allows correlation of auser's activity on a site. Reusing connections for different origins allowsfor correlation of activity across those origins.¶
Several features of QUIC solicit immediate responses and can be used by anendpoint to measure latency to their peer; this might have privacy implicationsin certain scenarios.¶
This document registers a new ALPN protocol ID (Section 11.1) and creates newregistries that manage the assignment of code points in HTTP/3.¶
This document creates a new registration for the identification ofHTTP/3 in the "TLS Application-Layer Protocol Negotiation (ALPN)Protocol IDs" registry established in[RFC7301].¶
The "h3" string identifies HTTP/3:¶
New registries created in this document operate under the QUIC registrationpolicy documented inSection 22.1 of [QUIC-TRANSPORT]. These registries allinclude the common set of fields listed inSection 22.1.1 of [QUIC-TRANSPORT].These registries are collected under the "Hypertext Transfer Protocol version 3(HTTP/3)" heading.¶
The initial allocations in these registries are all assigned permanent statusand list a change controller of the IETF and a contact of the HTTP working group(ietf-http-wg@w3.org).¶
This document establishes a registry for HTTP/3 frame type codes. The "HTTP/3Frame Types" registry governs a 62-bit space. This registry follows the QUICregistry policy; seeSection 11.2. Permanent registrations in this registryare assigned using the Specification Required policy ([RFC8126]), except forvalues between 0x00 and 0x3f (in hexadecimal; inclusive), which are assignedusing Standards Action or IESG Approval as defined inSections4.9 and4.10 of[RFC8126].¶
While this registry is separate from the "HTTP/2 Frame Type" registry defined in[HTTP/2], it is preferable that the assignments parallel each other where thecode spaces overlap. If an entry is present in only one registry, every effortSHOULD be made to avoid assigning the corresponding value to an unrelatedoperation. Expert reviewersMAY reject unrelated registrations that wouldconflict with the same value in the corresponding registry.¶
In addition to common fields as described inSection 11.2, permanentregistrations in this registryMUST include the following field:¶
A name or label for the frame type.¶
Specifications of frame typesMUST include a description of the frame layout andits semantics, including any parts of the frame that are conditionally present.¶
The entries inTable 2 are registered by this document.¶
| Frame Type | Value | Specification |
|---|---|---|
| DATA | 0x00 | Section 7.2.1 |
| HEADERS | 0x01 | Section 7.2.2 |
| Reserved | 0x02 | This document |
| CANCEL_PUSH | 0x03 | Section 7.2.3 |
| SETTINGS | 0x04 | Section 7.2.4 |
| PUSH_PROMISE | 0x05 | Section 7.2.5 |
| Reserved | 0x06 | This document |
| GOAWAY | 0x07 | Section 7.2.6 |
| Reserved | 0x08 | This document |
| Reserved | 0x09 | This document |
| MAX_PUSH_ID | 0x0d | Section 7.2.7 |
Each code of the format0x1f * N + 0x21 for non-negative integer values ofN(that is, 0x21, 0x40, ..., through 0x3ffffffffffffffe)MUST NOT be assigned byIANA andMUST NOT appear in the listing of assigned values.¶
This document establishes a registry for HTTP/3 settings. The "HTTP/3 Settings"registry governs a 62-bit space. This registry follows the QUIC registrypolicy; seeSection 11.2. Permanent registrations in this registry areassigned using the Specification Required policy ([RFC8126]), except forvalues between 0x00 and 0x3f (in hexadecimal; inclusive), which are assignedusing Standards Action or IESG Approval as defined inSections4.9 and4.10 of[RFC8126].¶
While this registry is separate from the "HTTP/2 Settings" registry defined in[HTTP/2], it is preferable that the assignments parallel each other. If anentry is present in only one registry, every effortSHOULD be made to avoidassigning the corresponding value to an unrelated operation. Expert reviewersMAY reject unrelated registrations that would conflict with the same value inthe corresponding registry.¶
In addition to common fields as described inSection 11.2, permanentregistrations in this registryMUST include the following fields:¶
A symbolic name for the setting. Specifying a setting name is optional.¶
The value of the setting unless otherwise indicated. A defaultSHOULD be themost restrictive possible value.¶
The entries inTable 3 are registered by this document.¶
| Setting Name | Value | Specification | Default |
|---|---|---|---|
| Reserved | 0x00 | This document | N/A |
| Reserved | 0x02 | This document | N/A |
| Reserved | 0x03 | This document | N/A |
| Reserved | 0x04 | This document | N/A |
| Reserved | 0x05 | This document | N/A |
| MAX_FIELD_SECTION_SIZE | 0x06 | Section 7.2.4.1 | Unlimited |
For formatting reasons, setting names can be abbreviated by removing the'SETTINGS_' prefix.¶
Each code of the format0x1f * N + 0x21 for non-negative integer values ofN(that is, 0x21, 0x40, ..., through 0x3ffffffffffffffe)MUST NOT be assigned byIANA andMUST NOT appear in the listing of assigned values.¶
This document establishes a registry for HTTP/3 error codes. The "HTTP/3 ErrorCodes" registry manages a 62-bit space. This registry follows the QUIC registrypolicy; seeSection 11.2. Permanent registrations in this registry areassigned using the Specification Required policy ([RFC8126]), except forvalues between 0x00 and 0x3f (in hexadecimal; inclusive), which are assignedusing Standards Action or IESG Approval as defined inSections4.9 and4.10 of[RFC8126].¶
Registrations for error codes are required to include a description of the errorcode. An expert reviewer is advised to examine new registrations for possibleduplication with existing error codes. Use of existing registrations is to beencouraged, but not mandated. Use of values that are registered in the "HTTP/2Error Code" registry is discouraged, and expert reviewersMAY reject suchregistrations.¶
In addition to common fields as described inSection 11.2, this registryincludes two additional fields. Permanent registrations in this registryMUSTinclude the following field:¶
The entries inTable 4 are registered by this document. Theseerror codes were selected from the range that operates on a SpecificationRequired policy to avoid collisions with HTTP/2 error codes.¶
| Name | Value | Description | Specification |
|---|---|---|---|
| H3_NO_ERROR | 0x0100 | No error | Section 8.1 |
| H3_GENERAL_PROTOCOL_ERROR | 0x0101 | General protocol error | Section 8.1 |
| H3_INTERNAL_ERROR | 0x0102 | Internal error | Section 8.1 |
| H3_STREAM_CREATION_ERROR | 0x0103 | Stream creation error | Section 8.1 |
| H3_CLOSED_CRITICAL_STREAM | 0x0104 | Critical stream was closed | Section 8.1 |
| H3_FRAME_UNEXPECTED | 0x0105 | Frame not permitted in the current state | Section 8.1 |
| H3_FRAME_ERROR | 0x0106 | Frame violated layout or size rules | Section 8.1 |
| H3_EXCESSIVE_LOAD | 0x0107 | Peer generating excessive load | Section 8.1 |
| H3_ID_ERROR | 0x0108 | An identifier was used incorrectly | Section 8.1 |
| H3_SETTINGS_ERROR | 0x0109 | SETTINGS frame contained invalid values | Section 8.1 |
| H3_MISSING_SETTINGS | 0x010a | NoSETTINGS frame received | Section 8.1 |
| H3_REQUEST_REJECTED | 0x010b | Request not processed | Section 8.1 |
| H3_REQUEST_CANCELLED | 0x010c | Data no longer needed | Section 8.1 |
| H3_REQUEST_INCOMPLETE | 0x010d | Stream terminated early | Section 8.1 |
| H3_MESSAGE_ERROR | 0x010e | Malformed message | Section 8.1 |
| H3_CONNECT_ERROR | 0x010f | TCP reset or error on CONNECT request | Section 8.1 |
| H3_VERSION_FALLBACK | 0x0110 | Retry over HTTP/1.1 | Section 8.1 |
Each code of the format0x1f * N + 0x21 for non-negative integer values ofN(that is, 0x21, 0x40, ..., through 0x3ffffffffffffffe)MUST NOT be assigned byIANA andMUST NOT appear in the listing of assigned values.¶
This document establishes a registry for HTTP/3 unidirectional stream types. The"HTTP/3 Stream Types" registry governs a 62-bit space. This registry followsthe QUIC registry policy; seeSection 11.2. Permanent registrations in thisregistry are assigned using the Specification Required policy ([RFC8126]),except for values between 0x00 and 0x3f (in hexadecimal; inclusive), which areassigned using Standards Action or IESG Approval as defined in Sections4.9 and4.10 of[RFC8126].¶
In addition to common fields as described inSection 11.2, permanentregistrations in this registryMUST include the following fields:¶
A name or label for the stream type.¶
Which endpoint on an HTTP/3 connection may initiate a stream of this type.Values are "Client", "Server", or "Both".¶
Specifications for permanent registrationsMUST include a description of thestream type, including the layout and semantics of the stream contents.¶
The entries inTable 5 are registered by this document.¶
| Stream Type | Value | Specification | Sender |
|---|---|---|---|
| Control Stream | 0x00 | Section 6.2.1 | Both |
| Push Stream | 0x01 | Section 4.6 | Server |
Each code of the format0x1f * N + 0x21 for non-negative integer values ofN(that is, 0x21, 0x40, ..., through 0x3ffffffffffffffe)MUST NOT be assigned byIANA andMUST NOT appear in the listing of assigned values.¶
HTTP/3 is strongly informed by HTTP/2, and it bears many similarities. Thissection describes the approach taken to design HTTP/3, points out importantdifferences from HTTP/2, and describes how to map HTTP/2 extensions into HTTP/3.¶
HTTP/3 begins from the premise that similarity to HTTP/2 is preferable, but nota hard requirement. HTTP/3 departs from HTTP/2 where QUIC differs from TCP,either to take advantage of QUIC features (like streams) or to accommodateimportant shortcomings (such as a lack of total ordering). While HTTP/3 issimilar to HTTP/2 in key aspects, such as the relationship of requests andresponses to streams, the details of the HTTP/3 design are substantiallydifferent from HTTP/2.¶
Some important departures are noted in this section.¶
HTTP/3 permits use of a larger number of streams (262-1) than HTTP/2.The same considerations about exhaustion of stream identifier space apply,though the space is significantly larger such that it is likely that otherlimits in QUIC are reached first, such as the limit on the connectionflow-control window.¶
In contrast to HTTP/2, stream concurrency in HTTP/3 is managed by QUIC. QUICconsiders a stream closed when all data has been received and sent data has beenacknowledged by the peer. HTTP/2 considers a stream closed when the framecontaining the END_STREAM bit has been committed to the transport. As a result,the stream for an equivalent exchange could remain "active" for a longer periodof time. HTTP/3 servers might choose to permit a larger number of concurrentclient-initiated bidirectional streams to achieve equivalent concurrency toHTTP/2, depending on the expected usage patterns.¶
In HTTP/2, only request and response bodies (the frame payload ofDATA frames)are subject to flow control. All HTTP/3 frames are sent on QUIC streams, so allframes on all streams are flow controlled in HTTP/3.¶
Due to the presence of other unidirectional stream types, HTTP/3 does not relyexclusively on the number of concurrent unidirectional streams to control thenumber of concurrent in-flight pushes. Instead, HTTP/3 clients use theMAX_PUSH_ID frame to control the number of pushes received from an HTTP/3server.¶
Many framing concepts from HTTP/2 can be elided on QUIC, because the transportdeals with them. Because frames are already on a stream, they can omit thestream number. Because frames do not block multiplexing (QUIC's multiplexingoccurs below this layer), the support for variable-maximum-length packets can beremoved. Because stream termination is handled by QUIC, an END_STREAM flag isnot required. This permits the removal of the Flags field from the genericframe layout.¶
Frame payloads are largely drawn from[HTTP/2]. However, QUIC includes manyfeatures (e.g., flow control) that are also present in HTTP/2. In these cases,the HTTP mapping does not re-implement them. As a result, several HTTP/2 frametypes are not required in HTTP/3. Where an HTTP/2-defined frame is no longerused, the frame ID has been reserved in order to maximize portability betweenHTTP/2 and HTTP/3 implementations. However, even frame types that appear inboth mappings do not have identical semantics.¶
Many of the differences arise from the fact that HTTP/2 provides an absoluteordering between frames across all streams, while QUIC provides this guaranteeon each stream only. As a result, if a frame type makes assumptions that framesfrom different streams will still be received in the order sent, HTTP/3 willbreak them.¶
Some examples of feature adaptations are described below, as well as generalguidance to extension frame implementors converting an HTTP/2 extension toHTTP/3.¶
HTTP/2 specifies priority assignments in PRIORITY frames and (optionally) inHEADERS frames. HTTP/3 does not provide a means of signaling priority.¶
Note that, while there is no explicit signaling for priority, this does not meanthat prioritization is not important for achieving good performance.¶
HPACK was designed with the assumption of in-order delivery. A sequence ofencoded field sections must arrive (and be decoded) at an endpoint in the sameorder in which they were encoded. This ensures that the dynamic state at the twoendpoints remains in sync.¶
Because this total ordering is not provided by QUIC, HTTP/3 uses a modifiedversion of HPACK, called QPACK. QPACK uses a single unidirectional stream tomake all modifications to the dynamic table, ensuring a total order of updates.All frames that contain encoded fields merely reference the table state at agiven time without modifying it.¶
HTTP/2 specifies a stream flow-control mechanism. Although all HTTP/2 frames aredelivered on streams, only theDATA frame payload is subject to flow control.QUIC provides flow control for stream data and all HTTP/3 frame types defined inthis document are sent on streams. Therefore, all frame headers and payload aresubject to flow control.¶
Frame type definitions in HTTP/3 often use the QUIC variable-length integerencoding. In particular, stream IDs use this encoding, which allows for alarger range of possible values than the encoding used in HTTP/2. Some framesin HTTP/3 use an identifier other than a stream ID (e.g., push IDs).Redefinition of the encoding of extension frame types might be necessary if theencoding includes a stream ID.¶
Because the Flags field is not present in generic HTTP/3 frames, those framesthat depend on the presence of flags need to allocate space for flags as partof their frame payload.¶
Other than these issues, frame type HTTP/2 extensions are typically portable toQUIC simply by replacing stream 0 in HTTP/2 with acontrol stream in HTTP/3.HTTP/3 extensions will not assume ordering, but would not be harmed by ordering,and are expected to be portable to HTTP/2.¶
Padding is not defined in HTTP/3 frames. SeeSection 7.2.1.¶
The PRIORITY region ofHEADERS is not defined in HTTP/3 frames. Padding is notdefined in HTTP/3 frames. SeeSection 7.2.2.¶
As described inAppendix A.2.1, HTTP/3 does not provide a means ofsignaling priority.¶
RST_STREAM frames do not exist in HTTP/3, since QUIC provides stream lifecyclemanagement. The same code point is used for theCANCEL_PUSH frame(Section 7.2.3).¶
SETTINGS frames are sent only at the beginning of the connection. SeeSection 7.2.4 andAppendix A.3.¶
ThePUSH_PROMISE frame does not reference a stream; instead, thepush streamreferences thePUSH_PROMISE frame using apush ID. SeeSection 7.2.5.¶
PING frames do not exist in HTTP/3, as QUIC provides equivalentfunctionality.¶
GOAWAY does not contain an error code. In the client-to-server direction,it carries apush ID instead of a server-initiated stream ID.SeeSection 7.2.6.¶
WINDOW_UPDATE frames do not exist in HTTP/3, since QUIC provides flow control.¶
CONTINUATION frames do not exist in HTTP/3; instead, largerHEADERS/PUSH_PROMISE frames than HTTP/2 are permitted.¶
Frame types defined by extensions to HTTP/2 need to be separately registered forHTTP/3 if still applicable. The IDs of frames defined in[HTTP/2] have beenreserved for simplicity. Note that the frame type space in HTTP/3 issubstantially larger (62 bits versus 8 bits), so many HTTP/3 frame types have noequivalent HTTP/2 code points. SeeSection 11.2.1.¶
An important difference from HTTP/2 is that settings are sent once, as the firstframe of thecontrol stream, and thereafter cannot change. This eliminates manycorner cases around synchronization of changes.¶
Some transport-level options that HTTP/2 specifies via theSETTINGS frame aresuperseded by QUIC transport parameters in HTTP/3. The HTTP-level setting thatis retained in HTTP/3 has the same value as in HTTP/2. The supersededsettings are reserved, and their receipt is an error. SeeSection 7.2.4.1 for discussion of both the retained and reserved values.¶
Below is a listing of how each HTTP/2SETTINGS parameter is mapped:¶
This is removed in favor of theMAX_PUSH_ID frame, which provides a moregranular control over server push. Specifying a setting with the identifier0x02 (corresponding to the SETTINGS_ENABLE_PUSH parameter) in the HTTP/3SETTINGS frame is an error.¶
QUIC controls the largest open stream ID as part of its flow-control logic.Specifying a setting with the identifier 0x03 (corresponding to theSETTINGS_MAX_CONCURRENT_STREAMS parameter) in the HTTP/3SETTINGS frame is anerror.¶
QUIC requires both stream and connection flow-control window sizes to bespecified in the initial transport handshake. Specifying a setting with theidentifier 0x04 (corresponding to the SETTINGS_INITIAL_WINDOW_SIZE parameter)in the HTTP/3SETTINGS frame is an error.¶
This setting has no equivalent in HTTP/3. Specifying a setting with theidentifier 0x05 (corresponding to the SETTINGS_MAX_FRAME_SIZE parameter) inthe HTTP/3SETTINGS frame is an error.¶
This setting identifier has been renamedSETTINGS_MAX_FIELD_SECTION_SIZE.¶
In HTTP/3, setting values are variable-length integers (6, 14, 30, or 62 bitslong) rather than fixed-length 32-bit fields as in HTTP/2. This will oftenproduce a shorter encoding, but can produce a longer encoding for settings thatuse the full 32-bit space. Settings ported from HTTP/2 might choose to redefinetheir value to limit it to 30 bits for more efficient encoding or to make useof the 62-bit space if more than 30 bits are required.¶
Settings need to be defined separately for HTTP/2 and HTTP/3. The IDs ofsettings defined in[HTTP/2] have been reserved for simplicity. Note thatthe settings identifier space in HTTP/3 is substantially larger (62 bits versus16 bits), so many HTTP/3 settings have no equivalent HTTP/2 code point. SeeSection 11.2.2.¶
As QUIC streams might arrive out of order, endpoints are advised not to wait forthe peers' settings to arrive before responding to other streams. SeeSection 7.2.4.2.¶
QUIC has the same concepts of "stream" and "connection" errors that HTTP/2provides. However, the differences between HTTP/2 and HTTP/3 mean that errorcodes are not directly portable between versions.¶
The HTTP/2 error codes defined inSection 7 of [HTTP/2] logically map tothe HTTP/3 error codes as follows:¶
This is mapped toH3_GENERAL_PROTOCOL_ERROR except in cases where morespecific error codes have been defined. Such cases includeH3_FRAME_UNEXPECTED,H3_MESSAGE_ERROR, andH3_CLOSED_CRITICAL_STREAM definedinSection 8.1.¶
Not applicable, since QUIC handles flow control.¶
Not applicable, since no acknowledgment ofSETTINGS is defined.¶
Not applicable, since QUIC handles stream management.¶
H3_FRAME_ERROR error code defined inSection 8.1.¶
H3_REQUEST_REJECTED (inSection 8.1) is used to indicate that arequest was not processed. Otherwise, not applicable because QUIC handlesstream management.¶
Not applicable, since QUIC is assumed to provide sufficient security on allconnections.¶
Error codes need to be defined for HTTP/2 and HTTP/3 separately. SeeSection 11.2.3.¶
An intermediary that converts between HTTP/2 and HTTP/3 may encounter errorconditions from either upstream. It is useful to communicate the occurrence oferrors to the downstream, but error codes largely reflect connection-localproblems that generally do not make sense to propagate.¶
An intermediary that encounters an error from an upstream origin can indicatethis by sending an HTTP status code such as 502 (Bad Gateway), which is suitablefor a broad class of errors.¶
There are some rare cases where it is beneficial to propagate the error bymapping it to the closest matching error type to the receiver. For example, anintermediary that receives an HTTP/2stream error of type REFUSED_STREAM fromthe origin has a clear signal that the request was not processed and that therequest is safe to retry. Propagating this error condition to the client as anHTTP/3stream error of typeH3_REQUEST_REJECTED allows the client to take theaction it deems most appropriate. In the reverse direction, the intermediarymight deem it beneficial to pass on client request cancellations that areindicated by terminating a stream withH3_REQUEST_CANCELLED; seeSection 4.1.1.¶
Conversion between errors is described in the logical mapping. The error codesare defined in non-overlapping spaces in order to protect against accidentalconversion that could result in the use of inappropriate or unknown error codesfor the target version. An intermediary is permitted to promotestream errors toconnection errors but they should be aware of the cost to the HTTP/3 connectionfor what might be a temporary or intermittent error.¶
Robbie Shade andMike Warres were the authors ofdraft-shade-quic-http2-mapping, a precursor of this document.¶
The IETF QUIC Working Group received an enormous amount of support from manypeople. Among others, the following people provided substantial contributions tothis document:¶
Bence Beky¶
Daan De Meyer¶
Martin Duke¶
Roy Fielding¶
Alan Frindell¶
Alessandro Ghedini¶
Nick Harper¶
Ryan Hamilton¶
Christian Huitema¶
Subodh Iyengar¶
Robin Marx¶
Patrick McManus¶
Luca Niccolini¶
奥 一穂 (Kazuho Oku)¶
Lucas Pardue¶
Roberto Peon¶
Julian Reschke¶
Eric Rescorla¶
Martin Seemann¶
Ben Schwartz¶
Ian Swett¶
Willy Taureau¶
Martin Thomson¶
Dmitri Tikhonov¶
Tatsuhiro Tsujikawa¶
A portion ofMike Bishop's contribution was supported by Microsoft duringhis employment there.¶
Section 2, Paragraph 5;Section 4.6, Paragraph 6;Section 4.6, Paragraph 10;Table 1;Section 7.2.3;Section 7.2.5, Paragraph 4.2.1;Section 7.2.7, Paragraph 1;Table 2;Appendix A.2.5, Paragraph 1.8.1¶
Section 2.2;Section 4.1, Paragraph 7;Section 4.1, Paragraph 8;Section 4.4, Paragraph 8;Section 4.4, Paragraph 10;Section 4.6, Paragraph 3;Section 5.2, Paragraph 7;Section 6.1, Paragraph 3;Section 6.2, Paragraph 7;Section 6.2.1, Paragraph 2;Section 6.2.1, Paragraph 2;Section 6.2.1, Paragraph 2;Section 6.2.2, Paragraph 3;Section 6.2.2, Paragraph 6;Section 7.1, Paragraph 5;Section 7.1, Paragraph 6;Section 7.2.1, Paragraph 2;Section 7.2.2, Paragraph 3;Section 7.2.3, Paragraph 5;Section 7.2.3, Paragraph 7;Section 7.2.3, Paragraph 8;Section 7.2.4, Paragraph 2;Section 7.2.4, Paragraph 3;Section 7.2.4, Paragraph 6;Section 7.2.4.1, Paragraph 5;Section 7.2.4.2, Paragraph 8;Section 7.2.4.2, Paragraph 8;Section 7.2.5, Paragraph 5;Section 7.2.5, Paragraph 6;Section 7.2.5, Paragraph 8;Section 7.2.5, Paragraph 9;Section 7.2.6, Paragraph 3;Section 7.2.6, Paragraph 5;Section 7.2.7, Paragraph 2;Section 7.2.7, Paragraph 3;Section 7.2.7, Paragraph 6;Section 7.2.8, Paragraph 3;Section 8;Section 10.5, Paragraph 7;Appendix A.4.1, Paragraph 4¶
Section 2, Paragraph 3;Section 3.2, Paragraph 4;Section 6.2, Paragraph 3;Section 6.2, Paragraph 5;Section 6.2, Paragraph 6;Section 6.2.1;Section 7, Paragraph 1;Section 7.2.1, Paragraph 2;Section 7.2.2, Paragraph 3;Section 7.2.3, Paragraph 5;Section 7.2.3, Paragraph 5;Section 7.2.4, Paragraph 2;Section 7.2.4, Paragraph 2;Section 7.2.4, Paragraph 3;Section 7.2.5, Paragraph 8;Section 7.2.6, Paragraph 3;Section 7.2.6, Paragraph 5;Section 7.2.7, Paragraph 2;Section 8.1, Paragraph 2.22.1;Section 9, Paragraph 4;Appendix A.2.4, Paragraph 3;Appendix A.3, Paragraph 1¶
Section 2, Paragraph 3;Section 4.1, Paragraph 5, Item 2;Section 4.1, Paragraph 7;Section 4.1, Paragraph 7;Section 4.1.2, Paragraph 3;Section 4.1.2, Paragraph 3;Section 4.4, Paragraph 7;Section 4.4, Paragraph 7;Section 4.4, Paragraph 7;Section 4.4, Paragraph 7;Section 4.4, Paragraph 8;Section 4.6, Paragraph 12;Table 1;Section 7.2.1;Table 2;Appendix A.1, Paragraph 3;Appendix A.2.3, Paragraph 1;Appendix A.2.5¶
Section 3.3, Paragraph 5;Section 5.2, Paragraph 1;Section 5.2, Paragraph 1;Section 5.2, Paragraph 1;Section 5.2, Paragraph 2;Section 5.2, Paragraph 2;Section 5.2, Paragraph 3;Section 5.2, Paragraph 5.1.1;Section 5.2, Paragraph 5.1.1;Section 5.2, Paragraph 5.1.2;Section 5.2, Paragraph 5.1.2;Section 5.2, Paragraph 5, Item 2;Section 5.2, Paragraph 5, Item 2;Section 5.2, Paragraph 6;Section 5.2, Paragraph 6;Section 5.2, Paragraph 7;Section 5.2, Paragraph 7;Section 5.2, Paragraph 8;Section 5.2, Paragraph 8;Section 5.2, Paragraph 9;Section 5.2, Paragraph 9;Section 5.2, Paragraph 10;Section 5.2, Paragraph 12;Section 5.3, Paragraph 2;Section 5.3, Paragraph 2;Section 5.4, Paragraph 2;Table 1;Section 7.2.6;Table 2;Appendix A.2.5;Appendix A.2.5, Paragraph 1.16.1¶
Section 6.2.1, Paragraph 2;Section 8.1;Table 4;Appendix A.4, Paragraph 3.4.1¶
Section 4.4, Paragraph 10;Section 8.1;Table 4;Appendix A.4, Paragraph 3.22.1¶
Section 8.1;Section 10.5, Paragraph 7;Table 4;Appendix A.4, Paragraph 3.24.1¶
Section 7.1, Paragraph 5;Section 7.1, Paragraph 6;Section 8.1;Table 4;Appendix A.4, Paragraph 3.14.1¶
Section 4.1, Paragraph 7;Section 4.1, Paragraph 8;Section 4.4, Paragraph 8;Section 7.2.1, Paragraph 2;Section 7.2.2, Paragraph 3;Section 7.2.3, Paragraph 5;Section 7.2.4, Paragraph 2;Section 7.2.4, Paragraph 3;Section 7.2.5, Paragraph 8;Section 7.2.5, Paragraph 9;Section 7.2.6, Paragraph 5;Section 7.2.7, Paragraph 2;Section 7.2.7, Paragraph 3;Section 7.2.8, Paragraph 3;Section 8.1;Table 4;Appendix A.4, Paragraph 3.4.1¶
Section 7.2.5, Paragraph 6;Section 8.1;Table 4;Appendix A.4, Paragraph 3.4.1¶
Section 4.6, Paragraph 3;Section 5.2, Paragraph 7;Section 6.2.2, Paragraph 6;Section 7.2.3, Paragraph 7;Section 7.2.3, Paragraph 8;Section 7.2.5, Paragraph 5;Section 7.2.6, Paragraph 3;Section 7.2.7, Paragraph 6;Section 8.1;Table 4¶
Section 4.1.2, Paragraph 4;Section 8.1;Table 4;Appendix A.4, Paragraph 3.4.1¶
Section 4.1, Paragraph 15;Section 5.2, Paragraph 11;Section 6.2.3, Paragraph 2;Section 8, Paragraph 5;Section 8.1;Section 8.1, Paragraph 3;Section 8.1, Paragraph 3;Table 4;Appendix A.4, Paragraph 3.2.1¶
Section 4.1.1, Paragraph 4;Section 4.1.1, Paragraph 5;Section 4.6, Paragraph 14;Section 7.2.3, Paragraph 3;Section 7.2.3, Paragraph 4;Section 8.1;Table 4;Appendix A.4, Paragraph 3.18.1;Appendix A.4.1, Paragraph 3¶
Section 4.1.1, Paragraph 3;Section 4.1.1, Paragraph 4;Section 4.1.1, Paragraph 5;Section 4.1.1, Paragraph 5;Section 8.1;Table 4;Appendix A.4, Paragraph 3.16.1;Appendix A.4.1, Paragraph 3¶
Section 7.2.4, Paragraph 6;Section 7.2.4.1, Paragraph 5;Section 7.2.4.2, Paragraph 8;Section 7.2.4.2, Paragraph 8;Section 8.1;Table 4¶
Section 6.1, Paragraph 3;Section 6.2, Paragraph 7;Section 6.2.1, Paragraph 2;Section 6.2.2, Paragraph 3;Section 8.1;Table 4¶
Section 2, Paragraph 3;Section 4.1, Paragraph 5, Item 1;Section 4.1, Paragraph 5, Item 3;Section 4.1, Paragraph 7;Section 4.1, Paragraph 7;Section 4.1, Paragraph 7;Section 4.1, Paragraph 10;Section 4.4, Paragraph 6;Section 4.6, Paragraph 12;Table 1;Section 7.2.2;Section 9, Paragraph 5;Table 2;Appendix A.2.1, Paragraph 1;Appendix A.2.5;Appendix A.2.5, Paragraph 1.4.1;Appendix A.2.5, Paragraph 1.20.1¶
Section 4.1, Paragraph 3;Section 4.1.2;Section 4.2, Paragraph 2;Section 4.2, Paragraph 3;Section 4.2, Paragraph 5;Section 4.3, Paragraph 3;Section 4.3, Paragraph 4;Section 4.3.1, Paragraph 5;Section 4.3.2, Paragraph 1;Section 4.4, Paragraph 5;Section 8.1, Paragraph 2.30.1;Section 10.3, Paragraph 1;Section 10.3, Paragraph 2;Section 10.5.1, Paragraph 2¶
Section 2, Paragraph 5;Section 4.6, Paragraph 3;Section 4.6, Paragraph 3;Section 4.6, Paragraph 3;Section 4.6, Paragraph 3;Table 1;Section 7.2.5, Paragraph 5;Section 7.2.7;Table 2;Appendix A.1, Paragraph 4;Appendix A.3, Paragraph 4.4.1¶
Section 4.6;Section 5.2, Paragraph 1;Section 5.2, Paragraph 5, Item 2;Section 5.2, Paragraph 9;Section 6.2.2, Paragraph 2;Section 6.2.2, Paragraph 6;Section 6.2.2, Paragraph 6;Section 7.2.3, Paragraph 1;Section 7.2.3, Paragraph 7;Section 7.2.3, Paragraph 7;Section 7.2.3, Paragraph 8;Section 7.2.3, Paragraph 8;Section 7.2.5, Paragraph 4.2.1;Section 7.2.5, Paragraph 5;Section 7.2.5, Paragraph 5;Section 7.2.5, Paragraph 6;Section 7.2.5, Paragraph 6;Section 7.2.5, Paragraph 7;Section 7.2.5, Paragraph 7;Section 7.2.5, Paragraph 7;Section 7.2.6, Paragraph 4;Section 7.2.7, Paragraph 1;Section 7.2.7, Paragraph 4;Section 7.2.7, Paragraph 4;Section 7.2.7, Paragraph 6;Section 7.2.7, Paragraph 6;Section 8.1, Paragraph 2.18.1;Appendix A.2.5, Paragraph 1.12.1;Appendix A.2.5, Paragraph 1.16.1¶
Section 4.1, Paragraph 8;Section 4.1, Paragraph 9;Section 4.6, Paragraph 3;Section 4.6, Paragraph 5;Section 4.6, Paragraph 5;Section 4.6, Paragraph 13;Section 4.6, Paragraph 13;Section 4.6, Paragraph 13;Section 6.2, Paragraph 3;Section 6.2.2;Section 7, Paragraph 1;Section 7.2.2, Paragraph 3;Section 7.2.3, Paragraph 1;Section 7.2.3, Paragraph 2;Section 7.2.3, Paragraph 2;Section 7.2.3, Paragraph 2;Section 7.2.3, Paragraph 2;Section 7.2.3, Paragraph 3;Section 7.2.3, Paragraph 4;Section 7.2.3, Paragraph 4;Section 7.2.3, Paragraph 4;Section 7.2.5, Paragraph 4.2.1;Section 7.2.7, Paragraph 1;Appendix A.2.5, Paragraph 1.12.1¶
Section 2, Paragraph 5;Section 4.1, Paragraph 8;Section 4.1, Paragraph 8;Section 4.1, Paragraph 8;Section 4.1, Paragraph 8;Section 4.1, Paragraph 10;Section 4.6, Paragraph 4;Section 4.6, Paragraph 10;Section 4.6, Paragraph 11;Section 4.6, Paragraph 11;Section 4.6, Paragraph 12;Section 4.6, Paragraph 12;Section 4.6, Paragraph 13;Section 4.6, Paragraph 13;Section 4.6, Paragraph 13;Table 1;Section 7.2.3, Paragraph 8;Section 7.2.3, Paragraph 8;Section 7.2.5;Section 7.2.7, Paragraph 1;Section 10.4, Paragraph 1;Section 10.5, Paragraph 2;Table 2;Appendix A.2.5;Appendix A.2.5, Paragraph 1.12.1;Appendix A.2.5, Paragraph 1.12.1;Appendix A.2.5, Paragraph 1.20.1¶
Section 4.1, Paragraph 1;Section 4.1, Paragraph 15;Section 4.1, Paragraph 15;Section 4.1.1, Paragraph 1;Section 4.1.1, Paragraph 5;Section 4.4, Paragraph 5;Section 4.4, Paragraph 9;Section 4.6, Paragraph 4;Section 4.6, Paragraph 4;Section 4.6, Paragraph 11;Section 4.6, Paragraph 11;Section 6.1;Section 7, Paragraph 1;Section 7.2.2, Paragraph 3;Section 7.2.5, Paragraph 1¶
Section 3.2, Paragraph 4;Section 3.2, Paragraph 4;Section 6.2.1, Paragraph 2;Table 1;Section 7, Paragraph 3;Section 7.2.4;Section 8.1, Paragraph 2.20.1;Section 8.1, Paragraph 2.22.1;Section 9, Paragraph 4;Section 10.5, Paragraph 4;Table 2;Table 4;Table 4;Appendix A.2.5;Appendix A.2.5, Paragraph 1.10.1;Appendix A.3, Paragraph 2;Appendix A.3, Paragraph 3;Appendix A.3, Paragraph 4.4.1;Appendix A.3, Paragraph 4.6.1;Appendix A.3, Paragraph 4.8.1;Appendix A.3, Paragraph 4.10.1;Appendix A.4, Paragraph 3.10.1¶
Section 4.2.2, Paragraph 2;Section 7.2.4.1;Section 10.5.1, Paragraph 2;Appendix A.3, Paragraph 4.12.1¶
Section 2.2;Section 4.1.2, Paragraph 4;Section 4.4, Paragraph 10;Section 8;Appendix A.4.1, Paragraph 3;Appendix A.4.1, Paragraph 3;Appendix A.4.1, Paragraph 4¶