| RFC 9842 | Compression Dictionary Transport | September 2025 |
| Meenan & Weiss | Standards Track | [Page] |
This document specifies a mechanism for dictionary-based compression in theHypertext Transfer Protocol (HTTP). By utilizing this technique, clients andservers can reduce the size of transmitted data, leading to improved performanceand reduced bandwidth consumption. This document extends existing HTTP compressionmethods and provides guidelines for the delivery and use of compressiondictionaries within the HTTP protocol.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9842.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This specification defines a mechanism for using designated HTTP[HTTP] responsesas an external dictionary for future HTTP responses for compression schemesthat support using external dictionaries (e.g., Brotli[RFC7932] andZstandard[ZSTD]).¶
This document describes the HTTP headers used for negotiating dictionary usageand registers content-encoding values for compressing with Brotli and Zstandardusing a negotiated dictionary.¶
The negotiation of dictionary usage leverages HTTP's content negotiation(seeSection 12 of [HTTP]) and is usable with all versions of HTTP.¶
Any HTTP response can be specified for use as a compression dictionary forfuture HTTP requests, which provides a lot of flexibility. Two commonuse cases that are seen frequently are described below.¶
Using a previous version of a resource as a dictionary for a newer versionenables delivery of a delta-compressed version of the changes, usuallyresulting in significantly smaller responses than what can be achieved bycompression alone.¶
For example:¶
If several resources share common patterns in their responses, then it can beuseful to reference an external dictionary that contains those common patterns,effectively compressing them out of the responses. Some examples of this arecommon template HTML for similar pages across a site and common keys and valuesin API calls.¶
For example:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses the following terminology fromSection 3 of [STRUCTURED-FIELDS] to specifysyntax and parsing: Dictionary, String, Inner List, Token, and ByteSequence.¶
This document uses the line folding strategies described in[FOLDING].¶
This document also uses terminology from[HTTP] and[HTTP-CACHING].¶
When responding to an HTTP Request, a server can advertise that the response canbe used as a dictionary for future requests for URLs that match the rulesspecified in the "Use-As-Dictionary" response header.¶
The "Use-As-Dictionary" response header is a Structured Field[STRUCTURED-FIELDS] Dictionary with values for "match", "match-dest", "id",and "type".¶
The "match" value of the "Use-As-Dictionary" response header is a String value thatprovides the URL Pattern to use for request matching (see[URLPATTERN]).¶
The URL Pattern used for matching does not support using regular expressions.¶
The following algorithm is used to validate that a given String value is avalid URL Pattern that does not use regular expressions and is for the sameOrigin (Section 4.3.1 of [HTTP]) as the dictionary. It will return TRUEfor a valid match pattern and FALSE for an invalid pattern thatMUST NOT beused.¶
Let MATCH be the value of "match" for the given dictionary.¶
Let URL be the URL of the dictionary request.¶
Let PATTERN be a "URL pattern struct" created by running the steps to "create aURL pattern" by setting input=MATCH and baseURL=URL (seeSection 1.4 of [URLPATTERN]).¶
If the result of running the "has regexp groups" steps for PATTERN returnsTRUE, then return FALSE (see the last list inSection 1.4 of [URLPATTERN]).¶
Return TRUE.¶
The "match" value is required andMUST be included in the"Use-As-Dictionary" response header for the dictionary to be considered valid.¶
Operating at the HTTP level, the specified match patterns will operate on thepercent-encoded version of the URL path (seeSection 2 of [URL]).¶
For example, the URL "http://www.example.com/düsseldorf" would be encoded as"http://www.example.com/d%C3%BCsseldorf" and a relevant match pattern would be:¶
Use-As-Dictionary: match="/d%C3%BCsseldorf"¶
The "match-dest" value of the "Use-As-Dictionary" response header is an Inner List ofString values that provides a list of Fetch request destinations for thedictionary to match (see "RequestDestination" inSection 5.4 of [FETCH]).¶
An empty list for "match-dest"MUST match all destinations.¶
For clients that do not support request destinations, the clientMUST treat itas an empty list and match all destinations.¶
The "match-dest" value is optional and defaults to an empty list.¶
The "id" value of the "Use-As-Dictionary" response header is a String value that specifiesa server identifier for the dictionary. If an "id" value is present and has astring length longer than zero, then itMUST be sent to the server in a"Dictionary-ID" request header when the client sends an "Available-Dictionary"request header for the same dictionary (seeSection 2.2).¶
The server identifierMUST be treated as an opaque string by the client.¶
The server identifierMUST NOT be relied upon by the server to guarantee thecontents of the dictionary. The dictionary hashMUST be validated before use.¶
The "id" value string length (after any decoding) supports up to 1024characters.¶
The "id" value is optional and defaults to the empty string.¶
The "type" value of the "Use-As-Dictionary" response header is a Token value thatdescribes the file format of the supplied dictionary.¶
"raw" is defined as a dictionary format that represents an unformatted blob ofbytes suitable for any compression scheme to use.¶
If a client receives a dictionary with a type that it does not understand, itMUST NOT use the dictionary.¶
The "type" value is optional and defaults to "raw".¶
A response that contained a response header (as shown below) would specify matching any document request for a URL with a path prefix of /product/ on the same Origin (Section 4.3.1 of [HTTP]) as the original request:¶
NOTE: '\' line wrapping per RFC 8792Use-As-Dictionary: \ match="/product/*", match-dest=("document")¶A response that contained a response header (as shown below) would match any path that starts with "/app/" and ends with "/main.js":¶
Use-As-Dictionary: match="/app/*/main.js"¶
When an HTTP client makes a request for a resource for which it has anappropriate dictionary, it can add an "Available-Dictionary" request headerto the request to indicate to the server that it has a dictionary available touse for compression.¶
The "Available-Dictionary" request header is a Structured Field[STRUCTURED-FIELDS] Byte Sequence containing the SHA-256[SHA-256] hash of thecontents of a single available dictionary.¶
The clientMUST only send a single "Available-Dictionary" request headerwith a single hash value for the best available match that it has available.¶
For example:¶
Available-Dictionary: :pZGm1Av0IEBKARczz7exkNYsZb8LzaMrV7J32a2fFG4=:¶
To be considered as a match, the dictionary resourceMUST be either fresh[HTTP-CACHING] or allowed to be served stale (see[RFC5861]).¶
When a dictionary is stored as a result of a "Use-As-Dictionary" directive, itincludes a "match" string and an optional "match-dest" string that are used tomatch an outgoing request from a client to the available dictionaries.¶
To see if an outbound request matches a given dictionary, the followingalgorithm will return TRUE for a successful match and FALSE for no-match:¶
If the current client supports request destinations and a "match-dest"string was provided with the dictionary:¶
Let BASEURL be the URL of the dictionary request.¶
Let URL represent the URL of the outbound request being checked.¶
If the Origin of BASEURL and the Origin of URL are not the same, returnFALSE (seeSection 4.3.1 of [HTTP]).¶
Let MATCH be the value of "match" for the given dictionary.¶
Let PATTERN be a "URL pattern struct" created by running the steps to "create a URL pattern" by setting input=MATCH and baseURL=URL (seeSection 1.4 of [URLPATTERN]).¶
Return the result of running the "match" steps on PATTERN with input=URL,which will check for a match between the request URL and the supplied "match"string (see "Match" inSection 1.4 of [URLPATTERN]).¶
When there are multiple dictionaries that match a given request URL, the clientMUST pick a single dictionary using the following rules:¶
For clients that support request destinations, a dictionary that specifiesand matches a "match-dest" takes precedence over a match that does not use adestination.¶
Given equivalent destination precedence, the dictionary with the longest"match" takes precedence.¶
Given equivalent destination and match length precedence, the most recentlyfetched dictionary takes precedence.¶
When an HTTP client makes a request for a resource for which it has anappropriate dictionary and the dictionary was stored with a server-provided"id" in the "Use-As-Dictionary" response header, the clientMUST echo the stored"id" in a "Dictionary-ID" request header.¶
The "Dictionary-ID" request header is a Structured Field[STRUCTURED-FIELDS]String of up to 1024 characters (after any decoding) andMUST be identical tothe server-provided "id".¶
For example, given an HTTP response that set a dictionary ID:¶
Use-As-Dictionary: match="/app/*/main.js",¶
A future request that matches the given dictionary will include both the hashand the ID:¶
Available-Dictionary: :pZGm1Av0IEBKARczz7exkNYsZb8LzaMrV7J32a2fFG4=:Dictionary-ID: "dictionary-12345"¶
This specification defines the "compression-dictionary" link relation type[WEB-LINKING] that provides a mechanism for an HTTP response to provide a URLfor a compression dictionary that is related to but not directly used by thecurrent HTTP response.¶
The "compression-dictionary" link relation type indicates that fetching andcaching the specified resource is likely to be beneficial for future requests.The response to some of those future requests likely have the ability to usethe indicated resource as a compression dictionary.¶
Clients can fetch the provided resource at a time that they determine would be appropriate.¶
The response to the fetch for the compression dictionary needs to include a "Use-As-Dictionary" response header and a caching response header for it to be usable as a compression dictionary. The link relation only provides the mechanism fortriggering the fetch of the dictionary.¶
The following example shows a link to a resource athttps://example.org/dict.dat that is expected to produce a compressiondictionary:¶
Link: <https://example.org/dict.dat>; rel="compression-dictionary"¶
The "dcb" content encoding identifies a resource that is a"Dictionary-Compressed Brotli" stream.¶
A "Dictionary-Compressed Brotli" stream has a fixed header that is followed bya Shared Brotli[SHARED-BROTLI] stream. The header consists of a fixed 4-bytesequence and a 32-byte hash of the external dictionary that was used. TheShared Brotli stream is created using the referenced external dictionary and acompression window that is at most 16 MB in size.¶
The dictionary used for the "dcb" content encoding is a "raw" dictionary typeas defined inSection 2.1.4 and is treated as a prefix dictionary as defined inSection 8.2 of [SHARED-BROTLI].¶
The 36-byte fixed header is as follows:¶
4 fixed bytes -- 0xff, 0x44, 0x43, 0x42.¶
Clients that announce support for dcb content encodingMUST be able todecompress resources that were compressed with a window size of up to 16 MB.¶
With Brotli compression, the full dictionary is available during compressionand decompression independent of the compression window, allowing fordelta-compression of resources larger than the compression window.¶
The "dcz" content encoding identifies a resource that is a"Dictionary-Compressed Zstandard" stream.¶
A "Dictionary-Compressed Zstandard" stream is a binary stream that starts witha 40-byte fixed header and is followed by a Zstandard[ZSTD] stream of theresponse that has been compressed with an external dictionary.¶
The dictionary used for the "dcz" content encoding is a "raw" dictionary typeas defined inSection 2.1.4 and is treated as a raw dictionary as perSection 5 of [ZSTD].¶
The 40-byte header consists of a fixed 8-byte sequence followed by the32-byte SHA-256 hash of the external dictionary that was used to compress theresource:¶
8 fixed bytes -- 0x5e, 0x2a, 0x4d, 0x18, 0x20, 0x00, 0x00, 0x00.¶
The 40-byte header is a Zstandard skippable frame (little-endian 0x184D2A5E)with a 32-byte length (little-endian 0x00000020) that is compatible withexisting Zstandard decoders.¶
Clients that announce support for dcz content encodingMUST be able todecompress resources that were compressed with a window size of at least 8 MBor 1.25 times the size of the dictionary, whichever is greater, up to amaximum of 128 MB.¶
The window size used will be encoded in the content (currently, this can beexpressed in powers of two only) and itMUST be lower than this limit. AnimplementationMAY treat a window size that exceeds the limit as a decodingerror.¶
With Zstandard compression, the full dictionary is available during compressionand decompression until the size of the input exceeds the compression window.Beyond that point, the dictionary becomes unavailable. Using a compressionwindow that is 1.25 times the size of the dictionary allows for full deltacompression of resources that have grown by 25% between releases while stillgiving the client control over the memory it will need to allocate for a givenresponse.¶
When a compression dictionary is available to compress the response to a given request, the encoding to be used is negotiated through the regular mechanism for negotiating content encoding in HTTP through the "Accept-Encoding" request header and "Content-Encoding" response header.¶
The dictionary to use is negotiated separately and advertised in the"Available-Dictionary" request header.¶
When a dictionary is available for use on a given request and the clientchooses to make dictionary-based content encoding available, the client addsthe dictionary-aware content encodings that it supports to the"Accept-Encoding" request header. For example:¶
Accept-Encoding: gzip, deflate, br, zstd, dcb, dcz¶
When a client does not have a stored dictionary that matches the request orchooses not to use one for the request, the clientMUST NOT send itsdictionary-aware content encodings in the "Accept-Encoding" request header.¶
If a server supports one of the dictionary encodings advertised by the clientand chooses to compress the content of the response using the dictionary thatthe client has advertised, then it sets the "Content-Encoding" response headerto the appropriate value for the algorithm selected. For example:¶
Content-Encoding: dcb¶
If the response is cacheable, itMUST include a "Vary" header to prevent caches fromserving dictionary-compressed resources to clients that don't support them orserving the response compressed with the wrong dictionary. For example:¶
Vary: accept-encoding, available-dictionary¶
IANA has added the following entries to the "HTTP Content Coding Registry" maintained at<https://www.iana.org/assignments/http-parameters/>:¶
IANA has added the following entries to the"Hypertext Transfer Protocol (HTTP) Field Name Registry" maintained at<https://www.iana.org/assignments/http-fields/>:¶
| Field Name | Status | Reference |
|---|---|---|
| Use-As-Dictionary | permanent | RFC 9842,Section 2.1 |
| Available-Dictionary | permanent | RFC 9842,Section 2.2 |
| Dictionary-ID | permanent | RFC 9842,Section 2.3 |
IANA has added the following entry to the "Link Relation Types" registry maintained at<https://www.iana.org/assignments/link-relations/>:¶
It is not unusual for devices to be on the network path that intercept,inspect, and process HTTP requests (web proxies, firewalls, intrusion detectionsystems, etc.). To minimize the risk of these devices incorrectly processingdictionary-compressed responses, compression dictionary transportMUST only beused in secure contexts (HTTPS).¶
The security considerations for Brotli[RFC7932], Shared Brotli[SHARED-BROTLI], and Zstandard[ZSTD] apply to thedictionary-based versions of the respective algorithms.¶
The dictionary must be treated with the same security precautions asthe content because a change to the dictionary can result in achange to the decompressed content.¶
The dictionary is validated using an SHA-256 hash of the content to make surethat the client and server are both using the same dictionary. The strengthof the SHA-256 hash algorithm isn't explicitly needed to counter attackssince the dictionary is being served from the same origin as the content. Thatsaid, if a weakness is discovered in SHA-256 and it is determined that thedictionary negotiation should use a different hash algorithm, the"Use-As-Dictionary" response header can be extended to specify a differentalgorithm and the server would just ignore any "Available-Dictionary" requeststhat do not use the updated hash.¶
The compression attacks inSection 2.6 of [RFC7457] show that it's a bad ideato compress data from mixed (e.g., public and private) sources. The datasources include not only the compressed data but also the dictionaries. Forexample, if secret cookies are compressed using a public-data-only dictionary,information about the cookies is still leaked.¶
The dictionary can reveal information about the compresseddata and vice versa. That is, data compressed with the dictionary can revealcontents of the dictionary when an adversary can control parts ofthe data to compress and see the compressed size. On the other hand, ifthe adversary can control the dictionary, the adversary can learninformation about the compressed data.¶
If any of the mitigations do not pass, the clientMUST drop the response andreturn an error.¶
To make sure that a dictionary can only impact content from the same originwhere the dictionary was served, the URL Pattern used for matching a dictionaryto requests (Section 2.1.1) is guaranteed to be for the same origin that thedictionary is served from.¶
For clients, like web browsers, that provide additional protection against thereadability of the payload of a response and against user tracking, additionalprotectionsMUST be taken to make sure that the use of dictionary-basedcompression does not reveal information that would not otherwise be available.¶
In these cases, dictionary compressionMUST only be used when both the dictionary and the compressed response are fully readable by the client.¶
In browser terms, that means either the dictionary and compressed response are same-origin to the context they are being fetched from or the response is cross-origin and passes the Cross-Origin Resource Sharing (CORS) check (seeSection 4.9 of [FETCH]).¶
As with any usage of compressed content in a secure context, a potentialtiming attack exists if the attacker can control any part of the dictionaryor if it can read the dictionary and control any part of the content beingcompressed while performing multiple requests that vary the dictionary orinjected content. Under such an attack, the changing size or processing timeof the response reveals information about the content, which might besufficient to read the supposedly secure response.¶
In general, a server can mitigate such attacks by preventing variations perrequest, as in preventing active use of multiple dictionaries for the samecontent, disabling compression when any portion of the content comes fromuncontrolled sources, and securing access and control over the dictionarycontent in the same way as the response content. In addition, the followingrequirements on a server are intended to disable dictionary-aware compressionwhen the client provides CORS request header fields that indicate across-origin request context.¶
The following algorithm will return FALSE for cross-origin requests whereprecautions such as not using dictionary-based compression should beconsidered:¶
If there is no "Sec-Fetch-Site" request header, return TRUE.¶
If the value of the "Sec-Fetch-Site" request header is "same-origin",return TRUE.¶
If there is no "Sec-Fetch-Mode" request header, return TRUE.¶
If the value of the "Sec-Fetch-Mode" request header is "navigate" or"same-origin", return TRUE.¶
If the value of the "Sec-Fetch-Mode" request header is "cors":¶
If the response does not include an "Access-Control-Allow-Origin" response header, return FALSE.¶
If the request does not include an "Origin" request header, return FALSE.¶
If the value of the "Access-Control-Allow-Origin" response header is "*", return TRUE.¶
If the value of the "Access-Control-Allow-Origin" response header matches the value of the "Origin" request header, return TRUE.¶
Return FALSE.¶
Since dictionaries are advertised in future requests using the hash of thecontent of the dictionary, it is possible to abuse the dictionary to turn itinto a tracking cookie.¶
To mitigate any additional tracking concerns, clientsMUST treat dictionariesin the same way that they treat cookies[RFC6265]. This includes partitioning the storage using partitioning similar to or stricter than the partitioning used for cookies, as well as clearing the dictionaries whenever cookies are cleared.¶