Internet Engineering Task Force (IETF) M. Nottingham Request for Comments: 7320 BCP: 190 July 2014 Updates: 3986 Category: Best Current Practice ISSN: 2070-1721
Internet Engineering Task Force (IETF) M. Nottingham Request for Comments: 7320 BCP: 190 July 2014 Updates: 3986 Category: Best Current Practice ISSN: 2070-1721
URI Design and Ownership
URI设计和所有权
Abstract
摘要
Section 1.1.1 of RFC 3986 defines URI syntax as "a federated and extensible naming system wherein each scheme's specification may further restrict the syntax and semantics of identifiers using that scheme." In other words, the structure of a URI is defined by its scheme. While it is common for schemes to further delegate their substructure to the URI's owner, publishing independent standards that mandate particular forms of URI substructure is inappropriate, because that essentially usurps ownership. This document further describes this problematic practice and provides some acceptable alternatives for use in standards.
RFC 3986第1.1.1节将URI语法定义为“一个联邦和可扩展的命名系统,其中每个方案的规范可以进一步限制使用该方案的标识符的语法和语义。”换句话说,URI的结构由其方案定义。虽然方案通常会将其子结构进一步委托给URI的所有者,但发布要求特定形式的URI子结构的独立标准是不合适的,因为这实际上是篡夺了所有权。本文件进一步描述了这一有问题的做法,并提供了一些可接受的替代标准。
Status of This Memo
关于下段备忘
This memo documents an Internet Best Current Practice.
本备忘录记录了互联网最佳实践。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on BCPs is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关BCP的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7320.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7320.
Copyright Notice
版权公告
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2014 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Intended Audience . . . . . . . . . . . . . . . . . . . . 4 1.2. Notational Conventions . . . . . . . . . . . . . . . . . 4 2. Best Current Practices for Standardizing Structured URIs . . 4 2.1. URI Schemes . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. URI Authorities . . . . . . . . . . . . . . . . . . . . . 5 2.3. URI Paths . . . . . . . . . . . . . . . . . . . . . . . . 5 2.4. URI Queries . . . . . . . . . . . . . . . . . . . . . . . 6 2.5. URI Fragment Identifiers . . . . . . . . . . . . . . . . 6 3. Alternatives to Specifying Structure in URIs . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 5.1. Normative References . . . . . . . . . . . . . . . . . . 8 5.2. Informative References . . . . . . . . . . . . . . . . . 8 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 9
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Intended Audience . . . . . . . . . . . . . . . . . . . . 4 1.2. Notational Conventions . . . . . . . . . . . . . . . . . 4 2. Best Current Practices for Standardizing Structured URIs . . 4 2.1. URI Schemes . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. URI Authorities . . . . . . . . . . . . . . . . . . . . . 5 2.3. URI Paths . . . . . . . . . . . . . . . . . . . . . . . . 5 2.4. URI Queries . . . . . . . . . . . . . . . . . . . . . . . 6 2.5. URI Fragment Identifiers . . . . . . . . . . . . . . . . 6 3. Alternatives to Specifying Structure in URIs . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 5.1. Normative References . . . . . . . . . . . . . . . . . . 8 5.2. Informative References . . . . . . . . . . . . . . . . . 8 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 9
URIs [RFC3986] very often include structured application data. This might include artifacts from filesystems (often occurring in the path component) and user information (often in the query component). In some cases, there can even be application-specific data in the authority component (e.g., some applications are spread across several hostnames to enable a form of partitioning or dispatch).
URI[RFC3986]通常包括结构化应用程序数据。这可能包括来自文件系统的工件(通常出现在路径组件中)和用户信息(通常出现在查询组件中)。在某些情况下,授权组件中甚至可能存在特定于应用程序的数据(例如,一些应用程序分布在多个主机名上,以实现某种形式的分区或分派)。
Furthermore, constraints upon the structure of URIs can be imposed by an implementation; for example, many Web servers use the filename extension of the last path segment to determine the media type of the response. Likewise, prepackaged applications often have highly structured URIs that can only be changed in limited ways (often, just the hostname and port on which they are deployed).
此外,可以通过实现对uri的结构施加约束;例如,许多Web服务器使用最后一个路径段的文件扩展名来确定响应的媒体类型。类似地,预打包的应用程序通常具有高度结构化的URI,这些URI只能以有限的方式进行更改(通常仅限于部署它们的主机名和端口)。
Because the owner of the URI (as defined in [webarch] Section 2.2.2.1) is choosing to use the server or the application, this can be seen as reasonable delegation of authority. However, when such conventions are mandated by a party other than the owner, it can have several potentially detrimental effects:
由于URI的所有者(定义见[webarch]第2.2.2.1节)选择使用服务器或应用程序,因此这可以被视为合理的授权。但是,当此类约定由业主以外的一方强制执行时,可能会产生几种潜在的有害影响:
o Collisions - As more ad hoc conventions for URI structure become standardized, it becomes more likely that there will be collisions between them (especially considering that servers, applications, and individual deployments will have their own conventions).
o 冲突—随着URI结构的更多特别约定变得标准化,它们之间发生冲突的可能性也越来越大(特别是考虑到服务器、应用程序和单个部署将有自己的约定)。
o Dilution - When the information added to a URI is ephemeral, this dilutes its utility by reducing its stability (see [webarch] Section 3.5.1), and can cause several alternate forms of the URI to exist (see [webarch] Section 2.3.1).
o 稀释-当添加到URI的信息是短暂的时,这会通过降低其稳定性来稀释其效用(参见[webarch]第3.5.1节),并可能导致URI的几种替代形式存在(参见[webarch]第2.3.1节)。
o Rigidity - Fixed URI syntax often interferes with desired deployment patterns. For example, if an authority wishes to offer several applications on a single hostname, it becomes difficult to impossible to do if their URIs do not allow the required flexibility.
o 刚性-固定URI语法通常会干扰所需的部署模式。例如,如果一个机构希望在一个主机名上提供多个应用程序,那么如果它们的URI不允许所需的灵活性,就很难做到这一点。
o Operational Difficulty - Supporting some URI conventions can be difficult in some implementations. For example, specifying that a particular query parameter be used with "HTTP" URIs precludes the use of Web servers that serve the response from a filesystem. Likewise, an application that fixes a base path for its operation (e.g., "/v1") makes it impossible to deploy other applications with the same prefix on the same host.
o 操作困难-在某些实现中,支持某些URI约定可能很困难。例如,指定一个特定的查询参数与“HTTP”URI一起使用会阻止使用为文件系统响应提供服务的Web服务器。同样,如果应用程序为其操作(例如“/v1”)修复了基本路径,则无法在同一主机上部署具有相同前缀的其他应用程序。
o Client Assumptions - When conventions are standardized, some clients will inevitably assume that the standards are in use when those conventions are seen. This can lead to interoperability problems; for example, if a specification documents that the "sig" URI query parameter indicates that its payload is a cryptographic signature for the URI, it can lead to undesirable behavior.
o 客户假设-当约定被标准化时,一些客户不可避免地会假设,当看到这些约定时,标准正在使用中。这可能导致互操作性问题;例如,如果规范记录了“sig”URI查询参数指示其有效负载是URI的加密签名,则可能导致不良行为。
Publishing a standard that constrains an existing URI structure in ways that aren't explicitly allowed by [RFC3986] (usually, by updating the URI scheme definition) is inappropriate, because the structure of a URI needs to be firmly under the control of its owner, and the IETF (as well as other organizations) should not usurp it.
发布以[RFC3986]不明确允许的方式约束现有URI结构的标准(通常,通过更新URI方案定义)是不合适的,因为URI的结构需要严格受其所有者的控制,IETF(以及其他组织)不应该篡夺它。
This document explains some best current practices for establishing URI structures, conventions, and formats in standards. It also offers strategies for specifications to avoid violating these guidelines in Section 3.
本文档解释了在标准中建立URI结构、约定和格式的一些最佳实践。它还提供了规范策略,以避免违反第3节中的这些准则。
This document's requirements target the authors of specifications that constrain the syntax or structure of URIs or parts of them. Two classes of such specifications are called out specifically:
本文档的需求针对规范的作者,这些规范约束URI或部分URI的语法或结构。具体称为两类此类规范:
o Protocol Extensions ("extensions") - specifications that offer new capabilities that could apply to any identifier, or to a large subset of possible identifiers; e.g., a new signature mechanism for 'http' URIs, or metadata for any URI.
o 协议扩展(“扩展”)—提供新功能的规范,可应用于任何标识符或可能的标识符的大子集;e、 例如,“http”URI的新签名机制,或任何URI的元数据。
o Applications Using URIs ("applications") - specifications that use URIs to meet specific needs; e.g., an HTTP interface to particular information on a host.
o 使用URI的应用程序(“应用程序”)—使用URI满足特定需求的规范;e、 例如,主机上特定信息的HTTP接口。
Requirements that target the generic class "Specifications" apply to all specifications, including both those enumerated above and others.
针对通用类“规范”的要求适用于所有规范,包括上面列举的规范和其他规范。
Note that this specification ought not be interpreted as preventing the allocation of control of URIs by parties that legitimately own them, or have delegated that ownership; for example, a specification might legitimately define the semantics of a URI on IANA's Web site as part of the establishment of a registry.
请注意,本规范不应被解释为阻止合法拥有或授权拥有URI的各方分配对URI的控制权;例如,作为注册中心建立的一部分,规范可以合法地定义IANA网站上URI的语义。
There may be existing IETF specifications that already deviate from the guidance in this document. In these cases, it is up to the relevant communities (i.e., those of the URI scheme as well as that which produced the specification in question) to determine an appropriate outcome; e.g., updating the scheme definition, or changing the specification.
现有的IETF规范可能已经偏离了本文件中的指南。在这些情况下,由相关社区(即URI方案的社区以及产生相关规范的社区)确定适当的结果;e、 例如,更新方案定义或更改规范。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
This section updates [RFC3986] by setting limitations on how other specifications may define structure and semantics within URIs. Best practices differ depending on the URI component, as described below.
本节通过设置其他规范如何定义URI中的结构和语义的限制来更新[RFC3986]。最佳实践因URI组件而异,如下所述。
Applications and extensions MAY require use of specific URI scheme(s); for example, it is perfectly acceptable to require that an application support 'http' and 'https' URIs. However, applications SHOULD NOT preclude the use of other URI schemes in the future, unless they are clearly only usable with the nominated schemes.
应用程序和扩展可能需要使用特定的URI方案;例如,要求应用程序支持“http”和“https”URI是完全可以接受的。但是,应用程序不应排除将来使用其他URI方案,除非它们显然只能用于指定的方案。
A specification that defines substructure within a specific URI scheme MUST do so in the defining document for that URI scheme. A specification that defines substructure for URI schemes overall MUST do so by modifying [BCP115] (an exceptional circumstance).
在特定URI方案中定义子结构的规范必须在该URI方案的定义文档中这样做。定义URI方案整体子结构的规范必须通过修改[BCP115](例外情况)来实现。
Scheme definitions define the presence, format and semantics of an authority component in URIs; all other specifications MUST NOT constrain, or define the structure or the semantics for URI authorities, unless they update the scheme registration itself.
方案定义定义URI中权限组件的存在、格式和语义;所有其他规范不得约束或定义URI权限的结构或语义,除非它们更新了方案注册本身。
For example, an extension or application ought not say that the "foo" prefix in "foo_app.example.com" is meaningful or triggers special handling in URIs.
例如,扩展或应用程序不应该说“foo_app.example.com”中的“foo”前缀有意义,或者在URI中触发特殊处理。
However, applications MAY nominate or constrain the port they use, when applicable. For example, BarApp could run over port nnnn (provided that it is properly registered).
但是,应用程序可以指定或限制其使用的端口(如果适用)。例如,BarApp可以在端口nnnn上运行(只要正确注册)。
Scheme definitions define the presence, format, and semantics of a path component in URIs; all other specifications MUST NOT constrain, or define the structure or the semantics for any path component.
方案定义定义URI中路径组件的存在、格式和语义;所有其他规范不得约束或定义任何路径组件的结构或语义。
The only exception to this requirement is registered "well-known" URIs, as specified by [RFC5785]. See that document for a description of the applicability of that mechanism.
此要求的唯一例外是[RFC5785]规定的注册“知名”URI。有关该机制适用性的说明,请参见该文件。
For example, an application ought not specify a fixed URI path "/myapp", since this usurps the host's control of that space.
例如,应用程序不应该指定固定的URI路径“/myapp”,因为这会篡夺主机对该空间的控制权。
Specifying a fixed path relative to another (e.g., {whatever}/myapp) is also bad practice (even if "whatever" is discovered as suggested in Section 3); while doing so might prevent collisions, it does not avoid the potential for operational difficulties (for example, an implementation that prefers to use query processing instead, because of implementation constraints).
指定一条相对于另一条路径的固定路径(例如,{whater}/myapp)也是不好的做法(即使如第3节所建议的那样发现了“whater”);虽然这样做可能会防止冲突,但它并不能避免操作困难的可能性(例如,由于实现约束,一个更倾向于使用查询处理的实现)。
The presence, format and semantics of the query component of URIs is dependent upon many factors, and MAY be constrained by a scheme definition. Often, they are determined by the implementation of a resource itself.
URI的查询组件的存在、格式和语义取决于许多因素,并且可能受到方案定义的约束。通常,它们由资源本身的实现决定。
Applications MUST NOT directly specify the syntax of queries, as this can cause operational difficulties for deployments that do not support a particular form of a query. For example, a site may wish to support an application using "static" files that do not support query parameters.
应用程序不得直接指定查询的语法,因为这可能会给不支持特定查询形式的部署带来操作困难。例如,站点可能希望使用不支持查询参数的“静态”文件支持应用程序。
Extensions MUST NOT constrain the format or semantics of queries.
扩展不能约束查询的格式或语义。
For example, an extension that indicates that all query parameters with the name "sig" indicate a cryptographic signature would collide with potentially preexisting query parameters on sites and lead clients to assume that any matching query parameter is a signature.
例如,一个扩展表示所有名为“sig”的查询参数都表示一个加密签名,它将与站点上潜在的预先存在的查询参数发生冲突,并导致客户端假定任何匹配的查询参数都是签名。
HTML [W3C.REC-html401-19991224] constrains the syntax of query strings used in form submission. New form languages SHOULD NOT emulate it, but instead allow creation of a broader variety of URIs (e.g., by allowing the form to create new path components, and so forth).
HTML[W3C.REC-html401-19991224]约束表单提交中使用的查询字符串的语法。新的表单语言不应该模仿它,而是允许创建更广泛的URI(例如,通过允许表单创建新的路径组件等等)。
Note that "well-known" URIs (see [RFC5785]) MAY constrain their own query syntax, since these name spaces are effectively delegated to the registering party.
请注意,“众所周知的”URI(请参见[RFC5785])可能会约束它们自己的查询语法,因为这些名称空间实际上是委托给注册方的。
Media type definitions (as per [RFC6838]) SHOULD specify the fragment identifier syntax(es) to be used with them; other specifications MUST NOT define structure within the fragment identifier, unless they are explicitly defining one for reuse by media type definitions.
媒体类型定义(根据[RFC6838])应指定与之一起使用的片段标识符语法;其他规范不得在片段标识符内定义结构,除非它们显式地定义了一个结构以供媒体类型定义重用。
For example, an application that defines common fragment identifiers across media types not controlled by it would engender interoperability problems with handlers for those media types (because the new, non-standard syntax is not expected).
例如,如果一个应用程序在不受其控制的媒体类型之间定义公共片段标识符,那么这些媒体类型的处理程序将产生互操作性问题(因为不需要新的非标准语法)。
Given the issues described in Section 1, the most successful strategy for applications and extensions that wish to use URIs is to use them in the fashion they were designed: as links that are exchanged as part of the protocol, rather than statically specified syntax. Several existing specifications can aid in this.
考虑到第1节中描述的问题,对于希望使用URI的应用程序和扩展来说,最成功的策略是按照设计的方式使用它们:作为协议的一部分交换的链接,而不是静态指定的语法。一些现有规范可以帮助实现这一点。
[RFC5988] specifies relation types for Web links. By providing a framework for linking on the Web, where every link has a relation type, context and target, it allows applications to define a link's semantics and connectivity.
[RFC5988]指定Web链接的关系类型。通过在Web上提供链接框架(每个链接都有一个关系类型、上下文和目标),它允许应用程序定义链接的语义和连接性。
[RFC6570] provides a standard syntax for URI Templates that can be used to dynamically insert application-specific variables into a URI to enable such applications while avoiding impinging upon URI owners' control of them.
[RFC6570]为URI模板提供了标准语法,可用于将特定于应用程序的变量动态插入到URI中,以启用此类应用程序,同时避免影响URI所有者对它们的控制。
[RFC5785] allows specific paths to be 'reserved' for standard use on URI schemes that opt into that mechanism ('http' and 'https' by default). Note, however, that this is not a general "escape valve" for applications that need structured URIs; see that specification for more information.
[RFC5785]允许对特定路径进行“保留”,以便在选择该机制的URI方案上标准使用(“默认情况下为http”和“https”)。但是,请注意,对于需要结构化URI的应用程序,这不是一个通用的“安全阀”;有关更多信息,请参阅该规范。
Specifying more elaborate structures in an attempt to avoid collisions is not an acceptable solution, and does not address the issues in Section 1. For example, prefixing query parameters with "myapp_" does not help, because the prefix itself is subject to the risk of collision (since it is not "reserved").
为避免冲突而指定更复杂的结构不是一个可接受的解决方案,也不能解决第1节中的问题。例如,在查询参数前面加上“myapp_”前缀没有帮助,因为前缀本身有冲突的风险(因为它不是“保留的”)。
This document does not introduce new protocol artifacts with security considerations. It prohibits some practices that might lead to vulnerabilities; for example, if a security-sensitive mechanism is introduced by assuming that a URI path component or query string has a particular meaning, false positives might be encountered (due to sites that already use the chosen string). See also [RFC6943].
本文档不引入具有安全性考虑的新协议工件。它禁止一些可能导致漏洞的做法;例如,如果通过假设URI路径组件或查询字符串具有特定含义来引入安全敏感机制,则可能会遇到误报(由于站点已经使用所选字符串)。另见[RFC6943]。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005.
[RFC3986]Berners Lee,T.,Fielding,R.,和L.Masinter,“统一资源标识符(URI):通用语法”,STD 66,RFC 3986,2005年1月。
[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type Specifications and Registration Procedures", BCP 13, RFC 6838, January 2013.
[RFC6838]Freed,N.,Klensin,J.和T.Hansen,“媒体类型规范和注册程序”,BCP 13,RFC 6838,2013年1月。
[webarch] Jacobs, I. and N. Walsh, "Architecture of the World Wide Web, Volume One", December 2004, <http://www.w3.org/TR/2004/REC-webarch-20041215>.
[webarch]Jacobs,I.和N.Walsh,“万维网的架构,第一卷”,2004年12月<http://www.w3.org/TR/2004/REC-webarch-20041215>.
[BCP115] Hansen, T., Hardie, T., and L. Masinter, "Guidelines and Registration Procedures for New URI Schemes", RFC 4395, BCP 115, February 2006.
[BCP115]Hansen,T.,Hardie,T.,和L.Masinter,“新URI方案的指南和注册程序”,RFC 4395,BCP 115,2006年2月。
[RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known Uniform Resource Identifiers (URIs)", RFC 5785, April 2010.
[RFC5785]诺丁汉,M.和E.Hammer Lahav,“定义众所周知的统一资源标识符(URI)”,RFC 5785,2010年4月。
[RFC5988] Nottingham, M., "Web Linking", RFC 5988, October 2010.
[RFC5988]诺丁汉,M.,“网络链接”,RFC 5988,2010年10月。
[RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., and D. Orchard, "URI Template", RFC 6570, March 2012.
[RFC6570]Gregorio,J.,Fielding,R.,Hadley,M.,Nottingham,M.,和D.Orchard,“URI模板”,RFC 65702012年3月。
[RFC6943] Thaler, D., "Issues in Identifier Comparison for Security Purposes", RFC 6943, May 2013.
[RFC6943]Thaler,D.“出于安全目的的标识符比较问题”,RFC 6943,2013年5月。
[W3C.REC-html401-19991224] Raggett, D., Hors, A., and I. Jacobs, "HTML 4.01 Specification", World Wide Web Consortium Recommendation REC-html401-19991224, December 1999, <http://www.w3.org/TR/1999/REC-html401-19991224>.
[W3C.REC-html401-19991224]Raggett,D.,Hors,A.和I.Jacobs,“HTML 4.01规范”,万维网联盟建议REC-html401-19991224,1999年12月<http://www.w3.org/TR/1999/REC-html401-19991224>.
Thanks to David Booth, Dave Crocker, Tim Bray, Anne van Kesteren, Martin Thomson, Erik Wilde, Dave Thaler, and Barry Leiba for their suggestions and feedback.
感谢David Booth、Dave Crocker、Tim Bray、Anne van Kesteren、Martin Thomson、Erik Wilde、Dave Thaler和Barry Leiba的建议和反馈。
Author's Address
作者地址
Mark Nottingham
马克诺丁汉
EMail: mnot@mnot.net URI: http://www.mnot.net/
EMail: mnot@mnot.net URI: http://www.mnot.net/