]> Structured Field Values for HTTP Cloudflare
Prahran VIC Australia mnot@mnot.net https://www.mnot.net/
The Varnish Cache Project
phk@varnish-cache.org
Applications and Real-Time HTTP Internet-Draft This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields that wish to use a common syntax that is more restrictive than traditional HTTP field values. This document obsoletes RFC 8941. About This Document Status information for this document may be found at . Discussion of this document takes place on the HTTP Working Group mailing list (), which is archived at . Working Group information can be found at . Source for this draft and an issue tracker can be found at .
Introduction Specifying the syntax of new HTTP header (and trailer) fields is an onerous task; even with the guidance in , there are many decisions -- and pitfalls -- for a prospective HTTP field author. Once a field is defined, bespoke parsers and serializers often need to be written, because each field value has a slightly different handling of what looks like common syntax. This document introduces a set of common data structures for use in definitions of new HTTP field values to address these problems. In particular, it defines a generic, abstract model for them, along with a concrete serialization for expressing that model in HTTP header and trailer fields. An HTTP field that is defined as a "Structured Header" or "Structured Trailer" (if the field can be either, it is a "Structured Field") uses the types defined in this specification to define its syntax and basic handling rules, thereby simplifying both its definition by specification writers and handling by implementations. Additionally, future versions of HTTP can define alternative serializations of the abstract model of these structures, allowing fields that use that model to be transmitted more efficiently without being redefined. Note that it is not a goal of this document to redefine the syntax of existing HTTP fields; the mechanisms described herein are only intended to be used with fields that explicitly opt into them. describes how to specify a Structured Field. defines a number of abstract data types that can be used in Structured Fields. Those abstract types can be serialized into and parsed from HTTP field values using the algorithms described in .
Intentionally Strict Processing This specification intentionally defines strict parsing and serialization behaviors using step-by-step algorithms; the only error handling defined is to fail the entire operation altogether. It is designed to encourage faithful implementation and good interoperability. Therefore, an implementation that tried to be helpful by being more tolerant of input would make interoperability worse, since that would create pressure on other implementations to implement similar (but likely subtly different) workarounds. In other words, strict processing is an intentional feature of this specification; it allows non-conformant input to be discovered and corrected by the producer early and avoids both interoperability and security issues that might otherwise result. Note that as a result of this strictness, if a field is appended to by multiple parties (e.g., intermediaries or different components in the sender), an error in one party's value is likely to cause the entire field value to fail parsing.
Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document uses algorithms to specify parsing and serialization behaviors. When parsing from HTTP fields, implementations MUST have behavior that is indistinguishable from following the algorithms. For serialization to HTTP fields, the algorithms define the recommended way to produce them. Implementations MAY vary from the specified behavior so long as the output is still correctly handled by the parsing algorithm described in .
Defining New Structured Fields To specify an HTTP field as a Structured Field, its authors need to:
  • Normatively reference this specification. Recipients and generators of the field need to know that the requirements of this document are in effect.
  • Identify whether the field is a Structured Header (i.e., it can only be used in the header section -- the common case), a Structured Trailer (only in the trailer section), or a Structured Field (both).
  • Specify the type of the field value; either List (), Dictionary (), or Item ().
  • Define the semantics of the field value.
  • Specify any additional constraints upon the field value, as well as the consequences when those constraints are violated.
Typically, this means that a field definition will specify the top-level type -- List, Dictionary, or Item -- and then define its allowable types and constraints upon them. For example, a header defined as a List might have all Integer members, or a mix of types; a header defined as an Item might allow only Strings, and additionally only strings beginning with the letter "Q", or strings in lowercase. Likewise, Inner Lists () are only valid when a field definition explicitly allows them. When parsing fails, the entire field is ignored (see ); in most situations, violating field-specific constraints should have the same effect. Thus, if a header is defined as an Item and required to be an Integer, but a String is received, the field will by default be ignored. If the field requires different handling for type mismatches it should be explicitly specified, but note that field definitions cannot override how parsing failures are handled. Both Items and Inner Lists allow parameters as an extensibility mechanism; this means that values can later be extended to accommodate more information, if need be. To preserve forward compatibility, field specifications are discouraged from defining the presence of an unrecognized parameter as an error condition. To further assure that this extensibility is available in the future, and to encourage consumers to use a complete parser implementation, a field definition can specify that "grease" parameters be added by senders. A specification could stipulate that all parameters that fit a defined pattern are reserved for this use and then encourage them to be sent on some portion of requests. This helps to discourage recipients from writing a parser that does not account for Parameters. Specifications that use Dictionaries can also allow for forward compatibility by requiring that the presence of -- as well as value and type associated with -- unknown members be ignored. Subsequent specifications can then add additional members, specifying constraints on them as appropriate. An extension to a Structured Field can then require that an entire field value be ignored by a recipient that understands the extension if constraints on the value it defines are not met. A field definition cannot relax the requirements of this specification because doing so would preclude handling by generic software; they can only add additional constraints (for example, on the numeric range of Integers and Decimals, the format of Strings and Tokens, the types allowed in a Dictionary's values, or the number of Items in a List). Likewise, field definitions can only use this specification for the entire field value, not a portion thereof. This specification defines minimums for the length or number of various structures supported by implementations. It does not specify maximum sizes in most cases, but authors should be aware that HTTP implementations do impose various limits on the size of individual fields, the total number of fields, and/or the size of the entire header or trailer section. Specifications can refer to a field name as a "structured header name", "structured trailer name", or "structured field name" as appropriate. Likewise, they can refer its field value as a "structured header value", "structured trailer value", or "structured field value" as necessary. For example, a fictitious Foo-Example header field might be specified as:
42. Foo-Example Header The Foo-Example HTTP header field conveys information about how much Foo the message has. Foo-Example is an Item Structured Header [RFC8941]. Its value MUST be an Integer (Section 3.3.1 of [RFC8941]). Its value indicates the amount of Foo in the message, and it MUST be between 0 and 10, inclusive; other values MUST cause the entire header field to be ignored. The following parameter is defined:
  • A parameter whose key is "foourl", and whose value is a String (Section 3.3.3 of [RFC8941]), conveying the Foo URL for the message. See below for processing requirements.
"foourl" contains a URI-reference (Section 4.1 of [RFC3986]). If its value is not a valid URI-reference, the entire header field MUST be ignored. If its value is a relative reference (Section 4.2 of [RFC3986]), it MUST be resolved (Section 5 of [RFC3986]) before being used. For example:
Note that because the definition of a Structured Field references a specific RFC for Structured Fields, the types available for use in its value are limited to those defined in that RFC. For example, a field whose definition references this document can have a value that uses the Date type (), whereas a field whose definition references RFC 8941 cannot, because it will be treated as invalid (and therefore discarded) by implementations of that specification. Also note that this limitation also applies to future extensions to a field; for example, a field that is defined with reference to RFC 8941 cannot use the Date type, because some recipients might still be using an RFC 8941 parser to process it. However, this document is designed to be backwards-compatible with RFC 8941; a parser that implements the requirements here can also parse valid Structured Fields whose definitions reference RFC 8941. The effect of upgrading a Structured Fields implementation is that some field values that were invalid according to RFC 8941 might become valid when processed. For instance, though it would not be valid for a field defined against RFC 8941, a field might include include a Date value. An RFC 8941 implementation would reject the entire field, whereas an updated Structured Field implementation might permit the value. In some cases, the resulting Date value will be rejected by field-specific logic, but values in fields that are otherwise ignored (such as extension parameters) might not be detected and the field might subsequently be accepted and processed.
Structured Data Types This section defines the abstract types for Structured Fields, and summarises how those types are serialised into textual HTTP fields. In summary:
  • There are three top-level types that an HTTP field can be defined as: Lists, Dictionaries, and Items.
  • Lists and Dictionaries are containers; their members can be Items or Inner Lists (which are themselves arrays of Items).
  • Both Items and Inner Lists can be Parameterized with key/value pairs.
Lists Lists are arrays of zero or more members, each of which can be an Item () or an Inner List (), both of which can be Parameterized (). An empty List is denoted by not serializing the field at all. This implies that fields defined as Lists have a default empty value. When serialised as a textual HTTP field, each member is separated by a comma and optional whitespace. For example, a field whose value is defined as a List of Tokens could look like: Note that Lists can have their members split across multiple lines of the same header or trailer section, as per ; for example, the following are equivalent: and However, individual members of a List cannot be safely split between lines; see for details. Parsers MUST support Lists containing at least 1024 members. Field specifications can constrain the types and cardinality of individual List values as they require.
Inner Lists An Inner List is an array of zero or more Items (). Both the individual Items and the Inner List itself can be Parameterized (). When serialised in a textual HTTP field, Inner Lists are denoted by surrounding parenthesis, and their values are delimited by one or more spaces. A field whose value is defined as a List of Inner Lists of Strings could look like: Note that the last member in this example is an empty Inner List. A header field whose value is defined as a List of Inner Lists with Parameters at both levels could look like: Parsers MUST support Inner Lists containing at least 256 members. Field specifications can constrain the types and cardinality of individual Inner List members as they require.
Parameters Parameters are an ordered map of key-value pairs that are associated with an Item () or Inner List (). The keys are unique within the scope of the Parameters they occur within, and the values are bare items (i.e., they themselves cannot be parameterized; see ). Implementations MUST provide access to Parameters both by index and by key. Specifications MAY use either means of accessing them. Note that parameters are ordered, and parameter keys cannot contain uppercase letters. When serialised in a textual HTTP field, a Parameter is separated from its Item or Inner List and other Parameters by a semicolon. For example: Parameters whose value is Boolean (see ) true MUST omit that value when serialized. For example, the "a" parameter here is true, while the "b" parameter is false: Note that this requirement is only on serialization; parsers are still required to correctly handle the true value when it appears in a parameter. Parsers MUST support at least 256 parameters on an Item or Inner List, and support parameter keys with at least 64 characters. Field specifications can constrain the order of individual parameters, as well as their values' types as required.
Dictionaries Dictionaries are ordered maps of key-value pairs, where the keys are short textual strings and the values are Items () or arrays of Items, both of which can be Parameterized (). There can be zero or more members, and their keys are unique in the scope of the Dictionary they occur within. Implementations MUST provide access to Dictionaries both by index and by key. Specifications MAY use either means of accessing the members. As with Lists, an empty Dictionary is represented by omitting the entire field. This implies that fields defined as Dictionaries have a default empty value. Typically, a field specification will define the semantics of Dictionaries by specifying the allowed type(s) for individual members by their keys, as well as whether their presence is required or optional. Recipients MUST ignore members whose keys that are undefined or unknown, unless the field's specification specifically disallows them. When serialised as a textual HTTP field, Members are ordered as serialized and separated by a comma with optional whitespace. Member keys cannot contain uppercase characters. Keys and values are separated by "=" (without whitespace). For example: Note that in this example, the final "=" is due to the inclusion of a Byte Sequence; see . Members whose value is Boolean (see ) true MUST omit that value when serialized. For example, here both "b" and "c" are true: Note that this requirement is only on serialization; parsers are still required to correctly handle the true Boolean value when it appears in Dictionary values. A Dictionary with a member whose value is an Inner List of Tokens: A Dictionary with a mix of Items and Inner Lists, some with parameters: Note that Dictionaries can have their members split across multiple lines of the same header or trailer section; for example, the following are equivalent: and However, individual members of a Dictionary cannot be safely split between lines; see for details. Parsers MUST support Dictionaries containing at least 1024 key/value pairs and keys with at least 64 characters. Field specifications can constrain the order of individual Dictionary members, as well as their values' types as required.
Items An Item can be an Integer (), a Decimal (), a String (), a Token (), a Byte Sequence (), a Boolean (), or a Date (). It can have associated parameters (). For example, a header field that is defined to be an Item that is an Integer might look like: or with parameters:
Integers Integers have a range of -999,999,999,999,999 to 999,999,999,999,999 inclusive (i.e., up to fifteen digits, signed), for IEEE 754 compatibility . For example: Integers larger than 15 digits can be supported in a variety of ways; for example, by using a String (), a Byte Sequence (), or a parameter on an Integer that acts as a scaling factor. While it is possible to serialize Integers with leading zeros (e.g., "0002", "-01") and signed zero ("-0"), these distinctions may not be preserved by implementations. Note that commas in Integers are used in this section's prose only for readability; they are not valid in the wire format.
Decimals Decimals are numbers with an integer and a fractional component. The integer component has at most 12 digits; the fractional component has at most three digits. For example, a header whose value is defined as a Decimal could look like: While it is possible to serialize Decimals with leading zeros (e.g., "0002.5", "-01.334"), trailing zeros (e.g., "5.230", "-0.40"), and signed zero (e.g., "-0.0"), these distinctions may not be preserved by implementations. Note that the serialization algorithm () rounds input with more than three digits of precision in the fractional component. If an alternative rounding strategy is desired, this should be specified by the header definition to occur before serialization.
Strings Strings are zero or more printable ASCII characters (i.e., the range %x20 to %x7E). Note that this excludes tabs, newlines, carriage returns, etc. Unicode is not directly supported in Strings, because it causes a number of interoperability issues, and -- with few exceptions -- field values do not require it. When it is necessary for a field value to convey non-ASCII content, a Byte Sequence () can be specified, along with a character encoding (preferably UTF-8 ). When serialised in a textual HTTP field, Strings are delimited with double quotes, using a backslash ("\") to escape double quotes and backslashes. For example: Note that Strings only use DQUOTE as a delimiter; single quotes do not delimit Strings. Furthermore, only DQUOTE and "\" can be escaped; other characters after "\" MUST cause parsing to fail. Parsers MUST support Strings (after any decoding) with at least 1024 characters.
Tokens Tokens are short textual words that begin with an alphabetic character or "*", followed by zero to many token characters, which are the same as those allowed by the "token" ABNF rule defined in , plus the ":" and "/" characters. For example: Parsers MUST support Tokens with at least 512 characters.
Byte Sequences Byte Sequences can be conveyed in Structured Fields. When serialised in a textual HTTP field, a Byte Sequence is delimited with colons and encoded using base64 (). For example: Parsers MUST support Byte Sequences with at least 16384 octets after decoding.
Booleans Boolean values can be conveyed in Structured Fields. When serialised in a textual HTTP field, a Boolean is indicated with a leading "?" character followed by a "1" for a true value or "0" for false. For example: Note that in Dictionary () and Parameter () values, Boolean true is indicated by omitting the value.
Dates Date values can be conveyed in Structured Fields. Dates have a data model that is similar to Integers, representing a (possibly negative) delta in seconds from January 1, 1970 00:00:00 UTC, excluding leap seconds. For example:
Working with Structured Fields in HTTP This section defines how to serialize and parse Structured Fields in textual HTTP field values and other encodings compatible with them (e.g., in HTTP/2 before compression with HPACK ).
Serializing Structured Fields Given a structure defined in this specification, return an ASCII string suitable for use in an HTTP field value.
  1. If the structure is a Dictionary or List and its value is empty (i.e., it has no members), do not serialize the field at all (i.e., omit both the field-name and field-value).
  2. If the structure is a List, let output_string be the result of running Serializing a List () with the structure.
  3. Else, if the structure is a Dictionary, let output_string be the result of running Serializing a Dictionary () with the structure.
  4. Else, if the structure is an Item, let output_string be the result of running Serializing an Item () with the structure.
  5. Else, fail serialization.
  6. Return output_string converted into an array of bytes, using ASCII encoding .
Serializing a List Given an array of (member_value, parameters) tuples as input_list, return an ASCII string suitable for use in an HTTP field value.
  1. Let output be an empty string.
  2. For each (member_value, parameters) of input_list:
    1. If member_value is an array, append the result of running Serializing an Inner List () with (member_value, parameters) to output.
    2. Otherwise, append the result of running Serializing an Item () with (member_value, parameters) to output.
    3. If more member_values remain in input_list:
      1. Append "," to output.
      2. Append a single SP to output.
  3. Return output.
Serializing an Inner List Given an array of (member_value, parameters) tuples as inner_list, and parameters as list_parameters, return an ASCII string suitable for use in an HTTP field value.
  1. Let output be the string "(".
  2. For each (member_value, parameters) of inner_list:
    1. Append the result of running Serializing an Item () with (member_value, parameters) to output.
    2. If more values remain in inner_list, append a single SP to output.
  3. Append ")" to output.
  4. Append the result of running Serializing Parameters () with list_parameters to output.
  5. Return output.
Serializing Parameters Given an ordered Dictionary as input_parameters (each member having a param_key and a param_value), return an ASCII string suitable for use in an HTTP field value.
  1. Let output be an empty string.
  2. For each param_key with a value of param_value in input_parameters:
    1. Append ";" to output.
    2. Append the result of running Serializing a Key () with param_key to output.
    3. If param_value is not Boolean true:
      1. Append "=" to output.
      2. Append the result of running Serializing a bare Item () with param_value to output.
  3. Return output.
Serializing a Key Given a key as input_key, return an ASCII string suitable for use in an HTTP field value.
  1. Convert input_key into a sequence of ASCII characters; if conversion fails, fail serialization.
  2. If input_key contains characters not in lcalpha, DIGIT, "_", "-", ".", or "*", fail serialization.
  3. If the first character of input_key is not lcalpha or "*", fail serialization.
  4. Let output be an empty string.
  5. Append input_key to output.
  6. Return output.
Serializing a Dictionary Given an ordered Dictionary as input_dictionary (each member having a member_key and a tuple value of (member_value, parameters)), return an ASCII string suitable for use in an HTTP field value.
  1. Let output be an empty string.
  2. For each member_key with a value of (member_value, parameters) in input_dictionary:
    1. Append the result of running Serializing a Key () with member's member_key to output.
    2. If member_value is Boolean true:
      1. Append the result of running Serializing Parameters () with parameters to output.
    3. Otherwise:
      1. Append "=" to output.
      2. If member_value is an array, append the result of running Serializing an Inner List () with (member_value, parameters) to output.
      3. Otherwise, append the result of running Serializing an Item () with (member_value, parameters) to output.
    4. If more members remain in input_dictionary:
      1. Append "," to output.
      2. Append a single SP to output.
  3. Return output.
Serializing an Item Given an Item as bare_item and Parameters as item_parameters, return an ASCII string suitable for use in an HTTP field value.
  1. Let output be an empty string.
  2. Append the result of running Serializing a Bare Item () with bare_item to output.
  3. Append the result of running Serializing Parameters () with item_parameters to output.
  4. Return output.
Serializing a Bare Item Given an Item as input_item, return an ASCII string suitable for use in an HTTP field value.
  1. If input_item is an Integer, return the result of running Serializing an Integer () with input_item.
  2. If input_item is a Decimal, return the result of running Serializing a Decimal () with input_item.
  3. If input_item is a String, return the result of running Serializing a String () with input_item.
  4. If input_item is a Token, return the result of running Serializing a Token () with input_item.
  5. If input_item is a Byte Sequence, return the result of running Serializing a Byte Sequence () with input_item.
  6. If input_item is a Boolean, return the result of running Serializing a Boolean () with input_item.
  7. If input_item is a Date, return the result of running Serializing a Date () with input_item.
  8. Otherwise, fail serialization.
Serializing an Integer Given an Integer as input_integer, return an ASCII string suitable for use in an HTTP field value.
  1. If input_integer is not an integer in the range of -999,999,999,999,999 to 999,999,999,999,999 inclusive, fail serialization.
  2. Let output be an empty string.
  3. If input_integer is less than (but not equal to) 0, append "-" to output.
  4. Append input_integer's numeric value represented in base 10 using only decimal digits to output.
  5. Return output.
Serializing a Decimal Given a decimal number as input_decimal, return an ASCII string suitable for use in an HTTP field value.
  1. If input_decimal is not a decimal number, fail serialization.
  2. If input_decimal has more than three significant digits to the right of the decimal point, round it to three decimal places, rounding the final digit to the nearest value, or to the even value if it is equidistant.
  3. If input_decimal has more than 12 significant digits to the left of the decimal point after rounding, fail serialization.
  4. Let output be an empty string.
  5. If input_decimal is less than (but not equal to) 0, append "-" to output.
  6. Append input_decimal's integer component represented in base 10 (using only decimal digits) to output; if it is zero, append "0".
  7. Append "." to output.
  8. If input_decimal's fractional component is zero, append "0" to output.
  9. Otherwise, append the significant digits of input_decimal's fractional component represented in base 10 (using only decimal digits) to output.
  10. Return output.
Serializing a String Given a String as input_string, return an ASCII string suitable for use in an HTTP field value.
  1. Convert input_string into a sequence of ASCII characters; if conversion fails, fail serialization.
  2. If input_string contains characters in the range %x00-1f or %x7f-ff (i.e., not in VCHAR or SP), fail serialization.
  3. Let output be the string DQUOTE.
  4. For each character char in input_string:
    1. If char is "\" or DQUOTE:
      1. Append "\" to output.
    2. Append char to output.
  5. Append DQUOTE to output.
  6. Return output.
Serializing a Token Given a Token as input_token, return an ASCII string suitable for use in an HTTP field value.
  1. Convert input_token into a sequence of ASCII characters; if conversion fails, fail serialization.
  2. If the first character of input_token is not ALPHA or "*", or the remaining portion contains a character not in tchar, ":", or "/", fail serialization.
  3. Let output be an empty string.
  4. Append input_token to output.
  5. Return output.
Serializing a Byte Sequence Given a Byte Sequence as input_bytes, return an ASCII string suitable for use in an HTTP field value.
  1. If input_bytes is not a sequence of bytes, fail serialization.
  2. Let output be an empty string.
  3. Append ":" to output.
  4. Append the result of base64-encoding input_bytes as per , taking account of the requirements below.
  5. Append ":" to output.
  6. Return output.
The encoded data is required to be padded with "=", as per . Likewise, encoded data SHOULD have pad bits set to zero, as per , unless it is not possible to do so due to implementation constraints.
Serializing a Boolean Given a Boolean as input_boolean, return an ASCII string suitable for use in an HTTP field value.
  1. If input_boolean is not a boolean, fail serialization.
  2. Let output be an empty string.
  3. Append "?" to output.
  4. If input_boolean is true, append "1" to output.
  5. If input_boolean is false, append "0" to output.
  6. Return output.
Serialising a Date Given a Date as input_integer, return an ASCII string suitable for use in an HTTP field value.
  1. Let output be "@".
  2. Append to output the result of running Serializing an Integer with input_date ().
  3. Return output.
Parsing Structured Fields When a receiving implementation parses HTTP fields that are known to be Structured Fields, it is important that care be taken, as there are a number of edge cases that can cause interoperability or even security problems. This section specifies the algorithm for doing so. Given an array of bytes as input_bytes that represent the chosen field's field-value (which is empty if that field is not present) and field_type (one of "dictionary", "list", or "item"), return the parsed header value.
  1. Convert input_bytes into an ASCII string input_string; if conversion fails, fail parsing.
  2. Discard any leading SP characters from input_string.
  3. If field_type is "list", let output be the result of running Parsing a List () with input_string.
  4. If field_type is "dictionary", let output be the result of running Parsing a Dictionary () with input_string.
  5. If field_type is "item", let output be the result of running Parsing an Item () with input_string.
  6. Discard any leading SP characters from input_string.
  7. If input_string is not empty, fail parsing.
  8. Otherwise, return output.
When generating input_bytes, parsers MUST combine all field lines in the same section (header or trailer) that case-insensitively match the field name into one comma-separated field-value, as per ; this assures that the entire field value is processed correctly. For Lists and Dictionaries, this has the effect of correctly concatenating all of the field's lines, as long as individual members of the top-level data structure are not split across multiple header instances. The parsing algorithms for both types allow tab characters, since these might be used to combine field lines by some implementations. Strings split across multiple field lines will have unpredictable results, because one or more commas (with optional whitespace) will become part of the string output by the parser. Since concatenation might be done by an upstream intermediary, the results are not under the control of the serializer or the parser, even when they are both under the control of the same party. Tokens, Integers, Decimals, and Byte Sequences cannot be split across multiple field lines because the inserted commas will cause parsing to fail. Parsers MAY fail when processing a field value spread across multiple field lines, when one of those lines does not parse as that field. For example, a parsing handling an Example-String field that's defined as an sf-string is allowed to fail when processing this field section: If parsing fails, either the entire field value MUST be ignored (i.e., treated as if the field were not present in the section), or alternatively the complete HTTP message MUST be treated as malformed. This is intentionally strict to improve interoperability and safety, and field specifications that use Structured Fields are not allowed to loosen this requirement. Note that this requirement does not apply to an implementation that is not parsing the field; for example, an intermediary is not required to strip a failing field from a message before forwarding it.
Parsing a List Given an ASCII string as input_string, return an array of (item_or_inner_list, parameters) tuples. input_string is modified to remove the parsed value.
  1. Let members be an empty array.
  2. While input_string is not empty:
    1. Append the result of running Parsing an Item or Inner List () with input_string to members.
    2. Discard any leading OWS characters from input_string.
    3. If input_string is empty, return members.
    4. Consume the first character of input_string; if it is not ",", fail parsing.
    5. Discard any leading OWS characters from input_string.
    6. If input_string is empty, there is a trailing comma; fail parsing.
  3. No structured data has been found; return members (which is empty).
Parsing an Item or Inner List Given an ASCII string as input_string, return the tuple (item_or_inner_list, parameters), where item_or_inner_list can be either a single bare item or an array of (bare_item, parameters) tuples. input_string is modified to remove the parsed value.
  1. If the first character of input_string is "(", return the result of running Parsing an Inner List () with input_string.
  2. Return the result of running Parsing an Item () with input_string.
Parsing an Inner List Given an ASCII string as input_string, return the tuple (inner_list, parameters), where inner_list is an array of (bare_item, parameters) tuples. input_string is modified to remove the parsed value.
  1. Consume the first character of input_string; if it is not "(", fail parsing.
  2. Let inner_list be an empty array.
  3. While input_string is not empty:
    1. Discard any leading SP characters from input_string.
    2. If the first character of input_string is ")":
      1. Consume the first character of input_string.
      2. Let parameters be the result of running Parsing Parameters () with input_string.
      3. Return the tuple (inner_list, parameters).
    3. Let item be the result of running Parsing an Item () with input_string.
    4. Append item to inner_list.
    5. If the first character of input_string is not SP or ")", fail parsing.
  4. The end of the Inner List was not found; fail parsing.
Parsing a Dictionary Given an ASCII string as input_string, return an ordered map whose values are (item_or_inner_list, parameters) tuples. input_string is modified to remove the parsed value.
  1. Let dictionary be an empty, ordered map.
  2. While input_string is not empty:
    1. Let this_key be the result of running Parsing a Key () with input_string.
    2. If the first character of input_string is "=":
      1. Consume the first character of input_string.
      2. Let member be the result of running Parsing an Item or Inner List () with input_string.
    3. Otherwise:
      1. Let value be Boolean true.
      2. Let parameters be the result of running Parsing Parameters () with input_string.
      3. Let member be the tuple (value, parameters).
    4. If dictionary already contains a key this_key (comparing character for character), overwrite its value with member.
    5. Otherwise, append key this_key with value member to dictionary.
    6. Discard any leading OWS characters from input_string.
    7. If input_string is empty, return dictionary.
    8. Consume the first character of input_string; if it is not ",", fail parsing.
    9. Discard any leading OWS characters from input_string.
    10. If input_string is empty, there is a trailing comma; fail parsing.
  3. No structured data has been found; return dictionary (which is empty).
Note that when duplicate Dictionary keys are encountered, all but the last instance are ignored.
Parsing an Item Given an ASCII string as input_string, return a (bare_item, parameters) tuple. input_string is modified to remove the parsed value.
  1. Let bare_item be the result of running Parsing a Bare Item () with input_string.
  2. Let parameters be the result of running Parsing Parameters () with input_string.
  3. Return the tuple (bare_item, parameters).
Parsing a Bare Item Given an ASCII string as input_string, return a bare Item. input_string is modified to remove the parsed value.
  1. If the first character of input_string is a "-" or a DIGIT, return the result of running Parsing an Integer or Decimal () with input_string.
  2. If the first character of input_string is a DQUOTE, return the result of running Parsing a String () with input_string.
  3. If the first character of input_string is an ALPHA or "*", return the result of running Parsing a Token () with input_string.
  4. If the first character of input_string is ":", return the result of running Parsing a Byte Sequence () with input_string.
  5. If the first character of input_string is "?", return the result of running Parsing a Boolean () with input_string.
  6. If the first character of input_string is "@", return the result of running Parsing a Date () with input_string.
  7. Otherwise, the item type is unrecognized; fail parsing.
Parsing Parameters Given an ASCII string as input_string, return an ordered map whose values are bare Items. input_string is modified to remove the parsed value.
  1. Let parameters be an empty, ordered map.
  2. While input_string is not empty:
    1. If the first character of input_string is not ";", exit the loop.
    2. Consume the ";" character from the beginning of input_string.
    3. Discard any leading SP characters from input_string.
    4. Let param_key be the result of running Parsing a Key () with input_string.
    5. Let param_value be Boolean true.
    6. If the first character of input_string is "=":
      1. Consume the "=" character at the beginning of input_string.
      2. Let param_value be the result of running Parsing a Bare Item () with input_string.
    7. If parameters already contains a key param_key (comparing character for character), overwrite its value with param_value.
    8. Otherwise, append key param_key with value param_value to parameters.
  3. Return parameters.
Note that when duplicate parameter keys are encountered, all but the last instance are ignored.
Parsing a Key Given an ASCII string as input_string, return a key. input_string is modified to remove the parsed value.
  1. If the first character of input_string is not lcalpha or "*", fail parsing.
  2. Let output_string be an empty string.
  3. While input_string is not empty:
    1. If the first character of input_string is not one of lcalpha, DIGIT, "_", "-", ".", or "*", return output_string.
    2. Let char be the result of consuming the first character of input_string.
    3. Append char to output_string.
  4. Return output_string.
Parsing an Integer or Decimal Given an ASCII string as input_string, return an Integer or Decimal. input_string is modified to remove the parsed value. NOTE: This algorithm parses both Integers () and Decimals (), and returns the corresponding structure.
  1. Let type be "integer".
  2. Let sign be 1.
  3. Let input_number be an empty string.
  4. If the first character of input_string is "-", consume it and set sign to -1.
  5. If input_string is empty, there is an empty integer; fail parsing.
  6. If the first character of input_string is not a DIGIT, fail parsing.
  7. While input_string is not empty:
    1. Let char be the result of consuming the first character of input_string.
    2. If char is a DIGIT, append it to input_number.
    3. Else, if type is "integer" and char is ".":
      1. If input_number contains more than 12 characters, fail parsing.
      2. Otherwise, append char to input_number and set type to "decimal".
    4. Otherwise, prepend char to input_string, and exit the loop.
    5. If type is "integer" and input_number contains more than 15 characters, fail parsing.
    6. If type is "decimal" and input_number contains more than 16 characters, fail parsing.
  8. If type is "integer":
    1. Let output_number be an Integer that is the result of parsing input_number as an integer.
  9. Otherwise:
    1. If the final character of input_number is ".", fail parsing.
    2. If the number of characters after "." in input_number is greater than three, fail parsing.
    3. Let output_number be a Decimal that is the result of parsing input_number as a decimal number.
  10. Let output_number be the product of output_number and sign.
  11. Return output_number.
Parsing a String Given an ASCII string as input_string, return an unquoted String. input_string is modified to remove the parsed value.
  1. Let output_string be an empty string.
  2. If the first character of input_string is not DQUOTE, fail parsing.
  3. Discard the first character of input_string.
  4. While input_string is not empty:
    1. Let char be the result of consuming the first character of input_string.
    2. If char is a backslash ("\"):
      1. If input_string is now empty, fail parsing.
      2. Let next_char be the result of consuming the first character of input_string.
      3. If next_char is not DQUOTE or "\", fail parsing.
      4. Append next_char to output_string.
    3. Else, if char is DQUOTE, return output_string.
    4. Else, if char is in the range %x00-1f or %x7f-ff (i.e., it is not in VCHAR or SP), fail parsing.
    5. Else, append char to output_string.
  5. Reached the end of input_string without finding a closing DQUOTE; fail parsing.
Parsing a Token Given an ASCII string as input_string, return a Token. input_string is modified to remove the parsed value.
  1. If the first character of input_string is not ALPHA or "*", fail parsing.
  2. Let output_string be an empty string.
  3. While input_string is not empty:
    1. If the first character of input_string is not in tchar, ":", or "/", return output_string.
    2. Let char be the result of consuming the first character of input_string.
    3. Append char to output_string.
  4. Return output_string.
Parsing a Byte Sequence Given an ASCII string as input_string, return a Byte Sequence. input_string is modified to remove the parsed value.
  1. If the first character of input_string is not ":", fail parsing.
  2. Discard the first character of input_string.
  3. If there is not a ":" character before the end of input_string, fail parsing.
  4. Let b64_content be the result of consuming content of input_string up to but not including the first instance of the character ":".
  5. Consume the ":" character at the beginning of input_string.
  6. If b64_content contains a character not included in ALPHA, DIGIT, "+", "/", and "=", fail parsing.
  7. Let binary_content be the result of base64-decoding b64_content, synthesizing padding if necessary (note the requirements about recipient behavior below). If base64 decoding fails, parsing fails.
  8. Return binary_content.
Because some implementations of base64 do not allow rejection of encoded data that is not properly "=" padded (see ), parsers SHOULD NOT fail when "=" padding is not present, unless they cannot be configured to do so. Because some implementations of base64 do not allow rejection of encoded data that has non-zero pad bits (see ), parsers SHOULD NOT fail when non-zero pad bits are present, unless they cannot be configured to do so. This specification does not relax the requirements in Sections and of ; therefore, parsers MUST fail on characters outside the base64 alphabet and on line feeds in encoded data.
Parsing a Boolean Given an ASCII string as input_string, return a Boolean. input_string is modified to remove the parsed value.
  1. If the first character of input_string is not "?", fail parsing.
  2. Discard the first character of input_string.
  3. If the first character of input_string matches "1", discard the first character, and return true.
  4. If the first character of input_string matches "0", discard the first character, and return false.
  5. No value has matched; fail parsing.
Parsing a Date Given an ASCII string as input_string, return a Date. input_string is modified to remove the parsed value.
  1. If the first character of input_string is not "@", fail parsing.
  2. Discard the first character of input_string.
  3. Let output_date be the result of running Parsing an Integer or Decimal () with input_string.
  4. If output_date is a Decimal, fail parsing.
  5. Return output_date.
IANA Considerations Please add the following note to the "Hypertext Transfer Protocol (HTTP) Field Name Registry":
  • The "Structured Type" column indicates the type of the field (per RFC nnnn), if any, and may be "Dictionary", "List" or "Item". Note that field names beginning with characters other than ALPHA or "*" will not be able to be represented as a Structured Fields Token, and therefore may be incompatible with being mapped into fields that refer to it.
Then, add a new column, "Structured Type". Then, add the indicated Structured Type for each existing registry entry listed in . Existing Fields
Field Name Structured Type
Accept-CH List
Cache-Status List
CDN-Cache-Control Dictionary
Cross-Origin-Embedder-Policy Item
Cross-Origin-Embedder-Policy-Report-Only Item
Cross-Origin-Opener-Policy Item
Cross-Origin-Opener-Policy-Report-Only Item
Origin-Agent-Cluster Item
Priority Dictionary
Proxy-Status List
Security Considerations The size of most types defined by Structured Fields is not limited; as a result, extremely large fields could be an attack vector (e.g., for resource consumption). Most HTTP implementations limit the sizes of individual fields as well as the overall header or trailer section size to mitigate such attacks. It is possible for parties with the ability to inject new HTTP fields to change the meaning of a Structured Field. In some circumstances, this will cause parsing to fail, but it is not possible to reliably fail in all such circumstances.
References Normative References HTTP Semantics The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. ASCII format for network interchange The Base16, Base32, and Base64 Data Encodings This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations. Informative References IEEE Standard for Floating-Point Arithmetic IEEE UTF-8, a transformation format of ISO 10646 HTTP/2 This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced latency by introducing field compression and allowing multiple concurrent exchanges on the same connection. This document obsoletes RFCs 7540 and 8740. HPACK: Header Compression for HTTP/2 This specification defines HPACK, a compression format for efficiently representing HTTP header fields, to be used in HTTP/2. The JavaScript Object Notation (JSON) Data Interchange Format JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. The I-JSON Message Format I-JSON (short for "Internet JSON") is a restricted profile of JSON designed to maximize interoperability and increase confidence that software can process it successfully with predictable results. Augmented BNF for Syntax Specifications: ABNF Internet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK]
Frequently Asked Questions
Why Not JSON? Earlier proposals for Structured Fields were based upon JSON . However, constraining its use to make it suitable for HTTP header fields required senders and recipients to implement specific additional handling. For example, JSON has specification issues around large numbers and objects with duplicate members. Although advice for avoiding these issues is available (e.g., ), it cannot be relied upon. Likewise, JSON strings are by default Unicode strings, which have a number of potential interoperability issues (e.g., in comparison). Although implementers can be advised to avoid non-ASCII content where unnecessary, this is difficult to enforce. Another example is JSON's ability to nest content to arbitrary depths. Since the resulting memory commitment might be unsuitable (e.g., in embedded and other limited server deployments), it's necessary to limit it in some fashion; however, existing JSON implementations have no such limits, and even if a limit is specified, it's likely that some field definition will find a need to violate it. Because of JSON's broad adoption and implementation, it is difficult to impose such additional constraints across all implementations; some deployments would fail to enforce them, thereby harming interoperability. In short, if it looks like JSON, people will be tempted to use a JSON parser/serializer on field values. Since a major goal for Structured Fields is to improve interoperability and simplify implementation, these concerns led to a format that requires a dedicated parser and serializer. Additionally, there were widely shared feelings that JSON doesn't "look right" in HTTP fields.
Implementation Notes A generic implementation of this specification should expose the top-level serialize () and parse () functions. They need not be functions; for example, it could be implemented as an object, with methods for each of the different top-level types. For interoperability, it's important that generic implementations be complete and follow the algorithms closely; see . To aid this, a common test suite is being maintained by the community at <https://github.com/httpwg/structured-field-tests>. Implementers should note that Dictionaries and Parameters are order-preserving maps. Some fields may not convey meaning in the ordering of these data types, but it should still be exposed so that it will be available to applications that need to use it. Likewise, implementations should note that it's important to preserve the distinction between Tokens and Strings. While most programming languages have native types that map to the other types well, it may be necessary to create a wrapper "token" object or use a parameter on functions to assure that these types remain separate. The serialization algorithm is defined in a way that it is not strictly limited to the data types defined in in every case. For example, Decimals are designed to take broader input and round to allowed values. Implementations are allowed to limit the size of different structures, subject to the minimums defined for each type. When a structure exceeds an implementation limit, that structure fails parsing or serialization.
ABNF This section uses the Augmented Backus-Naur Form (ABNF) notation to illustrate expected syntax of Structured Fields. In doing so, it uses the VCHAR, SP, DIGIT, ALPHA, and DQUOTE rules from . It also includes the tchar and OWS rules from . This section is non-normative. If there is disagreement between the parsing algorithms and ABNF, the specified algorithms take precedence.
Changes from RFC 8941 This revision of the Structured Field Values for HTTP specification has made the following changes:
  • Added the Date structured type. ()
  • Stopped encouraging use of ABNF in definitions of new structured fields. ()
  • Moved ABNF to an informative appendix. ()
  • Added a "Structured Type" column to the HTTP Field Name Registry. ()
  • Refined parse failure handling. ()
Acknowledgements Many thanks to Matthew Kerwin for his detailed feedback and careful consideration during the development of this specification. Thanks also to Ian Clelland, Roy Fielding, Anne van Kesteren, Kazuho Oku, Evert Pot, Julian Reschke, Martin Thomson, Mike West, and Jeffrey Yasskin for their contributions.