Applications Area Working Group                            P. Bryan, Ed.
Internet-Draft                                            Salesforce.com
Intended status: Informational                        M. Nottingham, Ed.
Expires: April 25, June 8, 2013                                 October 22,                                             Akamai
                                                        December 5, 2012

                               JSON Patch
                    draft-ietf-appsawg-json-patch-06
                    draft-ietf-appsawg-json-patch-07

Abstract

   JSON Patch defines the media type "application/json-patch", a JSON
   document structure for expressing a sequence of operations to apply
   to a JSON document.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 25, June 8, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Document Structure . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Operations . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     4.1.  add  . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     4.2.  remove . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     4.3.  replace  . . . . . . . . . . . . . . . . . . . . . . . . .  5
     4.4.  move . . . . . . . . . . . . . . . . . . . . . . . . . . .  5  6
     4.5.  copy . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
     4.6.  test . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
   5.  Error Handling . . . . . . . . . . . . . . . . . . . . . . . .  8  7
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 10
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 10
   Appendix A.  Examples  . . . . . . . . . . . . . . . . . . . . . . 10
     A.1.  Adding an Object Member  . . . . . . . . . . . . . . . . . 10
     A.2.  Adding an Array Element  . . . . . . . . . . . . . . . . . 11
     A.3.  Removing an Object Member  . . . . . . . . . . . . . . . . 11
     A.4.  Removing an Array Element  . . . . . . . . . . . . . . . . 11 12
     A.5.  Replacing a Value  . . . . . . . . . . . . . . . . . . . . 12
     A.6.  Moving a Value . . . . . . . . . . . . . . . . . . . . . . 12
     A.7.  Moving an Array Element  . . . . . . . . . . . . . . . . . 13
     A.8.  Testing a Value: Success . . . . . . . . . . . . . . . . . 14
     A.9.  Testing a Value: Error . . . . . . . . . . . . . . . . . . 14
     A.10. Adding a nested Member Object  . . . . . . . . . . . . . . 14
     A.11. Ignoring Unrecognized Elements . . . . . . . . . . . . . . 15
     A.12. Adding to a Non-existant Target  . . . . . . . . . . . . . 15
     A.13. Invalid JSON Patch Document  . . . . . . . . . . . . . . . 16
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16

1.  Introduction

   JavaScript Object Notation (JSON) [RFC4627] is a common format for
   the exchange and storage of structured data.  HTTP PATCH [RFC5789]
   extends the Hypertext Transfer Protocol (HTTP) [RFC2616] with a
   method to perform partial modifications to resources.

   JSON Patch is a format (identified by the media type "application/
   json-patch") for expressing a sequence of operations to apply to a
   target JSON document, suitable for use with the HTTP PATCH method.

   This format is also potentially useful in other cases when it's
   necessary to make partial updates to a JSON document.

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   See Section 5 for information about handling errors.

3.  Document Structure

   A JSON Patch document is a JSON [RFC4627] document whose root is that represents an
   array of objects.  Each object represents a single operation to be
   applied to the target JSON document.

   An example JSON Patch document:

   [
     { "op": "test", "path": "/a/b/c", "value": "foo" },
     { "op": "remove", "path": "/a/b/c" },
     { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] },
     { "op": "replace", "path": "/a/b/c", "value": 42 },
     { "op": "move", "path": "from": "/a/b/c", "to": "path": "/a/b/d" },
     { "op": "copy", "path": "from": "/a/b/d", "to": "path": "/a/b/e" }
   ]

   Evaluation of a JSON Patch document begins with a target JSON
   document.  Operations are applied sequentially in the order they
   appear in the array.  Each operation in the sequence is applied to
   the target document; the resulting document becomes the target of the
   next operation.  Evaluation continues until all operations are
   successfully applied, or an error condition is encountered.

4.  Operations

   Operation objects MUST have exactly one "op" member, whose value
   indicates the operation to perform.  Its value MUST be one of "add",
   "remove", "replace", "move", "copy" or "test".  The semantics of each
   is defined below.

   Additionally, operation objects MUST have exactly one "path" member,
   whose value MUST be a string containing a [JSON-Pointer] value that
   references the a location within the target document to perform the
   operation (the "target location").

   Other members of operation objects MUST be ignored, unless they are
   explicitly allowed by the definition of the operation.

   Note that the ordering of members in JSON objects is not significant;
   therefore, the following operations operation objects are equivalent:

   { "op": "add", "path": "/a/b/c", "value": "foo" }
   { "path": "/a/b/c", "op": "add", "value": "foo" }
   { "value": "foo", "path": "/a/b/c", "op": "add" }

   Operations are applied to the data structures represented by a JSON
   document; i.e., after unescaping takes place.

4.1.  add

   The "add" operation adds a new value at the target location.  The
   operation object MUST contain a "value" member that specifies the
   value to be added.

   For example:

   { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] }

   When the operation is applied, the target location MUST reference one
   of:

   o  the  The root of the target document, document - whereupon the specified value
      becomes the entire content of the target document.

   o  a  A member to add to an existing object, or object - whereupon the supplied
      value is added to that object at the indicated location.  If the
      member already exists, it is replaced by the specified value.

   o  an  An element to add to an existing array.

   For example:

   { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] }

   If array - whereupon the target location references an element of an existing array,
   any supplied
      value is added to the array at the indicated location.  Any
      elements at or above the specified index are shifted one position
      to the right.  The specified index MUST NOT be greater than the
      number of elements in the array.

   When  If the "-" character is used to
      index the end of the array, this has the effect of appending the
      value to the array.

   Note that this operation will, can, in common use, have a target location
   that does not resolve to an existing value, resulting in the
   pointer's error handling algorithm being invoked.  This specification
   defines the error handling algorithm for "add" pointers to explicitly
   ignore the error and perform the operation as specified.

   However, if the object or array containing it does not exist, it is
   an error.

   For example, "add"ing to the path "/a/b" to this document:

   { "a": { "foo": 1 } }

   is not an error, because "a" exists, and "b" will be added to its
   value.  It is an error in this document:

   { "q": { "bar": 2 } }

   because "a" does not exist.

4.2.  remove

   The "remove" operation removes the value at the target location.

   The target location MUST exist for the operation to be successful.

   For example:

   { "op": "remove", "path": "/a/b/c" }

   If removing an element from an array, any elements above the
   specified index are shifted one position to the left.

4.3.  replace

   The "replace" operation replaces the value at the target location
   with a new value.  The operation object MUST contain a "value" member
   that specifies the replacement value.

   The target location MUST exist for the operation to be successful.

   For example:

   { "op": "replace", "path": "/a/b/c", "value": 42 }

   This operation is functionally identical to expressing a "remove" operation for
   a value, followed immediately by an "add" operation at the same
   location with the replacement value.

4.4.  move

   The "move" operation removes the value at the target a specified location and
   adds it to another the target location.

   The operation object MUST contain a "to" "from" member, a string
   containing a JSON Pointer value that references the location in the
   target document to add move the value to. from.

   The "to" "from" location MUST reference one of:

   o exist for the member to add to an existing object, or
   o  an element to add operation to an existing array. be successful.

   For example:

   { "op": "move", "path": "from": "/a/b/c", "to": "path": "/a/b/d" }

   This operation is functionally identical to expressing a "remove" operation on
   the target "from" location, followed immediately by an "add" operation at
   the "to" target location with the value that was just removed.

   The target location in the "to" member MUST NOT be part of the location defined by "path";
   "from"; i.e., a location cannot be moved into one of its children.

4.5.  copy

   The location in "copy" operation copies the "to" member MUST NOT reference value at a member of an
   existing object in specified location to the
   target document, unless "path" and "to"
   specify the same object, which has no effect.

   If the location in the "to" member references an element of an
   existing array, any elements at or above the specified index are
   shifted one position to the right.  The specified index MUST NOT be
   greater than the number of elements in the array.

4.5.  copy

   The "copy" operation copies the value at the target location to
   another location.

   The operation object MUST contain a "to" "from" member, a string
   containing a JSON Pointer value that references the location in the
   target document to add copy the value to.

   This from.

   The "from" location MUST reference one of:

   o exist for the member to add to an existing object, or

   o  an element to add operation to an existing array. be successful.

   For example:

   { "op": "copy", "path": "from": "/a/b/c", "to": "path": "/a/b/e" }

   The location in the "to" member MUST NOT be part of the location
   defined by "path"; i.e., a location cannot be copied into one of its
   children.

   The location in the "to" member MUST NOT reference a member of

   This operation is functionally identical to an
   existing object in "add" operation at the
   target document, unless "path" and "to"
   specify the same object, which has no effect.

   If the location in the "to" member references an element of an
   existing array, any elements at or above the specified index are
   shifted one position to using the right.  The value specified index MUST NOT be
   greater than the number of elements in the array. "from".

4.6.  test

   The "test" operation tests that a value at the target location is
   equal to a specified value.

   The operation object MUST contain a "value" member that conveys the
   value to be compared to that at the target location.

   The target location MUST be equal to the "value" value for the
   operation to be considered successful.

   Here, "equal" means that the value at the target location and the
   value conveyed by "value" are of the same JSON type, and considered
   equal by the following rules for that type:

   o  strings: are considered equal if, after unescaping any sequence(s)
      in both strings starting with a reverse solidus, if they contain the same number of
      Unicode characters and their code points are position-wise equal.

   o  numbers: are considered equal if subtracting one from the other
      results in 0. their values are numerically
      equal.

   o  arrays: are considered equal if they contain the same number of
      values, and each value can be considered equal to the value at the
      corresponding position in the other array.

   o  objects: are considered equal if they contain the same number of
      members, and each member can be considered equal to a member in
      the other object, by comparing their keys as strings, and values
      using this list of type-specific rules.

   o  literals (false, true and null): are considered equal if they are
      the same.

   Note that this is a logical comparison; e.g., whitespace between the
   member values of an array is not significant.

   Also, note that ordering of the serialisation of object members is
   not significant.

   For example:

   { "op": "test", "path": "/a/b/c", "value": "foo" }

5.  Error Handling

   If a RFC2119 [RFC2119] requirement is violated by a JSON Patch
   document, or if an operation is not successful, evaluation of the
   JSON Patch document SHOULD terminate and application of the entire
   patch document SHALL NOT be deemed successful.

   See [RFC5789], Section 2.2 for considerations regarding handling
   errors when JSON Patch is used with the HTTP PATCH method, including
   suggested status codes to use to indicate various conditions.

   Note that as per [RFC5789], when used with the PATCH HTTP method, it PATCH method is atomic. atomic, as per [RFC5789].
   Therefore, the following patch would result in no changes being made
   to the document at all (because the "test" operation results in an
   error).

   [
     { "op": "replace", "path": "/a/b/c", "value": 42 },
     { "op": "test", "path": "/a/b/c", "value": "C" }
   ]

6.  IANA Considerations

   The Internet media type for a JSON Patch document is application/
   json-patch.

   Type name:  application

   Subtype name:  json-patch

   Required parameters:  none

   Optional parameters:   none

   Encoding considerations:  binary

   Security considerations:
      See Security Considerations in section 7.

   Interoperability considerations:  N/A

   Published specification:
      [this memo]

   Applications that use this media type:
      Applications that manipulate JSON documents.

   Additional information:

      Magic number(s):  N/A

      File extension(s):  .json-patch

      Macintosh file type code(s):  TEXT

   Person & email address to contact for further information:
      Paul C. Bryan <pbryan@anode.ca>

   Intended usage:  COMMON

   Restrictions on usage:  none

   Author:  Paul C. Bryan <pbryan@anode.ca>

   Change controller:  IETF

7.  Security Considerations

   This specification has the same security considerations as JSON
   [RFC4627] and [JSON-Pointer].

   A few older Web browsers can be coerced into loading an arbitrary
   JSON document whose root is an array, leading to a situation where a
   JSON Patch document containing sensitive information could be exposed
   to attackers, even if access is authenticated.  This is known as a
   Cross-Site Request Forgery (CSRF) attack [CSRF].

   However, such browsers are not widely used ( estimated to comprise
   less than 1% of the market, at the time of writing).  Publishers who
   are nevertheless concerned about this attack are advised to avoid
   making such documents available with HTTP GET.

8.  Acknowledgements

   The following individuals contributed ideas, feedback and wording to
   this specification:

      Mike Acar, Mike Amundsen, Cyrus Daboo, Paul Davis, Murray S.
      Kucherawy, Dean Landolt, Randall Leeds, James Manger, Julian
      Reschke, James Snell, Eli Stevens. Stevens and Henry S. Thompson.

   The structure of a JSON Patch document was influenced by the XML
   Patch document [RFC5261] specification.

9.  References

9.1.  Normative References

   [JSON-Pointer]
              Bryan, P. and K. P., Zyp, K., and M. Nottingham, "JSON Pointer",
              draft-ietf-appsawg-json-pointer-04
              draft-ietf-appsawg-json-pointer-06 (work in progress),
              March
              November 2012.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627, July 2006.

9.2.  Informative References

   [CSRF]     Barth, A., Jackson, C., and J. Mitchell, "Robust Defenses
              for Cross-Site Request Forgery".

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC5261]  Urpalainen, J., "An Extensible Markup Language (XML) Patch
              Operations Framework Utilizing XML Path Language (XPath)
              Selectors", RFC 5261, September 2008.

   [RFC5789]  Dusseault, L. and J. Snell, "PATCH Method for HTTP",
              RFC 5789, March 2010.

Appendix A.  Examples

A.1.  Adding an Object Member

   An example target JSON document:

   {
     "foo": "bar"
   }

   A JSON Patch document:

   [
     { "op": "add", "path": "/baz", "value": "qux" }
   ]
   The resulting JSON document:

   {
     "baz": "qux",
     "foo": "bar"
   }

A.2.  Adding an Array Element

   An example target JSON document:

   {
     "foo": [ "bar", "baz" ]
   }

   A JSON Patch document:

   [
     { "op": "add", "path": "/foo/1", "value": "qux" }
   ]

   The resulting JSON document:

   {
     "foo": [ "bar", "qux", "baz" ]
   }

A.3.  Removing an Object Member

   An example target JSON document:

   {
     "baz": "qux",
     "foo": "bar"
   }

   A JSON Patch document:

   [
     { "op": "remove", "path": "/baz" }
   ]

   The resulting JSON document:

   {
     "foo": "bar"
   }

A.4.  Removing an Array Element

   An example target JSON document:

   {
     "foo": [ "bar", "qux", "baz" ]
   }

   A JSON Patch document:

   [
     { "op": "remove", "path": "/foo/1" }
   ]

   The resulting JSON document:

   {
     "foo": [ "bar", "baz" ]
   }

A.5.  Replacing a Value

   An example target JSON document:

   {
     "baz": "qux",
     "foo": "bar"
   }

   A JSON Patch document:

   [
     { "op": "replace", "path": "/baz", "value": "boo" }
   ]

   The resulting JSON document:

   {
     "baz": "boo",
     "foo": "bar"
   }

A.6.  Moving a Value

   An example target JSON document:

   {
     "foo": {
       "bar": "baz",
       "waldo": "fred"
     }
     },
     "qux": {
       "corge": "grault"
     }
   }

   A JSON Patch document:

   [
     { "op": "move", "path": "from": "/foo/waldo", to: "path": "/qux/thud" }
   ]

   The resulting JSON document:

   {
     "foo": {
       "bar": "baz"
     }
     },
     "qux": {
       "corge": "grault",
       "thud": "fred"
     }
   }

A.7.  Moving an Array Element

   An example target JSON document:

   {
     "foo": [ "all", "grass", "cows", "eat" ]
   }

   A JSON Patch document:

   [
     { "op": "move", "path": "from": "/foo/1", "to": "path": "/foo/3" }
   ]

   The resulting JSON document:

   {
     "foo": [ "all", "cows", "eat", "grass" ]
   }

A.8.  Testing a Value: Success

   An example target JSON document:

   {
     "baz": "qux",
     "foo": [ "a", 2, "c" ]
   }

   A JSON Patch document that will result in successful evaluation:

   [
     { "op": "test", "path": "/baz", "value": "qux" },
     { "op": "test", "path": "/foo/1", "value": 2 }
   ]

A.9.  Testing a Value: Error

   An example target JSON document:

   {
     "baz": "qux"
   }

   A JSON Patch document that will result in an error condition:

   [
     { "op": "test", "path": "/baz", "value": "bar" }
   ]

A.10.  Adding a nested Member Object

   An example target JSON document:

   {
     "foo": "bar"
   }

   A JSON Patch document:

   [
     { "op": "add", "path": "/child", "value": { "grandchild": { } } }
   ]

   The resulting JSON document:

   {
     "foo": "bar",
     "child": {
       "grandchild": {
       }
     }
   }

A.11.  Ignoring Unrecognized Elements

   An example target JSON document:

   {
     "foo":"bar"
   }

   A JSON Patch document:

   [
     { "op":"add", "path":"/baz", "value":"qux", "xyz":123 "op": "add", "path": "/baz", "value": "qux", "xyz": 123 }
   ]

   The resulting JSON document:

   {
     "foo":"bar",
     "baz":"qux"
   }

A.12.  Adding to a Non-existant Target

   An example target JSON document:

   {
     "foo": "bar"
   }

   A JSON Patch document:

   [
     { "op": "add", "path": "/baz/bat", "value": "qux" }
   ]

   This JSON Patch document, applied to the target JSON document above,
   would result in an error (therefore not being applied) because the
   "add" operation's target location that references neither the root of
   the document, nor a member of an existing object, nor a member of an
   existing array.

A.13.  Invalid JSON Patch Document

   A JSON Patch document:

   [
     { "op":"add", "path":"/baz", "value":"qux", "op":"remove" "op": "add", "path": "/baz", "value": "qux", "op": "remove" }
   ]

   This JSON Patch document cannot be treated as an "add" operation
   since there is a later "op":"remove" element.  A JSON parser that
   hides such duplicate element names therefore cannot be used unless it
   always exposes only the last element with a given name (eg
   "op":"remove" in this example).

Authors' Addresses

   Paul C. Bryan (editor)
   Salesforce.com

   Phone: +1 604 783 1481
   Email: pbryan@anode.ca

   Mark Nottingham (editor)
   Akamai

   Email: mnot@mnot.net