wdiff draft-ietf-appsawg-xml-mediatypes-05.txt draft-ietf-appsawg-xml-mediatypes-06.txt

Network Working Group H. S. Thompson
Internet-Draft University of Edinburgh
Obsoletes: 3023 (if approved) C. Lilley
Updates: 6839 (if approved) W3C
Intended status: Standards Track November 19, December 05, 2013
Expires: May 23, June 08, 2014

XML Media Types
draft-ietf-appsawg-xml-mediatypes-05
draft-ietf-appsawg-xml-mediatypes-06

Abstract

This specification standardizes three media types -- application/xml,
application/xml-external-parsed-entity, and application/xml-dtd --
for use in exchanging network entities that are related to the
Extensible Markup Language (XML) while defining text/xml and text/
xml-external-parsed-entity as aliases for the respective application/
types. This specification also standardizes the '+xml' suffix for
naming media types outside of these five types when those media types
represent XML MIME entities.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 23, June 08, 2014.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Notational Conventions . . . . . . . . . . . . . . . . . . . 3
3. XML Media Types
2.1. Conformance Keywords . . . . . . . . . . . . . . . . . . 3
2.2. Characters, Encodings, Charsets . . . . . . . . . . . . . 4
3.1. Application/xml Registration
2.3. MIME Entities, XML Entities . . . . . . . . . . . . . . 5
3.2. Text/xml Registration . 4
3. Encoding Considerations . . . . . . . . . . . . . . . . . 7
3.3. Application/xml-external-parsed-entity Registration . . 5
3.1. XML MIME producers . 7
3.4. Text/xml-external-parsed-entity Registration . . . . . . 8
3.5. Application/xml-dtd Registration . . . . . . . . . . . . 8
3.6. Charset considerations 5
3.2. XML MIME consumers . . . . . . . . . . . . . . . . . 9
4. . . 6
3.3. The Byte Order Mark (BOM) and Charset Encoding Conversions . . . . . . 11
5. Fragment Identifiers . . 7
4. XML Media Types . . . . . . . . . . . . . . . . . . 12
6. The Base URI . . . . . 8
4.1. XML MIME Entities . . . . . . . . . . . . . . . . . . . 13
7. XML Versions . 8
4.2. Application/xml Registration . . . . . . . . . . . . . . 10
4.3. Text/xml Registration . . . . . . . . . 13
8. A Naming Convention for XML-Based Media Types . . . . . . . . 14
8.1. Referencing . 11
4.4. Application/xml-external-parsed-entity Registration . . . 11
4.5. Text/xml-external-parsed-entity Registration . . . . . . 12
4.6. Application/xml-dtd Registration . . . . . . . . . . . . 12
5. Fragment Identifiers . 15
8.2. +xml Structured Syntax Suffix Registration . . . . . . . 16
9. Examples . . . . . . . . . . . . 13
6. The Base URI . . . . . . . . . . . . . . 17
9.1. UTF-8 Charset . . . . . . . . . . 14
7. XML Versions . . . . . . . . . . . . 17
9.2. UTF-16 Charset . . . . . . . . . . . . 14
8. The '+xml' Naming Convention for XML-Based Media Types . . . 15
8.1. XML-based Media Types . . . . . . 18
9.3. Omitted Charset and 8-bit MIME entity . . . . . . . . . . 18
9.4. Omitted Charset and 16-bit MIME entity . . 15
8.2. +xml Structured Syntax Suffix Registration . . . . . . . 16
8.3. Registration guidelines for XML-based media types not
using '+xml' . . . . . . . . . . . . . . . . . . . . . . 18
9.5. Omitted Charset, no Internal Encoding Declaration and
UTF-8 Entity
9. Examples . . . . . . . . . . . . . . . . . . . . . . 19
9.6. UTF-16BE . . . . 18
9.1. UTF-8 Charset . . . . . . . . . . . . . . . . . . . . . . 19
9.7. Non-UTF
9.2. UTF-16 Charset . . . . . . . . . . . . . . . . . . . . . 19
9.3. Omitted Charset and 8-bit MIME Entity . . . . . . . . . . 20
9.8.
9.4. Omitted Charset with and 16-bit MIME Entity . . . . . . . . . 20
9.5. Omitted Charset, no Internal Encoding Declaration . . . 20
9.9. . 21
9.6. UTF-16BE Charset . . . . . . . . . . . . . . . . . . . . 21
9.7. Non-UTF Charset . . . . . . . . . . . . . . . . . . . . . 21
9.8. INCONSISTENT EXAMPLE: Conflicting Charset and Internal
Encoding Declaration . . . . . . . . . . . . . . . . . . 20
9.10. 22
9.9. INCONSISTENT EXAMPLE: Conflicting Charset and BOM . . . . 21 22
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 23
11. Security Considerations . . . . . . . . . . . . . . . . . . . 21 23
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 25
12.1. Normative References . . . . . . . . . . . . . . . . . . 23 25
12.2. Informative References . . . . . . . . . . . . . . . . . 25 27
Appendix A. Why Use the '+xml' Suffix for XML-Based MIME Types? 26 29
Appendix B. Core XML specifications . . . . . . . . . . . . . . 29
Appendix C. Changes from RFC 3023 . . . . . . . . . . . . . . . 26 30
Appendix C. D. Acknowledgements . . . . . . . . . . . . . . . . . . 26 30
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 31

1. Introduction

The World Wide Web Consortium has issued the Extensible Markup
Language (XML) 1.0 [XML] and Extensible Markup Language (XML) 1.1
[XML1.1] specifications. To enable the exchange of XML network
entities, this specification standardizes three media types --
application/xml, application/xml-external-parsed-entity, and
application/xml-dtd and two aliases -- text/xml and text/xml-
external-parsed-entity, as well as a naming convention for
identifying XML-based MIME media types (using '+xml').

XML has been used as a foundation for other media types, including
types in every branch of the IETF media types tree. To facilitate
the processing of such types, and in line with the recognition in
[RFC6838] of structured syntax name suffixes, a suffix of '+xml' is
described in Section 8. This will allow generic XML-based tools --
browsers, editors, search engines, and other processors -- to work
with all XML-based media types.

This specification replaces [RFC3023]. Major differences are in the
areas of alignment of charset handling for text/xml and text/xml-
external-parsed-entity text/xml-external-parsed-entity
with application/xml, application/xml and application/xml-external-parsed-entity
respectively, the addition of XPointer and XML Base as fragment
identifiers and base URIs, respectively, integration of the XPointer
Registry and updating of many references.

2. Notational Conventions

2.1. Conformance Keywords
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
specification are to be interpreted as described in [RFC2119].

As defined in [RFC2781] (informative),

2.2. Characters, Encodings, Charsets

Both XML (in an XML or Text declaration using the three character sets
"utf-16", "utf-16le", encoding pseudo-
attribute) and "utf-16be" are used MIME (in a Content-Type header field using the charset
parameter) use a common set of labels [IANA-charsets] to label UTF-16 text.
In this specification, "the UTF-16 family" refers identify the
MIME charset (mapping from byte stream to those three character sets. By contrast, sequence
[RFC2978]).

In this specification we will use the phrases "utf-16" or UTF-16 in this
specification "charset parameter" and
"encoding declaration" to refer specifically to whatever MIME charset is specified
by a MIME charset parameter or XML encoding declaration respectively.
We reserve the single phrase "character encoding" (or, when the context
makes the intention clear, simply "encoding") for the MIME charset "utf-16".
actually used in a particular XML MIME entity.

[UNICODE] defines three "encoding forms", which are independent of
serialization, namely UTF-8, UTF-16 and UTF-32. This specification
follows this precedent. Furthermore, note that UTF-16 XML documents
may be serialised into MIME entities in one of two ways: either big-
endian, labelled (optionally) "utf-16" or "utf-16be", or little-
endian, labelled (optionally) "utf-16" or "utf-16le". As UTF-8 can
only be serialized in one way, the only possible label for
UTF-8-encoded documents when serialised into MIME entities is
"utf-8".

2.3. MIME Entities, XML Entities

As sometimes happens between two communities, both MIME and XML have
defined the term entity, with different meanings. Section 2.4 of
[RFC2045] says:

"The term 'entity' refers specifically to the MIME-defined header
fields and contents of either a message or one of the parts in the
body of a multipart entity."

Section 4 of [XML] says:

"An XML document may consist of one or many storage units. These
are called entities; they all have content and are all (except for
the document entity and the external DTD subset) identified by
entity name".

In this specification, "XML MIME entity" is defined as the latter (an
XML entity) encapsulated in the former (a MIME entity).

Furthermore, XML provides for the naming and referencing of entities
for purposes of inclusion and/or substitution. In this specification
"XML-entity declaration/reference/..." is used to avoid confusion
when referring to such cases.

3. XML Media Types

Registration Encoding Considerations

The registrations below all address issues around character encoding
in the same way, by referencing this section.

As many as three distinct sources of information about character
encoding may be present for media types for use with an XML MIME entity: a charset parameter,
a Byte Order Mark (BOM -- see Section 3.3 below) and an XML encoding
declaration (see Section 4.3.3 of [XML]). Ensuring consistency among
these sources requires coordination between entity authors and MIME
agents (that is, processes which package, transfer, deliver and/or
receive MIME entities). Some MIME agents will be what we will call
"XML-aware", that is, capable of processing XML MIME entities is described in the sections below. Within and
detecting the XML
specification, such entities can encoding declaration (or its absence). Others will
not be classified into four types. In XML-aware, and thus cannot know anything about the XML terminology, they are called "document entities", "external
DTD subsets", "external parsed entities",
encoding declaration. Some MIME agents, such as proxies and "external parameter
entities". Appropriate usage for the types registered below is as
follows:

document entities The media types application/xml or text/xml MAY be
used.

external DTD subsets The media type application/xml-dtd SHOULD be
used. The media types application/xml
transcoders, both consume and text/xml MUST NOT be
used.

external parsed entities The media types application/xml-external-
parsed-entity or text/xml-external-parsed-entity produce MIME entities.

3.1. XML MIME producers

XML-aware MIME producers SHOULD be used.
The media types application/xml and text/xml MUST NOT be used
unless the parsed entities are also well-formed "document
entities" and are referenced as such.

external supply a charset parameter and/or an
appropriate BOM with non-UTF-8-encoded XML MIME entities The media type application/xml-dtd which lack
an encoding declaration, and SHOULD remove or correct an encoding
declaration which is known to be used. The media types application/xml and text/xml incorrect (for example, as a result
of transcoding).

XML-aware MIME producers MUST
NOT be used.

Note that [RFC3023] (which this specification obsoletes)
recommended supply an XML text declaration at the use
beginning of text/xml and text/xml-external-parsed-
entity for document entities and non-UNICODE XML external parsed entities,
respectively, but described charset handling entities which differed from
common implementation practice. These media types are still
commonly used, and this specification aligns the charset handling would
otherwise begin with industry practice.

Note that [RFC2376] (which is obsolete) allowed application/xml
and text/xml to be used for any of the four types, although hexadecimal octet sequences 0xFE 0xFF, 0xFF
0xFE or 0xEF 0xBB 0xBF, in
practice it is likely order to have been rare.

Neither external DTD subsets nor external avoid the mistaken detection of a
BOM.

XML-unaware MIME producers MUST NOT supply a charset parameter entities parse as with
an XML documents, and while some XML document entities may be used as
external parsed entities and vice versa, there are many cases where MIME entity unless the two are not interchangeable. entity's character encoding is reliably
known.

XML also has unparsed entities,
internal parsed entities, and internal parameter entities, but they MIME producers are not RECOMMENDED to provide means for XML MIME entities.

Compared
entity authors to determine what value, if any, is given to [RFC2376] or [RFC3023], this specification alters the charset handling
parameters for their entities, for example by enabling user-level
configuration of text/xml and text/xml-external-parsed-entity,
treating them no differently from the respective application/ types,
however application/xml and application/xml-external-parsed-entity
are still RECOMMENDED, to avoid possible confusion based filename-to-Content-Type-header mappings on the
earlier distinction. a file-
by-file or suffix basis.

The former confusion around use of UTF-32 is NOT RECOMMENDED for XML MIME entities.

3.2. XML MIME consumers

For XML MIME consumers, the question of
default priority arises in cases when
the available character sets encoding information is not consistent.
Again, we must distinguish betweeen XML-aware and XML-unaware agents.

When a charset parameter is specified for an XML MIME entity, the text/xml... types has been resolved by
[HTTPbis] changing [RFC2616] by removing
normative component of the ISO-8859-1 default and
not defining any default at all, as well [XML] specification leaves the question
open as [RFC6657] updating
[RFC2046] to remove the US-ASCII default. See Section 3.6 for the
now-unified approach how to determine the charset parameter encoding with which results.

XML provides a general framework for defining sequences of structured
data. It is often appropriate to define new media types that use XML
but define a specific application of XML, due attempt to domain-specific
display, editing, security considerations or runtime information.
Furthermore, such media types may allow only UTF-8 and/or UTF-16 and
prohibit other character sets.
process the entity. This is true independently of whether or not the
entity contains in-band encoding information, that is, either a BOM
(Section 3.3) or an XML encoding declaration, or both, or neither.
In particular, in the case where there is in-band information and it
conflicts with the charset parameter, the [XML] specification does
not prohibit
such media types and in fact expects them specify which is authoritative. In its (non-normative)
Appendix F it defers to proliferate. However,
developers this specification:

[T]he preferred method of such media types are RECOMMENDED handling conflict should be specified as
part of the higher-level protocol used to use deliver XML. In
particular, please refer to [IETF RFC 3023] or its successor...

Accordingly, to conform with deployed processors and content and to
avoid conflicting with this or other normative specifications, this
specification sets the priority as follows:

All consumers SHOULD treat a basis for their registration. See Section 8 for
more detailed recommendations on using BOM (Section 3.3) as authoritative if
it is present in an XML MIME entity. In the '+xml' suffix for
registration absence of such media types.

An XML document labeled as application/xml or text/xml, or with a
'+xml' media type, might contain namespace declarations, stylesheet-
linking processing instructions (PIs), schema information, or other
declarations that might be used to suggest how BOM
(Section 3.3), all consumers SHOULD treat the document charset parameter as
authoritative if it is to be
processed. present. For example, a document might have XML-aware consumers, note
that Section 4.3.3 of [XML] does _not_ make it an error for the XHTML namespace
charset parameter and a reference the XML encoding declaration (or the UTF-8
default in the absence of encoding declaration and BOM) to a CSS stylesheet. Such a document might be
handled by applications that would use
inconsistent, although such consumers might choose to issue a
warning in this information case.

When MIME producers conform to dispatch the document for appropriate processing.

3.1. Application/xml Registration

Type name: application
Subtype name: xml

Required parameters: none

Optional parameters: charset

See Section 3.6.

Encoding considerations: Depending on requirements stated above
(Section 3.1), such inconsistencies will not arise---this statement
of priorities only has practical impact in the case of non-conforming
XML MIME entities.

If an XML MIME entity is received where the charset parameter is
omitted, no information is being provided about the character
encoding used, XML by the MIME entities can consist Content-Type header. XML-aware consumers MUST
follow the requirements in section 4.3.3 of 7bit, 8bit [XML] that directly
address this case. XML-unaware MIME consumers SHOULD NOT assume a
default encoding in this case.

3.3. The Byte Order Mark (BOM) and Encoding Conversions

Section 4.3.3 of [XML] specifies thatUTF-16 XML MIME entitiesnot
labelled as "utf-16le" or binary data [RFC6838].
For 7-bit transports, 7bit data, for example data "utf16-be" MUST begin with charset a byte order
mark (BOM), U+FEFF, which appears as the hexadecimal octet sequence
0xFE 0xFF (big-endian) or 0xFF 0xFE (little-endian). [XML] further
states that the BOM is an encoding US-ASCII, does signature, and is not require content-transfer-encoding, but
8bit part of
either the markup or binary data, for example the character data with charset of the XML document.

Due to the presence of the BOM, applications that convert XML from
UTF-16 to an encoding other than UTF-8
or UTF-16, MUST be content-transfer-encoded in quoted-printable or
base64. For 8-bit clean transport (e.g. 8BITMIME ESMTP [RFC6152]
or NNTP [RFC3977]), 7bit or 8bit data, for example data with
charset strip the BOM before
conversion. Similarly, when converting from another encoding UTF-8 or US-ASCII, does not require content-
transfer-encoding, but binary data, for example data with into
UTF-16, either without a charset encoding from parameter, or labelled "utf-16", the UTF-16 family,
BOM MUST be content-transfer-
encoded in base64. For binary clean transports (e.g. BINARY
ESMTP [RFC3030] or HTTP [HTTPbis]), no content-transfer-encoding
is necessary (or even possible, in added unless the original encoding was UTF-8 and a BOM
was already present, in which case it MUST be transcoded into the
appropriate UTF-16 BOM.

Section 4.3.3 of HTTP) [XML] also allows for 7bit,
8bit or binary data.

Security considerations: See Section 11.

Interoperability considerations: UTF-8 XML has proven MIME entities to
begin with a BOM, which appears as the hexadecimal octet sequence
0xEF 0xBB 0xBF. This is likewise defined to be interoperable
across both generic and task-specific applications and for import
and export from multiple XML authoring an encoding
signature, and editing tools.
Validating processors provide maximum interoperability. Although
non-validating processors may be more efficient, they are not
required to handle all features of XML. For further information,
see sub-section 2.9 "Standalone Document Declaration" and section
5 "Conformance" part of [XML] .

Published specification: Extensible Markup Language (XML) 1.0 (Fifth
Edition) [XML] or subsequent editions either the markup or versions thereof. the character data of
the XML document.

Applications that use this media type: XML is device-, platform-,
and vendor-neutral and is supported by a wide range of generic convert XML
tools (editors, parsers, Web agents, ...), generic and task-
specific applications.

Additional information:

Magic number(s): None.

Although no byte sequences can be counted on from UTF-8 to always be an encoding other than
UTF-16 MUST strip the BOM, if present, before conversion.
Applications which convert XML into UTF-8 MAY add a BOM.

In addition to the MIME charset "utf-16", [RFC2781] introduces "utf-
16le" (little endian) and "utf-16be" (big endian). The BOM is
prohibited in MIME entities with these labels. When an XML MIME
entity is encoded in ASCII-compatible character sets
(including UTF-8) often "utf-16le" or "utf-16be", it MUST NOT begin with hexadecimal 3C 3F 78 6D 6C
("<?xml"), and those in
the BOM but SHOULD contain an in-band XML encoding declaration.
Conversion from UTF-8 or UTF-16 often begin (unlabelled, or labelled with hexadecimal FE
FF 00 3C 00 3F 00 78 00 6D 00 6C
"utf-16") to "utf-16be" or FF FE 3C 00 3F 00 78 00 6D
00 6C 00 (the Byte Order Mark (BOM) followed by "<?xml"). For
more information, see "utf-16le" MUST strip a BOM if present,
and conversion in the other direction MUST (for UTF-16) or MAY (for
UTF-8) add the appropriate BOM.

Appendix F of [XML].

File extension(s): .xml

Macintosh File Type Code(s): "TEXT"

Base URI: See Section 6

Person and email address for further information: See Authors'
Addresses section

Intended usage: COMMON

Author: See Authors' Addresses section

Change controller: The XML [XML] also implies the a UTF-32 BOM may be used in
conjunction with UTF-32-encoded documents. As noted above, this
specification recommends against the use of UTF-32, but if it is
used, the same considerations apply with respect to its being a work product
signature, not part of the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over this specification.

3.2. Text/xml Registration

text/xml is an alias for application/xml, document, with respect to transcoding into
or out of it and with respect to the MIME charsets "utf-32le" and
"utf-32be", as defined for UTF-16. Consumers which do not support UTF-32
SHOULD none-the-less recognise UTF-32 signatures in Section 3.1
above.

3.3. Application/xml-external-parsed-entity Registration

Type name: application

Subtype name: xml-external-parsed-entity

Required parameters: none

Optional parameters: charset

See Section 3.6.

Encoding considerations: Same as application/xml order to give
helpful error messages (instead of treating them as invalid UTF-16).

4. XML Media Types

Registration information for media types for use with XML MIME
entities is described in
Section 3.1.

Security considerations: See Section 11.

Interoperability considerations: the sections below, after some relevant
background information about XML external parsed itself.

4.1. XML MIME Entities

Within the XML specification, XML MIME entities are as
interoperable as can be classified
into four types. In the XML documents, though terminology, they have a less tightly
constrained structure are called "document
entities", "external DTD subsets", "external parsed entities", and therefore need to be referenced by XML
documents
"external parameter entities". Appropriate usage for proper handling by XML processors. Similarly, XML
documents cannot be reliably used the types
registered below is as external parsed entities
because external parsed entities are prohibited from having
standalone follows:

document declarations entities: The media types application/xml or DTDs. Identifying XML text/xml, or a
more specific media type (see Section 8), SHOULD be used.

external parsed entities with their own content DTD subsets: The media type should
enhance interoperability of both XML documents application/xml-dtd SHOULD be
used. The media types application/xml and XML text/xml MUST NOT be
used.

external parsed entities.

Published specification: Same as application/xml as described in
Section 3.1.

Applications which use this entities: The media type: Same as types application/xml-external-
parsed-entity or text/xml-external-parsed-entity SHOULD be used.
The media types application/xml as
described in Section 3.1.

Additional information:

Magic number(s): Same as application/xml as described in
Section 3.1.

File extension(s): .xml or .ent

Macintosh File Type Code(s): "TEXT"

Base URI: See Section 6

Person and email address for further information: See Authors'
Addresses section.

Intended usage: COMMON

Author: See Authors' Addresses section.

Change controller: The XML specification is a work product of text/xml MUST NOT be used
unless the
World Wide Web Consortium's XML Core Working Group. parsed entities are also well-formed "document
entities".

external parameter entities: The W3C has
change control over media type application/xml-dtd
SHOULD be used. The media types application/xml and text/xml MUST
NOT be used.

Note that [RFC3023] (which this specification.

3.4. Text/xml-external-parsed-entity Registration specification obsoletes) recommended
the use of text/xml and text/xml-external-parsed-entity is an alias for application/xml-
external-parsed-entity, as defined in Section 3.3 above.

3.5. Application/xml-dtd Registration

Type name: application
Subtype name: xml-dtd

Required parameters: none

Optional parameters: charset

See Section 3.6.

Encoding considerations: Same as Section 3.1.

Security considerations: See Section 11.

Interoperability considerations: XML DTDs have proven to be
interoperable by DTD authoring tools document
entities and XML validators, among
others.

Published specification: Same as application/xml as external parsed entities, respectively, but described in
Section 3.1.

Applications
handling of character encoding which use this differed from common
implementation practice. These media type: DTD authoring tools handle types are still commonly used,
and this specification aligns the handling of character encoding with
industry practice.

Note that [RFC2376] (which is obsolete) allowed application/xml and
text/xml to be used for any of the four types, although in practice
it is likely to have been rare.

Neither external DTD subsets as well as nor external parameter entities. XML
validators entities parse as
XML documents, and while some XML document entities may also access be used as
external DTD subsets parsed entities and external vice versa, there are many cases where
the two are not interchangeable. XML also has unparsed entities,
internal parsed entities, and internal parameter entities, but they
are not XML MIME entities.

Additional information:

Magic number(s): Same as application/xml as described in
Section 3.1.

File extension(s): .dtd

Compared to [RFC2376] or .mod

Macintosh File Type Code(s): "TEXT"

Person and email address for further information: See Authors'
Addresses section.

Intended usage: COMMON

Author: See Authors' Addresses section.

Change controller: The XML [RFC3023], this specification is a work product of alters the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over this specification.

3.6. Charset considerations

As many as three distinct sources
handling of information about character encoding may be present for an XML MIME entity: a charset parameter,
a Byte Order Mark (BOM -- see Section 4 below) and an XML encoding
declaration (see Section 4.3.3 of [XML]). Ensuring consistency among
these sources requires coordination between entity authors and MIME
agents (that is, processes which package, transfer, deliver and/or
receive MIME entities). Some MIME agents will be what we will call
"XML-aware", that is, capable of processing XML MIME entities text/xml and
detecting text/xml-external-
parsed-entity, treating them no differently from the XML encoding declaration (or its absence). Others will
not be XML-aware, respective
application/ types. However application/xml and thus cannot know anything about application/xml-
external-parsed-entity are still RECOMMENDED, to avoid possible
confusion based on the XML
encoding declaration. Some MIME agents, such as proxies and
transcoders, both consume earlier distinction. The former confusion
around the question of default character sets for the two text/ types
no longer arises because

[HTTPbis] changes [RFC2616] by removing the ISO-8859-1 default and produce MIME entities.

XML-aware MIME producers SHOULD supply a
not defining any default at all;

[RFC6657] updates [RFC2046] to remove the US-ASCII default.

See Section 3 for the now-unified approach to the charset parameter and/or an
appropriate BOM with non-UTF-8-encoded XML MIME entities which lack
an encoding declaration, and SHOULD remove or correct an encoding
declaration
which results.

XML provides a general framework for defining sequences of structured
data. It is known often appropriate to be incorrect (for example, as define new media types that use XML
but define a result specific application of transcoding).

XML-unaware MIME producers MUST NOT supply a charset parameter with
an XML MIME entity unless the entity's XML, due to domain-specific
display, editing, security considerations or runtime information.
Furthermore, such media types may allow only UTF-8 and/or UTF-16 and
prohibit other character encoding is reliably
known.

XML MIME producers sets. This specification does not prohibit
such media types and in fact expects them to proliferate. However,
developers of such media types are RECOMMENDED to provide means for XML MIME
entity authors to control the supply of charset parameters use this
specification as a basis for their
entities, registration. See Section 8 for example by enabling user-level configuration of
filename-to-Content-Type-header mappings
more detailed recommendations on a file-by-file or suffix
basis.

For XML MIME consumers, using the question '+xml' suffix for
registration of priority arises in cases when
the available character encoding information is not consistent.
Again, we must distinguish betweeen XML-aware and XML-unaware
processors.

When a charset parameter is specified for an such media types.

An XML MIME entity, then
regardless of whether or not the entity contains in-band encoding
information, that is, either a BOM (Section 4) document labeled as application/xml or an XML encoding
declaration text/xml, or both, with a
'+xml' media type, might contain namespace declarations, stylesheet-
linking processing instructions (PIs), schema information, or none, the normative component of the [XML]
specification leaves the question open as other
declarations that might be used to suggest how to determine the
encoding with which to attempt document is to process the entity. In particular,
in be
processed. For example, a document might have the case where there is in-band information XHTML namespace
and it conflicts with
the charset parameter, the [XML] specification does not specify which
should be taken a reference to a CSS stylesheet. Such a document might be authoritative. In its (non-normative)
Appendix F it defers to
handled by applications that would use this specification:

[T]he preferred method of handling conflict should be specified as
part of the higher-level protocol used to deliver XML. In
particular, please refer to [IETF RFC 3023] or its successor...

Accordingly, information to conform dispatch
the document for appropriate processing. Appendix B lists the core
XML specifications which, taken together with deployed processors and content and [XML] itself, show how
to
avoid conflicting with this or other normative specifications, this
specification sets the priority as follows:

All consumers SHOULD treat a BOM (Section 4) as authoritative if it
is present in determine an XML MIME entity. In document's semantics at both the absence of a BOM
(Section 4), all consumers SHOULD treat language level
and the charset parameter as
authoritative if it is present. For XML-aware consumers, note that application level.

4.2. Application/xml Registration

Type name: application

Subtype name: xml

Required parameters: none

Optional parameters: charset

See Section 4.3.3 of 3.

Encoding considerations: Depending on the [XML] specification character encoding used,
XML MIME entities can consist of 7bit, 8bit or binary data
[RFC6838]. For 7-bit transports, 7bit data, for example US-ASCII-
encoded data, does _not_ make it an error not require content-transfer-encoding, but 8bit
or binary data, for the charset parameter and the XML encoding declaration (or the example UTF-8 default in the absence of encoding declaration and BOM) to or UTF-16 data, MUST be
inconsistent, although such processors might choose to issue a
warning content-
transfer-encoded in this case.

When MIME producers conform to the requirements on them stated above,
such inconsistencies will quoted-printable or base64. For 8-bit clean
transport (e.g. 8BITMIME ESMTP [RFC6152] or NNTP [RFC3977]), 7bit
or 8bit data, for example US-ASCII or UTF-8 data, does not arise---this statement of priorities
only has practical impact require
content-transfer-encoding, but binary data, for example data with
a UTF-16 encoding, MUST be content-transfer-encoded in base64.
For binary clean transports (e.g. BINARY ESMTP [RFC3030] or HTTP
[HTTPbis]), no content-transfer-encoding is necessary (or even
possible, in the case of non-conforming HTTP) for 7bit, 8bit or binary data.

Security considerations: See Section 11.

Interoperability considerations: XML MIME
entities.

If an has proven to be interoperable
across both generic and task-specific applications and for import
and export from multiple XML MIME entity is received where the charset parameter is
omitted, no information is being provided about the charset by the
MIME Content-Type header. XML-aware processors MUST follow the
requirements in authoring and editing tools.
Validating processors provide maximum interoperability. Although
non-validating processors may be more efficient, they are not
required to handle all features of XML. For further information,
see sub-section 2.9 "Standalone Document Declaration" and section 4.3.3
5 "Conformance" of [XML] .

Published specification: Extensible Markup Language (XML) 1.0 (Fifth
Edition) [XML] or subsequent editions or versions thereof.

Applications that directly address this
case. XML-unaware MIME processors SHOULD NOT assume a default
charset in use this case.

4. The Byte Order Mark (BOM) media type: XML is device-, platform-,
and Charset Conversions

Section 4.3.3 vendor-neutral and is supported by generic and task-specific
applications and a wide range of [XML] specifies that generic XML tools (editors,
parsers, Web agents, ...).

Additional information:

Magic number(s): None.

Although no byte sequences can be counted on to always be
present, XML MIME entities in the
charset "utf-16" MUST ASCII-compatible character sets
(including UTF-8) often begin with a byte order mark (BOM), which is a hexadecimal octet sequence 0xFE 0xFF (or 0xFF 0xFE, depending on
endianness). 3C 3F 78 6D 6C
("<?xml"), and those in UTF-16 often begin with hexadecimal FE
FF 00 3C 00 3F 00 78 00 6D 00 6C or FF FE 3C 00 3F 00 78 00 6D
00 6C 00 (the Byte Order Mark (BOM) followed by "<?xml"). For
more information, see Appendix F of [XML].

File extension(s): .xml

Macintosh File Type Code(s): "TEXT"

Base URI: See Section 6

Person and email address for further information: See Authors'
Addresses section

Intended usage: COMMON

Author: See Authors' Addresses section

Change controller: The XML Recommendation further states that the BOM is
an encoding signature, and specification is not part a work product of either the markup or
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over this specification.

4.3. Text/xml Registration

The registration information for text/xml is in all respects the
character data same
as that given for application/xml above (Section 4.2).

4.4. Application/xml-external-parsed-entity Registration

Type name: application

Subtype name: xml-external-parsed-entity

Required parameters: none

Optional parameters: charset

See Section 3.

Encoding considerations: Same as for application/xml (Section 4.2).

Security considerations: See Section 11.

Interoperability considerations: XML external parsed entities are as
interoperable as XML documents, though they have a less tightly
constrained structure and therefore need to be referenced by XML
documents for proper handling by XML processors. Similarly, XML
documents cannot be reliably used as external parsed entities
because external parsed entities are prohibited from having
standalone document declarations or DTDs. Identifying XML
external parsed entities with their own content type enhances
interoperability of the both XML documents and XML external parsed
entities.

Published specification: Same as for application/xml (Section 4.2).

Applications which use this media type: Same as for application/xml
(Section 4.2).

Additional information:

Magic number(s): Same as for application/xml (Section 4.2).

File extension(s): .xml or .ent

Macintosh File Type Code(s): "TEXT"

Base URI: See Section 6

Person and email address for further information: See Authors'
Addresses section.

Intended usage: COMMON

Author: See Authors' Addresses section.

Change controller: The XML document.

Due to the presence specification is a work product of the BOM, applications that convert
World Wide Web Consortium's XML from
"utf-16" to an encoding other than "utf-8" MUST strip the BOM before
conversion. Similarly, when converting from another encoding into
"utf-16", the BOM MUST be added after conversion Core Working Group. The W3C has
change control over this specification.

4.5. Text/xml-external-parsed-entity Registration

The registration information for text/xml-external-parsed-entity is complete unless
the original encoding was "utf-8" and a BOM was already present,
in
which case it will have been transcoded into a "utf-16" BOM already. all respects the same as that given for application/xml-external-
parsed-entity above (Section 4.4).

4.6. Application/xml-dtd Registration

Type name: application

Subtype name: xml-dtd

Required parameters: none
Optional parameters: charset

See Section 4.3.3 of [XML] also allows 3.

Encoding considerations: Same as for application/xml (Section 4.2).

Security considerations: See Section 11.

Interoperability considerations: XML MIME entities in the
charset "utf-8" to begin with a byte order mark (BOM), which is a
hexadecimal octet sequence 0xEF 0xBB 0xBF, also defined DTDs have proven to be an
encoding signature,
interoperable by DTD authoring tools and not part of either the markup or the
character data of the XML document.

Applications that convert XML from "utf-8" to an encoding other than
"utf-16" MUST strip the BOM, if present, before conversion. validators, among
others.

Published specification: Same as for application/xml (Section 4.2).

Applications which convert XML into "utf-8" SHOULD add a BOM after
conversion is complete.

In addition to the charset "utf-16", [RFC2781] introduces "utf-16le"
(little endian) use this media type: DTD authoring tools handle
external DTD subsets as well as external parameter entities. XML
validators may also access external DTD subsets and "utf-16be" (big endian) external
parameter entities.

Additional information:

Magic number(s): Same as well. The BOM is
prohibited for these character sets. When an application/xml (Section 4.2).

File extension(s): .dtd or .mod

Macintosh File Type Code(s): "TEXT"

Person and email address for further information: See Authors'
Addresses section.

Intended usage: COMMON

Author: See Authors' Addresses section.

Change controller: The XML MIME entity specification is
encoded in "utf-16le" or "utf-16be", it MUST NOT begin with a work product of the BOM
but SHOULD contain an in-band
World Wide Web Consortium's XML encoding declaration. Conversion
from "utf-16"or "utf-8" to "utf-16be" or "utf-16le" and conversion in
the other direction MUST strip or add the appropriate BOM,
respectively. Core Working Group. The W3C has
change control over this specification.

5. Fragment Identifiers

Uniform Resource Identifiers (URIs) can contain fragment identifiers
(see Section 3.5 of [RFC3986]). Specifying the syntax and semantics
of fragment identifiers is devolved by [RFC3986] to the appropriate
media type registration.

The syntax and semantics of fragment identifiers for the XML media
types defined in this specification are based on the
[XPointerFramework] W3C Recommendation. It allows simple names, and
more complex constructions based on named schemes. When the syntax
of a fragment identifier part of any URI or IRI ([RFC3987]) with a
retrieved media type governed by this specification conforms to the
syntax specified in [XPointerFramework], conforming applications MUST
interpret such fragment identifiers as designating whatever is
specified by the [XPointerFramework] together with any other
specifications governing the XPointer schemes used in those
identifiers which the applications support. Conforming applications
MUST support the 'element' scheme as defined in [XPointerElement],
but need not support other schemes.

If an XPointer error is reported in the attempt to process the part,
this specification does not define an interpretation for the part.

A registry of XPointer schemes [XPtrReg] is maintained at the W3C.
Document authors SHOULD NOT use unregistered schemes. Scheme authors
SHOULD register their schemes ([XPtrRegPolicy] describes requirements
and procedures for doing so).

See Section 8.1 8.3 for additional requirements which apply when an XML-
based media type follows the naming convention '+xml'.

If [XPointerFramework] and [XPointerElement] are inappropriate for
some XML-based media type, it SHOULD NOT follow the naming convention
'+xml'.

When a URI has a fragment identifier, it is encoded by a limited
subset of the repertoire of US-ASCII [ASCII] characters, as defined
in [RFC3986]. see
[XPointerFramework] for details..

6. The Base URI

Section 5.1 of [RFC3986] specifies that the semantics of a relative
URI reference embedded in a MIME entity is dependent on the base URI.
The base URI is established by (1) the base URI embedded in content,
(2) the base URI from the encapsulating entity, (3) the base URI from
the Retrieval URI, or (4) the default base URI, in order of
precedence. [RFC3986] further specifies that the mechanism for
embedding the base URI is dependent on the media type.

This specification accordingly provides the following media type
dependent mechanism for embedding the base URI in a

An XML MIME entity of type application/xml, text/xml, application/xml-external-parsed-
entity application/
xml-external-parsed-entity or text/xml-external-parsed-entity: An XML MIME entity text/xml-external-parsed-entity MAY use
the xml:base attribute, as described in detail in [XMLBase], to
establish embed a base
URI for in that entity. entity for use in resolving relative URI references (see
Section 5.1 of [RFC3986]).

Note that the base URI itself might be embedded in a different MIME
entity, since the default value for the xml:base attribute can be
specified in an external DTD subset or external parameter entity.
Since conforming XML processors need not always read and process
external entities, the effect of such an external default is
uncertain and therefore its use is NOT RECOMMENDED.

7. XML Versions
application/xml, application/xml-external-parsed-entity, and
application/xml-dtd, text/xml and text/xml-external-parsed-entity are
to be used with [XML]. In all examples herein where version="1.0" is
shown, it is understood that version="1.1" might also appear,
providing the content does indeed conform to [XML1.1].

The normative requirement of this specification upon XML documents
and processors is to follow the requirements of [XML], section 4.3.3.
Except for minor clarifications, that section is substantially
identical from the first edition to the current (5th) edition of XML
1.0, and for XML 1.1 1st or 2nd edition [XML1.1]. Therefore,
references herein to [XML] may be interpreted as referencing any
existing version or edition of XML, or any subsequent edition or
version which makes no incompatible changes to that section.

Specifications and recommendations based on or referring to this RFC
SHOULD indicate any limitations on the particular versions or
editions of XML to be used.

8. A The '+xml' Naming Convention for XML-Based Media Types

This section supersedes the earlier registration of the '+xml' suffix
[RFC6839].

This specification recommends the use of a the '+xml' naming convention (a
suffix of '+xml')
for identifying XML-based media types, in line with the recognition
in [RFC6838] of structured syntax name suffixes. This allows the use
of generic XML processors and technologies on a wide variety of
different XML document types at a minimum cost, using existing
frameworks for media type registration.

8.1. XML-based Media Types

When a new media type is introduced for an XML-based format, the name
of the media type SHOULD end with '+xml' unless generic XML
processing is in some way inappropriate for documents of the new
type. This convention will allow applications that can process XML
generically to detect that the MIME entity is supposed to be an XML
document, verify this assumption by invoking some XML processor, and
then process the XML document accordingly. Applications may match check
for types that represent XML MIME entities by comparing the last four
characters of the subtype to the pattern '*/*+xml'. string '+xml'. (However note that 4
of the 5 media types defined in this specification -- text/xml,
application/xml, text/xml-
external-parsed-entity, text/xml-external-parsed-entity, and application/xml-external-parsed-entity application/
xml-external-parsed-entity -- also represent XML MIME entities while
not conforming to the '*/
*+xml' pattern.) ending with '+xml'.)
NOTE: Section 5.3.2HTTPbis [HTTPbis] does not support any form of
Accept header which will match only '+xml' types. In particular,
Accept headers of the form "Accept: */*+xml" are not allowed, and
so this header MUST NOT be used in for this way. purpose.

Media types following the naming convention '+xml' SHOULD introduce
the charset parameter for consistency, since XML-generic processing
applies the same program for any such media type. However, there are
some cases that the charset parameter need not be introduced. For
example:

When an XML-based media type is restricted to UTF-8, it is not
necessary to introduce the charset parameter. "UTF-8 only" is a
generic principle and UTF-8 is the
default of for XML.

When an XML-based media type is restricted to UTF-8 and UTF-16, it
might not be unreasonable to omit the charset parameter. Neither
UTF-8 nor UTF-16 require in-band XML encoding declarations.

XML generic processing is not always appropriate for XML-based media
types. For example, authors of some such media types may wish that
the types remain entirely opaque except to applications that are
specifically designed to deal with that media type. By NOT following
the naming convention '+xml', such media types can avoid XML-generic
processing. Since generic processing will be useful in many cases,
however -- including in some situations that are difficult to predict
ahead of time -- the '+xml' convention is to be preferred unless
there is some particularly compelling reason not to.

The registration process for specific '+xml' media types is described
in [RFC6838]. The registrar for the IETF tree will encourage new
XML-based media type registrations in the IETF tree to follow this
guideline. Registrars for other trees SHOULD follow this convention
in order to ensure maximum interoperability of their XML-based
documents. Similarly, media subtypes that do not represent XML MIME
entities MUST NOT be allowed to register with a '+xml' suffix.

In addition to the changes described above, the change controller has
been changed to be the World Wide Web Consortium (W3C).

8.1. Referencing

Registrations for new XML-based media types under top-level types
SHOULD, in specifying the charset parameter and encoding
considerations, define them as: "Same as [charset parameter /
encoding considerations] of application/xml as specified in RFC
XXXX."

Enabling the charset parameter is RECOMMENDED, since this information
can be used by XML processors to determine authoritatively the
charset of the XML MIME entity in the absence of a BOM. If there are
some reasons not to follow this advice, they SHOULD be included as
part of the registration. As shown above, two such reasons are
"UTF-8 only" or "UTF-8 or UTF-16 only".

These registrations SHOULD specify that the XML-based media type
being registered has all of the security considerations described in
RFC XXXX plus any additional considerations specific to that media
type.

These registrations SHOULD also make reference to RFC XXXX in
specifying magic numbers, base URIs, and use of the BOM.

These registrations MAY reference the application/xml registration in
RFC XXXX convention
in specifying order to ensure maximum interoperability considerations, if these
considerations are of their XML-based
documents. Media subtypes that do not overridden by issues specific represent XML MIME entities
MUST NOT be allowed to that media
type. register with a '+xml' suffix.

In addition to the changes described above, the change controller has
been changed to be the World Wide Web Consortium (W3C).

8.2. +xml Structured Syntax Suffix Registration

Name: Extensible Markup Language (XML)

+suffix: +xml

Reference: This specification
Encoding considerations: Same as Section 3.1. 4.2.

Fragment identifier considerations: Registrations which use this
'+xml' convention MUST also make reference to RFC XXXX,
specifically Section 5, in specifying fragment identifier syntax
and semantics, and they MAY restrict the syntax to a specified
subset of schemes, except that they MUST NOT disallow barenames or
'element' scheme pointers. They MAY further require support for
other registered schemes. They also MAY add additional syntax
(which MUST NOT overlap with [XPointerFramework] syntax) together
with associated semantics, and MAY add additional semantics for
barename XPointers which, as provided for in Section 5, will only
apply when this specification does not define an interpretation.

In practice these constraints imply that for a fragment
identifier addressed to an instance of a specific "xxx/yyy+xml"
type, there are three cases:

For fragment identifiers matching the syntax defined in
[XPointerFramework], where the fragment identifier resolves
per the rules specified there, then process as specified
there;

For fragment identifiers matching the syntax defined in
[XPointerFramework], where the fragment identifier does
_not_ resolve per the rules specified there, then process as
specified in "xxx/yyy+xml";

For fragment identifiers _not_ matching the syntax defined
in [XPointerFramework], then process as specified in "xxx/
yyy+xml". A fragment identifier of the form
"xywh=160,120,320,240", as defined in [MediaFrags], which
might be used form
"xywh=160,120,320,240", as defined in [MediaFrags], which
might be used in a URI for an XML-encoded image, would fall
in this category.

Interoperability considerations: Same as Section 4.2. See above,
and also Section 3, for guidelines on the use of the 'charset'
parameter.

Security considerations: See Section 11.

Contact: See Authors' Addresses section.

Author: See Authors' Addresses section.

Change controller: The XML specification is a work product of the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over this specification.

8.3. Registration guidelines for XML-based media types not using '+xml'

Registrations for new XML-based media types which do _not_ use the
'+xml' suffix SHOULD, in specifying the charset parameter and
encoding considerations, define them as: "Same as [charset parameter
/ encoding considerations] of application/xml as specified in RFC
XXXX."

Enabling the charset parameter is RECOMMENDED, since this information
can be used by XML processors to determine authoritatively the
character encoding of the XML MIME entity in the absence of a BOM.
If there are some reasons not to follow this advice, they SHOULD be
included as part of the registration. As shown above, two such
reasons are "UTF-8 only" or "UTF-8 or UTF-16 only".

These registrations SHOULD specify that the XML-based media type
being registered has all of the security considerations described in a URI for an XML-encoded image, would fall
RFC XXXX plus any additional considerations specific to that media
type.

These registrations SHOULD also make reference to RFC XXXX in this category.

Interoperability considerations: Same as Section 3.1. See above,
specifying magic numbers, base URIs, and also Section 3.6, for guidelines on the use of the 'charset'
parameter.

Security considerations: See Section 11.

Contact: See Authors' Addresses section.

Author: See Authors' Addresses section.

Change controller: The XML specification is a work product of BOM.

These registrations MAY reference the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over this specification. application/xml registration in
RFC XXXX in specifying interoperability and fragment identifier
considerations, if these considerations are not overridden by issues
specific to that media type.

9. Examples

This section is non-normative. In particular, note that all
[RFC2119] language herein reproduces or summarizes the consequences
of normative statements already made above, and has no independent
normative force, and accordingly does not appear in uppercase.

The examples below give the charset portion, if any, of the value of
the MIME Content-type header header, including the
charset parameter, if present and the XML declaration or Text
declaration (which includes the encoding declaration) inside the XML
MIME entity. For UTF-16 examples, the Byte Order Mark character
appropriately UTF-16-encoded is denoted as "{BOM}", and the XML or
Text declaration is assumed to come at the beginning of the XML MIME
entity, immediately following the encoded BOM. Note that other MIME
headers may be present, and the XML MIME entity may will normally contain
other data in addition to the XML declaration; the examples focus on
the Content-type header and the encoding declaration for clarity.

All

Although they show a content type of 'application/xml', all the
examples below apply to all five media types declared above in
Section 3, 4, as well as to any media types declared using the '+xml'
convention (with the exception of the examples involving the charset
parameter for any such media types which do not enable its use). See
the XML MIME entities table (Section 3, 4.1, Paragraph 2) 1) for discussion
of which types are appropriate for which varieties of XML MIME
entities.

9.1. UTF-8 Charset

Content-type charset: charset="utf-8"

Content-Type: application/xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>

This

<?xml version="1.0"?>

UTF-8 is the recommended encoding for use with all the media types
defined in this specification. Since the charset parameter is
provided and there is no overriding BOM, both MIME and XML processors
must treat the enclosed entity as UTF-8 encoded.

If sent using a 7-bit transport (e.g. SMTP [RFC5321]), the in general, a
UTF-8 XML MIME entity must use a content-transfer-encoding of either quoted-
printable
quoted-printable or base64. For an 8-bit clean transport (e.g.
8BITMIME ESMTP or NNTP), or a binary clean transport (e.g. BINARY
ESMTP or HTTP), no content-transfer-encoding is necessary (or even
possible, in the case of HTTP).

9.2. UTF-16 Charset

Content-type charset: charset="utf-16"

Content-Type: application/xml; charset=utf-16

{BOM}<?xml version="1.0" encoding="utf-16"?>
or

{BOM}<?xml version="1.0"?>

For application/... cases, the three application/ media types defined above, if sent using a
7-bit transport (e.g. SMTP) or an 8-bit clean transport (e.g.
8BITMIME ESMTP or NNTP), the XML MIME entity must be encoded in
quoted-printable or base64; for a binary clean transport (e.g.
BINARY ESMTP or HTTP), no content-
transfer-encoding content-transfer-encoding is necessary (or
even possible, in the case of HTTP).

As described in [RFC2781], the UTF-16 family must not be used with
media types under the top-level type "text" except over HTTP or HTTPS
(see section A.2 of HTTP [HTTPbis] for details). Hence one of the
two text/ media types defined above can be used with this example
is only possible in text/... cases exampleonly
when the XML MIME entity is transmitted via HTTP or HTTPS, which use
a MIME-like mechanism and are binary-clean protocols, hence do not
perform CR and LF transformations and allow NUL octets. Since HTTP
is binary clean, no content-transfer-encoding is necessary (or even
possible).

9.3. Omitted Charset and 8-bit MIME entity

Content-type charset: [none] Entity

Content-Type: application/xml

<?xml version="1.0" encoding="iso-8859-1"?>

Since the charset parameter is not provided in the Content-Type
header and there is no overriding BOM, XML processors must treat the
"iso-8859-1" encoding as authoritative. XML-unaware MIME processors
should make no assumptions about the charset character encoding of the XML
MIME entity.

9.4. Omitted Charset and 16-bit MIME entity

Content-type charset: [none] Entity

Content-Type: application/xml

{BOM}<?xml version="1.0" encoding="utf-16"?>

{BOM}<?xml version="1.0"?>

This example shows a 16-bit MIME entity with no charset parameter.
However since there is a BOM all processors must treat the entity as
UTF-16-encoded.

Omitting the charset parameter is not recommended for application/... in conjunction with
media types under the top-level type "application" when used with
transports other than HTTP or HTTPS. text/... Media types under the top-level
type "text" should not be used for 16-bit MIME with transports other
than HTTP or HTTPS (see discussion above (Section 9.2, Paragraph 6)). 7)).

9.5. Omitted Charset, no Internal Encoding Declaration and UTF-8 Entity

Content-type charset: [none]

Content-Type: application/xml

<?xml version='1.0'?>

In this example, the charset parameter has been omitted, there is no
internal encoding declaration, and there is no BOM. Since there is
no BOM or charset parameter, the XML processor follows the
requirements in section 4.3.3, and optionally applies the mechanism
described in Appendix F (which is non-normative) of [XML] to
determine the charset an encoding of UTF-8. Although the XML MIME entity does
not contain an encoding declaration, provided the encoding actually
_is_ UTF-8, so this is still a conforming XML MIME entity.

An XML-unaware MIME processor should make no assumptions about the
charset
character encoding of the XML MIME entity.

See Section 9.1 for transport-related issues for UTF-8 XML MIME
entities.

9.6. UTF-16BE Charset

Content-type charset: charset="utf-16be"

Content-Type: application/xml; charset=utf-16be

<?xml version='1.0' encoding='utf-16be'?>

Observe that the BOM does not exist. that, as required for this encoding, there is no BOM. Since
the charset parameter is provided and there is no overriding BOM,
MIME and XML processors must treat the enclosed entity as UTF-16BE
encoded.

See also the additional considerations in the UTF-16 example
(Section 9.2) above.

9.7. Non-UTF Charset

Content-type charset: charset="iso-2022-kr"

Content-Type: application/xml; charset=iso-2022-kr

<?xml version="1.0" encoding="iso-2022-kr"?>
This example shows the use of a non-UTF charset character encoding (in this
case Hangul, but this example is intended to cover all non-UTF-family
character
sets). encodings). Since the charset parameter is provided and
there is no overriding BOM, all processors must treat the enclosed
entity as encoded per RFC 1557.

Since ISO-2022-KR [RFC1557] has been defined to use only 7 bits of
data, no content-transfer-encoding is necessary with any transport:
for character sets needing 8 or more bits, considerations such as
those discussed above (Section 9.1, Section 9.2) would apply.

9.8. Omitted Charset with Internal Encoding Declaration

Content-type charset: [none]

<?xml version='1.0' encoding="iso-10646-ucs-4"?>

In this example, the charset parameter has been omitted, and there is
no BOM. However, the XML MIME entity does have an encoding
declaration inside the XML MIME entity that specifies the entity's
charset. Following the requirements in section 4.3.3, and optionally
applying the mechanism described in Appendix F (non-normative) of
[XML], the XML processor determines the charset encoding of the XML
MIME entity (in this example, UCS-4).

An XML-unaware MIME processor should make no assumptions about the
charset of the XML MIME entity.

For character sets needing 8 or more bits, considerations such as
those discussed above (Section 9.1, Section 9.2) would apply

9.9. INCONSISTENT EXAMPLE: Conflicting Charset and Internal Encoding
Declaration

Content-type charset: charset="iso-8859-1"

Content-Type: application/xml; charset=iso-8859-1

<?xml version="1.0" encoding="utf-8"?>

Although the charset parameter is provided in the Content-Type header
and there is no BOM and the charset parameter differs from the XML
encoding declaration, MIME and XML processors will interoperate.
Since the charset parameter is authoritative in the absence of a BOM,
all processors will treat the enclosed entity as iso-8859-1 encoded.
That is, the "UTF-8" encoding declaration will be ignored.

Processors generating XML MIME entities must not label conflicting
charset
character encoding information between the MIME Content-Type and the
XML declaration unless they have definitive information about the
actual encoding, for example as a result of systematic transcoding.
In particular, the addition by servers of an explicit, site-wide
charset parameter default has frequently lead to interoperability
problems for XML documents.

9.10.

9.9. INCONSISTENT EXAMPLE: Conflicting Charset and BOM

Content-type charset: charset="iso-8859-1"

Content-Type: application/xml; charset=iso-8859-1

{BOM}<?xml version="1.0"?>

Although the charset parameter is provided in the Content-Type
header, there is a BOM, so MIME and XML processors may not
interoperate. Since the BOM parameter is authoritative for XML
processors, they will treat the enclosed entity as UTF-16-encoded.
That is, the "iso-8859-1" charset parameter will be ignored. XML-
unaware MIME processors on the other hand may be unaware of the BOM
and so treat the entity as encoded in iso-8859-1.

Processors generating XML MIME entities must not label conflicting
charset
character encoding information between the MIME Content-Type and an entity-
initial
entity-initial BOM.

10. IANA Considerations

As described in Section 8, this specification updates the [RFC6839]
registration for XML-based MIME types (the "+xml" types).

11. Security Considerations

XML MIME entities contain information which may be parsed and further
processed by the recipient. These entities may contain, and
recipients may permit, explicit system level commands to be executed
while processing the data. To the extent that a recipient
application executes arbitrary command strings from within XML MIME
entities, they may be at risk.

In general, any information stored outside of the direct control of
the user -- including CSS style sheets, XSL transformations, XML-
entity declarations, and DTDs -- can be a source of insecurity, by
either obvious or subtle means. For example, a tiny "whiteout
attack" modification made to a "master" style sheet could make words
in critical locations disappear in user documents, without directly
modifying the user document or the stylesheet it references. Thus,
the security of any XML document is vitally dependent on all of the
documents recursively referenced by that document.

The XML-entity lists and DTDs for XHTML 1.0 [XHTML], for instance,
are likely to be a commonly used set of information. Many developers
will use and trust them, few of whom will know much about the level
of security on the W3C's servers, or on any similarly trusted
repository.

The simplest attack involves adding declarations that break
validation. Adding extraneous declarations to a list of character
XML-entities can effectively "break the contract" used by documents.
A tiny change that produces a fatal error in a DTD could halt XML
processing on a large scale. Extraneous declarations are fairly
obvious, but more sophisticated tricks, like changing attributes from
being optional to required, can be difficult to track down. Perhaps
the most dangerous option available to attackers, when external DTD
subsets or external parameter entities or other externally-specified
defaulting is involved, is redefining default values for attributes:
e.g. if developers have relied on defaulted attributes for security,
a relatively small change might expose enormous quantities of
information.

Apart from the structural possibilities, another option, "XML-entity
spoofing," can be used to insert text into documents, vandalizing and
perhaps conveying an unintended message. Because XML permits
multiple XML-entity declarations, and the first declaration takes
precedence, it is possible to insert malicious content where an XML-
entity reference is used, such as by inserting the full text of
Winnie the Pooh in place of every occurrence of &mdash;.

Security considerations will vary by domain of use. For example, XML
medical records will have much more stringent privacy and security
considerations than XML library metadata. Similarly, use of XML as a
parameter marshalling syntax necessitates a case by case security
review.

XML may also have some of the same security concerns as plain text.
Like plain text, XML can contain escape sequences that, when
displayed, have the potential to change the display processor
environment in ways that adversely affect subsequent operations.
Possible effects include, but are not limited to, locking the
keyboard, changing display parameters so subsequent displayed text is
unreadable, or even changing display parameters to deliberately
obscure or distort subsequent displayed material so that its meaning
is lost or altered. Display processors SHOULD either filter such
material from displayed text or else make sure to reset all important
settings after a given display operation is complete.

Some terminal devices have keys whose output, when pressed, can be
changed by sending the display processor a character sequence. If
this is possible the display of a text object containing such
character sequences could reprogram keys to perform some illicit or
dangerous action when the key is subsequently pressed by the user.
In some cases not only can keys be programmed, they can be triggered
remotely, making it possible for a text display operation to directly
perform some unwanted action. As such, the ability to program keys
SHOULD be blocked either by filtering or by disabling the ability to
program keys entirely.

Note that it is also possible to construct XML documents that make
use of what XML terms "[XML-]entity references" to construct repeated
expansions of text. Recursive expansions are prohibited by [XML] and
XML processors are required to detect them. However, even non-
recursive expansions may cause problems with the finite computing
resources of computers, if they are performed many times. For
example, consider the case where XML-entity A consists of 100 copies
of XML-entity B, which in turn consists of 100 copies of XML-entity
C, and so on.

12. References

12.1. Normative References

[HTTPbis] Fielding, R., Ed. and J. F. Reschke, Ed., "Hypertext
Transfer Protocol (HTTP/1.1)
[revised]", ietf-httpbis-p2-semantics (HTTP/1.1): Message Syntax and Routing",
draft-ietf-httpbis-p1-messaging-25 (work in progress),
September
November 2013.

[IANA-charsets]
IANA, "Character Sets Registry", 2013, <http://
www.iana.org/assignments/character-sets/character-
sets.xhtml>.

[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message
Bodies", RFC 2045, November 1996.

[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046,
November 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
10646", RFC 2781, February 2000.

[RFC2978] Freed, N. and J. Postel, "IANA Charset Registration
Procedures", RFC 2978, October 2000.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifiers (URI): Generic Syntax.", RFC 3986,
January 2005.

[RFC3987] Dueerst, M. and M. Suignard, "Internationalized Resource
Identifiers (IRIs)", RFC 3987, July 2005.

[RFC6657] Melnikov, A. and J. Reschke, "Update to MIME regarding
"charset" Parameter Handling in Textual Media Types", RFC
6657, July 2012,
<http://www.rfc-editor.org/rfc/rfc6657.txt>.

[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type
Specifications and Registration Procedures", BCP 13, RFC
6838, January 2013.

[RFC6839] Hansen, T. and A. Melnikov, "Additional Media Type
Structured Syntax Suffixes", RFC 6839, January 2013.

[UNICODE] The Unicode Consortium, "The Unicode Standard, Version
6.3.0", 2013,
<http://www.unicode.org/versions/Unicode6.3.0/>.

Defined by: The Unicode Standard, Version 6.3 (Mountain
View, CA: The Unicode Consortium, 2013. ISBN
978-1-936213-08-5)

[XML1.1] Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E.,
Yergeau, F., and J. Cowan, "Extensible Markup Language
(XML) 1.1 (Second Edition)", W3C Recommendation REC-xml,
September 2006,
<http://www.w3.org/TR/2006/REC-xml11-20060816/>.

Latest version available at

[XMLBase] Marsh, J. and R. Tobin, "XML Base (Second Edition)", W3C
Recommendation REC-xmlbase-20090128, January 2009,
<http://www.w3.org/TR/2009/REC-xmlbase-20090128/>.

Latest version available at

[XML] Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E.,
and F. Yergeau, "Extensible Markup Language (XML) 1.0
(Fifth Edition)", W3C Recommendation REC-xml, November
2008, <http://www.w3.org/TR/2008/REC-xml-20081126/>.

Latest version available at

[XPointerElement]
Grosso, P., Maler, E., Marsh, J., and N. Walsh, "XPointer
element() Scheme", W3C Recommendation REC-XPointer-
Element, March 2003,
<http://www.w3.org/TR/2003/REC-xptr-element-20030325/>.

Latest version available at

[XPointerFramework]
Grosso, P., Maler, E., Marsh, J., and N. Walsh, "XPointer
Framework", W3C Recommendation REC-XPointer-Framework,
March 2003,
<http://www.w3.org/TR/2003/REC-xptr-framework-20030325/>.

Latest version available at

[XPtrRegPolicy]
Hazael-Massieux, D., "XPointer Scheme Name Registry
Policy", 2005,
<http://www.w3.org/2005/04/xpointer-policy.html>.

[XPtrReg] Hazael-Massieux, D., "XPointer Registry", 2005,
<http://www.w3.org/2005/04/xpointer-schemes/>.

12.2. Informative References

[ASCII] American National Standards Institute, "Coded Character
Set -- 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986.

[AWWW] Jacobs, I. and N. Walsh, "Architecture of the World Wide
Web, Volume One", W3C Recommendation REC-webarch-20041215,
December 2004,
<http://www.w3.org/TR/2004/REC-webarch-20041215/>.

Latest version available at

[FYN] Mendelsohn, N., "The Self-Describing Web", W3C TAG Finding
selfDescribingDocuments-2009-02-07, February 2009, <http:/
/www.w3.org/2001/tag/doc/
selfDescribingDocuments-2009-02-07.html>.

Latest version available at

[Infoset] Cowan, J. and R. Tobin, "XML Information Set (Second
Edition)", W3C Recommendation REC-xml-infoset-20040204,
Febuary 2004,
<http://www.w3.org/TR/2005/REC-xml-id-20050909/>.

Latest version available at

[MediaFrags]
Troncy, R., Mannens, E., Pfeiffer, S., and D. Van Deursen,
"Media Fragments URI 1.0 (basic)", W3C Recommendation
media-frags, September 2012,
<http://www.w3.org/TR/2012/REC-media-frags-20120925/>.

Latest version available at

[RFC1557] Choi, U., Chon, K., and H. Park, "Korean Character
Encoding for Internet Messages", RFC 1557, December 1993.

[RFC2376] Whitehead, E. and M. Murata, "XML Media Types", RFC 2376,
July 1998.

[RFC2616] Fielding, R., Gettys, J., Mogul, J., Nielsen, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

[RFC3023] Murata, M., St.Laurent, S., and D. Kohn, "XML Media
Types", RFC 3023, January 2001.

[RFC3030] Vaudreuil, G., "SMTP Service Extensions for Transmission
of Large and Binary MIME Messages", RFC 3030, 2000.

[RFC3977] Feather, B., "Network News Transfer Protocol", RFC 3977,
October 2006.

[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
October 2008.

[RFC6152] Klensin, J., Freed, N., Rose, M., and D. Crocker, "SMTP
Service Extension for 8-bit MIME Transport", RFC 6152,
March 2011.

[TAGMIME] Bray, T., Ed., "Internet Media Type registration,
consistency of use", April 2004,
<http://www.w3.org/2001/tag/2004/0430-mime>.

[XHTML] Pemberton, S. and et al, "XHTML 1.0: The Extensible
HyperText Markup Language", W3C Recommendation xhtml1,
December 1999,
<http://www.w3.org/TR/2000/REC-xhtml1-20000126/>.

Latest version available at

[XMLModel]
Grosso, P. and J. Kosek, "Associating Schemas with XML
documents 1.0 (Third Edition)", W3C Group Note NOTE-xml-
model-20121009, October 2012,
<http://www.w3.org/TR/2012/NOTE-xml-model-20121009/>.

Latest version available at

[XMLNS10] Bray, T., Hollander, D., Layman, A., Tobin, R., and H.
Thompson, "Namespaces in XML 1.0 (Third Edition)", W3C
Recommendation REC-xml-names-20091208, December 2009,
<http://www.w3.org/TR/2009/REC-xml-names-20091208/>.

Latest version available at

[XMLNS11] Bray, T., Hollander, D., Layman, A., and R. Tobin,
"Namespaces in XML 1.1 (Second Edition)", W3C
Recommendation REC-xml-names11-20060816, August 2006,
<http://www.w3.org/TR/2006/REC-xml-names11-20060816/>.

Latest version available at

[XMLSS] Clark, J., Pieters, S., and H. Thompson, "Associating
Style Sheets with XML documents 1.0 (Second Edition)", W3C
Recommendation REC-xml-stylesheet-20101028, October 2010,
<http://www.w3.org/TR/2010/REC-xml-stylesheet-20101028/>.

Latest version available at

[XMLid] Marsh, J., Veillard, D., and N. Walsh, "xml:id Version
1.0", W3C Recommendation REC-xml-id-20050909, September
2005, <http://www.w3.org/TR/2005/REC-xml-id-20050909/>.

Latest version available at

Appendix A. Why Use the '+xml' Suffix for XML-Based MIME Types?

[RFC3023] contains a detailed discussion of the (at the time) novel
use of a suffix, a practice which has since become widespread.
Interested parties are referred to [RFC3023], Appendix A.

The registration process for new '+xml' media types is described in
[RFC6838]

Appendix B. Core XML specifications

The following specifications each articulate key aspects of XML
document semantics:

Namespaces in XML 1.0 [XMLNS10]/Namespaces in XML 1.1 [XMLNS11]

XML Information Set [Infoset]

xml:id [XMLid]

XML Base [XMLBase]

Associating Style Sheets with XML documents [XMLSS]

Associating Schemas with XML documents [XMLModel]

The W3C Technical Architecture group has produced two documents which
are also relevant:

The Self-Describing Web [FYN] discusses the overall principles of
how document semantics are determined on the Web.

Architecture of the World Wide Web, Volume One [AWWW], section
4.5.4, discusses the specific role of XML Namespace documents in
this process.

Appendix C. Changes from RFC 3023

There are numerous and significant differences between this
specification and [RFC3023], which it obsoletes. This appendix
summarizes the major differences only.

First,

XPointer ([XPointerFramework] and [XPointerElement]) has been
added as fragment identifier syntax for "application/xml", all the XML media types,
and the XPointer Registry ([XPtrReg]) mentioned. Second, mentioned

[XMLBase] has been added as a mechanism for specifying base URIs. Third, the URIs

The language regarding character sets was updated to correspond to
the W3C TAG finding Internet Media Type registration, consistency
of use
[TAGMIME]. Fourth, many [TAGMIME]

Priority is now given to a Byte Order Mark (BOM) if present

Many references are updated, and the existence of XML 1.1 and
relevance of this specification to it acknowledged.
Finally, a acknowledged

A number of justifications and contextualizations which were
appropriate when XML was new have been removed, including the
whole of the original Appendix A. A

Making BOMs authoritative is in principle a backwards-
incompatibility. In practice serious interoperability issues already
exist when BOMs are used. Making BOMs authoritative, in conjunction
with the deprecation of the UTF-32 encoding form and the requirement
to include an XML encoding declaration in certain cases
(Section 3.1), is intended to improve in-practice interoperability as
much as possible.

Appendix C. D. Acknowledgements

MURATA Makoto (FAMILY Given) and Alexey Melnikov made early and
important contributions to the effort to revise [RFC3023].

This specification reflects the input of numerous participants to the
ietf-xml-mime@imc.org, xml-mime@ietf.org and apps-discuss@ietf.org
mailing lists, though any errors are the responsibility of the
authors. Special thanks to:

Mark Baker, James Clark, Dan Connolly, Martin Duerst, Ned Freed,
Yaron Goland, Bjoern Hoehrmann, Rick Jelliffe, Murray S. Kucherawy,
Larry Masinter, David Megginson, S. Moonesamy, Keith Moore, Chris
Newman, Gavin Nicol, Julian Reschke, Marshall Rose, Jim Whitehead,
Erik Wilde and participants of the XML activity and the TAG at the
W3C.

Jim Whitehead and Simon St.Laurent were editors of [RFC2376] and
[RFC3023], respectively.

Authors' Addresses

Henry S. Thompson
University of Edinburgh

Email: ht@inf.ed.ac.uk
URI: http://www.ltg.ed.ac.uk/~ht/

Chris Lilley
World Wide Web Consortium
2004, Route des Lucioles - B.P. 93 06902
Sophia Antipolis Cedex
France

Email: chris@w3.org
URI: http://www.w3.org/People/chris/