draft-ietf-appsawg-xml-mediatypes-08.txt   draft-ietf-appsawg-xml-mediatypes-09.txt 
Network Working Group H. Thompson Network Working Group H. Thompson
Internet-Draft University of Edinburgh Internet-Draft University of Edinburgh
Obsoletes: 3023 (if approved) C. Lilley Obsoletes: 3023 (if approved) C. Lilley
Updates: 6839 (if approved) W3C Updates: 6839 (if approved) W3C
Intended status: Standards Track February 23, 2014 Intended status: Standards Track March 02, 2014
Expires: August 27, 2014 Expires: September 3, 2014
XML Media Types XML Media Types
draft-ietf-appsawg-xml-mediatypes-08 draft-ietf-appsawg-xml-mediatypes-09
Abstract Abstract
This specification standardizes three media types -- application/xml, This specification standardizes three media types -- application/xml,
application/xml-external-parsed-entity, and application/xml-dtd -- application/xml-external-parsed-entity, and application/xml-dtd --
for use in exchanging network entities that are related to the for use in exchanging network entities that are related to the
Extensible Markup Language (XML) while defining text/xml and text/ Extensible Markup Language (XML) while defining text/xml and text/
xml-external-parsed-entity as aliases for the respective application/ xml-external-parsed-entity as aliases for the respective application/
types. This specification also standardizes the '+xml' suffix for types. This specification also standardizes the '+xml' suffix for
naming media types outside of these five types when those media types naming media types outside of these five types when those media types
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 27, 2014. This Internet-Draft will expire on September 3, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 34 skipping to change at page 2, line 34
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Notational Conventions . . . . . . . . . . . . . . . . . . . 4 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 4
2.1. Conformance Keywords . . . . . . . . . . . . . . . . . . 4 2.1. Conformance Keywords . . . . . . . . . . . . . . . . . . 4
2.2. Characters, Encodings, Charsets . . . . . . . . . . . . . 4 2.2. Characters, Encodings, Charsets . . . . . . . . . . . . . 4
2.3. MIME Entities, XML Entities . . . . . . . . . . . . . . . 4 2.3. MIME Entities, XML Entities . . . . . . . . . . . . . . . 4
3. Encoding Considerations . . . . . . . . . . . . . . . . . . . 5 3. Encoding Considerations . . . . . . . . . . . . . . . . . . . 5
3.1. XML MIME producers . . . . . . . . . . . . . . . . . . . 6 3.1. XML MIME producers . . . . . . . . . . . . . . . . . . . 6
3.2. XML MIME consumers . . . . . . . . . . . . . . . . . . . 6 3.2. XML MIME consumers . . . . . . . . . . . . . . . . . . . 6
3.3. The Byte Order Mark (BOM) and Encoding Conversions . . . 7 3.3. The Byte Order Mark (BOM) and Encoding Conversions . . . 7
4. XML Media Types . . . . . . . . . . . . . . . . . . . . . . . 8 4. XML Media Types . . . . . . . . . . . . . . . . . . . . . . . 8
4.1. XML MIME Entities . . . . . . . . . . . . . . . . . . . . 9 4.1. XML MIME Entities . . . . . . . . . . . . . . . . . . . . 8
4.2. Application/xml Registration . . . . . . . . . . . . . . 10 4.2. Using '+xml' when Registering XML-based Media Types . . . 10
4.3. Text/xml Registration . . . . . . . . . . . . . . . . . . 12 4.3. Registration Guidelines for XML-based Media Types Not
4.4. Application/xml-external-parsed-entity Registration . . . 12 Using '+xml' . . . . . . . . . . . . . . . . . . . . . . 11
4.5. Text/xml-external-parsed-entity Registration . . . . . . 13 5. Fragment Identifiers . . . . . . . . . . . . . . . . . . . . 12
4.6. Application/xml-dtd Registration . . . . . . . . . . . . 13 6. The Base URI . . . . . . . . . . . . . . . . . . . . . . . . 13
5. Fragment Identifiers . . . . . . . . . . . . . . . . . . . . 14 7. XML Versions . . . . . . . . . . . . . . . . . . . . . . . . 13
6. The Base URI . . . . . . . . . . . . . . . . . . . . . . . . 15 8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 14
7. XML Versions . . . . . . . . . . . . . . . . . . . . . . . . 15 8.1. UTF-8 Charset . . . . . . . . . . . . . . . . . . . . . . 14
8. The '+xml' Naming Convention for XML-Based Media Types . . . 16 8.2. UTF-16 Charset . . . . . . . . . . . . . . . . . . . . . 15
8.1. +xml Structured Syntax Suffix Registration . . . . . . . 16 8.3. Omitted Charset and 8-bit MIME Entity . . . . . . . . . . 15
9. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 17 8.4. Omitted Charset and 16-bit MIME Entity . . . . . . . . . 15
9.1. UTF-8 Charset . . . . . . . . . . . . . . . . . . . . . . 18 8.5. Omitted Charset, no Internal Encoding Declaration . . . . 16
9.2. UTF-16 Charset . . . . . . . . . . . . . . . . . . . . . 18 8.6. UTF-16BE Charset . . . . . . . . . . . . . . . . . . . . 16
9.3. Omitted Charset and 8-bit MIME Entity . . . . . . . . . . 19 8.7. Non-UTF Charset . . . . . . . . . . . . . . . . . . . . . 17
9.4. Omitted Charset and 16-bit MIME Entity . . . . . . . . . 19 8.8. INCONSISTENT EXAMPLE: Conflicting Charset and Internal
9.5. Omitted Charset, no Internal Encoding Declaration . . . . 20 Encoding Declaration . . . . . . . . . . . . . . . . . . 17
9.6. UTF-16BE Charset . . . . . . . . . . . . . . . . . . . . 20 8.9. INCONSISTENT EXAMPLE: Conflicting Charset and BOM . . . . 17
9.7. Non-UTF Charset . . . . . . . . . . . . . . . . . . . . . 20
9.8. INCONSISTENT EXAMPLE: Conflicting Charset and Internal 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
Encoding Declaration . . . . . . . . . . . . . . . . . . 21 9.1. Application/xml Registration . . . . . . . . . . . . . . 18
9.9. INCONSISTENT EXAMPLE: Conflicting Charset and BOM . . . . 21 9.2. Text/xml Registration . . . . . . . . . . . . . . . . . . 19
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 9.3. Application/xml-external-parsed-entity Registration . . . 20
10.1. Using '+xml' when Registering XML-based Media Types . . 22 9.4. Text/xml-external-parsed-entity Registration . . . . . . 21
10.2. Registration Guidelines for XML-based Media Types Not 9.5. Application/xml-dtd Registration . . . . . . . . . . . . 21
Using '+xml' . . . . . . . . . . . . . . . . . . . . . . 23 9.6. The '+xml' Naming Convention for XML-Based Media Types . 22
11. Security Considerations . . . . . . . . . . . . . . . . . . . 24 9.6.1. +xml Structured Syntax Suffix Registration . . . . . 22
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 25 10. Security Considerations . . . . . . . . . . . . . . . . . . . 23
12.1. Normative References . . . . . . . . . . . . . . . . . . 25 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 25
12.2. Informative References . . . . . . . . . . . . . . . . . 28 11.1. Normative References . . . . . . . . . . . . . . . . . . 25
11.2. Informative References . . . . . . . . . . . . . . . . . 27
Appendix A. Why Use the '+xml' Suffix for XML-Based MIME Types? 30 Appendix A. Why Use the '+xml' Suffix for XML-Based MIME Types? 30
Appendix B. Core XML specifications . . . . . . . . . . . . . . 30 Appendix B. Core XML specifications . . . . . . . . . . . . . . 30
Appendix C. Changes from RFC 3023 . . . . . . . . . . . . . . . 31 Appendix C. Changes from RFC 3023 . . . . . . . . . . . . . . . 30
Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 31 Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31
1. Introduction 1. Introduction
The World Wide Web Consortium has issued the Extensible Markup The World Wide Web Consortium has issued the Extensible Markup
Language (XML) 1.0 [XML] and Extensible Markup Language (XML) 1.1 Language (XML) 1.0 [XML] and Extensible Markup Language (XML) 1.1
[XML1.1] specifications. To enable the exchange of XML network [XML1.1] specifications. To enable the exchange of XML network
entities, this specification standardizes three media types -- entities, this specification standardizes three media types --
application/xml, application/xml-external-parsed-entity, and application/xml, application/xml-external-parsed-entity, and
application/xml-dtd and two aliases -- text/xml and text/xml- application/xml-dtd and two aliases -- text/xml and text/xml-
external-parsed-entity, as well as a naming convention for external-parsed-entity, as well as a naming convention for
identifying XML-based MIME media types (using '+xml'). identifying XML-based MIME media types (using '+xml').
XML has been used as a foundation for other media types, including XML has been used as a foundation for other media types, including
types in every branch of the IETF media types tree. To facilitate types in every branch of the IETF media types tree. To facilitate
the processing of such types, and in line with the recognition in the processing of such types, and in line with the recognition in
[RFC6838] of structured syntax name suffixes, a suffix of '+xml' is [RFC6838] of structured syntax name suffixes, a suffix of '+xml' is
described in Section 8. This will allow generic XML-based tools -- registered in Section 9.6. This will allow generic XML-based tools
browsers, editors, search engines, and other processors -- to work -- browsers, editors, search engines, and other processors -- to work
with all XML-based media types. with all XML-based media types.
This specification replaces [RFC3023]. Major differences are in the This specification replaces [RFC3023]. Major differences are in the
areas of alignment of text/xml and text/xml-external-parsed-entity areas of alignment of text/xml and text/xml-external-parsed-entity
with application/xml and application/xml-external-parsed-entity with application/xml and application/xml-external-parsed-entity
respectively, the addition of XPointer and XML Base as fragment respectively, the addition of XPointer and XML Base as fragment
identifiers and base URIs, respectively, integration of the XPointer identifiers and base URIs, respectively, integration of the XPointer
Registry and updating of many references. Registry and updating of many references.
2. Notational Conventions 2. Notational Conventions
skipping to change at page 8, line 45 skipping to change at page 8, line 45
specification recommends against the use of UTF-32, but if it is specification recommends against the use of UTF-32, but if it is
used, the same considerations apply with respect to its being a used, the same considerations apply with respect to its being a
signature, not part of the document, with respect to transcoding into signature, not part of the document, with respect to transcoding into
or out of it and with respect to the MIME charsets "utf-32le" and or out of it and with respect to the MIME charsets "utf-32le" and
"utf-32be", as for UTF-16. Consumers which do not support UTF-32 "utf-32be", as for UTF-16. Consumers which do not support UTF-32
SHOULD none-the-less recognise UTF-32 signatures in order to give SHOULD none-the-less recognise UTF-32 signatures in order to give
helpful error messages (instead of treating them as invalid UTF-16). helpful error messages (instead of treating them as invalid UTF-16).
4. XML Media Types 4. XML Media Types
Registration information for media types for use with XML MIME
entities is described in the sections below, after some relevant
background information about XML itself.
4.1. XML MIME Entities 4.1. XML MIME Entities
Within the XML specification, XML MIME entities can be classified Within the XML specification, XML MIME entities can be classified
into four types. In the XML terminology, they are called "document into four types. In the XML terminology, they are called "document
entities", "external DTD subsets", "external parsed entities", and entities", "external DTD subsets", "external parsed entities", and
"external parameter entities". Appropriate usage for the types "external parameter entities". Appropriate usage for the types
registered below is as follows: registered below is as follows:
document entities: The media types application/xml or text/xml, or a document entities: The media types application/xml or text/xml, or a
more specific media type (see Section 8), SHOULD be used. more specific media type (see Section 9.6), SHOULD be used.
external DTD subsets: The media type application/xml-dtd SHOULD be external DTD subsets: The media type application/xml-dtd SHOULD be
used. The media types application/xml and text/xml MUST NOT be used. The media types application/xml and text/xml MUST NOT be
used. used.
external parsed entities: The media types application/xml-external- external parsed entities: The media types application/xml-external-
parsed-entity or text/xml-external-parsed-entity SHOULD be used. parsed-entity or text/xml-external-parsed-entity SHOULD be used.
The media types application/xml and text/xml MUST NOT be used The media types application/xml and text/xml MUST NOT be used
unless the parsed entities are also well-formed "document unless the parsed entities are also well-formed "document
entities". entities".
skipping to change at page 10, line 25 skipping to change at page 10, line 18
which results. which results.
XML provides a general framework for defining sequences of structured XML provides a general framework for defining sequences of structured
data. It is often appropriate to define new media types that use XML data. It is often appropriate to define new media types that use XML
but define a specific application of XML, due to domain-specific but define a specific application of XML, due to domain-specific
display, editing, security considerations or runtime information. display, editing, security considerations or runtime information.
Furthermore, such media types may allow only UTF-8 and/or UTF-16 and Furthermore, such media types may allow only UTF-8 and/or UTF-16 and
prohibit other character sets. This specification does not prohibit prohibit other character sets. This specification does not prohibit
such media types and in fact expects them to proliferate. However, such media types and in fact expects them to proliferate. However,
developers of such media types are RECOMMENDED to use this developers of such media types are RECOMMENDED to use this
specification as a basis for their registration. See Section 8 for specification as a basis for their registration. See Section 4.2 for
more detailed recommendations on using the '+xml' suffix for more detailed recommendations on using the '+xml' suffix for
registration of such media types. registration of such media types.
An XML document labeled as application/xml or text/xml, or with a An XML document labeled as application/xml or text/xml, or with a
'+xml' media type, might contain namespace declarations, stylesheet- '+xml' media type, might contain namespace declarations, stylesheet-
linking processing instructions (PIs), schema information, or other linking processing instructions (PIs), schema information, or other
declarations that might be used to suggest how the document is to be declarations that might be used to suggest how the document is to be
processed. For example, a document might have the XHTML namespace processed. For example, a document might have the XHTML namespace
and a reference to a CSS stylesheet. Such a document might be and a reference to a CSS stylesheet. Such a document might be
handled by applications that would use this information to dispatch handled by applications that would use this information to dispatch
the document for appropriate processing. Appendix B lists the core the document for appropriate processing. Appendix B lists the core
XML specifications which, taken together with [XML] itself, show how XML specifications which, taken together with [XML] itself, show how
to determine an XML document's language-level semantics and suggest to determine an XML document's language-level semantics and suggest
how information about its application-level semantics may be how information about its application-level semantics may be
locatable. locatable.
4.2. Application/xml Registration 4.2. Using '+xml' when Registering XML-based Media Types
Type name: application
Subtype name: xml
Required parameters: none
Optional parameters: charset
See Section 3.
Encoding considerations: Depending on the character encoding used,
XML MIME entities can consist of 7bit, 8bit or binary data
[RFC6838]. For 7-bit transports, 7bit data, for example US-ASCII-
encoded data, does not require content-transfer-encoding, but 8bit
or binary data, for example UTF-8 or UTF-16 data, MUST be content-
transfer-encoded in quoted-printable or base64. For 8-bit clean
transport (e.g. 8BITMIME ESMTP [RFC6152] or NNTP [RFC3977]), 7bit
or 8bit data, for example US-ASCII or UTF-8 data, does not require
content-transfer-encoding, but binary data, for example data with
a UTF-16 encoding, MUST be content-transfer-encoded in base64.
For binary clean transports (e.g. BINARY ESMTP [RFC3030] or HTTP
[HTTPbis]), no content-transfer-encoding is necessary (or even
possible, in the case of HTTP) for 7bit, 8bit or binary data.
Security considerations: See Section 11.
Interoperability considerations: XML has proven to be interoperable
across both generic and task-specific applications and for import
and export from multiple XML authoring and editing tools.
Validating processors provide maximum interoperability. Although
non-validating processors may be more efficient, they are not
required to handle all features of XML. For further information,
see sub-section 2.9 "Standalone Document Declaration" and section
5 "Conformance" of [XML] .
In practice, character set issues have proved to be the biggest
source of interoperability problems. The use of UTF-8, and
careful attention to the guidelines set out in Section 3, are the
best way to avoid such problems.
Published specification: Extensible Markup Language (XML) 1.0 (Fifth
Edition) [XML] or subsequent editions or versions thereof.
Applications that use this media type: XML is device-, platform-,
and vendor-neutral and is supported by generic and task-specific
applications and a wide range of generic XML tools (editors,
parsers, Web agents, ...).
Additional information:
Magic number(s): None.
Although no byte sequences can be counted on to always be
present, XML MIME entities in ASCII-compatible character sets
(including UTF-8) often begin with hexadecimal 3C 3F 78 6D 6C
("<?xml"), and those in UTF-16 often begin with hexadecimal FE
FF 00 3C 00 3F 00 78 00 6D 00 6C or FF FE 3C 00 3F 00 78 00 6D
00 6C 00 (the Byte Order Mark (BOM) followed by "<?xml"). For
more information, see Appendix F of [XML].
File extension(s): .xml
Macintosh File Type Code(s): "TEXT"
Base URI: See Section 6
Person and email address for further information: See Authors'
Addresses section
Intended usage: COMMON
Author: See Authors' Addresses section
Change controller: The XML specification is a work product of the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over this specification.
4.3. Text/xml Registration
The registration information for text/xml is in all respects the same
as that given for application/xml above (Section 4.2).
4.4. Application/xml-external-parsed-entity Registration
Type name: application
Subtype name: xml-external-parsed-entity
Required parameters: none
Optional parameters: charset
See Section 3.
Encoding considerations: Same as for application/xml (Section 4.2).
Security considerations: See Section 11.
Interoperability considerations: XML external parsed entities are as
interoperable as XML documents, though they have a less tightly
constrained structure and therefore need to be referenced by XML
documents for proper handling by XML processors. Similarly, XML
documents cannot be reliably used as external parsed entities
because external parsed entities are prohibited from having
standalone document declarations or DTDs. Identifying XML
external parsed entities with their own content type enhances
interoperability of both XML documents and XML external parsed
entities.
Published specification: Same as for application/xml (Section 4.2).
Applications which use this media type: Same as for application/xml
(Section 4.2).
Additional information:
Magic number(s): Same as for application/xml (Section 4.2).
File extension(s): .xml or .ent
Macintosh File Type Code(s): "TEXT"
Base URI: See Section 6
Person and email address for further information: See Authors'
Addresses section.
Intended usage: COMMON
Author: See Authors' Addresses section.
Change controller: The XML specification is a work product of the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over this specification.
4.5. Text/xml-external-parsed-entity Registration
The registration information for text/xml-external-parsed-entity is
in all respects the same as that given for application/xml-external-
parsed-entity above (Section 4.4).
4.6. Application/xml-dtd Registration
Type name: application
Subtype name: xml-dtd
Required parameters: none
Optional parameters: charset
See Section 3.
Encoding considerations: Same as for application/xml (Section 4.2). In Section 9.6, this specification updates the [RFC6839] registration
for XML-based MIME types (the '+xml' types).
Security considerations: See Section 11. When a new media type is introduced for an XML-based format, the name
of the media type SHOULD end with '+xml' unless generic XML
processing is in some way inappropriate for documents of the new
type. This convention will allow applications that can process XML
generically to detect that the MIME entity is supposed to be an XML
document, verify this assumption by invoking some XML processor, and
then process the XML document accordingly. Applications may check
for types that represent XML MIME entities by comparing the last four
characters of the subtype to the string '+xml'. (However note that 4
of the 5 media types defined in this specification -- text/xml,
application/xml, text/xml-external-parsed-entity, and application/
xml-external-parsed-entity -- also represent XML MIME entities while
not ending with '+xml'.)
NOTE: Section 5.3.2 of HTTPbis [HTTPbis] does not support any form
of Accept header which will match only '+xml' types. In
particular, Accept headers of the form "Accept: */*+xml" are not
allowed, and so this header MUST NOT be used for this purpose.
Interoperability considerations: XML DTDs have proven to be Media types following the naming convention '+xml' SHOULD introduce
interoperable by DTD authoring tools and XML validators, among the charset parameter for consistency, since XML-generic processing
others. applies the same program for any such media type. However, there are
some cases that the charset parameter need not be introduced. For
example:
Published specification: Same as for application/xml (Section 4.2). When an XML-based media type is restricted to UTF-8, it is not
necessary to introduce the charset parameter. UTF-8 is the
default for XML.
Applications which use this media type: DTD authoring tools handle When an XML-based media type is restricted to UTF-8 and UTF-16, it
external DTD subsets as well as external parameter entities. XML might not be unreasonable to omit the charset parameter. Neither
validators may also access external DTD subsets and external UTF-8 nor UTF-16 require XML encoding declarations.
parameter entities.
Additional information: XML generic processing is not always appropriate for XML-based media
types. For example, authors of some such media types may wish that
the types remain entirely opaque except to applications that are
specifically designed to deal with that media type. By NOT following
the naming convention '+xml', such media types can avoid XML-generic
processing. Since generic processing will be useful in many cases,
however -- including in some situations that are difficult to predict
ahead of time -- the '+xml' convention is to be preferred unless
there is some particularly compelling reason not to.
Magic number(s): Same as for application/xml (Section 4.2). The registration process for specific '+xml' media types is described
in [RFC6838]. The registrar for the IETF tree will encourage new
XML-based media type registrations in the IETF tree to follow this
guideline. Registrars for other trees SHOULD follow this convention
in order to ensure maximum interoperability of their XML-based
documents. Only media subtypes that represent XML MIME entities are
allowed to register with a '+xml' suffix.
File extension(s): .dtd or .mod In addition to the changes described above, the change controller has
been changed to be the World Wide Web Consortium (W3C).
Macintosh File Type Code(s): "TEXT" 4.3. Registration Guidelines for XML-based Media Types Not Using '+xml'
Person and email address for further information: See Authors' Registrations for new XML-based media types which do _not_ use the
Addresses section. '+xml' suffix SHOULD, in specifying the charset parameter and
encoding considerations, define them as: "Same as [charset parameter
/ encoding considerations] of application/xml as specified in RFC
XXXX."
Enabling the charset parameter is RECOMMENDED, since this information
can be used by XML processors to determine authoritatively the
character encoding of the XML MIME entity in the absence of a BOM.
If there are some reasons not to follow this advice, they SHOULD be
included as part of the registration. As shown above, two such
reasons are "UTF-8 only" or "UTF-8 or UTF-16 only".
Intended usage: COMMON These registrations SHOULD specify that the XML-based media type
being registered has all of the security considerations described in
RFC XXXX plus any additional considerations specific to that media
type.
Author: See Authors' Addresses section. These registrations SHOULD also make reference to RFC XXXX in
specifying magic numbers, base URIs, and use of the BOM.
Change controller: The XML specification is a work product of the These registrations MAY reference the application/xml registration in
World Wide Web Consortium's XML Core Working Group. The W3C has RFC XXXX in specifying interoperability and fragment identifier
change control over this specification. considerations, if these considerations are not overridden by issues
specific to that media type.
5. Fragment Identifiers 5. Fragment Identifiers
Uniform Resource Identifiers (URIs) can contain fragment identifiers Uniform Resource Identifiers (URIs) can contain fragment identifiers
(see Section 3.5 of [RFC3986]). Specifying the syntax and semantics (see Section 3.5 of [RFC3986]). Specifying the syntax and semantics
of fragment identifiers is devolved by [RFC3986] to the appropriate of fragment identifiers is devolved by [RFC3986] to the appropriate
media type registration. media type registration.
The syntax and semantics of fragment identifiers for the XML media The syntax and semantics of fragment identifiers for the XML media
types defined in this specification are based on the types defined in this specification are based on the
skipping to change at page 15, line 19 skipping to change at page 13, line 5
but need not support other schemes. but need not support other schemes.
If an XPointer error is reported in the attempt to process the part, If an XPointer error is reported in the attempt to process the part,
this specification does not define an interpretation for the part. this specification does not define an interpretation for the part.
A registry of XPointer schemes [XPtrReg] is maintained at the W3C. A registry of XPointer schemes [XPtrReg] is maintained at the W3C.
Document authors SHOULD NOT use unregistered schemes. Scheme authors Document authors SHOULD NOT use unregistered schemes. Scheme authors
SHOULD register their schemes ([XPtrRegPolicy] describes requirements SHOULD register their schemes ([XPtrRegPolicy] describes requirements
and procedures for doing so). and procedures for doing so).
See Section 10.2 for additional requirements which apply when an XML- See Section 4.2 for additional requirements which apply when an XML-
based media type follows the naming convention '+xml'. based media type follows the naming convention '+xml'.
If [XPointerFramework] and [XPointerElement] are inappropriate for If [XPointerFramework] and [XPointerElement] are inappropriate for
some XML-based media type, it SHOULD NOT follow the naming convention some XML-based media type, it SHOULD NOT follow the naming convention
'+xml'. '+xml'.
When a URI has a fragment identifier, it is encoded by a limited When a URI has a fragment identifier, it is encoded by a limited
subset of the repertoire of US-ASCII characters, see subset of the repertoire of US-ASCII characters, see
[XPointerFramework] for details.. [XPointerFramework] for details..
skipping to change at page 16, line 18 skipping to change at page 14, line 5
identical from the first edition to the current (5th) edition of XML identical from the first edition to the current (5th) edition of XML
1.0, and for XML 1.1 1st or 2nd edition [XML1.1]. Therefore, 1.0, and for XML 1.1 1st or 2nd edition [XML1.1]. Therefore,
references herein to [XML] may be interpreted as referencing any references herein to [XML] may be interpreted as referencing any
existing version or edition of XML, or any subsequent edition or existing version or edition of XML, or any subsequent edition or
version which makes no incompatible changes to that section. version which makes no incompatible changes to that section.
Specifications and recommendations based on or referring to this RFC Specifications and recommendations based on or referring to this RFC
SHOULD indicate any limitations on the particular versions or SHOULD indicate any limitations on the particular versions or
editions of XML to be used. editions of XML to be used.
8. The '+xml' Naming Convention for XML-Based Media Types 8. Examples
This section supersedes the earlier registration of the '+xml' suffix
[RFC6839].
This specification recommends the use of the '+xml' naming convention
for identifying XML-based media types, in line with the recognition
in [RFC6838] of structured syntax name suffixes. This allows the use
of generic XML processors and technologies on a wide variety of
different XML document types at a minimum cost, using existing
frameworks for media type registration.
See Section 10 for guidance on when and how to register a
'+xml'-based media subtype, and on registering a media subtype for
XML but _not_ using '+xml'.
8.1. +xml Structured Syntax Suffix Registration
Name: Extensible Markup Language (XML)
+suffix: +xml
Reference: This specification
Encoding considerations: Same as Section 4.2.
Fragment identifier considerations: Registrations which use this
'+xml' convention MUST also make reference to RFC XXXX,
specifically Section 5, in specifying fragment identifier syntax
and semantics, and they MAY restrict the syntax to a specified
subset of schemes, except that they MUST NOT disallow barenames or
'element' scheme pointers. They MAY further require support for
other registered schemes. They also MAY add additional syntax
(which MUST NOT overlap with [XPointerFramework] syntax) together
with associated semantics, and MAY add additional semantics for
barename XPointers which, as provided for in Section 5, will only
apply when this specification does not define an interpretation.
In practice these constraints imply that for a fragment
identifier addressed to an instance of a specific "xxx/yyy+xml"
type, there are three cases:
For fragment identifiers matching the syntax defined in
[XPointerFramework], where the fragment identifier resolves
per the rules specified there, then process as specified
there;
For fragment identifiers matching the syntax defined in
[XPointerFramework], where the fragment identifier does
_not_ resolve per the rules specified there, then process as
specified in "xxx/yyy+xml";
For fragment identifiers _not_ matching the syntax defined
in [XPointerFramework], then process as specified in "xxx/
yyy+xml". A fragment identifier of the form
"xywh=160,120,320,240", as defined in [MediaFrags], which
might be used in a URI for an XML-encoded image, would fall
in this category.
Interoperability considerations: Same as Section 4.2. See above,
and also Section 3, for guidelines on the use of the 'charset'
parameter.
Security considerations: See Section 11.
Contact: See Authors' Addresses section.
Author: See Authors' Addresses section.
Change controller: The XML specification is a work product of the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over this specification.
9. Examples
This section is non-normative. In particular, note that all This section is non-normative. In particular, note that all
[RFC2119] language herein reproduces or summarizes the consequences [RFC2119] language herein reproduces or summarizes the consequences
of normative statements already made above, and has no independent of normative statements already made above, and has no independent
normative force, and accordingly does not appear in uppercase. normative force, and accordingly does not appear in uppercase.
The examples below give the MIME Content-type header, including the The examples below give the MIME Content-type header, including the
charset parameter, if present and the XML declaration or Text charset parameter, if present and the XML declaration or Text
declaration (which includes the encoding declaration) inside the XML declaration (which includes the encoding declaration) inside the XML
MIME entity. For UTF-16 examples, the Byte Order Mark character MIME entity. For UTF-16 examples, the Byte Order Mark character
appropriately UTF-16-encoded is denoted as "{BOM}", and the XML or appropriately UTF-16-encoded is denoted as "{BOM}", and the XML or
Text declaration is assumed to come at the beginning of the XML MIME Text declaration is assumed to come at the beginning of the XML MIME
entity, immediately following the encoded BOM. Note that other MIME entity, immediately following the encoded BOM. Note that other MIME
headers may be present, and the XML MIME entity will normally contain headers may be present, and the XML MIME entity will normally contain
other data in addition to the XML declaration; the examples focus on other data in addition to the XML declaration; the examples focus on
the Content-type header and the encoding declaration for clarity. the Content-type header and the encoding declaration for clarity.
Although they show a content type of 'application/xml', all the Although they show a content type of 'application/xml', all the
examples below apply to all five media types declared above in examples below apply to all five media types declared below in
Section 4, as well as to any media types declared using the '+xml' Section 9, as well as to any media types declared using the '+xml'
convention (with the exception of the examples involving the charset convention (with the exception of the examples involving the charset
parameter for any such media types which do not enable its use). See parameter for any such media types which do not enable its use). See
the XML MIME entities table (Section 4.1, Paragraph 1) for discussion the XML MIME entities table (Section 4.1, Paragraph 1) for discussion
of which types are appropriate for which varieties of XML MIME of which types are appropriate for which varieties of XML MIME
entity. entity.
9.1. UTF-8 Charset 8.1. UTF-8 Charset
Content-Type: application/xml; charset=utf-8 Content-Type: application/xml; charset=utf-8
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
or or
<?xml version="1.0"?> <?xml version="1.0"?>
UTF-8 is the recommended encoding for use with all the media types UTF-8 is the recommended encoding for use with all the media types
skipping to change at page 18, line 47 skipping to change at page 15, line 5
provided and there is no overriding BOM, conformant MIME and XML provided and there is no overriding BOM, conformant MIME and XML
processors must treat the enclosed entity as UTF-8 encoded. processors must treat the enclosed entity as UTF-8 encoded.
If sent using a 7-bit transport (e.g. SMTP [RFC5321]), in general, a If sent using a 7-bit transport (e.g. SMTP [RFC5321]), in general, a
UTF-8 XML MIME entity must use a content-transfer-encoding of either UTF-8 XML MIME entity must use a content-transfer-encoding of either
quoted-printable or base64. For an 8-bit clean transport (e.g. quoted-printable or base64. For an 8-bit clean transport (e.g.
8BITMIME ESMTP or NNTP), or a binary clean transport (e.g. BINARY 8BITMIME ESMTP or NNTP), or a binary clean transport (e.g. BINARY
ESMTP or HTTP), no content-transfer-encoding is necessary (or even ESMTP or HTTP), no content-transfer-encoding is necessary (or even
possible, in the case of HTTP). possible, in the case of HTTP).
9.2. UTF-16 Charset 8.2. UTF-16 Charset
Content-Type: application/xml; charset=utf-16 Content-Type: application/xml; charset=utf-16
{BOM}<?xml version="1.0" encoding="utf-16"?> {BOM}<?xml version="1.0" encoding="utf-16"?>
or or
{BOM}<?xml version="1.0"?> {BOM}<?xml version="1.0"?>
For the three application/ media types defined above, if sent using a For the three application/ media types defined above, if sent using a
7-bit transport (e.g. SMTP) or an 8-bit clean transport (e.g. 7-bit transport (e.g. SMTP) or an 8-bit clean transport (e.g.
8BITMIME ESMTP or NNTP), the XML MIME entity must be encoded in 8BITMIME ESMTP or NNTP), the XML MIME entity must be encoded in
quoted-printable or base64; for a binary clean transport (e.g. BINARY quoted-printable or base64; for a binary clean transport (e.g. BINARY
ESMTP or HTTP), no content-transfer-encoding is necessary (or even ESMTP or HTTP), no content-transfer-encoding is necessary (or even
possible, in the case of HTTP). possible, in the case of HTTP).
skipping to change at page 19, line 25 skipping to change at page 15, line 32
As described in [RFC2781], the UTF-16 family must not be used with As described in [RFC2781], the UTF-16 family must not be used with
media types under the top-level type "text" except over HTTP or HTTPS media types under the top-level type "text" except over HTTP or HTTPS
(see section A.2 of HTTP [HTTPbis] for details). Hence one of the (see section A.2 of HTTP [HTTPbis] for details). Hence one of the
two text/ media types defined above can be used with this exampleonly two text/ media types defined above can be used with this exampleonly
when the XML MIME entity is transmitted via HTTP or HTTPS, which use when the XML MIME entity is transmitted via HTTP or HTTPS, which use
a MIME-like mechanism and are binary-clean protocols, hence do not a MIME-like mechanism and are binary-clean protocols, hence do not
perform CR and LF transformations and allow NUL octets. Since HTTP perform CR and LF transformations and allow NUL octets. Since HTTP
is binary clean, no content-transfer-encoding is necessary (or even is binary clean, no content-transfer-encoding is necessary (or even
possible). possible).
9.3. Omitted Charset and 8-bit MIME Entity 8.3. Omitted Charset and 8-bit MIME Entity
Content-Type: application/xml Content-Type: application/xml
<?xml version="1.0" encoding="iso-8859-1"?> <?xml version="1.0" encoding="iso-8859-1"?>
Since the charset parameter is not provided in the Content-Type Since the charset parameter is not provided in the Content-Type
header and there is no overriding BOM, conformant XML processors must header and there is no overriding BOM, conformant XML processors must
treat the "iso-8859-1" encoding as authoritative. Conformant XML- treat the "iso-8859-1" encoding as authoritative. Conformant XML-
unaware MIME processors should make no assumptions about the unaware MIME processors should make no assumptions about the
character encoding of the XML MIME entity. character encoding of the XML MIME entity.
9.4. Omitted Charset and 16-bit MIME Entity 8.4. Omitted Charset and 16-bit MIME Entity
Content-Type: application/xml Content-Type: application/xml
{BOM}<?xml version="1.0" encoding="utf-16"?> {BOM}<?xml version="1.0" encoding="utf-16"?>
or or
{BOM}<?xml version="1.0"?> {BOM}<?xml version="1.0"?>
This example shows a 16-bit MIME entity with no charset parameter. This example shows a 16-bit MIME entity with no charset parameter.
However since there is a BOM conformant processors must treat the However since there is a BOM conformant processors must treat the
entity as UTF-16-encoded. entity as UTF-16-encoded.
Omitting the charset parameter is not recommended in conjunction with Omitting the charset parameter is not recommended in conjunction with
media types under the top-level type "application" when used with media types under the top-level type "application" when used with
transports other than HTTP or HTTPS. Media types under the top-level transports other than HTTP or HTTPS. Media types under the top-level
type "text" should not be used for 16-bit MIME with transports other type "text" should not be used for 16-bit MIME with transports other
than HTTP or HTTPS (see discussion above (Section 9.2, Paragraph 7)). than HTTP or HTTPS (see discussion above (Section 8.2, Paragraph 7)).
9.5. Omitted Charset, no Internal Encoding Declaration 8.5. Omitted Charset, no Internal Encoding Declaration
Content-Type: application/xml Content-Type: application/xml
<?xml version='1.0'?> <?xml version='1.0'?>
In this example, the charset parameter has been omitted, there is no In this example, the charset parameter has been omitted, there is no
internal encoding declaration, and there is no BOM. Since there is internal encoding declaration, and there is no BOM. Since there is
no BOM or charset parameter, the XML processor follows the no BOM or charset parameter, the XML processor follows the
requirements in section 4.3.3, and optionally applies the mechanism requirements in section 4.3.3, and optionally applies the mechanism
described in Appendix F (which is non-normative) of [XML] to described in Appendix F (which is non-normative) of [XML] to
determine an encoding of UTF-8. Although the XML MIME entity does determine an encoding of UTF-8. Although the XML MIME entity does
not contain an encoding declaration, provided the encoding actually not contain an encoding declaration, provided the encoding actually
_is_ UTF-8, this is a conforming XML MIME entity. _is_ UTF-8, this is a conforming XML MIME entity.
A conformant XML-unaware MIME processor should make no assumptions A conformant XML-unaware MIME processor should make no assumptions
about the character encoding of the XML MIME entity. about the character encoding of the XML MIME entity.
See Section 9.1 for transport-related issues for UTF-8 XML MIME See Section 8.1 for transport-related issues for UTF-8 XML MIME
entities. entities.
9.6. UTF-16BE Charset 8.6. UTF-16BE Charset
Content-Type: application/xml; charset=utf-16be Content-Type: application/xml; charset=utf-16be
<?xml version='1.0' encoding='utf-16be'?> <?xml version='1.0' encoding='utf-16be'?>
Observe that, as required for this encoding, there is no BOM. Since Observe that, as required for this encoding, there is no BOM. Since
the charset parameter is provided and there is no overriding BOM, the charset parameter is provided and there is no overriding BOM,
conformant MIME and XML processors must treat the enclosed entity as conformant MIME and XML processors must treat the enclosed entity as
UTF-16BE encoded. UTF-16BE encoded.
See also the additional considerations in the UTF-16 example See also the additional considerations in the UTF-16 example
(Section 9.2) above. (Section 8.2) above.
9.7. Non-UTF Charset 8.7. Non-UTF Charset
Content-Type: application/xml; charset=iso-2022-kr Content-Type: application/xml; charset=iso-2022-kr
<?xml version="1.0" encoding="iso-2022-kr"?> <?xml version="1.0" encoding="iso-2022-kr"?>
This example shows the use of a non-UTF character encoding (in this This example shows the use of a non-UTF character encoding (in this
case Hangul, but this example is intended to cover all non-UTF-family case Hangul, but this example is intended to cover all non-UTF-family
character encodings). Since the charset parameter is provided and character encodings). Since the charset parameter is provided and
there is no overriding BOM, conformant processors must treat the there is no overriding BOM, conformant processors must treat the
enclosed entity as encoded per RFC 1557. enclosed entity as encoded per RFC 1557.
Since ISO-2022-KR [RFC1557] has been defined to use only 7 bits of Since ISO-2022-KR [RFC1557] has been defined to use only 7 bits of
data, no content-transfer-encoding is necessary with any transport: data, no content-transfer-encoding is necessary with any transport:
for character sets needing 8 or more bits, considerations such as for character sets needing 8 or more bits, considerations such as
those discussed above (Section 9.1, Section 9.2) would apply. those discussed above (Section 8.1, Section 8.2) would apply.
9.8. INCONSISTENT EXAMPLE: Conflicting Charset and Internal Encoding 8.8. INCONSISTENT EXAMPLE: Conflicting Charset and Internal Encoding
Declaration Declaration
Content-Type: application/xml; charset=iso-8859-1 Content-Type: application/xml; charset=iso-8859-1
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
Although the charset parameter is provided in the Content-Type header Although the charset parameter is provided in the Content-Type header
and there is no BOM and the charset parameter differs from the XML and there is no BOM and the charset parameter differs from the XML
encoding declaration, conformant MIME and XML processors will encoding declaration, conformant MIME and XML processors will
interoperate. Since the charset parameter is authoritative in the interoperate. Since the charset parameter is authoritative in the
skipping to change at page 21, line 38 skipping to change at page 17, line 45
declaration will be ignored. declaration will be ignored.
Conformant processors generating XML MIME entities must not label Conformant processors generating XML MIME entities must not label
conflicting character encoding information between the MIME Content- conflicting character encoding information between the MIME Content-
Type and the XML declaration unless they have definitive information Type and the XML declaration unless they have definitive information
about the actual encoding, for example as a result of systematic about the actual encoding, for example as a result of systematic
transcoding. In particular, the addition by servers of an explicit, transcoding. In particular, the addition by servers of an explicit,
site-wide charset parameter default has frequently lead to site-wide charset parameter default has frequently lead to
interoperability problems for XML documents. interoperability problems for XML documents.
9.9. INCONSISTENT EXAMPLE: Conflicting Charset and BOM 8.9. INCONSISTENT EXAMPLE: Conflicting Charset and BOM
Content-Type: application/xml; charset=iso-8859-1 Content-Type: application/xml; charset=iso-8859-1
{BOM}<?xml version="1.0"?> {BOM}<?xml version="1.0"?>
Although the charset parameter is provided in the Content-Type Although the charset parameter is provided in the Content-Type
header, there is a BOM, so MIME and XML processors may not header, there is a BOM, so MIME and XML processors may not
interoperate. Since the BOM parameter is authoritative for interoperate. Since the BOM parameter is authoritative for
conformant XML processors, they will treat the enclosed entity as conformant XML processors, they will treat the enclosed entity as
UTF-16-encoded. That is, the "iso-8859-1" charset parameter will be UTF-16-encoded. That is, the "iso-8859-1" charset parameter will be
ignored. XML-unaware MIME processors on the other hand may be ignored. XML-unaware MIME processors on the other hand may be
unaware of the BOM and so treat the entity as encoded in iso-8859-1. unaware of the BOM and so treat the entity as encoded in iso-8859-1.
Conformant processors generating XML MIME entities must not label Conformant processors generating XML MIME entities must not label
conflicting character encoding information between the MIME Content- conflicting character encoding information between the MIME Content-
Type and an entity-initial BOM. Type and an entity-initial BOM.
10. IANA Considerations 9. IANA Considerations
As described in Section 8, this specification updates the [RFC6839] 9.1. Application/xml Registration
registration for XML-based MIME types (the '+xml' types).
10.1. Using '+xml' when Registering XML-based Media Types Type name: application
When a new media type is introduced for an XML-based format, the name Subtype name: xml
of the media type SHOULD end with '+xml' unless generic XML
processing is in some way inappropriate for documents of the new
type. This convention will allow applications that can process XML
generically to detect that the MIME entity is supposed to be an XML
document, verify this assumption by invoking some XML processor, and
then process the XML document accordingly. Applications may check
for types that represent XML MIME entities by comparing the last four
characters of the subtype to the string '+xml'. (However note that 4
of the 5 media types defined in this specification -- text/xml,
application/xml, text/xml-external-parsed-entity, and application/
xml-external-parsed-entity -- also represent XML MIME entities while
not ending with '+xml'.)
NOTE: Section 5.3.2 of HTTPbis [HTTPbis] does not support any form Required parameters: none
of Accept header which will match only '+xml' types. In
particular, Accept headers of the form "Accept: */*+xml" are not
allowed, and so this header MUST NOT be used for this purpose.
Media types following the naming convention '+xml' SHOULD introduce Optional parameters: charset
the charset parameter for consistency, since XML-generic processing
applies the same program for any such media type. However, there are
some cases that the charset parameter need not be introduced. For
example:
When an XML-based media type is restricted to UTF-8, it is not See Section 3.
necessary to introduce the charset parameter. UTF-8 is the
default for XML.
When an XML-based media type is restricted to UTF-8 and UTF-16, it Encoding considerations: Depending on the character encoding used,
might not be unreasonable to omit the charset parameter. Neither XML MIME entities can consist of 7bit, 8bit or binary data
UTF-8 nor UTF-16 require XML encoding declarations. [RFC6838]. For 7-bit transports, 7bit data, for example US-ASCII-
encoded data, does not require content-transfer-encoding, but 8bit
or binary data, for example UTF-8 or UTF-16 data, MUST be content-
transfer-encoded in quoted-printable or base64. For 8-bit clean
transport (e.g. 8BITMIME ESMTP [RFC6152] or NNTP [RFC3977]), 7bit
or 8bit data, for example US-ASCII or UTF-8 data, does not require
content-transfer-encoding, but binary data, for example data with
a UTF-16 encoding, MUST be content-transfer-encoded in base64.
For binary clean transports (e.g. BINARY ESMTP [RFC3030] or HTTP
[HTTPbis]), no content-transfer-encoding is necessary (or even
possible, in the case of HTTP) for 7bit, 8bit or binary data.
XML generic processing is not always appropriate for XML-based media Security considerations: See Section 10.
types. For example, authors of some such media types may wish that
the types remain entirely opaque except to applications that are
specifically designed to deal with that media type. By NOT following
the naming convention '+xml', such media types can avoid XML-generic
processing. Since generic processing will be useful in many cases,
however -- including in some situations that are difficult to predict
ahead of time -- the '+xml' convention is to be preferred unless
there is some particularly compelling reason not to.
The registration process for specific '+xml' media types is described Interoperability considerations: XML has proven to be interoperable
in [RFC6838]. The registrar for the IETF tree will encourage new across both generic and task-specific applications and for import
XML-based media type registrations in the IETF tree to follow this and export from multiple XML authoring and editing tools.
guideline. Registrars for other trees SHOULD follow this convention Validating processors provide maximum interoperability, because
in order to ensure maximum interoperability of their XML-based they have to handle all aspects of XML. Although a non-validating
documents. Only media subtypes that represent XML MIME entities are processor may be more efficient, it might not handle all aspects.
allowed to register with a '+xml' suffix. For further information, see sub-section 2.9 "Standalone Document
Declaration" and section 5 "Conformance" of [XML] .
In addition to the changes described above, the change controller has In practice, character set issues have proved to be the biggest
been changed to be the World Wide Web Consortium (W3C). source of interoperability problems. The use of UTF-8, and
careful attention to the guidelines set out in Section 3, are the
best ways to avoid such problems.
10.2. Registration Guidelines for XML-based Media Types Not Using Published specification: Extensible Markup Language (XML) 1.0 (Fifth
'+xml' Edition) [XML] or subsequent editions or versions thereof.
Registrations for new XML-based media types which do _not_ use the Applications that use this media type: XML is device-, platform-,
'+xml' suffix SHOULD, in specifying the charset parameter and and vendor-neutral and is supported by generic and task-specific
encoding considerations, define them as: "Same as [charset parameter applications and a wide range of generic XML tools (editors,
/ encoding considerations] of application/xml as specified in RFC parsers, Web agents, ...).
XXXX."
Enabling the charset parameter is RECOMMENDED, since this information Additional information:
can be used by XML processors to determine authoritatively the
character encoding of the XML MIME entity in the absence of a BOM.
If there are some reasons not to follow this advice, they SHOULD be
included as part of the registration. As shown above, two such
reasons are "UTF-8 only" or "UTF-8 or UTF-16 only".
These registrations SHOULD specify that the XML-based media type Magic number(s): None.
being registered has all of the security considerations described in
RFC XXXX plus any additional considerations specific to that media
type.
These registrations SHOULD also make reference to RFC XXXX in Although no byte sequences can be counted on to always be
specifying magic numbers, base URIs, and use of the BOM. present, XML MIME entities in ASCII-compatible character sets
(including UTF-8) often begin with hexadecimal 3C 3F 78 6D 6C
("<?xml"), and those in UTF-16 often begin with hexadecimal FE
FF 00 3C 00 3F 00 78 00 6D 00 6C or FF FE 3C 00 3F 00 78 00 6D
00 6C 00 (the Byte Order Mark (BOM) followed by "<?xml"). For
more information, see Appendix F of [XML].
These registrations MAY reference the application/xml registration in File extension(s): .xml
RFC XXXX in specifying interoperability and fragment identifier
considerations, if these considerations are not overridden by issues
specific to that media type.
11. Security Considerations Macintosh File Type Code(s): "TEXT"
Base URI: See Section 6
Person and email address for further information: See Authors'
Addresses section
Intended usage: COMMON
Author: See Authors' Addresses section
Change controller: The XML specification is a work product of the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over RFC XXXX.
9.2. Text/xml Registration
The registration information for text/xml is in all respects the same
as that given for application/xml above (Section 9.1), except that
the "Type name" is "text".
9.3. Application/xml-external-parsed-entity Registration
Type name: application
Subtype name: xml-external-parsed-entity
Required parameters: none
Optional parameters: charset
See Section 3.
Encoding considerations: Same as for application/xml (Section 9.1).
Security considerations: See Section 10.
Interoperability considerations: XML external parsed entities are as
interoperable as XML documents, though they have a less tightly
constrained structure and therefore need to be referenced by XML
documents for proper handling by XML processors. Similarly, XML
documents cannot be reliably used as external parsed entities
because external parsed entities are prohibited from having
standalone document declarations or DTDs. Identifying XML
external parsed entities with their own content type enhances
interoperability of both XML documents and XML external parsed
entities.
Published specification: Same as for application/xml (Section 9.1).
Applications which use this media type: Same as for application/xml
(Section 9.1).
Additional information:
Magic number(s): Same as for application/xml (Section 9.1).
File extension(s): .xml or .ent
Macintosh File Type Code(s): "TEXT"
Base URI: See Section 6
Person and email address for further information: See Authors'
Addresses section.
Intended usage: COMMON
Author: See Authors' Addresses section.
Change controller: The XML specification is a work product of the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over RFC XXXX.
9.4. Text/xml-external-parsed-entity Registration
The registration information for text/xml-external-parsed-entity is
in all respects the same as that given for application/xml-external-
parsed-entity above (Section 9.3), except that the "Type name" is
"text".
9.5. Application/xml-dtd Registration
Type name: application
Subtype name: xml-dtd
Required parameters: none
Optional parameters: charset
See Section 3.
Encoding considerations: Same as for application/xml (Section 9.1).
Security considerations: See Section 10.
Interoperability considerations: XML DTDs have proven to be
interoperable by DTD authoring tools and XML validators, among
others.
Published specification: Same as for application/xml (Section 9.1).
Applications which use this media type: DTD authoring tools handle
external DTD subsets as well as external parameter entities. XML
validators may also access external DTD subsets and external
parameter entities.
Additional information:
Magic number(s): Same as for application/xml (Section 9.1).
File extension(s): .dtd or .mod
Macintosh File Type Code(s): "TEXT"
Person and email address for further information: See Authors'
Addresses section.
Intended usage: COMMON
Author: See Authors' Addresses section.
Change controller: The XML specification is a work product of the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over RFC XXXX.
9.6. The '+xml' Naming Convention for XML-Based Media Types
This section supersedes the earlier registration of the '+xml' suffix
[RFC6839].
This specification recommends the use of the '+xml' naming convention
for identifying XML-based media types, in line with the recognition
in [RFC6838] of structured syntax name suffixes. This allows the use
of generic XML processors and technologies on a wide variety of
different XML document types at a minimum cost, using existing
frameworks for media type registration.
See Section 4.2 for guidance on when and how to register a
'+xml'-based media subtype, and Section 4.3 on registering a media
subtype for XML but _not_ using '+xml'.
9.6.1. +xml Structured Syntax Suffix Registration
Name: Extensible Markup Language (XML)
+suffix: +xml
Reference: RFC XXXX
Encoding considerations: Same as Section 9.1.
Fragment identifier considerations: Registrations which use this
'+xml' convention MUST also make reference to RFC XXXX,
specifically Section 5, in specifying fragment identifier syntax
and semantics, and they MAY restrict the syntax to a specified
subset of schemes, except that they MUST NOT disallow barenames or
'element' scheme pointers. They MAY further require support for
other registered schemes. They also MAY add additional syntax
(which MUST NOT overlap with [XPointerFramework] syntax) together
with associated semantics, and MAY add additional semantics for
barename XPointers which, as provided for in Section 5, will only
apply when RFC XXXX does not define an interpretation.
In practice these constraints imply that for a fragment
identifier addressed to an instance of a specific "xxx/yyy+xml"
type, there are three cases:
For fragment identifiers matching the syntax defined in
[XPointerFramework], where the fragment identifier resolves
per the rules specified there, then process as specified
there;
For fragment identifiers matching the syntax defined in
[XPointerFramework], where the fragment identifier does
_not_ resolve per the rules specified there, then process as
specified in "xxx/yyy+xml";
For fragment identifiers _not_ matching the syntax defined
in [XPointerFramework], then process as specified in "xxx/
yyy+xml". A fragment identifier of the form
"xywh=160,120,320,240", as defined in [MediaFrags], which
might be used in a URI for an XML-encoded image, would fall
in this category.
Interoperability considerations: Same as Section 9.1. See above,
and also Section 3, for guidelines on the use of the 'charset'
parameter.
Security considerations: See Section 10.
Contact: See Authors' Addresses section.
Author: See Authors' Addresses section.
Change controller: The XML specification is a work product of the
World Wide Web Consortium's XML Core Working Group. The W3C has
change control over RFC XXXX.
10. Security Considerations
XML MIME entities contain information which may be parsed and further XML MIME entities contain information which may be parsed and further
processed by the recipient. These entities may contain, and processed by the recipient. These entities may contain, and
recipients may permit, explicit system level commands to be executed recipients may permit, explicit system level commands to be executed
while processing the data. To the extent that a recipient while processing the data. To the extent that a recipient
application executes arbitrary command strings from within XML MIME application executes arbitrary command strings from within XML MIME
entities, they may be at risk. entities, they may be at risk.
In general, any information stored outside of the direct control of In general, any information stored outside of the direct control of
the user -- including CSS style sheets, XSL transformations, XML- the user -- including CSS style sheets, XSL transformations, XML-
entity declarations, and DTDs -- can be a source of insecurity, by entity declarations, and DTDs -- can be a source of insecurity, by
either obvious or subtle means. For example, a tiny "whiteout either obvious or subtle means. For example, a tiny "whiteout
attack" modification made to a "master" style sheet could make words attack" modification made to a "master" style sheet could make words
in critical locations disappear in user documents, without directly in critical locations disappear in user documents, without directly
modifying the user document or the stylesheet it references. Thus, modifying the user document or the stylesheet it references. Thus,
the security of any XML document is vitally dependent on all of the the security of any XML document is vitally dependent on all of the
documents recursively referenced by that document. documents recursively referenced by that document.
The XML-entity lists and DTDs for XHTML 1.0 [XHTML], for instance, The XML-entity lists and DTDs for XHTML 1.0 [XHTML], for instance,
are likely to be a commonly used set of information. Many developers are likely to be a widely exploited set of resources. They will be
will use and trust them, few of whom will know much about the level used and trusted by many developers, few of whom will know much about
of security on the W3C's servers, or on any similarly trusted the level of security on the W3C's servers, or on any similarly
repository. trusted repository.
The simplest attack involves adding declarations that break The simplest attack involves adding declarations that break
validation. Adding extraneous declarations to a list of character validation. Adding extraneous declarations to a list of character
XML-entities can effectively "break the contract" used by documents. XML-entities can effectively "break the contract" used by documents.
A tiny change that produces a fatal error in a DTD could halt XML A tiny change that produces a fatal error in a DTD could halt XML
processing on a large scale. Extraneous declarations are fairly processing on a large scale. Extraneous declarations are fairly
obvious, but more sophisticated tricks, like changing attributes from obvious, but more sophisticated tricks, like changing attributes from
being optional to required, can be difficult to track down. Perhaps being optional to required, can be difficult to track down. Perhaps
the most dangerous option available to attackers, when external DTD the most dangerous option available to attackers, when external DTD
subsets or external parameter entities or other externally-specified subsets or external parameter entities or other externally-specified
skipping to change at page 25, line 23 skipping to change at page 25, line 8
displayed, have the potential to change the display processor displayed, have the potential to change the display processor
environment in ways that adversely affect subsequent operations. environment in ways that adversely affect subsequent operations.
Possible effects include, but are not limited to, locking the Possible effects include, but are not limited to, locking the
keyboard, changing display parameters so subsequent displayed text is keyboard, changing display parameters so subsequent displayed text is
unreadable, or even changing display parameters to deliberately unreadable, or even changing display parameters to deliberately
obscure or distort subsequent displayed material so that its meaning obscure or distort subsequent displayed material so that its meaning
is lost or altered. Display processors SHOULD either filter such is lost or altered. Display processors SHOULD either filter such
material from displayed text or else make sure to reset all important material from displayed text or else make sure to reset all important
settings after a given display operation is complete. settings after a given display operation is complete.
Some terminal devices have keys whose output, when pressed, can be With some terminal devices, sending particular character sequences to
changed by sending the display processor a character sequence. If the display processor can change the output of subsequent key
this is possible the display of a text object containing such presses. If this is possible the display of a text object containing
character sequences could reprogram keys to perform some illicit or such character sequences could reprogram keys to perform some illicit
dangerous action when the key is subsequently pressed by the user. or dangerous action when the key is subsequently pressed by the user.
In some cases not only can keys be programmed, they can be triggered In some cases not only can keys be programmed, they can be triggered
remotely, making it possible for a text display operation to directly remotely, making it possible for a text display operation to directly
perform some unwanted action. As such, the ability to program keys perform some unwanted action. As such, the ability to program keys
SHOULD be blocked either by filtering or by disabling the ability to SHOULD be blocked either by filtering or by disabling the ability to
program keys entirely. program keys entirely.
Note that it is also possible to construct XML documents that make Note that it is also possible to construct XML documents that make
use of what XML terms "[XML-]entity references" to construct repeated use of what XML terms "[XML-]entity references" to construct repeated
expansions of text. Recursive expansions are prohibited by [XML] and expansions of text. Recursive expansions are prohibited by [XML] and
XML processors are required to detect them. However, even non- XML processors are required to detect them. However, even non-
recursive expansions may cause problems with the finite computing recursive expansions may cause problems with the finite computing
resources of computers, if they are performed many times. For resources of computers, if they are performed many times. For
example, consider the case where XML-entity A consists of 100 copies example, consider the case where XML-entity A consists of 100 copies
of XML-entity B, which in turn consists of 100 copies of XML-entity of XML-entity B, which in turn consists of 100 copies of XML-entity
C, and so on. C, and so on.
12. References 11. References
12.1. Normative References 11.1. Normative References
[HTTPbis] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [HTTPbis] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing", draft- Protocol (HTTP/1.1): Message Syntax and Routing", draft-
ietf-httpbis-p1-messaging-25 (work in progress), November ietf-httpbis-p1-messaging-25 (work in progress), November
2013. 2013.
[IANA-charsets] [IANA-charsets]
IANA, "Character Sets Registry", 2013, IANA, "Character Sets Registry", 2013,
<http://www.iana.org/assignments/character-sets/ <http://www.iana.org/assignments/character-sets/
character-sets.xhtml>. character-sets.xhtml>.
skipping to change at page 28, line 5 skipping to change at page 27, line 38
Latest version available at [5]. Latest version available at [5].
[XPtrRegPolicy] [XPtrRegPolicy]
Hazael-Massieux, D., "XPointer Scheme Name Registry Hazael-Massieux, D., "XPointer Scheme Name Registry
Policy", 2005, Policy", 2005,
<http://www.w3.org/2005/04/xpointer-policy.html>. <http://www.w3.org/2005/04/xpointer-policy.html>.
[XPtrReg] Hazael-Massieux, D., "XPointer Registry", 2005, [XPtrReg] Hazael-Massieux, D., "XPointer Registry", 2005,
<http://www.w3.org/2005/04/xpointer-schemes/>. <http://www.w3.org/2005/04/xpointer-schemes/>.
12.2. Informative References 11.2. Informative References
[ASCII] American National Standards Institute, "Coded Character [ASCII] American National Standards Institute, "Coded Character
Set -- 7-bit American Standard Code for Information Set -- 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986. Interchange", ANSI X3.4, 1986.
[AWWW] Jacobs, I. and N. Walsh, "Architecture of the World Wide [AWWW] Jacobs, I. and N. Walsh, "Architecture of the World Wide
Web, Volume One", W3C Recommendation REC-webarch-20041215, Web, Volume One", W3C Recommendation REC-webarch-20041215,
December 2004, December 2004,
<http://www.w3.org/TR/2004/REC-webarch-20041215/>. <http://www.w3.org/TR/2004/REC-webarch-20041215/>.
skipping to change at page 30, line 21 skipping to change at page 30, line 8
[XMLid] Marsh, J., Veillard, D., and N. Walsh, "xml:id Version [XMLid] Marsh, J., Veillard, D., and N. Walsh, "xml:id Version
1.0", W3C Recommendation REC-xml-id-20050909, September 1.0", W3C Recommendation REC-xml-id-20050909, September
2005, <http://www.w3.org/TR/2005/REC-xml-id-20050909/>. 2005, <http://www.w3.org/TR/2005/REC-xml-id-20050909/>.
Latest version available at [10]. Latest version available at [10].
Appendix A. Why Use the '+xml' Suffix for XML-Based MIME Types? Appendix A. Why Use the '+xml' Suffix for XML-Based MIME Types?
[RFC3023] contains a detailed discussion of the (at the time) novel [RFC3023] contains a detailed discussion of the (at the time) novel
use of a suffix, a practice which has since become widespread. use of a suffix, a practice which has since become widespread. Those
Interested parties are referred to [RFC3023], Appendix A. interested in a historical perspective on this topic are referred to
[RFC3023], Appendix A.
The registration process for new '+xml' media types is described in The registration process for new '+xml' media types is described in
[RFC6838] [RFC6838]
Appendix B. Core XML specifications Appendix B. Core XML specifications
The following specifications each articulate key aspects of XML The following specifications each articulate key aspects of XML
document semantics: document semantics:
Namespaces in XML 1.0 [XMLNS10]/Namespaces in XML 1.1 [XMLNS11] Namespaces in XML 1.0 [XMLNS10]/Namespaces in XML 1.1 [XMLNS11]
 End of changes. 67 change blocks. 
397 lines changed or deleted 396 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/