WEBDAV Working Group J. Slein Internet-Draft Xerox Expires:January 23,March 10, 2004 J. Whitehead U.C. Santa Cruz J. Davis CourseNet G. Clemm Rational C. Fay FileNet J. Crawford IBM J. Reschke, Ed. greenbytesJuly 25,September 10, 2003 WebDAV Redirect Reference Resourcesdraft-ietf-webdav-redirectref-protocol-03.txtdraft-ietf-webdav-redirectref-protocol-04 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire onJanuary 23,March 10, 2004. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Abstract Thisis one of a pair of specifications that extend the WebDAV Distributed Authoring Protocol to enable clients to create new access paths to existing resources. The two protocol extensions have very different characteristics that make them useful for different sorts of applications. The presentspecification defines redirect reference resources. A redirect reference resource is a resource whose default response is anHTTP/1.1HTTP/ 1.1 302 (Found) status code, redirecting the client to a different resource, the target resource. A redirect reference makes it possible to access the target resource indirectly, through any URI mapped to the redirect reference resource. There are no integrity guarantees associated with redirect reference resources.The related specification [B], defines bindings, and the BIND method for creating them. Creating a new binding to a resource indirectly creates one or more new URIs mapped to that resource, which can then be used to access it. Servers are required to insure the integrity of any bindings that they allow to be created.Distribution of this document is unlimited. Please send comments to the Distributed Authoring and Versioning (WebDAV) working group at w3c-dist-auth@w3.org [1], which may be joined by sending a message with subject "subscribe" to w3c-dist-auth-request@w3.org [2]. Discussions of the WEBDAV working group are archived at URL: http:// lists.w3.org/Archives/Public/w3c-dist-auth/. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . .75 2. Notational Conventions . . . . . . . . . . . . . . . . . . .97 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . .108 4. Overview of Redirect Reference Resources . . . . . . . . . .119 5. Creating a Redirect Reference Resource . . . . . . . . . . .1210 5.1 MKRESOURCE . . . . . . . . . . . . . . . . . . . . . . . . .1210 5.2 Example: Creating a Redirect Reference Resource with MKRESOURCE . . . . . . . . . . . . . . . . . . . . . . . . .1311 6. Operations on Redirect Reference Resources . . . . . . . . .1513 6.1 Example: GET on a Redirect Reference Resource . . . . . . .1614 6.2 Example: PUT on a Redirect Reference Resource with Apply-To-Redirect-Ref . . . . . . . . . . . . . . . . . . .1614 6.3 Example: PROPPATCH on a Redirect Reference Resource . . . .1715 7. Operations on Collections That Contain Redirect Reference Resources . . . . . . . . . . . . . . . . . . . . . . . . .1816 7.1 MOVE and DELETE on Collections That Contain Redirect References . . . . . . . . . . . . . . . . . . . . . . . . .1816 7.2 LOCK on a Collection That Contains Redirect References . . .1917 7.3 Example: PROPFIND on a Collection with Redirect Reference Resources . . . . . . . . . . . . . . . . . . . . . . . . .1917 7.4 Example: PROPFIND with Apply-To-Redirect-Ref on a Collection with Redirect Reference Resources . . . . . . . .2018 7.5 Example: COPY on a Collection That Contains a Redirect Reference Resource . . . . . . . . . . . . . . . . . . . . .2220 7.6 Example: LOCK on a Collection That Contains a Redirect Reference Resource . . . . . . . . . . . . . . . . . . . . .2321 8. Operations on Targets of Redirect Reference Resources . . .2624 9. Relative URIs in DAV:reftarget . . . . . . . . . . . . . . .2725 9.1 Example: Resolving a Relative URI in a MKRESOURCE Request .2725 9.2 Example: Resolving a Relative URI in a Multi-Status Response . . . . . . . . . . . . . . . . . . . . . . . . . .2826 10. Redirect References to Collections . . . . . . . . . . . . .3028 11. Headers . . . . . . . . . . . . . . . . . . . . . . . . . .3230 11.1 Redirect-Ref Response Header . . . . . . . . . . . . . . . .3230 11.2 Apply-To-Redirect-Ref Request Header . . . . . . . . . . . .3230 12. Properties . . . . . . . . . . . . . . . . . . . . . . . . .3331 12.1 reftarget Property . . . . . . . . . . . . . . . . . . . . .3331 12.2 location Pseudo-Property . . . . . . . . . . . . . . . . . .3331 13. XML Elements . . . . . . . . . . . . . . . . . . . . . . . .3432 13.1 redirectref XML Element . . . . . . . . . . . . . . . . . .3432 14. Extensions to the DAV:response XML Element for Multi-Status Responses . . . . . . . . . . . . . . . . . . .3533 15. Capability Discovery . . . . . . . . . . . . . . . . . . . .3634 15.1 Example: Discovery of Support for Redirect Reference Resources . . . . . . . . . . . . . . . . . . . . . . . . .3634 16. Security Considerations . . . . . . . . . . . . . . . . . .3735 16.1 Privacy Concerns . . . . . . . . . . . . . . . . . . . . . .3735 16.2 Redirect Loops . . . . . . . . . . . . . . . . . . . . . . .3735 16.3 Redirect Reference Resources and Denial of Service . . . . .3735 16.4 Revealing Private Locations . . . . . . . . . . . . . . . .3735 17. Internationalization Considerations . . . . . . . . . . . .3937 18. IANA Considerations . . . . . . . . . . . . . . . . . . . .4038 19. Acknowledgements . . . . . . . . . . . . . . . . . . . . . .4139 Normative References . . . . . . . . . . . . . . . . . . . .42 Informative References . . . . . . . . . . . . . . . . . . . 4340 Authors' Addresses . . . . . . . . . . . . . . . . . . . . .4440 A. Changes to the WebDAV Document Type Definition . . . . . . .4642 B. Change Log (to be removed by RFC Editor before publication) . . . . . . . . . . . . . . . . . . . . . . . .. 4743 B.1 Since draft-ietf-webdav-redirectref-protocol-02 . . . . . .4743 B.2 Since draft-ietf-webdav-redirectref-protocol-03 . . . . . . 43 C. Resolved issues (to be removed by RFC Editor before publication) . . . . . . . . . . . . . . . . . . . . . .48 C.1 lc-11-pagination. . 44 C.1 lc-07-bind . . . . . . . . . . . . . . . . . . . .48 C.2 lc-09-notational-after-introduction. . . . . 44 C.2 lc-08-bind . . . . . . .48 C.3 lc-13-usually. . . . . . . . . . . . . . . . . . 44 C.3 lc-34-bind . . . . .48 C.4 lc-16-insure. . . . . . . . . . . . . . . . . . . . 44 C.4 lc-83-bind . . . .48 C.5 lc-17-location. . . . . . . . . . . . . . . . . . . . . 44 C.5 lc-12-bind . .49 C.6 lc-21-bind. . . . . . . . . . . . . . . . . . . . . . . 45 C.6 lc-35-bind . .49 C.7 lc-46-bind .. . . . . . . . . . . . . . . . . . . . . . . 45 C.7 lc-01-body .49 C.8 lc-26-lang. . . . . . . . . . . . . . . . . . . . . . . . 45 C.8 lc-14-bind .49 C.9 lc-03-mkresource-response-cacheability. . . . . . . . . . .50 C.10 lc-02-status-codes. . . . . . . . . . . . . 45 C.9 lc-15-direct-ref . . . . . . . .50 C.11 lc-27-lang. . . . . . . . . . . . . . 46 C.10 lc-39-no-reference-or-direct-resource . . . . . . . . . . .50 C.12 lc-30-headers46 C.11 lc-40-direct . . . . . . . . . . . . . . . . . . . . . . .50 C.13 lc-32-ORDERPATCH. 46 C.12 lc-45-apply-to-rr . . . . . . . . . . . . . . . . . . . . .51 C.14 lc-51-repeat47 C.13 lc-01A-body . . . . . . . . . . . . . . . . . . . . . . . .51 C.15 lc-59-depth47 C.14 lc-31-MKCOL . . . . . . . . . . . . . . . . . . . . . . . .51 C.16 lc-65-lock47 C.15 lc-67-redirectref . . . . . . . . . . . . . . . . . . . . . 47 C.16 lc-54-s10 . . . .51 C.17 lc-66-depth. . . . . . . . . . . . . . . . . . . . . 48 C.17 lc-78-directory . . .52 C.18 lc-69-424. . . . . . . . . . . . . . . . . . . 48 C.18 lc-82-iana . . . . . .52 C.19 lc-68-lock. . . . . . . . . . . . . . . . . . . 48 D. Open issues (to be removed by RFC Editor before publication) . . . . . .52 C.20 lc-52-no-relative. . . . . . . . . . . . . . . . . . 49 D.1 lc-85-301 . . .53 C.21 lc-64-reftarget. . . . . . . . . . . . . . . . . . . . . .53 C.22 lc-70-relative49 D.2 lc-38-not-hierarchical . . . . . . . . . . . . . . . . . . . 49 D.3 lc-36-server . . . .53 C.23 lc-73-asciiart. . . . . . . . . . . . . . . . . . . . 49 D.4 lc-33-forwarding . . .53 C.24 lc-77-webdav-applications. . . . . . . . . . . . . . . . .54 C.25 lc-10-title. . 49 D.5 lc-56-notjusthttp . . . . . . . . . . . . . . . . . . . . . 50 D.6 lc-37-integrity .54 C.26 lc-81-typo. . . . . . . . . . . . . . . . . . . . . 50 D.7 3-terminology-redirectref . . . .54 C.27 lc-18-resource-types. . . . . . . . . . . . . 50 D.8 lc-43-webdav . . . . . . .54 C.28 lc-84-ext. . . . . . . . . . . . . . . . . 50 D.9 lc-19-direct-ref . . . . . . . .54 D. Open issues. . . . . . . . . . . . . . 51 D.10 lc-04-standard-data-container . . . . . . . . . .56 D.1 lc-85-301. . . . . 51 D.11 lc-05-standard-data-container . . . . . . . . . . . . . . . 51 D.12 lc-20-intro-mkresource . . . . .56 D.2 lc-07-bind. . . . . . . . . . . . . . 51 D.13 lc-22-coll . . . . . . . . . . .56 D.3 lc-08-bind. . . . . . . . . . . . . . 52 D.14 lc-25-atomic . . . . . . . . . . .56 D.4 lc-34-bind. . . . . . . . . . . . . 52 D.15 lc-41-no-webdav . . . . . . . . . . . .56 D.5 lc-35-bind. . . . . . . . . . 52 D.16 lc-42-no-webdav . . . . . . . . . . . . . . .57 D.6 lc-83-bind. . . . . . . 52 D.17 lc-58-update . . . . . . . . . . . . . . . . . .57 D.7 lc-12-bind. . . . . . 53 D.18 lc-23-body . . . . . . . . . . . . . . . . . . .57 D.8 lc-38-not-hierarchical. . . . . . 53 D.19 lc-24-properties . . . . . . . . . . . . .57 D.9 lc-36-server. . . . . . . . . 53 D.20 lc-47-207 . . . . . . . . . . . . . . .58 D.10 lc-33-forwarding. . . . . . . . . . 54 D.21 lc-48-s6 . . . . . . . . . . . .58 D.11 lc-56-notjusthttp. . . . . . . . . . . . . . 54 D.22 lc-28-lang . . . . . . .58 D.12 lc-01-body. . . . . . . . . . . . . . . . . . 55 D.23 lc-29-lang . . . . . . .58 D.13 lc-37-integrity. . . . . . . . . . . . . . . . . . 55 D.24 lc-49-put . . . .59 D.14 lc-14-bind. . . . . . . . . . . . . . . . . . . . . 55 D.25 lc-44-pseudo . . . .59 D.15 lc-15-direct-ref. . . . . . . . . . . . . . . . . . . . 55 D.26 lc-61-pseudo . .59 D.16 lc-39-no-reference-or-direct-resource. . . . . . . . . . .59 D.17 lc-40-direct. . . . . . . . . . . 56 D.27 lc-60-ex . . . . . . . . . . . . .60 D.18 lc-43-webdav. . . . . . . . . . . . . 56 D.28 lc-62-oldclient . . . . . . . . . . .60 D.19 lc-19-direct-ref. . . . . . . . . . . 56 D.29 lc-63-move . . . . . . . . . . .60 D.20 lc-45-apply-to-rr. . . . . . . . . . . . . . 56 D.30 lc-06-reftarget-relative . . . . . . .61 D.21 lc-04-standard-data-container. . . . . . . . . . . 57 D.31 lc-57-noautoupdate . . . .61 D.22 lc-05-standard-data-container. . . . . . . . . . . . . . .61 D.23 lc-20-intro-mkresource. . 57 D.32 lc-71-relative . . . . . . . . . . . . . . . . .61 D.24 lc-22-coll. . . . . . 57 D.33 lc-53-s10 . . . . . . . . . . . . . . . . . . .62 D.25 lc-25-atomic. . . . . . 58 D.34 lc-72-trailingslash . . . . . . . . . . . . . . . . . .62 D.26 lc-41-no-webdav. . 58 D.35 lc-50-blindredirect . . . . . . . . . . . . . . . . . . . .62 D.27 lc-42-no-webdav . . . . . . . . . . . . . . . . . . . . . . 62 D.28 lc-58-update . . . . . . . . . . . . . . . . . . . . . . . . 63 D.29 lc-01A-body . . . . . . . . . . . . . . . . . . . . . . . . 63 D.30 lc-23-body . . . . . . . . . . . . . . . . . . . . . . . . . 63 D.31 lc-24-properties . . . . . . . . . . . . . . . . . . . . . . 64 D.32 lc-47-207 . . . . . . . . . . . . . . . . . . . . . . . . . 64 D.33 lc-48-s6 . . . . . . . . . . . . . . . . . . . . . . . . . . 64 D.34 lc-28-lang . . . . . . . . . . . . . . . . . . . . . . . . . 65 D.35 lc-29-lang . . . . . . . . .58 D.36 lc-74-terminology . . . . . . . . . . . . . . . .65 D.36 lc-31-MKCOL. . . . . 59 D.37 lc-75-ignore . . . . . . . . . . . . . . . . . . .65 D.37 lc-49-put. . . . . 59 D.38 lc-76-location . . . . . . . . . . . . . . . . . . . .65 D.38 lc-44-pseudo. . . 59 D.39 lc-79-accesscontrol . . . . . . . . . . . . . . . . . . . . 59 D.40 lc-80-i18n .66 D.39 lc-61-pseudo. . . . . . . . . . . . . . . . . . . . . . . .66 D.40 lc-60-ex60 D.41 lc-55-iana . . . . . . . . . . . . . . . . . . . . . . . . . 60 Intellectual Property and Copyright Statements .66 D.41 lc-62-oldclient. . . . . .. . . . . . . . . . . . . . . . 67 D.42 lc-63-move . . . . . . . . . . . . . . . . . . . . . . . . . 67 D.43 lc-67-redirectref . . . . . . . . . . . . . . . . . . . . . 67 D.44 lc-06-reftarget-relative . . . . . . . . . . . . . . . . . . 67 D.45 lc-57-noautoupdate . . . . . . . . . . . . . . . . . . . . . 68 D.46 lc-71-relative . . . . . . . . . . . . . . . . . . . . . . . 68 D.47 lc-53-s10 . . . . . . . . . . . . . . . . . . . . . . . . . 68 D.48 lc-72-trailingslash . . . . . . . . . . . . . . . . . . . . 69 D.49 lc-54-s10 . . . . . . . . . . . . . . . . . . . . . . . . . 69 D.50 lc-50-blindredirect . . . . . . . . . . . . . . . . . . . . 69 D.51 lc-74-terminology . . . . . . . . . . . . . . . . . . . . . 70 D.52 lc-75-ignore . . . . . . . . . . . . . . . . . . . . . . . . 70 D.53 lc-76-location . . . . . . . . . . . . . . . . . . . . . . . 70 D.54 lc-78-directory . . . . . . . . . . . . . . . . . . . . . . 70 D.55 lc-79-accesscontrol . . . . . . . . . . . . . . . . . . . . 71 D.56 lc-80-i18n . . . . . . . . . . . . . . . . . . . . . . . . . 71 D.57 lc-55-iana . . . . . . . . . . . . . . . . . . . . . . . . . 71 D.58 lc-82-iana . . . . . . . . . . . . . . . . . . . . . . . . . 71 Intellectual Property and Copyright Statements . . . . . . . 72 1. Introduction This is one of a pair of specifications that extend the WebDAV Distributed Authoring Protocol to enable clients to create new access paths to existing resources. This capability is useful for several reasons: URIs of WebDAV-compliant resources are hierarchical and correspond to a hierarchy of collections in resource space. The WebDAV Distributed Authoring Protocol makes it possible to organize these resources into hierarchies, placing them into groupings, known as collections, which are more easily browsed and manipulated than a single flat collection. However, hierarchies require categorization decisions that locate resources at a single location in the hierarchy, a drawback when a resource has multiple valid categories. For example, in a hierarchy of vehicle descriptions containing collections for cars and boats, a description of a combination car/boat vehicle could belong in either collection. Ideally, the description should be accessible from both. Allowing clients to create new URIs that access the existing resource lets them put that resource into multiple collections. Hierarchies also make resource sharing more difficult, since resources that have utility across many collections are still forced into a single collection. For example, the mathematics department at one university might create a collection of information on fractals that contains bindings to some local resources, but also provides access to some resources at other universities. For many reasons, it may be undesirable to make physical copies of the shared resources on the local server: to conserve disk space, to respect copyright constraints, or to make any changes in the shared resources visible automatically. Being able to create new access paths to existing resources in other collections or even on other servers is useful for this sort of case. The redirect reference resources defined here provide a mechanism for creating alternative access paths to existing resources. A redirect reference resource is a resource in one collection whose purpose is to forward requests to another resource (its target), possibly in a different collection. In this way, it allows clients to submit requests to the target resource from another collection. It redirects most requests to the target resource using the HTTP 302 (Found) status code, thereby providing a form of mediated access to the target resource. The companion specification [B], defines the BIND method, a different mechanism for allowing clients to create alternative access paths to existing WebDAV-compliant resources. The BIND method lets clients associate a new URI with an existing WebDAV resource. This URI can then be used to submit requests to the resource. Since URIs of WebDAV-compliant resources are hierarchical, and correspond to a hierarchy of collections in resource space, the BIND method also has the effect of adding the resource to a collection. As new URIs are associated with the resource, it appears in additional collections. Redirect references and bindings have very different characteristics: A redirect reference is a resource, and so can have properties and a body of its own. Properties of a redirect reference resource can contain such information as who created the reference, when, and why. Since redirect reference resources are implemented using HTTP 302 responses, it generally takes two round trips to submit a request to the intended resource. Servers are not required to enforce the integrity of redirect references. Redirect references work equally well for local resources and for resources that reside on a different server from the reference. By contrast, a BIND request does not create a new resource, but simply makes available a new URI for submitting requests to an existing resource. The new URI is indistinguishable from any other URI when submitting a request to a resource. Only one round trip is needed to submit a request to the intended target. Servers are required to enforce the integrity of the relationships between the new URIs and the resources associated with them. Consequently, it may be very costly for servers to support BIND requests that cross server boundaries. The remainder of this document is structured as follows: Section 3 defines terms that will be used throughout the specification. Section 4 provides an overview of redirect reference resources. Section 5 discusses how to create a redirect reference resource. Section 6 defines the semantics of existing methods when applied to redirect reference resources, and Section 7 discusses their semantics when applied to collections that contain redirect reference resources. Sections 8 through 10 discuss several other issues raised by the existence of redirect reference resources. Sections 11 through 14 define the new headers, properties, and XML elements required to support redirect reference resources. Section 15 discusses capability discovery. Sections 16 through 18 present the security, internationalization, and IANA concerns raised by this specification. The remaining sections provide a variety of supporting information. 2. Notational Conventions Since this document describes a set of extensions to the WebDAV Distributed Authoring Protocol [RFC2518], itself an extension to the HTTP/1.1 protocol, the augmented BNF used here to describe protocol elements is exactly the same as described in Section 2.1 of [RFC2616]. Since this augmented BNF uses the basic production rules provided in Section 2.2 of [RFC2616], these rules apply to this document as well. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Terminology The terminology used here follows and extends that in the WebDAV Distributed Authoring Protocol specification [RFC2518]. Definitions of the terms resource, Uniform Resource Identifier (URI), and Uniform Resource Locator (URL) are provided in [RFC2396]. Reference Resource A resource whose purpose is to forward requests to another resource. Reference resources are an alternative mechanism to bindings (defined in [B]) for allowing clients to create multiple URIs that can be used to submit requests to the same resource. Redirect Reference Resource A resource that allows clients to forward requests to another resource using the HTTP 1.1 302 (Found) response mechanism. The client is aware that this type of reference resource is mediating between it and the target resource. Direct Reference Resource Direct Reference Resources are out of scope for this specification, but are defined here for contrast with redirect reference resources. A direct reference resource automatically forwards requests to another resource, in a way that is transparent to the client. Non-Reference Resource A resource that is not a reference to another resource. Target Resource The resource to which requests are forwarded by a reference resource. 4. Overview of Redirect Reference Resources For all operations submitted to a redirect reference resource, the default response is a 302 (Found), accompanied by the Redirect-Ref header (defined in Section 11.1 below) and the Location header set to the URI of the target resource. With this information, the client can resubmit the request to the URI of the target resource. A redirect reference resource never automatically forwards requests to its target resource. It is this characteristic that distinguishes redirect reference resource from direct reference resources and from bindings. It is also what helps to insure that redirect reference resources will be simple to implement and that cross-server references will be possible. If the redirect reference resource were required to forward requests automatically, the server would need proxy capabilities in order to support cross-server references. If the client is aware that it is operating on a redirect reference resource, it can resolve the reference by retrieving the reference resource's DAV:reftarget property (defined in Section 12.1 below), whose value contains the URI of the target resource. It can then submit requests to the target resource. A redirect reference resource is a new type of resource. To distinguish redirect reference resources from non-reference resources, a new value of the DAV:resourcetype property (defined in [RFC2518]), DAV:redirectref, is defined in Section 13.1 below. Since a redirect reference resource is a resource, it can have its own properties and body, and methods can be applied to the reference resource as well as to its target resource. The Apply-To-Redirect-Ref request header (defined in Section 11.2 below) is provided so that referencing-aware clients can control whether an operation is applied to the redirect reference resource or to its target resource. The Apply-To-Redirect-Ref header can be used with most requests to redirect reference resources. This header is particularly useful with PROPFIND, to retrieve the reference resource's own properties. 5. Creating a Redirect Reference Resource The MKRESOURCE method is used to create new redirect reference resources. As defined in Section 5.1, MKRESOURCE can be used to create a resource of any type other than standard data containers and collections. In order to create a redirect reference resource using MKRESOURCE, the values of two properties must be set in the body of the MKRESOURCE request. The value of DAV:resourcetype MUST be set to DAV:redirectref, a new value of DAV:resourcetype defined in Section 13.1. The value of DAV:reftarget MUST be set to the URI of the target resource. Used in this way, the MKRESOURCE method creates a redirect reference resource whose target is identified by the DAV:reftarget property. 5.1 MKRESOURCE The MKRESOURCE method requests the creation of a resource and initialization of its properties. It allows resources other than standard data containers and collections to be created and their properties initialized in one atomic operation. Preconditions: A resource MUST NOT exist at the Request-URI. Request Marshalling: The location of the new resource to be created is specified by the Request-URI. The request body of the MKRESOURCE method MUST consist of the DAV:propertyupdate XML element defined in Section 12.13 of [RFC2518]. Postconditions: If the response status code is 201, a new resource exists at the Request-URI. The body of the new resource is empty. The properties of the new resource are as specified by the DAV:propertyupdate request body, using PROPPATCH semantics. If the DAV:propertyupdate does not specify a DAV:resourcetype, the resource will be a standard data container. If the response status code is not 201, then a new resource is not created at the Request-URI, and any existing resource at the Request-URI is unaffected. Response Marshalling: Responses from a MKRESOURCE request MUST NOT be cached, as MKRESOURCE has non-idempotent semantics. The following status codes can be expected in responses to MKRESOURCE: 201 (Created): The new resource was successfully created. 207 (Multi-Status): This response is generated if an error was encountered while initializing the properties of the resource, in which case the response is as defined in Section 8.2.1 of [RFC2518]. 403 (Forbidden): The server does not allow the creation of the requested resource type at the requested location, or the parent collection of the Request-URI exists but cannot accept members. 409 (Conflict): A resource cannot be created at the Request-URI because the parent collection for the resource does not exist, or because there is already a resource at that request-URL. 423 (Locked): The Request-URI is locked, and the lock token was not passed with the request. 507 (Insufficient Storage): The server does not have sufficient space to record the state of the resource. 5.2 Example: Creating a Redirect Reference Resource with MKRESOURCE >> Request: MKRESOURCE /~whitehead/dav/spec08.ref HTTP/1.1 Host: www.ics.uci.edu Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <D:resourcetype><D:redirectref/></D:resourcetype> <D:reftarget> <D:href>/i-d/draft-webdav-protocol-08.txt</D:href> </D:reftarget> </D:prop> </D:set> </D:propertyupdate> >> Response: HTTP/1.1 201 Created This request resulted in the creation of a new redirect reference resource at www.ics.uci.edu/~whitehead/dav/spec08.ref, which points to the resource identified by the DAV:reftarget property. In this example, the target resource is identified by the URI http:// www.ics.uci.edu/i-d/draft-webdav-protocol-08.txt. The redirect reference resource's DAV:resourcetype property is set to DAV:redirectref. 6. Operations on Redirect Reference Resources Although non-referencing-aware clients cannot create reference resources, they should be able to submit requests through the reference resources created by reference-aware WebDAV clients. They should be able to follow any references to their targets. To make this possible, a server that receives any request made via a redirect reference resource MUST return a 302 (Found) status code, unless the request includes an Apply-To-Redirect-Ref header. The client and server MUST follow [RFC2616] Section 10.3.3 "302 Found," but with these additional rules: o The Location response header MUST contain an absolute URI that identifies the target61 1. Introduction This is one of a pair of specifications that extend thereference resource. o The response MUST include the Redirect-Ref header. This header allows reference-awareWebDAV Distributed Authoring Protocol to enable clients torecognize the resource as a reference resource and understand the reasoncreate new access paths to existing resources. This capability is useful forthe redirection. A reference-aware WebDAV client can act on this response in oneseveral reasons: URIs oftwo ways. It can, like a non-referencing client, resubmit the requestWebDAV-compliant resources are hierarchical and correspond tothe URI in the Location headera hierarchy of collections inorder to operate on the target resource. Alternatively,resource space. The WebDAV Distributed Authoring Protocol makes itcan resubmit the requestpossible tothe URI of the redirect reference resource with the Apply-To-Redirect-Ref headerorganize these resources into hierarchies, placing them into groupings, known as collections, which are more easily browsed and manipulated than a single flat collection. However, hierarchies require categorization decisions that locate resources at a single location inorder to operate onthereferencehierarchy, a drawback when a resourceitself. If the Apply-To-Redirect-Ref header is present,has multiple valid categories. For example, in a hierarchy of vehicle descriptions containing collections for cars and boats, a description of a combination car/boat vehicle could belong in either collection. Ideally, therequest MUSTdescription should beappliedaccessible from both. Allowing clients to create new URIs that access thereferenceexisting resourceitself, and a 302 response MUST NOT be returned. A reference-aware client may know before submitting its requestlets them put thatthe Request-URI identifiesresource into multiple collections. Hierarchies also make resource sharing more difficult, since resources that have utility across many collections are still forced into aredirect reference resource. In this case, ifsingle collection. For example, theclient wantsmathematics department at one university might create a collection of information on fractals that contains bindings toapply the methodsome local resources, but also provides access tothe reference resource,some resources at other universities. For many reasons, itcan savemay be undesirable to make physical copies of theround trip caused byshared resources on the302 response by using an Apply-To-Redirect-Ref header in its initial requestlocal server: tothe URI. A few methods need additional explanation: The Apply-To-Redirect-Ref header can be used with GETconserve disk space, to respect copyright constraints, orHEADtoretrievemake any changes in theentity headersshared resources visible automatically. Being able to create new access paths to existing resources in other collections or even on other servers is useful for this sort ofacase. The redirect referenceresource. When Apply-To-Redirect-Ref is used with GET or HEAD, the Redirect-Ref entity header MUST be returned.resources defined here provide a mechanism for creating alternative access paths to existing resources. A redirect reference resourceMAY have a body, though noneisdefined for ita resource inthis specification. The PUT method can be used, with Apply-To-Redirect-Ref,one collection whose purpose is tocreate or replace the body of a redirect reference resource. Since MKCOL and MKRESOURCE fail when appliedforward requests toexisting resources, if the client attemptsanother resource (its target), possibly in a different collection. In this way, it allows clients toresubmit the requestsubmit requests to the targetresource, the request MUST fail (unless the referenceresourceis a dangling reference). Similarly, if the client attempts to resubmit the requestfrom another collection. It redirects most requests to thereferencetarget resourcewith an Apply-To-Redirect-Ref header,using therequest MUST fail. 6.1 Example: GET on a Redirect Reference Resource >> Request: GET /bar.html HTTP/1.1 Host: www.foo.com >> Response: HTTP/1.1HTTP 302Found Location: http://www.svr.com/Internet/xxspec08.html Redirect-Ref: Since /bar.html is(Found) status code, thereby providing a form of mediated access to the target resource. A redirect referenceresource and the Apply-To-Redirect-Ref header is not included in the request, the responseis a302 (Found). The Redirect-Ref header informsresource, and so can have properties and areference-aware client that this is not an ordinary HTTP 1.1 redirect, but isbody of its own. Properties of a redirect referenceresource. The URI of the targetresourceis provided in the Location header so that the clientcanresubmitcontain such information as who created the reference, when, and why. Since redirect reference resources are implemented using HTTP 302 responses, it generally takes two round trips to submit a request to thetargetintended resource.6.2 Example: PUTServers are not required to enforce the integrity of redirect references. Redirect references work equally well for local resources and for resources that reside on aRedirect Reference Resource with Apply-To-Redirect-Ref >> Request: PUT /bar.html HTTP/1.1 Host: www.foo.com Apply-To-Redirect-Ref: Content-Type: text/xml; charset="utf-8" Content-Length: xxxx . . . some content . . . >> Response: HTTP/1.1 200 OK Although /bar.htmldifferent server from the reference. The remainder of this document is structured as follows: Section 3 defines terms that will be used throughout the specification. Section 4 provides an overview of redirect reference resources. Section 5 discusses how to create a redirect referenceresource,resource. Section 6 defines thepresencesemantics ofthe Apply-To-Redirect-Ref header prevents a 302 response, and instead causes the requestexisting methods when applied toberedirect reference resources, and Section 7 discusses their semantics when applied to collections that contain redirect reference resources. Sections 8 through 10 discuss several other issues raised by the existence of redirect referenceresource. The result in this case is thatresources. Sections 11 through 14 define the new headers, properties, and XML elements required to support redirect referenceresource is replacedresources. Section 15 discusses capability discovery. Sections 16 through 18 present the security, internationalization, and IANA concerns raised by this specification. The remaining sections provide anon-reference resource havingvariety of supporting information. 2. Notational Conventions Since this document describes a set of extensions to thecontent submitted withWebDAV Distributed Authoring Protocol [RFC2518], itself an extension to therequest. 6.3 Example: PROPPATCH on a Redirect Reference Resource >> Request: PROPPATCH /bar.html HTTP/1.1 Host: www.foo.com Content-Type: text/xml; charset="utf-8" Content-Length: xxxx <?xml version="1.0" encoding="utf-8" ?> <D:propertyupdate xmlns:D="DAV:" xmlns:Z="http://www.w3.com/standards/z39.50/"> <D:set> <D:prop> <Z:authors> <Z:Author>Jim Whitehead</Z:Author> <Z:Author>Roy Fielding</Z:Author> </Z:authors> </D:prop> </D:set> <D:remove> <D:prop> <Z:Copyright-Owner/> </D:prop> </D:remove> </D:propertyupdate> >> Response:HTTP/1.1302 Found Location: http://www.svr.com/Internet/xxspec08.html Redirect-Ref: Since /bar.htmlprotocol, the augmented BNF used here to describe protocol elements isa redirect reference resourceexactly the same as described in Section 2.1 of [RFC2616]. Since this augmented BNF uses the basic production rules provided in Section 2.2 of [RFC2616], these rules apply to this document as well. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", andthe Apply-To-Redirect-Ref header is not included"OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Terminology The terminology used here follows and extends that in therequest,WebDAV Distributed Authoring Protocol specification [RFC2518]. Definitions of theresponse is aterms resource, Uniform Resource Identifier (URI), and Uniform Resource Locator (URL) are provided in [RFC2396]. Redirect Reference Resource A resource created to redirect all requests made to it, using 302(Found). The Redirect-Ref header informs(Found), to areference-aware clientdefined target resource. Non-Reference Resource A resource thatthisis notan ordinary HTTP 1.1 redirect, but isaredirectreference to another resource. Target Resource TheURI of the targetresourceis provided in the Location header so that the client can resubmit the requesttothe targetwhich requests are forwarded by a reference resource.7. Operations on Collections That Contain4. Overview of Redirect Reference ResourcesConsistent with the rules in Section 6, the response for each redirect reference encountered while processing a collection MUST be a 302 (Found) unless a Apply-To-Redirect-Ref header is included with the request. The overall response will therefore be a 207 (Multi-Status). SinceFor all operations submitted to aLocation header and Redirect-Ref header cannot be returned for eachredirect referenceencountered, the same information is provided using properties inresource, the default responseelements for those resources. The DAV:location pseudo-property and the DAV:resourcetype property MUST be included with the 302 status code. This necessitates an extension to the syntax of the DAV:response element that was defined in [RFC2518]. The extensionisdefineda 302 (Found), accompanied by the Redirect-Ref header (defined in Section14 below. A referencing-aware client can tell from the DAV:resourcetype property that11.1 below) and thecollection contains a redirect reference resource. The DAV:location pseudo-property containsLocation header set to theabsoluteURI of the target resource.A referencing-awareWith this information, the client caneither useresubmit the request to the URIvalueof theDAV:location pseudo-propertytarget resource. A redirect reference resource never automatically forwards requests toresubmititsrequest totarget resource. Redirect resources bring the same benefits as links in HTML documents. They can be created and maintained without the involvement or even knowledge of their target resource. This reduces the cost of linking between resources." If the client is aware that it is operating on a redirect reference resource,orit cansubmitresolve therequestreference by retrieving the reference resource's DAV:reftarget property (defined in Section 12.1 below), whose value contains the URI of the target resource. It can then submit requests to the target resource. A redirect reference resourcewith Apply-To-Redirect-Ref. Itisrecommended that future editorsa new type of resource. To distinguish redirect reference resources from non-reference resources, a new value of[RFC2518] definetheDAV:location pseudo-propertyDAV:resourcetype property (defined in[RFC2518], so that non-referencing clients will also be able to use the response to operate on the target resource. (This will also enable clients to operate on traditional HTTP/1.1 302 responses[RFC2518]), DAV:redirectref, is defined inMulti-Status responses.) Until then, non- referencing clients will not be able to process 302 responses fromSection 13.1 below. Since a redirect referenceresources encountered while processingresource is acollection.resource, it can have its own properties and body, and methods can be applied to the reference resource as well as to its target resource. The Apply-To-Redirect-Ref request header (defined in Section11.2) MAY be used with any request on a collection. If present, it will be11.2 below) is provided so that referencing-aware clients can control whether an operation is applied toallthe redirect referenceresources encountered while processing the collection. 7.1 MOVE and DELETE on Collections That Contain Redirect References DELETE removes the binding that corresponds to the Request-URI. MOVE removes that binding and creates a new bindingresource or tothe sameits target resource.In cases where DELETE and MOVE are appliedThe Apply-To-Redirect-Ref header can be used with most requests toa collection, these operations affect all the descendents of the collection, but they do so indirectly. Thereredirect reference resources. This header isno need to visit each descendent in orderparticularly useful with PROPFIND, toprocessretrieve therequest. Consequently, even if there are redirectreferenceresources inresource's own properties. 5. Creating atree thatRedirect Reference Resource The MKRESOURCE method isbeing deleted or moved, there will be no 302 responses from theused to create new redirect reference resources.7.2 LOCK on a Collection That Contains Redirect References LOCK poses special problems because it is atomic. An attemptAs defined in Section 5.1, MKRESOURCE can be used tolock (with Depth: infinity)create acollection that contains redirect references will always fail. The Multi-Status response will containresource of any type other than standard data containers and collections. In order to create a302 response for eachredirectreference. Reference-aware clients can lock the collection byreference resource usingApply-To-Redirect-Ref, and, if desired, lockMKRESOURCE, the values of two properties must be set in thetargetsbody of theredirect references individually. Non-referencing clients must resortMKRESOURCE request. The value of DAV:resourcetype MUST be set tolocking each resource individually. 7.3 Example: PROPFIND on a Collection with Redirect Reference Resources SupposeDAV:redirectref, aPROPFIND request with Depth: infinity is submittednew value of DAV:resourcetype defined in Section 13.1. The value of DAV:reftarget MUST be set to thefollowing collection, withURI of themembers shown here: http://www.svr.com/MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut >> Request: PROPFIND /MyCollection/ HTTP/1.1 Host: www.svr.com Depth: infinity Content-Type: text/xml Content-Length: xxxx <?xml version="1.0" ?> <D:propfind xmlns:D="DAV: "> <D:prop xmlns:J="http://www.svr.com/jsprops/"> <D:resourcetype/> <J:keywords/> </D:prop> </D:propfind> >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: xxxx <?xml version="1.0" ?> <D:multistatus xmlns:D="DAV:" xmlns:J="http://www.svr.com/jsprops/"> <D:response> <D:href>http://www.svr.com/MyCollection/</D:href> <D:propstat> <D:prop> <D:resourcetype><D:collection/></D:resourcetype> <J:keywords>diary, interests, hobbies</J:keywords> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/diary.html</D:href> <D:propstat> <D:prop> <D:resourcetype/> <J:keywords>diary, travel, family, history</J:keywords> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/nunavut</D:href> <D:status>HTTP/1.1 302 Found</D:status> <D:prop> <D:location> <D:href>http://www.inac.gc.ca/art/inuit/</D:href> </D:location> <D:resourcetype><D:redirectref/></D:resourcetype> </D:prop> </D:response> </D:multistatus> Intarget resource. Used in thisexampleway, theDepth headerMKRESOURCE method creates a redirect reference resource whose target issetidentified by the DAV:reftarget property. 5.1 MKRESOURCE The MKRESOURCE method requests the creation of a resource and initialization of its properties. It allows resources other than standard data containers and collections toinfinity,be created and their properties initialized in one atomic operation. Preconditions: A resource MUST NOT exist at theApply-To-Redirect-Ref header is not used.Request-URI. Request Marshalling: Thecollection contains one URI that identifies a redirect reference resource.location of the new resource to be created is specified by the Request-URI. Theresponse element forrequest body of theredirect reference resource has a statusMKRESOURCE method MUST consist of302 (Found), and includes a DAV:propthe DAV:propertyupdate XML elementwithdefined in Section 12.13 of [RFC2518]. Postconditions: If theDAV:location pseudo-property andresponse status code is 201, a new resource exists at theDAV:resourcetype property to allow clients to retrieveRequest-URI. The body of the new resource is empty. The properties ofits target resource. (The response element fortheredirect referencenew resourcedoes not includeare as specified by therequested properties. The client can submit another PROPFINDDAV:propertyupdate requesttobody, using PROPPATCH semantics. If theURI inDAV:propertyupdate does not specify a DAV:resourcetype, theDAV:location pseudo-property to retrieve those properties.) 7.4 Example: PROPFIND with Apply-To-Redirect-Ref onresource will be aCollection with Redirect Reference Resources Supposestandard data container. If the response status code is not 201, then aPROPFIND request with Apply-To-Redirect-Ref and Depth = infinitynew resource issubmitted to the following collection, withnot created at themembers shown here: /MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut >> Request: PROPFIND /MyCollection/ HTTP/1.1 Host: www.svr.com Depth: infinity Apply-To-Redirect-Ref: Content-Type: text/xml Content-Length: xxxx <?xml version="1.0" ?> <D:propfind xmlns:D="DAV:"> <D:prop> <D:resourcetype/> <D:reftarget/> </D:prop> </D:propfind> >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: xxxx <?xml version="1.0" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.svr.com/MyCollection/</D:href> <D:propstat> <D:prop> <D:resourcetype><D:collection/></D:resourcetype> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> <D:propstat> <D:prop><D:reftarget/></D:prop> <D:status>HTTP/1.1 404 Not Found</D:status> </D:propstat> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/diary.html</D:href> <D:propstat> <D:prop> <D:resourcetype/> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> <D:propstat> <D:prop><D:reftarget/></D:prop> <D:status>HTTP/1.1 404 Not Found</D:status> </D:propstat> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/nunavut</D:href> <D:propstat> <D:prop> <D:resourcetype><D:redirectref/></D:resourcetype> <D:reftarget> <D:href>http://www.inac.gc.ca/art/inuit/</D:href> </D:reftarget> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus> SinceRequest-URI, and any existing resource at theApply-To-Redirect-Ref headerRequest-URI ispresent, theunaffected. Response Marshalling: Responses from a MKRESOURCE request MUST NOT be cached, as MKRESOURCE has non-idempotent semantics. The following status codes can be expected in responses to MKRESOURCE: 201 (Created): The new resource was successfully created. 207 (Multi-Status): This responseshowsis generated if an error was encountered while initializing the properties of theredirect reference resourceresource, in which case thecollection rather than the propertiesresponse is as defined in Section 8.2.1 ofits target.[RFC2518]. 403 (Forbidden): TheApply-To-Redirect-Ref header also prevents a 302 response from being returned forserver does not allow theredirect reference resource. 7.5 Example: COPY on a Collection That Contains a Redirect Reference Resource Suppose a COPY request is submitted tocreation of thefollowing collection, withrequested resource type at themembers shown: /MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut with target /Someplace/nunavut.map >> Request: COPY /MyCollection/ HTTP/1.1 Host: www.svr.com Depth: infinity Destination: http://www.svr.com/OtherCollection/ >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.svr.com/MyCollection/nunavut</D:href> <D:status>HTTP/1.1 302 Found</D:status> <D:prop> <D:location> <D:href>http://www.svr.com//Someplace/nunavut.map</D:href> </D:location> <D:resourcetype><D:redirectref/></D:resourcetype> </D:prop> </D:response> </D:multistatus> In this case, since /MyCollection/nunavut is a redirect reference resource,requested location, or theCOPY operation was onlyparent collection of the Request-URI exists but cannot accept members. 409 (Conflict): A resource cannot be created at the Request-URI because the parent collection for the resource does not exist, or because there is already apartial success. The redirect referenceresource at that request-URL. 423 (Locked): The Request-URI is locked, and the lock token was notcopied, but a 302 response was returned for it. Sopassed with the request. 507 (Insufficient Storage): The server does not have sufficient space to record theresulting collection is as follows: /OtherCollection/ (non-reference resource) diary.html 7.6state of the resource. 5.2 Example:LOCK on a Collection That ContainsCreating a Redirect Reference ResourceSuppose a LOCK request is submitted to the following collection,withthe members shown: /MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavutMKRESOURCE >> Request:LOCK /MyCollection/MKRESOURCE /~whitehead/dav/spec08.ref HTTP/1.1 Host:www.svr.comwww.ics.uci.edu Content-Type:text/xmltext/xml; charset="utf-8" Content-Length:nnnn Authorizaton: Digest username="jas", realm=jas@webdav.sb.aol.com, nonce=". . . ", uri="/MyCollection/tuva", response=". . . ", opaque=". . . "xxx <?xml version="1.0" encoding="utf-8" ?><D:lockinfo<D:propertyupdate xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope> <D:locktype><D:write/></D:locktype> <D:owner> <D:href>http://www.svr.com/~jas/contact.html</D:href> </D:owner> </D:lockinfo> >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: nnnn <?xml version="1.0" ?> <D:multistatus xmlns:D="Dav:"> <D:response> <D:href>http://www.svr.com/MyCollection/</D:href> <D:propstat> <D:prop><D:lockdiscovery/></D:prop> <D:status>HTTP/1.1 424 Failed Dependency</D:status> </D:propstat> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/diary.html</D:href> <D:status>HTTP/1.1 424 Failed Dependency</D:status> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/nunavut</D:href> <D:status>HTTP/1.1 302 Found</D:status><D:set> <D:prop><D:location> <D:href>http://www.inac.gc.ca/art/inuit/</D:href> </D:location><D:resourcetype><D:redirectref/></D:resourcetype> <D:reftarget> <D:href>/i-d/draft-webdav-protocol-08.txt</D:href> </D:reftarget> </D:prop></D:response> </D:multistatus> The server returns a 302 response code for the redirect reference resource in the collection. Consequently, neither the collection nor any of the resources identified by its internal member URIs were locked. A referencing-aware client can submit a separate LOCK</D:set> </D:propertyupdate> >> Response: HTTP/1.1 201 Created This requestto the URIresulted in theDAV:location pseudo-property returned for the redirect reference resource, and can resubmit the LOCK request with the Apply-To-Redirect-Ref header to the collection. At that point both the reference resource and its target resource will be locked (as well as the collection and all the resources identified by its other members). 8. Operations on Targets of Redirect Reference Resources Operations on targetscreation of a new redirect referenceresources have no effect onresource at www.ics.uci.edu/~whitehead/dav/spec08.ref, which points to thereference resource. 9. Relative URIs in DAV:reftarget The URI inresource identified by thehref in aDAV:reftargetproperty MAY be a relative URI.property. In thiscase, the base URI to be used for resolvingexample, therelative URI to absolute formtarget resource is identified by the URIused in the HTTP message to identify thehttp:// www.ics.uci.edu/i-d/draft-webdav-protocol-08.txt. The redirect referenceresource to which the DAV:reftargetresource's DAV:resourcetype propertybelongs. When DAV:reftarget occurs in the body of a MKRESOURCE request, the base URI is constructed as follows: Its scheme component is "http", its authority component is the value of the Host header in the request, and its path componentis set to DAV:redirectref. 6. Operations on Redirect Reference Resources Although non-referencing-aware clients cannot create reference resources, they should be able to submit requests through theRequest-URI in the request. See Section 5 of [RFC2396] for a discussion of relative URIreference resources created by reference-aware WebDAV clients. They should be able to follow any referencesand howtoresolve them. When DAV:reftarget appears in the context of a Multi-Status response, it is intheir targets. To make this possible, aDAV:response elementserver thatcontains a single DAV:href element. The value of this DAV:href element serves as the base URI for resolvingreceives any request made via arelative URI in DAV:reftarget. The value of DAV:href may itself be relative, in which case it must be resolved first in order to serve as the base URI for the relative URI in DAV:reftarget. Ifredirect reference resource MUST return a 302 (Found) status code, unless theDAV:href element is relative, its baserequest includes an Apply-To-Redirect-Ref header. The client and server MUST follow [RFC2616] Section 10.3.3 "302 Found," but with these additional rules: o The Location response header MUST contain an absolute URIis constructed from the scheme component "http",that identifies thevaluetarget of theHostreference resource. o The response MUST include the Redirect-Ref header. This headerinallows reference-aware WebDAV clients to recognize therequest,resource as a reference resource and understand therequest-URI. 9.1 Example: Resolving a Relative URIreason for the redirection. A reference-aware WebDAV client can act on this response in one of two ways. It can, like aMKRESOURCE Request >> Request: MKRESOURCE /north/inuvik HTTP/1.1 Host: www.somehost.edu Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <D:resourcetype><D:redirectref/></D:resourcetype> <D:reftarget> <D:href>mapcollection/inuvik.gif</D:href> </D:reftarget> </D:prop> </D:set> </D:propertyupdate> >> Response: HTTP/1.1 201 Created In this example, the base URI is http://www.somehost.edu/north/ inuvik. Then, followingnon-referencing client, resubmit therules in [RFC2396] Section 5,request to therelativeURI inDAV:reftarget resolves totheabsolute URI http:// www.somehost.edu/north/mapcollection/inuvik.gif. 9.2 Example: Resolving a Relative URILocation header ina Multi-Status Response >> Request: PROPFIND /geog/ HTTP/1.1 Host: www.xxsvr.com Apply-To-Redirect-Ref: Depth: 1 Content-Type: text/xml Content-Length: nnn <?xml version="1.0" ?> <D:propfind xmlns:D="DAV:"> <D:prop> <D:resourcetype/> <D:reftarget/> </D:prop> </D:propfind> >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: nnn <?xml version="1/0" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>/geog/</D:href> <D:propstat> <D:prop> <D:resourcetype><D:collection/></D:resourcetype> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> <D:propstat> <D:prop><D:reftarget/></D:prop> <D:status>HTTP/1.1 404 Not Found</D:status> </D:propstat> </D:response> <D:response> <D:href>/geog/stats.html</D:href> <D:propstat> <D:prop> <D:resourcetype><D:redirectref/></D:resourcetype> <D:reftarget> <D:href>statistics/population/1997.html</D:href> </D:reftarget> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus> In this example,order to operate on therelative URI statistics/population/1997.html is returned astarget resource. Alternatively, it can resubmit thevaluerequest to the URI ofreftarget forthe redirect reference resourceidentified by href /geog/stats.html. The hrefwith the Apply-To-Redirect-Ref header in order to operate on the reference resource itself. If the Apply-To-Redirect-Ref header isitselfpresent, the request MUST be applied to the reference resource itself, and arelative URI, which resolves302 response MUST NOT be returned. A reference-aware client may know before submitting its request that the Request-URI identifies a redirect reference resource. In this case, if the client wants tohttp://www.xxsrv.com/geog/stats.html. This isapply thebase URI for resolvingmethod to therelative URIreference resource, it can save the round trip caused by the 302 response by using an Apply-To-Redirect-Ref header inreftarget.its initial request to the URI. A few methods need additional explanation: Theabsolute URI of reftarget is http://www.xxsrv.com/geog/statistics/ population/1997.html. 10. Redirect ReferencesApply-To-Redirect-Ref header can be used with GET or HEAD toCollections In a Request-URI /segment1/segment2/segment3, any ofretrieve thethree segments may identifyentity headers of a redirect reference resource.(See [RFC2396], Section 3.3,When Apply-To-Redirect-Ref is used with GET or HEAD, the Redirect-Ref entity header MUST be returned. A redirect reference resource MAY have a body, though none is defined fordefinitions of "path" and "segment".) If any segmentit in this specification. The PUT method can be used, with Apply-To-Redirect-Ref, to create or replace the body of aRequest- URI identifiesredirect reference resource. 6.1 Example: GET on a Redirect Reference Resource >> Request: GET /bar.html HTTP/1.1 Host: www.foo.com >> Response: HTTP/1.1 302 Found Location: http://www.svr.com/Internet/xxspec08.html Redirect-Ref: Since /bar.html is a redirect referenceresource, the response is a 302. The value ofresource and theLocationApply-To-Redirect-Ref header is not included in the302request, the response isas follows:a 302 (Found). Theleftmost path segment of the request-URIRedirect-Ref header informs a reference-aware client thatidentifiesthis is not an ordinary HTTP 1.1 redirect, but is a redirect referenceresource, together with all path segments and separators to the leftresource. The URI ofit,the target resource isreplaced byprovided in thevalue ofLocation header so that theredirect reference resource's DAV:reftarget property (resolved to an absolute URI). The remainder ofclient can resubmit therequest-URI is concatenatedrequest tothis path. Note: IftheDAV:reftarget property endstarget resource. 6.2 Example: PUT on a Redirect Reference Resource with Apply-To-Redirect-Ref >> Request: PUT /bar.html HTTP/1.1 Host: www.foo.com Apply-To-Redirect-Ref: Content-Type: text/xml; charset="utf-8" Content-Length: xxxx . . . some content . . . >> Response: HTTP/1.1 200 OK Although /bar.html is a"/" andredirect reference resource, theremainderpresence of theRequest-URI is non-empty (and therefore must begin withApply-To-Redirect-Ref header prevents a"/ "),302 response, and instead causes thefinal "/"request to be applied to the reference resource. The result in this case is that theDAV:reftarget propertyreference resource isdropped beforereplaced by a non-reference resource having theremainder ofcontent submitted with theRequest-URI is appended. Consider Request-URI /x/y/z.html. Suppose that /x/request. 6.3 Example: PROPPATCH on a Redirect Reference Resource >> Request: PROPPATCH /bar.html HTTP/1.1 Host: www.foo.com Content-Type: text/xml; charset="utf-8" Content-Length: xxxx <?xml version="1.0" encoding="utf-8" ?> <D:propertyupdate xmlns:D="DAV:" xmlns:Z="http://www.w3.com/standards/z39.50/"> <D:set> <D:prop> <Z:authors> <Z:Author>Jim Whitehead</Z:Author> <Z:Author>Roy Fielding</Z:Author> </Z:authors> </D:prop> </D:set> <D:remove> <D:prop> <Z:Copyright-Owner/> </D:prop> </D:remove> </D:propertyupdate> >> Response: HTTP/1.1 302 Found Location: http://www.svr.com/Internet/xxspec08.html Redirect-Ref: Since /bar.html is a redirect reference resourcewhose target resourceand the Apply-To-Redirect-Ref header iscollection /a/, which contains redirect reference resource y whose target resourcenot included in the request, the response iscollection /b/, which containsa 302 (Found). The Redirect-Ref header informs a reference-aware client that this is not an ordinary HTTP 1.1 redirect, but is a redirect referenceresource z.html whoseresource. The URI of the target resource is/c/d.html. /x/y/z.html | | /x -> /a | v /a/y/z.html | | /a/y -> /b | v /b/z.html | | /b/z.html -> /c/d.html | v /c/d.html In this caseprovided in the Location header so that the clientmust follow up three separate 302 responses before finally reachingcan resubmit thetarget resource. The server respondsrequest to theinitial requesttarget resource. 7. Operations on Collections That Contain Redirect Reference Resources Consistent with the rules in Section 6, the response for each redirect reference encountered while processing a collection MUST be a 302 (Found) unless a Apply-To-Redirect-Ref header is included withLocation: /a/y/z.html, andtheclient resubmits the request to /a/y/z.html.request. Theserver responds to this request withoverall response will therefore be a302 with Location: /b/z.html,207 (Multi-Status). Since a Location header and Redirect-Ref header cannot be returned for each redirect reference encountered, theclient resubmitssame information is provided using properties in therequest to /b/z.html.response elements for those resources. Theserver responds to this request with a 302 with Location: /c/d.html,DAV:location pseudo-property and theclient resubmits the request to /c/d.html. This final request succeeds. 11. Headers 11.1 Redirect-Ref Response Header Redirect-Ref = "Redirect-Ref:"DAV:resourcetype property MUST be included with the 302 status code. This necessitates an extension to the syntax of the DAV:response element that was defined in [RFC2518]. TheRedirect-Ref headerextension isuseddefined inall 302 responsesSection 14 below. A referencing-aware client can tell fromredirect reference resources. Its presence informs reference-aware clientsthe DAV:resourcetype property that theresponse is not a plain HTTP/1.1 redirect, but is a response fromcollection contains a redirect reference resource.11.2 Apply-To-Redirect-Ref Request Header Apply-To-Redirect-Ref = "Apply-To-Redirect-Ref" ":"Theoptional Apply-To-Redirect-Ref headerDAV:location pseudo-property contains the absolute URI of the target resource. A referencing-aware client canbe used on anyeither use the URI value of the DAV:location pseudo-property to resubmit its request toa redirect reference resource. Whenthe target resource, or itis used,can submit the requestMUST be appliedto the redirect reference resourceitself, and a 302 response MUST NOT be returned. If the Apply-To-Redirect-Ref headerwith Apply-To-Redirect-Ref. It isused on a request to any other sortrecommended that future editors ofresource besides a redirect reference resource,[RFC2518] define theserver SHOULD ignore it. 12. Properties 12.1 reftarget Property Name: reftarget Namespace: DAV: Purpose: A property of redirect reference resourcesDAV:location pseudo-property in [RFC2518], so thatprovides an efficient way fornon-referencing clients will also be able todiscoveruse theURI ofresponse to operate on the target resource.This is a read-only property after its initial creation. Its value can only be set(This will also enable clients to operate on traditional HTTP/1.1 302 responses ina MKRESOURCE request. Value: href containing the URI of the target resource. This value MAYMulti-Status responses.) Until then, non-referencing clients will not be able to process 302 responses from redirect reference resources encountered while processing arelative URI.collection. Thereftarget property can occurApply-To-Redirect-Ref header (defined in Section 11.2) MAY be used with any request on a collection. If present, it will be applied to all redirect reference resources encountered while processing theentity bodies of MKRESOURCE requestscollection. 7.1 MOVE andof responses to PROPFIND requests. <!ELEMENT reftarget href > 12.2 location Pseudo-Property Name: location Namespace: DAV: Purpose: For use with 302 (Found) response codes in Multi-Status responses. It containsDELETE on Collections That Contain Redirect References DELETE removes theabsolute URI ofbinding that corresponds to thetemporary location ofRequest-URI. MOVE removes that binding and creates a new binding to the same resource. In cases where DELETE and MOVE are applied to a collection, these operations affect all thecontext of redirect reference resources, this value is the absolute URIdescendents of thetarget resource. Itcollection, but they do so indirectly. There isanalogousno need to visit each descendent in order to process theLocation headerrequest. Consequently, even if there are redirect reference resources inHTTPa tree that is being deleted or moved, there will be no 302 responsesdefined in [RFC2616] Section 10.3.3 "302 Found." Includingfrom thelocation pseudo-property inredirect reference resources. 7.2 LOCK on aMulti- Status response requires an extensionCollection That Contains Redirect References LOCK poses special problems because it is atomic. An attempt to lock (with Depth: infinity) a collection that contains redirect references will always fail. The Multi-Status response will contain a 302 response for each redirect reference. Reference-aware clients can lock thesyntaxcollection by using Apply-To-Redirect-Ref, and, if desired, lock the targets of theDAV:response element defined in [RFC2518], which is defined in Section 14 below. This pseudo-property is not expectedredirect references individually. Non-referencing clients must resort tobe storedlocking each resource individually. 7.3 Example: PROPFIND onthe reference resource. It is modeled as a property only so that it can be returned insideaDAV:prop element inCollection with Redirect Reference Resources Suppose aMulti-Status response. Value: href containing the absolute URI ofPROPFIND request with Depth: infinity is submitted to thetarget resource. <!ELEMENT location href > 13. XML Elements 13.1 redirectref XML Element Name: redirectref Namespace: DAV: Purpose: Used asfollowing collection, with thevalue ofmembers shown here: http://www.svr.com/MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut >> Request: PROPFIND /MyCollection/ HTTP/1.1 Host: www.svr.com Depth: infinity Content-Type: text/xml Content-Length: xxxx <?xml version="1.0" ?> <D:propfind xmlns:D="DAV: "> <D:prop xmlns:J="http://www.svr.com/jsprops/"> <D:resourcetype/> <J:keywords/> </D:prop> </D:propfind> >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: xxxx <?xml version="1.0" ?> <D:multistatus xmlns:D="DAV:" xmlns:J="http://www.svr.com/jsprops/"> <D:response> <D:href>http://www.svr.com/MyCollection/</D:href> <D:propstat> <D:prop> <D:resourcetype><D:collection/></D:resourcetype> <J:keywords>diary, interests, hobbies</J:keywords> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/diary.html</D:href> <D:propstat> <D:prop> <D:resourcetype/> <J:keywords>diary, travel, family, history</J:keywords> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/nunavut</D:href> <D:status>HTTP/1.1 302 Found</D:status> <D:prop> <D:location> <D:href>http://www.inac.gc.ca/art/inuit/</D:href> </D:location> <D:resourcetype><D:redirectref/></D:resourcetype> </D:prop> </D:response> </D:multistatus> In this example theDAV:resourcetype propertyDepth header is set tospecify thatinfinity, and theresource typeApply-To-Redirect-Ref header is not used. The collection contains one URI that identifies a redirect reference resource.<!ELEMENT redirectref EMPTY > 14. Extensions to the DAV:response XML ElementThe response element forMulti-Status Responses As described in Section 7,the redirect reference resource has a status of 302 (Found), and includes a DAV:prop element with the DAV:location pseudo-property and the DAV:resourcetype propertymay be returned in the DAV:response element of a 207 Multi-Status response,to allow clients toresubmit their requests toretrieve thetarget resourceproperties ofa redirect referenceits target resource.Whenever these properties are included in a Multi-Status response, they are placed in a DAV:prop(The response elementassociated with the href to which they apply. This structure provides a frameworkforfuture extensions by other standards that may need to include additional properties in their responses. Consequently,thedefinition ofredirect reference resource does not include theDAV:response XML element changesrequested properties. The client can submit another PROPFIND request to thefollowing: <!ELEMENT response (href, ((href*, status, prop?) | (propstat+)), responsedescription?) > 15. Capability Discovery Sections 9.1 and 15 of [RFC2518] describe the use of compliance classes with the DAV headerURI inresponses to OPTIONS, to indicate which parts of the WebDAV Distributed Authoring protocolstheresource supports. This specification defines an OPTIONAL extensionDAV:location pseudo-property to[RFC2518]. It definesretrieve those properties.) 7.4 Example: PROPFIND with Apply-To-Redirect-Ref on anew compliance class, called redirectrefs, for useCollection withthe DAV header in responses to OPTIONS requests. IfRedirect Reference Resources Suppose aresource does support redirect references, its response to an OPTIONSPROPFIND requestmay indicate that it does, by listing the new redirectrefs compliance class in the DAV headerand by listing the MKRESOURCE method as one it supports. When respondingwith Apply-To-Redirect-Ref and Depth: infinity is submitted toan OPTIONS request, any type of resource can include redirectrefs in the value of the DAV header. Doing so indicates thattheserver permits a redirect reference resource atfollowing collection, with therequest URI. 15.1 Example: Discovery of Support for Redirect Reference Resourcesmembers shown here: /MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut >> Request:OPTIONS /somecollection/someresourcePROPFIND /MyCollection/ HTTP/1.1HOST: somehost.orgHost: www.svr.com Depth: infinity Apply-To-Redirect-Ref: Content-Type: text/xml Content-Length: xxxx <?xml version="1.0" ?> <D:propfind xmlns:D="DAV:"> <D:prop> <D:resourcetype/> <D:reftarget/> </D:prop> </D:propfind> >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: xxxx <?xml version="1.0" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.svr.com/MyCollection/</D:href> <D:propstat> <D:prop> <D:resourcetype><D:collection/></D:resourcetype> </D:prop> <D:status>HTTP/1.1 200OK Date: Tue, 20 Jan 1998 20:52:29 GMT Connection: close Accept-Ranges: none Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, MKRESOURCE DAV: 1, 2, redirectrefs The DAVOK</D:status> </D:propstat> <D:propstat> <D:prop><D:reftarget/></D:prop> <D:status>HTTP/1.1 404 Not Found</D:status> </D:propstat> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/diary.html</D:href> <D:propstat> <D:prop> <D:resourcetype/> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> <D:propstat> <D:prop><D:reftarget/></D:prop> <D:status>HTTP/1.1 404 Not Found</D:status> </D:propstat> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/nunavut</D:href> <D:propstat> <D:prop> <D:resourcetype><D:redirectref/></D:resourcetype> <D:reftarget> <D:href>http://www.inac.gc.ca/art/inuit/</D:href> </D:reftarget> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus> Since the Apply-To-Redirect-Ref headerinis present, the responseindicates thatshows the properties of theresource / somecollection/someresource is level 1 and level 2 compliant, as defined in [RFC2518]. In addition, /somecollection/someresource supportsredirect referenceresources. The Allow header indicates that MKRESOURCE requests can be submitted to /somecollection/ someresource. The Public header shows that other Request-URIs onresource in theserver support additional methods. 16. Security Considerations This sectioncollection rather than reporting a 302 status. 7.5 Example: COPY on a Collection That Contains a Redirect Reference Resource Suppose a COPY request isprovidedsubmitted tomake applications that implement this protocol aware ofthesecurity implications of this protocol. All offollowing collection, with thesecurity considerations ofmembers shown: /MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut with target /Someplace/nunavut.map >> Request: COPY /MyCollection/ HTTP/1.1and the WebDAV Distributed Authoring Protocol specification also apply to this protocol specification.Host: www.svr.com Depth: infinity Destination: http://www.svr.com/OtherCollection/ >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>http://www.svr.com/MyCollection/nunavut</D:href> <D:status>HTTP/1.1 302 Found</D:status> <D:prop> <D:location> <D:href>http://www.svr.com//Someplace/nunavut.map</D:href> </D:location> <D:resourcetype><D:redirectref/></D:resourcetype> </D:prop> </D:response> </D:multistatus> Inaddition,this case, since /MyCollection/nunavut is a redirect referenceresources introduce several new security concerns and increaseresource, therisk of some existing threats. These issues are detailed below. 16.1 Privacy Concerns By creatingCOPY operation was only a partial success. The redirect referenceresources onresource was not copied, but atrusted server, it is possible302 response was returned for it. So the resulting collection is as follows: /OtherCollection/ (non-reference resource) diary.html 7.6 Example: LOCK on ahostile agent to induce users to send private information toCollection That Contains atarget onRedirect Reference Resource Suppose adifferent server. This riskLOCK request ismitigated somewhat, since clients are requiredsubmitted tonotifytheuser offollowing collection, with theredirection for any request other than GET or HEAD. (See [RFC2616], Section 10.3.3members shown: /MyCollection/ (non-reference resource) diary.html (redirect reference resource) nunavut >> Request: LOCK /MyCollection/ HTTP/1.1 Host: www.svr.com Content-Type: text/xml Content-Length: nnnn Authorizaton: Digest username="jas", realm=jas@webdav.sb.aol.com, nonce=". . . ", uri="/MyCollection/tuva", response=". . . ", opaque=". . . " <?xml version="1.0" ?> <D:lockinfo xmlns:D="DAV:"> <D:lockscope><D:exclusive/></D:lockscope> <D:locktype><D:write/></D:locktype> <D:owner> <D:href>http://www.svr.com/~jas/contact.html</D:href> </D:owner> </D:lockinfo> >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: nnnn <?xml version="1.0" ?> <D:multistatus xmlns:D="Dav:"> <D:response> <D:href>http://www.svr.com/MyCollection/</D:href> <D:propstat> <D:prop><D:lockdiscovery/></D:prop> <D:status>HTTP/1.1 424 Failed Dependency</D:status> </D:propstat> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/diary.html</D:href> <D:status>HTTP/1.1 424 Failed Dependency</D:status> </D:response> <D:response> <D:href>http://www.svr.com/MyCollection/nunavut</D:href> <D:status>HTTP/1.1 302Found.) 16.2 Redirect Loops AlthoughFound</D:status> <D:prop> <D:location> <D:href>http://www.inac.gc.ca/art/inuit/</D:href> </D:location> <D:resourcetype><D:redirectref/></D:resourcetype> </D:prop> </D:response> </D:multistatus> The server returns a 302 response code for the redirectloops were already possiblereference resource inHTTP 1.1,theintroductioncollection. Consequently, neither the collection nor any of theMKRESOURCE method createsresources identified by its internal member URIs were locked. A referencing-aware client can submit anew avenueseparate LOCK request to the URI in the DAV:location pseudo-property returned forclientsthe redirect reference resource, and can resubmit the LOCK request with the Apply-To-Redirect-Ref header tocreate loops accidentally or maliciously. Ifthe collection. At that point both the reference resource and its targetare onresource will be locked (as well as thesame server,collection and all theserver may be able to detect MKRESOURCE requests that would create loops. See also [RFC2616], Section 10.3 "Redirection 3xx." 16.3resources identified by its other members). 8. Operations on Targets of Redirect Reference Resourcesand Denial of Service Denial of service attacks were already possible by posting URLs that were intended for limited use at heavily used Web sites. The introduction of MKRESOURCE creates a new avenue for similar denialOperations on targets ofservice attacks. Clients can now createredirect reference resourcesat heavily used sites to target locations that were not designed for heavy usage. 16.4 Revealing Private Locations There are several ways that redirecthave no effect on the referenceresources may reveal information about directory structures. First,resource. 9. Relative URIs in DAV:reftarget The URI in the href in a DAV:reftarget propertyof every redirect reference resource containsMAY be a relative URI. In this case, the base URIofto be used for resolving thetarget resource. Anyone who has accessrelative URI to absolute form is thereference resource can discoverURI used in thedirectory path that leadsHTTP message to identify thetarget resource. The owner of the targetredirect reference resourcemay have wanted to limit knowledge of this directory structure. Sufficiently powerful access control mechanisms can control this risktosome extent. Property-level access control could prevent users from examiningwhich the DAV:reftargetproperty. (The Location header returnedproperty belongs. When DAV:reftarget occurs inresponses to requests on redirect reference resources reveals the same information, however.) In some environments,theownerbody of aresource might be able to use access control to prevent others from creating references to that resource. This risk is no greater thanMKRESOURCE request, thesimilar risk posed by HTML links. 17. Internationalization Considerations This specification followsbase URI is constructed as follows: Its scheme component is "http", its authority component is thepracticesvalue of[RFC2518]the Host header inencoding all human-readable content using XML [XML]the request, and its path component is the Request-URI in thetreatmentrequest. See Section 5 ofnames. Consequently, this specification complies with the IETF Character Set Policy [RFC2277]. WebDAV applications MUST support the character set tagging, character set encoding,[RFC2396] for a discussion of relative URI references and how to resolve them. When DAV:reftarget appears in thelanguage tagging functionalitycontext ofthe XML specification. This constraint ensuresa Multi-Status response, it is in a DAV:response element that contains a single DAV:href element. The value of this DAV:href element serves as thehuman-readable contentbase URI for resolving a relative URI in DAV:reftarget. The value ofthis specification complies with [RFC2277]. AsDAV:href may itself be relative, in[RFC2518], nameswhich case it must be resolved first inthis specification fall into three categories: names of protocol elements suchorder to serve asmethods and headers, names of XML elements, and names of properties. Naming of protocol elements followstheprecedentbase URI for the relative URI in DAV:reftarget. If the DAV:href element is relative, its base URI is constructed from the scheme component "http", the value ofHTTP, using English names encodedthe Host header inUSASCII for methodsthe request, andheaders. The names of XML elements usedthe request-URI. 9.1 Example: Resolving a Relative URI in a MKRESOURCE Request >> Request: MKRESOURCE /north/inuvik HTTP/1.1 Host: www.somehost.edu Content-Type: text/xml; charset="utf-8" Content-Length: xxx <?xml version="1.0" encoding="utf-8" ?> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <D:resourcetype><D:redirectref/></D:resourcetype> <D:reftarget> <D:href>mapcollection/inuvik.gif</D:href> </D:reftarget> </D:prop> </D:set> </D:propertyupdate> >> Response: HTTP/1.1 201 Created In thisspecification are English names encodedexample, the base URI is http://www.somehost.edu/north/ inuvik. Then, following the rules inUTF-8. For error reporting, [RFC2518] follows[RFC2396] Section 5, theconvention of HTTP/1.1 status codes, including with each status code a short, English description ofrelative URI in DAV:reftarget resolves to thecode (e.g., 423 Locked). Internationalized applications will ignoreabsolute URI http:// www.somehost.edu/north/mapcollection/inuvik.gif. 9.2 Example: Resolving a Relative URI in a Multi-Status Response >> Request: PROPFIND /geog/ HTTP/1.1 Host: www.xxsvr.com Apply-To-Redirect-Ref: Depth: 1 Content-Type: text/xml Content-Length: nnn <?xml version="1.0" ?> <D:propfind xmlns:D="DAV:"> <D:prop> <D:resourcetype/> <D:reftarget/> </D:prop> </D:propfind> >> Response: HTTP/1.1 207 Multi-Status Content-Type: text/xml Content-Length: nnn <?xml version="1/0" ?> <D:multistatus xmlns:D="DAV:"> <D:response> <D:href>/geog/</D:href> <D:propstat> <D:prop> <D:resourcetype><D:collection/></D:resourcetype> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> <D:propstat> <D:prop><D:reftarget/></D:prop> <D:status>HTTP/1.1 404 Not Found</D:status> </D:propstat> </D:response> <D:response> <D:href>/geog/stats.html</D:href> <D:propstat> <D:prop> <D:resourcetype><D:redirectref/></D:resourcetype> <D:reftarget> <D:href>statistics/population/1997.html</D:href> </D:reftarget> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus> In thismessage, and display an appropriate message inexample, theuser's language and character set. This specification introduces no new strings that are displayed to usersrelative URI statistics/population/1997.html is returned aspart of normal, error-free operation oftheprotocol. For rationales for these decisions and advicevalue of reftarget forapplication implementors, see [RFC2518]. 18. IANA Considerations This document usesthenamespaces definedreference resource identified by[RFC2518] for properties and XML elements. All other IANA considerations mentioned in [RFC2518] also applyhref /geog/stats.html. The href is itself a relative URI, which resolves tothis document. 19. Acknowledgementshttp://www.xxsrv.com/geog/stats.html. Thisdraft has benefited from thoughtful discussion by Jim Amsden, Peter Carlson, Steve Carter, Tyson Chihaya, Ken Coar, Ellis Cohen, Bruce Cragun, Spencer Dawkins, Mark Day, Rajiv Dulepet, David Durand, Roy Fielding, Yaron Goland, Fred Hitt, Alex Hopmann, James Hunt, Marcus Jager, Chris Kaler, Manoj Kasichainula, Rohit Khare, Daniel LaLiberte, Steve Martin, Larry Masinter, Jeff McAffer, Surendra Koduru Reddy, Max Rible, Sam Ruby, Bradley Sergeant, Nick Shelness, John Stracke, John Tigue, John Turner, Kevin Wiggen, and others. Normativeis the base URI for resolving the relative URI in reftarget. The absolute URI of reftarget is http://www.xxsrv.com/geog/statistics/ population/1997.html. 10. Redirect References[RFC2277] Alvestrand, H., "IETF Policy on Character Sets and Languages", BCP 18, RFC 2277, January 1998. [RFC2119] Bradner, S., "Key wordsto Collections In a Request-URI /segment1/segment2/segment3, any of the three segments may identify a redirect reference resource. (See [RFC2396], Section 3.3, forusedefinitions of "path" and "segment".) If any segment inRFCsa Request- URI identifies a redirect reference resource, the response is a 302. The value of the Location header in the 302 response is as follows: The leftmost path segment of the request-URI that identifies a redirect reference resource, together with all path segments and separators toIndicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2396] Berners-Lee, T., Fielding, R.the left of it, is replaced by the value of the redirect reference resource's DAV:reftarget property (resolved to an absolute URI). The remainder of the request-URI is concatenated to this path. Note: If the DAV:reftarget property ends with a "/" andL. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998. [RFC2518] Goland, Y., Whitehead, E., Faizi, A., Carter, S.the remainder of the Request-URI is non-empty (and therefore must begin with a "/ "), the final "/" in the DAV:reftarget property is dropped before the remainder of the Request-URI is appended. Consider Request-URI /x/y/z.html. Suppose that /x/ is a redirect reference resource whose target resource is collection /a/, which contains redirect reference resource y whose target resource is collection /b/, which contains redirect reference resource z.html whose target resource is /c/d.html. /x/y/z.html | | /x -> /a | v /a/y/z.html | | /a/y -> /b | v /b/z.html | | /b/z.html -> /c/d.html | v /c/d.html In this case the client must follow up three separate 302 responses before finally reaching the target resource. The server responds to the initial request with a 302 with Location: /a/y/z.html, andD. Jensen, "HTTP Extensions for Distributed Authoring -- WEBDAV", RFC 2518, February 1999. [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P.the client resubmits the request to /a/y/z.html. The server responds to this request with a 302 with Location: /b/z.html, andT. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. [XML] Bray, T., Paoli, J., Sperberg-McQueen, C.the client resubmits the request to /b/z.html. The server responds to this request with a 302 with Location: /c/d.html, andE. Maler, "Extensible Markup Language (XML) 1.0 (2nd ed)", W3C REC-xml, October 2000, <http://www.w3.org/TR/2000/ REC-xml-20001006>. Informative References [B] Clemm, G., Crawford, J., Reschke, J., Slein, J.the client resubmits the request to /c/d.html. This final request succeeds. 11. Headers 11.1 Redirect-Ref Response Header Redirect-Ref = "Redirect-Ref:" The Redirect-Ref header is used in all 302 responses from redirect reference resources. Its presence informs reference-aware clients that the response is not a plain HTTP/1.1 redirect, but is a response from a redirect reference resource. 11.2 Apply-To-Redirect-Ref Request Header Apply-To-Redirect-Ref = "Apply-To-Redirect-Ref" ":" The optional Apply-To-Redirect-Ref header can be used on any request to a redirect reference resource. When it is used, the request MUST be applied to the reference resource itself, andJ. Whitehead, "Binding Extensionsa 302 response MUST NOT be returned. If the Apply-To-Redirect-Ref header is used on a request to any other sort of resource besides a redirect reference resource, the server SHOULD ignore it. 12. Properties 12.1 reftarget Property Name: reftarget Namespace: DAV: Purpose: A property of redirect reference resources that provides an efficient way for clients toWebDAV", Internet Draft (work in progress) draft-ietf-webdav-bind-02, June 2003. URIs [1] <mailto:w3c-dist-auth@w3.org> [2] <mailto:w3c-dist-auth-request@w3.org?subject=subscribe> [3] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [4] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [5] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [6] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [7] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [8] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [9] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0296.html> [10] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [11] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0191.html> [12] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0222.html> [13] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [14] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [15] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [16] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0301.html> [17] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [18] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [19] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [20] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [21] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [22] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0303.html> [23] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [24] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [25] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [26] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [27] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [28] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [29] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [30] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [31] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [32] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [33] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0286.html> [34] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0287.html> [35] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [36] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [37] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0289.html> [38] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0285.html> [39] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0284.html> [40] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0306.html> [41] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0188.html> [42] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0288.html> [43] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [44] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [45] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0290.html> [46] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0291.html> [47] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0294.html> [48] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [49] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0295.html> [50] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0189.html> [51] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0189.html> [52] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [53] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [54] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [55] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0292.html> [56] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0293.html> [57] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0308.html> [58] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0188.html> [59] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [60] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [61] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0297.html> [62] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0298.html> [63] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [64] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [65] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [66] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0299.html> [67] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0302.html> [68] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [69] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [70] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [71] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [72] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [73] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0222.html> [74] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0307.html> [75] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [76] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0304.html> [77] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [78] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0304.html> [79] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0300.html> [80] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [81] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [82] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [83] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [84] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [85] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [86] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0305.html> [87] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> Authors' Addresses J. Slein Xerox Corporation 800 Phillips Road, 105-50C Webster, NY 14580 EMail: jslein@crt.xerox.com Jim Whitehead UC Santa Cruz, Dept.discover the URI of the target resource. This is a read-only property after its initial creation. Its value can only be set in a MKRESOURCE request. Value: href containing the URI of the target resource. This value MAY be a relative URI. The reftarget property can occur in the entity bodies of MKRESOURCE requests and of responses to PROPFIND requests. <!ELEMENT reftarget href > 12.2 location Pseudo-Property Name: location Namespace: DAV: Purpose: For use with 302 (Found) response codes in Multi-Status responses. It contains the absolute URI of the temporary location of the resource. In the context of redirect reference resources, this value is the absolute URI of the target resource. It is analogous to the Location header in HTTP 302 responses defined in [RFC2616] Section 10.3.3 "302 Found." Including the location pseudo-property in a Multi- Status response requires an extension to the syntax of the DAV:response element defined in [RFC2518], which is defined in Section 14 below. This pseudo-property is not expected to be stored on the reference resource. It is modeled as a property only so that it can be returned inside a DAV:prop element in a Multi-Status response. Value: href containing the absolute URI of the target resource. <!ELEMENT location href > 13. XML Elements 13.1 redirectref XML Element Name: redirectref Namespace: DAV: Purpose: Used as the value of the DAV:resourcetype property to specify that the resource type is a redirect reference resource. <!ELEMENT redirectref EMPTY > 14. Extensions to the DAV:response XML Element for Multi-Status Responses As described in Section 7, the DAV:location pseudo-property and the DAV:resourcetype property may be returned in the DAV:response element ofComputer Science 1156 High Street Santa Cruz, CA 95064 US EMail: ejw@cse.ucsc.edu J. Davis CourseNet Systems 170 Capp Street San Francisco, CA 94110 EMail: jrd3@alum.mit.edu G. Clemm Rational Software Corporationa 207 Multi-Status response, to allow clients to resubmit their requests to the target resource of a redirect reference resource. Whenever these properties are included in a Multi-Status response, they are placed in a DAV:prop element associated with the href to which they apply. This structure provides a framework for future extensions by other standards that may need to include additional properties in their responses. Consequently, the definition of the DAV:response XML element changes to the following: <!ELEMENT response (href, ((href*, status, prop?) | (propstat+)), responsedescription?) > 15. Capability Discovery Sections 9.1 and 15 of [RFC2518] describe the use of compliance classes with the DAV header in responses to OPTIONS, to indicate which parts of the WebDAV Distributed Authoring protocols the resource supports. This specification defines an OPTIONAL extension to [RFC2518]. It defines a new compliance class, called redirectrefs, for use with the DAV header in responses to OPTIONS requests. If a resource does support redirect references, its response to an OPTIONS request may indicate that it does, by listing the new redirectrefs compliance class in the DAV headerand by listing the MKRESOURCE method as one it supports. When responding to an OPTIONS request, any type of resource can include redirectrefs in the value of the DAV header. Doing so indicates that the server permits a redirect reference resource at the request URI. 15.1 Example: Discovery of Support for Redirect Reference Resources >> Request: OPTIONS /somecollection/someresource HTTP/1.1 HOST: somehost.org >> Response: HTTP/1.1 200 OK Date: Tue, 20Maguire Road Lexington, MA 02173-3104 EMail: geoffrey.clemm@us.ibm.com C. Fay FileNet Corporation 3565 Harbor Boulevard Costa Mesa, CA 92626-1420 EMail: cfay@filenet.com J. Crawford IBM Research P.O. Box 704 Yorktown Heights, NY 10598 EMail: ccjason@us.ibm.com Julian F. Reschke (editor) greenbytes GmbH Salzmannstrasse 152 Muenster, NW 48159 Germany Phone: +49 251 2807760 Fax: +49 251 2807761 EMail: julian.reschke@greenbytes.de URI: http://greenbytes.de/tech/webdav/ Appendix A. ChangesJan 1998 20:52:29 GMT Connection: close Accept-Ranges: none Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, MKRESOURCE DAV: 1, 2, redirectrefs The DAV header in the response indicates that the resource / somecollection/someresource is level 1 and level 2 compliant, as defined in [RFC2518]. In addition, /somecollection/someresource supports redirect reference resources. The Allow header indicates that MKRESOURCE requests can be submitted to /somecollection/ someresource. The Public header shows that other Request-URIs on the server support additional methods. 16. Security Considerations This section is provided to make applications that implement this protocol aware of the security implications of this protocol. All of the security considerations of HTTP/1.1 and the WebDAV Distributed Authoring Protocol specification also apply to this protocol specification. In addition, redirect reference resources introduce several new security concerns and increase the risk of some existing threats. These issues are detailed below. 16.1 Privacy Concerns By creating redirect reference resources on a trusted server, it is possible for a hostile agent to induce users to send private information to a target on a different server. This risk is mitigated somewhat, since clients are required to notify theWebDAV Document Type Definition <!-- XML Elements from Section 13 --> <!ELEMENT redirectref EMPTY > <!-- -->Property Elements fromuser of the redirection for any request other than GET or HEAD. (See [RFC2616], Section12 --> <!ELEMENT reftarget href> <!ELEMENT location href> <!-- Changes10.3.3 302 Found.) 16.2 Redirect Loops Although redirect loops were already possible in HTTP 1.1, the introduction of the MKRESOURCE method creates a new avenue for clients to create loops accidentally or maliciously. If theDAV:response Element from Section 14 --> <!ELEMENT response (href, ((href*, status, prop?) | (propstat+)), responsedescription?) > Appendix B. Change Log B.1 Since draft-ietf-webdav-redirectref-protocol-02 Julian Reschke takes editorial role (addedreference resource and its target are on the same server, the server may be able toauthors list). Cleanup XML indentation. Start adding all unresolved last call issues. Update some author's contact information. Update references, split into "normative"detect MKRESOURCE requests that would create loops. See also [RFC2616], Section 10.3 "Redirection 3xx." 16.3 Redirect Reference Resources and"informational". Remove non-RFC2616 headers ("Public") from examples. Fixed width problems in artwork. Start resolving editorial issues. Appendix C. Resolved issues IssuesDenial of Service Denial of service attacks were already possible by posting URLs that were intended for limited use at heavily used Web sites. The introduction of MKRESOURCE creates a new avenue for similar denial of service attacks. Clients can now create redirect reference resources at heavily used sites to target locations that wereeither rejected or resolved in this versionnot designed for heavy usage. 16.4 Revealing Private Locations There are several ways that redirect reference resources may reveal information about collection structures. First, the DAV:reftarget property ofthis document. C.1 lc-11-pagination Type: change [3] reuterj@ira.uka.de (2000-02-07): Don't paginateevery redirect reference resource contains thereview draft. Resolution: We will paginate in accordance with IETF rules, but will try to produce a nicely formatted review spec as well. C.2 lc-09-notational-after-introduction Type: change [4] reuterj@ira.uka.de (2000-02-07): Move Notational Conventions after Introduction. Resolution: Section will be moved. C.3 lc-13-usually Type: change [5] reuterj@ira.uka.de (2000-02-07): Intro, para 4: Change "usually"URI of the target resource. Anyone who has access to"possibly" inthesentence "A redirectreference resourceis a resource in onecan discover the collectionwhose purpose is to forward requestspath that leads toanotherthe target resource. The owner of the target resource(its target), usually in a different collection." Resolution: Agreed. C.4 lc-16-insure Type: change [6] reuterj@ira.uka.de (2000-02-07): Section 4, para 2: Change "It is also what insures"may have wanted to"It is also what helpslimit knowledge of this collection structure. Sufficiently powerful access control mechanisms can control this risk toinsure". Resolution: Agreed. C.5 lc-17-location Type: change [7] reuterj@ira.uka.de (2000-02-07): Section 4, para 3: Clients should usesome extent. Property-level access control could prevent users from examining the DAV:reftarget property. (The Locationheader, notheader returned in responses to requests on redirect reference resources reveals theDAV:reftarget property,same information, however.) In some environments, the owner of a resource might be able tofinduse access control to prevent others from creating references to that resource. This risk is no greater than the similar risk posed by HTML links. 17. Internationalization Considerations This specification follows thelocationpractices of [RFC2518] in encoding all human-readable content using XML [XML] and in thetarget. The purposetreatment of names. Consequently, this specification complies with theDAV:reftarget property should be to letIETF Character Set Policy [RFC2277]. WebDAV applications MUST support theclient update its value. Resolution: We need both Location (which is absolute)character set tagging, character set encoding, andtarget (which may be relative). See also issue 6, 43. C.6 lc-21-bind Type: change [8] reuterj@ira.uka.de (2000-02-07): Get rid ofthebinding-dependentlanguagein the last paratagging functionality ofSection 5. Resolution: Delete all butthefirst sentence in this paragraph. C.7 lc-46-bind Type: change [9] yarong@Exchange.Microsoft.com (2000-02-11): Remove dependency on bindings from second paragraph of section 5. Resolution: Agreed. C.8 lc-26-lang Type: edit [10] reuterj@ira.uka.de (2000-02-07): Change "is not created" to "was not created" in para 4 under Postconditions of MKRESOURCE. Resolution: Editor's discretion. C.9 lc-03-mkresource-response-cacheability Type: change [11] joe@orton.demon.co.uk (2000-01-26): Saying that responses to MKRESOURCE SHOULD NOT be cached suggestsXML specification. This constraint ensures thatthere are sometimes good reasons to cache responses. Is thisthecase? Resolution: Responses to MKREF MUST NOT be cached. C.10 lc-02-status-codes Type: change [12] joe@orton.demon.co.uk (2000-01-29): List only new status codes for MKRESOURCE. Don't discuss previously-defined status codes. Resolution: Follow same practice as in binding spec: for existing status codes, describe new circumstances that might cause them. Make it clear that we are not redefining these codes. C.11 lc-27-lang Type: edit [13] reuterj@ira.uka.de (2000-02-07): Section 6: Change "non-referencing-aware clients" to "clients not awarehuman-readable content of thisprotocol". Resolution: Editor's discretion. C.12 lc-30-headers Type: edit [14] reuterj@ira.uka.de (2000-02-07): Section 6, "When Apply-To-RR is usedspecification complies withGET or HEAD..." Either give a precise list[RFC2277]. As in [RFC2518], names in this specification fall into three categories: names of protocol elements such as methods and headers, names of XML elements, and names of properties. Naming of protocol elements follows theheaders that MUST be returned, or change MUST to SHOULD with the listprecedent ofexamples. Resolution: Delete "along with all HTTP headers that make senseHTTP, using English names encoded in USASCII forreference resources (for example, Cache-Control, Age, Etag, Expires,methods andLast-Modified)." See also issue 48. C.13 lc-32-ORDERPATCH Type: edit [15] reuterj@ira.uka.de (2000-02-07): Section 6. Don't talk about ORDERPATCH, since it hasn't been specified anywhere. Resolution: Agreed. See also issue 48. C.14 lc-51-repeat Type: change [16] yarong@Exchange.Microsoft.com (2000-02-11):headers. Thefirst sentencenames of XML elements used in thisparagraph says only what's clear from RFC 2518, so will cause confusion by its presence. Delete it. The last sentencespecification are English names encoded in UTF-8. For error reporting, [RFC2518] follows the convention ofthis paragraph lists methods. That's a bad idea. Remove it. Resolution: Delete entire paragraph. C.15 lc-59-depth Type: change [17] reuterj@ira.uka.de (2000-02-14): Section 7: When a method is being applied to a collectionHTTP/1.1 status codes, including withDepth > 0, let Apply-To-Redirect-Ref containeach status code alist of URIs. This way you could have it apply to some subsetshort, English description of theredirect referencescode (e.g., 423 Locked). Internationalized applications will ignore this message, and display an appropriate message in thecollection. Resolution: Declined. Too complex,user's language and character set. This specification introduces nouse case for it. C.16 lc-65-lock Type: change [18] reuterj@ira.uka.de (2000-02-14): "In the case of a redirect reference resource, I think the intended meaning of WebDAV isnew strings thatthe resource itself is the internal memberare displayed tobe locked, not the target resource. In so far, I think,users as part of normal, error-free operation of theApply-To-Redirect-Ref header should implicitly always be set,protocol. For rationales for these decisions and advice for application implementors, see [RFC2518]. 18. IANA Considerations All IANA considerations mentioned in [RFC2518] also apply to this document. 19. Acknowledgements This draft has benefited from thoughtful discussion by Jim Amsden, Peter Carlson, Steve Carter, Tyson Chihaya, Ken Coar, Ellis Cohen, Bruce Cragun, Spencer Dawkins, Mark Day, Rajiv Dulepet, David Durand, Roy Fielding, Yaron Goland, Fred Hitt, Alex Hopmann, James Hunt, Marcus Jager, Chris Kaler, Manoj Kasichainula, Rohit Khare, Daniel LaLiberte, Steve Martin, Larry Masinter, Jeff McAffer, Joe Orton, Surendra Koduru Reddy, Juergen Reuter, Max Rible, Sam Ruby, Bradley Sergeant, Nick Shelness, John Stracke, John Tigue, John Turner, Kevin Wiggen, anda LOCK requestothers. Normative References [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and Languages", BCP 18, RFC 2277, January 1998. [RFC2119] Bradner, S., "Key words fora collection MUST fail ifuse inthe hierarchy of collections there is an ordinary redirect reference as internal member." Resolution: Declined. Behavior will be the sameRFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2396] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998. [RFC2518] Goland, Y., Whitehead, E., Faizi, A., Carter, S. and D. Jensen, "HTTP Extensions forall methods. No exceptions. Consistency / simplicity override other considerations C.17 lc-66-depth Type: changeDistributed Authoring -- WEBDAV", RFC 2518, February 1999. [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. [XML] Bray, T., Paoli, J., Sperberg-McQueen, C. and E. Maler, "Extensible Markup Language (XML) 1.0 (2nd ed)", W3C REC-xml, October 2000, <http://www.w3.org/TR/2000/ REC-xml-20001006>. [1] <mailto:w3c-dist-auth@w3.org> [2] <mailto:w3c-dist-auth-request@w3.org?subject=subscribe> [3] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [4] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [5] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0286.html> [6] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [7] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [8] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0287.html> [9] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0188.html> [10] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [11] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [12] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0290.html> [13] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0291.html> [14] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0295.html> [15] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0188.html> [16] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [17] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [18] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0304.html> [19]reuterj@ira.uka.de (2000-02-14): 7.3, 7.4: Change "Depth=infinity" to "Depth: infinity". Resolution: Agreed. C.18 lc-69-424 Type: change<http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [20]reuterj@ira.uka.de (2000-02-14): 7.6: Thinks there should not be 424 returned for diary.html because it is not an ancestor of a member that caused the lock to fail. Resolution: No change needed. The interpretation of "dependency" in the example is correct. It doesn't have to do with ancestor relationship, only with what caused operation to fail. C.19 lc-68-lock Type: change<http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [21]reuterj@ira.uka.de (2000-02-14): 7.6: The LOCK example responds with 207, as does the example in RFC 2518, but section 8.10.4<http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0289.html> [22] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0285.html> [23] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0284.html> [24] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0306.html> [25] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0288.html> [26] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0290.html> [27] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0294.html> [28] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [29] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0189.html> [30] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0189.html> [31] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [32] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [33] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [34] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0292.html> [35] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0293.html> [36] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0308.html> [37] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [38] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [39] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0297.html> [40] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0298.html> [41] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [42] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0266.html> [43] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0299.html> [44] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0302.html> [45] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [46] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [47] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [48] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [49] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0222.html> [50] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0307.html> [51] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [52] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0304.html> [53] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [54] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0300.html> [55] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [56] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0316.html> [57] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [58] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [59] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0359.html> [60] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JanMar/ 0305.html> Authors' Addresses J. Slein Xerox Corporation 800 Phillips Road, 105-50C Webster, NY 14580 EMail: jslein@crt.xerox.com Jim Whitehead UC Santa Cruz, Dept. ofRFC 2518 says if the lock cannot be granted to all resources the response MUST be 409 conflict. Resolution: We'll keep 207 and encourage RFC 2518Computer Science 1156 High Street Santa Cruz, CA 95064 US EMail: ejw@cse.ucsc.edu J. Davis CourseNet Systems 170 Capp Street San Francisco, CA 94110 EMail: jrd3@alum.mit.edu G. Clemm Rational Software Corporation 20 Maguire Road Lexington, MA 02173-3104 EMail: geoffrey.clemm@us.ibm.com C. Fay FileNet Corporation 3565 Harbor Boulevard Costa Mesa, CA 92626-1420 EMail: cfay@filenet.com J. Crawford IBM Research P.O. Box 704 Yorktown Heights, NY 10598 EMail: ccjason@us.ibm.com Julian F. Reschke (editor) greenbytes GmbH Salzmannstrasse 152 Muenster, NW 48159 Germany Phone: +49 251 2807760 Fax: +49 251 2807761 EMail: julian.reschke@greenbytes.de URI: http://greenbytes.de/tech/webdav/ Appendix A. Changes tosay the same. (This inconsistency in RFC 2518 is onthe WebDAVissues list.) C.20 lc-52-no-relative Type: change [22] yarong@Exchange.Microsoft.com (2000-02-11): Don't allow relative URIs. Delete section 9. Resolution: Declined. Some applications need relative URI. C.21 lc-64-reftarget Type: change [23] reuterj@ira.uka.de (2000-02-14): Perhaps make DAV:location a real property, instead of DAV:reftarget, and require it to be an absolute URI. Resolution: Declined. Some applications need relative URI. See also issue 52. C.22 lc-70-relative Type: change [24] reuterj@ira.uka.de (2000-02-14): Section 9, para 1: Maybe say that the resulting absolute URI could be any of a number of URIs, depending on which URI is used in the request to identify the redirect reference. Resolution: No change needed. C.23 lc-73-asciiart Type: change [25] reuterj@ira.uka.de (2000-02-14):Document Type Definition <!-- XML Elements from Section10: Replace the ascii art with Juergen's suggestion (see his message). Resolution: Replace. C.24 lc-77-webdav-applications Type: change [26] reuterj@ira.uka.de (2000-02-22):13 --> <!ELEMENT redirectref EMPTY > <!-- -->Property Elements from Section16: Change "WebDAV applications"12 --> <!ELEMENT reftarget href> <!ELEMENT location href> <!-- Changes to"applications that implement this protocol". C.25 lc-10-title Type: change [27] reuterj@ira.uka.de (2000-02-07): Changethetitle of 16.4 so that it is not a sentence. Resolution:DAV:response Element from Section 14 --> <!ELEMENT response (href, ((href*, status, prop?) | (propstat+)), responsedescription?) > Appendix B. Change Log (to be removed by RFC Editor before publication) B.1 Since draft-ietf-webdav-redirectref-protocol-02 Julian Reschke takes editorial role (added to"Revealing Private Locations". C.26 lc-81-typo Type: change [28] reuterj@ira.uka.de (2000-02-22): Section 17: Typo "Asauthors list). Cleanup XML indentation. Start adding all unresolved last call issues. Update some author's contact information. Update references, split into "normative" and "informational". Remove non-RFC2616 headers ("Public") from examples. Fixed width problems in[WebDAV}" Resolution: Fixed. C.27 lc-18-resource-types Type: change [29] reuterj@ira.uka.de (2000-02-07): Need a registration procedure for resource types to insure interoperability. Resolution: We won't hold up this specartwork. Start resolving editorial issues. B.2 Since draft-ietf-webdav-redirectref-protocol-03 Added Joe Orton and Juergen Reuter toestablish a registration procedure. We will mention in IANA considerations that as the number of resource types grows the need for a registration procedure increases, but that there is none at this time. C.28 lc-84-ext Type: change [30] reuterj@ira.uka.de (2000-02-22): Appendix 24.1: This is not an extension but a replacement for the WebDAV definition of the response element. Resolution: Fixed.Acknowledgements section. Close more editorial issues. Remove dependencies on BIND spec. AppendixD. OpenC. Resolved issuesD.1 lc-85-301 Type: change ejw@cse.ucsc.edu (2000-01-03): Support creation(to be removed by RFC Editor before publication) Issues that were either rejected or resolved in this version ofother than 302 redirects, especially 301. D.2this document. C.1 lc-07-bind Type: change[31][3] reuterj@ira.uka.de (2000-02-07): Abstract should discuss only redirect references, not bindings. Expand discussion of redirect references. Resolution: Abstract will discuss only redirect references. See also issue 34.D.3C.2 lc-08-bind Type: change[32][4] reuterj@ira.uka.de (2000-02-07): Get rid of cross-references to the binding spec: in the abstract, in the introduction, in the definition of Reference Resource. Resolution: Cross-references to bindings will be removed. See also issue 34.D.4C.3 lc-34-bind Type: change[33][5] yarong@Exchange.Microsoft.com (2000-02-11): NoBind:Remove all cross-references to the binding spec. Prefer also removing all mention of bindings. Resolution: Agreed. See also issues 7, 8, 14 D.5 lc-35-bind Type: change [34] yarong@Exchange.Microsoft.com (2000-02-11): ReallyNoBind: Remove paras. 6 and 8 from Intro.Remove all cross-references to the binding spec. Prefer also removing all mention of bindings. Resolution: Agreed. See alsoissue 14. D.6issues 7, 8, 14 C.4 lc-83-bind Type: change[35][6] reuterj@ira.uka.de (2000-02-22): References: Get rid of the reference to the bindings spec.D.7Resolution: Agreed. C.5 lc-12-bind Type: change[36][7] reuterj@ira.uka.de (2000-02-07): First 3 paragraphs of Introduction are identical to those in binding spec. Make sure that any changes made there are also incorporated here. Resolution: These paragraphs will change as necessary to make the redirect spec completely independent of the rest of WebDAV.D.8 lc-38-not-hierarchicalC.6 lc-35-bind Type: change[37][8] yarong@Exchange.Microsoft.com (2000-02-11):Not Hierarchical: The first sentence ofReallyNoBind: Remove paras. 6 and 8 from Intro. Resolution: Agreed. See also issue 14. C.7 lc-01-body Type: change [9] joe@orton.demon.co.uk (2000-01-26): Entity Bodies for Redirect References: Clarify: Are there 2 resources, one that redirects and one that responds with its own entity body? Clarify: What is thesecond paragrapheffect of PUT for a URI that currently maps to a redirect reference? Resolution: Redirect resource MUST NOT have a body. See also issue last call issue 23. C.8 lc-14-bind Type: change [10] reuterj@ira.uka.de (2000-02-07): Limit theintroductiondiscussion of bindings to just what is needed to understand the differences from redirectspec asserts thatreferences. Maybe theURIs of WebDAV compliant resources match to collections. The WebDAV standard makes no such requirement. I therefore moveparagraph in the Intro thatthis sentence be stricken.starts "By contrast, a BIND request . . ." is all that is needed. Resolution:StateGet rid of discussion of bindings altogether. See also issue 34, 35. C.9 lc-15-direct-ref Type: change [11] reuterj@ira.uka.de (2000-02-07): Don't define Direct Reference Resource, since direct references are out of scope. (If you do keep themore general HTTP rationale first (alternative names fordefinition, say explicitly that a direct reference resource is a type of reference resource.) Resolution: Remove definition of Direct Reference Resource. See also issue 39. C.10 lc-39-no-reference-or-direct-resource Type: change [12] yarong@Exchange.Microsoft.com (2000-02-11): NoReferenceOrDirectResource: Remove thesame resource), then introducedefinitions of "Reference" and "Direct Reference Resource." Change thecollection hierarchy rationale, which applies only if you are indefinition of "Redirect Reference Resource" to be: Redirect Resource: A resource created to redirect all requests made to it, using 302 (Found), to aWebDAV-compliant space. D.9 lc-36-serverdefined target resource. julian.reschke@greenbytes.de (2003-07-27): (Rename from "redirect reference resource" to "redirect resource" delayed for now). Resolution: Agreed. See also issue 15. C.11 lc-40-direct Type: change[38][13] yarong@Exchange.Microsoft.com (2000-02-11):Servers: ReplaceAssorted changes to Section 4, para 2 to get rid of the word "forward" and the word "server" and remove comparison with"unrelated system" throughout.direct references. Resolution:Try replacing "server" with "host" in some contexts, rephrasing in passive voice in others.See also issue40. D.10 lc-33-forwarding33 (forward). See also issue 36 (server). Remove discussion of direct references. C.12 lc-45-apply-to-rr Type: change[39][14] yarong@Exchange.Microsoft.com (2000-02-11):Forwarding: Replace "forward" with "redirect" throughout. Resolution: Use "redirect"Suggested replacement text for this paragraph, which briefly introduces Apply-To-Redirect-Ref. Includes a note that even with this header, thebehavior redirect resources do exhibit. Use "forward"response may be a 302. Resolution: See issue 19 for replacement text. Disagree. Redirect reference will never respond to Apply-To-RR with 302. C.13 lc-01A-body Type: change [15] joe@orton.demon.co.uk (2000-01-26): In thecontrasting behavior (passing a methoddefinition of MKRESOURCE, "Body" needs to be defined or else terminology changed. Resolution: We will use MKREF instead of MKRESOURCE. C.14 lc-31-MKCOL Type: edit [16] reuterj@ira.uka.de (2000-02-07): Section 6, para on MKRESOURCE and MKCOL is obvious and doesn't need tothe target with no client action needed). Define these two terms.be stated. Maybe show in an example. Resolution: Agreed. See also issue40. D.11 lc-56-notjusthttp48. C.15 lc-67-redirectref Type: change[40][17] reuterj@ira.uka.de (2000-02-14): 7.4: The explanation should not contrast displaying the properties of the redirect ref with displaying the properties of its target, but with returning a 302. Resolution: Revise as recommended. C.16 lc-54-s10 Type: change [18] yarong@Exchange.Microsoft.com (2000-02-11):Make it clearThe Note: inexamplessection 10 has the same problem pointed out in Bindings.NoSlash andtextneeds to be fixed. It contradicts RFC 2518 and 2616, which both assume that a URL and theredirection URI could be non-HTTP.same URL + "/" may map to different resources. Resolution:We agreeAgreed in mailing list discussions thatitno change ispossible to create redirect references to non-HTTP resources. Add example. D.12 lc-01-bodyneeded. C.17 lc-78-directory Type: change[41] joe@orton.demon.co.uk (2000-01-26): Entity Bodies[19] reuterj@ira.uka.de (2000-02-22): Section 16.4: Change "directory" to "collection". Not new to this protocol. Holds forRedirect References: Clarify: Are there 2 resources, oneany protocol thatredirectshas hierarchical access paths. C.18 lc-82-iana Type: change [20] reuterj@ira.uka.de (2000-02-22): Section 18: Just reference [WebDAV] andone that responds with its own entity body? Clarify: What is the effect of PUT for a URI that currently maps to a redirect reference?say this protocol does not introduce any new considerations. Resolution:Redirect resource MUST NOT have a body. See also issue last callSimplify, then resolve issue23. D.13 lc-37-integrity55. Appendix D. Open issues (to be removed by RFC Editor before publication) D.1 lc-85-301 Type: change[42]ejw@cse.ucsc.edu (2000-01-03): Support creation of other than 302 redirects, especially 301. D.2 lc-38-not-hierarchical Type: change [21] yarong@Exchange.Microsoft.com (2000-02-11):Integrity: Intro, para 7 "Servers are not required to enforceNot Hierarchical: The first sentence of theintegritysecond paragraph ofredirect references." Integrity is not defined. Replace with something clearer. Resolution: Rewrite to say thattheserver MUST NOT updateintroduction of thetarget See also issue 6. D.14 lc-14-bind Type: change [43] reuterj@ira.uka.de (2000-02-07): Limitredirect spec asserts that thediscussionURIs ofbindings to just what is neededWebDAV compliant resources match tounderstandcollections. The WebDAV standard makes no such requirement. I therefore move that this sentence be stricken. Resolution: State thedifferences from redirect references. Maybemore general HTTP rationale first (alternative names for theparagraph insame resource), then introduce theIntro that starts "By contrast,collection hierarchy rationale, which applies only if you are in aBIND request . . ." is all that is needed. Resolution: Get rid of discussion of bindings altogether. See also issue 34, 35. D.15 lc-15-direct-refWebDAV-compliant space. D.3 lc-36-server Type: change[44] reuterj@ira.uka.de (2000-02-07): Don't define Direct Reference Resource, since direct references are out of scope. (If you do keep the definition, say explicitly that a direct reference resource is a type of reference resource.)[22] yarong@Exchange.Microsoft.com (2000-02-11): Servers: Replace "server" with "unrelated system" throughout. Resolution:Remove definition of Direct Reference Resource.Try replacing "server" with "host" in some contexts, rephrasing in passive voice in others. See also issue39. D.16 lc-39-no-reference-or-direct-resource40. D.4 lc-33-forwarding Type: change[45][23] yarong@Exchange.Microsoft.com (2000-02-11):NoReferenceOrDirectResource: Remove the definitions of "Reference" and "Direct Reference Resource." ChangeForwarding: Replace "forward" with "redirect" throughout. Resolution: Use "redirect" for thedefinition of "Redirect Reference Resource" to be: Redirect Resource: A resource created tobehavior redirectall requests made to it, using 302 (Found), toresources do exhibit. Use "forward" for the contrasting behavior (passing adefinedmethod on to the targetresource. Resolution: Agreed.with no client action needed). Define these two terms. See also issue15. D.17 lc-40-direct40. D.5 lc-56-notjusthttp Type: change[46][24] yarong@Exchange.Microsoft.com (2000-02-11):Assorted changesMake it clear in examples and text that the redirection URI could be non-HTTP. Resolution: We agree that it is possible toSection 4,create redirect references to non-HTTP resources. Add example. D.6 lc-37-integrity Type: change [25] yarong@Exchange.Microsoft.com (2000-02-11): Integrity: Intro, para27 "Servers are not required toget rid of the word "forward" andenforce theword "server" and remove comparisonintegrity of redirect references." Integrity is not defined. Replace withdirect references.something clearer. Resolution: Rewrite to say that the server MUST NOT update the target See also issue33 (forward). See also issue 36 (server). Remove discussion6. D.7 3-terminology-redirectref Type: change [26] julian.reschke@greenbytes.de (2003-07-27): Consider global rename ofdirect references. D.18"redirect reference resource" to "redirect resource". D.8 lc-43-webdav Type: change[47][27] yarong@Exchange.Microsoft.com (2000-02-11): Get rid of the DAV:reftarget property. Resolution: DAV:reftarget is readonly and is present only for redirect references that are also WebDAV resources. We'll also have a method for setting target; Redirect-Ref header (returned on all 302 responses) will have the target as its value. See also issue 6, 17, 50.D.19D.9 lc-19-direct-ref Type: change[48][28] reuterj@ira.uka.de (2000-02-07): Section 4, para 5 and Section 6, para 3 discussions of the Apply-to-Redirect-Ref header make it sound as if we are specifying direct reference behavior. Resolution: Change these passages so that the contrast is between applying the method to the redirect reference and responding with a 302.D.20 lc-45-apply-to-rr Type: change [49] yarong@Exchange.Microsoft.com (2000-02-11): Suggested replacement text for this paragraph, which briefly introduces Apply-To-Redirect-Ref. Includes a note that even with this header, the response may be a 302. Resolution: See issue 19 for replacement text. Disagree. Redirect reference will never respond to Apply-To-RR with 302. D.21D.10 lc-04-standard-data-container Type: change[50][29] joe@orton.demon.co.uk (2000-01-26): "Standard data container" needs to be defined in the context of MKRESOURCE Resolution: Not relevant once we switch to MKREF.D.22D.11 lc-05-standard-data-container Type: change[51][30] joe@orton.demon.co.uk (2000-01-26): Inconsistency about whether a "standard data container" can be created with MKRESOURCE or not. Resolution: Not relevant once we switch to MKREF.D.23D.12 lc-20-intro-mkresource Type: change[52][31] reuterj@ira.uka.de (2000-02-07): Section 5: Start with "The new MKRESOURCE method" to make it clear that it is being introduced for the first time here. Resolution: Say "The MKREF method defined normatively here . . ."D.24D.13 lc-22-coll Type: change[53][32] reuterj@ira.uka.de (2000-02-07): Inconsistency about whether collections can be created with MKRESOURCE. Resolution: Not relevant for MKREF.D.25D.14 lc-25-atomic Type: change[54][33] reuterj@ira.uka.de (2000-02-07): Is MKRESOURCE atomic as viewed by a client? Can another client access the new resource's properties before they have been fully initialized? Maybe the MKRESOURCE request should let the client ask for it to be atomic. Resolution: No longer relevant once we switch to MKREF with no request body.D.26D.15 lc-41-no-webdav Type: change[55][34] yarong@Exchange.Microsoft.com (2000-02-11): Make redirect references independent of the rest of WebDAV. The creation method for redirect references shouldn't require an XML request body. Resolution: We will make redirect references independent of the rest of WebDAV. MKREF will not have an XML request body.D.27D.16 lc-42-no-webdav Type: change[56][35] yarong@Exchange.Microsoft.com (2000-02-11): Use a creation method that creates only redirect references. The MKRESOURCE method hinders experiment because a user of a server who wishes to add support for the creation of a new resource type can't simply throw in another Apache module and allow it to provide the code for the new resource type. They have to find the code used for MKRESOURCE and change it to support the new resource type. Resolution: We will replace MKRESOURCE with MKREF, which creates only redirect reference resources.D.28D.17 lc-58-update Type: change[57][36] yarong@Exchange.Microsoft.com (2000-02-11): There needs to be away to update the target of a redirect reference. Resolution: Agreed. See also issues 6, 43. D.29 lc-01A-body Type: change [58] joe@orton.demon.co.uk (2000-01-26): In the definition of MKRESOURCE, "Body" needsway tobe defined or else terminology changed. Resolution: We will use MKREF insteadupdate the target ofMKRESOURCE. D.30a redirect reference. Resolution: Agreed. See also issues 6, 43. D.18 lc-23-body Type: change[59][37] reuterj@ira.uka.de (2000-02-07): Section 5.1: Get rid of the statement that the body of the resource is empty (PostConditions). It would be good if the response to GET included a response body that could be shown to a user by a client that doesn't do automatic redirection. There is a related problem in Section 6 on PUT. It is wrong to assume that what is PUT to a resource is what GET will return. In Section 6, say "A PUT with Apply-To-RR MAY contain a request body. The semantics of the request body is out of scope for this specification..." Also fix the discussion of example 6.2. Resolution: Redirect references cannot have bodies. GET with Apply-To-RR MUST fail with 403. PUT with Apply-To-RR MUST fail with 403. See also issue 1.D.31D.19 lc-24-properties Type: change[60][38] reuterj@ira.uka.de (2000-02-07): Section 5.1: Replace the sentence "The properties of the new resource are as specified by the DAV:propertyupdate request body, using PROPPATCH semantics" with the following: "The MKRESOURCE request MAY contain a DAV:propertyupdate request body to initialize resource properties. Herein, the semantics is the same as when sending a MKRESOURCE request without a request body, followed by a PROPPATCH with the DAV:propertyupdate request body." Resolution: No longer relevant once we switch to MKREF with no request body.D.32D.20 lc-47-207 Type: change[61][39] yarong@Exchange.Microsoft.com (2000-02-11): In line with his wish to get rid of the request message body of MKRESOURCE, 207 would not be an appropriate response code. The description of 409 might lead someone to believe that you can't create redirect references outside of WebDAV namespaces. Suggests a different description. Resolution: No longer relevant - MKREF can't get a 207 response. Revise to make it clear that the first condition will only occur in WebDAV-compliant namespaces.D.33D.21 lc-48-s6 Type: change[62][40] yarong@Exchange.Microsoft.com (2000-02-11): Replace all of section 6 with just this: A redirect resource, upon receiving a request without an Apply-To-Redirect-Ref header, MUST respond with a 302 (Found) response. The 302 (Found) response MUST include a location header identifying the target and a Redirect-Ref header. If a redirect resource receives a request with an Apply-To-Redirect-Ref header then the redirect reference resource MUST apply the method to itself rather than blindly returning a 302 (Found) response. Resolution: Keep a summary along the lines of Yaron's proposal (don't use the word "blindly"). Keep the bullets detailing the headers to be returned. Delete the rest, including the examples. See also issue 28, 29, 30, 31, 32.D.34D.22 lc-28-lang Type: edit[63][41] reuterj@ira.uka.de (2000-02-07): Section 6: Get rid of the sentence "A reference-aware WebDAV client can act on this response in one of two ways." A client can act on the response in any way it wants. Resolution: Agreed. See also issue 48.D.35D.23 lc-29-lang Type: edit[64][42] reuterj@ira.uka.de (2000-02-07): Section 6, para 4: Obvious, doesn't need to be stated. Maybe note in an example. Resolution: Agreed. See also issue 48.D.36 lc-31-MKCOL Type: edit [65] reuterj@ira.uka.de (2000-02-07): Section 6, para on MKRESOURCE and MKCOL is obvious and doesn't need to be stated. Maybe show in an example. Resolution: Agreed. See also issue 48. D.37D.24 lc-49-put Type: change[66][43] yarong@Exchange.Microsoft.com (2000-02-11): Remove the last sentence of Example 6.2, which says that PUT replaces the reference with a different resource. Resolution: No longer relevant. Deleted this example in response to issue 48.D.38D.25 lc-44-pseudo Type: change[67][44] yarong@Exchange.Microsoft.com (2000-02-11): Instead of adding an optional prop XML element to the response element in 207 responses, define a new location XML element and a new refresource XML element. Resolution: Agree to define new XML elements that are not pseudo-properties. Disagreement about whether refresource is needed. See issue 61.D.39D.26 lc-61-pseudo Type: change[68][45] reuterj@ira.uka.de (2000-02-14): Section 7: It doesn't make sense to ask future editors of RFC 2518 to define DAV:location with the semantics it has here. RFC 2518 should provide the information in the Location header somehow in multistatus responses, but not by using properties. Resolution: Define an XML element for location that is not a pseudo-property. We'll keep the recommendation that RFC 2518 add this for 302 responses. See also issue 44.D.40D.27 lc-60-ex Type: change[69][46] reuterj@ira.uka.de (2000-02-14): Section 7, para 3: Make it clear that these are just examples of client behavior, and are not meant to limit the client's behavior to these options. Resolution: Agreed to delete this paragraph. Continue discussion of what information should be returned with 302 in multistatus. Just location? Also redirectref?D.41D.28 lc-62-oldclient Type: change[70][47] reuterj@ira.uka.de (2000-02-14): Section 7: It's too strong to claim that non-referencing clients can't process 302 responses occurring in Multi-Status responses. They just have an extra round trip for each 302. Resolution: Remove last sentence of the paragraph that recommends changes to RFC 2518.D.42D.29 lc-63-move Type: change[71][48] reuterj@ira.uka.de (2000-02-14): Section 7.1: Is MOVE atomic from the perspective of a client? Agrees that there should be no 302s for member redirect references, but finds the rationale dubious. Resolution: Remove 7.1. Reword 7.2 to avoid concerns with "poses special problems" and "due to atomicity".D.43 lc-67-redirectref Type: change [72] reuterj@ira.uka.de (2000-02-14): 7.4: The explanation should not contrast displaying the properties of the redirect ref with displaying the properties of its target, but with returning a 302. Resolution: Revise as recommended. D.44D.30 lc-06-reftarget-relative Type: change[73][49] joe@orton.demon.co.uk (2000-01-29): Why does the spec talk about relative URIs in DAV:reftarget in MKRESOURCE requests? Is the server required to resolve the relative URI and store it as absolute? Is the server required to keep DAV:reftarget pointing to the target resource as the reference / target move, or is DAV:reftarget a dead property? Resolution: DAV:reftarget is readonly and present only on redirect references that are also WebDAV resources. Add a method for setting the target. Change definition of Redirect-Ref header so that it has the target as its value (comes back on all 302 responses). Server MUST store the target exactly as it is set. It MUST NOT resolve relatives to absolutes and MUST NOT update if target resource moves. See also issue 17, 43, 50, 57D.45D.31 lc-57-noautoupdate Type: change[74][50] yarong@Exchange.Microsoft.com (2000-02-11): Add language to forbid servers from automatically updating redirect resources when their targets move. Resolution: Agreed. See also issue 6.D.46D.32 lc-71-relative Type: change[75][51] reuterj@ira.uka.de (2000-02-14): Section 9: Base URI should be the Request-URI or href minus its final segment. Resolution: Fix this.D.47D.33 lc-53-s10 Type: change[76][52] yarong@Exchange.Microsoft.com (2000-02-11): The behavior described in this section would have a very serious impact on the efficiency of mapping Request-URIs to resources in HTTP request processing. Also specify another type of redirect resource that does not behave as in section 10, but instead would "expose the behavior we see today in various HTTP servers that allow their users to create 300 resources." Be sure we know what behavior will be if the redirect location is not an HTTP URL, but, say ftp. Resolution: We won't define 2 sorts of redirect references here. Servers SHOULD respond with 302 as described here, but if they can't do that, respond with 404 Not Found. (It's hard to modularize the behavior specified - it impacts processing Not Found cases of all methods, so you can't just add it to an HTTP server in a redirect ref module.)D.48D.34 lc-72-trailingslash Type: change[77][53] reuterj@ira.uka.de (2000-02-14): Section 10: Forbid DAV:reftarget from ending in "/" Resolution: Make the note warn about the possibility of two slashes in a row, recommend against ending target with a slash, since that could result in two slashes in a row.D.49 lc-54-s10 Type: change [78] yarong@Exchange.Microsoft.com (2000-02-11): The Note: in section 10 has the same problem pointed out in Bindings.NoSlash and needs to be fixed. It contradicts RFC 2518 and 2616, which both assume that a URL and the same URL + "/" may map to different resources. Resolution: Agreed in mailing list discussions that no change is needed. D.50D.35 lc-50-blindredirect Type: change[79][54] yarong@Exchange.Microsoft.com (2000-02-11): Replace current language explaining the purpose of the Redirect-Ref header with language that simply states that it marks blind 302 responses from redirect resources. (Section 6.3, 11.1) Resolution: Section 6.3 was removed in response to issue 48. In 11.1, change the definition of the Redirect-Ref header to have the value of the target (relative URI) as its value. Then we don't need a method for retrieving the target's relative URI. Presence of the Redirect-Ref header lets the client know that the resource accepts Apply-To-RR header and the new method for updating target. Reject Yaron's suggested language, but make the above changes.D.51D.36 lc-74-terminology Type: change[80][55] reuterj@ira.uka.de (2000-02-14): "plain HTTP/1.1 redirect" - find some good name for this an use it consistentlyD.52D.37 lc-75-ignore Type: change[81][56] reuterj@ira.uka.de (2000-02-14): 11.2: "If the Apply-To-Redirect-Ref header is used on a request to any other sort of resource besides a redirect reference resource, the server SHOULD ignore it." Don't need to say this since HTP already says that any header that is not understood should be ignored.D.53D.38 lc-76-location Type: change[82][57] reuterj@ira.uka.de (2000-02-22): 12.2: Make DAV:location a real (live) property, get rid of the DAV:reftarget propertyD.54 lc-78-directory Type: change [83] reuterj@ira.uka.de (2000-02-22): Section 16.4: Change "directory" to "collection". Not new to this protocol. Holds for any protocol that has hierarchical access paths. D.55D.39 lc-79-accesscontrol Type: change[84][58] reuterj@ira.uka.de (2000-02-22): Section 16.4: "In some environments, the owner of a resource might be able to use access control to prevent others from creating references to that resource." That would not be consistent with the concept of redirect references as weak links (e.g. think of moving a resource to a different locationo that is already the target of some redirection reference.D.56D.40 lc-80-i18n Type: change[85][59] reuterj@ira.uka.de (2000-02-22): Section 17: Could get rid of a lot of this section, since this protocol extends WebDAV. Just reference [WebDAV].D.57D.41 lc-55-iana Type: change[86][60] yarong@Exchange.Microsoft.com (2000-02-11): Expand the IANA section to list all methods, headers, XML elements, MIME types, URL schemes, etc., defined by the spec. Resolution: Agreed.D.58 lc-82-iana Type: change [87] reuterj@ira.uka.de (2000-02-22): Section 18: Just reference [WebDAV] and say this protocol does not introduce any new considerations.Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society.