Internet-Draft The HTTP QUERY Method July 2022
Reschke, et al. Expires 5 January 2023 [Page]
Workgroup:
HTTP
Published:
Intended Status:
Standards Track
Expires:
Authors:
J. Reschke
greenbytes
A. Malhotra
J.M. Snell

The HTTP QUERY Method

Abstract

This specification defines a new HTTP method, QUERY, as a safe, idempotent request method that can carry request content.

Editorial Note

This note is to be removed before publishing as an RFC.

Discussion of this draft takes place on the HTTP working group mailing list (ietf-http-wg@w3.org), which is archived at https://lists.w3.org/Archives/Public/ietf-http-wg/.

Working Group information can be found at https://httpwg.org/; source code and issues list for this draft can be found at https://github.com/httpwg/http-extensions/labels/safe-method-w-body.

The changes in this draft are summarized in Appendix A.3.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 5 January 2023.

1. Introduction

This specification defines the HTTP QUERY request method as a means of making a safe, idempotent request that contains content.

Most often, this is desirable when the data conveyed in a request is too voluminous to be encoded into the request's URI. For example, while this is an common and interoperable query:

GET /feed?q=foo&limit=10&sort=-published HTTP/1.1
Host: example.org

if the query parameters extend to several kilobytes or more of data it may not be, because many implementations place limits on their size. Often these limits are not known or discoverable ahead of time, because a request can pass through many uncoordinated systems. Additionally, expressing some data in the target URI is inefficient, because it needs to be encoded to be a valid URI.

Encoding query parameters directly into the request URI also effectively casts every possible combination of query inputs as distinct resources. Depending on the application, that may not be desirable.

As an alternative to using GET, many implementations make use of the HTTP POST method to perform queries, as illustrated in the example below. In this case, the input parameters to the search operation are passed along within the request content as opposed to using the request URI.

A typical use of HTTP POST for requesting a search

POST /feed HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded

q=foo&limit=10&sort=-published

This variation, however, suffers from the same basic limitation as GET in that it is not readily apparent -- absent specific knowledge of the resource and server to which the request is being sent -- that a safe, idempotent query is being performed.

The QUERY method provides a solution that spans the gap between the use of GET and POST. As with POST, the input to the query operation is passed along within the content of the request rather than as part of the request URI. Unlike POST, however, the method is explicitly safe and idempotent, allowing functions like caching and automatic retries to operate.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. The "Accept-Query" Header Field

The "Accept-Query" response header field MAY be used by a server to directly signal support for the QUERY method while identifying the specific query format media type(s) that may be used.

Accept-Query = 1#media-type

The Accept-Query header field specifies a comma-separated listing of media types (with optional parameters) as defined by Section 8.3.1 of [HTTP].

The order of types listed by the Accept-Query header field is not significant.

4. Examples

The non-normative examples in this section make use of a simple, hypothetical plain-text based query syntax based on SQL with results returned as comma-separated values. This is done for illustration purposes only. Implementations are free to use any format they wish on both the request and response.

4.1. Simple QUERY with a Direct Response

A simple query with a direct response:

QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: example/query
Accept: text/csv

select surname, givenname, email limit 10

Response:

HTTP/1.1 200 OK
Content-Type: text/csv

surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net

4.2. Simple QUERY with indirect response (303 See Other)

A simple query with an Indirect Response (303 See Other):

QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: example/query
Accept: text/csv

select surname, givenname, email limit 10

Response:

HTTP/1.1 303 See Other
Location: http://example.org/contacts/query123

Fetch Query Response:

GET /contacts/query123 HTTP/1.1
Host: example.org

Response:

HTTP/1.1 200 OK
Content-Type: text/csv

surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net

5. Security Considerations

The QUERY method is subject to the same general security considerations as all HTTP methods as described in [HTTP].

6. IANA Considerations

IANA is requested to add QUERY method in the permanent registry at <http://www.iana.org/assignments/http-methods> (see Section 16.1.1 of [HTTP]).

Table 1
Method Name Safe Idempotent Specification
QUERY Yes Yes Section 2

7. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[HTTP]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, , <https://www.rfc-editor.org/rfc/rfc9110>.
[HTTP-CACHING]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Caching", STD 98, RFC 9111, , <https://www.rfc-editor.org/rfc/rfc9111>.

Appendix A. Change Log

This section is to be removed before publishing as an RFC.

A.1. Since draft-ietf-httpbis-safe-method-w-body-00

A.3. Since draft-ietf-httpbis-safe-method-w-body-02

Authors' Addresses

Julian Reschke
greenbytes GmbH
Hafenweg 16
48155 Münster
Germany
Ashok Malhotra
James M Snell