Internet-Draft The HTTP QUERY Method December 2024
Reschke, et al. Expires 21 June 2025 [Page]
Workgroup:
HTTP
Published:
Intended Status:
Standards Track
Expires:
Authors:
J. Reschke
greenbytes
A. Malhotra
J.M. Snell
M. Bishop
Akamai

The HTTP QUERY Method

Abstract

This specification defines a new HTTP method, QUERY, as a safe, idempotent request method that can carry request content.

Editorial Note

This note is to be removed before publishing as an RFC.

Discussion of this draft takes place on the HTTP working group mailing list (ietf-http-wg@w3.org), which is archived at https://lists.w3.org/Archives/Public/ietf-http-wg/.

Working Group information can be found at https://httpwg.org/; source code and issues list for this draft can be found at https://github.com/httpwg/http-extensions/labels/query-method.

The changes in this draft are summarized in Appendix B.7.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 21 June 2025.

Table of Contents

1. Introduction

This specification defines the HTTP QUERY request method as a means of making a safe, idempotent request that contains content.

Most often, this is desirable when the data conveyed in a request is too voluminous to be encoded into the request's URI. For example, this is a common query pattern:

GET /feed?q=foo&limit=10&sort=-published HTTP/1.1
Host: example.org

However, for a query with parameters that are complex or large in size, encoding it in the request URI may not be the best option because

As an alternative to using GET, many implementations make use of the HTTP POST method to perform queries, as illustrated in the example below. In this case, the input parameters to the query operation are passed along within the request content as opposed to using the request URI.

A typical use of HTTP POST for requesting a query:

POST /feed HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded

q=foo&limit=10&sort=-published

This variation, however, suffers from the same basic limitation as GET in that it is not readily apparent -- absent specific knowledge of the resource and server to which the request is being sent -- that a safe, idempotent query is being performed.

The QUERY method provides a solution that spans the gap between the use of GET and POST, with the example above being expressed as:

QUERY /feed HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded

q=foo&limit=10&sort=-published

As with POST, the input to the query operation is passed along within the content of the request rather than as part of the request URI. Unlike POST, however, the method is explicitly safe and idempotent, allowing functions like caching and automatic retries to operate.

Summarizing:

Table 1
GET QUERY POST
Safe yes yes potentially no
Idempotent yes yes potentially no
Cacheable yes yes no
Content (body) "no defined semantics" expected (semantics per target resource) expected (semantics per target resource)

1.1. Terminology

This document uses terminology defined in Section 3 of [HTTP].

1.2. Notational Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. QUERY

The QUERY method is used to initiate a server-side query. Unlike the HTTP GET method, which requests that a server return a representation of the resource identified by the target URI (as defined by Section 7.1 of [HTTP]), the QUERY method is used to ask the server to perform a query operation (described by the request content) over some set of data scoped to the target URI. The content returned in response to a QUERY cannot be assumed to be a representation of the resource identified by the target URI.

The content of the request defines the query. Implementations MAY use a request content of any media type with the QUERY method, provided that it has appropriate query semantics.

QUERY requests are both safe and idempotent with regards to the resource identified by the request URI. That is, QUERY requests do not alter the state of the targeted resource. However, while processing a QUERY request, a server can be expected to allocate computing and memory resources or even create additional HTTP resources through which the response can be retrieved.

A successful response to a QUERY request is expected to provide some indication as to the final disposition of the operation. For instance, a successful query that yields no results can be represented by a 204 No Content response. If the response includes content, it is expected to describe the results of the operation.

2.1. Content-Location and Location Fields

Furthermore, a successful response can include a Content-Location header field (see Section 8.7 of [HTTP]) containing an identifier for a resource corresponding to the results of the operation. This represents a claim from the server that a client can send a GET request for the indicated URI to retrieve the results of the query operation just performed. The indicated resource might be temporary.

A server MAY create or locate a resource that identifies the query operation for future use. If the server does so, the URI of the resource can be included in the Location header field of the response (see Section 10.2.2 of [HTTP]). This represents a claim that a client can send a GET request to the indicated URI to repeat the query operation just performed without resending the query parameters. This resource might be temporary; if a future request fails, the client can retry using the original QUERY resource and the previously submitted parameters again.

2.2. Redirection

In some cases, the server may choose to respond indirectly to the QUERY request by redirecting the user agent to a different URI (see Section 15.4 of [HTTP]). The semantics of the redirect response do not differ from other methods. For instance, a 303 (See Other) response would indicate that the Location field identifies an alternate URI from which the results can be retrieved using a GET request (this use case is also covered by the use of the Location response field in a 2xx response). On the other hand, response codes 307 (Temporary Redirect) and 308 (Permanent Redirect) can be used to request the user agent to redo the QUERY request on the URI specified by the Location field. Various non-normative examples of successful QUERY responses are illustrated in Appendix A.

2.3. Conditional Requests

A conditional QUERY requests that the selected representation (i.e., the query results, after any content negotiation) be returned in the response only under the circumstances described by the conditional header field(s), as defined in Section 13 of [HTTP].

2.4. Caching

The response to a QUERY method is cacheable; a cache MAY use it to satisfy subsequent QUERY requests as per Section 4 of [HTTP-CACHING]).

The cache key for a query (see Section 2 of [HTTP-CACHING]) MUST incorporate the request content. When doing so, caches SHOULD first normalize request content to remove semantically insignificant differences, thereby improving cache efficiency, by:

  • Removing content encoding(s)
  • Normalizing based upon knowledge of format conventions, as indicated by the any media type suffix in the request's Content-Type field (e.g., "+json")
  • Normalizing based upon knowledge of the semantics of the content itself, as indicated by the request's Content-Type field.

Note that any such normalization is performed solely for the purpose of generating a cache key; it does not change the request itself.

3. The "Accept-Query" Header Field

The "Accept-Query" response header field can be used by a resource to directly signal support for the QUERY method while identifying the specific query format media type(s) that may be used.

"Accept-Query" contains a list of media ranges (Section 12.5.1 of [HTTP]) using "Structured Fields" syntax ([STRUCTURED-FIELDS]). Media ranges are represented by a List Structured Header Field of either Tokens or Strings, containing the media range value without parameters. Parameters, if any, are mapped to Parameters of type String.

The choice of Token vs. String is semantically insignificant. That is, recipients MAY convert Tokens to Strings, but MUST NOT process them differently based on the received type.

Media types do not exactly map to Tokens, for instance they allow a leading digit. In cases like these, the String format needs to be used.

The only supported uses of wildcards are "*/*", which matches any type, or "xxxx/*", which matches any subtype of the indicated type.

The order of types listed in the field value is not significant.

The only allowed format for parameters is String.

Accept-Query's value applies to every URI on the server that shares the same path; in other words, the query component is ignored. If requests to the same resource return different Accept-Query values, the most recently received fresh value (per Section 4.2 of [HTTP-CACHING]) is used.

Example:

Accept-Query: "application/jsonpath", application/sql;charset="UTF-8"

Although the syntax for this field appears to be similar to other fields, such as "Accept" (Section 12.5.1 of [HTTP]), it is a Structured Field and thus MUST be processed as specified in Section 4 of [STRUCTURED-FIELDS].

4. Security Considerations

The QUERY method is subject to the same general security considerations as all HTTP methods as described in [HTTP].

It can be used as an alternative to passing request information in the URI (e.g., in the query section). This is preferred in some cases, as the URI is more likely to be logged or otherwise processed by intermediaries than the request content. If a server creates a temporary resource to represent the results of a QUERY request (e.g., for use in the Location or Content-Location field) and the request contains sensitive information that cannot be logged, then the URI of this resource SHOULD be chosen such that it does not include any sensitive portions of the original request content.

Caches that normalize QUERY content incorrectly or in ways that are significantly different than how the resource processes the content can return the incorrect response if normalization results in a false positive.

A QUERY request from user agents implementing CORS (Cross-Origin Resource Sharing) will require a "preflight" request, as QUERY does not belong to the set of CORS-safelisted methods (see "Methods" in [FETCH]).

5. IANA Considerations

5.1. Registration of QUERY method

IANA is requested to add the QUERY method to the HTTP Method Registry at <http://www.iana.org/assignments/http-methods> (see Section 16.3.1 of [HTTP]).

Table 2
Method Name Safe Idempotent Specification
QUERY Yes Yes Section 2

5.2. Registration of Accept-Query field

IANA is requested to add the Accept-Query field to the HTTP Field Name Registry at <https://www.iana.org/assignments/http-fields> (see Section 16.1.1 of [HTTP]).

Table 3
Field Name Status Structured Type Reference Comments
Accept-Query permanent List Section 3 of this document.

6. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[HTTP]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, , <https://www.rfc-editor.org/rfc/rfc9110>.
[HTTP-CACHING]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Caching", STD 98, RFC 9111, , <https://www.rfc-editor.org/rfc/rfc9111>.
[STRUCTURED-FIELDS]
Nottingham, M. and P-H. Kamp, "Structured Field Values for HTTP", RFC 9651, , <https://www.rfc-editor.org/rfc/rfc9651>.

7. Informative References

[FETCH]
WHATWG, "FETCH", <https://fetch.spec.whatwg.org>.

Appendix A. Examples

The non-normative examples in this section make use of a simple, hypothetical plain-text based query syntax based on SQL with results returned as comma-separated values. This is done for illustration purposes only. Implementations are free to use any format they wish on both the request and response.

A.1. Simple QUERY with a Direct Response

A simple query with a direct response:

QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: application/sql
Accept: text/csv

select surname, givenname, email limit 10

Response:

HTTP/1.1 200 OK
Content-Type: text/csv

surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net

A.2. Simple QUERY with a Direct Response and Location Fields

A simple query with a direct response:

QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: application/sql
Accept: text/csv

select surname, givenname, email limit 10

Response:

HTTP/1.1 200 OK
Content-Type: text/csv
Content-Location: /contacts/responses/42
Location: /contacts/queries/17

surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net

A subsequent GET request on /contacts/responses/42 would return the same response, until the server decides to remove that resource.

A GET request on /contacts/queries/17 however would execute the same query again, and return a fresh result for that query:

GET /contacts/queries/17 HTTP/1.1
Host: example.org
Accept: text/csv

Response:

HTTP/1.1 200 OK
Content-Type: text/csv
Content-Location: /contacts/responses/43

surname, givenname, email
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net

A.3. Simple QUERY with Indirect Response (303 See Other)

A simple query with an Indirect Response (303 See Other):

QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: application/sql
Accept: text/csv

select surname, givenname, email limit 10

Response:

HTTP/1.1 303 See Other
Location: /contacts/query123

Retrieval of the Query Response:

GET /contacts/query123 HTTP/1.1
Host: example.org

Response:

HTTP/1.1 200 OK
Content-Type: text/csv

surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net

A.4. Simple QUERY with Redirect Response (308 Moved Permanently)

A simple query being redirected:

QUERY /contacts HTTP/1.1
Host: example.org
Content-Type: application/sql
Accept: text/csv

select surname, givenname, email limit 10

Response:

HTTP/1.1 308 Moved Permanently
Location: /morecontacts

Redirected request:

QUERY /morecontacts HTTP/1.1
Host: example.org
Content-Type: application/sql
Accept: text/csv

select surname, givenname, email limit 10

Response:

HTTP/1.1 200 OK
Content-Type: text/csv

surname, givenname, email
Smith, John, john.smith@example.org
Jones, Sally, sally.jones@example.com
Dubois, Camille, camille.dubois@example.net

Appendix B. Change Log

This section is to be removed before publishing as an RFC.

B.1. Since draft-ietf-httpbis-safe-method-w-body-00

B.3. Since draft-ietf-httpbis-safe-method-w-body-02

B.5. Since draft-ietf-httpbis-safe-method-w-body-04

B.6. Since draft-ietf-httpbis-safe-method-w-body-05

B.7. Since draft-ietf-httpbis-safe-method-w-body-06

Authors' Addresses

Julian Reschke
greenbytes GmbH
Hafenweg 16
48155 Münster
Germany
Ashok Malhotra
James M Snell
Mike Bishop
Akamai