Applications Area Working Group | P. Bryan, Ed. |
Internet-Draft | Salesforce.com |
Intended status: Standards Track | M. Nottingham, Ed. |
Expires: July 24, 2013 | Akamai |
January 20, 2013 |
JSON Patch
draft-ietf-appsawg-json-patch-10
JSON Patch defines a JSON document structure for expressing a sequence of operations to apply to a JavaScript Object Notation (JSON) document, suitable for use with the HTTP PATCH method. The "application/json-patch" media type is used to identify such patch documents.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 24, 2013.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
JavaScript Object Notation (JSON) [RFC4627] is a common format for the exchange and storage of structured data. HTTP PATCH [RFC5789] extends the Hypertext Transfer Protocol (HTTP) [RFC2616] with a method to perform partial modifications to resources.
JSON Patch is a format (identified by the media type "application/json-patch") for expressing a sequence of operations to apply to a target JSON document, suitable for use with the HTTP PATCH method.
This format is also potentially useful in other cases where necessary to make partial updates to a JSON document, or to a data structure that has similar constraints (i.e., they can be serialised as an object or an array using the JSON grammar).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
See Section 5 for information about handling errors.
A JSON Patch document is a JSON [RFC4627] document that represents an array of objects. Each object represents a single operation to be applied to the target JSON document.
An example JSON Patch document, transferred in a HTTP PATCH request:
PATCH /my/data HTTP/1.1 Host: example.org Content-Length: 326 Content-Type: application/json-patch If-Match: "abc123" [ { "op": "test", "path": "/a/b/c", "value": "foo" }, { "op": "remove", "path": "/a/b/c" }, { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] }, { "op": "replace", "path": "/a/b/c", "value": 42 }, { "op": "move", "from": "/a/b/c", "path": "/a/b/d" }, { "op": "copy", "from": "/a/b/d", "path": "/a/b/e" } ]
Evaluation of a JSON Patch document begins against a target JSON document. Operations are applied sequentially in the order they appear in the array. Each operation in the sequence is applied to the target document; the resulting document becomes the target of the next operation. Evaluation continues until all operations are successfully applied, or an error condition is encountered.
Operation objects MUST have exactly one "op" member, whose value indicates the operation to perform. Its value MUST be one of "add", "remove", "replace", "move", "copy" or "test"; other values are errors. The semantics of each is defined below.
Additionally, operation objects MUST have exactly one "path" member. That member's value is a string containing a [JSON-Pointer] value that references a location within the target document (the "target location") where the operation is performed.
The meanings of other members of operation objects are defined by operation (see the subsections below). Members that are not explicitly defined for the operation in question MUST be ignored (i.e., the operation will complete as if the undefined member did not appear in the object).
Note that the ordering of members in JSON objects is not significant; therefore, the following operation objects are equivalent:
{ "op": "add", "path": "/a/b/c", "value": "foo" } { "path": "/a/b/c", "op": "add", "value": "foo" } { "value": "foo", "path": "/a/b/c", "op": "add" }
Operations are applied to the data structures represented by a JSON document; i.e., after any unescaping (see [RFC4627], Section 2.5) takes place.
The "add" operation performs the following function, depending upon what the target location references:
The operation object MUST contain a "value" member whose content specifies the value to be added.
For example:
{ "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] }
When the operation is applied, the target location MUST reference one of:
Because this operation is designed to add to existing objects and arrays, its target location will often not exist. Although the pointer's error handling algorithm will thus be invoked, this specification defines the error handling behaviour for "add" pointers to ignore that error and add the value as specified.
However, the object itself or an array containing it does need to exist, and it remains an error for that not to be the case. For example, an "add" with a target location of "/a/b" starting with this document:
{ "a": { "foo": 1 } }
is not an error, because "a" exists, and "b" will be added to its value. It is an error in this document:
{ "q": { "bar": 2 } }
because "a" does not exist.
The "remove" operation removes the value at the target location.
The target location MUST exist for the operation to be successful.
For example:
{ "op": "remove", "path": "/a/b/c" }
If removing an element from an array, any elements above the specified index are shifted one position to the left.
The "replace" operation replaces the value at the target location with a new value. The operation object MUST contain a "value" member whose content specifies the replacement value.
The target location MUST exist for the operation to be successful.
For example:
{ "op": "replace", "path": "/a/b/c", "value": 42 }
This operation is functionally identical to a "remove" operation for a value, followed immediately by an "add" operation at the same location with the replacement value.
The "move" operation removes the value at a specified location and adds it to the target location.
The operation object MUST contain a "from" member, a string containing a JSON Pointer value that references the location in the target document to move the value from.
The "from" location MUST exist for the operation to be successful.
For example:
{ "op": "move", "from": "/a/b/c", "path": "/a/b/d" }
This operation is functionally identical to a "remove" operation on the "from" location, followed immediately by an "add" operation at the target location with the value that was just removed.
The "from" location MUST NOT be a proper prefix of the "path" location; i.e., a location cannot be moved into one of its children.
The "copy" operation copies the value at a specified location to the target location.
The operation object MUST contain a "from" member, a string containing a JSON Pointer value that references the location in the target document to copy the value from.
The "from" location MUST exist for the operation to be successful.
For example:
{ "op": "copy", "from": "/a/b/c", "path": "/a/b/e" }
This operation is functionally identical to an "add" operation at the target location using the value specified in the "from" member.
The "test" operation tests that a value at the target location is equal to a specified value.
The operation object MUST contain a "value" member that conveys the value to be compared to that at the target location.
The target location MUST be equal to the "value" value for the operation to be considered successful.
Here, "equal" means that the value at the target location and that conveyed by "value" are of the same JSON type, and considered equal by the following rules for that type:
Note that this is a logical comparison; e.g., whitespace between the member values of an array is not significant.
Also, note that ordering of the serialisation of object members is not significant.
For example:
{ "op": "test", "path": "/a/b/c", "value": "foo" }
If a normative requirement is violated by a JSON Patch document, or if an operation is not successful, evaluation of the JSON Patch document SHOULD terminate and application of the entire patch document SHALL NOT be deemed successful.
See [RFC5789], Section 2.2 for considerations regarding handling errors when JSON Patch is used with the HTTP PATCH method, including suggested status codes to use to indicate various conditions.
Note that the HTTP PATCH method is atomic, as per [RFC5789]. Therefore, the following patch would result in no changes being made to the document at all (because the "test" operation results in an error).
[ { "op": "replace", "path": "/a/b/c", "value": 42 }, { "op": "test", "path": "/a/b/c", "value": "C" } ]
The Internet media type for a JSON Patch document is application/json-patch.
This specification has the same security considerations as JSON [RFC4627] and [JSON-Pointer].
A few older Web browsers can be coerced into loading an arbitrary JSON document whose root is an array, leading to a situation where a JSON Patch document containing sensitive information could be exposed to attackers, even if access is authenticated. This is known as a Cross-Site Request Forgery (CSRF) attack [CSRF].
However, such browsers are not widely used ( estimated to comprise less than 1% of the market, at the time of writing). Publishers who are nevertheless concerned about this attack are advised to avoid making such documents available with HTTP GET.
The following individuals contributed ideas, feedback and wording to this specification:
The structure of a JSON Patch document was influenced by the XML Patch document [RFC5261] specification.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC4627] | Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, July 2006. |
[JSON-Pointer] | Bryan, P., Zyp, K. and M. Nottingham, "JSON Pointer", Internet-Draft draft-ietf-appsawg-json-pointer-07, November 2012. |
[RFC2616] | Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. |
[RFC5261] | Urpalainen, J., "An Extensible Markup Language (XML) Patch Operations Framework Utilizing XML Path Language (XPath) Selectors", RFC 5261, September 2008. |
[RFC5789] | Dusseault, L. and J. Snell, "PATCH Method for HTTP", RFC 5789, March 2010. |
[CSRF] | Barth, A., Jackson, C. and J Mitchell, "Robust Defenses for Cross-Site Request Forgery", |
An example target JSON document:
{ "foo": "bar"}
A JSON Patch document:
[ { "op": "add", "path": "/baz", "value": "qux" } ]
The resulting JSON document:
{ "baz": "qux", "foo": "bar" }
An example target JSON document:
{ "foo": [ "bar", "baz" ] }
A JSON Patch document:
[ { "op": "add", "path": "/foo/1", "value": "qux" } ]
The resulting JSON document:
{ "foo": [ "bar", "qux", "baz" ] }
An example target JSON document:
{ "baz": "qux", "foo": "bar" }
A JSON Patch document:
[ { "op": "remove", "path": "/baz" } ]
The resulting JSON document:
{ "foo": "bar" }
An example target JSON document:
{ "foo": [ "bar", "qux", "baz" ] }
A JSON Patch document:
[ { "op": "remove", "path": "/foo/1" } ]
The resulting JSON document:
{ "foo": [ "bar", "baz" ] }
An example target JSON document:
{ "baz": "qux", "foo": "bar" }
A JSON Patch document:
[ { "op": "replace", "path": "/baz", "value": "boo" } ]
The resulting JSON document:
{ "baz": "boo", "foo": "bar" }
An example target JSON document:
{ "foo": { "bar": "baz", "waldo": "fred" }, "qux": { "corge": "grault" } }
A JSON Patch document:
[ { "op": "move", "from": "/foo/waldo", "path": "/qux/thud" } ]
The resulting JSON document:
{ "foo": { "bar": "baz" }, "qux": { "corge": "grault", "thud": "fred" } }
An example target JSON document:
{ "foo": [ "all", "grass", "cows", "eat" ] }
A JSON Patch document:
[ { "op": "move", "from": "/foo/1", "path": "/foo/3" } ]
The resulting JSON document:
{ "foo": [ "all", "cows", "eat", "grass" ] }
An example target JSON document:
{ "baz": "qux", "foo": [ "a", 2, "c" ] }
A JSON Patch document that will result in successful evaluation:
[ { "op": "test", "path": "/baz", "value": "qux" }, { "op": "test", "path": "/foo/1", "value": 2 } ]
An example target JSON document:
{ "baz": "qux" }
A JSON Patch document that will result in an error condition:
[ { "op": "test", "path": "/baz", "value": "bar" } ]
An example target JSON document:
{ "foo": "bar" }
A JSON Patch document:
[ { "op": "add", "path": "/child", "value": { "grandchild": { } } } ]
The resulting JSON document:
{ "foo": "bar", "child": { "grandchild": { } } }
An example target JSON document:
{ "foo": "bar" }
A JSON Patch document:
[ { "op": "add", "path": "/baz", "value": "qux", "xyz": 123 } ]
The resulting JSON document:
{ "foo": "bar", "baz": "qux" }
An example target JSON document:
{ "foo": "bar" }
A JSON Patch document:
[ { "op": "add", "path": "/baz/bat", "value": "qux" } ]
This JSON Patch document, applied to the target JSON document above, would result in an error (therefore not being applied) because the "add" operation's target location that references neither the root of the document, nor a member of an existing object, nor a member of an existing array.
A JSON Patch document:
[ { "op": "add", "path": "/baz", "value": "qux", "op": "remove" } ]
This JSON Patch document cannot be treated as an "add" operation since there is a later "op":"remove" element. JSON requires that object member names be unique with a "SHOULD" requirement, and there is no standard error handling for duplicates.
An example target JSON document:
{ "/": 9, "~1": 10 }
A JSON Patch document:
[ {"op": "test", "path": "/~01", "value": 10} ]
The resulting JSON document:
{ "/": 9, "~1": 10 }
An example target JSON document:
{ "/": 9, "~1": 10 }
A JSON Patch document:
[ {"op": "test", "path": "/~01", "value": "10"} ]
This results in an error, because the test fails; the document value is numeric, whereas the value tested for is a string.
An example target JSON document:
{ "foo": ["bar"] }
A JSON Patch document:
[ { "op": "add", "path": "/foo/-", "value": ["abc", "def"] } ]
The resulting JSON document:
{ "foo": ["bar", ["abc", "def"]] }