| Network Working Group | C. Lilley |
| Internet-Draft | W3C |
| Obsoletes: 3023 (if approved) | M. Murata |
| Updates: 4288, 4289, 6839 (if approved) | International University of Japan |
| Intended status: Standards Track | A. Melnikov |
| Expires: November 29, 2013 | Isode Ltd. |
| H. S. Thompson | |
| University of Edinburgh | |
| May 28, 2013 |
XML Media Types
draft-ietf-appsawg-xml-mediatypes-01
This specification standardizes three media types -- application/xml, application/xml-external-parsed-entity, and application/xml-dtd -- for use in exchanging network entities that are related to the Extensible Markup Language (XML) while defining text/xml and text/xml-external-parsed-entity as aliases for the respective application/ types. This specification also standardizes a convention (using the suffix '+xml') for naming media types outside of these five types when those media types represent XML MIME entities.
Major differences from [RFC3023] are alignment of charset handling for text/xml and text/xml-external-parsed-entity with application/xml, the addition of XPointer and XML Base as fragment identifiers and base URIs, respectively, mention of the XPointer Registry, and updating of many references.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 29, 2013.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The World Wide Web Consortium has issued the Extensible Markup Language (XML) 1.0 [XML]
Section 8. This will allow generic XML-based tools -- browsers, editors, search engines, and other processors -- to work with all XML-based media types.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in [RFC2119].
As defined in [RFC2781] (informative), the three charsets "utf-16", "utf-16le", and "utf-16be" are used to label UTF-16 text. In this specification, "the UTF-16 family" refers to those three charsets. By contrast, the phrases "utf-16" or UTF-16 in this specification refer specifically to the single charset "utf-16".
As sometimes happens between two communities, both MIME and XML have defined the term entity, with different meanings. Section 2.4 of [RFC2045] says:
Section 4 of [XML] says:
In this specification, "XML MIME entity" is defined as the latter (an XML entity) encapsulated in the former (a MIME entity).
This specification standardizes three media types related to XML MIME entities: application/xml (with text/xml as an alias), application/xml-external-parsed-entity (with text/xml-external-parsed-entity as an alias), and application/xml-dtd. Registration information for these media types is described in the sections below.
Within the XML specification, XML MIME entities can be classified into four types. In the XML terminology, they are called "document entities", "external DTD subsets", "external parsed entities", and "external parameter entities".
Neither external DTD subsets nor external parameter entities parse as XML documents, and while some XML document entities may be used as external parsed entities and vice versa, there are many cases where the two are not interchangeable. XML also has unparsed entities, internal parsed entities, and internal parameter entities, but they are not XML MIME entities.
Application/xml and application/xml-external-parsed-entity are recommended. Compared to [RFC2376] or [RFC3023], this specification alters the charset handling of text/xml and text/xml-external-parsed-entity, treating them no differently from the respective application/ types. The reasons are as follows:
XML provides a general framework for defining sequences of structured data. In some cases, it may be desirable to define new media types that use XML but define a specific application of XML, perhaps due to domain-specific display, editing, security considerations or runtime information. Furthermore, such media types may allow UTF-8 or UTF-16 only and prohibit other charsets. This specification does not prohibit such media types and in fact expects them to proliferate. However, developers of such media types are STRONGLY RECOMMENDED to use this specification as a basis for their registration. In particular, the charset parameter, if used, MUST agree with the
An XML document labeled as application/xml or text/xml, or with a +xml media type, might contain namespace declarations, stylesheet-linking processing instructions (PIs), schema information, or other declarations that might be used to suggest how the document is to be processed. For example, a document might have the XHTML namespace and a reference to a CSS stylesheet. Such a document might be handled by applications that would use this information to dispatch the document for appropriate processing.
text/xml is an alias for application/xml, as defined in Section 3.1 above.
text/xml-external-parsed-entity is an alias for application/xml-external-parsed-entity, as defined in Section 3.3 above.
The charset parameter MUST only be used, when the charset is reliably known and agrees with the
"utf-8" [RFC3629] and "utf-16" [RFC2781] are the recommended values, representing the UTF-8 and UTF-16 charsets, respectively. These charsets are preferred since they are supported by all conforming processors of [XML].
If an[XML] that directly address this contingency. However, MIME processors that are not XML processors SHOULD NOT assume a default charset if the charset parameter is omitted from
Since a receiving application can, with very high reliability, determine the encoding of an XML document by reading it, the
There are several reasons that the charset parameter is optionally allowed. First, recent web servers have been improved so that users can specify the charset parameter. Second, [RFC2130] (informative) specifies that the recommended specification scheme is the "charset" parameter.
On the other hand, it has been argued that the charset parameter should be omitted and the mechanism described in Appendix F of [XML] (which is non-normative) should be solely relied on. This approach would allow users to avoid configuration of the charset parameter; an XML document stored in a file is likely to contain a correct encoding declaration or BOM (if necessary), since the operating system does not typically provide charset information for files. If users would like to rely on the
Section 4.3.3 of [XML] specifies that XML MIME entities in the charset "utf-16" MUST begin with a byte order mark (BOM), which is a hexadecimal octet sequence 0xFE 0xFF (or 0xFF 0xFE, depending on endian). The XML Recommendation further states that the BOM is an encoding signature, and is not part of either the markup or the character data of the XML document.
Due to the presence of the BOM, applications that convert XML from "utf-16" to a non-Unicode encoding MUST strip the BOM before conversion. Similarly, when converting from another encoding into "utf-16", the BOM MUST be added after conversion is complete.
In addition to the charset "utf-16", [RFC2781] introduces "utf-16le" (little endian) and "utf-16be" (big endian) as well. The BOM is prohibited for these charsets. When an XML MIME entity is encoded in "utf-16le" or "utf-16be", it MUST NOT begin with the BOM but SHOULD contain an
Uniform Resource Identifiers (URIs) may contain fragment identifiers (see Section 3.5 of [RFC3986]). Likewise, Internationalized Resource Identifiers (IRIs) [RFC3987] may contain fragment identifiers.
The syntax and semantics of fragment identifiers for the XML media types defined in this specification are based on the [XPointerFramework] W3C Recommendation. It allows simple names, and more complex constructions based on named schemes. When the syntax of a fragment identifier part of any URI or IRI with a retrieved media type governed by this specification conforms to the syntax specified in [XPointerFramework], conformant applications MUST [XPointerFramework] and whatever other specifications define any XPointer schemes used. Conformant applications MUST support the 'element' scheme as defined in [XPointerElement], but need not support other schemes.
If an XPointer error is reported in the attempt to process the part, this specification does not define an interpretation for the part.
A registry of XPointer schemes [XPtrReg] is maintained at the W3C.
See Section 8.1 for additional rquirements which apply when an XML-based MIME media type follows the naming convention '+xml'.
If [XPointerFramework] and [XPointerElement] are inappropriate for some XML-based media type, it SHOULD NOT follow the naming convention '+xml'.
When a URI has a fragment identifier, it is encoded by a limited subset of the repertoire of US-ASCII [ASCII] characters, as defined in [RFC3986]. When an IRI contains a fragment identifier, it is encoded by a much wider repertoire of characters. The conversion between IRI fragment identifiers and URI fragment identifiers is presented in Section 7 of [RFC3987].
Section 5.1 of [RFC3986] specifies that the semantics of a relative URI reference embedded in a MIME entity is dependent on the base URI. The base URI is either (1) the base URI embedded in context, (2) the base URI from the encapsulating entity, (3) the base URI from the Retrieval URI, or (4) the default base URI, where (1) has the highest precedence. [RFC3986] further specifies that the mechanism for embedding the base URI is dependent on the media type.
The media type dependent mechanism for embedding the base URI in a MIME entity of type application/xml, text/xml, application/xml-external-parsed-entity or text/xml-external-parsed-entity is to use the xml:base attribute described in detail in [XBase].
Note that the base URI may be embedded in a different MIME entity, since the default value for the xml:base attribute may be specified in an external DTD subset or external parameter entity.
application/xml, application/xml-external-parsed-entity, and application/xml-dtd, text/xml and text/xml-external-parsed-entity are to be used with [XML] In all examples herein where version="1.0" is shown, it is understood that version="1.1" may also be used, providing the content does indeed conform to [XML1.1].
The normative requirement of this specification upon XML is to follow the requirements of [XML], section 4.3.3. Except for minor clarifications, that section is substantially identical from the first edition to the current (5th) edition of XML 1.0, and for XML 1.1. Therefore, this specification may be used with any version or edition of XML 1.0 or 1.1.
Specifications and recommendations based on or referring to this RFC SHOULD indicate any limitations on the particular versions of XML to be used. For example, a particular specification might indicate: "content MUST be represented using media-type application/xml, and the document must either (a) carry an xml declaration specifying version="1.0" or (b) omit the XML declaration, in which case per the XML recommendation the version defaults to 1.0"
This specification recommends the use of a naming convention (a suffix of '+xml') for identifying XML-based MIME media types, whatever their particular content may represent
When a new media type is introduced for an XML-based format, the name of the media type SHOULD end with '+xml'. This convention will allow applications that can process XML generically to detect that the MIME entity is supposed to be an XML document, verify this assumption by invoking some XML processor, and then process the XML document accordingly. Applications may match for types that represent XML MIME entities by comparing the subtype to the pattern '*/*+xml'. (Of course, 4 of the 5 media types defined in this specification -- text/xml, application/xml, text/xml-external-parsed-entity, and application/xml-external-parsed-entity -- also represent XML MIME entities while not conforming to the '*/*+xml' pattern.)
Media types following the naming convention '+xml' SHOULD introduce the charset parameter for consistency, since XML-generic processing applies the same program for any such media type. However, there are some cases that the charset parameter need not be introduced. For example:
XML generic processing is not always appropriate for XML-based media types. For example, authors of some such media types may wish that the types remain entirely opaque except to applications that are specifically designed to deal with that media type. By NOT following the naming convention '+xml', such media types can avoid XML-generic processing. Since generic processing will be useful in many cases, however -- including in some situations that are difficult to predict ahead of time -- those registering media types SHOULD use the '+xml' convention unless they have a particularly compelling reason not to.
HST: What do we do about the registration of +xml in RFC6839? I think we need to reproduce it with appropriate changes, as it currently references 3023, and can be simplified/clarified by including it here. . .
Registrations for new XML-based media types under top-level types SHOULD, in specifying the charset parameter and encoding considerations, define them as: "Same as [charset parameter / encoding considerations] of application/xml as specified in RFC XXXX."
The use of the charset parameter is STRONGLY RECOMMENDED, since this information can be used by XML processors to determine authoritatively the charset of the XML MIME entity. If there are some reasons not to follow this advice, they SHOULD be included as part of the registration. As shown above, two such reasons are "UTF-8 only" or "UTF-8 or UTF-16 only".
These registrations SHOULD specify that the XML-based media type being registered has all of the security considerations described in RFC XXXX plus any additional considerations specific to that media type.
These registrations SHOULD also make reference to RFC XXXX in specifying magic numbers, base URIs, and use of the BOM.
When these registrations use the '+xml' convention, they MUST also make reference to RFC XXXX in specifying fragment identifier syntax and semantics, and they MAY restrict the syntax to a specified subset of schemes, except that they MUST NOT disallow barenames or 'element' scheme pointers. They MAY further require support for other registered schemes. They also MAY add additional syntax (which MUST NOT overlap with [XPointerFramework] syntax) together with associated semantics, and MAY add additional semantics for barename XPointers which, as provided for in Section 5, will only apply when this specification does not define an interpretation.
These registrations MAY reference the application/xml registration in RFC XXXX in specifying interoperability considerations, if these considerations are not overridden by issues specific to that media type.
The examples below give the value of the MIME Content-type header and the XML declaration (which includes the encoding declaration) inside the XML MIME entity. For UTF-16 examples, the Byte Order Mark character is denoted as "{BOM}", and the XML declaration is assumed to come at the beginning of the XML MIME entity, immediately following the BOM. Note that other MIME headers may be present, and the XML MIME entity may contain other data in addition to the XML declaration; the examples focus on the Content-type header and the encoding declaration for clarity.
Content-type: application/xml or text/xml
<?xml version="1.0" encoding="iso-8859-1"?>
Since the charset parameter is not provided in the Content-Type header, XML processors MUST treat the "iso-8859-1" encoding as authoritative. XML-unaware MIME processors SHOULD make no assumptions about the charset of the XML MIME entity.
Content-type: application/xml or text/xml
{BOM}<?xml version="1.0" encoding="utf-16"?>
or
{BOM}<?xml version="1.0"?>
This example shows a 16-bit MIME entity with no charset parameter. Since the charset parameter is not provided in the Content-Type header, in this case XML processors MUST treat the "utf-16" encoding and/or the BOM as authoritative. XML-unaware MIME processors SHOULD make no assumptions about the charset of the XML MIME entity.
Omitting the charset parameter is NOT RECOMMENDED for application/xml when used with transports other than HTTP or HTTPS---text/xml SHOULD NOT be used for 16-bit MIME with transports other than HTTP or HTTPS (see. Section 9.5).
Content-type: application/xml or text/xml; charset="utf-8"
<?xml version="1.0" encoding="utf-8"?>
This is the recommended encoding for use with all the media types defined in this specification. Since the charset parameter is provided, both MIME and XML processors MUST treat the enclosed entity as UTF-8 encoded.
If sent using a 7-bit transport (e.g. SMTP [RFC5321]), the XML MIME entity MUST use a content-transfer-encoding of either quoted-printable or base64. For an 8-bit clean transport (e.g., 8BITMIME ESMTP or NNTP), or a binary clean transport (e.g., HTTP), no content-transfer-encoding is necessary.
Content-type: application/xml; charset="utf-16"
{BOM}<?xml version="1.0" encoding="utf-16"?>
or
{BOM}<?xml version="1.0"?>
If sent using a 7-bit transport (e.g., SMTP) or an 8-bit clean transport (e.g., 8BITMIME ESMTP or NNTP), the XML MIME entity MUST be encoded in quoted-printable or base64. For a binary clean transport (e.g., HTTP), no content-transfer-encoding is necessary.
Content-type: text/xml; charset="utf-16"
{BOM}<?xml version='1.0' encoding='utf-16'?>
or
{BOM}<?xml version='1.0'?>
This is possible only when the XML MIME entity is transmitted via HTTP or HTTPS, which use a MIME-like mechanism and are binary-clean protocols, hence do not perform CR and LF transformations and allow NUL octets. As described in [RFC2781], the UTF-16 family MUST NOT be used with media types under the top-level type "text" except over HTTP or HTTPS (see section 19.4.1 of [RFC2616] for details).
Since HTTP is binary clean, no content-transfer-encoding is necessary.
Content-type: application/xml; charset="utf-16be"
<?xml version='1.0' encoding='utf-16be'?>
Observe that the BOM does not exist. Since the charset parameter is provided, MIME and XML processors MUST treat the enclosed entity as UTF-16BE encoded.
Content-type: text/xml; charset="utf-16be"
<?xml version='1.0' encoding='utf-16be'?>
Observe that the BOM does not exist. As for UTF-16, this is possible only when the XML MIME entity is transmitted via HTTP.
Content-type: application/xml; charset="iso-2022-kr"
<?xml version="1.0" encoding="iso-2022-kr"?>
This example shows the use of a Korean charset (e.g., Hangul) encoded following the specification in [RFC1557]. Since the charset parameter is provided, MIME processors MUST treat the enclosed entity as encoded per RFC 1557. Since the XML MIME entity has an internal encoding declaration (this example does show such a declaration, which agrees with the charset parameter) XML processors MUST also treat the enclosed entity as encoded per RFC 1557. Thus, interoperability is assured.
Since ISO-2022-KR has been defined to use only 7 bits of data, no content-transfer-encoding is necessary with any transport.
Content-type: application/xml or text/xml
<?xml version='1.0'?>
In this example, the charset parameter has been omitted, the is no internal encoding declaration, and there is no BOM. Since there is no BOM, the XML processor follows the requirements in section 4.3.3, and optionally applies the mechanism described in Appendix F (which is non-normative) of [XML] to determine the charset encoding of UTF-8. Although the XML MIME entity does not contain an encoding declaration, the encoding actually is UTF-8, so this is still a conforming XML MIME entity.
An XML-unaware MIME processor SHOULD make no assumptions about the charset of the XML MIME entity.
Content-type: application/xml or text/xml
<?xml version='1.0' encoding="iso-10646-ucs-4"?>
In this example, the charset parameter has been omitted, and there is no BOM. However, the XML MIME entity does have an encoding declaration inside the XML MIME entity that specifies the entity's charset. Following the requirements in section 4.3.3, and optionally applying the mechanism described in Appendix F (non-normative) of [XML], the XML processor determines the charset encoding of the XML MIME entity (in this example, UCS-4).
An XML-unaware MIME processor SHOULD make no assumptions about the charset of the XML MIME entity.
Content-type: text/xml-external-parsed-entity or application/xml-external-parsed-entity; charset="utf-8"
<?xml encoding="utf-8"?>
Since the charset parameter is provided, MIME and XML processors MUST treat the enclosed entity as UTF-8 encoded.
If sent using a 7-bit transport (e.g. SMTP), the XML MIME entity MUST use a content-transfer-encoding of either quoted-printable or base64. For an 8-bit clean transport (e.g., 8BITMIME ESMTP or NNTP), or a binary clean transport (e.g., HTTP) no content-transfer-encoding is necessary.
Content-type: application/xml-external-parsed-entity; charset="utf-16"
{BOM}<?xml encoding="utf-16"?>
or
{BOM}<?xml?>
Since the charset parameter is provided, MIME and XML processors MUST treat the enclosed entity as UTF-16 encoded.
If sent using a 7-bit transport (e.g., SMTP) or an 8-bit clean transport (e.g., 8BITMIME ESMTP or NNTP), the XML MIME entity MUST be encoded in quoted-printable or base64. For a binary clean transport (e.g., HTTP), no content-transfer-encoding is necessary.
Content-type: application/xml-external-parsed-entity; charset="utf-16be"
<?xml encoding="utf-16be"?>
Since the charset parameter is provided, MIME and XML processors MUST treat the enclosed entity as UTF-16BE encoded.
Content-type: application/xml-dtd; charset="utf-8"
<?xml encoding="utf-8"?>
Charset "utf-8" is a recommended charset value for use with application/xml-dtd. Since the charset parameter is provided, MIME and XML processors MUST treat the enclosed entity as UTF-8 encoded.
Content-type: application/mathml+xml
<?xml version="1.0" ?>
MathML documents are XML documents whose content describes mathematical information, as defined by [MathML]. As a format based on XML, MathML documents SHOULD follow the '+xml' suffix convention and use 'mathml+xml' in their MIME content-type identifier.This media type has been registered at IANA and is fully defined in [MathML].
Content-type: application/xslt+xml
<?xml version="1.0" ?>
Extensible Stylesheet Language (XSLT) documents are XML documents whose content describes stylesheets for other XML documents, as defined by [XSLT]. As a format based on XML, XSLT documents SHOULD follow the '+xml' suffix convention and use 'xslt+xml' in their MIME content-type identifier.This media type has been registered at IANA and is fully defined in [XSLT].
Content-type: application/rdf+xml
<?xml version="1.0" ?>
Resources identified using the application/rdf+xml media type are XML documents whose content describe RDF metadata. This media type has been registered at IANA and is fully defined in [RFC3870].
Content-type: image/svg+xml
<?xml version="1.0" ?>
Scalable Vector Graphics (SVG) documents are XML documents whose content describes graphical information, as defined by [SVG]. As a format based on XML, SVG documents SHOULD follow the '+xml' suffix convention and use 'svg+xml' in their MIME content-type identifier.The image/svg+xml media type has been registered at IANA and is fully defined in [SVG]. .
Content-type: model/x3d+xml
<?xml version="1.0" ?>
X3D is derived from VRML and is used for 3D models. Besides the XML representation, it may also be serialised in classic VRML syntax and using a fast infoset. Separate, but clearly related media types are used for these serialisations (model/x3d+vrml and model/x3d+fastinfoset respectively).
Content-type: text/xml; charset="utf-8"
<?xml version="1.0" encoding="iso-8859-1"?>
Since the charset parameter is provided in the Content-Type header and differs from the XML encoding declaration , MIME and XML processors will not interoperate. MIME processors will treat the enclosed entity as UTF-8 encoded. That is, the "iso-8859-1" encoding will be be ignored. XML processors on the other hand will ignore the charset parameter and treat the XML entity as encoded in iso-8859-1.
Processors generating XML MIME entities MUST NOT label conflicting charset information between the MIME Content-Type and the XML declaration. In particular, the addition of an explicit, site-wide charset without inspecting the XML
Content-type: application/soap+xml
<?xml version="1.0" ?>
Resources identified using the application/soap+xml media type are SOAP 1.2 message envelopes that have been serialized with XML 1.0. This media type has been registered at IANA and is fully defined in [RFC3902].
As described in Section 8, this specification updates the
In general, any information stored outside of the direct control of the user -- including CSS style sheets, XSL transformations,
The XHTML 1.0 [XHTML], for instance, are likely to be a commonly used set of information. Many developers will use and trust them, few of whom will know much about the level of security on the W3C's servers, or on any similarly trusted repository.
The simplest attack involves adding declarations that break validation. Adding extraneous declarations to a list of character
Apart from the structural possibilities, another option, "
Security considerations will vary by domain of use. For example, XML medical records will have much more stringent privacy and security considerations than XML library metadata. Similarly, use of XML as a parameter marshalling syntax necessitates a case by case security review.
XML may also have some of the same security concerns as plain text. Like plain text, XML can contain escape sequences that, when displayed, have the potential to change the display processor environment in ways that adversely affect subsequent operations. Possible effects include, but are not limited to, locking the keyboard, changing display parameters so subsequent displayed text is unreadable, or even changing display parameters to deliberately obscure or distort subsequent displayed material so that its meaning is lost or altered. Display processors SHOULD either filter such material from displayed text or else make sure to reset all important settings after a given display operation is complete.
Some terminal devices have keys whose output, when pressed, can be changed by sending the display processor a character sequence. If this is possible the display of a text object containing such character sequences could reprogram keys to perform some illicit or dangerous action when the key is subsequently pressed by the user. In some cases not only can keys be programmed, they can be triggered remotely, making it possible for a text display operation to directly perform some unwanted action. As such, the ability to program keys SHOULD be blocked either by filtering or by disabling the ability to program keys entirely.
Note that it is also possible to construct XML documents that make use of what XML terms "[[XML] and XML processors are required to detect them. However, even non-recursive expansions may cause problems with the finite computing resources of computers, if they are performed many times. (
There are numerous and significant differences between this specification and [RFC3023], which it obsoletes. This appendix summarizes the major differences only.
First, XPointer ([XPointerFramework] and [XPointerElement] has been added as fragment identifier syntax for "application/xml", and the XPointer Registry ([XPtrReg]) mentioned. Second, [XBase] has been added as a mechanism for specifying base URIs. Third, the language regarding charsets was updated to correspond to the W3C TAG finding Internet Media Type registration, consistency of use [TAGMIME]. Fourth, many references are updated
This specification reflects the input of numerous participants to the ietf-xml-mime@imc.org mailing list, though any errors are the responsibility of the authors. Special thanks to:
Mark Baker, James Clark, Dan Connolly, Martin Duerst, Ned Freed, Yaron Goland, Rick Jelliffe, Larry Masinter, David Megginson, Keith Moore, Chris Newman, Gavin Nicol, Marshall Rose, Jim Whitehead and participants of the XML activity and the TAG at the W3C.
Jim Whitehead and Simon St.Laurent are editors of [RFC2376] and [RFC3023], respectively.