Internet DRAFT - draft-brown-device-stock-ua
draft-brown-device-stock-ua
Network Working Group T. Brown
Internet-Draft Opera Software
Intended status: Standards Track R. Cremin
Expires: April 19, 2013 Afilias Technologies Limited
October 16, 2012
Device-Stock-UA HTTP Extension
draft-brown-device-stock-ua-00
Abstract
This document standardizes an HTTP extension header field that allows
third-party HTTP clients and embeddable HTTP client components to
include the user agent string of the HTTP-client that is bundled with
the device operating system.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 19, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Brown & Cremin Expires April 19, 2013 [Page 1]
Internet-Draft Device-Stock-UA HTTP Extension October 2012
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3
3. Syntax Notations . . . . . . . . . . . . . . . . . . . . . . . 4
4. Device-Stock-UA . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Use of Device-Stock-UA Header Field . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5
9. Normative references . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6
Brown & Cremin Expires April 19, 2013 [Page 2]
Internet-Draft Device-Stock-UA HTTP Extension October 2012
1. Introduction
An optional header field, User-Agent was originally defined by
Hypertext Transfer Protocol RFC 1945 (since superseded by [RFC2616]).
Its intent was to enable statistical tracking, allow tracing of
protocol violations, and provide a means for tailoring responses
based on HTTP user agent limitations, quirks, and capabilities.
Application developers have long used the user agent string to infer
user agent capability. Increasingly, developers are relying on the
user agent string to infer the capabilities of the hardware,
firmware, and operating system on which the user agent runs. For
example, the user agent string is sometimes used to infer the display
size or whether the user agent allows access to the device file
system. In some cases, the user agent string is used to infer which
other software may be running in addition to the user agent, such as
a bundled media player or mapping service.
This works as follows: when the HTTP client includes a User-Agent
header field, the value of the header field is compared to a
datastore of stock or native user agent strings and known
capabilities of the device on which it is known to run. Responses
are then tailored based on the results supplied by this datastore.
Such content negotiation assumes a one-to-one relationship between
the value of the User-Agent header field and a device. However, many
HTTP clients do not have such a relationship -- third-party web
browsers that run on top of device operating system software, for
example.
To compensate for this, some third-party clients include an
additional, non-standardized header field. The value of this header
field is set to the user agent string of the device's native client.
In practice, several different non-standard header fields are in use,
for example: X-OperaMini-Phone-UA, used by Opera Software ASA;
X-Device-User-Agent; and X-ATT-DeviceId, used by AT&T Inc.
Applications can use such header fields, when available, to serve
content optimized for a particular device, such as a mobile phone,
electronic reader, or tablet computer. This document standardizes
the syntax and semantics for the Device-Stock-UA header field for
this purpose.
2. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
Brown & Cremin Expires April 19, 2013 [Page 3]
Internet-Draft Device-Stock-UA HTTP Extension October 2012
document are to be interpreted as described in [RFC2119].
3. Syntax Notations
This specification uses the Augmented Backus-Naur Form (ABNF)
notation of [RFC5234].
4. Device-Stock-UA
The Device-Stock-UA HTTP header field is an OPTIONAL header field
that, when used, discloses the user agent of the native browser for a
device or operating system. This is for statistical purposes, as
well as to tailor responses to particular user agent or device
constraints.
When the Device-Stock-UA header field is included with a request,
other non-standard header fields that report a user agent string may
be included.
Third-party browsers that use the same user agent string as the
device's default browser SHOULD NOT include the Device-Stock-UA
header field, i.e., its presence indicates the use of something other
than the default browser user-agent string.
If the user agent string for the default browser changes, as with an
operating system update, the Device-Stock-UA header field SHOULD
mirror this change.
The parameter names are case-insensitive. The header field can be
defined in augmented BNF syntax as:
Device-Stock-UA = "Device-Stock-UA" ":" (User-Agent)
User-Agent = <Defined in RFC2616 Section 14.43>
Example:
Device-Stock-UA: CERN-LineMode/2.15 libwww/2.17b3
The user-agent-string should be retrieved from the firmware, matching
that of the HTTP client bundled with the firmware.
Brown & Cremin Expires April 19, 2013 [Page 4]
Internet-Draft Device-Stock-UA HTTP Extension October 2012
5. Use of Device-Stock-UA Header Field
Entities that provide web analytics services SHOULD use the Device-
Stock-UA header field (if present) in addition to the User-Agent
header field in their identification of devices to ensure that
devices are correctly measured.
Content publishers may use the Device-Stock-UA header field (if
present) rather than the User-Agent header field in order to infer
the nature and capabilities of the underlying device rather than, or
in addition to, the capabilities of the browser in question.
Publishers of third-party HTTP-capable clients SHOULD include the
Device-Stock-UA with each HTTP request in order to enable publishers
to recognize the underlying device.
6. Security Considerations
Because the Device-Stock-UA header field includes hardware and
operating system/firmware information, it may help an attacker narrow
the scope of an attack by first targeting client device specific
vulnerabilities.
The value of Device-Stock-UA may not correctly represent the hardware
and software. It can easily be spoofed on the client or modified
between the endpoints.
This header field may reveal more specific information about the user
agent than would otherwise be the case. This information could then
be used for tracking purposes.
7. IANA Considerations
This document specifies the HTTP header field listed below, which
should be added to the permanent HTTP header field registry defined
in [RFC3864].
Header field: Device-Stock-UA Applicable protocol: http/https Status:
standard Author/Change controller: IETF (iesg@ietf.org) Internet
Engineering Task Force Specification document(s): this specification
Related information: none
8. Acknowledgments
Thanks to Andreas Bovens, Hamish Graham, Bruce Lawson, Susan Nichols,
Brown & Cremin Expires April 19, 2013 [Page 5]
Internet-Draft Device-Stock-UA HTTP Extension October 2012
Martin Nilsson, and Andreas Petersson for their feedback.
9. Normative references
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
Procedures for Message Header Fields", BCP 90, RFC 3864,
September 2004.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC6648] Saint-Andre, P., Crocker, D., and M. Nottingham,
"Deprecating the "X-" Prefix and Similar Constructs in
Application Protocols", BCP 178, RFC 6648, June 2012.
Authors' Addresses
Tiffany Brown
Opera Software
Gjerdrums vei 19
OSLO NO-0484
Email: tiffanyb@opera.com
Ronan Cremin
Afilias Technologies Limited
2 La Touche House
Dublin 1
Email: rcremin@afilias.info
Brown & Cremin Expires April 19, 2013 [Page 6]