Per Resource Events Protocol

Editor’s Draft,

More details about this document
This version:
https://cxres.github.io/per-resource-events/protocol
Issue Tracking:
GitHub
Editor:
Rahul Gupta
Author:
Rahul Gupta

Abstract

Per Resource Events is a minimal protocol built on top of HTTP that allows clients to receive notifications directly from any resource of interest in a secure manner.

The Per Resource Events Protocol is predicated on the idea that the most intuitive source for notifications about changes made to a resource is the resource itself.

Status of this document

This section describes the status of this document at the time of its publication.

The information in this document is still subject to change. You are invited to contribute any feedback, comments, or questions you might have.

This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

Conformance

Document Conventions

All of the text of this specification is normative except assertions, diagrams, examples, notes and sections explicitly marked as non-normative as described in [RFC2119].

The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT" and "MAY" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

The above-mentioned key words are used exclusively in the normative parts of this document and appear only in all capitals.

Conformant Algorithms

Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("MUST", "SHOULD", "MAY", etc) used in introducing the algorithm.

Conformance requirements phrased as algorithms or specific steps can be implemented in any manner, so long as the end result is equivalent. In particular, the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant. Implementers are encouraged to optimize.

Compliance with Other Specifications

In general, specifications interact with and rely on a wide variety of other specifications. In certain circumstances, unfortunately, conflicting needs require a specification to violate the requirements of other specifications. This specification denotes such transgressions as a wilful violation and records the reason for that violation. Other specifications that rely on this specification SHOULD do the same.

Specification Category

The Per Resource Events Protocol identifies the following Specification Category to distinguish the types of conformance:

Classes of Products

The Per Resource Events Protocol identifies the following Classes of Products for conforming implementations. These products are referenced throughout this specification.

Resource Server

A resource server that builds on HTTP origin server ([RFC9110] § 3.6 Origin Server) by defining header fields ([RFC9110] § 6.3 Header Fields) and media types ([RFC9110] § 8.3.1 Media Types).

Application Client

An application client that builds on HTTP user Aagent ([RFC9110] § 3.5 User Agents) by defining behaviour in terms of fetching [FETCH] across the platform.

Interoperability

Interoperability occurs between Application Client—Resource Server as defined by the Per Resource Events Protocol.

Application Client—Resource Server Interoperability

Interoperability of implementations for application clients and resource servers is tested by evaluating an implementation’s ability to request and respond to HTTP messages that conform to the Per Resource Events Protocol.

1. Introduction

This section is non-normative.

The Per Resource Events Protocol defines a minimal HTTP-based framework by which clients can securely receive update notifications directly from any resource of interest on the Open Web Platform.

1.1. Motivation

This section is non-normative.

HTTP was originally designed to transfer a static documents within a single request and response. If the document changes, HTTP does not automatically update clients with the new versions. This design was adequate for web pages that were mostly static and written by hand.

But web-applications today are dynamic. They provide (near-)instantaneous updates across multiple clients and servers. The many workarounds developed over the years to provide real-time updates over HTTP have often proven to be inadequate. Web programmers instead resort to implementing custom messaging systems over alternate protocols such as WebSockets, which requires additional layers of code in the form of non-standard JavaScript frameworks to synchronize changes of state.

Per Resource Events is a minimal protocol built on top of HTTP that allows clients to receive notifications directly from a resource of interest. Unlike other HTTP based solutions, Per Resource Events Protocol supports the use of arbitrary media-types for notifications, which can be negotiated just like representations; thus giving implementers a lot of flexibility to customize notifications according to the needs of their application.

1.2. How it Works

This section is non-normative.

A client application that wishes to receive notifications about updates to a resource simply places a `GET` request on that resource with just one additional `Accept-Events` header. The server responds by sending, first the current representation of the resource (though a client can request for this to be skipped), followed by notifications sent in response to resource events as parts of a multipart response while the request is open.

If a server does not implement the Per Resource Events Protocol, the `Accept Events` header in a `GET` request is simply ignored. The resource returns the current representation thereby preserving backwards compatibility.

1.3. Scope

This section is non-normative.

The Per Resource Events Protocol specifies:

The Per Resource Events Protocol does not specify:

1.4. Audience

This section is non-normative.

This specification is for:

2. Design

This section is non-normative.

The Per Resource Events Protocol is predicated on a resource being the most intuitive source for notifications about its own updates.

This is unlike other notification protocols that require additional resources to be specifically dedicated as endpoints for delivering notifications. Servers that provide updates are forced to maintain these additional endpoints and clients that consume these updates have to co-ordinate data between the endpoint and a resource of interest.

By giving every resource the ability to send notifications when it updates, the Per Resource Events Protocol aims to reduce the complexity of both servers and clients implementing notifications; thus, making it easier for developers to build and maintain real-time applications.

2.1. Principles

This section is non-normative.

The Per Resource Events Protocol treats notifications as a temporally extended representation of any resource. That is, a representation can describe not (just) the state of the resource but events on the resource. With HTTP allowing representations to provide a potentially unbounded stream of data, the Per Resource Events Protocol is able to communicate events on the resource as notifications.

2.2. Goals

This section is non-normative.

The goals of the Per Resource Events Protocol are:

2.3. Constraints

This section is non-normative.

To the extent feasible, the Per Resource Events Protocol:

2.4. Known Limitations

This section is non-normative.

The Per Resource Events Protocol only allows notifications to be sent for events on a given resource. It is not possible for resources to send notifications for arbitrary events such as state changes on multiple resources or combinations thereof. Implementations using Per Resource Events Protocol have to create separate resources to realize such notification endpoints. But this is no different from APIs built on top of existing messaging protocols (See, for example, [WEBSOCKETS] and [WEBSUB]).

Due to the limits on connections per domain, the Per Resource Events Protocol is not suitable for use with HTTP/1.1, especially when providing notifications for multiple resource from the same domain that might be accessed simultaneously. This limitation is identical to that of other HTTP based streaming based protocols such as Server-Sent Events [EVENTSOURCE]. Implementations are strongly encouraged to adopt HTTP/2 (or later) and implement mitigation strategies, such as to maximize the number of concurrent connections and to provide alternate locations for resources on different domains.

3. Terminology

Notification

A message sent to application clients (that had previously requested it) when an HTTP request made on a resource fulfils some specified criteria.

Base Response

The response that would have been returned were notifications not requested for in an otherwise identical HTTP request.

Event Field

A parameter for a protocol item in the `Accept-Events` header field or a member of the `Events` header field.

4. Header Fields

The Per Resource Events Protocol introduces new header fields. These header fields are not specific to the Per Resource Events Protocol. They can be used by other protocols that augment resources with the ability to send notifications.

Protocols MUST ensure that the semantics be so defined that these header fields are safely ignored by recipients that do not recognize them ([RFC9110] § 5.1 Field Names).

4.1. Accept-Events

The `Accept-Events` header field can be used by application clients to specify their preferred protocol for receiving notifications. For example, the `Accept-Events` header field can be used to indicate that the request is specifically limited to a small set of desired protocols, as in the case for notifications with the Per Resource Events Protocol.

When sent by a resource server in a response, the `Accept-Events` header field provides information about which notification protocols are preferred in a subsequent request to the same resource.

An application client MAY generate a request for notifications regardless of having received an `Accept-Events` header field. The information only provides advice for the sake of improving performance and reducing unnecessary network transfers.

Conversely, an application client MUST NOT assume that receiving an `Accept-Events` header field means that future requests will return notifications. The content might change, the server might only support notifications requests at certain times or under certain conditions, or a different intermediary might process the next request.

4.1.1. Validity

A recipient MUST ignore the `Accept-Events` header field received with a request method that is unrecognized or for which notifications response is not defined for a particular notifications protocol.

A recipient MUST ignore the `Accept-Events` header field received in response to a request method that is unrecognized or for which notifications discovery and/or response is not defined for a particular notifications protocol.

A recipient MUST ignore the `Accept-Events` header field that it does not understand.

Where a recipient receives an illegal `Accept-Events` header field, can we:

A recipient MUST ignore the protocols specified in the `Accept-Events` header field that they are not aware of.

4.1.2. Syntax

`Accept-Events` is a List structured ([STRUCTURED-FIELDS] § 3.1 Lists) header field. Its members MUST be of type string that identifies a notification protocol. A protocol identifier MAY be followed with zero or more parameters defined by the given protocol, which MAY be followed by a `q` parameter.

Could the protocol identifier be a URL?

If the protocol is an identifier, do we need to define a registry?

The `q` parameter assigns a relative "weight" to the sender’s preference for a notification protocol with semantics as defined in [RFC9110] § 12.4.2 Quality Values. Senders using weights SHOULD send `q` last (after all protocol parameters). Recipients SHOULD process any parameter named `q` as weight, regardless of parameter ordering.

Note: Use of the `q` parameter name to negotiate notification protocols would interfere with any parameter having the same name. Hence, protocol parameters named `q` are disallowed.

4.2. Events

The `Events` header field is sent by a resource server to provide event fields in response to a request for notifications.

Where the `Accept-Events` header field sent in the request is ignored, a resource server MUST NOT send the `Events` header field in a response.

Conversely, a resource server MUST send the `Events` header field in a response, if the `Accept-Events` header field sent in the request is not ignored.

4.2.1. Validity

If the `Events` header field is sent in response to a request that does not contain the `Accept-Events` header field, the recipient MUST treat the response as invalid.

Does compliance with HTTP demand that we ignore the `Events` header? How will recipient process such a response that presumably contains notifications that it has not requested?

If the response contains a `Events` header field that the recipient does not understand or the `Events` header field specifies a `protocol` that the recipient does not understand, the recipient MUST NOT process the response. A proxy that receives such a message SHOULD forward it downstream.

Could the constraints on the `Events` field not being understood be more specific?

Such as:
"A recipient MUST ignore the `Events` header field received in response to a request method that is unrecognized or for which notifications response is not defined for a particular notifications protocol."

4.2.2. Syntax

`Events` is a Dictionary structured ([STRUCTURED-FIELDS] § 3.2 Dictionaries) header field. It MUST contain one member with the key `protocol` whose value identifies the notification protocol used in the response. It MAY contain other members that are defined by the given notification protocol.

5. Protocol

5.1. Event Fields

The Per Resource Events Protocol reuses existing HTTP fields ([RFC9110] § 5 Fields) as event fields. Any HTTP field MAY be used as an event field. For the limited context of notifications using the Per Resource Events Protocol, an event field with the same name as an HTTP field MUST have identical semantics to that HTTP field, unless otherwise specified.

This specification restricts `Accept-Events` and `Events` as Structured header fields [STRUCTURED-FIELDS]. From this it follows:

5.2. Methods

For the Per Resource Events Protocol, `HEAD` ([RFC9110] § 9.3.2 HEAD) and `GET` ([RFC9110] § 9.3.1 GET) are the only methods in response to which notifications are advertised.

A resource server MUST NOT send the `Accept-Events` header field with `PREP` as a protocol in response to a request with any method other than `HEAD` or `GET`.

For the Per Resource Events Protocol, `GET` ([RFC9110] § 9.3.1 GET) is the only method by which notifications are requested and for which notifications response is defined.

An application client MUST NOT send the `Accept-Events` header field with `PREP` as a protocol in a request with any method other than `GET`.

An resource server MUST NOT send the `Events` header field with the parameter `protocol` with a value of `PREP` in response to a request with any method other than `GET`.

A resource server MUST NOT send the `Events` header field except in response to a `GET` request.

5.3. Status Codes

The Per Resource Events Protocol reuses existing HTTP status codes ([RFC9110] § 15 Status Codes) to describe the result of the request for notifications and the semantics of notifications in the response.

In response to a request where `Accept-Events` header field indicates `PREP` as the preferred protocol, a resource server that supports notifications using the Per Resource Events Protocol MUST communicate the status code for the notifications response using the `status` parameter in the `Events` header field.

For the limited context of notifications using the Per Resource Events Protocol, the status code communicated using the `status` parameter in the `Events` header field MUST have identical semantics to the corresponding HTTP status code, unless otherwise specified.

6. Discovery

Application clients can engage in reactive content negotiation to discover if a resource server supports notifications using the Per Resource Events Protocol on a given resource.

6.1. Request

An application client can discover the ability of a resource server to deliver PREP notifications for a target resource by sending a `HEAD` ([RFC9110] § 9.3.2 HEAD) request.

6.2. Not Available

In the response to a `HEAD` request, a resource server that does not provide notifications for the target resource using the Per Resource Events Protocol MUST NOT list `PREP` as as one of the available protocols in the `Accept-Events` header field.

6.3. Available

In response to a `HEAD` request, a resource server that serves notifications for the target resource using the Per Resource Events Protocol SHOULD include the `Accept-Events` header field, which MUST list `PREP` as one of the available protocols.

Associated with `PREP` list item, the resource server MUST include an `accept` event field with at least one acceptable media-type for notifications.

Notifications Discovery
Discovery request:
HEAD /foo HTTP/1.1
Host: example.org
HEADERS
  + END_HEADERS
  + END_STREAM
    :method = HEAD
    :scheme = https
    :authority = example.org
    :path = /foo

Discovery response:
HTTP/1.1 200 OK
Accept: text/html
Accept-Events: PREP; accept=message/rfc822
HEADERS
  + END_HEADERS
  + END_STREAM
    :status = 304
    accept = text/html
    accept-events: PREP; accept=message/rfc822
Implementation Guidance

When resource servers support HTTP/2 [RFC9113] for a resource, they are strongly encouraged to advertise it in the response.

When a resource is accessible from different locations, resource servers are encouraged to advertise these locations in the response.

HTTP Alternative Services [RFC7838], for example, describes a mechanism for advertising these capabilities.

7. Request

The Per Resource Events Protocol extends the content negotiation mechanism provided by HTTP allowing application clients to negotiate notifications independent of the base response.

In order to receive notifications using the Per Resource Events Protocol from a resource, an application client sends a `GET` request to resource server, which:

Implementation Guidance

Set the `Last-Event-ID` to a wildcard `*` to explicitly request a resource server to not send the base response body in the response at all.

Request for Notifications
GET /foo HTTP/1.1
Host: example.org
Authorization: DPoP <token>
DPoP: <proof>
Last-Event-ID: *
Accept-Encoding: gzip
Accept-Events: PREP; accept=message/rfc822; accept-encoding=identity
HEADERS
  + END_STREAM
  - END_HEADERS
    :method = GET
    :scheme = https
    :authority = example.org
    :path = /foo

CONTINUATION
  + END_HEADERS
    authorization = DPoP <token>
    DPoP = <proof>
    last-event-id = *
    accept-encoding = gzip
    accept-events = PREP; accept=message/rfc822; accept-encoding=identity

A resource server MUST ignore event fields for `PREP` notifications in the `Accept-Events` header that it does not recognize or implement.

8. Response without Notifications

8.1. Not Available

A resource server not implementing the Per Resource Events Protocol (or not supporting it for the target resource) can ignore a request for notifications and respond as if it received a normal request on that resource without impacting interoperability.

A resource server that does not provide notifications using the Per Resource Events Protocol MUST NOT:

Implementation Guidance

Implementations are advised against sending notifications for long-lived resources. A resource might be considered long-lived, if the resource server determines that the resource is unlikely to change in the duration of the notification response. In such instances, resource servers are strongly advised to respond with the `Cache-Control` header and set the `max-age` parameter in it.

8.2. Error Response

A resource server MUST NOT include PREP notifications in a response, unless request results in one of the following status codes:

A resource server that does not serve PREP notifications, on account of the response not having one of the above-mentioned status codes:

8.3. Notification Errors

A resource server might still not be able to send notifications using the Per Resource Events Protocol requested by an application client despite a valid response.

A resource server unable to serve PREP notifications, even when the request results in a status code mentioned in § 8.2 Error Response:

9. Notifications Response

9.1. Common Headers

A resource server providing notifications using the Per Resource Events Protocol:

9.2. Only Notifications

An application client requesting only notifications using the Per Resource Events Protocol needs to explicitly opt out of receiving the base response as described in § 7 Request.

A resource server MUST NOT send the [base response], if the request for PREP notifications includes the `Last-Event-ID` header field ([EVENTSOURCE] § 9.2.4 The `Last-Event-ID` header) which matches the `Event-ID` of the last event on the resource.

9.2.1. Headers

A resource server that provides only notifications using the Per Resource Events Protocol MUST include the `Vary` header field ([RFC9110] § 12.5.5 Vary) with `Last-Event-ID` as one of the values.

9.2.2. Body

A resource server MUST transmit PREP notifications as a multipart message body ([RFC2046] § 5.1 Multipart Media Type), with a media type of `multipart/digest` ([RFC2046] § 5.1.5 Digest Subtype) that MAY include zero or more body parts. Each body part of the multipart message body MAY contain at most one notification.

Response with Notifications Only
HTTP/1.1 200 OK
Vary: Accept-Events, Last-Event-ID
Accept-Events: PREP; accept=message/rfc822
Events: protocol=PREP, status=200, vary=accept-encoding
Last-Modified: Sat, 1 April 2023 10:11:12 GMT
Transfer-Encoding: chunked
ETag: 1234abcd
Content-Type: multipart/digest; boundary=next-message

--next-message
Content-Type: message/rfc822

<message>
--next-message-- 
HEADERS
  + END_HEADERS
  - END_STREAM
    :status = 304
    vary = accept-events, last-event-id
    accept-events = PREP; accept=message/rfc822
    events = protocol=PREP, status=200, vary=accept-encoding
    last-modified = Sat, 1 April 2023 10:11:12 GMT
    etag = 1234abcd
    content-type = multipart/digest; boundary=next-message

DATA
  - END_STREAM
--next-message

DATA
  - END_STREAM
content-type = message/rfc822
CRLF<message>
--next-message

DATA
  + END_STREAM
--next-message-- 
Implementation Guidance

While not strictly necessary, it is strongly encouraged that resource servers send notifications in a manner such that the boundary delimiter ([RFC2046] § 5.1 Multipart Media Type > § 5.1.2 Common Syntax) is always at the end of a chunk ([RFC9112] § 7.1 Chunked Transfer Coding) or data frame ([RFC9113] § 6 Frame Definitions > § 6.1 DATA) as shown in the example above. This way an application client does not have to wait until the next chunk or frame (which might be a while or in cases of error never arrive) to be certain that the immediate message is complete.

9.3. Composite Response

By default, the Per Resource Events Protocol requires a resource server to transmit the base response body before notifications. An application client MAY opt out of this behaviour as described in § 7 Request.

NOTE: Not only does this behaviour ensure interoperability, it is also desirable in most scenarios. It short-circuits an extra round trip that would be otherwise needed to fetch the current representation before notifications and eliminates the need to co-ordinate the two responses.

9.3.1. Headers

If the request for PREP notifications includes the `Last-Event-ID` header field, a resource server MUST include `Vary` header field ([RFC9110] § 12.5.5 Vary) with `last-event-id` as one of the values.

9.3.2. Body

Where the response includes a base response body prior to PREP notifications, a resource server MUST transmit a multipart message body ([RFC2046] § 5.1 Multipart Media Type) with a media type of `multipart/mixed` ([RFC2046] § 5.1.3 Mixed Subtype) with two body parts in the order specified below:

  1. the message body that would have been sent had notifications not been requested.

  2. the multipart response body with body parts containing notifications as defined in § 9.2 Only Notifications.

Full Response
HTTP/1.1 200 OK
Vary: Accept-Events
Accept-Events: PREP; accept=message/rfc822
Events: protocol=PREP, status=200, vary=accept-encoding
Last-Modified: Sat, 1 April 2023 10:11:12 GMT
Transfer-Encoding: chunked
ETag: 1234abcd
Content-Type: multipart/mixed; boundary=main-boundary

--main-boundary
Content-Type: text/html
CRLF
<html>
--main-boundary
Content-Type: multipart/digest; boundary=next-message

--next-message
Content-Type: message/rfc822

<message>
--next-message-- 
--main-boundary-- 
HEADERS
  + END_HEADERS
  - END_STREAM
    :status = 304
    vary = accept-events
    accept-events = PREP; accept=message/rfc822
    events = protocol=PREP, status=200, vary=accept-encoding
    last-modified = Sat, 1 April 2023 10:11:12 GMT
    etag = 1234abcd
    content-type = multipart/mixed; boundary=main-boundary

DATA
  - END STREAM
--main-boundary
Content-Type: text/html
CRLF
<html>
--main-boundary

DATA
  - END STREAM
Content-Type: multipart/digest; boundary=next-message
CRLF
--next-message

DATA
  - END STREAM
Content-Type: message/rfc822
CRLF<message>
--next-message

DATA
  + END STREAM
--next-message--
--main-boundary-- 

9.4. Termination

A resource server MUST end the notification response in any one of the following scenarios:

A resource server MUST properly terminate the multipart response as defined in [RFC2046] § 5.1 Multipart Media Type > § 5.1.2 Common Syntax, before closing the notification response stream.

Implementation Guidance

When a user navigates away from a website or an application using PREP notifications, application clients are strongly encouraged to properly close the response stream to ensure that servers do not keep sending notifications.

Appendix A: Additional Semantics for `message/rfc822`

The `multipart/digest` multipart media-type ([RFC2046] § 5.1.5 Digest Subtype) uses `message/rfc822` media-type ([RFC2046] § 5.2.1 RFC822 Subtype, [RFC822]) for body parts as default. It follows that the Per Resource Events Protocol transmits notifications as `message/rfc822`, unless the application client requests otherwise.

Request

An application clients MAY specify additional parameters to `message/rfc822` notification media-type in the `accept` event field associated with the `PREP` list item in the `accept-events` header field of the request.

Notification

A resource server implementing the Per Resource Events Protocol SHOULD send a notification to an application client when a request with one of the following methods generates a response with any of the following status codes:

Notification Triggers
Request Method Response Status
`PUT` ([RFC9110] § 9.3.4 PUT)
`PATCH` ([RFC5789])
`DELETE` ([RFC9110] §.3.5 DELETE)
`200 (OK)` ([RFC9110] § 15.3.1 200 OK)
`204 (No Content)` ([RFC9110] § 15.3.5 204 No Content)
`POST` ([RFC9110] § 9.3.3 POST) `200 (OK)` ([RFC9110] § 15.3.1 200 OK)
`204 (No Content)` ([RFC9110] § 15.3.5 204 No Content)
`201 (Created)` ([RFC9110] § 15.3.2 201 Created)
`205 (Reset Content)` ([RFC9110] § 15.3.6 205 Reset Content)

The notification MUST NOT be sent before the success response has been sent to the user agent that initiated the request.

Headers

A resource server MUST include the following header fields in a `message/rfc822` formatted PREP notification:

`Method`

identical to `:method` pseudo-header field in a HTTP/2 request ([RFC9113] § 8.3.1 Request Pseudo-Header Fields), that specifies the request method that triggered the notification.

`Date`

identical to `Date` header field in a HTTP response ([RFC9110] § 6.6.1 Date), that specifies date and time at which the event that triggered the notification was completed.

`Event-ID`

an opaque identifier for the generated notification.

Do we need to make this identical to one of the following:

A resource server SHOULD include the following headers in a `message/rfc822` formatted PREP notification when the state of the resource or its representation is modified as a result of the event:

`ETag`

identical to `ETag` header field ([RFC9110] § 8.8.3 ETag) in a HTTP response, that is an opaque identifier for the current representation of the state of the resource.

`PUT` notification message

--random-boundary  <- From the previous message (Do not include)
                   <- Empty part response headers & blank line
Method: PUT
Date: Sat, 1 April 2023 10:11:12 GMT
Event-ID: 1234
ETag: "abc123"
--random-boundary

A resource server MUST include the following headers in a `message/rfc822` formatted PREP notification when sent as a result of a `POST` request that modifies another resource:

`Content-Location`

identical to the `Content-Location` header field ([RFC9110] § 8.7 Content-Location).

`POST` notification message:

--random-boundary  <- From the previous message (Do not include)
                   <- Empty part response headers & blank line
Method: POST
Date: Sat, 1 April 2023 10:12:14 GMT
Event-ID: 1235
Content-Location: /foo
--random-boundary

Body

The body of a `message/rfc822` formatted PREP notification might be used to provide a delta representation, the difference between the state of the representation before and after the most recent event on the resource.

If the application client does not specify delta parameter associated with a preferred notifications format of `message/rfc822` in the `accept` event field of the § 7 Request that results in `message/rfc822` formatted PREP notifications, the notifications MUST NOT contain a body.

If state of the resource is not modified as a result of an HTTP operation, the resulting notification MUST NOT contain a body.

If the application client specifies a (`delta`) parameter associated with a preferred notifications format of `message/rfc822` in the `accept` event field of the § 7 Request that results in `message/rfc822` formatted PREP notifications, a resource server:

A resource server SHOULD send the delta representation in the content-type preferred by the client as specified by the `delta` parameter.

`PATCH` notification with delta representation:

--random-boundary  <- From the previous message (Do not include)
                   <- Empty part response headers & blank line
Method: PATCH
Date: Sat, 1 April 2023 10:14:16 GMT
Event-ID: 1236
ETag: "xyz987"
Content-type: application/example

<delta>
--random-boundary

Considerations

This section details security and privacy considerations.

Some of the normative references within this specification point to documents with a Living Standard or Draft status, meaning their contents can still change over time. It is advised to monitor these documents, as such changes might have implications.

Security Considerations

This section is non-normative.

Resource servers are strongly discouraged from exposing information beyond the minimum amount necessary to enable a feature. Application clients are strongly discouraged from exposing information beyond the minimum amount necessary to receive updates about particular resources.

Application clients are discouraged from sending requests for notifications to untrusted resource servers, including localhost or any other loopback IP address, in order to avoid making arbitrary requests.

Privacy Considerations

This section is non-normative.

Security and Privacy Review

This section is non-normative.

These questions provide an overview of security and privacy considerations for this specification as guided by [SECURITY-PRIVACY-QUESTIONNAIRE].

What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?

There are no known security impacts of the features in this specification.

Do features in your specification expose the minimum amount of information necessary to enable their intended uses?

Yes.

How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?

Access to resource server is only granted to authorized access subjects. Notification payloads can contain any data (including that which identifies or refers to agents that control the resource server). Meaningful consent to any personal data that resource servers include about agents associated with themselves or resources of interest are extended to the application client. Resource servers are discouraged from exposing information beyond the amount necessary to enable or use a feature.

How do the features in your specification deal with sensitive information?

The features do not require sensitive information to be obtained or exposed.

Do the features in your specification introduce new state for an origin that persists across browsing sessions?

No.

Do the features in your specification expose information about the underlying platform to origins?

No.

Does this specification allow an origin to send data to the underlying platform?

No. Resources are described within the framework of HTTP. A resource server might be able to redirect to other resources, (e.g., the https: URLs to file:, data:, or blob: URLs), but no such behaviour is defined by this specification.

Do features in this specification allow an origin access to sensors on a user’s device

No.

What data do the features in this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.

No detail about another origin’s state is exposed. When resource servers participate in the CORS protocol [FETCH], HTTP requests from different origins might be allowed. This feature does not add any new attack surface above and beyond normal CORS requests, so no extra mitigation is deemed necessary.

Do features in this specification enable new script execution/loading mechanisms?

No.

Do features in this specification allow an origin to access other devices?

No.

Do features in this specification allow an origin some measure of control over a user agent’s native UI?

No.

What temporary identifiers do the features in this specification create or expose to the web?

No.

How does this specification distinguish between behaviour in first-party and third-party contexts?

Not Applicable.

How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?

No different than in the browser’s "normal" state.

Does this specification have both "Security Considerations" and "Privacy Considerations" sections?

Yes, in Security Considerations and Privacy Considerations.

Do features in your specification enable origins to downgrade default security protections?

No.

How does your feature handle non-"fully active" documents?

Not Applicable.

References

Normative References

[EVENTSOURCE]
Ian Hickson. Server-Sent Events. URL: https://html.spec.whatwg.org/multipage/server-sent-events.html
[FETCH]
Anne van Kesteren. Fetch Standard. Living Standard. URL: https://fetch.spec.whatwg.org/
[RETROFIT-FIELDS]
Mark Nottingham. Retrofit Structured Fields for HTTP. Internet Draft. URL: https://datatracker.ietf.org/doc/draft-ietf-httpbis-retrofit/06/
[RFC2046]
N. Freed; N. Borenstein. Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types. November 1996. Draft Standard. URL: https://www.rfc-editor.org/rfc/rfc2046
[RFC2119]
S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://datatracker.ietf.org/doc/html/rfc2119
[RFC3229]
J. Mogul; et al. Delta encoding in HTTP. January 2002. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc3229
[RFC5789]
L. Dusseault; J. Snell. PATCH Method for HTTP. March 2010. Proposed Standard. URL: https://httpwg.org/specs/rfc5789.html
[RFC8174]
B. Leiba. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[RFC822]
P. Resnick, Ed.. Internet Message Format. October 2008. Draft Standard. URL: https://www.rfc-editor.org/rfc/rfc5322
[RFC9110]
R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. HTTP Semantics. June 2022. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc9110
[RFC9112]
R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. HTTP/1.1. June 2022. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc9112
[RFC9113]
M. Thomson, Ed.; C. Benfield, Ed.. HTTP/2. June 2022. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc9113
[STRUCTURED-FIELDS]
Mark Nottingham; Poul-Henning Kamp. Structured Field Values for HTTP. Internet Draft. URL: https://datatracker.ietf.org/doc/draft-ietf-httpbis-sfbis/03/

Informative References

[REST]
Roy Thomas Fielding. Architectural styles and the design of network-based software architectures. 2000. URL: https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm
[RFC7838]
M. Nottingham; P. McManus; J. Reschke. HTTP Alternative Services. April 2016. Proposed Standard. URL: https://httpwg.org/specs/rfc7838.html
[RFC9205]
M. Nottingham. Building Protocols with HTTP. June 2022. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc9205
[SECURITY-PRIVACY-QUESTIONNAIRE]
Theresa O'Connor; Peter Snyder. Self-Review Questionnaire: Security and Privacy. URL: https://w3ctag.github.io/security-questionnaire/
[WEBSOCKETS]
Adam Rice. WebSockets Standard. Living Standard. URL: https://websockets.spec.whatwg.org/
[WEBSUB]
Julien Genestoux; Aaron Parecki. WebSub. URL: https://websub.net/draft