Network Working Group T. Brown Internet-Draft Opera Software Intended status: Standards Track R. Cremin Expires: April 19, 2013 Afilias Technologies Limited October 16, 2012 Device-Stock-UA HTTP Extension draft-brown-device-stock-ua-00 Abstract This document standardizes an HTTP extension header field that allows third-party HTTP clients and embeddable HTTP client components to include the user agent string of the HTTP-client that is bundled with the device operating system. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 19, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Brown & Cremin Expires April 19, 2013 [Page 1] Internet-Draft Device-Stock-UA HTTP Extension October 2012 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3 3. Syntax Notations . . . . . . . . . . . . . . . . . . . . . . . 4 4. Device-Stock-UA . . . . . . . . . . . . . . . . . . . . . . . . 4 5. Use of Device-Stock-UA Header Field . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 5 9. Normative references . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6 Brown & Cremin Expires April 19, 2013 [Page 2] Internet-Draft Device-Stock-UA HTTP Extension October 2012 1. Introduction An optional header field, User-Agent was originally defined by Hypertext Transfer Protocol RFC 1945 (since superseded by [RFC2616]). Its intent was to enable statistical tracking, allow tracing of protocol violations, and provide a means for tailoring responses based on HTTP user agent limitations, quirks, and capabilities. Application developers have long used the user agent string to infer user agent capability. Increasingly, developers are relying on the user agent string to infer the capabilities of the hardware, firmware, and operating system on which the user agent runs. For example, the user agent string is sometimes used to infer the display size or whether the user agent allows access to the device file system. In some cases, the user agent string is used to infer which other software may be running in addition to the user agent, such as a bundled media player or mapping service. This works as follows: when the HTTP client includes a User-Agent header field, the value of the header field is compared to a datastore of stock or native user agent strings and known capabilities of the device on which it is known to run. Responses are then tailored based on the results supplied by this datastore. Such content negotiation assumes a one-to-one relationship between the value of the User-Agent header field and a device. However, many HTTP clients do not have such a relationship -- third-party web browsers that run on top of device operating system software, for example. To compensate for this, some third-party clients include an additional, non-standardized header field. The value of this header field is set to the user agent string of the device's native client. In practice, several different non-standard header fields are in use, for example: X-OperaMini-Phone-UA, used by Opera Software ASA; X-Device-User-Agent; and X-ATT-DeviceId, used by AT&T Inc. Applications can use such header fields, when available, to serve content optimized for a particular device, such as a mobile phone, electronic reader, or tablet computer. This document standardizes the syntax and semantics for the Device-Stock-UA header field for this purpose. 2. Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this Brown & Cremin Expires April 19, 2013 [Page 3] Internet-Draft Device-Stock-UA HTTP Extension October 2012 document are to be interpreted as described in [RFC2119]. 3. Syntax Notations This specification uses the Augmented Backus-Naur Form (ABNF) notation of [RFC5234]. 4. Device-Stock-UA The Device-Stock-UA HTTP header field is an OPTIONAL header field that, when used, discloses the user agent of the native browser for a device or operating system. This is for statistical purposes, as well as to tailor responses to particular user agent or device constraints. When the Device-Stock-UA header field is included with a request, other non-standard header fields that report a user agent string may be included. Third-party browsers that use the same user agent string as the device's default browser SHOULD NOT include the Device-Stock-UA header field, i.e., its presence indicates the use of something other than the default browser user-agent string. If the user agent string for the default browser changes, as with an operating system update, the Device-Stock-UA header field SHOULD mirror this change. The parameter names are case-insensitive. The header field can be defined in augmented BNF syntax as: Device-Stock-UA = "Device-Stock-UA" ":" (User-Agent) User-Agent = Example: Device-Stock-UA: CERN-LineMode/2.15 libwww/2.17b3 The user-agent-string should be retrieved from the firmware, matching that of the HTTP client bundled with the firmware. Brown & Cremin Expires April 19, 2013 [Page 4] Internet-Draft Device-Stock-UA HTTP Extension October 2012 5. Use of Device-Stock-UA Header Field Entities that provide web analytics services SHOULD use the Device- Stock-UA header field (if present) in addition to the User-Agent header field in their identification of devices to ensure that devices are correctly measured. Content publishers may use the Device-Stock-UA header field (if present) rather than the User-Agent header field in order to infer the nature and capabilities of the underlying device rather than, or in addition to, the capabilities of the browser in question. Publishers of third-party HTTP-capable clients SHOULD include the Device-Stock-UA with each HTTP request in order to enable publishers to recognize the underlying device. 6. Security Considerations Because the Device-Stock-UA header field includes hardware and operating system/firmware information, it may help an attacker narrow the scope of an attack by first targeting client device specific vulnerabilities. The value of Device-Stock-UA may not correctly represent the hardware and software. It can easily be spoofed on the client or modified between the endpoints. This header field may reveal more specific information about the user agent than would otherwise be the case. This information could then be used for tracking purposes. 7. IANA Considerations This document specifies the HTTP header field listed below, which should be added to the permanent HTTP header field registry defined in [RFC3864]. Header field: Device-Stock-UA Applicable protocol: http/https Status: standard Author/Change controller: IETF (iesg@ietf.org) Internet Engineering Task Force Specification document(s): this specification Related information: none 8. Acknowledgments Thanks to Andreas Bovens, Hamish Graham, Bruce Lawson, Susan Nichols, Brown & Cremin Expires April 19, 2013 [Page 5] Internet-Draft Device-Stock-UA HTTP Extension October 2012 Martin Nilsson, and Andreas Petersson for their feedback. 9. Normative references [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration Procedures for Message Header Fields", BCP 90, RFC 3864, September 2004. [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008. [RFC6648] Saint-Andre, P., Crocker, D., and M. Nottingham, "Deprecating the "X-" Prefix and Similar Constructs in Application Protocols", BCP 178, RFC 6648, June 2012. Authors' Addresses Tiffany Brown Opera Software Gjerdrums vei 19 OSLO NO-0484 Email: tiffanyb@opera.com Ronan Cremin Afilias Technologies Limited 2 La Touche House Dublin 1 Email: rcremin@afilias.info Brown & Cremin Expires April 19, 2013 [Page 6]