Network Working Group M. Belshe
Internet-Draft Twist
Intended status: Standards Track R. Peon
Expires: December 9, 2013 Google, Inc
June 7, 2013
SPDY Protocol
draft-mbelshe-httpbis-spdy-00
Abstract
This document describes SPDY, a protocol designed for low-latency
transport of content over the World Wide Web. SPDY introduces two
layers of protocol. The lower layer is a general purpose framing
layer which can be used atop a reliable transport (likely TCP) for
multiplexed, prioritized, and compressed data communication of many
concurrent streams. The upper layer of the protocol provides HTTP-
like semantics for compatibility with existing HTTP application
servers.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 9, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Belshe & Peon Expires December 9, 2013 [Page 1]
Internet-Draft SPDY June 2013
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Document Organization . . . . . . . . . . . . . . . . . . 4
1.2. Conventions and Terminology . . . . . . . . . . . . . . . 5
2. SPDY Framing Layer . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Connection . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2. Connection Header . . . . . . . . . . . . . . . . . . . . 6
2.3. Framing . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.1. Frame Header . . . . . . . . . . . . . . . . . . . . . 7
2.3.2. Frame Size . . . . . . . . . . . . . . . . . . . . . . 8
2.4. Streams . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.4.1. Stream Creation . . . . . . . . . . . . . . . . . . . 9
2.4.2. Stream priority . . . . . . . . . . . . . . . . . . . 10
2.4.3. Stream half-close . . . . . . . . . . . . . . . . . . 10
2.4.4. Stream close . . . . . . . . . . . . . . . . . . . . . 11
2.5. Error Handling . . . . . . . . . . . . . . . . . . . . . . 11
2.5.1. Connection Error Handling . . . . . . . . . . . . . . 12
2.5.2. Stream Error Handling . . . . . . . . . . . . . . . . 12
2.5.3. Error Codes . . . . . . . . . . . . . . . . . . . . . 13
2.6. Name/Value Header Block . . . . . . . . . . . . . . . . . 13
2.6.1. Compression . . . . . . . . . . . . . . . . . . . . . 18
2.7. Frame Types . . . . . . . . . . . . . . . . . . . . . . . 20
2.7.1. DATA Frames . . . . . . . . . . . . . . . . . . . . . 21
2.7.2. HEADERS+PRIORITY . . . . . . . . . . . . . . . . . . . 21
2.7.3. PRIORITY . . . . . . . . . . . . . . . . . . . . . . . 22
2.7.4. RST_STREAM . . . . . . . . . . . . . . . . . . . . . . 22
2.7.5. SETTINGS . . . . . . . . . . . . . . . . . . . . . . . 23
2.7.6. PUSH_PROMISE . . . . . . . . . . . . . . . . . . . . . 26
2.7.7. PING . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.7.8. GOAWAY . . . . . . . . . . . . . . . . . . . . . . . . 28
2.7.9. HEADERS . . . . . . . . . . . . . . . . . . . . . . . 30
2.7.10. WINDOW_UPDATE . . . . . . . . . . . . . . . . . . . . 30
2.7.11. CREDENTIAL . . . . . . . . . . . . . . . . . . . . . . 34
3. HTTP Message Exchanges . . . . . . . . . . . . . . . . . . . . 36
3.1. Connection Management . . . . . . . . . . . . . . . . . . 36
3.2. HTTP Request/Response . . . . . . . . . . . . . . . . . . 36
3.2.1. HTTP Header Fields and SPDY Headers . . . . . . . . . 36
3.2.2. Request . . . . . . . . . . . . . . . . . . . . . . . 36
3.2.3. Response . . . . . . . . . . . . . . . . . . . . . . . 38
3.2.4. Authentication . . . . . . . . . . . . . . . . . . . . 39
3.3. Server Push Transactions . . . . . . . . . . . . . . . . . 40
3.3.1. Server implementation . . . . . . . . . . . . . . . . 41
Belshe & Peon Expires December 9, 2013 [Page 2]
Internet-Draft SPDY June 2013
3.3.2. Client implementation . . . . . . . . . . . . . . . . 42
4. WebSocket Layering over SPDY . . . . . . . . . . . . . . . . . 43
4.1. Connection Management . . . . . . . . . . . . . . . . . . 43
4.1.1. Opening Handshake . . . . . . . . . . . . . . . . . . 43
4.1.2. Closing Handshake . . . . . . . . . . . . . . . . . . 45
4.2. Bi-directional Communication . . . . . . . . . . . . . . . 46
4.2.1. Frame mapping . . . . . . . . . . . . . . . . . . . . 46
5. Design Rationale and Notes . . . . . . . . . . . . . . . . . . 47
5.1. Separation of Framing Layer and Application Layer . . . . 47
5.2. Error handling - Framing Layer . . . . . . . . . . . . . . 47
5.3. One Connection Per Domain . . . . . . . . . . . . . . . . 47
5.4. Fixed vs Variable Length Fields . . . . . . . . . . . . . 48
5.5. Compression Context(s) . . . . . . . . . . . . . . . . . . 48
5.6. Unidirectional streams . . . . . . . . . . . . . . . . . . 49
5.7. Data Compression . . . . . . . . . . . . . . . . . . . . . 49
5.8. Server Push . . . . . . . . . . . . . . . . . . . . . . . 49
6. Security Considerations . . . . . . . . . . . . . . . . . . . 49
6.1. Use of Same-origin constraints . . . . . . . . . . . . . . 49
6.2. HTTP Headers and SPDY Headers . . . . . . . . . . . . . . 50
6.3. Cross-Protocol Attacks . . . . . . . . . . . . . . . . . . 50
6.4. Server Push Implicit Headers . . . . . . . . . . . . . . . 50
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 50
7.1. Long Lived Connections . . . . . . . . . . . . . . . . . . 50
7.2. SETTINGS frame . . . . . . . . . . . . . . . . . . . . . . 50
8. Sub-protocol negotiation . . . . . . . . . . . . . . . . . . . 51
8.1. Supporting scheme negotiation using SETTINGS frame . . . . 51
9. Incompatibilities with SPDY draft #3 . . . . . . . . . . . . . 51
10. Requirements Notation . . . . . . . . . . . . . . . . . . . . 52
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 52
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 52
12.1. Normative References . . . . . . . . . . . . . . . . . . . 52
12.2. Informative References . . . . . . . . . . . . . . . . . . 54
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . . 55
Belshe & Peon Expires December 9, 2013 [Page 3]
Internet-Draft SPDY June 2013
1. Introduction
One of the bottlenecks of HTTP implementations is that HTTP relies on
multiple connections for concurrency. This causes several problems,
including additional round trips for connection setup, slow-start
delays, and connection rationing by the client, where it tries to
avoid opening too many connections to any single server. HTTP
pipelining helps some, but only achieves partial multiplexing. In
addition, pipelining has proven non-deployable in existing browsers
due to intermediary interference.
SPDY adds a framing layer for multiplexing multiple, concurrent
streams across a single TCP connection (or any reliable transport
stream). The framing layer is optimized for HTTP-like request-
response streams, such that applications which run over HTTP today
can work over SPDY with little or no change on behalf of the web
application writer.
The SPDY connection offers four improvements over HTTP:
Multiplexed requests: There is no limit to the number of requests
that can be issued concurrently over a single SPDY connection.
Prioritized requests: Clients can request certain resources to be
delivered first. This avoids the problem of congesting the
network channel with non-critical resources when a high-priority
request is pending.
Compressed headers: Clients today send a significant amount of
redundant data in the form of HTTP headers. Because a single web
page may require 50 or 100 subrequests, this data is significant.
Server pushed streams: Server Push enables content to be pushed
from servers to clients without a request.
SPDY attempts to preserve the existing semantics of HTTP. All
features such as cookies, ETags, Vary headers, Content-Encoding
negotiations, etc work as they do with HTTP; SPDY only replaces the
way the data is written to the network.
1.1. Document Organization
The SPDY Specification is split into two parts: a framing layer
(Section 2), which multiplexes a single TCP connection into
independent frames of various types; and an HTTP layer (Section 3),
which specifies the mechanism for expressing HTTP interactions using
the framing layer. While some of the framing layer concepts are
isolated from HTTP, building a generic framing layer has not been a
Belshe & Peon Expires December 9, 2013 [Page 4]
Internet-Draft SPDY June 2013
goal. The framing layer is tailored to the needs of the HTTP
protocol and server push.
1.2. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
All numeric values are in network byte order. Values are unsigned
unless otherwise indicated. Literal values are provided in decimal
or hexadecimal as appropriate. Hexadecimal literals are prefixed
with "0x" to distinguish them from decimal literals.
The following terms are used:
client: The endpoint initiating the SPDY connection.
connection: A transport-level connection between two endpoints.
endpoint: Either the client or server of the connection.
frame: The smallest unit of communication within an SPDY connection,
consisting of a header and a variable-length sequence of bytes
structured according to the frame type.
peer: An endpoint. When discussing a particular endpoint, "peer"
refers to the endpoint that is remote to the primary subject of
discussion.
receiver: An endpoint that is receiving frames.
sender: An endpoint that is transmitting frames.
server: The endpoint which did not initiate the SPDY connection.
connection error: An error on the SPDY connection.
stream: A bi-directional flow of frames across a virtual channel
within the SPDY connection.
stream error: An error on the individual SPDY stream.
2. SPDY Framing Layer
Belshe & Peon Expires December 9, 2013 [Page 5]
Internet-Draft SPDY June 2013
2.1. Connection
The SPDY framing layer runs atop a reliable transport layer such as
TCP [RFC0793]. The client is the TCP connection initiator. SPDY
connections are persistent connections.
For best performance, it is expected that non-battery operated
clients will leave open connections until the user navigates away
from all web pages referencing the connection, or until the server
closes the connection. Servers are encouraged to leave connections
open for as long as possible, but can terminate idle connections if
necessary. When either endpoint closes the transport-level
connection, it MUST first send a GOAWAY (Section 2.7.8) frame so that
the endpoints can reliably determine if requests finished before the
close. It is expected that battery-operated clients may have more
involved heuristics as to when a connection should be closed.
2.2. Connection Header
Upon establishment of a TCP connection and determination that SPDY
will be used by both peers to communicate, each endpoint MUST send a
connection header as a final confirmation and to establish the
default parameters for the SPDY connection.
The client connection header is a sequence of 24 octets (in hex
notation)
464f4f202a20485454502f322e300d0a0d0a42410d0a0d0a
(the string "FOO * HTTP/2.0\r\n\r\nBA\r\n\r\n") followed by a
SETTINGS frame (Section 2.7.5). The client sends the client
connection header immediately upon receipt of a 101 Switching
Protocols response (indicating a successful upgrade), or after
receiving a TLS Finished message from the server. If starting an
SPDY connection with prior knowledge of server support for the
protocol, the client connection header is sent upon connection
establishment.
The client connection header is selected so that a large
proportion of HTTP/1.1 or HTTP/1.0 servers and intermediaries do
not attempt to process further frames. Note that this does not
address the concerns raised in [TALKING].
The server connection header consists of just a SETTINGS frame
(Section 2.7.5) that MUST be the first frame the server sends in the
SPDY connection.
To avoid unnecessary latency, clients are permitted to send
Belshe & Peon Expires December 9, 2013 [Page 6]
Internet-Draft SPDY June 2013
additional frames to the server immediately after sending the client
connection header, without waiting to receive the server connection
header. It is important to note, however, that the server connection
header SETTINGS frame might include parameters that necessarily alter
how a client is expected to communicate with the server. Upon
receiving the SETTINGS frame, the client is expected to honor any
parameters established.
Clients and servers MUST terminate the TCP connection if either peer
does not begin with a valid connection header. A GOAWAY frame
(Section 2.7.8) MAY be omitted if it is clear that the peer is not
using SPDY.
2.3. Framing
Once the SPDY connection is established, clients and servers can
begin exchanging frames.
2.3.1. Frame Header
SPDY frames share a common base format consisting of an 8-byte header
followed by 0 to 65535 bytes of data.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Length (16) | Type (8) | Flags (8) |
+-+-------------+---------------+-------------------------------+
|R| Stream Identifier (31) |
+-+-------------------------------------------------------------+
| Frame Data (0...) ...
+---------------------------------------------------------------+
Frame Header
The fields of the frame header are defined as:
Length: The length of the frame data expressed as an unsigned 16-bit
integer. The 8 bytes of the frame header are not included in this
value.
Type: The 8-bit type of the frame. The frame type determines how
the remainder of the frame header and data are interpreted.
Implementations MUST ignore unsupported and unrecognized frame
types.
Belshe & Peon Expires December 9, 2013 [Page 7]
Internet-Draft SPDY June 2013
Flags: An 8-bit field reserved for frame-type specific boolean
flags.
The least significant bit (0x1) - the FINAL bit - is defined for
all frame types as an indication that this frame is the last the
endpoint will send for the identified stream. Setting this flag
causes the stream to enter the half-closed state (Section 2.4.3).
Implementations MUST process the FINAL bit for all frames whose
stream identifier field is not 0x0. The FINAL bit MUST NOT be set
on frames that use a stream identifier of 0.
The remaining flags can be assigned semantics specific to the
indicated frame type. Flags that have no defined semantics for a
particular frame type MUST be ignored, and MUST be left unset (0)
when sending.
R: A reserved 1-bit field. The semantics of this bit are undefined
and the bit MUST remain unset (0) when sending and MUST be ignored
when receiving.
Stream Identifier: A 31-bit stream identifier (see Section 2.4.1).
A value 0 is reserved for frames that are associated with the
connection as a whole as opposed to an individual stream.
The structure and content of the remaining frame data is dependent
entirely on the frame type.
2.3.2. Frame Size
Implementations with limited resources might not be capable of
processing large frame sizes. Such implementations MAY choose to
place additional limits on the maximum frame size. However, all
implementations MUST be capable of receiving and processing frames
containing at least 8192 octets of data. [[anchor5: Ed. Question:
Does this minimum include the 8-byte header or just the frame data?]]
An implementation MUST terminate a stream immediately if it is unable
to process a frame due it's size. This is done by sending an
RST_STREAM frame (Section 2.7.4) containing the FRAME_TOO_LARGE error
code.
[[anchor6: : Need a way to signal the maximum frame size; no way to
RST_STREAM on non-stream-related frames.]]Issue 28 [1]
2.4. Streams
A "stream" is an independent, bi-directional sequence of frames
exchanged between the client and server within a SPDY connection.
Belshe & Peon Expires December 9, 2013 [Page 8]
Internet-Draft SPDY June 2013
Streams have several important characteristics:
o Streams can be established and used unilaterally or shared by
either the client or server.
o Streams can be rejected or cancelled by either endpoint.
o Multiple types of frames can be sent by either endpoint within a
single stream.
o The order in which frames are sent within a stream is significant.
Recipients are required to process frames in the order they are
received.
o Streams optionally carry a set of name-value header pairs that are
expressed within the headers block of HEADERS+PRIORITY, HEADERS,
or PUSH_PROMISE frames.
o A single SPDY connection can contain multiple concurrently active
streams, with either endpoint interleaving frames from multiple
streams.
2.4.1. Stream Creation
There is no coordination or shared action between the client and
server required to create a stream. Rather, new streams are
established by sending a frame whose stream identifier field
references a previously unused stream identifier.
All streams are identified by an unsigned 31-bit integer. Streams
initiated by a client use odd numbered stream identifiers; those
initiated by the server use even numbered stream identifiers. A
stream identifier of zero MUST NOT be used to establish a new stream.
The identifier of a newly established stream MUST be numerically
greater than all previously established streams from that endpoint
within the SPDY connection, unless the identifier has been reserved
using a PUSH_PROMISE (Section 2.7.6) frame. An endpoint that
receives an unexpected stream identifier MUST respond with a
connection error (Section 2.5.1) of type PROTOCOL_ERROR.
A peer can limit the total number of concurrently active streams
using the SETTINGS_MAX_CONCURRENT_STREAMS parameters within a
SETTINGS frame. The maximum concurrent streams setting is specific
to each endpoint and applies only to the peer. That is, clients
specify the maximum number of concurrent streams the server can
initiate, and servers specify the maximum number of concurrent
streams the client can initiate. Peer endpoints MUST NOT exceed this
Belshe & Peon Expires December 9, 2013 [Page 9]
Internet-Draft SPDY June 2013
limit. All concurrently active streams initiated by an endpoint,
including streams that are half-open (Section 2.4.3) in any
direction, count toward that endpoint's limit.
Stream identifiers cannot be reused within a connection. Long-lived
connections can cause an endpoint to exhaust the available range of
stream identifiers. A client that is unable to establish a new
stream identifier can establish a new connection for new streams.
Either endpoint can request the early termination of an unwanted
stream by sending an RST_STREAM frame (Section 2.5.2) with an error
code of either REFUSED_STREAM (if no frames have been processed) or
CANCEL (if at least one frame has been processed). Such termination
might not take effect immediately as the peer might have sent
additional frames on the stream prior to receiving the termination
request.
2.4.2. Stream priority
The endpoint establishing a new stream can assign a priority for the
stream. Priority is represented as an unsigned 31-bit integer. 0
represents the highest priority and 2-1 represents the lowest
priority.
The purpose of this value is to allow the initiating endpoint to
request that frames for the stream be processed with higher priority
relative to any other concurrently active streams. That is, if an
endpoint receives interleaved frames for multiple streams, the
endpoint ought to make a best-effort attempt at processing frames for
higher priority streams before processing those for lower priority
streams.
Explicitly setting the priority for a stream does not guarantee any
particular processing order for the stream relative to any other
stream. Nor is there is any mechanism provided by which the
initiator of a stream can force or require a receiving endpoint to
process frames from one stream before processing frames from another.
2.4.3. Stream half-close
When an endpoint sends a frame for a stream with the FINAL flag set,
the stream is considered to be half-closed for that endpoint.
Subsequent frames MUST NOT be sent by that endpoint for the half
closed stream for the remaining duration of the SPDY connection.
When both endpoints have sent frames with the FINAL flag set, the
stream is considered to be fully closed.
If an endpoint receives additional frames for a stream that was
Belshe & Peon Expires December 9, 2013 [Page 10]
Internet-Draft SPDY June 2013
previously half-closed by the sending peer, the recipient MUST
respond with a stream error (Section 2.5.2) of type STREAM_CLOSED.
An endpoint that has not yet half-closed a stream by sending the
FINAL flag can continue sending frames on the stream.
It is not necessary for an endpoint to half-close a stream for which
it has not sent any frames. This allows endpoints to use fully
unidirectional streams that do not require explicit action or
acknowledgement from the receiver.
2.4.4. Stream close
Streams can be terminated in the following ways:
Normal termination: Normal stream termination occurs when both
client and server have half-closed the stream by sending a frame
containing a FINAL flag (Section 2.3.1).
Half-close on unidirectional stream: A stream that only has frames
sent in one direction can be tentatively considered to be closed
once a frame containing a FINAL flag is sent. The active sender
on the stream MUST be prepared to receive frames after closing the
stream.
Abrupt termination: Either peer can send a RST_STREAM control frame
at any time to terminate an active stream. RST_STREAM contains an
error code to indicate the reason for termination. A RST_STREAM
indicates that the sender will transmit no further data on the
stream and that the receiver is advised to cease transmission on
it.
The sender of a RST_STREAM frame MUST allow for frames that have
already been sent by the peer prior to the RST_STREAM being
processed. If in-transit frames alter connection state, these
frames cannot be safely discarded. See Stream Error Handling
(Section 2.5.2) for more details.
TCP connection teardown: If the TCP connection is torn down while
un-closed streams exist, then the endpoint MUST assume that the
stream was abnormally interrupted and may be incomplete.
2.5. Error Handling
SPDY framing permits two classes of error:
o An error condition that renders the entire connection unusable is
a connection error.
Belshe & Peon Expires December 9, 2013 [Page 11]
Internet-Draft SPDY June 2013
o An error in an individual stream is a stream error.
2.5.1. Connection Error Handling
A connection error is any error which prevents further processing of
the framing layer or which corrupts any connection state.
An endpoint that encounters a connection error MUST first send a
GOAWAY (Section 2.7.8) frame with the stream identifier of the last
stream that it successfully received from its peer. The GOAWAY frame
includes an error code that indicates why the connection is
terminating. After sending the GOAWAY frame, the endpoint MUST close
the TCP connection.
It is possible that the GOAWAY will not be reliably received by the
receiving endpoint. In the event of a connection error, GOAWAY only
provides a best-effort attempt to communicate with the peer about why
the connection is being terminated.
An endpoint can end a connection at any time. In particular, an
endpoint MAY choose to treat a stream error as a connection error if
the error is recurrent. Endpoints SHOULD send a GOAWAY frame when
ending a connection, as long as circumstances permit it.
2.5.2. Stream Error Handling
A stream error is an error related to a specific stream identifier
that does not affect processing of other streams at the framing
layer.
An endpoint that detects a stream error sends a RST_STREAM
(Section 2.7.4) frame that contains the stream identifier of the
stream where the error occurred. The RST_STREAM frame includes an
error code that indicates the type of error.
A RST_STREAM is the last frame that an endpoint can send on a stream.
The peer that sends the RST_STREAM frame MUST be prepared to receive
any frames that were sent or enqueued for sending by the remote peer.
These frames can be ignored, except where they modify connection
state (such as the state maintained for header compression
(Section 2.6)).
Normally, an endpoint SHOULD NOT send more than one RST_STREAM frame
for any stream. However, an endpoint MAY send additional RST_STREAM
frames if it receives frames on a closed stream after more than a
round trip time. This behavior is permitted to deal with misbehaving
implementations.
Belshe & Peon Expires December 9, 2013 [Page 12]
Internet-Draft SPDY June 2013
An endpoint MUST NOT send a RST_STREAM in response to an RST_STREAM
frame, to avoid looping.
2.5.3. Error Codes
Error codes are 32-bit fields that are used in RST_STREAM and GOAWAY
frames to convey the reasons for the stream or connection error.
Error codes share a common code space. Some error codes only apply
to specific conditions and have no defined semantics in certain frame
types.
The following error codes are defined:
NO_ERROR (0): The associated condition is not as a result of an
error. For example, a GOAWAY might include this code to indicate
graceful shutdown of a connection.
PROTOCOL_ERROR (1): The endpoint detected an unspecific protocol
error. This error is for use when a more specific error code is
not available.
INTERNAL_ERROR (2): The endpoint encountered an unexpected internal
error.
FLOW_CONTROL_ERROR (3): The endpoint detected that its peer violated
the flow control protocol.
INVALID_STREAM (4): The endpoint received a frame for an inactive
stream.
STREAM_CLOSED (5): The endpoint received a frame after a stream was
half-closed.
FRAME_TOO_LARGE (6): The endpoint received a frame that was larger
than the maximum size that it supports.
REFUSED_STREAM (7): The endpoint is refusing the stream before
processing its payload.
CANCEL (8): Used by the creator of a stream to indicate that the
stream is no longer needed.
2.6. Name/Value Header Block
A Name/Value Header Block augments the streams or group of streams
identified by the HEADERS+PRIORITY (Section 2.7.2), HEADERS
(Section 2.7.9), or PUSH_PROMISE (Section 2.7.6) frame stream with
Belshe & Peon Expires December 9, 2013 [Page 13]
Internet-Draft SPDY June 2013
additional metadata.
At the group level, a map of token-index to key-pair is maintained
for each defined group. There is no persistent mapping from
stream-id to header-group, instead each HeaderBlock includes
reference to the HeaderGroup that will be used in this particular set
of metadata.
The HeaderBlock compressor (described later) is subject to the
following constraints:
TotalHeaderStorageSize : default(16k)
MaxHeaderGroups: default(1)
MaxValEntries: default(64)
It is expected that either party will set these to larger values
immediately upon connection establishment using the SETTINGS frame.
A stream with a HeaderBlock which declares that it is using
HeaderGroup 'G' would use the following algorithm to interpret its
meta-data.
def compute_headers(stream):
headers = {}
for index in stream_group[G]:
headers[lru_lookup[index].key] = lru_lookup[index].val)
for {key, value} in ephemereal_headers_from_HeaderBlock:
headers[key] = value
return headers
A smart implementation will be able to interpret a headers frame
without reconstructing the headers, and thus be able to represent and
interpret headers with less memory and CPU.
The Name/Value Header Block is found in the HEADERS+PRIORITY,
HEADERS, and PUSH_PROMISE control frames, and shares a common format:
0 1 2 3..N N+1..K
+--------+--------+--------+=====+ +=====+
| HG(8) | next-lru-seq-num| Ops | ... | Ops |
+--------+--------+--------+=====+ +=====+
Ops are of the form:
+--------+--------+=========+
| OpCode | NumOps | Op Args |
Belshe & Peon Expires December 9, 2013 [Page 14]
Internet-Draft SPDY June 2013
+--------+--------+=========+
HG: (Header Group) An 8 bit unsigned integer specifying the header
group for this set of headers.
Ops: A number of operations. Operations will be detailed below.
The Opcode field indicates the type of operation.
0x0 (reserved) -- this is not used and is reserved in case a
token-based delimiter is required in the future.
0x1 (Toggle) indicates that the data which follows will be an lru-
index. That lru-index, if present in the current header-group
will be removed from the header group. If it is not present in
the current header group, it will be added to the current header
group. This opcode thus affects what parts of the data stored in
the LRU are interpreted as being visible in the current set of
headers for whatever frame includes the HeaderBlock
0x1 (Clone) indicates that the data which follows will be a key-
index and a string literal. The key-index is used to refer to a
pre-existing key, and thus the operation results in the storing of
the pre-existing key and the new value. The key-value will be
appended to the LRU, and the index in the LRU added to the current
header group.
0x2 (KVSto) indicates that the data which follows will be two
string literals. The first such string represents a new key to be
stored, and the second such string represents a value. As with
Clone, the key-value will be stored in the LRU with a new index,
and that index will be added to the current header group.
0x2 (Eref) indicates that the data which follows will be two
string literals. The first such string represents key, and the
second string represents a value. Unlike KVSto, the Eref does not
modify the compressor state-- it only specified a key-value which
will be interpreted as being part of the meta-data for the frame
which includes the HeaderBlock.
String are always encoded as a single bit, followed by data. If that
bit is '0', then what follows is 7-bit us-ascii, null-terminated. If
that bit is '1', then it is huffman encoded using a canonical
huffman-code and ends with an 'eof' character (which is not part of
the string). If the last bit of the EOF is not immediately before
the byte boundary, the remaining bits of that byte are padded with
zero. Strings in a request are encoded with a different huffman-
encoder than strings in a response, as the frequency of occurance in
Belshe & Peon Expires December 9, 2013 [Page 15]
Internet-Draft SPDY June 2013
these differ by quite a bit.
A string is either:
+-|============================|====================|--------+
|1| huffman-encoded-characters | huffman-eof-symbol |pad-bits|
+-|============================|====================|--------+
or
+-|-------+========+--------+
|0| 7 bit-ascii |00000000|
+-|-------+========+--------+
The NumOps field encodes one minus the number of operations that
follow. Since the field-width is 8 bits, a maximum of 256 ops can be
represented. If more than 256 operations are required, simply repeat
doing this until all operations have been encoded. It is expected
that this will be extremely rare.
Detail of an operation with an opcode of 0x1 (Toggle):
0 1
+--------+--------+
|00000001| NumOps |
+--------+--------+
repeated NumOps times
______/ \______
/ \
+--------+--------+
| LRU idx(16) |
+--------+--------+
Detail of an operation with an opcode of 0x2 (Clone):
Belshe & Peon Expires December 9, 2013 [Page 16]
Internet-Draft SPDY June 2013
0 1
+--------+--------+
|00000010| NumOps |
+--------+--------+
repeated NumOps times
___________/\___________
/ \
+--------+--------+========+
| Key idx(16) | String |
+--------+--------+========+
Detail of an operation with an opcode of 0x3 (KVSto):
0 1
+--------+--------+
|00000011| NumOps |
+--------+--------+
repeated NumOps times
_______/\______
/ \
+========+========+
| String | String |
+========+========+
Detail of an operation with an opcode of 0x4 (Eref):
0 1
+--------+--------+
|00000100| NumOps |
+--------+--------+
repeated NumOps times
_______/\______
/ \
+========+========+
| String | String |
+========+========+
Each header name must have at least one value. Header names are
encoded using the US-ASCII character set [ASCII] and must be all
Belshe & Peon Expires December 9, 2013 [Page 17]
Internet-Draft SPDY June 2013
lower case. The length of each name must be greater than zero. A
recipient of a zero-length name MUST issue a stream error
(Section 2.5.2) with the status code PROTOCOL_ERROR for the
stream-id.
Duplicate header names are allowed, but discouraged, except when
encoding a cookie or set-cookie.
2.6.1. Compression
The Name/Value Header Block is a section of the HEADERS+PRIORITY,
HEADERS, and PUSH_PROMISE frames used to carry header meta-data.
This block is always compressed using zlib compression. Within this
specification, any reference to 'zlib' is referring to the ZLIB
Compressed Data Format Specification Version 3.3 as part of RFC1950.
[RFC1950]
For each HEADERS compression instance, the initial state is
initialized using the following dictionary [UDELCOMPRESSION]:
Request 1 (for index.html):
HEADERS+PRIORITY 1, stream-group (G)=0
Header-block:
Store(0x1): level(C),index(0),k: ":method"
Store(0x1): level(C),index(0),v: "GET"
Store(0x1): level(C),index(1),k: ":version"
Store(0x1): level(C),index(1),v: "HTTP/1.1"
Store(0x1): level(C),index(2),k: "user-agent"
Store(0x1): level(C),index(2),v: "blah blah browser version blah blah"
Store(0x1): level(C),index(3),k: "accept-encoding"
Store(0x1): level(C),index(3),v: "sdch, bzip, compress"
Store(0x1): level(G),index(0),k: ":host"
Store(0x1): level(G),index(0),v: "www.foo.com"
Store(0x1): level(G),index(1),k: "cookie"
Store(0x1): level(G),index(1),v: "SOMELONGSTRINGTHATISMOSTLYOPAQUE;BLAJHBLA"
Store(0x1): level(G),index(2),k: ":path"
Store(0x1): level(G),index(2),v: "/index.html"
Store(0x1): level(G),index(3),k: "date"
Store(0x1): level(G),index(3),v: "Wed Jul 18 11:50:43 2012"
At this point the connection headers table looks like this:
0: ":method", "GET"
1: ":version", "HTTP/1.1"
2: "user-agent", "blah blah browser version blah blah"
3: "accept-encoding", "sdch, bzip, compress"
The stream-group table for group zero looks like this:
0: ":host", "www.foo.com"
Belshe & Peon Expires December 9, 2013 [Page 18]
Internet-Draft SPDY June 2013
1: "cookie", "SOMELONGSTRINGHTATISMOSTLYOPAQUE;BLAJHBLA"
2: ":path", "/index.html"
3: "date", "Wed Jul 18 11:50:43 2012"
Request 1 (on stream 1) would look like the following if forwarded on HTTP/1.1:
GET /index.html HTTP/1.1
host: www.foo.com
date: Wed Jul 18 11:50:43 2012
cookie: SOMELONGSTRINGTHATISMOSTLYOPAQUE;BLAJHBLA
user-agent: blah blah browser version blah blah
accept-encoding: sdch, bzip, compress
Request 2 (for index.js):
HEADERS+PRIORITY 3, stream-group (G)=0
Header-block:
Store(0x1): level(G),index(2),v: "/index.js"
Store(0x1): level(G),index(3),v: "Wed Jul 18 11:50:44 2012"
At this point the connection headers table is unchanged:
0: ":method", "GET"
1: ":version", "HTTP/1.1"
2: "user-agent", "blah blah browser version blah blah"
3: "accept-encoding", "sdch, bzip, compress"
The stream-group table for group zero looks like this:
0: ":host", "www.foo.com"
1: "cookie", "SOMELONGSTRINGHTATISMOSTLYOPAQUE;BLAJHBLA"
2: ":path", "/index.js"
3: "date", "Wed Jul 18 11:50:44 2012"
Both the path and the date have changed.
Request 2 (on stream 3) would look like the following if forwarded on HTTP/1.1:
GET /index.js HTTP/1.1
host: www.foo.com
date: Wed Jul 18 11:50:44 2012
cookie: SOMELONGSTRINGTHATISMOSTLYOPAQUE;BLAJHBLA
user-agent: blah blah browser version blah blah
accept-encoding: sdch, bzip, compress
Request 3 (for index.css):
HEADERS+PRIORITY 5, stream-group (G)=0
Header-block:
Store(0x1): level(G),index(2),v: "/index.css"
Store(0x1): level(G),index(3),v: "Wed Jul 18 11:50:44 PDT 2012"
Connection level-headers are implied.
Belshe & Peon Expires December 9, 2013 [Page 19]
Internet-Draft SPDY June 2013
Stream-group level headers are implied.
For this example, using TaCo (truncate and concatenate) wasn't useful.
If the user, however, changes the cookie on the next request...
Request 3 (for somepage.html):
HEADERS+PRIORITY 5, stream-group (G)=0
Header-block:
Store(0x1): level(G),index(2),v: "/somepage.html"
TaCo(0x1): level(G),index(1),v,TruncTo(40),"FOOBLA"
At this point the connection headers table remains unchanged.
0: ":method", "GET"
1: ":version", "HTTP/1.1"
2: "user-agent", "blah blah browser version blah blah"
3: "accept-encoding", "sdch, bzip, compress"
The stream-group table for group zero looks like this:
0: ":host", "www.foo.com"
1: "cookie", "SOMELONGSTRINGHTATISMOSTLYOPAQUE;FOOBLA"
2: ":path", "/somepate.html"
Both the path and the date have changed.
Request 3 (on stream 5) would look like the following if forwarded on HTTP/1.1:
GET /somepage.html HTTP/1.1
host: www.foo.com
date: Wed Jul 18 11:50:44 2012
cookie: SOMELONGSTRINGTHATISMOSTLYOPAQUE;FOOBLA
user-agent: blah blah browser version blah blah
accept-encoding: sdch, bzip, compress
2.7. Frame Types
This specification defines a number of frame types, each identified
by a unique 8-bit type code. Each frame type serves a distinct
purpose either in the establishment and management of the connection
as a whole, or of individual streams.
The transmission of specific frame types can alter the state of a
connection. If endpoints fail to maintain a synchronized view of the
connection state, successful communication within the connection will
no longer be possible. Therefore, it is important that endpoints
have a shared comprehension of how the state is affected by the use
any given frame. Accordingly, while it is expected that new frame
types will be introduced by extensions to this protocol, only frames
defined by this document are permitted to alter the connection state.
Belshe & Peon Expires December 9, 2013 [Page 20]
Internet-Draft SPDY June 2013
2.7.1. DATA Frames
DATA frames (type=0x0) convey arbitrary, variable-length sequences of
octets associated with a stream. One or more DATA frames are used,
for instance, to carry HTTP request or response payloads.
The DATA frame defines the following flag:
MSG_DONE (0x2): Bit 2 being set signifies that this frame represents
the last frame of a message. This is relevant for layering of
message-based protocols on top of SPDY.
DATA frames MUST be associated with a stream. If a DATA frame is
received whose stream identifier field is 0x0, the recipient MUST
respond with a connection error (Section 2.5.1) of type
PROTOCOL_ERROR.
2.7.2. HEADERS+PRIORITY
The HEADERS+PRIORITY frame (type=0x1) allows the sender to set header
fields and stream priority at the same time.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|X| Priority (31) |
+-+-------------------------------------------------------------+
| Header Block (*) ...
+---------------------------------------------------------------+
HEADERS+PRIORITY Frame Payload
The HEADERS+PRIORITY frame is identical to the HEADERS frame
(Section 2.7.9), preceded by a single reserved bit and a 31-bit
priority; see Section 2.4.2.
HEADERS+PRIORITY uses the same flags as the HEADERS frame, except
that a HEADERS+PRIORITY frame with a CONTINUES bit MUST be followed
by another HEADERS+PRIORITY frame. See HEADERS frame (Section 2.7.9)
for any flags.
HEADERS+PRIORITY frames MUST be associated with a stream. If a
HEADERS+PRIORITY frame is received whose stream identifier field is
0x0, the recipient MUST respond with a connection error
(Section 2.5.1) of type PROTOCOL_ERROR.
The HEADERS+PRIORITY frame modifies the connection state as defined
in Section 2.6.
Belshe & Peon Expires December 9, 2013 [Page 21]
Internet-Draft SPDY June 2013
2.7.3. PRIORITY
The PRIORITY frame (type=0x2) specifies the sender-advised priority
of a stream. It can be sent at any time for an existing stream.
This enables reprioritisation of existing streams.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|X| Priority (31) |
+-+-------------------------------------------------------------+
PRIORITY Frame Payload
The payload of a PRIORITY frame contains a single reserved bit and a
31-bit priority.
The PRIORITY frame is associated with an existing stream. If a
PRIORITY frame is received with a stream identifier of 0x0, the
recipient MUST respond with a stream error (Section 2.5.2) of type
PROTOCOL_ERROR.
2.7.4. RST_STREAM
The RST_STREAM frame (type=0x3) allows for abnormal termination of a
stream. When sent by the initiator of a stream, it indicates that
they wish to cancel the stream. When sent by the receiver of a
stream, it indicates that either the receiver is rejecting the
stream, requesting that the stream be cancelled or that an error
condition has occurred.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Error Code (32) |
+---------------------------------------------------------------+
RST_STREAM Frame Payload
The RST_STREAM frame contains a single unsigned, 32-bit integer
identifying the error code (Section 2.5.3). The error code indicates
why the stream is being terminated.
No type-flags are defined.
The RST_STREAM frame fully terminates the referenced stream and
causes it to enter the closed state. After receiving a RST_STREAM on
a stream, the receiver MUST NOT send additional frames for that
Belshe & Peon Expires December 9, 2013 [Page 22]
Internet-Draft SPDY June 2013
stream. However, after sending the RST_STREAM, the sending endpoint
MUST be prepared to receive and process additional frames sent on the
stream that might have been sent by the peer prior to the arrival of
the RST_STREAM.
RST_STREAM frames MUST be associated with a stream. If a RST_STREAM
frame is received whose stream identifier field is 0x0 the recipient
MUST respond with a connection error (Section 2.5.1) of type
PROTOCOL_ERROR.
2.7.5. SETTINGS
The SETTINGS frame (type=0x4) conveys configuration parameters that
affect how endpoints communicate. The parameters are either
constraints on peer behavior or preferences.
SETTINGS frames MUST be sent at the start of a connection, and MAY be
sent at any other time by either endpoint over the lifetime of the
connection.
Implementations MUST support all of the settings defined by this
specification and MAY support additional settings defined by
extensions. Unsupported or unrecognized settings MUST be ignored.
New settings MUST NOT be defined or implemented in a way that
requires endpoints to understand them in order to communicate
successfully.
A SETTINGS frame is not required to include every defined setting;
senders can include only those parameters for which it has accurate
values and a need to convey. When multiple parameters are sent, they
SHOULD be sent in order of numerically lowest ID to highest ID. A
single SETTINGS frame MUST NOT contain multiple values for the same
ID. If the receiver of a SETTINGS frame discovers multiple values
for the same ID, it MUST ignore all values for that ID except the
first one.
Over the lifetime of a connection, an endpoint MAY send multiple
SETTINGS frames containing previously unspecified parameters or new
values for parameters whose values have already been established.
Only the most recent value provided setting value applies.
The SETTINGS frame defines the following flag:
CLEAR_PERSISTED (0x2): Bit 2 being set indicates a request to clear
any previously persisted settings before processing the settings.
Clients MUST NOT set this flag.
SETTINGS frames always apply to a connection, never a single stream.
Belshe & Peon Expires December 9, 2013 [Page 23]
Internet-Draft SPDY June 2013
The stream identifier for a settings frame MUST be zero. If an
endpoint receives a SETTINGS frame whose stream identifier field is
anything other than 0x0, the endpoint MUST respond with a connection
error (Section 2.5.1) of type PROTOCOL_ERROR.
2.7.5.1. Setting Format
The payload of a SETTINGS frame consists of zero or more settings.
Each setting consists of an 8-bit flags field specifying per-item
instructions, an unsigned 24-bit setting identifier, and an unsigned
32-bit value.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|SettingFlags(8)| Setting Identifier (24) |
+---------------+-----------------------------------------------+
| Value (32) |
+---------------------------------------------------------------+
Setting Format
Two flags are defined for the 8-bit flags field:
PERSIST_VALUE (0x1): Bit 1 (the least significant bit) being set
indicates a request from the server to the client to persist this
setting. A client MUST NOT set this flag.
PERSISTED (0x2): Bit 2 being set indicates that this setting is a
persisted setting being returned by the client to the server.
This also indicates that this setting is not a client setting, but
a value previously set by the server. A server MUST NOT set this
flag.
2.7.5.2. Setting Persistence
[[anchor10: Note that persistence of settings is under discussion in
the WG and might be removed in a future version of this document.]]
A server endpoint can request that configuration parameters sent to a
client in a SETTINGS frame are to be persisted by the client across
SPDY connections and returned to the server in any new SETTINGS frame
the client sends to the server in the current connection or any
future connections.
Persistence is requested on a per-setting basis by setting the
PERSIST_VALUE flag (0x1).
Belshe & Peon Expires December 9, 2013 [Page 24]
Internet-Draft SPDY June 2013
Client endpoints are not permitted to make such requests. Servers
MUST ignore any attempt by clients to request that a server persist
configuration parameters.
Persistence of configuration parameters is done on a per-origin basis
(see [RFC6454]). That is, when a client establishes a connection
with a server, and the server requests that the client maintain
persistent settings, the client SHOULD return the persisted settings
on all future connections to the same origin, IP address and TCP
port.
Whenever the client sends a SETTINGS frame in the current connection,
or establishes a new connection with the same origin, persisted
configuration parameters are sent with the PERSISTED flag (0x2) set
for each persisted parameter.
Persisted settings accumulate until the server requests that all
previously persisted settings are to be cleared by setting the
CLEAR_PERSISTED (0x2) flag on the SETTINGS frame.
For example, if the server sends IDs 1, 2, and 3 with the
FLAG_SETTINGS_PERSIST_VALUE in a first SETTINGS frame, and then sends
IDs 4 and 5 with the FLAG_SETTINGS_PERSIST_VALUE in a subsequent
SETTINGS frame, the client will return values for all 5 settings (1,
2, 3, 4, and 5 in this example) to the server.
2.7.5.3. Defined Settings
SETTINGS_UPLOAD_BANDWIDTH (1): indicates the sender's estimated
upload bandwidth for this connection. The value is an the
integral number of kilobytes per second that the sender predicts
as an expected maximum upload channel capacity.
SETTINGS_DOWNLOAD_BANDWIDTH (2): indicates the sender's estimated
download bandwidth for this connection. The value is an integral
number of kilobytes per second that the sender predicts as an
expected maximum download channel capacity.
SETTINGS_ROUND_TRIP_TIME (3): indicates the sender's estimated
round-trip-time for this connection. The round trip time is
defined as the minimum amount of time to send a control frame from
this client to the remote and receive a response. The value is
represented in milliseconds.
SETTINGS_MAX_CONCURRENT_STREAMS (4): indicates the maximum number of
concurrent streams that the sender will allow. This limit is
directional: it applies to the number of streams that the sender
permits the receiver to create. By default there is no limit. It
Belshe & Peon Expires December 9, 2013 [Page 25]
Internet-Draft SPDY June 2013
is recommended that this value be no smaller than 100, so as to
not unnecessarily limit parallelism.
SETTINGS_CURRENT_CWND (5): indicates the sender's current TCP CWND
value.
SETTINGS_DOWNLOAD_RETRANS_RATE (6): indicates the sender's
retransmission rate (bytes retransmitted / total bytes
transmitted).
SETTINGS_INITIAL_WINDOW_SIZE (7): indicates the sender's initial
stream window size (in bytes) for new streams.
SETTINGS_CLIENT_CERTIFICATE_VECTOR_SIZE (8): indicates the sender's
(which should be the server) size of the client certificate
vector.
SETTINGS_SUPPORTING_SCHEMES (9): indicates the sender's supported
overlayering protocol schemes. The corresponding value must be a
32-bit value, and which contains flags as follows:
bit 0: http
bit 1: https
bit 2: ws
bit 3: wss
SETTINGS_FLOW_CONTROL_OPTIONS (10): indicates that streams directed
to the sender will not be subject to flow control. The least
significant bit (0x1) is set to indicate that new streams are not
flow controlled. All other bits are reserved. This setting
applies to all streams, including existing streams. These bits
cannot be cleared once set, see Section 2.7.10.4.
2.7.6. PUSH_PROMISE
The PUSH_PROMISE frame (type=0x5) is used to notify the peer endpoint
in advance of streams the sender intends to initiate. The
PUSH_PROMISE frame includes the unsigned 31-bit identifier of the
stream the endpoint plans to create along with a minimal set of
headers that provide additional context for the stream. Section 3.3
contains a thorough description of the use of PUSH_PROMISE frames.
Belshe & Peon Expires December 9, 2013 [Page 26]
Internet-Draft SPDY June 2013
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|X| Promised-Stream-ID (31) |
+-+-------------------------------------------------------------+
| Header Block (*) ...
+---------------------------------------------------------------+
PUSH_PROMISE Payload Format
The payload of a PUSH_PROMISE includes a "Promised-Stream-ID". This
unsigned 31-bit integer identifies the stream the endpoint intends to
start sending frames for. The promised stream identifier MUST be a
valid choice for the next stream sent by the sender (see new stream
identifier (Section 2.4.1)).
PUSH_PROMISE frames MUST be associated with an existing stream. If
the stream identifier field specifies the value 0x0, a recipient MUST
respond with a connection error (Section 2.5.1) of type
PROTOCOL_ERROR.
The state of promised streams is bound to the state of the original
associated stream on which the PUSH_PROMISE frame were sent. If the
originating stream state changes to fully closed, all associated
promised streams fully close as well. [[anchor11: Ed. Note: We need
clarification on this point. How synchronized are the lifecycles of
streams and associated promised streams?]]
PUSH_PROMISE uses the same flags as the HEADERS frame, except that a
PUSH_PROMISE frame with a CONTINUES bit MUST be followed by another
PUSH_PROMISE frame. See HEADERS frame (Section 2.7.9) for any flags.
Promised streams are not required to be used in order promised. The
PUSH_PROMISE only reserves stream identifiers for later use.
Recipients of PUSH_PROMISE frames can choose to reject promised
streams by returning a RST_STREAM referencing the promised stream
identifier back to the sender of the PUSH_PROMISE.
The PUSH_PROMISE frame modifies the connection state as defined in
Section 2.6.
2.7.7. PING
The PING frame (type=0x6) is a mechanism for measuring a minimal
round-trip time from the sender, as well as determining whether an
idle connection is still functional. PING frames can be sent from
any endpoint.
Belshe & Peon Expires December 9, 2013 [Page 27]
Internet-Draft SPDY June 2013
PING frames consist of an arbitrary, variable-length sequence of
octets. Receivers of a PING send a response PING frame with the PONG
flag set and precisely the same sequence of octets back to the sender
as soon as possible.
Processing of PING frames SHOULD be performed with the highest
priority if there are additional frames waiting to be processed.
The PING frame defines one type-specific flag:
PONG (0x2): Bit 2 being set indicates that this PING frame is a PING
response. An endpoint MUST set this flag in PING responses. An
endpoint MUST NOT respond to PING frames containing this flag.
PING frames are not associated with any individual stream. If a PING
frame is received with a stream identifier field value other than
0x0, the recipient MUST respond with a connection error
(Section 2.5.1) of type PROTOCOL_ERROR.
2.7.8. GOAWAY
The GOAWAY frame (type=0x7) informs the remote peer to stop creating
streams on this connection. It can be sent from the client or the
server. Once sent, the sender will ignore frames sent on new streams
for the remainder of the connection. Receivers of a GOAWAY frame
MUST NOT open additional streams on the connection, although a new
connection can be established for new streams. The purpose of this
frame is to allow an endpoint to gracefully stop accepting new
streams (perhaps for a reboot or maintenance), while still finishing
processing of previously established streams.
There is an inherent race condition between an endpoint starting new
streams and the remote sending a GOAWAY frame. To deal with this
case, the GOAWAY contains the stream identifier of the last stream
which was processed on the sending endpoint in this connection. If
the receiver of the GOAWAY used streams that are newer than the
indicated stream identifier, they were not processed by the sender
and the receiver may treat the streams as though they had never been
created at all (hence the receiver may want to re-create the streams
later on a new connection).
Endpoints should always send a GOAWAY frame before closing a
connection so that the remote can know whether a stream has been
partially processed or not. (For example, if an HTTP client sends a
POST at the same time that a server closes a connection, the client
cannot know if the server started to process that POST request if the
server does not send a GOAWAY frame to indicate where it stopped
working).
Belshe & Peon Expires December 9, 2013 [Page 28]
Internet-Draft SPDY June 2013
After sending a GOAWAY frame, the sender can ignore frames for new
streams.
[[anchor12: Issue: connection state that is established by those
"ignored" frames cannot be ignored without the state in the two peers
becoming unsynchronized.]]
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|X| Last-Stream-ID (31) |
+-+-------------------------------------------------------------+
| Error Code (32) |
+---------------------------------------------------------------+
GOAWAY Payload Format
The GOAWAY frame does not define any type-specific flags.
The GOAWAY frame applies to the connection, not a specific stream.
The stream identifier MUST be zero.
The last stream identifier in the GOAWAY frame contains the highest
numbered stream identifier for which the sender of the GOAWAY frame
has received frames on and might have taken some action on. All
streams up to and including the identified stream might have been
processed in some way. The last stream identifier is set to 0 if no
streams were processed.
Note: In this case, "processed" means that some data from the
stream was passed to some higher layer of software that might have
taken some action as a result.
On streams with lower or equal numbered identifiers that do not close
completely prior to the connection being closed, re-attempting
requests, transactions, or any protocol activity is not possible
(with the exception of idempotent actions like HTTP GET, PUT, or
DELETE). Any protocol activity that uses higher numbered streams can
be safely retried using a new connection.
Activity on streams numbered lower or equal to the last stream
identifier might still complete successfully. The sender of a GOAWAY
frame gracefully shut down a connection by sending a GOAWAY frame,
maintaining the connection in an open state until all in-progress
streams complete.
The last stream ID MUST be 0 if no streams were acted upon.
Belshe & Peon Expires December 9, 2013 [Page 29]
Internet-Draft SPDY June 2013
The GOAWAY frame also contains a 32-bit error code (Section 2.5.3)
that contains the reason for closing the connection.
2.7.9. HEADERS
The HEADERS frame (type=0x8) provides header fields for a stream.
Any number of HEADERS frames can may be sent on an existing stream at
any time.
Additional type-specific flags for the HEADERS frame are:
CONTINUES (0x2): The CONTINUES bit indicates that this frame does
not contain the entire payload necessary to provide a complete set
of headers.
The payload for a complete set of headers is provided by a
sequence of HEADERS frames, terminated by a HEADERS frame without
the CONTINUES bit. Once the sequence terminates, the payload of
all HEADERS frames are concatenated and interpreted as a single
block.
A HEADERS frame that includes a CONTINUES bit MUST be followed by
a HEADERS frame for the same stream. A receiver MUST treat the
receipt of any other type of frame or a frame on a different
stream as a connection error (Section 2.5.1) of type
PROTOCOL_ERROR.
The payload of a HEADERS frame contains a Headers Block
(Section 2.6).
The HEADERS frame is associated with an existing stream. If a
HEADERS frame is received with a stream identifier of 0x0, the
recipient MUST respond with a stream error (Section 2.5.2) of type
PROTOCOL_ERROR.
The HEADERS frame changes the connection state as defined in
Section 2.6.
2.7.10. WINDOW_UPDATE
The WINDOW_UPDATE frame (type=0x9) is used to implement flow control.
Flow control operates at two levels: on each individual stream and on
the entire connection.
Both types of flow control are hop by hop; that is, only between the
two endpoints. Intermediaries do not forward WINDOW_UPDATE frames
between dependent connections. However, throttling of data transfer
Belshe & Peon Expires December 9, 2013 [Page 30]
Internet-Draft SPDY June 2013
by any receiver can indirectly cause the propagation of flow control
information toward the original sender.
Flow control only applies to frames that are identified as being
subject to flow control. Of the frame types defined in this
document, this includes only DATA frame. Frames that are exempt from
flow control MUST be accepted and processed, unless the receiver is
unable to assign resources to handling the frame. A receiver MAY
respond with a stream error (Section 2.5.2) or connection error
(Section 2.5.1) of type FLOW_CONTROL_ERROR if it is unable accept a
frame.
The following additional flags are defined for the WINDOW_UPDATE
frame:
END_FLOW_CONTROL (0x2): Bit 2 being set indicates that flow control
for the identified stream or connection has been ended; subsequent
frames do not need to be flow controlled.
The WINDOW_UPDATE frame can be specific to a stream or to the entire
connection. In the former case, the frame's stream identifier
indicates the affected stream; in the latter, the value "0" indicates
that the entire connection is the subject of the frame.
The payload of a WINDOW_UPDATE frame is a 32-bit value indicating the
additional number of bytes that the sender can transmit in addition
to the existing flow control window. The legal range for this field
is 1 to 2 - 1 (0x7fffffff) bytes; the most significant bit of this
value is reserved.
2.7.10.1. The Flow Control Window
Flow control in SPDY is implemented using a window kept by each
sender on every stream. The flow control window is a simple integer
value that indicates how many bytes of data the sender is permitted
to transmit; as such, its size is a measure of the buffering
capability of the receiver.
Two flow control windows are applicable; the stream flow control
window and the connection flow control window. The sender MUST NOT
send a flow controlled frame with a length that exceeds the space
available in either of the flow control windows advertised by the
receiver. Frames with zero length with the FINAL flag set (for
example, an empty data frame) MAY be sent if there is no available
space in either flow control window.
For flow control calculations, the 8 byte frame header is not
counted.
Belshe & Peon Expires December 9, 2013 [Page 31]
Internet-Draft SPDY June 2013
After sending a flow controlled frame, the sender reduces the space
available in both windows by the length of the transmitted frame.
The receiver of a frame sends a WINDOW_UPDATE frame as it consumes
data and frees up space in flow control windows. Separate
WINDOW_UPDATE frames are sent for the stream and connection level
flow control windows.
A sender that receives a WINDOW_UPDATE frame updates the
corresponding window by the amount specified in the frame.
A sender MUST NOT allow a flow control window to exceed 2 - 1 bytes.
If a sender receives a WINDOW_UPDATE that causes a flow control
window to exceed this maximum it MUST terminate either the stream or
the connection, as appropriate. For streams, the sender sends a
RST_STREAM with the error code of FLOW_CONTROL_ERROR code; for the
connection, a GOAWAY frame with a FLOW_CONTROL_ERROR code.
Flow controlled frames from the sender and WINDOW_UPDATE frames from
the receiver are completely asynchronous with respect to each other.
This property allows a receiver to aggressively update the window
size kept by the sender to prevent streams from stalling.
2.7.10.2. Initial Flow Control Window Size
When a SPDY connection is first established, new streams are created
with an initial flow control window size of 65535 bytes. The
connection flow control window is 65536 bytes. Both endpoints can
adjust the initial window size for new streams by including a value
for SETTINGS_INITIAL_WINDOW_SIZE in the SETTINGS frame that forms
part of the connection header.
Prior to receiving a SETTINGS frame that sets a value for
SETTINGS_INITIAL_WINDOW_SIZE, a client can only use the default
initial window size when sending flow controlled frames. Similarly,
the connection flow control window is set to the default initial
window size until a WINDOW_UPDATE frame is received.
A SETTINGS frame can alter the initial flow control window size for
all current streams. When the value of SETTINGS_INITIAL_WINDOW_SIZE
changes, a receiver MUST adjust the size of all flow control windows
that it maintains by the difference between the new value and the old
value.
A change to SETTINGS_INITIAL_WINDOW_SIZE could cause the available
space in a flow control window to become negative. A sender MUST
track the negative flow control window, and MUST NOT send new flow
controlled frames until it receives WINDOW_UPDATE frames that cause
Belshe & Peon Expires December 9, 2013 [Page 32]
Internet-Draft SPDY June 2013
the flow control window to become positive.
For example, if the server sets the initial window size to be 16KB,
and the client sends 64KB immediately on connection establishment,
the client will recalculate the available flow control window to be
-48KB on receipt of the SETTINGS frame. The client retains a
negative flow control window until WINDOW_UPDATE frames restore the
window to being positive, after which the client can resume sending.
2.7.10.3. Reducing the Stream Window Size
A receiver that wishes to use a smaller flow control window than the
current size can send a new SETTINGS frame. However, the receiver
MUST be prepared to receive data that exceeds this window size, since
the sender might send data that exceeds the lower limit prior to
processing the SETTINGS frame.
A receiver has two options for handling streams that exceed flow
control limits:
1. The receiver can immediately send RST_STREAM with
FLOW_CONTROL_ERROR error code for the affected streams.
2. The receiver can accept the streams and tolerate the resulting
head of line blocking, sending WINDOW_UPDATE frames as it
consumes data.
If a receiver decides to accept streams, both sides MUST recompute
the available flow control window based on the initial window size
sent in the SETTINGS.
2.7.10.4. Ending Flow Control
After a receiver reads in a frame that marks the end of a stream (for
example, a data stream with a FINAL flag set), it MUST cease
transmission of WINDOW_UPDATE frames for that stream. A sender is
not obligated to maintain the available flow control window for
streams that it is no longer sending on.
Flow control can be disabled for all streams or the connection using
the SETTINGS_FLOW_CONTROL_OPTIONS setting. An implementation that
does not wish to perform flow control can use this in the initial
SETTINGS exchange.
Flow control can be disabled for an individual stream or the overall
connection by sending a WINDOW_UPDATE with the END_FLOW_CONTROL flag
set. The payload of a WINDOW_UPDATE frame that has the
END_FLOW_CONTROL flag set is ignored.
Belshe & Peon Expires December 9, 2013 [Page 33]
Internet-Draft SPDY June 2013
Flow control cannot be enabled again once disabled. Any attempt to
re-enable flow control - by sending a WINDOW_UPDATE or by clearing
the bits on the SETTINGS_FLOW_CONTROL_OPTIONS setting - MUST be
rejected with a FLOW_CONTROL_ERROR error code.
2.7.11. CREDENTIAL
The CREDENTIAL control frame is used by the client to send additional
client certificates to the server. A SPDY client may decide to send
requests for resources from different origins on the same SPDY
connection if it decides that that server handles both origins. For
example if the IP address associated with both hostnames matches and
the SSL server certificate presented in the initial handshake is
valid for both hostnames. However, because the SSL connection can
contain at most one client certificate, the client needs a mechanism
to send additional client certificates to the server.
The server is required to maintain a vector of client certificates
associated with a SPDY connection. When the client needs to send a
client certificate to the server, it will send a CREDENTIAL frame
that specifies the index of the slot in which to store the
certificate as well as proof that the client posesses the
corresponding private key. The initial size of this vector must be
8. If the client provides a client certificate during the first TLS
handshake, the contents of this certificate must be copied into the
first slot (index 1) in the CREDENTIAL vector, though it may be
overwritten by subsequent CREDENTIAL frames. The server must
exclusively use the CREDENTIAL vector when evaluating the client
certificates associated with an origin. The server may change the
size of this vector by sending a SETTINGS frame with the setting
SETTINGS_CLIENT_CERTIFICATE_VECTOR_SIZE value specified. In the
event that the new size is smaller than the current size, truncation
occurs preserving lower-index slots as possible.
TLS renegotiation with client authentication is incompatible with
SPDY given the multiplexed nature of SPDY. Specifically, imagine
that the client has 2 requests outstanding to the server for two
different pages (in different tabs). When the renegotiation + client
certificate request comes in, the browser is unable to determine
which resource triggered the client certificate request, in order to
prompt the user accordingly.
Belshe & Peon Expires December 9, 2013 [Page 34]
Internet-Draft SPDY June 2013
0 1 2 3 4 5 6 7
+--------+--------+--------+--------+-|-------+--------+--------+--------+
| Length(16) | 0xa |Flags(8)|X| 0x0 | ->
+--------+--------+--------+--------+-|-------+--------+--------+--------+
8 9 10 11 12
+--------+--------+--------+--------+========+
| Slot(16) |Proof Length(16) | Proof | ->
+--------+--------+--------+--------+========+
/--Repeated to frame end--\
+--------+--------+========+
| Cert Length(16) | Cert |
+--------+--------+========+
Slot: The index in the server's client certificate vector where this
certificate should be stored. If there is already a certificate
stored at this index, it will be overwritten. The index is one
based, not zero based; zero is an invalid slot index.
Proof: Cryptographic proof that the client has possession of the
private key associated with the certificate. The format is a TLS
digitally-signed element
(http://tools.ietf.org/html/rfc5246#section-4.7). The signature
algorithm must be the same as that used in the CertificateVerify
message. However, since the MD5+SHA1 signature type used in TLS 1.0
connections can not be correctly encoded in a digitally-signed
element, SHA1 must be used when MD5+SHA1 was used in the SSL
connection. The signature is calculated over a 32 byte TLS extractor
value (http://tools.ietf.org/html/rfc5705) with a label of "EXPORTER
SPDY certificate proof" using the empty string as context. ForRSA
certificates the signature would be a PKCS#1 v1.5 signature. For
ECDSA, it would be an ECDSA-Sig-Value
(http://tools.ietf.org/html/rfc5480#appendix-A). For a 1024-bit RSA
key, the CREDENTIAL message would be ~500 bytes.
Certificate: The certificate chain, starting with the leaf
certificate. Each certificate must be encoded as a 32 bit length,
followed by a DER encoded certificate. The certificate must be of
the same type (RSA, ECDSA, etc) as the client certificate associated
with the SSL connection.
If the server receives a request for a resource with unacceptable
credential (either missing or invalid), it must reply with a
RST_STREAM frame with the status code INVALID_CREDENTIALS. Upon
receipt of a RST_STREAM frame with INVALID_CREDENTIALS, the client
should initiate a new stream directly to the requested origin and
resend the request. Note, SPDY does not allow the server to request
Belshe & Peon Expires December 9, 2013 [Page 35]
Internet-Draft SPDY June 2013
different client authentication for different resources in the same
origin.
If the server receives an invalid CREDENTIAL frame, it MUST respond
with a GOAWAY frame and shutdown the connection.
3. HTTP Message Exchanges
SPDY is intended to be as compatible as possible with current web-
based applications. This means that, from the perspective of the
server business logic or application API, the features of HTTP are
unchanged. To achieve this, all of the application request and
response header semantics are preserved, although the syntax of
conveying those semantics has changed. Thus, the rules from HTTP/1.1
([HTTP-p1], [HTTP-p2], [HTTP-p4], [HTTP-p5], [HTTP-p6], and
[HTTP-p7]) apply with the changes in the sections below.
3.1. Connection Management
Clients SHOULD NOT open more than one SPDY connection to a given
origin ([RFC6454]) concurrently.
Note that it is possible for one SPDY connection to be finishing
(e.g. a GOAWAY frame has been sent, but not all streams have
finished), while another SPDY connection is starting.
3.2. HTTP Request/Response
3.2.1. HTTP Header Fields and SPDY Headers
At the application level, HTTP uses name-value pairs in its header
fields. Because SPDY merges the existing HTTP header fields with
SPDY headers, there is a possibility that some HTTP applications
already use a particular header field name. To avoid any conflicts,
all header fields introduced for layering HTTP over SPDY are prefixed
with ":". ":" is not a valid sequence in HTTP/1.* header field
naming, preventing any possible conflict.
3.2.2. Request
The client initiates a request by sending a HEADERS+PRIORITY frame.
Requests that do not contain a body MUST set the FINAL flag,
indicating that the client intends to send no further data on this
stream, unless the server intends to push resources (see
Section 3.3). HEADERS+PRIORITY frame does not contain the FINAL flag
for requests that contain a body. The body of a request follows as a
series of DATA frames. The last DATA frame sets the FINAL flag to
indicate the end of the body.
Belshe & Peon Expires December 9, 2013 [Page 36]
Internet-Draft SPDY June 2013
The header fields included in the HEADERS+PRIORITY frame contain all
of the HTTP header fields associated with an HTTP request. The
definitions of these headers are largely unchanged relative to
HTTP/1.1, with a few notable exceptions:
o The HTTP/1.1 request-line has been split into two separate header
fields named :method and :path, whose values specify the HTTP
method for the request and the request-target, respectively. The
HTTP-version component of the request-line is removed entirely
from the headers.
o The host and optional port portions of the request URI (see
[RFC3986], Section 3.2), is specified using the new :host header
field. [[anchor19: Ed. Note: it needs to be clarified whether or
not this replaces the existing HTTP/1.1 Host header.]]
o A new :scheme header field has been added to specify the scheme
portion of the request-target (e.g. "https")
o All header field names MUST be lowercased, and the definitions of
all header field names defined by HTTP/1.1 are updated to be all
lowercase.
o The Connection, Host, Keep-Alive, Proxy-Connection, and Transfer-
Encoding header fields are no longer valid and MUST NOT be sent.
All HTTP Requests MUST include the ":method", ":path", ":host", and
":scheme" header fields.
Header fields whose names begin with ":" (whether defined in this
document or future extensions to this document) MUST appear before
any other header fields.
If a client sends a HEADERS+PRIORITY frame that omits a mandatory
header, the server MUST reply with a HTTP 400 Bad Request reply.
[[anchor20: Ed: why PROTOCOL_ERROR on missing ":status" in the
response, but HTTP 400 here?]]
If a server receives a request where the sum of the data frame
payload lengths does not equal the size of the Content-Length header
field, the server MUST return a 400 (Bad Request) error.
Although POSTs are inherently chunked, POST requests SHOULD also be
accompanied by a Content-Length header field. First, it informs the
server of how much data to expect, which the server can use to track
overall progress and provide appropriate user feedback. More
importantly, some HTTP server implementations fail to correctly
process requests that omit the Content-Length header field. Many
Belshe & Peon Expires December 9, 2013 [Page 37]
Internet-Draft SPDY June 2013
existing clients send a Content-Length header field, and some server
implementations have come to depend upon its presence.
A client provides priority in requests as a hint to the server. A
server SHOULD attempt to provide responses to higher priority
requests before lower priority requests. A server could send lower
priority responses during periods that higher priority responses are
unavailable to ensure better utilization of a connection.
If the server receives a data frame prior to a HEADERS+PRIORITY frame
the server MUST treat this as a stream error (Section 2.5.2) of type
PROTOCOL_ERROR.
3.2.3. Response
The server responds to a client request using the same stream
identifier that was used by the request. An HTTP response begins
with a HEADERS frame. An HTTP response body consists of a series of
DATA frames. The last data frame contains a FINAL flag to indicate
the end of the response. A response that contains no body (such as a
204 or 304 response) consists only of a HEADERS frame that contains
the FINAL flag to indicate no further data will be sent on the
stream.
The response status line is unfolded into name-value pairs like
other HTTP header fields and must be present:
":status": The HTTP response status code (e.g. "200" or "200 OK")
All header field names starting with ":" (whether defined in this
document or future extensions to this document) MUST appear before
any other header fields.
All header field names MUST be all lowercase.
The Connection, Keep-Alive, Proxy-Connection, and Transfer-
Encoding header fields are not valid and MUST NOT be sent.
Responses MAY be accompanied by a Content-Length header field for
advisory purposes. This allows clients to learn the full size of
an entity prior to receiving all the data frames. This can help
in, for example, reporting progress.
If a client receives a response where the sum of the data frame
payload length does not equal the size of the Content-Length
header field, the client MUST ignore the content length header
field. [[anchor21: Ed: See.]]issue 46 [2]
Belshe & Peon Expires December 9, 2013 [Page 38]
Internet-Draft SPDY June 2013
If a client receives a response with an absent or duplicated status
header, the client MUST treat this as a stream error (Section 2.5.2)
of type PROTOCOL_ERROR.
If the client receives a data frame prior to a HEADERS frame the
client MUST treat this as a stream error (Section 2.5.2) of type
PROTOCOL_ERROR.
Clients MUST support gzip compression. Regardless of the value of
the Accept-Encoding header field, a server MAY send responses with
gzip or deflate encoding. A compressed response MUST still bear an
appropriate Content-Encoding header field.
3.2.4. Authentication
When a client sends a request to an origin server that requires
authentication, the server can reply with a "401 Unauthorized"
response, and include a WWW-Authenticate challenge header that
defines the authentication scheme to be used. The client then
retries the request with an Authorization header appropriate to the
specified authentication scheme.
There are four options for proxy authentication, Basic, Digest, NTLM
and Negotiate (SPNEGO). The first two options were defined in
RFC2617 [RFC2617], and are stateless. The second two options were
developed by Microsoft and specified in RFC4559 [RFC4559], and are
stateful; otherwise known as multi-round authentication, or
connection authentication.
3.2.4.1. Stateless Authentication
Stateless Authentication over SPDY is identical to how it is
performed over HTTP. If multiple SPDY streams are concurrently sent
to a single server, each will authenticate independently, similar to
how two HTTP connections would independently authenticate to a proxy
server.
3.2.4.2. Stateful Authentication
Unfortunately, the stateful authentication mechanisms were
implemented and defined in a such a way that directly violates
RFC2617 - they do not include a "realm" as part of the request. This
is problematic in SPDY because it makes it impossible for a client to
disambiguate two concurrent server authentication challenges.
To deal with this case, SPDY servers using Stateful Authentication
MUST implement one of two changes:
Belshe & Peon Expires December 9, 2013 [Page 39]
Internet-Draft SPDY June 2013
Servers can add a "realm=<desired realm>" header so that the two
authentication requests can be disambiguated and run concurrently.
Unfortunately, given how these mechanisms work, this is probably
not practical.
Upon sending the first stateful challenge response, the server
MUST buffer and defer all further frames which are not part of
completing the challenge until the challenge has completed.
Completing the authentication challenge may take multiple round
trips. Once the client receives a "401 Authenticate" response for
a stateful authentication type, it MUST stop sending new requests
to the server until the authentication has completed by receiving
a non-401 response on at least one stream.
3.3. Server Push Transactions
SPDY enables a server to send multiple replies to a client for a
single request. The rationale for this feature is that sometimes a
server knows that it will need to send multiple resources in response
to a single request. Without server push features, the client must
first download the primary resource, then discover the secondary
resource(s), and request them.
Server push is an optional feature. The
SETTINGS_MAX_CONCURRENT_STREAMS setting from the client limits the
number of resources that can be concurrently pushed by a server.
Server push can be disabled by clients that do not wish to receive
pushed resources by advertising a SETTINGS_MAX_CONCURRENT_STREAMS
SETTING (Section 2.7.5) of zero. This prevents servers from creating
the streams necessary to push resources.
Clients receiving a pushed response MUST validate that the server is
authorized to push the resource using the same-origin policy
([RFC6454]). For example, a SPDY connection to "example.com" is
generally [[anchor24: Ed: weaselly use of "generally", needs better
definition]] not permitted to push a response for "www.example.org".
A client that accepts pushed resources caches those resources as
though they were responses to GET requests.
Pushing of resources avoids the round-trip delay, but also creates a
potential race where a server can be pushing content which a client
is in the process of requesting. The PUSH_PROMISE frame reduces the
chances of this condition occurring, while retaining the performance
benefit.
Pushed responses are associated with a request at the SPDY framing
layer. The PUSH_PROMISE is sent on the stream for the associated
Belshe & Peon Expires December 9, 2013 [Page 40]
Internet-Draft SPDY June 2013
request, which allows a receiver to correlate the pushed resource
with a request. The pushed stream inherits all of the request header
fields from the associated stream with the exception of resource
identification header fields (":host", ":scheme", and ":path"), which
are provided as part of the PUSH_PROMISE frame.
Pushed resources always have an associated ":method" of "GET". A
cache MUST store these inherited and implied request header fields
with the cached resource.
3.3.1. Server implementation
NOTE(willchan): Resolve the MAX_CONCURRENT_STREAMS limit with HTTP2
which deletes the text in the paragraph below. This section will not
be updated until we resolve that.
When the server intends to push a resource to the user-agent, it
promises that it will opens a new stream in the future (but not now)
by sending a PUSH_PROMISE frame. The PUSH_PROMISE frame MUST include
an Associated-To-Stream-ID, Prmoised-Stream-ID, and MUST ensure that
headers for ":scheme", ":host", ":path" representing the URL for the
resource being pushed are either already present in the implied
headers context (i.e. the request headers), or it must override the
headers which do not match the pushed resource. The ":path" MUST
always be different from the originally request resource. The
stream-IDs represented in the Promised-Stream-ID field MUST NOT count
towards the MAX_CONCURRENT_STREAMS limit. When the server is ready
to send the resource, it will send a HEADERS frame with the stream-ID
indicated by the Promised-Stream-ID sent in the PUSH_PROMISE frame
earlier. As with any other HEADERS frame, subsequent headers may
follow in other HEADERS frames. The purpose of the association is so
that the user-agent can differentiate which request induced the
pushed stream; without it, if the user-agent had two tabs open to the
same page, each pushing unique content under a fixed URL, the user-
agent would not be able to differentiate the requests.
The Associated-To-Stream-ID must be the ID of an existing, open
stream. The reason for this restriction is to have a clear endpoint
for pushed content. If the user-agent requested a resource on stream
11, the server replies on stream 11. It can push any number of
additional streams to the client before sending a FLAG_FIN on stream
11. However, once the originating stream is closed no further push
streams may be associated with it. The pushed streams do not need to
be closed (FIN set) before the originating stream is closed, they
only need to be created before the originating stream closes.
To prevent a race condition with the client, the server must only use
the client certificate of the associated stream when pushing
Belshe & Peon Expires December 9, 2013 [Page 41]
Internet-Draft SPDY June 2013
resources.
It is illegal for a server to push a resource with the Associated-To-
Stream-ID of 0, or with a Slot that is not 0.
To minimize race conditions with the client, the HEADERS+PRIORITY for
the pushed resources MUST be sent prior to sending any content which
could allow the client to discover the pushed resource and request
it.
The server MUST only push resources which would have been returned
from a GET request.
Note: If the server does not have all of the Name/Value Response
headers available at the time it issues the HEADERS frame for the
pushed resource, it may later use an additional HEADERS frame to
augment the name/value pairs to be associated with the pushed stream.
The subsequent HEADERS frame(s) must not contain a header for
':host', ':scheme', or ':path' (e.g. the server can't change the
identity of the resource to be pushed). The HEADERS frame must not
contain duplicate headers with a previously sent HEADERS frame. The
server must send a HEADERS frame including the scheme/host/port
headers before sending any data frames on the stream.
3.3.2. Client implementation
When fetching a resource the client has 3 possibilities:
1. the resource is not being pushed
2. the resource is being pushed, but the data has not yet arrived
3. the resource is being pushed, and the data has started to arrive
A client SHOULD NOT issue GET requests for a resource that has been
promised. A client is instead advised to wait for the pushed
resource to arrive.
When a client receives a PUSH_PROMISE frame from the server without
the ":host", ":scheme", and ":path" header fields, it MUST treat this
as a stream error (Section 2.5.2) of type PROTOCOL_ERROR.
To cancel individual server push streams, the client can issue a
stream error (Section 2.5.2) of type CANCEL. After receiving a
PUSH_PROMISE frame, the client is able to cancel the pushed resource
before receiving any frames on the promised stream. The server
ceases transmission of the pushed resource; if the server has not
commenced transmission, it does not start.
Belshe & Peon Expires December 9, 2013 [Page 42]
Internet-Draft SPDY June 2013
To cancel all server push streams related to a request, the client
may issue a stream error (Section 2.5.2) of type CANCEL on the
associated-stream-id. By cancelling that stream, the server MUST
immediately stop sending frames for any streams with
in-association-to for the original stream. [[anchor27: Ed: Triggering
side-effects on stream reset is going to be problematic for the
framing layer. Purely from a design perspective, it's a layering
violation. More practically speaking, the base request stream might
already be removed. Special handling logic would be required.]]
A client can choose to time out pushed streams if the server does not
provide the resource in a timely fashion. A stream error
(Section 2.5.2) of type CANCEL can be used to stop a timed out push.
If the server sends a HEADERS frame containing header fields that
duplicate values on a previous HEADERS or PUSH_PROMISE frames on the
same stream, the client MUST treat this as a stream error
(Section 2.5.2) of type PROTOCOL_ERROR.
If the server sends a HEADERS frame after sending a data frame for
the same stream, the client MAY ignore the HEADERS frame. Ignoring
the HEADERS frame after a data frame prevents handling of HTTP's
trailing header fields ([HTTP-p1]).
4. WebSocket Layering over SPDY
With this layering, a client and sever can share one connection for
both of HTTP requests and WebSockets.
4.1. Connection Management
4.1.1. Opening Handshake
4.1.1.1. Handshake Request
The client initiates an opening handshake by sending a HEADERS+
PRIORITY frame. The HEADERS+PRIORITY frame MUST NOT set the FLAG_FIN
because WebSocket intends to establish a bi-directional communication
port and to send arbitrary data after success in opening handshake.
The HEADERS+PRIORITY Name/Value section will contain all of the
following headers which are associated with The WebSocket protocol
[RFC6455] opening handshake. Upgrade, Connection, Sec-WebSocket-Key,
and Sec-WebSocket-Version headers MUST NOT be included because we do
not have to take care of protocol upgrading or verification over
HTTP.
The following name/value pairs MUST be present in every request:
Belshe & Peon Expires December 9, 2013 [Page 43]
Internet-Draft SPDY June 2013
":path" - /resource name/ as used in the "Client Requirements"
section of the WebSocket protocol specification. (See RFC6455
[RFC6455])
":host" - /host:port/ (e.g. "www.google.com:1234") as used in the
"Client Requirements" section of the WebSocket protocol
specification. (See RFC6455 [RFC6455])
":version" - the WebSocket protocol version of this request.
(MUST be "WebSocket/8", "WebSocket/13", or so. The number MUST be
matched with the Sec-WebSocket-Version header. See RFC6455
[RFC6455])
":scheme" - the scheme portion of the URI. (MUST be "ws" or
"wss". See also /secure/ flag in RFC6455 [RFC6455])
":origin" - /origin/ as used in the "Client Requirements" section
of the WebSocket protocol specification. (See RFC6455 [RFC6455])
In addition, the following OPTIONAL name/value pairs MAY be present:
":sec-websocket-protocol" - the Sec-WebSocket-Protocol header (See
RFC6455 [RFC6455])
":sec-websocket-extensions" - the Sec-WebSocket-Extensions header
(See RFC6455 [RFC6455])
Also, other HTTP compatible header name/value pairs MAY be present.
All header keys MUST be lowercase.
4.1.1.2. Handshake Response
The server responds to a client request with a HEADERS frame. If the
server intends to allow the client connection, HEADERS frame MUST NOT
set the FLAG_FIN and MUST have ":status" containing "101". But, an
unsuccessful response MUST set the FLAG_FIN and MUST have ":status"
containing non-"101" code. The server MAY fail the opening handshake
because of an unexpected header value or a missing mandatory header
name.
The client MAY send some data to the server before receiving the
successful response. The server MUST ignore this data when opening
handshake fails. After sending successful response, the server can
send arbitrary data frames at any time.
The response status line is unfolded into name/value pairs like other
WebSocket headers and MUST be present:
Belshe & Peon Expires December 9, 2013 [Page 44]
Internet-Draft SPDY June 2013
":status" - The WebSocket or fallback HTTP response status code
(e.g. "101" or "101 Switching Protocols". See RFC6455 [RFC6455])
In addition, the following OPTIONAL name/value pairs MAY be present:
":sec-websocket-protocol" - the Sec-WebSocket-Protocol header (See
RFC6455 [RFC6455])
":sec-websocket-extensions" - the Sec-WebSocket-Extensions header
(See RFC6455 [RFC6455])
Also, other HTTP compatible header name/value pairs MAY be present.
All header names MUST be lowercase. The successful server response
MUST have ":status" containing "101".
If the handshake fails, the client MUST send a SPDY data frame with
empty data field to avoid abnormal SPDY connection termination. The
SPDY data frame MUST set the FLAG_FIN to indicate the client intends
to send no further data on this stream.
4.1.2. Closing Handshake
4.1.2.1. Normal Termination
In normal termination, WebSocket connection close frame RFC6455
[RFC6455] will be sent as a SPDY data frame with FLAG_FIN set. The
closing handshake is based on WebSocket protocol specification. Both
of a server and a client will initiate it then the other end MUST
respond it by connection close frame with FLAG_FIN set.
4.1.2.2. Abnormal Termination and CloseEvent Handling
In abnormal termination, RST_STREAM SHOULD be handled as connection
close frame. It means that JavaScript API provides CloseEvent (See,
The WebSocket API [WEBSOCKETAPI]) when a client receives RST_STREAM.
Its code field SHOULD be 1006 (Abnormal Closure). The GOAWAY control
frame with non-zero status code SHOULD be also handled in the same
way. The status code of RST_STREAM and GOAWAY frames SHOULD be
encoded to UTF-8 string with its frame type for its reason field.
(e.g. "SPDY/3 RST_STREAM (5)" or "SPDY/3 GOAWAY (1)")
If a server works as protocol bridge to the WebSocket protocol, it
MAY send a close frame which contains the above status code and the
above reason to a backend WebSocket server.
Belshe & Peon Expires December 9, 2013 [Page 45]
Internet-Draft SPDY June 2013
4.2. Bi-directional Communication
After the opening handshake, the client and the server can send
arbitrary WebSocket control and data frames. Continuation frame,
text frame, binary frame, connection close frame, ping frame, and
pong frame are valid WebSocket frames. These WebSocket frames are
mapped into each SPDY HEADERS frame and DATA frames as follow.
4.2.1. Frame mapping
One WebSocket frame is mapped into one proceeding SPDY HEADERS frame
and following plural SPDY data frames. The SPDY HEADERS frame must
contain WebSocket frame fields and following SPDY data frames contain
payload data. These data frames are free to be reframed.
This plan doesn't care about overheads. But HEADERS frame are
compressed by shared dictionary with other HEADERS+PRIORITY, HEADERS,
and other PUSH_PROMISE frames in the same SPDY connection.
Optimistically, it reduces framing overheads.
The following name/value pairs MUST be present in SPDY HEADERS
frames:
":opcode" - The WebSocket frame opcode (See RFC6455 [RFC6455])
":length" - The WebSocket frame payload length in decimal (See
RFC6455 [RFC6455])
":fin" - The WebSocket frame fin (See RFC6455 [RFC6455])
In addition, the following OPTIONAL name/value pairs MAY be present:
":rsv1" - The WebSocket frame rsv1
":rsv2" - The WebSocket frame rsv2
":rsv3" - The WebSocket frame rsv3 (See RFC6455 [RFC6455]). These
values must contain "0" or "1". When a key doesn't exist, the
value is considered to be "0". Thus, ony enabled bits may appear
here.
":masking-key" - The WebSocket frame masking-key (See RFC6455
[RFC6455]) in hexadecimal (e.g. "deadbeaf"). When this key/value
exist, the WebSocket frame mask (See RFC6455 [RFC6455]) is
considered to be 1 and following payload data MUST be masked(See
RFC6455 [RFC6455]), otherwise the WebSocket frame mask is
considered to be 0.
Belshe & Peon Expires December 9, 2013 [Page 46]
Internet-Draft SPDY June 2013
5. Design Rationale and Notes
Authors' notes: The notes in this section have no bearing on the SPDY
protocol as specified within this document, and none of these notes
should be considered authoritative about how the protocol works.
However, these notes may prove useful in future debates about how to
resolve protocol ambiguities or how to evolve the protocol going
forward. They may be removed before the final draft.
5.1. Separation of Framing Layer and Application Layer
Readers may note that this specification sometimes blends the framing
layer (Section 2) with requirements of a specific application - HTTP
(Section 3). This is reflected in the request/response nature of the
streams, the definition of the HEADERS and compression contexts which
are very similar to HTTP, and other areas as well.
This blending is intentional - the primary goal of this protocol is
to create a low-latency protocol for use with HTTP. Isolating the
two layers is convenient for description of the protocol and how it
relates to existing HTTP implementations. However, the ability to
reuse the SPDY framing layer is a non goal.
5.2. Error handling - Framing Layer
Error handling at the SPDY layer splits errors into two groups: Those
that affect an individual SPDY stream, and those that do not.
When an error is confined to a single stream, but general framing is
in tact, SPDY attempts to use the RST_STREAM as a mechanism to
invalidate the stream but move forward without aborting the
connection altogether.
For errors occuring outside of a single stream context, SPDY assumes
the entire connection is hosed. In this case, the endpoint detecting
the error should initiate a connection close.
5.3. One Connection Per Domain
SPDY attempts to use fewer connections than other protocols have
traditionally used. The rationale for this behavior is because it is
very difficult to provide a consistent level of service (e.g. TCP
slow-start), prioritization, or optimal compression when the client
is connecting to the server through multiple channels.
Through lab measurements, we have seen consistent latency benefits by
using fewer connections from the client. The overall number of
packets sent by SPDY can be as much as 40% less than HTTP. Handling
Belshe & Peon Expires December 9, 2013 [Page 47]
Internet-Draft SPDY June 2013
large numbers of concurrent connections on the server also does
become a scalability problem, and SPDY reduces this load.
The use of multiple connections is not without benefit, however.
Because SPDY multiplexes multiple, independent streams onto a single
stream, it creates a potential for head-of-line blocking problems at
the transport level. In tests so far, the negative effects of head-
of-line blocking (especially in the presence of packet loss) is
outweighed by the benefits of compression and prioritization.
5.4. Fixed vs Variable Length Fields
SPDY favors use of fixed length 32bit fields in cases where smaller,
variable length encodings could have been used. To some, this seems
like a tragic waste of bandwidth. SPDY choses the simple encoding
for speed and simplicity.
The goal of SPDY is to reduce latency on the network. The overhead
of SPDY frames is generally quite low. Each data frame is only an 8
byte overhead for a 1452 byte payload (~0.6%). At the time of this
writing, bandwidth is already plentiful, and there is a strong trend
indicating that bandwidth will continue to increase. With an average
worldwide bandwidth of 1Mbps, and assuming that a variable length
encoding could reduce the overhead by 50%, the latency saved by using
a variable length encoding would be less than 100 nanoseconds. More
interesting are the effects when the larger encodings force a packet
boundary, in which case a round-trip could be induced. However, by
addressing other aspects of SPDY and TCP interactions, we believe
this is completely mitigated.
5.5. Compression Context(s)
When isolating the compression contexts used for communicating with
multiple origins, we had a few choices to make. We could have
maintained a map (or list) of compression contexts usable for each
origin. The basic case is easy - each HEADERS frame would need to
identify the context to use for that frame. However, compression
contexts are not cheap, so the lifecycle of each context would need
to be bounded. For proxy servers, where we could churn through many
contexts, this would be a concern. We considered using a static set
of contexts, say 16 of them, which would bound the memory use. We
also considered dynamic contexts, which could be created on the fly,
and would need to be subsequently destroyed. All of these are
complicated, and ultimately we decided that such a mechanism creates
too many problems to solve.
Alternatively, we've chosen the simple approach, which is to simply
provide a flag for resetting the compression context. For the common
Belshe & Peon Expires December 9, 2013 [Page 48]
Internet-Draft SPDY June 2013
case (no proxy), this fine because most requests are to the same
origin and we never need to reset the context. For cases where we
are using two different origins over a single SPDY connection, we
simply reset the compression state between each transition.
5.6. Unidirectional streams
Besides providing a clear endpoint for unidirectional streams,
Associated-To-Stream-ID also avoids the recipient of pushed streams
from needing to send a set of empty frames (e.g. the HEADERS+PRIORITY
w/ FLAG_FIN) to signal that it doesn't wish to send data on the
stream.
5.7. Data Compression
Generic compression of data portion of the streams (as opposed to
compression of the headers) without knowing the content of the stream
is redundant. There is no value in compressing a stream which is
already compressed. Because of this, SPDY initially allowed data
compression to be optional. We included it because study of existing
websites shows that many sites are not using compression as they
should, and users suffer because of it. We wanted a mechanism where,
at the SPDY layer, site administrators could simply force compression
- it is better to compress twice than to not compress.
Overall, however, with this feature being optional and sometimes
redundant, it was unclear if it was useful at all. We removed it
from the specification.
5.8. Server Push
A subtle but important point is that server push streams must be
declared before the associated stream is closed. The reason for this
is so that proxies have a lifetime for which they can discard
information about previous streams. If a pushed stream could
associate itself with an already-closed stream, then endpoints would
not have a specific lifecycle for when they could disavow knowledge
of the streams which went before.
6. Security Considerations
6.1. Use of Same-origin constraints
This specification uses the same-origin policy [RFC6454] in all cases
where verification of content is required.
Belshe & Peon Expires December 9, 2013 [Page 49]
Internet-Draft SPDY June 2013
6.2. HTTP Headers and SPDY Headers
At the application level, HTTP uses name/value pairs in its headers.
Because SPDY merges the existing HTTP headers with SPDY headers,
there is a possibility that some HTTP applications already use a
particular header name. To avoid any conflicts, all headers
introduced for layering HTTP over SPDY are prefixed with ":". ":" is
not a valid sequence in HTTP header naming, preventing any possible
conflict.
6.3. Cross-Protocol Attacks
By utilizing TLS, we believe that SPDY introduces no new cross-
protocol attacks. TLS encrypts the contents of all transmission
(except the handshake itself), making it difficult for attackers to
control the data which could be used in a cross-protocol attack.
6.4. Server Push Implicit Headers
Pushed resources do not have an associated request. In order for
existing HTTP cache control validations (such as the Vary header) to
work, however, all cached resources must have a set of request
headers. For this reason, browsers MUST be careful to inherit
request headers from the associated stream for the push. This
includes the 'Cookie' header.
7. Privacy Considerations
7.1. Long Lived Connections
SPDY aims to keep connections open longer between clients and servers
in order to reduce the latency when a user makes a request. The
maintenance of these connections over time could be used to expose
private information. For example, a user using a browser hours after
the previous user stopped using that browser may be able to learn
about what the previous user was doing. This is a problem with HTTP
in its current form as well, however the short lived connections make
it less of a risk.
7.2. SETTINGS frame
The SPDY SETTINGS frame allows servers to store out-of-band
transmitted information about the communication between client and
server on the client. Although this is intended only to be used to
reduce latency, renegade servers could use it as a mechanism to store
identifying information about the client in future requests.
Clients implementing privacy modes, such as Google Chrome's
Belshe & Peon Expires December 9, 2013 [Page 50]
Internet-Draft SPDY June 2013
"incognito mode", may wish to disable client-persisted SETTINGS
storage.
Clients MUST clear persisted SETTINGS information when clearing the
cookies.
TODO: Put range maximums on each type of setting to limit
inappropriate uses.
8. Sub-protocol negotiation
8.1. Supporting scheme negotiation using SETTINGS frame
By default, a client can send HEADERS+PRIORITY frames on http and
https schemes, but if it want to send them on other schemes, it MUST
wait for a server sending SETTINGS frame which specify declaring
schemes. Thus, a server SHOULD send a SETTINGS frame as soon as
possible whether it supports other schemes or not.
9. Incompatibilities with SPDY draft #3
Here is a list of the major changes between this draft #3 and this
draft
DONE: Different, more precise, notation style used to describe all
frames.
DONE: Downsizing various fields in all messages... this will
definitely need debate
DONE: Removal of Version field from all messages.
DONE: Reordered fields in all messages. All messages now share a
common header of: length, flags, control-bit, 31-bit-payload. All
control frames include an 8th byte, which is the opcode.
DONE: Addition of end-of-message delimiter flag in data frames
DONE: Modification of server push; addition of PUSH_PROMISE frame
add a push frame, removed the 'associated-stream-id' field from
SYN frame
ONGOING: Significant modifications to how headers are transported.
This involved changes to all frames incorporating HEADER blocks,
and changes to the HEADER blocks themselves.
ONGOING: Different header compression technique which uses less
CPU for proxies and which should result in competitive compression
Belshe & Peon Expires December 9, 2013 [Page 51]
Internet-Draft SPDY June 2013
TODO: Addition of end-of-header-section delimiter flag in any
frame which has a header block
ONGOING: Definition of cert-data push
ONGOING: Definition of name-resolution push
ONGOING: Redefining prioritization
TODO: Modification of flow-control; allow two-levels of flow
control so as to allow greater stream concurrency safely
TODO: Add the 'blocked-on-flow-control' notification. Experience
has shown that limits are too easy to get wrong, and this helps to
self-correct this problem
TODO: Modification of flow-control; headers-blocks (thus syn-
stream) gets its own pool of memory, separate from data frames
TODO: Everything after the first header-block-section possibly
treated as flow-control
TODO: Connection-error status code added for UNRECOGNIZED_SCHEME
for new streams. This triggers when the recipient doesn't know
how to handle a stream of that type.
10. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
11. Acknowledgements
Many individuals have contributed to the design and evolution of
SPDY: Adam Langley, Wan-Teh Chang, Jim Morrison, Mark Nottingham,
Alyssa Wilk, Costin Manolache, William Chan, Vitaliy Lvin, Joe Chan,
Adam Barth, Ryan Hamilton, Gavin Peters, Kent Alstad, Kevin Lindsay,
Paul Amer, Fan Yang, Jonathan Leighton, Alex Strom
12. References
12.1. Normative References
[ASCII] "US-ASCII. Coded Character Set - 7-Bit American
Standard Code for Information Interchange.
Standard ANSI X3.4-1986, ANSI, 1986.".
Belshe & Peon Expires December 9, 2013 [Page 52]
Internet-Draft SPDY June 2013
[HTTP-p1] Fielding, R. and J. Reschke, "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
draft-ietf-httpbis-p1-messaging-22 (work in
progress), February 2013.
[HTTP-p2] Fielding, R. and J. Reschke, "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content",
draft-ietf-httpbis-p2-semantics-22 (work in
progress), February 2013.
[HTTP-p4] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
Transfer Protocol (HTTP/1.1): Conditional
Requests", draft-ietf-httpbis-p4-conditional-22
(work in progress), February 2013.
[HTTP-p5] Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke,
Ed., "Hypertext Transfer Protocol (HTTP/1.1):
Range Requests", draft-ietf-httpbis-p5-range-22
(work in progress), February 2013.
[HTTP-p6] Fielding, R., Ed., Nottingham, M., Ed., and J.
Reschke, Ed., "Hypertext Transfer Protocol
(HTTP/1.1): Caching",
draft-ietf-httpbis-p6-cache-22 (work in progress),
February 2013.
[HTTP-p7] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext
Transfer Protocol (HTTP/1.1): Authentication",
draft-ietf-httpbis-p7-auth-22 (work in progress),
February 2013.
[RFC0793] Postel, J., "Transmission Control Protocol",
STD 7, RFC 793, September 1981.
[RFC1950] Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data
Format Specification version 3.3", RFC 1950,
May 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to
Indicate Requirement Levels", BCP 14, RFC 2119,
March 1997.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J.,
Lawrence, S., Leach, P., Luotonen, A., and L.
Stewart, "HTTP Authentication: Basic and Digest
Access Authentication", RFC 2617, June 1999.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter,
Belshe & Peon Expires December 9, 2013 [Page 53]
Internet-Draft SPDY June 2013
"Uniform Resource Identifier (URI): Generic
Syntax", STD 66, RFC 3986, January 2005.
[RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D.,
Mikkelsen, J., and T. Wright, "Transport Layer
Security (TLS) Extensions", RFC 4366, April 2006.
[RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-
based Kerberos and NTLM HTTP Authentication in
Microsoft Windows", RFC 4559, June 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer
Security (TLS) Protocol Version 1.2", RFC 5246,
August 2008.
[RFC6454] Barth, A., "The Web Origin Concept", RFC 6454,
December 2011.
[RFC6455] Fette, I. and A. Melnikov, "The WebSocket
Protocol", RFC 6455, December 2011.
[TLSNPN] Langley, A., "TLS Next Protocol Negotiation", <htt
p://tools.ietf.org/html/
draft-agl-tls-nextprotoneg-01>.
[UDELCOMPRESSION] Yang, F., Amer, P., and J. Leighton, "A
Methodology to Derive SPDY's Initial Dictionary
for Zlib Compression", <http://www.eecis.udel.edu/
~amer/PEL/poc/pdf/SPDY-Fan.pdf>.
[WEBSOCKETAPI] Hickson, I., "The WebSocket API",
<http://www.w3.org/TR/websockets/>.
12.2. Informative References
[TALKING] Huang, L-S., Chen, E., Barth, A., Rescorla, E.,
and C. Jackson, "Talking to Yourself for Fun and
Profit", 2011,
<http://w2spconf.com/2011/papers/websocket.pdf>.
URIs
[1] <https://github.com/http2/http2-spec/issues/28>
[2] <https://github.com/http2/http2-spec/issues/46>
Belshe & Peon Expires December 9, 2013 [Page 54]
Internet-Draft SPDY June 2013
Appendix A. Changes
To be removed by RFC Editor before publication
Authors' Addresses
Mike Belshe
Twist
EMail: mbelshe@chromium.org
Roberto Peon
Google, Inc
EMail: fenix@google.com
Belshe & Peon Expires December 9, 2013 [Page 55]
Html markup produced by rfcmarkup 1.90, available from
http://tools.ietf.org/tools/rfcmarkup/