Internet-Draft | Media Type Suffixes | June 2024
Sporny & Guy | Expires 21 December 2024
This document updates RFC 6838 "Media Type Specifications and Registration Procedures" to provide additional clarifications on how to interpret and register media types with suffixes.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 21 December 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
As written, RFC 6838 [RFC6838] permits the registration of media type subtype names that contain any number of "+" characters. RFC 6838 defines the characters following the first "+" character to be a structured syntax suffix, but says nothing further about how to interpret subtype names containing more than one "+" character.¶
This document updates RFC 6838 to clarify that using more than one "+" character is not allowed. It also provides additional guidance that might be useful to specification authors who are registering media types with structured suffixes.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This section is an addition to RFC 6838.¶
A structured suffix is defined as all of the characters to the right of the left-most "+" sign in a media type's subtype name, including the left-most "+" sign itself. The structured suffix MUST NOT contain more than one "+" sign. As an example, given the "application/foo+bar" media type: "application" is the top-level type, "foo" is the base subtype name, and "+bar" is the structured suffix. A media type such as "application/foo+bar+baz" is not allowed.¶
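The definition above, applied as code. This parser is an added example and is not part of this draft or of RFC 6838; it combines the single-"+" rule with the restricted-name ABNF from RFC 6838 Section 4.2 (ALPHA or DIGIT first, then at most 126 characters from ALPHA / DIGIT / "!" / "#" / "$" / "&" / "-" / "^" / "_" / "." / "+"). Two choices here are assumptions rather than text of either document: parameters after ";" are ignored, and a "+" in the top-level type name is rejected even though the ABNF alone would accept it.

```python
import re

# RFC 6838, Section 4.2, restricted-name: an ALPHA or DIGIT followed by at most
# 126 characters drawn from ALPHA / DIGIT / "!" / "#" / "$" / "&" / "-" / "^" /
# "_" / "." / "+". Both the type name and the subtype name use this production.
_RESTRICTED_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}$")


def parse_media_type(value):
    """Split 'type/subtype[; parameters]' into (type, base_subtype, suffix).

    suffix is the structured suffix including its leading "+", or None when the
    subtype has no "+". Parameters after ";" are ignored (assumption: only the
    essence of the media type matters here). Raises ValueError for a malformed
    name or for a subtype containing more than one "+".
    """
    essence = value.split(";", 1)[0].strip().lower()
    if essence.count("/") != 1:
        raise ValueError(f"expected exactly one '/' in {value!r}")
    top, subtype = essence.split("/")
    for name in (top, subtype):
        if not _RESTRICTED_NAME.match(name):
            raise ValueError(f"not an RFC 6838 restricted-name: {name!r}")
    if "+" in top:
        # Stricter than the ABNF: structured suffixes are a subtype-name
        # concept, so a "+" in the top-level type is rejected here (assumption).
        raise ValueError(f"structured suffix not allowed in top-level type: {top!r}")
    if subtype.count("+") > 1:
        raise ValueError(f"more than one '+' in subtype: {subtype!r}")
    if "+" not in subtype:
        return top, subtype, None
    base, _, rest = subtype.partition("+")
    if not rest:
        raise ValueError(f"empty structured suffix in {subtype!r}")
    return top, base, "+" + rest


def is_valid_media_type(value):
    """Boolean convenience wrapper around parse_media_type()."""
    try:
        parse_media_type(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs, including the forms discussed in the text.
    for sample in ("application/foo+bar", "application/foo+bar+baz",
                   "application/ld+json; charset=utf-8", "text/plain",
                   "application/foo+", "application/+bar"):
        try:
            print(f"{sample:<40} -> {parse_media_type(sample)!r}")
        except ValueError as exc:
            print(f"{sample:<40} -> rejected: {exc}")
```

Because the first character of a restricted-name must be ALPHA or DIGIT, a subtype such as "+bar" (empty base subtype) is rejected by the name check before the suffix logic runs; "foo+" (empty suffix) is caught afterwards.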
This section is an addition to RFC 6838.¶
A few common patterns are used by media types with structured suffixes. These patterns include expressing that the data associated with a media type:¶
Suffixes such as "+xml+zip" are conceivable, but a subtype name containing more than one "+" is not allowed by the definition in this document, and chaining structured syntaxes in this way is NOT RECOMMENDED in any form: the number of possible combinations is large, and every combination adds to the security considerations of a toolchain that attempts to process all of them safely.¶
This section is an addition to RFC 6838.¶
The syntax and semantics for fragment identifiers are specified in the "Fragment Identifier Considerations" column in the IANA Structured Syntax Suffixes registry. In general, when processing fragment identifiers associated with a structured syntax suffix, the following rules SHOULD be followed:¶
The following paragraphs are additional guidance to Section 4.2.8 "Structured Syntax Name Suffixes", in RFC 6838.¶
Media types that use a structured syntax suffix, or a similar separator such as a dash "-", MUST be semantically aligned, from a data model perspective, with existing base subtype names in the media type registry. For example, for the media types "application/foo+bar" and "application/foo+baz", the expectation is that the semantics suggested by the base subtype name "application/foo" are the same for both media types. The Designated Expert MUST reject a registration if they believe its semantics do not align with existing base subtype names in the media type registry.¶
Registrants MUST demonstrate to the Designated Expert, for example through a message to a public mailing list or an issue tracker comment, that they have the consent of the existing Change Controller for the associated base subtype name to register the new media type.¶
This section replaces Section 6.2 "Structured Syntax Suffix Registration Template" in RFC 6838.¶
This template describes the fields that must be supplied in a structured syntax suffix registration request:¶
This section is an addition to Section 7 "Security Considerations" in RFC 6838.¶
If a toolchain chooses to process a provided media type using only the processing rules of its structured suffix, it cannot presume that a document that is valid under the suffix's decoding rules is also valid for the more specific media type that uses that suffix. For example, given the media type "application/foo+bar", a toolchain cannot presume that a valid "+bar" document is also a valid "application/foo+bar" document. The converse does hold: a valid "application/foo+bar" document is also a valid "+bar" document.¶
If a toolchain chooses to process a provided media type by using the selected structured suffix processing rules, it cannot presume that fragment identifier semantics will be the same across a recognized subset of the structured suffix. For example, presuming a media type of "application/foo+bar", a toolchain cannot presume that the fragment semantics for a "+bar" document will be the same as for an "application/foo+bar" document.¶
Toolchains cannot assume that the security characteristics of processing based on a structured suffix will be the same for the entire media type. For example, given the media type "application/foo+bar", a toolchain cannot presume that the security characteristics of a "+bar" document will be the same as those of an "application/foo+bar" document.¶
It is conceivable that an attacker could use structured suffixes to trick an unsuspecting toolchain into skipping important security checks and so allow malware to propagate. For example, an attacker might use a media type such as "application/vnd.ms-excel.addin.macroEnabled.12+zip" to trigger an unzip step whose output is then passed directly to Microsoft Excel, bypassing anti-virus tooling that would otherwise have scanned, and blocked, a macro-enabled Excel file carrying a virus.¶
Enterprising attackers might take advantage of toolchains that partially process media types in this manner. Toolchains that process media types based purely on a structured suffix need to ensure that further processing does not blindly trust the decoded data, and that proper magic header or file structure checking is performed, before allowing the decoded data to drive operations that might negatively impact the application environment or operating system.¶
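The two security paragraphs above (validity under a suffix versus validity of the full media type, and suffix-only dispatch that hands decoded data on unchecked) can be illustrated together. The following is an added example, not code from this draft or from any implementation it mentions. The media types "application/foo+json" and "application/bundle+zip", their data models, and the zip payload are all constructed for the example; "naive_process" is the pattern the text warns about and "process" is the hardened form, which checks the file signature before decoding, and validates against the full media type before anything downstream sees the decoded data.

```python
import io
import json
import zipfile

# File signature a payload must start with before the decoder for that suffix
# is allowed to run. "+json" has no fixed signature; for it the decoder itself
# is the structural check.
MAGIC = {"+zip": b"PK\x03\x04"}


def split_suffix(media_type):
    """Return (essence, suffix), e.g. ('application/foo+bar', '+bar')."""
    essence = media_type.split(";", 1)[0].strip().lower()
    subtype = essence.partition("/")[2]
    if subtype.count("+") > 1:
        raise ValueError(f"more than one '+' in subtype: {media_type!r}")
    suffix = ("+" + subtype.partition("+")[2]) if "+" in subtype else None
    return essence, suffix


def decode_json(payload):
    return json.loads(payload.decode("utf-8"))


def decode_zip(payload):
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        names = zf.namelist()
        # Refuse member names that could escape an extraction directory.
        if any(n.startswith("/") or ".." in n.split("/") for n in names):
            raise ValueError("unsafe zip member name")
        return {n: zf.read(n) for n in names}


# Decoders keyed by structured suffix: the "suffix processing rules" step.
DECODERS = {"+json": decode_json, "+zip": decode_zip}


# Validators keyed by the full media type. The two types and their data models
# are constructed for this example. A valid +json document is not automatically
# a valid application/foo+json document, so the base type gets its own check.
def validate_foo(doc):
    return isinstance(doc, dict) and isinstance(doc.get("id"), str)


def validate_bundle(members):
    return "manifest.json" in members


KNOWN_TYPES = {
    "application/foo+json": validate_foo,
    "application/bundle+zip": validate_bundle,
}


def naive_process(media_type, payload):
    """The pattern the text warns about: the suffix alone selects the decoder
    and whatever comes out is handed to the next stage unchecked."""
    _, suffix = split_suffix(media_type)
    decoder = DECODERS.get(suffix)
    if decoder is None:
        return ("reject", "unknown suffix")
    return ("handoff", decoder(payload))


def process(media_type, payload):
    """Hardened version: signature check, decode, then validate against the
    full media type before anything downstream sees the decoded data."""
    try:
        essence, suffix = split_suffix(media_type)
    except ValueError as exc:
        return ("reject", str(exc))
    decoder = DECODERS.get(suffix)
    if decoder is None:
        return ("reject", f"unknown suffix {suffix!r}")
    if suffix in MAGIC and not payload.startswith(MAGIC[suffix]):
        return ("reject", f"payload lacks the {suffix} signature")
    try:
        decoded = decoder(payload)
    except (ValueError, zipfile.BadZipFile) as exc:
        return ("reject", f"decode failed: {exc}")
    validator = KNOWN_TYPES.get(essence)
    if validator is None:
        # Decodable suffix but unregistered full type: do not hand it on.
        return ("reject", f"no handler registered for {essence}")
    if not validator(decoded):
        return ("reject", f"valid {suffix} but not a valid {essence} document")
    return ("accept", decoded)


def make_sample_zip(member="manifest.json", body=b"{}"):
    """Constructed payload: a one-member zip archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    return buf.getvalue()


if __name__ == "__main__":
    bundle = make_sample_zip()
    print(process("application/foo+json", b'{"id": "abc"}'))
    print(process("application/foo+json", b"[1, 2, 3]"))
    print(process("application/bundle+zip", bundle))
    print(process("application/bundle+zip", b'{"id": "abc"}'))
    print(naive_process("application/vnd.example.macro+zip", bundle))
    print(process("application/vnd.example.macro+zip", bundle))
```

The last two calls are the Excel scenario in miniature: the naive path unzips "application/vnd.example.macro+zip" and hands the members on because "+zip" is something it knows how to decode, whereas the hardened path rejects it because no handler was ever registered for that full media type. The zip member-name check is a separate, ordinary precaution for any unzip step; it is included because decoded archive contents are exactly the data the text says must not be trusted blindly.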
[RFC6838] established the Registration Procedure for the Structured Syntax Suffixes Registry as "Expert Review". However, since the inception of the registry, the Designated Experts have been operating as if the Registration Procedure is "Specification Required" given that a specification is required in the registration template for the "References" entry, which defines how the structured suffix is to be used. Every entry in the Structured Syntax Suffixes Registry contains at least one reference to a specification. Furthermore, this document updates the Structured Syntax Suffixes Registry Registration Template to include links to specifications for most fields. Therefore, there is a clear requirement for at least one specification when performing a Structured Syntax Suffix registration.¶
This section updates the Registration Procedure for the Structured Syntax Suffixes Registry to "Specification Required" and instructs IANA to update the existing registry to reflect this change.¶
The editors would like to thank the following individuals for feedback on the specification (in alphabetical order): Harald Alvestrand, Amanda Baber, Martin J. Dürst, Ivan Herman, Graham Klyne, Murray S. Kucherawy, Darrel Miller, Mark Nottingham, Roberto Polli, Orie Steele, and Ted Thibodeau Jr.¶