MAY"> MUST"> MUST NOT"> OPTIONAL"> RECOMMENDED"> REQUIRED"> SHALL"> SHALL NOT"> SHOULD"> SHOULD NOT"> ]> The HTTP QUERY Method greenbytes GmbH
Hafenweg 16 Münster48155 Germany julian.reschke@greenbytes.de https://greenbytes.de/tech/webdav/
malhotrasahib@gmail.com
jasnell@gmail.com
Akamai
mbishop@evequefou.be
Web and Internet Transport HTTP http query method This specification defines a new HTTP method, QUERY, as a safe, idempotent request method that can carry request content. Discussion of this draft takes place on the HTTP working group mailing list (ietf-http-wg@w3.org), which is archived at . Working Group information can be found at ; source code and issues list for this draft can be found at . The changes in this draft are summarized in .
This specification defines the HTTP QUERY request method as a means of making a safe, idempotent request that contains content. Most often, this is desirable when the data conveyed in a request is too voluminous to be encoded into the request's URI. For example, while this is an common and interoperable query: GET /feed?q=foo&limit=10&sort=-published HTTP/1.1 Host: example.org if the query parameters extend to several kilobytes or more of data it may not be, because many implementations place limits on their size. Often these limits are not known or discoverable ahead of time, because a request can pass through many uncoordinated systems. Additionally, expressing certain kinds of data in the target URI is inefficient, because it needs to be encoded to be a valid URI. Encoding query parameters directly into the request URI also effectively casts every possible combination of query inputs as distinct resources. Depending on the application, that may not be desirable. As an alternative to using GET, many implementations make use of the HTTP POST method to perform queries, as illustrated in the example below. In this case, the input parameters to the query operation are passed along within the request content as opposed to using the request URI. A typical use of HTTP POST for requesting a query: POST /feed HTTP/1.1 Host: example.org Content-Type: application/x-www-form-urlencoded q=foo&limit=10&sort=-published This variation, however, suffers from the same basic limitation as GET in that it is not readily apparent -- absent specific knowledge of the resource and server to which the request is being sent -- that a safe, idempotent query is being performed. The QUERY method provides a solution that spans the gap between the use of GET and POST, with the example above being expressed as: QUERY /feed HTTP/1.1 Host: example.org Content-Type: application/x-www-form-urlencoded q=foo&limit=10&sort=-published As with POST, the input to the query operation is passed along within the content of the request rather than as part of the request URI. Unlike POST, however, the method is explicitly safe and idempotent, allowing functions like caching and automatic retries to operate. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
The QUERY method is used to initiate a server-side query. Unlike the HTTP GET method, which requests that a server return a representation of the resource identified by the target URI (as defined by ), the QUERY method is used to ask the server to perform a query operation (described by the request content) over some set of data scoped to the target URI. The content returned in response to a QUERY cannot be assumed to be a representation of the resource identified by the target URI. The content of the request defines the query. Implementations &MAY; use a request content of any media type with the QUERY method, provided that it has appropriate query semantics. QUERY requests are both safe and idempotent with regards to the resource identified by the request URI. That is, QUERY requests do not alter the state of the targeted resource. However, while processing a QUERY request, a server can be expected to allocate computing and memory resources or even create additional HTTP resources through which the response can be retrieved. A successful response to a QUERY request is expected to provide some indication as to the final disposition of the operation. For instance, a successful query that yields no results can be represented by a 204 No Content response. If the response includes content, it is expected to describe the results of the operation.
Furthermore, a successful response can include a Content-Location header field (see ) containing an identifier for a resource corresponding to the results of the operation. This represents a claim from the server that a client can send a GET request for the indicated URI to retrieve the results of the query operation just performed. The indicated resource might be temporary. A server &MAY; create or locate a resource that identifies the query operation for future use. If the server does so, the URI of the resource can be included in the Location header field of the response (see ). This represents a claim that a client can send a GET request to the indicated URI to repeat the query operation just performed without resending the query parameters. This resource might be temporary; if a future request fails, the client can retry using the original QUERY resource and the previously submitted parameters again.
In some cases, the server may choose to respond indirectly to the QUERY request by redirecting the user agent to a different URI (see ). The semantics of the redirect response do not differ from other methods. For instance, a 303 (See Other) response would indicate that the Location field identifies an alternate URI from which the results can be retrieved using a GET request (this use case is also covered by the use of the Location response field in a 2xx response). On the other hand, response codes 307 (Temporary Redirect) and 308 (Permanent Redirect) can be used to request the user agent to redo the QUERY request on the URI specified by the Location field. Various non-normative examples of successful QUERY responses are illustrated in .
The semantics of the QUERY method change to a "conditional QUERY" if the request message includes an If-Modified-Since, If-Unmodified- Since, If-Match, If-None-Match, or If-Range header field (). A conditional QUERY requests that the query be performed only under the circumstances described by the conditional header field(s). It is important to note, however, that such conditions are evaluated against the state of the target resource itself as opposed to the collected results of the query operation.
The response to a QUERY method is cacheable; a cache &MAY; use it to satisfy subsequent QUERY requests as per ). The cache key for a query (see ) &MUST; incorporate the request content. When doing so, caches &SHOULD; first normalize request content to remove semantically insignificant differences, thereby improving cache efficiency, by:
  • Removing content encoding(s)
  • Normalizing based upon knowledge of format conventions, as indicated by the any media type suffix in the request's Content-Type field (e.g., "+json")
  • Normalizing based upon knowledge of the semantics of the content itself, as indicated by the request's Content-Type field.
Note that any such normalization is performed solely for the purpose of generating a cache key; it does not change the request itself.
The "Accept-Query" response header field &MAY; be used by a resource to directly signal support for the QUERY method while identifying the specific query format media type(s) that may be used. Accept-Query = 1#media-type The Accept-Query header field specifies a comma-separated listing of media types (with optional parameters) as defined by . field syntax currently discussed in The order of types listed by the Accept-Query header field is not significant. Accept-Query's value applies to every URI on the server that shares the same path; in other words, the query component is ignored. If requests to the same resource return different Accept-Query values, the most recently received fresh (per ) value is used.
The non-normative examples in this section make use of a simple, hypothetical plain-text based query syntax based on SQL with results returned as comma-separated values. This is done for illustration purposes only. Implementations are free to use any format they wish on both the request and response.
A simple query with a direct response: QUERY /contacts HTTP/1.1 Host: example.org Content-Type: example/query Accept: text/csv select surname, givenname, email limit 10 Response: HTTP/1.1 200 OK Content-Type: text/csv surname, givenname, email Smith, John, john.smith@example.org Jones, Sally, sally.jones@example.com Dubois, Camille, camille.dubois@example.net
A simple query with a direct response: QUERY /contacts HTTP/1.1 Host: example.org Content-Type: example/query Accept: text/csv select surname, givenname, email limit 10 Response: HTTP/1.1 200 OK Content-Type: text/csv Content-Location: /contacts/responses/42 Location: /contacts/queries/17 surname, givenname, email Smith, John, john.smith@example.org Jones, Sally, sally.jones@example.com Dubois, Camille, camille.dubois@example.net A subsequent GET request on /contacts/responses/42 would return the same response, until the server decides to remove that resource. A GET request on /contacts/queries/17 however would execute the same query again, and return a fresh result for that query: GET /contacts/queries/17 HTTP/1.1 Host: example.org Accept: text/csv Response: HTTP/1.1 200 OK Content-Type: text/csv Content-Location: /contacts/responses/43 surname, givenname, email Jones, Sally, sally.jones@example.com Dubois, Camille, camille.dubois@example.net
A simple query with an Indirect Response (303 See Other): QUERY /contacts HTTP/1.1 Host: example.org Content-Type: example/query Accept: text/csv select surname, givenname, email limit 10 Response: HTTP/1.1 303 See Other Location: /contacts/query123 Retrieval of the Query Response: GET /contacts/query123 HTTP/1.1 Host: example.org Response: HTTP/1.1 200 OK Content-Type: text/csv surname, givenname, email Smith, John, john.smith@example.org Jones, Sally, sally.jones@example.com Dubois, Camille, camille.dubois@example.net
A simple query being redirected: QUERY /contacts HTTP/1.1 Host: example.org Content-Type: example/query Accept: text/csv select surname, givenname, email limit 10 Response: HTTP/1.1 308 Moved Permanently Location: /morecontacts Redirected request: QUERY /morecontacts HTTP/1.1 Host: example.org Content-Type: example/query Accept: text/csv select surname, givenname, email limit 10 Response: HTTP/1.1 200 OK Content-Type: text/csv surname, givenname, email Smith, John, john.smith@example.org Jones, Sally, sally.jones@example.com Dubois, Camille, camille.dubois@example.net
The QUERY method is subject to the same general security considerations as all HTTP methods as described in . The QUERY method can be used as an alternative to passing query information in the query portion of a URI. This is preferred in some cases, as the URI is more likely to be logged than the request content. If a server creates a temporary resource to represent the results of a QUERY request (e.g., for use in the Location or Content-Location field) and the request contains sensitive information that cannot be logged, then the URI of this resource &SHOULD; be chosen such that it does not include any sensitive portions of the original request content.
IANA is requested to add the QUERY method to the HTTP Method Registry at (see ).
Method Name Safe Idempotent Specification
QUERY Yes Yes
IANA is requested to add the Accept-Query field to the HTTP Field Name Registry at (see ).
Field Name Status Structured Type Reference Comments
Accept-Query permanent of this document. field syntax currently discussed in
HTTP Semantics HTTP Caching
  • Use "example/query" media type instead of undefined "text/query" ()
  • In , adjust the grammar to just define the field value ()
  • Update to latest HTTP core spec, and adjust terminology accordingly ()
  • Reference RFC 8174 and markup bcp14 terms ()
  • Update HTTP reference ()
  • Relax restriction of generic XML media type in request content ()
  • Add minimal description of cacheability ()
  • Use "QUERY" as method name ()
  • Update HTTP reference ()
  • In , slightly rephrase statement about significance of ordering ()
  • Throughout: use "content" instead of "payload" or "body" ()
  • Updated references ()
  • In , clarify scope ()
  • Describe role of Content-Location and Location fields ()
  • Added Mike Bishop as author ()
  • Use "target URI" instead of "effective request URI" ()
  • Updated language and examples about redirects and method rewriting ()
  • Add QUERY example to introduction ()
  • Update "Sensitive information in QUERY URLs" ()
  • Field registration for "Accept-Query" ()