| Internet-Draft | The HTTP BUTT Method | October 2022 |
| Andrews | Expires 1 April 2023 | [Page] |
This specification defines a new HTTP method, BUTT, as an unsafe method for communication with resource back-ends.¶
RFC EDITOR: please remove this section before publication¶
Discussion of this draft takes place on Twitter, because that's where it started.¶
This Internet-Draft is (not actually) submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts (such as, in this case, some rando with a GitHub Pages site). The list of current Internet-Drafts (which will not include this document) is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 1 April 2023.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
This specification defines the HTTP BUTT request method as a means of bypassing the abstraction that is the entire point of RESTful systems, and interacting with a resource's back-end directly.¶
Potential applications include SOAP, GraphQL or anything else that pipes its entire innards directly through a single method on a single endpoint.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. These words may also appear in this document in lower case as plain English words, absent their normative meanings.¶
The BUTT method tunnels back-end-resource-specific communication through HTTP, without pretense of abstraction.¶
While HTTP's POST method allows essentially arbitrary actions already, it was still created in the context of HTTP's resource abstraction. Some uses of POST do implement a resource interface at a suitable level of abstraction. However, many simply tunnel a completely separate interface using HTTP as a transport layer.¶
The HTTP ecosystem will benefit from expicitly distinguishing these two usages. Using HTTP BUTT makes it clear that the violation of resource abstraction is fully intentional, and only the exposed nature of the back-end is important to any interactions.¶
BUTT /database HTTP/1.1 Host: example.org Content-Length: 27 Content-Type: application/sql DROP TABLE important_table;
The BUTT method is neither safe nor idempotent. Both client and server are advised to guard against unwanted effects that could result from BUTT access, as documented by the back-end resource in question.¶
Responses to BUTT requests are never cacheable. Resources implementing the BUTT method are acknowledging that they are either uncacheable, or expect to implement a completely separate caching system after disregarding that of HTTP.¶
If a BUTT request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries SHOULD be treated as stale.¶
Similarly, ETags and associated headers MUST NOT be relied upon to manage collisions or otherwise keep track of resource state for BUTT requests, and are likely to be unreliable for any HTTP interaction with a resource once a BUTT request has been received. The back-end is assumed to define its own mechanism for ETag-like functionality, if any¶
In general, intermediaries as defined in [RFC9110], Section 3.7 MUST NOT interfere with client-to-back-end BUTT communication in any way not explictly required by this specification, regardless of the intended benefits of HTTP as supported by intermediaries.¶
This specification introduces a new response header field Accept-Butt used to specify the document formats accepted by the server in HTTP BUTT requests. Accept-Butt SHOULD appear in the OPTIONS response for any resource that supports the use of the BUTT method. The presence of the Accept-Butt header in response to any method is an implicit indication that BUTT is allowed on the resource identified by the Request-URI. The presence of a specific document format in this header indicates that this specific format is allowed on the resource identified by the Request-URI.¶
The syntax for Accept-Butt headers, using the ABNF [RFC5234] syntax defined in [RFC9110], Section 12.5.1, is given by the following definition:¶
Accept-Butt = #media-range
Accept-Butt =/ "false"
¶
The Accept-Butt header specifies a media range as defined by HTTP [RFC9110]. The media range specifies a type of representation that can be BUTTed to the Request-URI.¶
Accept-Butt can also be set to the string "false", indicating that the back-end in question does not allow input in the form of a request body. However, if BUTT is also present in the Allow header, this indicates that the back-end MAY answer BUTT requests that do not include a request body with output.¶
This specification introduces the following response codes to handle response semantics unique to the BUTT method.¶
The 255 (Expulsive) status code indicates that the back-end has chosen to return more information than was requested. The requested information MUST be present in the response. However, the location of the requested information within the larger response body, as well as the syntax and semantics of the additional information, is back-end-defined.¶
While technically a successful result, it is RECOMMENDED to notify the system administrator that some form of tuning or maintenance might be in order.¶
The 455 (Inadequate Preparation) status code indicates that a BUTT request with a request body was made, and that despite the request body having an acceptable Content-Type, the back-end resource was not properly prepared to act on the given input. Back-ends SHOULD respond with information on what preparation is needed prior to re-trying the request, using an appropriate media type such as [RFC7807] HTTP Problem Details.¶
The 555 (Retentive) status code indicates that the back-end is refusing to respond as requested. No additional information is expected with this response, as the back-end may not be aware of the unconscious factors leading to the repressive state. It is RECOMMENDED to contact the system administrator to arrange appropriate therapy.¶
No two BUTTs are alike, therefore interoperabilty is not a consideration for this method.¶
Accessing a resource via its BUTT is inherently insecure. Protective measures are strongly advised for both client and server, but are beyond the scope of this specification.¶
IANA has updated the "Hypertext Transfer Protocol (HTTP) Method Registry" at <https://www.iana.org/assignments/http-methods> with the registration procedure of [RFC9110], Section 16.1.1 and the method names summarized in the following table.¶
| Method | Safe | Idempotent | Section |
|---|---|---|---|
| BUTT | no | no | Section 2 |
IANA has updated the "Hypertext Transfer Protocol (HTTP) Status Code Registry" at <https://www.iana.org/assignments/http-status-codes> with the registration procedure of [RFC9110], Section 16.2.1 and the status code values summarized in the following table.¶
| Value | Description | Section |
|---|---|---|
| 255 | Expulsive | Section 4.1 |
| 455 | Inadequate Preparation | Section 4.2 |
| 555 | Retentive | Section 4.3 |
IANA has updated the "Hypertext Transfer Protocol (HTTP) Field Name Registry" at <https://www.iana.org/assignments/http-fields with the registration procedure of [RFC9110], Section 16.3.1 and the field names listed in the following table.¶
| Field Name | Status | Section |
|---|---|---|
| Accept-Butt | permanent | {#accept-butt} |
This is all Kin Lane's fault for typo'ing "HTTP, but" as "HTTP butt" and tweeting about it.¶
Much of this document's text was shamelessly "adapted" from [I-D.ietf-httpbis-safe-method-w-body] and/or [I-D.wilde-accept-post], neither of which should be blamed for the actual contents of this document.¶
RFC EDITOR PLEASE DELETE THIS SECTION.¶