mnot’s blog

“Design depends largely on constraints.” — Charles Eames


Thursday, 5 December 2019

On RFC8674, the safe preference for HTTP

It’s become common for Web sites – particularly those that host third-party or user-generated content – to make a “safe” mode available, where content that might be objectionable is hidden. For example, a parent who wants to steer their child away from the rougher corners of the Internet might go to their search engine and put it in “safe” mode.


Tuesday, 31 July 2018

How to Read an RFC

For better or worse, Requests for Comments (RFCs) are how we specify many protocols on the Internet. These documents are alternatively treated as holy texts by developers who parse them for hidden meanings, then shunned as irrelevant because they can’t be understood. This often leads to frustration and – more significantly – interoperability and security issues.


Thursday, 11 May 2017

How to Think About HTTP Status Codes

There’s more than a little confusion and angst out there about HTTP status codes. I’ve received more than a few e-mails (and IMs, and DMs) over the years from stressed-out developers (once at 2am, their time!) asking something like this:


Wednesday, 9 March 2016

Alternative Services

The IESG has approved “HTTP Alternative Services” for publication as a Proposed Standard.


Friday, 18 December 2015

Why 451?

Today, the IESG approved publication of “An HTTP Status Code to Report Legal Obstacles”. It’ll be an RFC after some work by the RFC Editor and a few more process bits, but effectively you can start using it now.


Wednesday, 25 March 2015

Improving Captive Portals

Yesterday at IETF92 in Dallas, we had a “Bar BoF” (i.e., informal meeting) about improving the behaviour and handling of Captive Portals — those login pages that you have to click through to get onto networks in hotels, airports, and many other places.


Wednesday, 18 February 2015

HTTP/2 is Done

The IESG has formally approved the HTTP/2 and HPACK specifications, and they’re on their way to the RFC Editor, where they’ll soon be assigned RFC numbers, go through some editorial processes, and be published.


Saturday, 27 December 2014

Why Intermediation is Important

A few months ago I went to the Internet Governance Forum, looking to understand more about the IGF and its attendees. One of the things I learned there was a different definition of “intermediary” — one that I think the standards community should pay close attention to.


Saturday, 7 June 2014

RFC2616 is Dead

Don’t use RFC2616. Delete it from your hard drives, bookmarks, and burn (or responsibly recycle) any copies that are printed out.


Monday, 17 March 2014

Trying out TLS for HTTP:// URLs

The IETF now considers “pervasive monitoring” to be an attack. As Snowden points out, one of the more effective ways to combat it is to use encryption everywhere you can, and “opportunistic encryption” keeps on coming up as one way to help that.


Thursday, 30 January 2014

Nine Things to Expect from HTTP/2

HTTP/2 is getting close to being real, with lots of discussions and more implementations popping up every week. What does a new version of the Web’s protocol mean for you? Here are some early answers:


Saturday, 4 January 2014

Strengthening HTTP: A Personal View

Recently, one of the hottest topics in the Internet protocol community has been whether the newest version of the Web’s protocol, HTTP/2, will require, encourage or indeed say anything about the use of encryption in response to the pervasive monitoring attacks revealed to the world by Edward Snowden.


Wednesday, 15 May 2013

Indicating Problems in HTTP APIs

A common part of HTTP-based APIs is telling the client that something has gone wrong. Most APIs do this in some fashion, whether they call it a “Fault” (very SOAP-y), “Error” or whatever.


Saturday, 4 August 2012

HTTP in Vancouver

The HTTPBIS Working Group is in a transitional phase; we’re rapidly finishing our revision of the HTTP/1.1 specification and just getting steam up on our next target, HTTP/2.0.


Saturday, 31 March 2012

What's Next for HTTP

We had two great meetings of the HTTPbis Working Group in Paris this week — one to start wrapping up our work on HTTP/1.1, and another to launch some exciting new work on HTTP/2.0.


Wednesday, 24 August 2011

Distributed Hungarian Notation doesn't Work

It used to be that when you registered a media type, a URI scheme, a HTTP header or another protocol element on the Internet, it was an opaque string that was a unique identifier, nothing more.


Monday, 4 April 2011

HTTP POST: IETF Prague Edition


Tuesday, 1 March 2011

Last Call: Content-Disposition

The IESG has received a request from the Hypertext Transfer Protocol Bis WG (httpbis) to consider the following document:


Friday, 1 October 2010

HTTP Roundup: What’s Up with the Web’s Protocol

I’m going to try to start blogging more updates (kick me if I don’t!) about what’s happening in the world of HTTP.


Friday, 23 July 2010

Thou Shalt Use TLS?

Since SPDY has surfaced, one of the oft-repeated topics has been its use of TLS; namely that the SPDY guys have said that they’ll require all traffic to go over it. Mike Belshe dives into all of the details in a new blog entry, but his summary is simple: “users want it.”


Thursday, 6 May 2010

RFC5861: HTTP Stale Controls

On a bit of a roll, RFC5861: HTTP Stale Controls has (finally) been published as an Informational RFC.


Wednesday, 7 April 2010

RFC5785: Well-Known URIs

One of the nagging theoretical problems in the Web architecture has been finding so-called “site-wide metadata”; i.e., finding something out about a Web site before you access it. We wrestled with this in P3P way back when, and the TAG took it up after that.


Friday, 3 July 2009

Come to the Stockholm IETF!

The Stockholm IETF meeting is shaping up to be an interesting one (and not just because it’s in such a beautiful city).


Thursday, 25 June 2009

The Resource Expert Droid

A (very) long time ago, I wrote the Cacheability Engine to help people figure out how a Web cache would treat their sites. It has a few bugs, but is generally useful for that purpose.


Tuesday, 14 April 2009

Counting the ways that rev="canonical" hurts the Web

I had a lovely holiday weekend in Canberra with the family, without Web access. Perhaps I’ll blog about that soon — Canberra being in my opinion one of the nicest overlooked cities in the world — but that will have to wait. Going offline for a few days always brings a certain dread of what one’s inbox will hold when you get back, and this one was no exception.


Tuesday, 24 February 2009

The FSF, IETF and Use Patents

Over the past few weeks the Free Software Foundation has had its knickers in a twist about TLS authentication — specifically, its patent encumbrance;


Wednesday, 18 February 2009

Stop it with the X- Already!

UPDATE: RFC6648 is now the official word on this topic.


Friday, 21 November 2008

OAuth in Minneapolis

There are lots of new “Web 2.0” specs emerging — many beginning with “o” — that are both exciting and concerning.


Thursday, 16 October 2008


Metadata discovery is a nagging problem that’s been hanging around the Web for a while. There have been a few stabs at this problem (including at least one by yours truly), but no real progress.


Friday, 4 July 2008

The WS-Empire Strikes Back... feebly

Here’s a gem on a little-used mailing list:


Thursday, 15 May 2008

Atom gets a new audience

Huh. The Atom Format RFC has been out for a while, and as one of the authors, I get the odd mail now and again asking a question or just saying “thanks.”


Wednesday, 2 April 2008

Moving the Goalposts: “Use” Patents and Standards

It’s become quite fashionable for large IT shops to give blanket Royalty-Free licenses for implementation of “core” technologies, such as XML, Web Services and Atom. I’ll refrain from linking to any of them, as the purpose of this post* is not to pick on any single one**.


Sunday, 17 February 2008


It’s 7am, I’m sitting in the Auckland Koru Club on my way home and reading the minor kerfuffle regarding PATCH with interest.


Friday, 4 January 2008

Cache Channels

The stale-while-revalidate and stale-if-error extensions aren’t the only fiddling we’ve been doing with the HTTP caching model. Now that Squid 2.7 is starting to see daylight, I can explain about a much more ambitious project — Cache Channels.


Wednesday, 12 December 2007

Two HTTP Caching Extensions

We use caching extensively inside Yahoo! to improve scalability, latency and availability for back-end HTTP services, as I’ve discussed before.


Sunday, 9 December 2007

Why Revise HTTP?

I haven’t talked about it here much, but I’ve spent a fair amount of time over the last year and a half working with people in the IETF to get RFC2616 — the HTTP specification — revised.


Saturday, 8 September 2007


Feed Paging and Archiving (nee Feed History) has finally made it to a standards-track RFC.


Wednesday, 10 May 2006


Anne-Thomas Manes extolls the virtues of WS-*;


Thursday, 20 April 2006

DOM vs. Web

Back at the W3C Technical Plenary, I argued that Working Groups need to concentrate on making more Web-friendly specifications. Here’s an example of one such lapse causing security problems on today’s Web.


Friday, 7 April 2006

Are Namespaces (and mU) Necessary?

It’s become axiomatic in some circles — especially in WS-* land, as well as in many other uses of XML — that the preferred (or only) means of offering extensibility is through URI-based namespaces, along with a flag to tell consumers when an extension needs to be understood (a.k.a. mustUnderstand).


Wednesday, 15 March 2006

WS-Transfer, WAKA and the Web

Microsoft and friends (of the keep your enemy closer variety, I suspect) have submitted WS-Transfer to the W3C. I found the Team comment interesting; e.g.,


Wednesday, 10 August 2005

Separating the Data Model from its Serialisation

For some time, I’ve noticed that people defining XML formats spend an inordinate amount of time talking about the structure of the format. This is especially apparent in standards working groups, where hours — no, days — can be spent agonizing over whether to make something an attribute or an element.


Friday, 22 July 2005

Transformational Standards

Don Box (whose blog doesn’t seem to be taking comments any more, so I’ll do it over here) points out some very cool technology he’s using, Microsoft’s Office Communicator. Sounds very slick, I’m jealous (with my old tech phone line and last year’s GSM mobile)!


Friday, 15 July 2005

Don’t use the ‘feed’ URI Scheme

It’s been covered before elsewhere, but just a friendly reminder: ‘feed’ URIs are bad for the Web, as are any that are used solely for dispatch (e.g., ‘itms’, ‘pcast’).


Monday, 27 June 2005

Perspectives on the Addressing Experiment

I don’t talk much about it here, but I’m honoured to be the Chair of the W3C Web Services Addressing Working Group. This is something of an experiment for the W3C, so I gave an update on its progress as part of a panel discussion at the Advisory Committee meeting a few weeks ago. I’d like to share some of what I presented there.


Monday, 7 February 2005

The Map is Not the Territory

Werner makes an excellent point;


Monday, 24 January 2005


I’m intrigued by the JSON effort. While many people (and vendors) have chosen XML for data interchange because it’s not platform- or vendor-specific, these folks have chosen the other path; by leveraging the serialisation of data structures in ECMAScript (nee JavaScript) — a nearly ubiquitous language, on every desktop that has a browser — they get an automatic installed base and at least one API for free.


Sunday, 23 January 2005

WS-Who's on First?

There are MEPs in SOAP and MEPs in WSDL; both describe patterns of messages, but at potentially different layers.


Wednesday, 19 January 2005

On How Google Fixed Comment Spam

More than a year after my modest suggestion, Google takes a step to fix comment spam. Hopefully, other people who re-publish Web content (like mailing list archives) will start doing this as well.


Wednesday, 8 September 2004

HTTP Header Registries

Ever wonder where the heck a particular HTTP header is defined?


Thursday, 2 September 2004

Innocent Fraud

…I have learned that to be right and useful, one must accept a continuing divergence between approved belief — what I have elsewhere called conventional wisdom — and the reality. And in the end, not surprisingly, it is the reality that counts.


Saturday, 23 August 2003

Registering Media Types

I’ve had a fairly large and annoying bee in my bonnet for the past few months, regarding media type registration. It started buzzing when I tried (and failed) to register a media type for RSS, and has continued to grow as I attempt to do the same for SOAP, on behalf of the XML Protocol Working Group.


Sunday, 22 June 2003

Economics of standards

Looks like a good to-read list: John Beatty: Economics of Standards


Wednesday, 28 May 2003

While we're talking about standards...

I agree with just about everything that Jim Waldo says here (at least for protocol standards). Well said!


Sunday, 10 November 2002

IETF Transparency

Finally, the IESG puts its money where its mouth is; this tool allows you to see the status and individual AD’s comments about a particular I-D. It’s only a start, but at least you have some idea of what’s going on, instead of being left out in the cold.
