The No-Vary-Search HTTP Caching Extension

The No-Vary-Search HTTP Caching Extension Google LLC

d@domenic.me

Google LLC

jbroman@chromium.org

Google LLC

nidhijaju@chromium.org

Web and Internet Transport HyperText Transfer Protocol http caching This specification defines an extension to HTTP Caching, changing how URI query parameters impact caching. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the HTTP Working Group mailing list (), which is archived at . Working Group information can be found at . Source for this draft and an issue tracker can be found at .

Introduction HTTP caching is based on reusing resources which match across a number of cache keys, with the most important one being the presented target URI (). However, sometimes multiple URIs can represent the same resource. This leads to caches not always being as helpful as they could be: if the cache contains a response under one URI, but the response is then requested under another, the cached version will be ignored. The "No-Vary-Search" response header field defines a caching extension, as described in , that tackles a specific subset of this general problem, for when different URIs that only differ in certain query parameters identify the same resource. It allows resources to declare that some or all parts of the query component do not semantically affect the served response, and thus can be ignored for cache matching purposes. For example, if the order of the query parameters do not affect which resource is identified, this is indicated using No-Vary-Search: key-order If the specific query parameters (e.g., ones indicating something for analytics) do not semantically affect the served resource, this is indicated using No-Vary-Search: params=("utm_source" "utm_medium" "utm_campaign") And if the resource instead wants to take an allowlist-based approach, where only certain known query parameters semantically affect the served response, they can use No-Vary-Search: except=("productId") Note that "cache busting" by sending unique query parameters to avoid retrieving a cached response can be made ineffective by the No-Vary-Search header field. defines the new response header field No-Vary-Search, using the framework. and illustrate the data model for how the field value can be represented in specifications, and the process for parsing the raw output from the structured field parser into that data model. gives the key algorithm for comparing if two URLs are equivalent under the influence of the header field; notably, it leans on the decomposition of the query component into keys and values given by the application/x-www-form-urlencoded format specified in . (As such, this header field is not useful for URLs whose query component does not follow that format.) Finally, explains how to extend to take this new equivalence into account.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. In this document, the terms "URI" and "URL" are used interchangeably, depending on context. "URI" is used in the context of , , and , whereas "URL" is used in the context of the algorithms specified in . This document also adopts some conventions and notation typical in WHATWG and W3C usage, especially as it relates to algorithms. See , and in particular:

its definition of lists, including the list literal notation « 1, 2, 3 ».
its definition of strings, including their representation as code units.

(Other concepts used are called out using inline references.)

HTTP header field definition The No-Vary-Search HTTP header field is a structured field whose value MUST be a dictionary (). It has the following authoring conformance requirements:

If present, the key-order entry's value MUST be a boolean ().
If present, the params entry's value MUST be an inner list of strings ().
If present, the except entry's value MUST be an inner list of strings ().
The except entry MUST NOT be present if the params entry is also present.

The dictionary MAY contain entries whose keys are not one of key-order, params, and except, but their meaning is not defined by this specification. Implementations of this specification will ignore such entries (but future documents might assign meaning to such entries).

Data model A URL variation config consists of the following:

no-vary params: either the special value wildcard or a list of strings
vary params: either the special value wildcard or a list of strings
vary on key order: a boolean

The default URL variation config is a URL variation config whose no-vary params is an empty list, vary params is wildcard, and vary on key order is true. The obtain a URL variation config algorithm () ensures that all URL variation configs obey the following constraints:

vary params is a list if and only if the no-vary params is wildcard; and
no-vary params is a list if and only if the vary params is wildcard.

Parsing

Parse a URL variation config To parse a URL variation config given value:

If value is null, then return the default URL variation config.
Let result be a new URL variation config.
Set result's vary on key order to true.
If value["key-order"] exists:
1. If value["key-order"] is not a boolean, then return the default URL variation config.
2. Set result's vary on key order to the boolean negation of value["key-order"].
If both value["params"] and value["except"] exist or neither exists, then return the default URL variation config.
If value["params"] exists:
1. If value["params"] is not an array, then return the default URL variation config.
2. If any item in value["params"] is not a string, then return the default URL variation config.
3. Set result's no-vary params to the result of applying parse a key () to each item in value["params"].
4. If any item in result's no-vary params is an error, then return the default URL variation config.
5. Set result's vary params to wildcard.
Otherwise, if value["except"] exists:
1. If value["except"] is not an array, then return the default URL variation config.
2. If any item in value["except"] is not a string, then return the default URL variation config.
3. Set result's vary params to the result of applying parse a key () to each item in value["except"].
4. If any item in result's vary params is an error, then return the default URL variation config.
5. Set result's no-vary params to wildcard.
Return result.

Obtain a URL variation config To obtain a URL variation config given a response response:

Let fieldValue be the result of getting a structured field value given `No-Vary-Search` and "dictionary" from response's header list.
Return the result of parsing a URL variation config () given fieldValue.

Examples The following illustrates how various inputs are parsed, in terms of their impact on the resulting no-vary params and vary params:

Input	Result
`No-Vary-Search: params=("a")`	no-vary params: « "`a`" » vary params: wildcard
`No-Vary-Search: except=("x")`	no-vary params: wildcard vary params: « "`x`" »
`No-Vary-Search: params=()`	no-vary params: (empty list) vary params: wildcard
`No-Vary-Search: except=()`	no-vary params: wildcard vary params: (empty list)

The following inputs are all invalid and will cause the default URL variation config to be returned:

No-Vary-Search: key-order="not a boolean"
No-Vary-Search: params="not an inner list"
No-Vary-Search: params=(not-a-string)
No-Vary-Search: params=?0
No-Vary-Search: params=?1
No-Vary-Search: params=?1, except=("x")
No-Vary-Search: params=("a"), except=("x")
No-Vary-Search: params=(), except=()
No-Vary-Search: except="not an inner list"
No-Vary-Search: except=(not-a-string)
No-Vary-Search: except=?1

The following inputs are valid, but somewhat unconventional. They are shown alongside their more conventional form.

Input	Conventional form
`No-Vary-Search: key-order=?1`	`No-Vary-Search: key-order`
`No-Vary-Search: except=("x")`, key-order	`No-Vary-Search: key-order, except=("x")`
`No-Vary-Search: params=()`	(omit the header field)
`No-Vary-Search: key-order=?0`	(omit the header field)

Parse a key To parse a key given an ASCII string keyString:

Let keyBytes be the isomorphic encoding of keyString.
Replace any 0x2B (+) in keyBytes with 0x20 (SP).
Let keyBytesDecoded be the percent-decoding of keyBytes.
Let keyStringDecoded be the UTF-8 decoding without BOM of keyBytesDecoded.
Return keyStringDecoded.

Examples The parse a key algorithm allows encoding non-ASCII key strings in the ASCII structured header field format, similar to how the application/x-www-form-urlencoded format allows encoding an entire entry list of keys and values in a URI (which is restricted to ASCII characters). For example, No-Vary-Search: params=("%C3%A9+%E6%B0%97") will result in a URL variation config whose vary params are « "é 気" ». As explained in a later example, the canonicalization process during equivalence testing means this will treat as equivalent URIs such as:

https://example.com/?é 気=1
https://example.com/?é+気=2
https://example.com/?%C3%A9%20気=3
https://example.com/?%C3%A9+%E6%B0%97=4

and so on, since they all are parsed to having the same key "é 気".

Comparing Two URLs urlA and urlB are equivalent modulo variation config given a URL variation config variationConfig if the following algorithm returns true:

If the scheme, username, password, host, port, or path of urlA and urlB differ, then return false.
If variationConfig is equivalent to the default URL variation config, then:
1. If urlA's query equals urlB's query, then return true.
2. Return false.
In this case, even URL pairs that might appear the same after running the application/x-www-form-urlencoded parser on their queries, such as https://example.com/a and https://example.com/a?, or https://example.com/foo?a=b&&&c and https://example.com/foo?a=b&c=, will be treated as inequivalent.
Let searchParamsA and searchParamsB be empty lists.
If urlA's query is not null, then set searchParamsA to the result of running the application/x-www-form-urlencoded parser given the isomorphic encoding of urlA's query.
If urlB's query is not null, then set searchParamsB to the result of running the application/x-www-form-urlencoded parser given the isomorphic encoding of urlB's query.
If variationConfig's no-vary params is a list, then:
1. Set searchParamsA to a list containing those items pair in searchParamsA where variationConfig's no-vary params does not contain pair[0].
2. Set searchParamsB to a list containing those items pair in searchParamsB where variationConfig's no-vary params does not contain pair[0].
Otherwise, if variationConfig's vary params is a list, then:
1. Set searchParamsA to a list containing those items pair in searchParamsA where variationConfig's vary params contains pair[0].
2. Set searchParamsB to a list containing those items pair in searchParamsB where variationConfig's vary params contains pair[0].
If variationConfig's vary on key order is false, then:
1. Let keyLessThan be an algorithm taking as inputs two pairs (keyA, valueA) and (keyB, valueB), which returns whether keyA is code unit less than keyB.
2. Set searchParamsA to the result of sorting searchParamsA in ascending order with keyLessThan.
3. Set searchParamsB to the result of sorting searchParamsB in ascending order with keyLessThan.
If searchParamsA's size is not equal to searchParamsB's size, then return false.
Let i be 0.
While i < searchParamsA's size:
1. If searchParamsA[i][0] does not equal searchParamsB[i][0], then return false.
2. If searchParamsA[i][1] does not equal searchParamsB[i][1], then return false.
3. Set i to i + 1.
Return true.

Examples Due to how the application/x-www-form-urlencoded parser canonicalizes query strings, there are some cases where query strings which do not appear obviously equivalent, will end up being treated as equivalent after parsing. So, for example, given any non-default value for No-Vary-Search, such as No-Vary-Search: key-order, we will have the following equivalences:

First Query	Second Query	Explanation
null	`?`	A null query is parsed the same as an empty string
`?a=x`	`?%61=%78`	Parsing performs percent-decoding
`?a=é`	`?a=%C3%A9`	Parsing performs percent-decoding
`?a=%f6`	`?a=%ef%bf%bd`	Both values are parsed as U+FFFD ( )
`?a=x&&&&`	`?a=x`	Parsing splits on `&` and discards empty strings
`?a=`	`?a`	Both parse as having an empty string value for `a`
`?a=%20`	`?a= &`	`%20` is parsed as U+0020 SPACE
`?a=+`	`?a= &`	`+` is parsed as U+0020 SPACE

Caching If a cache implements this specification, the presented target URI requirement in :

the presented target URI () and that of the stored response match, and

is replaced with:

the presented target URI () and that of the stored response match or are equivalent modulo URL variation config, and

Cache implementations MAY fail to reuse a stored response whose target URI matches only modulo URL variation config, if the cache has more recently stored a response which:

has a target URI which is equal to the presented target URI, excluding the query, and
has a non-empty value for the No-Vary-Search field, and
has a No-Vary-Search field value different from the stored response being considered for reuse.

Caches aren't required to reuse stored responses, generally. However, the above expressly empowers caches to, if it is advantageous for performance or other reasons, search a smaller number of stored responses. That is, because caches might store more than one response for a given pathname, they need a way to efficiently look up the No-Vary-Search value without accessing all cached responses. Such a cache might take steps like the following to identify a stored response in a performant way, before checking the other conditions in :

Let exactMatch be cache[presentedTargetURI]. If it is a stored response that can be reused, return it.
Let targetPath be presentedTargetURI, with query parameters removed.
Let lastNVS be mostRecentNVS[targetPath]. If it does not exist, return null.
Let simplifiedURL be the result of simplifying presentedTargetURI according to lastNVS (by removing query parameters which are not significant, and stable sorting parameters by key, if key order is to be be ignored).
Let nvsMatch be cache[simplifiedURL]. If it does not exist, return null. (It is assumed that this was written when storing in the cache, in addition to the exact URL.)
Let variationConfig be obtained () from nvsMatch.
If nvsMatch's target URI and presentedTargetURI are not equivalent modulo URL variation config () given variationConfig, then return null.
If nvsMatch is a stored response that can be reused, return it. Otherwise, return null.

To aid cache implementation efficiency, servers SHOULD NOT send different non-empty values for the No-Vary-Search field in response to requests for a given pathname over time, unless there is a need to update how they handle the query component. Doing so would cause cache implementations that use a strategy like the above to miss some stored responses that could otherwise have been reused.

Security Considerations The main risk to be aware of is the impact of mismatched URLs. In particular, this could cause the user to see a response that was originally fetched from a URL different from the one displayed when they hovered a link, or the URL displayed in the URL bar. However, since the impact is limited to query parameters, this does not cross the relevant security boundary, which is the origin . (Or perhaps just the host, from the perspective of web browser security UI. ) Indeed, we have already given origins complete control over how they present the (URL, response body) pair, including on the client side via technology such as history.replaceState() or service workers.

Privacy Considerations This proposal is adjacent to the highly-privacy-relevant space of navigational tracking, which often uses query parameters to pass along user identifiers. However, we believe this proposal itself does not have privacy impacts. It does not interfere with existing navigational tracking mitigations, or any known future ones being contemplated. Indeed, if a page were to encode user identifiers in its URI, the only ability this proposal gives is to reduce such user tracking by preventing server processing of such user IDs (since the server is bypassed in favor of the cache).

IANA Considerations

HTTP Field Names IANA is requested to enter the following into the Hypertext Transfer Protocol (HTTP) Field Name Registry (https://www.iana.org/assignments/http-fields/http-fields.xhtml):

Field Name:: No-Vary-Search
Status:: permanent
Structured Type:: Dictionary
Reference:: this document
Comments:: (none)

References Normative References Uniform Resource Identifier (URI): Generic Syntax HTTP Semantics HTTP Caching Fetch Living Standard Apple Inc. n.d. WHATWG Structured Field Values for HTTP Encoding Living Standard Apple Inc. n.d. WHATWG Infra Living Standard Apple Inc. Google LLC n.d. WHATWG URL Living Standard Apple Inc. n.d. WHATWG Key words for use in RFCs to Indicate Requirement Levels Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words Informative References HTML Living Standard Apple Inc. n.d. WHATWG Navigational-Tracking Mitigations Brave Software, Inc. Google LLC n.d. W3C Privacy CG

Acknowledgments This document benefited from valuable reviews and suggestions by:

Adam Rice
Julian Reschke
Kevin McNee
Liviu Tinta
Mark Nottingham
Martin Thomson
Valentin Gosu