RFC 3023//4-

RFC 3023//4-

[1] RFC 3023RFC 2679 の差分, そしてその和訳。 詳しくは ..// 参照。

5 4. The Byte Order Mark (BOM) and Conversions to/from the UTF-16 Charset バイト順マーク (BOM) 及び UTF-16 charset への又は UTF-16 charset からの変換

   The XML Recommendation, in section Section 4.3.3, of [XML]  specifies that UTF-16 XML MIME entities
   in the charset "utf-16" MUST must begin with a byte order mark (BOM), which is the ZERO WIDTH NO-BREAK SPACE character, a
   hexadecimal octet sequence 0xFEFF 0xFE 0xFF (or 0xFFFE 0xFF 0xFE, depending on
   endian).  The XML Recommendation further states that the BOM is an
   encoding signature, and is not part of either the markup or the
   character data of the XML document.
   Due to the presence of the BOM, applications which that convert the UTF-16 encoding XML from "utf-16" to another a non-Unicode encoding SHOULD MUST strip the BOM before
   conversion.  Similarly, when converting from another encoding into
   UTF-16 "utf-16", the BOM SHOULD MUST be added after conversion is complete.

In addition to the charset "utf-16", [RFC2781] introduces "utf-16le" (little endian) and "utf-16be" (big endian) as well. The BOM is prohibited for these charsets. When an XML MIME entity is encoded in "utf-16le" or "utf-16be", it MUST NOT begin with the BOM but SHOULD contain an encoding declaration. Conversion from "utf-16" to "utf- 16be" or "utf-16le" and conversion in the other direction MUST strip or add the BOM, respectively.

5. Fragment Identifiers

Section 4.1 of [RFC2396] notes that the semantics of a fragment identifier (the part of a URI after a "#") is a property of the data resulting from a retrieval action, and that the format and interpretation of fragment identifiers is dependent on the media type of the retrieval result.

RFC 2396 の4.1節は、素片識別子 (URI# の後の部分) の意味は取出し動作の結果得られるデータの特性であり、 素片識別子の書式と解釈は取出し結果の媒体型に依存すると注記しています。

As of today, no established specifications define identifiers for XML media types. However, a working draft published by W3C, namely "XML Pointer Language (XPointer)", attempts to define fragment identifiers for text/xml and application/xml. The current specification for XPointer is available at http://www.w3.org/TR/xptr.

現在のところ、 XML 媒体型の識別しを定義する仕様書として確立されたものはありません。 しかし、 W3CXML 指示子言語 (XPointer) という作業原案を発表しており、 text/xmlapplication/xml の素片識別子を定義しようとしています。 XPointer の最新の仕様書は http://www.w3.org/TR/xptr から入手できます。

6. The Base URI

Section 5.1 of [RFC2396] specifies that the semantics of a relative URI reference embedded in a MIME entity is dependent on the base URI. The base URI is either (1) the base URI embedded in the MIME entity, (2) the base URI of the encapsulating MIME entity, (3) the URI used to retrieve the MIME entity, or (4) the application-dependent default base URI, where (1) has the highest precedence. [RFC2396] further specifies that the mechanism for embedding the base URI is dependent on the media type.

As of today, no established specifications define mechanisms for embedding the base URI in XML MIME entities. However, a Proposed Recommendation published by W3C, namely "XML Base", attempts to define such a mechanism for text/xml, application/xml, text/xml-external-parsed-entity, and application/xml-external-parsed-entity. The current specification for XML Base is available at http://www.w3.org/TR/xmlbase.

7. A Naming Convention for XML-Based Media Types

This document recommends the use of a naming convention (a suffix of '+xml') for identifying XML-based MIME media types, whatever their particular content may represent. This allows the use of generic XML processors and technologies on a wide variety of different XML document types at a minimum cost, using existing frameworks for media type registration.

Although the use of a suffix was not considered as part of the original MIME architecture, this choice is considered to provide the most functionality with the least potential for interoperability problems or lack of future extensibility. The alternatives to the ' +xml' suffix and the reason for its selection are described in Appendix A.

As XML development continues, new XML document types are appearing rapidly. Many of these XML document types would benefit from the identification possibilities of a more specific MIME media type than text/xml or application/xml can provide, and it is likely that many new media types for XML-based document types will be registered in the near and ongoing future.

While the benefits of specific MIME types for particular types of XML documents are significant, all XML documents share common structures and syntax that make possible common processing.

Some areas where 'generic' processing is useful include:

   o  Browsing - An XML browser can display any XML document with a
      provided [CSS] or [XSLT] style sheet, whatever the vocabulary of
      that document.
   o  Editing - Any XML editor can read, modify, and save any XML
      document.
   o  Fragment identification - XPointers (work in progress) can work
      with any XML document, whatever vocabulary it uses and whether or
      not it uses XPointer for its own fragment identification.
   o  Hypertext linking - XLink (work in progress) hypertext linking is
      designed to connect any XML documents, regardless of vocabulary.
   o  Searching - XML-oriented search engines, web crawlers, agents, and
      query tools should be able to read XML documents and extract the
      names and content of elements and attributes even if the tools are
      ignorant of the particular vocabulary used for elements and
      attributes.
   o  Storage - XML-oriented storage systems, which keep XML documents
      internally in a parsed form, should similarly be able to process,
      store, and recreate any XML document.
   o  Well-formedness and validity checking - An XML processor can
      confirm that any XML document is well-formed and that it is valid
      (i.e., conforms to its declared DTD or Schema).
   When a new media type is introduced for an XML-based format, the name
   of the media type SHOULD end with '+xml'.  This convention will allow
   applications that can process XML generically to detect that the MIME
   entity is supposed to be an XML document, verify this assumption by
   invoking some XML processor, and then process the XML document
   accordingly.  Applications may match for types that represent XML
   MIME entities by comparing the subtype to the pattern '*/*+xml'.  (Of
   course, 4 of the 5 media types defined in this document -- text/xml,
   application/xml, text/xml-external-parsed-entity, and
   application/xml-external-parsed-entity -- also represent XML MIME
   entities while not conforming to the '*/*+xml' pattern.)
      NOTE: Section 14.1 of HTTP[RFC2616] does not support Accept
      headers of the form "Accept: */*+xml" and so this header MUST NOT
      be used in this way.  Instead, content negotiation[RFC2703] could
      potentially be used if an XML-based MIME type were needed.
   XML generic processing is not always appropriate for XML-based media
   types.  For example, authors of some such media types may wish that
   the types remain entirely opaque except to applications that are
   specifically designed to deal with that media type.  By NOT following
   the naming convention '+xml', such media types can avoid XML-generic
   processing.  Since generic processing will be useful in many cases,
   however -- including in some situations that are difficult to predict
   ahead of time -- those registering media types SHOULD use the '+xml'
   convention unless they have a particularly compelling reason not to.
   The registration process for these media types is described in
   [RFC2048].  The registrar for the IETF tree will encourage new XML-
   based media type registrations in the IETF tree to follow this
   guideline.  Registrars for other trees SHOULD follow this convention
   in order to ensure maximum interoperability of their XML-based
   documents.  Similarly, media subtypes that do not represent XML MIME
   entities MUST NOT be allowed to register with a '+xml' suffix.

7.1 Referencing

   Registrations for new XML-based media types under the top-level type
   "text" SHOULD, in specifying the charset parameter and encoding
   considerations, define them as: "Same as [charset parameter /
   encoding considerations] of text/xml as specified in RFC 3023."
   Registrations for new XML-based media types under top-level types
   other than "text" SHOULD, in specifying the charset parameter and
   encoding considerations, define them as: "Same as [charset parameter
   / encoding considerations] of application/xml as specified in RFC
   3023."
   The use of the charset parameter is STRONGLY RECOMMENDED, since this
   information can be used by XML processors to determine
   authoritatively the charset of the XML MIME entity.
   These registrations SHOULD specify that the XML-based media type
   being registered has all of the security considerations described in
   RFC 3023 plus any additional considerations specific to that media
   type.
>These registrations SHOULD also make reference to RFC 3023 in
specifying magic numbers, fragment identifiers, base URIs, and use of
the BOM.
>These registrations MAY reference the text/xml registration in RFC
3023 in specifying interoperability considerations, if these
considerations are not overridden by issues specific to that media
type.

6 8. Examples

The examples below give the value of the MIME Content-type MIME header and the XML declaration (which includes the encoding declaration) inside the XML MIME entity. For UTF-16 examples, the Byte Order Mark character is denoted as "{BOM}", and the XML declaration is assumed to come at the beginning of the XML MIME entity, immediately following the BOM. Note that other MIME headers may be present, and the XML MIME entity may contain other data in addition to the XML declaration; the examples focus on the Content-type header and the encoding declaration for clarity.

68.1 Text/xml with UTF-8 Charset

   Content-type: text/xml; charset="utf-8"
   <?xml version="1.0" encoding="utf-8"?>
   This is the recommended charset value for use with text/xml.  Since
   the charset parameter is provided, MIME and XML processors must MUST treat
   the enclosed entity as UTF-8 encoded.
   If sent using a 7-bit transport (e.g., SMTP[RFC0821] ), the XML MIME
   entity must MUST use a content-transfer-encoding of either 
   quoted-printable or base64.  For an 8-bit clean transport (e.g., ESMTP, 8BITMIME
   ESMTP or NNTP), or a binary clean transport (e.g., HTTP), no
   content-transfer-encoding is necessary.

68.2 Text/xml with UTF-16 Charset

   Content-type: text/xml; charset="utf-16"
   {BOM}<?xml version='1.0' encoding='utf-16'?>
   or
   {BOM}<?xml version='1.0'?>

This is possible only when the XML MIME entity is transmitted via HTTP, which uses a MIME-like mechanism and is a binary-clean protocol, hence does not perform CR and LF transformations and allows NUL octets. This differs from typical text MIME type processing (see section 19.4.1 of HTTP 1.1 [RFC-2068] for details). As described in [RFC2781], the UTF-16 family MUST NOT be used with media types under the top-level type "text" except over HTTP (see section 19.4.1 of [RFC2616] for details).

Since HTTP is binary clean, no content-transfer-encoding is necessary.

8.3 Text/xml with UTF-16BE Charset

   Content-type: text/xml; charset="utf-16be"
   <?xml version='1.0' encoding='utf-16be'?>

Observe that the BOM does not exist. This is again possible only when the XML MIME entity is transmitted via HTTP.

6.3 8.4 Text/xml with ISO-2022-KR Charset

   Content-type: text/xml; charset="iso-2022-kr"
   <?xml version="1.0" encoding='iso-2022-kr'?>
   This example shows text/xml with a Korean charset (e.g., Hangul)
   encoded following the specification in DEL[-1557].  Since the charset
   parameter is provided, MIME and XML processors must MUST treat the
   enclosed entity as encoded per [RFC-1557]  RFC 1557.
   Since ISO-2022-KR has been defined to use only 7 bits of data, no
   content-transfer-encoding is necessary with any transport.

6.4 8.5 Text/xml with Omitted Charset

   Content-type: text/xml
   {BOM}<?xml version="1.0" encoding="utf-16"?>

or

   {BOM}<?xml version="1.0"?>
   This example shows text/xml with the charset parameter omitted.  In
   this case, MIME and XML processors must MUST assume the charset is "us-ascii", the default charset value for text media types specified in
   DEL[-2046].  The default of "us-ascii" holds even if the text/xml
   entity is transported using HTTP.
   Omitting the charset parameter is NOT RECOMMENDED for text/xml.  For
   example, even if the contents of the XML MIME entity are UTF-16 or
   UTF-8, or the XML MIME entity has an explicit encoding declaration,
   XML and MIME processors must [MUST assume the charset is "us-ascii".

6.5 8.6 Application/xml with UTF-16 Charset

   Content-type: application/xml; charset="utf-16"
   {BOM}<?xml version="1.0" encoding="utf-16"?>

or

   {BOM}<?xml version="1.0"?>
   This is a recommended charset value for use with application/xml.
   Since the charset parameter is provided, MIME and XML processors must MUST
   treat the enclosed entity as UTF-16 encoded.
   If sent using a 7-bit transport (e.g., SMTP) or an 8-bit clean
   transport (e.g., ESMTP, 8BITMIME ESMTP or NNTP), the XML MIME entity must MUST be
   encoded in quoted-printable or base64.  For a binary clean transport
   (e.g., HTTP), no content-transfer-encoding is necessary.

8.7 Application/xml with UTF-16BE Charset

   Content-type: application/xml; charset="utf-16be"
   <?xml version='1.0' encoding='utf-16be'?>
   Observe that the BOM does not exist.  Since the charset parameter is
   provided, MIME and XML processors MUST treat the enclosed entity as
   UTF-16BE encoded.

6.6 8.8 Application/xml with ISO-2022-KR Charset

   Content-type: application/xml; charset="iso-2022-kr"
   <?xml version="1.0" encoding="iso-2022-kr"?>
   This example shows application/xml with a Korean charset (e.g.,
   Hangul) encoded following the specification in DEL[-1557].  Since the
   charset parameter is provided, MIME and XML processors must MUST treat the
   enclosed entity as encoded per [RFC-1557]  RFC 1557, independent of whether the
   XML MIME entity has an internal encoding declaration (this example
   does show such a declaration, which agrees with the charset
   parameter).
   Since ISO-2022-KR has been defined to use only 7 bits of data, no
   content-transfer-encoding is necessary with any transport.

6.7 8.9 Application/xml with Omitted Charset and UTF-16 XML MIME Entity

   Content-type: application/xml
   {BOM}<?xml version='1.0' encoding="utf-16"?>

or

   {BOM}<?xml version='1.0'?>
   For this example, the XML MIME entity begins with a BOM.  Since the
   charset has been omitted, a conforming XML processor follows the
   requirements of DEL[REC-XML], section 4.3.3.  Specifically, the XML
   processor reads the BOM, and thus knows deterministically that the
   charset encoding is UTF-16.
   An XML-unaware MIME processor should SHOULD make no assumptions about the
   charset of the XML MIME entity.

6.8 8.10 Application/xml with Omitted Charset and UTF-8 Entity

   Content-type: application/xml
   <?xml version='1.0'?>
   In this example, the charset parameter has been omitted, and there is
   no BOM.  Since there is no BOM, the XML processor follows the
   requirements in section 4.3.3 of [XML] , and optionally applies the
   mechanism described in Appendix F (which is non-normative) of DEL[REC-XML]
   to determine the charset encoding of UTF-8.  The XML MIME entity does
   not contain an encoding declaration, but since the encoding is UTF-8,
   this is still a conforming XML MIME entity.
   An XML-unaware MIME processor should SHOULD make no assumptions about the
   charset of the XML MIME entity.

6.9 8.11 Application/xml with Omitted Charset and Internal Encoding Declaration

   Content-type: application/xml
   <?xml version='1.0' encoding="ISO-10646-UCS-4"?>
   <?xml version='1.0' encoding="iso-10646-ucs-4"?>
   In this example, the charset parameter has been omitted, and there is
   no BOM.  However, the XML MIME entity does have an encoding
   declaration inside the XML MIME entity that specifies the entity's
   charset.  Following the requirements in section 4.3.3 of [XML] , and
   optionally applying the mechanism described in Appendix F (non-
   normative) of DEL[REC-XML], the XML processor determines the charset of the
   XML MIME entity (in this example, UCS-4).
   An XML-unaware MIME processor should SHOULD make no assumptions about the
   charset of the XML MIME entity.

8.12 Text/xml-external-parsed-entity with UTF-8 Charset

   Content-type: text/xml-external-parsed-entity; charset="utf-8"
   <?xml encoding="utf-8"?>
   This is the recommended charset value for use with text/xml-
   external-parsed-entity.  Since the charset parameter is provided,
   MIME and XML processors MUST treat the enclosed entity as UTF-8
   encoded.
   If sent using a 7-bit transport (e.g., SMTP), the XML MIME entity
   MUST use a content-transfer-encoding of either quoted-printable or
   base64.  For an 8-bit clean transport (e.g., 8BITMIME ESMTP or NNTP),
   or a binary clean transport (e.g., HTTP) no content-transfer-encoding
   is necessary.

8.13 Application/xml-external-parsed-entity with UTF-16 Charset

   Content-type: application/xml-external-parsed-entity;
    charset="utf-16"

   {BOM}<?xml encoding="utf-16"?>

or

または

   {BOM}<?xml?>

編注: Errata http://www.rfc-editor.org/errata.html で削除されました。

This is a recommended charset value for use with application/xml-external-parsed-entity. Since the charset parameter is provided, MIME and XML processors MUST treat the enclosed entity as UTF-16 encoded.

これは application/xml-external-parsed-entity で使う推奨 charset 値です。 charset 引数がしていされていますから、 MIME 及び XML の処理系は囲まれている実体が UTF-16 で符号化されたものとして扱わなければなりません

If sent using a 7-bit transport (e.g., SMTP) or an 8-bit clean transport (e.g., 8BITMIME ESMTP or NNTP), the XML MIME entity MUST be encoded in quoted-printable or base64. For a binary clean transport (e.g., HTTP), no content-transfer-encoding is necessary.

7ビット転送路 (たとえば SMTP) または8-bit clean転送路 (たとえば 8BITMIME ESMTP や NNTP) を使って送るときには、 XML MIME 実体は quoted-printable 又は base64 で符号化しなければなりませんbinary clean転送路 (たとえば HTTP) では、content transfer encodingは不要です。

8.14 Application/xml-external-parsed-entity with UTF-16BE Charset

   Content-type: application/xml-external-parsed-entity;
    charset="utf-16be"
   <?xml encoding="utf-16be"?>
   Since the charset parameter is provided, MIME and XML processors MUST
   treat the enclosed entity as UTF-16BE encoded.

8.15 Application/xml-dtd

   Content-type: application/xml-dtd; charset="utf-8"
   <?xml encoding="utf-8"?>
   Charset "utf-8" is a recommended charset value for use with
   application/xml-dtd.  Since the charset parameter is provided, MIME
   and XML processors MUST treat the enclosed entity as UTF-8 encoded.

8.16 Application/mathml+xml

   Content-type: application/mathml+xml
   <?xml version="1.0" ?>
   MathML documents are XML documents whose content describes
   mathematical information, as defined by [MathML].  As a format based
   on XML, MathML documents SHOULD use the '+xml' suffix convention in
   their MIME content-type identifier.  However, no content type has yet
   been registered for MathML and so this media type should not be used
   until such registration has been completed.

8.17 Application/xslt+xml

   Content-type: application/xslt+xml
   <?xml version="1.0" ?>
   Extensible Stylesheet Language (XSLT) documents are XML documents
   whose content describes stylesheets for other XML documents, as
   defined by [XSLT].  As a format based on XML, XSLT documents SHOULD
   use the '+xml' suffix convention in their MIME content-type
   identifier.  However, no content type has yet been registered for
   XSLT and so this media type should not be used until such
   registration has been completed.

8.18 Application/rdf+xml

   Content-type: application/rdf+xml
   <?xml version="1.0" ?>
   RDF documents identified using this MIME type are XML documents whose
   content describes metadata, as defined by [RDF].  As a format based
   on XML, RDF documents SHOULD use the '+xml' suffix convention in
   their MIME content-type identifier.  However, no content type has yet
   been registered for RDF and so this media type should not be used
   until such registration has been completed.

8.19 Image/svg+xml

   Content-type: image/svg+xml
   <?xml version="1.0" ?>
   Scalable Vector Graphics (SVG) documents are XML documents whose
   content describes graphical information, as defined by [SVG].  As a
   format based on XML, SVG documents SHOULD use the '+xml' suffix
   convention in their MIME content-type identifier.  However, no
   content type has yet been registered for SVG and so this media type
   should not be used until such registration has been completed.

8.20 INCONSISTENT EXAMPLE: Text/xml with UTF-8 Charset

   Content-type: text/xml; charset="utf-8"
   <?xml version="1.0" encoding="iso-8859-1"?>
   Since the charset parameter is provided in the Content-Type header,
   MIME and XML processors MUST treat the enclosed entity as UTF-8
   encoded.  That is, the "iso-8859-1" encoding MUST be ignored.
   Processors generating XML MIME entities MUST NOT label conflicting
   charset information between the MIME Content-Type and the XML
   declaration.

9. IANA Considerations

As described in Section 7, this document updates the [RFC2048] registration process for XML-based MIME types.

4 10. Security Considerations

XML, as a subset of SGML, has all of the same security considerations as specified in DEL[-1874], and likely more, due to its expected ubiquitous deployment.

   To paraphrase section 3 of [RFC-1874]  RFC 1874, XML MIME entities contain
   information to be parsed and processed by the recipient's XML system.
   These entities may contain and such systems may permit explicit
   system level commands to be executed while processing the data.  To
   the extent that an XML system will execute arbitrary command strings,
   recipients of XML MIME entities may be a risk.  In general, it may be
   possible to specify commands that perform unauthorized file
   operations or make changes to the display processor's environment
   that affect subsequent operations.
   In general, any information stored outside of the direct control of
   the user -- including CSS style sheets, XSL transformations, entity
   declarations, and DTDs -- can be a source of insecurity, by either
   obvious or subtle means.  For example, a tiny "whiteout attack"
   modification made to a "master" style sheet could make words in
   critical locations disappear in user documents, without directly
   modifying the user document or the stylesheet it references.  Thus,
   the security of any XML document is vitally dependent on all of the
   documents recursively referenced by that document.
   The entity lists and DTDs for XHTML 1.0[XHTML], for instance, are
   likely to be a commonly used set of information.  Many developers
   will use and trust them, few of whom will know much about the level
   of security on the W3C's servers, or on any similarly trusted
   repository.
   The simplest attack involves adding declarations that break
   validation.  Adding extraneous declarations to a list of character
   entities can effectively "break the contract" used by documents.  A
   tiny change that produces a fatal error in a DTD could halt XML
   processing on a large scale.  Extraneous declarations are fairly
   obvious, but more sophisticated tricks, like changing attributes from
   being optional to required, can be difficult to track down.  Perhaps
   the most dangerous option available to crackers is redefining default
   values for attributes: e.g., if developers have relied on defaulted
   attributes for security, a relatively small change might expose
   enormous quantities of information.
   Apart from the structural possibilities, another option, "entity
   spoofing," can be used to insert text into documents, vandalizing and
   perhaps conveying an unintended message.  Because XML 1.0 permits
   multiple entity declarations, and the first declaration takes
   precedence, it's possible to insert malicious content where an entity
   is used, such as by inserting the full text of Winnie the Pooh in
   every occurrence of &mdash;.
   Use of the digital signatures work currently underway by the xmldsig
   working group may eventually ameliorate the dangers of referencing
   external documents not under one's own control.
   Use of XML is expected to be varied, and widespread.  XML is under
   scrutiny by a wide range of communities for use as a common syntax
   for community-specific metadata.  For example, the Dublin
   Core[RFC2413]  group is using XML for document metadata, and a new
   effort has begun which that is considering use of XML for medical
   information.  Other groups view XML as a mechanism for marshalling
   parameters for remote procedure calls.  More uses of XML will
   undoubtedly arise.
   Security considerations will vary by domain of use.  For example, XML
   medical records will have much more stringent privacy and security
   considerations than XML library metadata.  Similarly, use of XML as a
   parameter marshalling syntax necessitates a case by case security
   review.
   XML may also have some of the same security concerns as plain text.
   Like plain text, XML can contain escape sequences which that, when
   displayed, have the potential to change the display processor
   environment in ways that adversely affect subsequent operations.
   Possible effects include, but are not limited to, locking the
   keyboard, changing display parameters so subsequent displayed text is
   unreadable, or even changing display parameters to deliberately
   obscure or distort subsequent displayed material so that its meaning
   is lost or altered.  Display processors should SHOULD either filter such
   material from displayed text or else make sure to reset all important
   settings after a given display operation is complete.
   Some terminal devices have keys whose output, when pressed, can be
   changed by sending the display processor a character sequence.  If
   this is possible the display of a text object containing such
   character sequences could reprogram keys to perform some illicit or
   dangerous action when the key is subsequently pressed by the user.
   In some cases not only can keys be programmed, they can be triggered
   remotely, making it possible for a text display operation to directly
   perform some unwanted action.  As such, the ability to program keys
   should SHOULD be blocked either by filtering or by disabling the ability to
   program keys entirely.
   Note that it is also possible to construct XML documents which that make
   use of what XML terms "entity references" (using the XML meaning of
   the term "entity", which differs from the MIME definition of this term as described in Section 2), to construct repeated
   expansions of text.  Recursive expansions are prohibited by DEL[REC-XML] and
   XML processors are required to detect them.  However, even 
   non-recursive expansions may cause problems with the finite computing
   resources of computers, if they are performed many times.

License

RFCのライセンス

メモ