http-headersrfciana

Who defines the rules of the internet (if not the RFCs) and where are they?

As far as I know, everything about the Internet is (or rather should be?) defined and documented in the RFCs. I found a listing of several HTTP-headers on mozilla.org (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers), which I assumed to be second-hand knowledge taken from the RFCs. However most of the security-related HTTP-headers are neither in the RFCs (source: https://www.rfc-editor.org/search/rfc_search_detail.php?title=Content-Security-Policy) nor in the HTTP-headers suggested by IANA (source: https://www.iana.org/assignments/message-headers/message-headers.xhtml)

  1. Is there a commitee that decides on such conventions and a central place where I can always find first-hand information about the rules of the internet?
  2. How do programmers of critical applications know which features they have to implement to keep their software up-to-date with the rest of the internet?
  3. How can programmers be sure their software is implemented perfectly according to the rules and works in harmony with the rest of the internet. E.g. somebody who programs an FTP-client (assuming they are not making use of libraries) has to make sure their understanding of the FTP-protocol is the same as that of every single FTP-server-application, right?
Solution

  • The RFCs stand as a final approved documentation. In your case the HTTP is under the HTTP Working Group so some new features which some browsers already support are being discussed in this group. Expanding the idea, some security headers present in HTTP may be from other groups and just referenced in HTTP RCFs. The Content Security Policy is documented in the RFC 7762 not that it's tagged as informational.

    1. Each area has its Working groups, in this case HTTP is nested in ART (Applications And Real-Time Area). Each of those groups compile, revise and publish new specifications. As an example you can see HTTP(httpbis) charter

    2. There's two options, implement based on the RCFs and its references or follow the Working Group directives and references. Using only RFCs is more secure and interoperable but will eventually be outdated until a new RFC is published.

    3. The only way is to implement what is documented under the RFCs. It's part o the internet concept, new features or standards will take a while to be fully documented and it's up to developer research and implement those.