Copyright © 2017 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and permissive document license rules apply.
WebSub provides a common mechanism for communication between publishers of any kind of Web content and their subscribers, based on HTTP web hooks. Subscription requests are relayed through hubs, which validate and verify the request. Hubs then distribute new and updated content to subscribers when it becomes available. WebSub was previously known as PubSubHubbub.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
This document was published by the Social Web Working Group as a Proposed Recommendation. This document is intended to become a W3C Recommendation. Comments regarding this document are welcome. Please send them to public-socialweb@w3.org (subscribe, archives). The W3C Membership and other interested parties are invited to review the document and send comments to public-socialweb@w3.org (subscribe, archives) through 03 November 2017. Advisory Committee Representatives should consult their WBS questionnaires. Note that substantive technical comments were expected during the Candidate Recommendation review period that ended 02 October 2017.
Please see the Working Group's implementation report.
Publication as a Proposed Recommendation does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
This document is governed by the 1 March 2017 W3C Process Document.
The following features are at risk; if interoperable implementations are not found, they may be removed to advance the other features in this specification to Recommendation:
(This section is non-normative.)
Earlier versions of this protocol were called PubSubHubbub:
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", " SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
WebSub describes three roles: publishers, subscribers and hubs. This section describes the conformance criteria for each role.
A conforming subscriber:
A conforming hub:
hub.callback
, hub.mode
and hub.topic
.hub.secret
parameter.X-Hub-Signature
header if the subscription was made with a hub.secret
as described in Authenticated Content Distribution.For this specification to exit the CR stage, there must be at least two independent, interoperable implementations of each feature. Each feature may be implemented by a different set of products. There is no requirement that all features be implemented by a single product. For the purposes of this criterion, we define the following terms:
A WebSub Publisher is an implementation that advertises a topic and hub URL on one or more resource URLs. The conformance criteria are described in Conformance Classes above.
A WebSub Subscriber is an implementation that discovers the hub and topic URL given a resource URL, subscribes to updates at the hub, and accepts content distribution requests from the hub. The subscriber MAY support authenticated content distribution. The conformance criteria are described in Conformance Classes above.
A WebSub Hub is an implementation that handles subscription requests and delivers notifications to subscribers when the corresponding topic URL has been updated. Hubs MUST support subscription requests with a secret and deliver authenticated notifications when requested. Hubs MUST deliver the full contents of the topic URL in the notification, and MAY reduce the payload to a diff if the content type supports it. The conformance criteria are described in Conformance Classes above.
Each implementation must be developed by a different party and cannot share, reuse, or derive from code used by another qualifying implementation. Sections of code that have no bearing on the implementation of this specification are exempt from this requirement.
A Subscriber and Hub implementation are considered interoperable for a specific feature when the Hub takes the defined action that the Subscriber requests, the Subscriber gets the expected response from a Hub according to the feature, and the Hub sends the expected response to the Subscriber.
For the purposes of evaluating exit criteria, each of the following is considered a feature:
The discovery mechanism aims at identifying at least 2 URLs.
The protocol currently supports the following discovery mechanisms. Publishers MUST implement at least one of them:
GET /feed HTTP/1.1
Host: example.com
HTTP/1.1 200 Ok
Content-type: text/html
Link: <https://hub.example.com/>; rel="hub"
Link: <http://example.com/feed>; rel="self"
<!doctype html>
<html>
<head>
<link rel="hub" href="https://hub.example.com/">
<link rel="self" href="http://example.com/feed">
</head>
<body>
...
</body>
</html>
When perfoming discovery, subscribers MUST implement all three discovery mechanisms in the following order, stopping at the first match:
For practical purposes, it is important that the rel=self URL only offers a single representation. As the hub has no way of knowing what mime-type or language may have been requested by the subscriber upon discovery, it would not be able to perform notifications using the appropriate representation of the document.
It is, however, possible to perform content negotiation by returning an appropriate rel=self URL according to the HTTP headers used in the initial discovery request. For example, a request to /feed with an Accept header containing application/json could return a rel=self value of /feed.json.
The example below illustrates how a topic URL can return different Link headers depending on the Accept header that was sent.
GET /feed HTTP/1.1
Host: example.com
Accept: application/json
HTTP/1.1 200 Ok
Content-type: application/json
Link: </feed.json>; rel="self"
Link: <https://hub.example.com/>; rel="hub"
{
"items": [...]
}
GET /feed HTTP/1.1
Host: example.com
Accept: text/html
HTTP/1.1 200 Ok
Content-type: text/html
Link: </feed.html>; rel="self"
Link: <https://hub.example.com/>; rel="hub"
<html>
...
Similarly, the technique can also be used to return a different rel=self URL depending on the language requested by the Accept-Language header.
GET /feed HTTP/1.1
Host: example.com
Accept-Language: de-DE
HTTP/1.1 200 Ok
Content-type: text/html
Link: </feed-de.json>; rel="self"
Link: <https://hub.example.com/>; rel="hub"
{
"items": [...]
}
Subscribing to a topic URL consists of four parts that may occur immediately in sequence or have a delay.
Unsubscribing works in the same way, except with a single parameter changed to indicate the desire to unsubscribe. Also, the Hub will not validate unsubscription requests with the publisher.
Subscription is initiated by the subscriber making an HTTPS or HTTP POST [RFC7231] request to the hub URL. This request MUST have a Content-Type header of application/x-www-form-urlencoded (described in Section 4.10.22.6 [HTML5]), MUST use UTF-8 [Encoding] as the document character encoding, and MUST use the following parameters in its body, formatted accordingly:
Subscribers MAY also include additional HTTP [RFC7230] request parameters, as well as HTTP [RFC7230] Headers if they are required by the hub.
Hubs MUST ignore additional request parameters they do not understand.
Hubs MUST allow subscribers to re-request subscriptions that are already activated. Each subsequent request to a hub to subscribe or unsubscribe MUST override the previous subscription state for a specific topic URL and callback URL combination, but only once the action is verified (Section 4.3). If verification fails, the subscription state MUST be left unchanged. This is required so subscribers can renew their subscriptions before the lease seconds period is over without any interruption. The subscriber MAY use a new hub.secret value in a future subscription, and MAY make a new subscription without a hub.secret.
The topic and callback URLs MAY use HTTP or HTTPS [RFC7230] schemes. The topic URL MUST be the one advertised by the publisher in a Self Link Header during the discovery phase. (See Section 3 ). Hubs MAY refuse subscriptions if the topic URL does not correspond to the one advertised by the publisher. The topic URL can otherwise be free-form following the URL spec [WHATWG-URL]. Hubs MUST always decode non-reserved characters for these URL parameters; see section 1.2 on "Percent-encoded bytes" in [WHATWG-URL].
The callback URL SHOULD be an unguessable unique URL ([capability-urls]) and SHOULD use HTTPS [RFC7230]. The callback URL acts as authentication from the hub to the subscriber when confirming subscriptions and delivering notifications. Additionally, the callback SHOULD be unique (not re-used for multiple hubs) and changed when subscriptions are renewed.
The callback URL MAY contain arbitrary query string parameters (e.g., ?foo=bar&red=fish). Hubs MUST preserve the query string during subscription verification by appending new parameters to the end of the list using the & (ampersand) character to join. Existing parameters with names that overlap with those used by verification requests will not be overwritten. For event notification, the callback URL will be POSTed to including any query string parameters in the URL portion of the request, not as POST body parameters.
If the hub URL supports WebSub and is able to handle the subscription or unsubscription request, it MUST respond to a subscription request with an HTTP [RFC7231] 202 "Accepted" response to indicate that the request was received and will now be verified (Section 4.3 ) and validated (Section 4.2 ) by the hub. The hub SHOULD perform the verification and validation of intent as soon as possible.
If a hub finds any errors in the subscription request, an appropriate HTTP [RFC7231] error response code (4xx or 5xx) MUST be returned. In the event of an error, hubs SHOULD return a description of the error in the response body as plain text, used to assist the client developer in understanding the error. This is not meant to be shown to the end user. Hubs MAY decide to reject some callback URLs or topic URLs based on their own policies (e.g., domain authorization, topic URL port numbers). However, since verification and validation of intent are asynchronous steps that logically begin after the HTTP response has been returned, the HTTP response MUST NOT depend on the process or outcome of verification or validation.
If the hub URL is not able to handle subscription or unsubscription requests, it MAY redirect to another hub which supports WebSub. It does so by yielding an HTTP [RFC7231] 307 (temporary redirect) or 308 (permanent redirect) response. It MUST also include at least a HTTP [RFC7230] Location Header containing a preferred URL reference for the hub to use by the subscriber. The subscriber is expected to retry the subscription or unsubscription at the new hub URL.
Subscriptions MAY be validated by the Hubs who may require more details to accept or refuse a subscription. The Hub MAY also check with the publisher whether the subscription should be accepted.
If (and when), the subscription is accepted, the hub MUST perform the verification of intent of the subscriber.
If (and when), the subscription is denied, the hub MUST inform the subscriber by sending an HTTP [RFC7231] GET request to the subscriber's callback URL as given in the subscription request. This request has the following query string arguments appended (format described in Section 4 of [WHATWG-URL]):
Hubs may provide an additional HTTP [RFC7231] Location header (as described in section 7.1.2 of Hypertext Transfer Protocol [RFC7231]) to indicate that the subscriber may retry subscribing to a different hub.topic. This allows for limited distribution to specific groups or users in the context of social web applications.
The subscription MAY be denied by the hub at any point (even if it was previously accepted). The Subscriber SHOULD then consider that the subscription is not possible anymore.
In order to prevent an attacker from creating unwanted subscriptions on behalf of a subscriber (or unsubscribing desired ones), a hub must ensure that the subscriber did indeed send the subscription request.
The hub verifies a subscription request by sending an HTTP [RFC7231] GET request to the subscriber's callback URL as given in the subscription request. This request has the following query string arguments appended (format described in Section 4 of [WHATWG-URL]):
The subscriber MUST confirm that the hub.topic corresponds to a pending subscription or unsubscription that it wishes to carry out. If so, the subscriber MUST respond with an HTTP success (2xx) code with a response body equal to the hub.challenge parameter. If the subscriber does not agree with the action, the subscriber MUST respond with a 404 "Not Found" response.
The hub MUST consider other server response codes (3xx, 4xx, 5xx) to mean that the verification request has failed. If the subscriber returns an HTTP [RFC7231] success (2xx) but the content body does not match the hub.challenge parameter, the hub MUST also consider verification to have failed.
Hubs MAY make the hub.lease_seconds equal to the value the subscriber passed in their subscription request but MAY change the value depending on the hub's policies. To sustain a subscription, the subscriber MUST re-request the subscription on the hub before hub.lease_seconds seconds has elapsed.
Hubs MUST enforce lease expirations, and MUST NOT issue perpetual lease durations.
The spec uses GET vs POST to differentiate between the confirmation/denial of the subscription request and delivering the actual notification. While this is not considered "best practice" from a web architecture perspective, it does make implementation of the callback URL simpler. Since the POST body of the notification may be any arbitrary content type and only includes the actual content of the document, using the GET vs POST distinction to switch between handling these two modes makes implementations simpler.
The publisher MUST inform the hubs it previously designated when a topic has been updated. The hub and the publisher can agree on any mechanism, as long as the hub is eventually able send the updated payload to the subscribers.
If the publisher wishes to migrate existing subscriptions to a new topic URL, it can do so using HTTP redirects.
rel=self
URL and the new hub, and will subscribe to the new topic URL at the new hub.This does not require any participation on the part of the previous hub, and works whether or not the publisher changes hubs as well.
A content distribution request is sent from the Hub to the Subscriber when new content is available for a topic URL. The request is an HTTP [RFC7231] POST request from the hub to the subscriber's callback URL. The HTTP body of the POST request MUST include the payload of the notification. The content distribution request MUST have a Content-Type Header corresponding to the Content-Type of the topic, and MUST contain the full contents of the topic URL, with an exception allowed as described below.
For Atom ([RFC4287]) and RSS ([RSS-2.0]) feeds, the hub MAY remove already-delivered atom:entry
or rss:item
elements from the feed.
The request MUST include at least one Link Header [RFC5988] with rel=hub pointing to a Hub associated with the topic being updated. It MUST also include one Link Header [RFC5988] with rel=self set to the canonical URL of the topic being updated. The Hub SHOULD combine these headers into a single Link Header [RFC5988]. All these URLs are those resulting from the discovery process (Section 3). The subscriber MUST NOT use these Link headers to identify the subscription corresponding to the content distribution request, because the Link headers are metadata associated with the topic content, not with any particular subscription. A hub MAY use discovery from time to time to detect changes in a topic's canonical URL and Hub URLs. Any such changes will cause changes to the Link headers sent in subsequent content distribution requests.
The subscriber's callback URL MUST return an HTTP [RFC7231] 2xx response code to indicate a success. The subscriber's callback URL MAY return an HTTP 410 code to indicate that the subscription has been deleted, and the hub MAY terminate the subscription if it receives that code as a response. The hub MUST consider all other subscriber response codes as failures; that means subscribers MUST NOT use HTTP redirects for moving subscriptions. Subscribers SHOULD respond to notifications as quickly as possible; their success response code SHOULD only indicate receipt of the message, not acknowledgment that it was successfully processed by the subscriber. The response body from the subscriber MUST be ignored by the hub. Hubs SHOULD retry notifications up to self-imposed limits on the number of times and the overall time period to retry. When the failing delivery exceeds the hub's limits, the hub stops attempting to deliver that nofication. The hub MUST keep the subscription active until the end of the lease duration, and if a new update is published to the topic, MUST continue to retry delivery to the previously-failing subscriber.
If the subscriber supplied a value for hub.secret in their subscription request, the hub MUST generate an HMAC signature of the payload and include that signature in the request headers of the content distribution request. The X-Hub-Signature header's value MUST be in the form method=signature where method is one of the recognized algorithm names and signature is the hexadecimal representation of the signature. The signature MUST be computed using the HMAC algorithm [RFC6151] with the request body as the data and the hub.secret as the key.
The following algorithms are the initially registered algorithm names, based on the contents of the [FIPS-PUB-180-4] registry at the time of publishing.
In the future, an extension may be specified allowing subscribers to indicate which algorithms they can use for validation. As of this writing, most hubs sign with SHA-1, despite its known cryptographic weakness, in order to be interoperable with older subscribers.
When subscribers receive a content distribution request with the X-Hub-Signature header specified, they SHOULD recompute the signature with the shared secret using the same method (provided in the X-Hub-Signature header) as the hub. If the signature does not match, subscribers MUST locally ignore the message as invalid. Subscribers MAY still acknowledge this request with a 2xx response code in order to be able to process the message asynchronously and/or prevent brute-force attempts of the signature. Using this technique along with HTTPS [RFC2818] for subscription requests enables simple subscribers to receive authenticated notifications from hubs without the need for subscribers to run an HTTPS [RFC2818] server.
Please note however that this signature only ensures that the payload was not forged. Since the notification also includes headers, these should not be considered as safe by the subscriber, unless of course the subscriber uses HTTPS [RFC2818] callbacks.
Here is a summary of security considerations. It is important to note that WebSub is a server-to-server protocol which relies only on HTTP. It is strongly recommended to use HTTPS for all requests.
There are no specific security considerations for discovery.
First, subscribers SHOULD always favor the HTTPS URL for hubs (even if the URL is advertised as HTTP). Then the subscribers SHOULD use unique unguessable capability URLs for the callbacks, as well as make them available via HTTPS. Finally, subscribers SHOULD use a hub.secret when subscribing to allow signature of the content distribution. Hubs SHOULD enforce short lived hub.lease_seconds (10 days is a good default). When performing intent verification, the hub SHOULD use a random, single use hub.challenge.
The Hub MUST use the exact callback used by the subscriber (including the use of HTTPS). Hubs MUST sign their requests using the hub.secret supplied by subscribers if requested.
If the subscriber included a hub.secret in the subscription request, the subscriber SHOULD validate the hub's provided signature, and if they do so, they MUST use the server's stated signature mechanism, and discard notifications which fail the test.
If a subscriber does not use a secure notification URL (HTTPS), or if it is suspected that the TLS transport between the hub and subscriber may be compromised, then the integrity of the content delivery notification is only protected by the hub.secret and the hashing algorithm used. In this case, an appropriate hashing algorithm should be used based on the security requirements of the application. As SHA-1 has been demonstrated to be compromised as of the date of this publication, a minimum of SHA-256 should be used.
These questions provide an overview of security and privacy considerations for this specification as guided by Self-Review Questionnaire: Security and Privacy ([security-privacy-questionnaire]).
This section is non-normative.
.host-meta
discovery feature due to lack of implementations (Issue #97)hub.secret
should be cryptographically random and uniqueAccept-Language
header<link>
tags in the HTML <head> elementrel=self
URLs to support content negotiationhub.topic
must be the self
URL that was discoveredFrom
header on subscription requests