The JSON Meta Application Protocol (JMAP) base protocol (RFC 8620) provides the ability to upload and download arbitrary binary data via HTTP POST and GET on a defined endpoint. This binary data is called a "blob".
This extension adds additional ways to create and access blobs by making inline method calls within a standard JMAP request.
This extension also adds a reverse lookup mechanism to discover where blobs are referenced within other data types.
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9404.
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Sometimes JMAP [RFC 8620] interactions require creating a blob and then referencing it. In the same way that IMAP literals were extended by [RFC 7888], embedding small blobs directly into the JMAP method calls array can be an option for reducing round trips.
Likewise, when fetching an object, it can be useful to also fetch the raw content of that object without a separate round trip.
Since raw blobs may contain arbitrary binary data, this document defines a use of the base64 coding specified in [RFC 4648] for both creating and fetching blob data.
When JMAP is proxied through a system that applies additional access restrictions, it can be useful to know which objects reference any particular blob; this document defines a way to discover those references.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC 2119] [RFC 8174] when, and only when, they appear in all capitals, as shown here.
The definitions of JSON keys and datatypes in the document follow the conventions described in [RFC 8620].
The presence of the capability urn:ietf:params:jmap:blob in the accountCapabilities property of an account represents support for additional API methods on the Blob datatype. Servers that include the capability in one or more accountCapabilities properties MUST also include the property in the capabilities property.
The value of this property in the JMAP Session capabilities property MUST be an empty object.
The value of this property in an account's accountCapabilities property is an object that MUST contain the following information on server capabilities and permissions for that account:
The maximum size of the blob (in octets) that the server will allow to be created (including blobs created by concatenating multiple data sources together).
Clients MUST NOT attempt to create blobs larger than this size.
If this value is null, then clients are not required to limit the size of the blob they try to create, though servers can always reject creation of blobs regardless of size, e.g., due to lack of disk space or per-user rate limits.
The maximum number of DataSourceObjects allowed per creation in a Blob/upload.
Servers MUST allow at least 64 DataSourceObjects per creation.
An array of data type names that are supported for Blob/lookup. If the server does not support lookups, then this will be the empty list.
Note that the supportedTypeNames list may include private types that are not in the "JMAP Data Types" registry defined by this document. Clients MUST ignore type names they do not recognise.
An array of supported digest algorithms that are supported for Blob/get. If the server does not support calculating blob digests, then this will be the empty list. Algorithms in this list MUST be present in the "HTTP Digest Algorithm Values" registry defined by [RFC 3230]; however, in JMAP, they must be lowercased, e.g., "md5" rather than "MD5".
Clients SHOULD prefer algorithms listed earlier in this list.
A blob is a sequence of zero or more octets.
JMAP [RFC 8620] defines the Blob/copy method, which is unchanged by this specification and is selected by the urn:ietf:params:jmap:core capability.
The following JMAP methods are selected by the urn:ietf:params:jmap:blob capability.
This is similar to a Foo/set in [RFC 8620] in some ways. However, blobs cannot be updated or deleted, so only create is allowed in the method call. Also, blobs do not have state, so there is no state field present in the method response.
The id of the account in which the blobs will be created.
A map of creation id to UploadObjects.
The result is the same as for Foo/set in [RFC 8620], with created and notCreated objects mapping from the creation id.
The created objects contain:
The blobId that was created.
The media type as given in the creation (if any). If not provided, the server MAY perform content analysis and return one of the following: the calculated value, "application/octet-string", or null.
As per [RFC 8620], the size of the created blob in octets.
The created objects will also contain any other properties identical to those that would be returned in the JSON response of the upload endpoint described in [RFC 8620]. This may be extended in the future; in this document, it is anticipated that implementations will extend both the upload endpoint and the Blob/upload responses in the same way.
If there is a problem with a creation, then the server will return a notCreated response with a map from the failed creation id to a SetError object.
For each successful upload, servers MUST add an entry to the createdIds map (RFC 8620, Section 3.3) for the request; even if the caller did not explicitly pass a createdIds, the value must be available to later methods defined in the same Request Object. This allows the blobId to be used via back-reference in subsequent method calls.
The created blob will have the same lifetime and same expiry semantics as any other binary object created via the mechanism specified in RFC 8620, Section 6.
Uploads using this mechanism will be restricted by the maxUploadSize limit for JMAP requests specified by the server, and clients SHOULD consider using the upload mechanism defined by [RFC 8620] for blobs larger than a megabyte.
An array of zero or more octet sources in order (zero to create an empty blob). The result of each of these sources is concatenated in order to create the blob.
type: "String|null" (default: null)
A hint for media type of the data.
Exactly one of:
data:asText: "String|null" (raw octets, must be UTF-8)
data:asBase64: "String|null" (base64 representation of octets)
or a blobId source:
offset: "UnsignedInt|null" (MAY be zero)
length: "UnsignedInt|null" (MAY be zero)
If null, then offset is assumed to be zero.
If null, then length is the remaining octets in the blob.
If the range cannot be fully satisfied (i.e., it begins or extends past the end of the data in the blob), then the DataSourceObject is invalid and results in a notCreated response for this creation id.
If the data properties have any invalid references or invalid data contained in them, the server MUST NOT guess the user's intent and MUST reject the creation and return a notCreated response for that creation id.
Likewise, invalid characters in the base64 of data:asBase64 or invalid UTF-8 in data:asText MUST result in a notCreated response.
It is envisaged that the definition for DataSourceObject might be extended in the future, for example, to fetch external content.
A server MUST accept at least 64 DataSourceObjects per create, as described in Section 3.1 of this document.
A standard JMAP get, with two additional optional parameters:
Start this many octets into the blob data. If null or unspecified, this defaults to zero.
Return at most this many octets of the blob data. If null or unspecified, then all remaining octets in the blob are returned. This can be considered equivalent to an infinitely large length value, except that the isTruncated warning is not given unless the start offset is past the end of the blob.
data (returns data:asText if the selected octets are valid UTF-8 or data:asBase64)
digest:<algorithm> (where <algorithm> is one of the named algorithms in the supportedDigestAlgorithms capability)
If not given, the properties default to data and size.
The raw octets of the selected range if they are valid UTF-8; otherwise, null.
The base64 encoding of the octets in the selected range.
The base64 encoding of the digest of the octets in the selected range, calculated using the named algorithm.
isEncodingProblem: "Boolean" (default: false)
isTruncated: "Boolean" (default: false)
The number of octets in the entire blob.
The size value MUST always be the number of octets in the underlying blob, regardless of offset and length.
The data fields contain a representation of the octets within the selected range that are present in the blob. If the octets selected are not valid UTF-8 (including truncating in the middle of a multi-octet sequence) and data or data:asText was requested, then the key isEncodingProblemMUST be set to true, and the data:asText response value MUST be null. In the case where data was requested and the data is not valid UTF-8, then data:asBase64MUST be returned.
If the selected range requests data outside the blob (i.e., the offset+length is larger than the blob), then the result is either just the octets from the offset to the end of the blob or an empty string if the offset is past the end of the blob. Either way, the isTruncated property in the result MUST be set to true to tell the client that the requested range could not be fully satisfied. If digest was requested, any digest is calculated on the octets that would be returned for a data field.
Servers SHOULD store the size for blobs in a format that is efficient to read, and clients SHOULD limit their request to just the size parameter if that is all they need, as fetching blob content could be significantly more expensive and slower for the server.
In this example, a blob containing the string "The quick brown fox jumped over the lazy dog." has blobId Gc0854fb9fb03c41cce3802cb0d220529e6eef94e.
The first method call requests just the size for multiple blobs, and the second requests both the size and a short range of the data for one of the blobs.
Given a list of blobIds, this method does a reverse lookup in each of the provided type names to find the list of Ids within that data type that reference the provided blob.
Since different datatypes will have different semantics of "contains", the definition of "reference" is somewhat loose but roughly means "you could discover this blobId by looking at this object or at other objects recursively contained within this object".
For example, with a server that supports [RFC 8621], if a Mailbox references a blob and if any Emails within that Mailbox reference the blobId, then the Mailbox references that blobId. For any Thread that references an Email that references a blobId, it can be said that the Thread references the blobId.
However, this does not mean that if an Email references a Mailbox in its mailboxIds property, then any blobId referenced by other Emails in that Mailbox are also referenced by the initial Email.
The id of the account used for the call.
A list of names from the "JMAP Data Types" registry or defined by private extensions that the client has requested. Only names for which "Can reference blobs" is true may be specified, and the capability that defines each type must also be used by the overall JMAP request in which this method is called.
If a type name is not known by the server, or the associated capability has not been requested, then the server returns an "unknownDataType" error.
A list of blobId values to be looked for.
A list of BlobInfo objects.
A map from type name to a list of Ids of that data type (e.g., the name "Email" maps to a list of emailIds).
If a blob is not visible to a user or does not exist on the server at all, then the server MUST still return an empty array for each type as this doesn't leak any information about whether the blob is on the server but not visible to the requesting user.
All security considerations for JMAP [RFC 8620] apply to this specification. Additional considerations specific to the data types and functionality introduced by this document are described here.
JSON parsers are not all consistent in handling non-UTF-8 data. JMAP requires that all JSON data be UTF-8 encoded, so servers MUST only return a null value if data:asText is requested for a range of octets that is not valid UTF-8 and set isEncodingProblem: true.
Servers MUST apply any access controls, such that if the authenticated user would be unable to discover the blobId by making queries, then this fact cannot be discovered via a Blob/lookup. For example, if an Email exists in a Mailbox that the authenticated user does not have access to see, then that emailId MUST NOT be returned in a lookup for a blob that is referenced by that email.
The server MUST NOT trust that the data given to a Blob/upload is a well-formed instance of the specified media type. Also, if the server attempts to parse the given blob, only hardened parsers designed to deal with arbitrary untrusted data should be used. The server SHOULD NOT reject data on the grounds that it is not a valid specimen of the stated type.
With carefully chosen data sources, Blob/upload can be used to recreate dangerous content on the far side of security scanners (anti-virus or exfiltration scanners, for example) that may be watching the upload endpoint. Server implementations SHOULD provide a hook to allow security scanners to check the resulting blob after concatenating the data sources in the same way that they do for the upload endpoint.
Digest algorithms can be expensive for servers to calculate. Servers that share resources between multiple users should track resource usage by clients and rate-limit expensive operations to avoid resource starvation.
The registration policy for this registry is "Specification Required" [RFC 8126]. Either an RFC or a similarly stable reference document defines a JMAP Data Type and associated capability.
IANA will appoint designated experts to review requests for additions to this registry, with guidance to allow any registration that provides a stable document describing the capability and control over the URI namespace to which the capability URI points.