2.2.1 Custom HTTP Headers

The following HTTP header MUST be included in all WOPI requests.

Header

Description

Authorization

Defined in [RFC2616]. This header MUST have the value "Bearer " + <token> as specified in section 2.2.3. Note that there MUST be a space between "Bearer" and <token>.

The following HTTP headers can be included with all WOPI requests.

Header

Description

X-WOPI-AppEndpoint

A string specifying the endpoint of the WOPI client sending the request. This string MUST NOT be used for anything other than logging.

X-WOPI-ClientVersion

A string specifying the version of the WOPI client. There is no standard for how this string is to be formatted. This string MUST NOT be used for anything other than logging.

X-WOPI-MachineName

A string indicating the name of the machine making the call, which MUST NOT be used for anything other than logging.

X-WOPI-PerfTraceRequested

A Boolean value that indicates that the WOPI client has requested the WOPI server to return a value for X-WOPI-PerfTrace.

X-WOPI-CorrelationId

A string that the WOPI server uses when logging server activity to correlate that activity with WOPI client activity.

X-WOPI-UsingRestrictedScenario

A restricted scenario is a case where a user is able to operate on a file in a limited way. For example, a user might be allowed to change a file in the course of filling out a form while not having permission to freely edit the file. The value of this header varies depending on the scenario. The value of this header is determined through convention understood by the client and server implementer.

The header MUST be present and the value MUST be correct in cases where the WOPI action (see section 3.1.5.1.1.2.2.4) represents a restricted scenario.

X-WOPI-Proof

A set of data signed using a SHA256 (A 256 bit SHA-2-encoded [FIPS180-2]) encryption algorithm. The value of X-WOPI-Proof is decrypted using the values provided in ct_proof-key (section 3.1.5.1.1.2.2.5) in Discovery (section 3.1.5.1.1) as the public key.

The value of X-WOPI-Proof MUST match the following pattern:

4 bytes in network byte order representing the length of the <token> (see section 2.2.3) as an integer + the <token> represented in UTF-8 [UNICODE] +

4 bytes in network byte order representing the length of the URL of the WOPI request as an integer + the absolute URL of the WOPI request in uppercase +

4 bytes in network byte order representing the length of X-WOPI-TimeStamp (see this section) + the value of X-WOPI-TimeStamp

This data is then signed as described above.

The intent of passing this header is to allow the WOPI server to validate that the WOPI request originated from the WOPI client that provided the public key in Discovery via ct_proof-key.

X-WOPI-ProofOld

A set of data signed using a SHA256 (A 256 bit SHA-2-encoded [FIPS180-2]) encryption algorithm. The value of X-WOPI-ProofOld is decrypted using the values provided in ct_proof-key (section 3.1.5.1.1.2.2.5) in Discovery (section 3.1.5.1.1) as the public key.

The value of X-WOPI-ProofOld MUST match the following pattern:

4 bytes in network byte order representing the length of the <token> (see section 2.2.3) as an integer + the <token> represented in UTF-8 [UNICODE] +

4 bytes in network byte order representing the length of the URL of the WOPI request as an integer + the absolute URL of the WOPI request in uppercase +

4 bytes in network byte order representing the length of X-WOPI-TimeStamp (see this section) + the value of X-WOPI-TimeStamp

This data is then signed as described above.

The intent of passing this header is to allow the WOPI server to validate that the WOPI request originated from the WOPI client that provided the public key in Discovery via ct_proof-key.

X-WOPI-TimeStamp

A 64-bit integer that represents the number of 100-nanosecond intervals that have elapsed between 12:00:00 midnight, January 1, 0001 and the time of the request. The WOPI client MUST include this HTTP header if it includes X-WOPI-Proof or X-WOPI-ProofOld.

The following HTTP headers can be included with all WOPI responses.

Header

Description

X-WOPI-HostEndpoint

A string specifying the endpoint of the WOPI server handling the request. This string MUST NOT be used for anything other than logging.

X-WOPI-ServerVersion

A string specifying the version of the WOPI server and MUST be included with all WOPI responses. There is no standard for how this string is to be formatted. This string MUST NOT be used for anything other than logging.

X-WOPI-MachineName

A string specifying the name of the WOPI server and MUST be included with all WOPI responses, which MUST NOT be used for anything other than logging.

X-WOPI-PerfTrace

A string that the WOPI client uses to track performance data. It is included in a WOPI response if the header X-WOPI-PerfTraceRequested in the request is present and equal to "true".

X-WOPI-ServerError

A string indicating that an error occurred while processing the WOPI request, which is included in a WOPI response if the status code is 500. This string can include details about the error, and MUST NOT be used for anything other than logging.