(Message HTTP-TOEDIT:465)
Return-Path: frystyk@w3.org
Received: by zorch.w3.org; id AA07011; Tue, 29 Oct 1996 15:55:26 -0500
Received: from big (big.w3.org [18.52.0.175]) by www10.w3.org (8.7.5/8.7.3) with SMTP id PAA18820 for ; Tue, 29 Oct 1996 15:55:27 -0500 (EST)
Message-Id: <3.0b36.32.19961029155255.009836d0@pop.w3.org>
X-Sender: frystyk@pop.w3.org
X-Mailer: Windows Eudora Pro Version 3.0b36 (32)
Date: Tue, 29 Oct 1996 15:52:56 -0500
To: jg@w3.org
From: Henrik Frystyk Nielsen
Subject: Re: Error in RFC 1945 and HTTP/1.1 draft
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Got this from Ari - I have added a page of HTTP/1.1 issues at

http://www.w3.org/pub/WWW/Protocols/HTTP/Issues/Overview.html

so that we don't lose track of them.

>Return-Path: luotonen@step.mcom.com
>From: Ari Luotonen
>Subject: Re: Error in RFC 1945 and HTTP/1.1 draft
>To: fielding@liege.ICS.UCI.EDU (Roy T. Fielding)
>Date: Tue, 29 Oct 1996 11:50:50 -0800 (PST)
>Cc: frystyk@w3.org
>
>
>> > Description for "404 Not found" says "403 Forbidden" can be used
>> > instead.
>> >
>> > Current practice in all of Netscape, NCSA and CERN (if I recall)
>> > servers (probably others, too), is to issue "404 Not found" in place
>> > of "403 Forbidden".
>> >
>> > So the RFC doesn't reflect the current practice in that section.
>>
>> Hmmmm, as I recall, Henrik wanted this for servers where absence of a
>> resource could reveal something about security or privacy. I thought this
>> was configurable in CERN httpd, but I don't know for sure. Henrik?
>
>Right, we have the same goal, but the current practice was to do the
>opposite -- issue a 404 Not found instead of 403 Not forbidden if
>access is denied, regardless of whether the file exists or not.
>
>The reason it's this way is that a single file may be protected, while
>all other files in the directory are not. Then someone can try to
>access the protected file and get a "403 Forbidden" which reveals that
>the file is there, because all other requests for truly non-existent
>files return "404 Not found" (because *all* files (including
>non-existent ones) were protected, only that single one).
>
>Now, if we do "404 Not found" for all non-existent files and for all
>files for which access is forbidden, you cannot make any conclusion about
>whether the file exists or not based on the server's response.
>
>This is why it should be "404 Not found" and not "403 Forbidden".
>"404 Not found" is also the more common current practice.
>
>Cheers,
>--
>Ari Luotonen * * * Opinions my own, not Netscape's * * *
>Netscape Communications Corp. ari@netscape.com
>501 East Middlefield Road http://home.netscape.com/people/ari/
>Mountain View, CA 94043, USA Netscape Proxy Server Development
>
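The existence-disclosure argument Ari makes above, modelled as an added example (this is editor-supplied code, not code from Henrik, Ari, or any of the servers named in the thread). Two request handlers implement the two policies under discussion: `leaky_policy` answers 403 for an existing-but-protected file and 404 for a missing one, while `hardened_policy` answers 404 in both cases. The document tree, the protected path and the probe paths are all constructed for the example; the `authorized` flag stands in for whatever credential check a real server performs.

```python
"""
Model of the 403-vs-404 choice for access-denied responses.

Constructed example: a tiny document tree with one protected file and two
server policies.  An unauthenticated client probes both and we check
whether the status code alone reveals that the protected file exists.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set

# Constructed document tree (path -> body); not a real server's data.
DOCUMENTS: Dict[str, bytes] = {
    "/index.html": b"<h1>Welcome</h1>",
    "/about.html": b"<p>About us</p>",
    "/private/plan.txt": b"secret roadmap",
}

# Paths that require a credential; every other existing path is public.
PROTECTED: Set[str] = {"/private/plan.txt"}

# A path guaranteed not to be in DOCUMENTS, used as the attacker's baseline.
KNOWN_MISSING = "/definitely-not-here.html"


@dataclass
class Response:
    status: int
    reason: str
    body: bytes = b""


# A policy maps (request path, is the client authorized?) to a response.
Policy = Callable[[str, bool], Response]


def leaky_policy(path: str, authorized: bool) -> Response:
    """403 when access is denied, 404 when the file is absent.

    Because the two conditions get different codes, an unauthenticated
    client learns that a 403 path exists even though it cannot read it.
    """
    if path not in DOCUMENTS:
        return Response(404, "Not Found")
    if path in PROTECTED and not authorized:
        return Response(403, "Forbidden")
    return Response(200, "OK", DOCUMENTS[path])


def hardened_policy(path: str, authorized: bool) -> Response:
    """404 whether the path is missing or merely forbidden.

    The status code is identical in both cases, so it carries no
    information about existence.  Authorized clients are unaffected.
    """
    if path not in DOCUMENTS or (path in PROTECTED and not authorized):
        return Response(404, "Not Found")
    return Response(200, "OK", DOCUMENTS[path])


def probe(policy: Policy, paths: Iterable[str]) -> Dict[str, int]:
    """Unauthenticated attacker: request each path, record the status code."""
    return {p: policy(p, False).status for p in paths}


def leaks_existence(policy: Policy) -> bool:
    """True if an unauthenticated probe can distinguish any protected file
    from a path that is known not to exist, using status codes alone."""
    baseline = policy(KNOWN_MISSING, False).status
    return any(policy(p, False).status != baseline for p in PROTECTED)


if __name__ == "__main__":
    targets = ["/index.html", "/private/plan.txt", KNOWN_MISSING]
    for name, policy in (("leaky", leaky_policy), ("hardened", hardened_policy)):
        print(name, probe(policy, targets), "leaks:", leaks_existence(policy))
```

`leaks_existence` is the attacker's oracle: it requests a path that certainly does not exist to learn the "missing" status, then checks whether any protected path answers differently. Under `leaky_policy` the protected file answers 403 against a 404 baseline, so the oracle fires; under `hardened_policy` both answer 404 and the oracle is silent, while an authorized request for the same file still returns 200. Note that collapsing the two cases to one status code closes only this channel; response size, headers and timing must also match for the two cases if the goal is to reveal nothing.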