Re: #487 Resubmission of 403 from Julian Reschke on 2013-06-30 (ietf-http-wg@w3.org from April to June 2013)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 30 Jun 2013 18:17:21 +0200
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <51D05A11.6070901@gmx.de>

On 2013-06-20 17:54, Julian Reschke wrote:
>  From the ticket:
>
>> See comments in linked blog post; change
>>
>> "The client should not repeat the request with the same credentials."
>>
>> to
>>
>> "The client should not automatically repeat the request with the same
>> credentials."
>>
>> Since some flows using 403 may involve manipulating state somewhere
>> else, then resubmitting the request.
>
> ...where the blog post is:
> <http://www.mnot.net/blog/2013/05/15/http_problem>
>
> The current text is:
>
> "The 403 (Forbidden) status code indicates that the server understood
> the request but refuses to authorize it. A server that wishes to make
> public why the request has been forbidden can describe that reason in
> the response payload (if any).
>
> If authentication credentials were provided in the request, the server
> considers them insufficient to grant access. The client SHOULD NOT
> repeat the request with the same credentials. The client MAY repeat the
> request with new or different credentials. However, a request might be
> forbidden for reasons unrelated to the credentials.
>
> An origin server that wishes to "hide" the current existence of a
> forbidden target resource MAY instead respond with a status code of 404
> (Not Found)." --
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-latest.html#status.403>
>
>
> It seems there's a bigger problem here:
>
> "If authentication credentials were provided in the request, the server
> considers them insufficient to grant access."
>
> This implies that *if* credentials have been provided, and the result is
> 403, it's due to the credentials.
> ...

Here's an attempt of rewriting the second paragraph:

"Insufficient credentials can be a reason for refusing the request. In 
this case, the client SHOULD NOT repeat the request with the same 
credentials. However, a request might be forbidden for reasons unrelated 
to the credentials, and therefore the client has no reliable way to 
detect this situation."

(I think this is more correct, but of course doesn't really help the 
recipient of the 403).

Best regards, Julian

Received on Sunday, 30 June 2013 16:17:56 UTC