Re: Proposal: 3xx (Unauthorized, See Other) status from Thomas Broyer on 2009-02-01 (ietf-http-wg@w3.org from January to March 2009)

From: Thomas Broyer <t.broyer@gmail.com>
Date: Sun, 1 Feb 2009 11:25:54 +0100
To: ietf-http-wg@w3.org
Message-ID: <a9699fd20902010225h29b09c9byc7f3b58214829afe@mail.gmail.com>

Hi Mark,

On Fri, Jan 23, 2009 at 1:25 AM, Mark Nottingham wrote:
>
> We're not chartered to do extension work, but you can certainly use the
> mailing list for review and discussion.
>
> BTW, this sounds a little bit like a previous discussion;
>  http://www.w3.org/mid/76F49FF4-54D7-4917-85A3-A0D648E57C7E@mnot.net

Thanks for the pointer!

For those interested, I conducted some tests on 5 browsers (IE7,
Safari 3.2.1, Opera 9.63, Firefox 3.0.5 and Chrome 1.0.154.46; all on
Windows Vista). The tests were done with *.asis files served first
with Apache mod_asis (to ensure proper HTTP) and then with a dummy
HTTP server [1] (to ensure no transformation on response headers).
Results were identical whichever the serving method. Here they are:

http://ltgt.net/tests/http-cookie-auth/location-in-401.asis
http://hg.ltgt.net/http-cookie-auth/raw-file/tip/tests/location-in-401.asis
No browser ever redirected to the given location (which is probably a
good thing). Given the use of WWW-Authenticate / Cookie, Opera showed
an error page. I also tried with a 401 without WWW-Authenticate in
Opera, and it then displayed the returned entity, just like the other
browsers.

http://ltgt.net/tests/http-cookie-auth/new-redirect-status.asis
http://hg.ltgt.net/http-cookie-auth/raw-file/tip/tests/new-redirect-status.asis
Only Safari honors the redirect, others just display the response as
if it had been sent with a 200 status.

http://ltgt.net/tests/http-cookie-auth/new-redirect-status-with-www-authentication.asis
http://hg.ltgt.net/http-cookie-auth/raw-file/tip/tests/new-redirect-status-with-www-authentication.asis
Same as above (note that Opera doesn't choke on the WWW-Authenticate
as it's not sent in a 401)

This tends to suggest that a 401 (or 407, or eventually 403 or 402, in
the case you reported two years ago) with a custom WWW-Authenticate
(or no WWW-Authenticate at all?) would be the solution with best
compatibility among existing browsers (I didn't tried other UAs, such
as wget); with a Refresh response header, "meta refresh" in the HTML
body and/or javascript if you want/need to redirect.

[1] http://hg.ltgt.net/http-cookie-auth/raw-file/tip/tests/asis.py

-- 
Thomas Broyer

Received on Sunday, 1 February 2009 10:26:31 UTC