IETF Logo Mail Archive

Re: [apps-discuss] draft-nottingham-http-problem

Erik Wilde <dret@berkeley.edu> Thu, 14 March 2013 22:18 UTC

Return-Path: <dret@berkeley.edu>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 717F921F9063 for <apps-discuss@ietfa.amsl.com>; Thu, 14 Mar 2013 15:18:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BtexIsSFCQ50 for <apps-discuss@ietfa.amsl.com>; Thu, 14 Mar 2013 15:18:02 -0700 (PDT)
Received: from cm02fe.IST.Berkeley.EDU (cm02fe.IST.Berkeley.EDU [169.229.218.143]) by ietfa.amsl.com (Postfix) with ESMTP id B0ED021F8F26 for <apps-discuss@ietf.org>; Thu, 14 Mar 2013 15:18:02 -0700 (PDT)
Received: from c-50-136-167-63.hsd1.ca.comcast.net ([50.136.167.63] helo=dretair.local) by cm02fe.ist.berkeley.edu with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (auth plain:dret@berkeley.edu) (envelope-from <dret@berkeley.edu>) id 1UGGTJ-0005vG-7l; Thu, 14 Mar 2013 15:18:02 -0700
Message-ID: <51424C92.8020100@berkeley.edu>
Date: Thu, 14 Mar 2013 15:17:54 -0700
From: Erik Wilde <dret@berkeley.edu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: apps-discuss@ietf.org
References: <06f33cf7-d3e6-4d64-b956-c7c35447a479@default>
In-Reply-To: <06f33cf7-d3e6-4d64-b956-c7c35447a479@default>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [apps-discuss] draft-nottingham-http-problem
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 22:18:03 -0000

hello ray.

On 2013-03-14 08:26 , Ray Polk wrote:
> True; error location & multiple errors are useful for validation of the body.  Those notions might also be useful for multiple input errors of other types as well, right?
> 403 - we return 403 when user agents provide incorrect CSRF prevention tokens &/or access_tokens &/or don't have permission.  we're required to inform UA of the issue (otherwise return 404); if both the CSRF token & access_token are wrong, we'd like to inform on both issues in one response; possibly specifying the erroneous query param or entity value.

when it comes to authentication, exposing too much detail definitely 
always may be a security issue. (the same is btw true for exposing 
implementation details such as software details/version, or even more 
detailed reports such as crash reports.)

> 406 - UA might have gotten more than one header wrong; so might be good to specify which headers were wrong in order to scope the required list of valid values

406 specifically talk about providing details in a content type capable 
of doing so. while services are free to use their own, they might as 
well choose to use an HTTP problem report. i am not sure whether this 
(since it's part of HTTP itself) might warrant some special handling in 
the problem report schema. it could be either this, or there could just 
be growing consensus about a problemType and how 406 are handled.

> 409 - where multiple fields violated some kind of scope/uniqueness constraint

i think this is very similar to the 406 situation.

> Multiple errors needn't be only with input (headers, query parameters, request body) either.  I could envision a request causing more than one top level error (say...406 & 409 at the same time).

that's simply impossible because of how HTTP works currently. why i do 
get your point, you can only report a 406 or a 409, and then include the 
details for that. we don't want to change HTTP error handling.

> So anyway, w/e was chosen for error location (errorPath / errorFragmentIdentifier / ...) might need to handle identifying header, query param, request entity field....matrix param?  ...path param?!  ...or should there be one response field per input type?  ...or...?

yes, but that would be up for the problemType to specify.

> Could you provide an example of using an anchor / frag id?  would it just be the json/yaml/xml/... field prefixed with a hash?

given that the context of an HTTP response is the request URI, i assume 
that using just a relative URI (starting with a hash) might be one way 
to go. on the other hand, such a relative URI would be a fragment of the 
*resource*, and not of the *request entity*, so maybe it would be a bad 
idea to do it like this. i am actually not quite sure how to best 
address this (since the request entity is not really a resource with a 
referencable URI), but maybe mark has some idea here.

thanks and cheers,

dret.

-- 
erik wilde | mailto:dret@berkeley.edu  -  tel:+1-510-2061079 |
            | UC Berkeley  -  School of Information (ISchool) |
            | http://dret.net/netdret http://twitter.com/dret |

v2.30.2 | Report a Bug | By Email | System Status