Re: #487 Resubmission of 403

Julian Reschke <julian.reschke@gmx.de> Mon, 01 July 2013 20:10 UTC

Resent-Date: Mon, 01 Jul 2013 20:09:55 +0000
Resent-Message-Id: <E1UtkQ7-0003Do-2T@frink.w3.org>
Message-ID: <51D1E1EE.7020903@gmx.de>
Date: Mon, 01 Jul 2013 22:09:18 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
References: <51C325AB.7000801@gmx.de> <51D05A11.6070901@gmx.de> <FA296D41-D992-47B3-957C-DA584A0A30F1@gbiv.com>
In-Reply-To: <FA296D41-D992-47B3-957C-DA584A0A30F1@gbiv.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=212.227.15.18; envelope-from=julian.reschke@gmx.de; helo=mout.gmx.net
Subject: Re: #487 Resubmission of 403
Archived-At: <http://www.w3.org/mid/51D1E1EE.7020903@gmx.de>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

On 2013-07-01 19:36, Roy T. Fielding wrote:
>
> On Jun 30, 2013, at 9:17 AM, Julian Reschke wrote:
>
>> On 2013-06-20 17:54, Julian Reschke wrote:
>>>  From the ticket:
>>>
>>>> See comments in linked blog post; change
>>>>
>>>> "The client should not repeat the request with the same credentials."
>>>>
>>>> to
>>>>
>>>> "The client should not automatically repeat the request with the same
>>>> credentials."
>>>>
>>>> Since some flows using 403 may involve manipulating state somewhere
>>>> else, then resubmitting the request.
>>>
>>> ...where the blog post is:
>>> <http://www.mnot.net/blog/2013/05/15/http_problem>
>>>
>>> The current text is:
>>>
>>> "The 403 (Forbidden) status code indicates that the server understood
>>> the request but refuses to authorize it. A server that wishes to make
>>> public why the request has been forbidden can describe that reason in
>>> the response payload (if any).
>>>
>>> If authentication credentials were provided in the request, the server
>>> considers them insufficient to grant access. The client SHOULD NOT
>>> repeat the request with the same credentials. The client MAY repeat the
>>> request with new or different credentials. However, a request might be
>>> forbidden for reasons unrelated to the credentials.
>>>
>>> An origin server that wishes to "hide" the current existence of a
>>> forbidden target resource MAY instead respond with a status code of 404
>>> (Not Found)." --
>>> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-latest.html#status.403>
>>>
>>>
>>> It seems there's a bigger problem here:
>>>
>>> "If authentication credentials were provided in the request, the server
>>> considers them insufficient to grant access."
>>>
>>> This implies that *if* credentials have been provided, and the result is
>>> 403, it's due to the credentials.
>
> No, it does not.  Such a conclusion is not supportable by logic or
> English, and certainly not in programming languages, so I see no
> reason for a change here.  Read the entire paragraph.
 > ...

I did, and I still think it's misleading. Again:

"If authentication credentials were provided in the request, the server
considers them insufficient to grant access. The client SHOULD NOT
repeat the request with the same credentials. The client MAY repeat the
request with new or different credentials. However, a request might be
forbidden for reasons unrelated to the credentials."

So how does the client find out whether the credentials or something 
else caused the problem? In the first case, we say it SHOULD NOT repeat 
the request with the same credentials, in the second case we leave it 
somehow open.

Best regards, Julian

#487 Resubmission of 403 Julian Reschke
Re: #487 Resubmission of 403 Julian Reschke
Re: #487 Resubmission of 403 Julian Reschke
Re: #487 Resubmission of 403 Roy T. Fielding
Re: #487 Resubmission of 403 Adrien W. de Croy