Re: #487 Resubmission of 403

"Roy T. Fielding" <fielding@gbiv.com> Mon, 01 July 2013 17:38 UTC

From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <51D05A11.6070901@gmx.de>
Date: Mon, 01 Jul 2013 10:36:22 -0700
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <FA296D41-D992-47B3-957C-DA584A0A30F1@gbiv.com>
References: <51C325AB.7000801@gmx.de> <51D05A11.6070901@gmx.de>
To: Julian Reschke <julian.reschke@gmx.de>
Archived-At: <http://www.w3.org/mid/FA296D41-D992-47B3-957C-DA584A0A30F1@gbiv.com>

On Jun 30, 2013, at 9:17 AM, Julian Reschke wrote:

> On 2013-06-20 17:54, Julian Reschke wrote:
>> From the ticket:
>> 
>>> See comments in linked blog post; change
>>> 
>>> "The client should not repeat the request with the same credentials."
>>> 
>>> to
>>> 
>>> "The client should not automatically repeat the request with the same
>>> credentials."
>>> 
>>> Since some flows using 403 may involve manipulating state somewhere
>>> else, then resubmitting the request.
>> 
>> ...where the blog post is:
>> <http://www.mnot.net/blog/2013/05/15/http_problem>
>> 
>> The current text is:
>> 
>> "The 403 (Forbidden) status code indicates that the server understood
>> the request but refuses to authorize it. A server that wishes to make
>> public why the request has been forbidden can describe that reason in
>> the response payload (if any).
>> 
>> If authentication credentials were provided in the request, the server
>> considers them insufficient to grant access. The client SHOULD NOT
>> repeat the request with the same credentials. The client MAY repeat the
>> request with new or different credentials. However, a request might be
>> forbidden for reasons unrelated to the credentials.
>> 
>> An origin server that wishes to "hide" the current existence of a
>> forbidden target resource MAY instead respond with a status code of 404
>> (Not Found)." --
>> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-latest.html#status.403>
>> 
>> 
>> It seems there's a bigger problem here:
>> 
>> "If authentication credentials were provided in the request, the server
>> considers them insufficient to grant access."
>> 
>> This implies that *if* credentials have been provided, and the result is
>> 403, it's due to the credentials.

No, it does not.  Such a conclusion is not supportable by logic or
English, and certainly not in programming languages, so I see no
reason for a change here.  Read the entire paragraph.

>> ...
> 
> Here's an attempt of rewriting the second paragraph:
> 
> "Insufficient credentials can be a reason for refusing the request. In this case, the client SHOULD NOT repeat the request with the same credentials. However, a request might be forbidden for reasons unrelated to the credentials, and therefore the client has no reliable way to detect this situation."

No, that is just making a mountain out of a molehill.
403 means forbidden.  One reason for forbidding is that the
credentials provided are for a user that is forbidden.  The
correct way to state that is as written in the spec -- the
credentials are insufficient to gain access.  That does not
mean the credentials caused the 403; it means they were not
sufficient to overcome the 403.  A client is fully capable of
detecting whether it sent credentials and either using a
different set (if possible) or halting accordingly. It is
not the client's job to "detect" why the 403 is received.

....Roy
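The client behaviour Roy describes above (a client can tell whether it sent credentials, may try a different set if it has one, and otherwise halts, without trying to work out why the 403 was sent) as an added example that is not part of the thread or of the HTTP specification. The origin server, its access-control list, the token table and the credential objects are all constructed for the example; the `hide_forbidden` switch models the spec's option of answering 404 instead of 403 to hide a forbidden resource's existence.

```python
"""Client-side handling of 403 (Forbidden): never automatically repeat the
request with the same credentials, optionally try different ones, then halt.

Added example for the thread above; nothing here is from the spec text
or from the mailing-list participants. The server is a constructed stand-in.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Credentials:
    user: str
    token: str


@dataclass(frozen=True)
class Request:
    path: str
    credentials: Optional[Credentials] = None


@dataclass(frozen=True)
class Response:
    status: int
    body: str = ""


# Constructed authorization data: which users may read which paths.
ACL = {
    "/reports": {"alice"},
    "/admin": set(),  # forbidden for every user, credentials or not
}
TOKENS = {"alice": "tok-a", "bob": "tok-b"}  # constructed sample tokens


def origin_server(req: Request, hide_forbidden: bool = False) -> Response:
    """Constructed origin server.

    Returns 403 whenever the request is understood but not authorized. The
    403 is sent regardless of whether credentials were supplied, which is
    exactly why the client cannot infer the cause from the status alone.
    """
    if req.path not in ACL:
        return Response(404)
    c = req.credentials
    if c is not None and TOKENS.get(c.user) == c.token and c.user in ACL[req.path]:
        return Response(200, f"contents of {req.path}")
    if hide_forbidden:
        # Spec option: hide the resource's existence instead of admitting 403.
        return Response(404)
    return Response(403, "forbidden")


def fetch(
    path: str,
    credential_sets: Iterable[Optional[Credentials]],
    server=origin_server,
    hide_forbidden: bool = False,
) -> Tuple[Response, List[Tuple[Optional[Credentials], int]]]:
    """Issue the request, applying the 403 policy from the discussion.

    credential_sets is the ordered list of credentials the client is able
    to offer (None means an anonymous attempt). On 403 the client:
      * records which credentials it has already sent for this request,
      * SHOULD NOT repeat the request with the same credentials, so any
        duplicate set in the list is skipped,
      * MAY repeat it with a different set, so the next unused one is tried,
      * halts when nothing different is left, without guessing the reason.
    Returns the final response and the list of (credentials, status) attempts.
    """
    attempts: List[Tuple[Optional[Credentials], int]] = []
    sent: Set[Optional[Credentials]] = set()
    remaining = list(credential_sets)
    cred = remaining.pop(0) if remaining else None
    while True:
        resp = server(Request(path, cred), hide_forbidden)
        attempts.append((cred, resp.status))
        if resp.status != 403:
            return resp, attempts
        sent.add(cred)
        # Drop credential sets identical to ones already sent for this request.
        while remaining and remaining[0] in sent:
            remaining.pop(0)
        if not remaining:
            return resp, attempts  # halt: nothing different to offer
        cred = remaining.pop(0)


if __name__ == "__main__":
    alice, bob = Credentials("alice", "tok-a"), Credentials("bob", "tok-b")
    resp, log = fetch("/reports", [bob, alice])
    print(resp.status, [(c.user if c else None, s) for c, s in log])
    resp, log = fetch("/admin", [alice, alice, bob])
    print(resp.status, [(c.user if c else None, s) for c, s in log])
```

The point the code makes is in `fetch`: the client's only inputs to the decision are the status code and its own memory of what it has sent. It does not parse the response body, does not special-case "credentials were present", and does not loop; once every distinct credential set has been refused, it stops.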