Re: #487 Resubmission of 403

Julian Reschke <julian.reschke@gmx.de> Sun, 30 June 2013 16:19 UTC

On 2013-06-20 17:54, Julian Reschke wrote:
> From the ticket:
>
>> See comments in linked blog post; change
>>
>> "The client should not repeat the request with the same credentials."
>>
>> to
>>
>> "The client should not automatically repeat the request with the same
>> credentials."
>>
>> Since some flows using 403 may involve manipulating state somewhere
>> else, then resubmitting the request.
>
> ...where the blog post is:
> <http://www.mnot.net/blog/2013/05/15/http_problem>
>
> The current text is:
>
> "The 403 (Forbidden) status code indicates that the server understood
> the request but refuses to authorize it. A server that wishes to make
> public why the request has been forbidden can describe that reason in
> the response payload (if any).
>
> If authentication credentials were provided in the request, the server
> considers them insufficient to grant access. The client SHOULD NOT
> repeat the request with the same credentials. The client MAY repeat the
> request with new or different credentials. However, a request might be
> forbidden for reasons unrelated to the credentials.
>
> An origin server that wishes to "hide" the current existence of a
> forbidden target resource MAY instead respond with a status code of 404
> (Not Found)." --
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-latest.html#status.403>
>
>
> It seems there's a bigger problem here:
>
> "If authentication credentials were provided in the request, the server
> considers them insufficient to grant access."
>
> This implies that *if* credentials have been provided, and the result is
> 403, it's due to the credentials.
> ...

Here's an attempt at rewriting the second paragraph:

"Insufficient credentials can be a reason for refusing the request. In 
this case, the client SHOULD NOT repeat the request with the same 
credentials. However, a request might be forbidden for reasons unrelated 
to the credentials, and therefore the client has no reliable way to 
detect this situation."

(I think this is more correct, but of course doesn't really help the 
recipient of the 403).

Best regards, Julian
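As an added illustration (not part of Julian's message or of the draft text), here is a toy origin and a client retry policy in Python that follow the 403 wording discussed above: the client never automatically repeats a request with the same credentials, and after exhausting its credentials against a resource that is forbidden for other reasons it is still left with a 403, which is exactly the case the proposed text says it cannot distinguish. The names (ACL, Origin, fetch) and paths are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed access policy (hypothetical): user -> paths they may read.
ACL = {"alice": {"/report"}, "bob": set()}
HIDDEN = {"/secret"}   # existence hidden: the origin answers 404, not 403
NOBODY = {"/ops"}      # forbidden for everyone, whatever credentials are sent


@dataclass
class Origin:
    log: List[tuple] = field(default_factory=list)   # (user, path) per request

    def handle(self, path: str, user: Optional[str]) -> int:
        self.log.append((user, path))
        if path in HIDDEN:
            return 404            # origin MAY hide the resource's existence
        if path in NOBODY:
            return 403            # forbidden for reasons unrelated to credentials
        if user is None:
            return 401            # no credentials: challenge the client
        return 200 if path in ACL.get(user, set()) else 403


def fetch(origin: Origin, path: str, creds: List[Optional[str]]) -> int:
    """Send the request at most once per distinct credential set.

    After a 403 the client SHOULD NOT repeat with the same credentials, so
    duplicates in `creds` are skipped. The loop ends once something other
    than 401/403 comes back or the client has no new credentials to offer;
    a final 403 may or may not have anything to do with the credentials.
    """
    tried = set()
    status = 0
    for user in creds:
        if user in tried:
            continue              # same credentials as before: do not repeat
        tried.add(user)
        status = origin.handle(path, user)
        if status not in (401, 403):
            break
    return status
```

Running fetch against "/ops" with every credential the client has still ends in 403, and the request log shows one attempt per credential set rather than a retry storm.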