#487 Resubmission of 403

Julian Reschke <julian.reschke@gmx.de> Thu, 20 June 2013 15:55 UTC

Message-ID: <51C325AB.7000801@gmx.de>
Date: Thu, 20 Jun 2013 17:54:19 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Original-To: ietf-http-wg@w3.org
Subject: #487 Resubmission of 403
Archived-At: <http://www.w3.org/mid/51C325AB.7000801@gmx.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18317
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

From the ticket:

> See comments in linked blog post; change
>
> "The client should not repeat the request with the same credentials."
>
> to
>
> "The client should not automatically repeat the request with the same credentials."
>
> Since some flows using 403 may involve manipulating state somewhere else, then resubmitting the request.

...where the blog post is:
<http://www.mnot.net/blog/2013/05/15/http_problem>

The current text is:

"The 403 (Forbidden) status code indicates that the server understood 
the request but refuses to authorize it. A server that wishes to make 
public why the request has been forbidden can describe that reason in 
the response payload (if any).

If authentication credentials were provided in the request, the server 
considers them insufficient to grant access. The client SHOULD NOT 
repeat the request with the same credentials. The client MAY repeat the 
request with new or different credentials. However, a request might be 
forbidden for reasons unrelated to the credentials.

An origin server that wishes to "hide" the current existence of a 
forbidden target resource MAY instead respond with a status code of 404 
(Not Found)." -- 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-latest.html#status.403>

It seems there's a bigger problem here:

"If authentication credentials were provided in the request, the server 
considers them insufficient to grant access."

This implies that *if* credentials have been provided, and the result is 
403, it's due to the credentials.

(Note that this text isn't from 2616 anyway)

Best regards, Julian
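Worked example, added here and not part of the draft, the ticket or Julian's message: a toy origin server that hands out 401, 403 and 404 the way the quoted 403 text describes (insufficient credentials, forbiddance unrelated to credentials, and "hiding" a forbidden resource behind 404), next to a client retry policy that never automatically resends a 403'd request with the same credentials but may try different ones. The resource table, tokens, role ranks and the deny-listed address are constructed test data; `authorize` and `fetch` are hypothetical names, not anything from the spec.

```python
"""Added example (not from the draft or this thread): a toy origin server
that issues 401/403/404 per the quoted 403 text, and a client retry policy
that never automatically repeats a 403'd request with the same credentials.
All resources, tokens and addresses are constructed test data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    path: str
    credentials: Optional[str] = None   # e.g. "Bearer alice" (constructed)
    client_ip: str = "203.0.113.10"     # RFC 5737 documentation address


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# ---- server side: hypothetical policy ------------------------------------
ROLE_RANK = {"user": 1, "admin": 2}
# path -> (minimum role, hide existence when forbidden)
RESOURCES = {"/reports": ("user", False),
             "/admin": ("admin", False),
             "/secret": ("admin", True)}
TOKENS = {"Bearer alice": "user", "Bearer root": "admin"}
BLOCKED_IPS = {"198.51.100.7"}
CHALLENGE = {"WWW-Authenticate": 'Bearer realm="example"'}


def authorize(req: Request) -> Response:
    if req.path not in RESOURCES:
        return Response(404)
    min_role, hide = RESOURCES[req.path]
    # Forbidden for a reason unrelated to credentials: the source address is
    # deny-listed. No credential the client could present changes this.
    if req.client_ip in BLOCKED_IPS:
        return Response(403, body="requests from this address are not accepted")
    role = TOKENS.get(req.credentials) if req.credentials else None
    if role is None:
        # Missing or unrecognised credentials: 401 with a challenge, so the
        # client knows that authenticating may help.
        return Response(401, headers=dict(CHALLENGE))
    if ROLE_RANK[role] < ROLE_RANK[min_role]:
        # Credentials understood but insufficient: 403, or 404 when the
        # server wants to hide that the resource exists at all.
        return Response(404 if hide else 403,
                        body="" if hide else "insufficient privilege")
    return Response(200, body=f"contents of {req.path}")


# ---- client side ---------------------------------------------------------
def fetch(path: str, available: List[str], client_ip: str = "203.0.113.10",
          max_attempts: int = 5) -> List[Tuple[Optional[str], int]]:
    """Send the request anonymously first, then follow this retry policy:
    401 with a challenge -> authenticate with a credential not yet tried;
    403 -> never automatically resend the same credential, but try a
    different one if any is left; anything else -> stop.
    Returns the (credential, status) trace for inspection."""
    trace: List[Tuple[Optional[str], int]] = []
    tried: List[Optional[str]] = []
    creds: Optional[str] = None
    for _ in range(max_attempts):
        assert creds not in tried, "policy violation: repeating same credentials"
        resp = authorize(Request(path, creds, client_ip))
        trace.append((creds, resp.status))
        tried.append(creds)
        if resp.status == 401 and "WWW-Authenticate" not in resp.headers:
            break   # no challenge, nothing to answer
        if resp.status not in (401, 403):
            break   # success, 404, or an error that retrying cannot fix
        untried = [c for c in available if c not in tried]
        if not untried:
            break   # SHOULD NOT repeat with the same credentials
        creds = untried[0]
    return trace


if __name__ == "__main__":
    cases = [("/admin", ["Bearer alice", "Bearer root"], "203.0.113.10"),
             ("/secret", ["Bearer alice"], "203.0.113.10"),
             ("/reports", ["Bearer alice", "Bearer root"], "198.51.100.7")]
    for path, creds, ip in cases:
        print(path, ip, fetch(path, creds, ip))
```

The third case is the one Julian's objection is about: the client was forbidden because of its source address, so every credential it holds produces another 403 and the trace ends without a success; nothing in the 403 itself tells the client that credentials were not the reason. The second case shows the "hide" option, where the insufficient-credential outcome surfaces as 404 and the client correctly stops trying.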