W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2007

RE: New Status Code -- 2xx Greedy Hotel?

From: Eric Lawrence <ericlaw@exchange.microsoft.com>
Date: Thu, 15 Mar 2007 09:33:07 -0700
To: Mark Nottingham <mnot@mnot.net>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <8301DE7F96C0074C8DA98484623D7E5113597B0856@DF-MASTIFF-MSG.exchange.corp.microsoft.com>

Most authenticating proxies today will return a 407 and then a 403 if any automatically-provided credentials fail, so unsubscribing definitely seems like a bad idea on the part of the automated user-agent.

<<Good question. Most of the ones I've seen recently redirect initially
to a non-HTTPS site to avoid the certificate mismatch popup.>>

The certificate mismatch popup or blocking page will also appear when the ~redirect~ is received by the browser, so the user still gets the warning.  Worse still, they may choose not to proceed, and thus never see the "please give us money" page.

-Eric

-----Original Message-----
From: Mark Nottingham [mailto:mnot@mnot.net]
Sent: Thursday, March 15, 2007 9:30 AM
To: Eric Lawrence
Cc: ietf-http-wg@w3.org Group
Subject: Re: New Status Code -- 2xx Greedy Hotel?


On 15/03/2007, at 4:20 PM, Eric Lawrence wrote:

> I'm not sure why a 403 isn't appropriate (or at least more
> appropriate for 409) for this case?

If an automated agent (e.g., RSS aggregator) sees a 403, they might
take some action on it (e.g., unsubscribing, or calling the feed
'dead'), because they think that the resource itself has a problem.
Not sure if that's a huge issue, it could probably be handled well if
everyone gravitated towards 403 as the solution for this particular
problem. It seems to me that it's mostly a matter of education, and a
distinct status code might make that easier.

I agree that 403, or maybe 400, is the best existing status code to
use. 409 doesn't seem appropriate at all.

> In my mind, the much more interesting question is how to handle a
> HTTPS connection in this scenario.  The hotel never provides a
> certificate which correctly validates (since they can't get a
> wildcard certificate that matches every link the user might choose
> to initially visit).   The resulting certificate name mismatch
> leads to error dialogs, failed navigations, etc.

Good question. Most of the ones I've seen recently redirect initially
to a non-HTTPS site to avoid the certificate mismatch popup.

>
> Eric Lawrence
> Program Manager
> Internet Explorer Networking
>
> -----Original Message-----
> From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-
> request@w3.org] On Behalf Of Mark Nottingham
> Sent: Thursday, March 15, 2007 6:48 AM
> To: ietf-http-wg@w3.org Group
> Subject: New Status Code -- 2xx Greedy Hotel?
>
>
> After being in hotels for a few weeks, I'm starting to wonder whether
> a new 2xx HTTP status code could be defined whose semantic is "This
> isn't what you asked for, but here's some information about how to
> get network access so you can eventually get it."
>
> 2xx so that browsers will display it. AFAICT, they do; or at least,
> Safari and Firefox do (see <http://www.mnot.net/test/222.asis>). IE?
> 4xx might be more appropriate, but I despair of "friendly" error
> messages. (thought they could be padded, I suppose).
>
> A new status code so that feed aggregators, automated clients, etc.
> can differentiate what they asked for from your hotel / conference
> centre / etc. asking for cash in order to get network access, and not
> get horribly messed up as a result.
>
> It would also be useful in those cases where you get redirected
> somewhere to login and get a cookie for authentication; e.g., Yahoo!,
> Google, Amazon, etc. Same situation, but slightly different use case.
>
> Thoughts?
>
> --
> Mark Nottingham     http://www.mnot.net/
>
>


--
Mark Nottingham     http://www.mnot.net/
Received on Thursday, 15 March 2007 16:36:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:00 GMT