403 description clarifications

I've had a question about 403 from an engineer here, and I think that it's a valid one.  The semantics of this header are well understood, but the actual text doesn't match that understanding.

See: http://lists.w3.org/Archives/Public/ietf-http-wg/2010JulSep/0085.html


Specifically, this point:

> 403 -> this is forbidden for you, but authenticating as somebody else may help

When compared with this sentence, from [1]:

   Authorization will not help and the request SHOULD NOT be repeated.

This sentence appears to be false [2] for the bulk of the cases where this status code is used.  If the user was authorized, then it really would help.

I think that this is the actual intent:

  The server understood the request, but refuses to authorize it.  Providing different user authentication credentials might be successful, but any credentials that were provided in the request are insufficient.


I also have a small editorial nit: The other text here about providing feedback is a separate concept and can be given a separate paragraph:

  A server can [MAY?] instead provide a 404 (Not Found) status code to prevent clients from learning of the existence of the resource.  Alternatively, a server can provide a representation containing the reasons that the request was not fulfilled if this information can be made public.


Cheers,
Martin

[1] http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-11#section-8.4.4

[2] It seems that "Authorization" in this context refers to the HTTP header, rather than the concept.  Either way, it's confusing.

Received on Wednesday, 29 September 2010 01:51:04 UTC
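The distinction Martin draws between 401, 403 and 404 can be made concrete in a small authorization decision function. The following is an added example, not code from the original post or from the HTTP working group: it assumes a constructed user table, a per-resource ACL, and HTTP Basic credentials, and returns 401 when no usable credentials were sent, 403 when the authenticated principal is simply not permitted (so different credentials might succeed), and 404 in place of 403 when the deployment chooses not to reveal that the resource exists.

```python
"""Added example (not part of the original mailing-list post): choosing
between 401, 403 and 404 as the post describes. The user table, ACL,
realm and resource paths below are constructed for illustration."""
import base64
import hmac

# Constructed credential store and per-resource ACL (assumptions for the demo).
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {"/reports": {"alice"}, "/admin": set()}  # /admin: nobody is permitted


def parse_basic(authorization):
    """Return (user, password) from a Basic Authorization header value, or None
    when the header is absent, malformed or not Basic."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_valid(user, password):
    """Constant-time password check against the constructed user table."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def authorize(path, authorization=None, hide_existence=False, public_reason=False):
    """Return (status, headers, body) for a request to `path`.

    401: no usable or valid credentials; the client may retry with some, so a
         WWW-Authenticate challenge is included.
    403: the credentials identify a principal who is not permitted here.
         Different credentials might succeed, but these will not.
    404: substituted for 403 when `hide_existence` is set, so the client
         cannot learn that the resource exists.
    """
    if path not in ACL:
        return 404, {}, b""
    creds = parse_basic(authorization)
    if creds is None or not credentials_valid(*creds):
        return 401, {"WWW-Authenticate": 'Basic realm="demo"'}, b""
    user = creds[0]
    if user in ACL[path]:
        return 200, {}, b"ok"
    if hide_existence:
        # Same response as an unknown path: existence is not disclosed.
        return 404, {}, b""
    # Reasons are only exposed when the deployment has decided they are public.
    body = b"this account is not permitted on this resource" if public_reason else b""
    return 403, {}, body


def basic_header(user, password):
    """Build a Basic Authorization header value for a request."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    print(authorize("/reports"))                                          # 401
    print(authorize("/reports", basic_header("alice", "s3cret")))         # 200
    print(authorize("/reports", basic_header("bob", "hunter2")))          # 403
    print(authorize("/reports", basic_header("bob", "hunter2"), True))    # 404
```

Note that with `hide_existence=True` the 403 and the unknown-path case produce byte-identical responses; if the two branches differ in headers or body, the substitution stops protecting the resource's existence, which is the point of returning 404 rather than 403 in the first place.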