Re: #487 Resubmission of 403 from Julian Reschke on 2013-07-01 (ietf-http-wg@w3.org from July to September 2013)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 01 Jul 2013 22:09:18 +0200
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <51D1E1EE.7020903@gmx.de>

On 2013-07-01 19:36, Roy T. Fielding wrote:
>
> On Jun 30, 2013, at 9:17 AM, Julian Reschke wrote:
>
>> On 2013-06-20 17:54, Julian Reschke wrote:
>>>  From the ticket:
>>>
>>>> See comments in linked blog post; change
>>>>
>>>> "The client should not repeat the request with the same credentials."
>>>>
>>>> to
>>>>
>>>> "The client should not automatically repeat the request with the same
>>>> credentials."
>>>>
>>>> Since some flows using 403 may involve manipulating state somewhere
>>>> else, then resubmitting the request.
>>>
>>> ...where the blog post is:
>>> <http://www.mnot.net/blog/2013/05/15/http_problem>
>>>
>>> The current text is:
>>>
>>> "The 403 (Forbidden) status code indicates that the server understood
>>> the request but refuses to authorize it. A server that wishes to make
>>> public why the request has been forbidden can describe that reason in
>>> the response payload (if any).
>>>
>>> If authentication credentials were provided in the request, the server
>>> considers them insufficient to grant access. The client SHOULD NOT
>>> repeat the request with the same credentials. The client MAY repeat the
>>> request with new or different credentials. However, a request might be
>>> forbidden for reasons unrelated to the credentials.
>>>
>>> An origin server that wishes to "hide" the current existence of a
>>> forbidden target resource MAY instead respond with a status code of 404
>>> (Not Found)." --
>>> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-latest.html#status.403>
>>>
>>>
>>> It seems there's a bigger problem here:
>>>
>>> "If authentication credentials were provided in the request, the server
>>> considers them insufficient to grant access."
>>>
>>> This implies that *if* credentials have been provided, and the result is
>>> 403, it's due to the credentials.
>
> No, it does not.  Such a conclusion is not supportable by logic or
> English, and certainly not in programming languages, so I see no
> reason for a change here.  Read the entire paragraph.
 > ...

I did, and I still think it's misleading. Again:

"If authentication credentials were provided in the request, the server
considers them insufficient to grant access. The client SHOULD NOT
repeat the request with the same credentials. The client MAY repeat the
request with new or different credentials. However, a request might be
forbidden for reasons unrelated to the credentials."

So how does the client find out whether the credentials or something 
else caused the problem? In the first case, we say it SHOULD NOT repeat 
the request with the same credentials, in the second case we leave it 
somehow open.

Best regards, Julian

Received on Monday, 1 July 2013 20:09:49 UTC