- From: Eric Lawrence <ericlaw@exchange.microsoft.com>
- Date: Thu, 15 Mar 2007 09:33:07 -0700
- To: Mark Nottingham <mnot@mnot.net>
- CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Most authenticating proxies today will return a 407 and then a 403 if any automatically-provided credentials fail, so unsubscribing definitely seems like a bad idea on the part of the automated user-agent. <<Good question. Most of the ones I've seen recently redirect initially to a non-HTTPS site to avoid the certificate mismatch popup.>> The certificate mismatch popup or blocking page will also appear when the ~redirect~ is received by the browser, so the user still gets the warning. Worse still, they may choose not to proceed, and thus never see the "please give us money" page. -Eric -----Original Message----- From: Mark Nottingham [mailto:mnot@mnot.net] Sent: Thursday, March 15, 2007 9:30 AM To: Eric Lawrence Cc: ietf-http-wg@w3.org Group Subject: Re: New Status Code -- 2xx Greedy Hotel? On 15/03/2007, at 4:20 PM, Eric Lawrence wrote: > I'm not sure why a 403 isn't appropriate (or at least more > appropriate for 409) for this case? If an automated agent (e.g., RSS aggregator) sees a 403, they might take some action on it (e.g., unsubscribing, or calling the feed 'dead'), because they think that the resource itself has a problem. Not sure if that's a huge issue, it could probably be handled well if everyone gravitated towards 403 as the solution for this particular problem. It seems to me that it's mostly a matter of education, and a distinct status code might make that easier. I agree that 403, or maybe 400, is the best existing status code to use. 409 doesn't seem appropriate at all. > In my mind, the much more interesting question is how to handle a > HTTPS connection in this scenario. The hotel never provides a > certificate which correctly validates (since they can't get a > wildcard certificate that matches every link the user might choose > to initially visit). The resulting certificate name mismatch > leads to error dialogs, failed navigations, etc. Good question. Most of the ones I've seen recently redirect initially to a non-HTTPS site to avoid the certificate mismatch popup. > > Eric Lawrence > Program Manager > Internet Explorer Networking > > -----Original Message----- > From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg- > request@w3.org] On Behalf Of Mark Nottingham > Sent: Thursday, March 15, 2007 6:48 AM > To: ietf-http-wg@w3.org Group > Subject: New Status Code -- 2xx Greedy Hotel? > > > After being in hotels for a few weeks, I'm starting to wonder whether > a new 2xx HTTP status code could be defined whose semantic is "This > isn't what you asked for, but here's some information about how to > get network access so you can eventually get it." > > 2xx so that browsers will display it. AFAICT, they do; or at least, > Safari and Firefox do (see <http://www.mnot.net/test/222.asis>). IE? > 4xx might be more appropriate, but I despair of "friendly" error > messages. (thought they could be padded, I suppose). > > A new status code so that feed aggregators, automated clients, etc. > can differentiate what they asked for from your hotel / conference > centre / etc. asking for cash in order to get network access, and not > get horribly messed up as a result. > > It would also be useful in those cases where you get redirected > somewhere to login and get a cookie for authentication; e.g., Yahoo!, > Google, Amazon, etc. Same situation, but slightly different use case. > > Thoughts? > > -- > Mark Nottingham http://www.mnot.net/ > > -- Mark Nottingham http://www.mnot.net/
Received on Thursday, 15 March 2007 16:36:24 UTC