RE: New Status Code -- 2xx Greedy Hotel?

Most authenticating proxies today will return a 407 and then a 403 if any automatically-provided credentials fail, so unsubscribing definitely seems like a bad idea on the part of the automated user-agent.

<<Good question. Most of the ones I've seen recently redirect initially
to a non-HTTPS site to avoid the certificate mismatch popup.>>

The certificate mismatch popup or blocking page will also appear when the ~redirect~ is received by the browser, so the user still gets the warning.  Worse still, they may choose not to proceed, and thus never see the "please give us money" page.

-Eric

-----Original Message-----
From: Mark Nottingham [mailto:mnot@mnot.net]
Sent: Thursday, March 15, 2007 9:30 AM
To: Eric Lawrence
Cc: ietf-http-wg@w3.org Group
Subject: Re: New Status Code -- 2xx Greedy Hotel?


On 15/03/2007, at 4:20 PM, Eric Lawrence wrote:

> I'm not sure why a 403 isn't appropriate (or at least more
> appropriate for 409) for this case?

If an automated agent (e.g., RSS aggregator) sees a 403, they might
take some action on it (e.g., unsubscribing, or calling the feed
'dead'), because they think that the resource itself has a problem.
Not sure if that's a huge issue, it could probably be handled well if
everyone gravitated towards 403 as the solution for this particular
problem. It seems to me that it's mostly a matter of education, and a
distinct status code might make that easier.

I agree that 403, or maybe 400, is the best existing status code to
use. 409 doesn't seem appropriate at all.

> In my mind, the much more interesting question is how to handle a
> HTTPS connection in this scenario.  The hotel never provides a
> certificate which correctly validates (since they can't get a
> wildcard certificate that matches every link the user might choose
> to initially visit).   The resulting certificate name mismatch
> leads to error dialogs, failed navigations, etc.

Good question. Most of the ones I've seen recently redirect initially
to a non-HTTPS site to avoid the certificate mismatch popup.

>
> Eric Lawrence
> Program Manager
> Internet Explorer Networking
>
> -----Original Message-----
> From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-
> request@w3.org] On Behalf Of Mark Nottingham
> Sent: Thursday, March 15, 2007 6:48 AM
> To: ietf-http-wg@w3.org Group
> Subject: New Status Code -- 2xx Greedy Hotel?
>
>
> After being in hotels for a few weeks, I'm starting to wonder whether
> a new 2xx HTTP status code could be defined whose semantic is "This
> isn't what you asked for, but here's some information about how to
> get network access so you can eventually get it."
>
> 2xx so that browsers will display it. AFAICT, they do; or at least,
> Safari and Firefox do (see <http://www.mnot.net/test/222.asis>). IE?
> 4xx might be more appropriate, but I despair of "friendly" error
> messages. (thought they could be padded, I suppose).
>
> A new status code so that feed aggregators, automated clients, etc.
> can differentiate what they asked for from your hotel / conference
> centre / etc. asking for cash in order to get network access, and not
> get horribly messed up as a result.
>
> It would also be useful in those cases where you get redirected
> somewhere to login and get a cookie for authentication; e.g., Yahoo!,
> Google, Amazon, etc. Same situation, but slightly different use case.
>
> Thoughts?
>
> --
> Mark Nottingham     http://www.mnot.net/
>
>


--
Mark Nottingham     http://www.mnot.net/

Received on Thursday, 15 March 2007 16:36:24 UTC