- From: Thomson, Martin <Martin.Thomson@andrew.com>
- Date: Wed, 29 Sep 2010 09:45:29 +0800
- To: HTTP Working Group <ietf-http-wg@w3.org>
I've had a question about 403 from an engineer here, and I think that it's a valid one. The semantics of this header are well understood, but the actual text doesn't match that understanding.

See: http://lists.w3.org/Archives/Public/ietf-http-wg/2010JulSep/0085.html

Specifically, this point:

> 403 -> this is forbidden for you, but authenticating as somebody else may help

When compared with this sentence, from [1]:

    Authorization will not help and the request SHOULD NOT be repeated.

This sentence appears to be false [2] for the bulk of the cases where this status code is used. If the user was authorized, then it really would help.

I think that this is the actual intent:

    The server understood the request, but refuses to authorize it. Providing different user authentication credentials might be successful, but any credentials that were provided in the request are insufficient.

I also have a small editorial nit: the other text here about providing feedback is a separate concept and can be given a separate paragraph:

    A server can [MAY?] instead provide a 404 (Not Found) status code to prevent clients from learning of the existence of the resource. Alternatively, a server can provide a representation containing the reasons that the request was not fulfilled if this information can be made public.

Cheers,
Martin

[1] http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-11#section-8.4.4

[2] It seems that "Authorization" in this context refers to the HTTP header, rather than the concept. Either way, it's confusing.
Received on Wednesday, 29 September 2010 01:51:04 UTC
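The distinction the message argues for (401 when the client has not presented usable credentials, 403 when the credentials were valid but this principal is not authorized and different credentials might succeed, 404 when the server chooses not to reveal that the resource exists) is shown below as an added example. It is not code from the email, from the httpbis draft, or from any W3C/IETF project; the user database, the ACL, the paths and the `HIDDEN` set are constructed for illustration.

```python
"""Choosing between 401, 403 and 404 for an access-controlled GET.

Constructed example. USERS, ACL, HIDDEN and every path below are made up.
"""
import base64
import hmac
from dataclasses import dataclass, field

# Constructed credential store and per-path read ACL (not real data).
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {
    "/public/index.html": {"alice", "bob"},
    "/admin/users": {"alice"},      # forbidden for bob; safe to say so
    "/reports/q3.pdf": {"alice"},   # forbidden for bob; existence is secret
}
# Paths whose existence must not be disclosed to unauthorized principals:
# an unauthorized-but-authenticated client gets 404 here instead of 403.
HIDDEN = {"/reports/q3.pdf"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (for constructing requests)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(auth_header):
    """Return (user, password) from a Basic Authorization header, or None if unusable."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[len("Basic "):], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authenticate(auth_header):
    """Return the authenticated user name, or None if credentials are absent or wrong."""
    creds = parse_basic(auth_header)
    if creds is None:
        return None
    user, password = creds
    stored = USERS.get(user)
    if stored is None:
        return None
    # Constant-time comparison so a wrong password does not leak by timing.
    if hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        return user
    return None


def handle_get(path, auth_header=None):
    """Pick the status code for GET `path` given the request's Authorization header."""
    user = authenticate(auth_header)
    if user is None:
        # No valid credentials: challenge. This is sent regardless of whether
        # the path exists, so an anonymous client cannot enumerate paths.
        return Response(401, {"WWW-Authenticate": 'Basic realm="example"'})
    if path not in ACL:
        return Response(404)
    if user in ACL[path]:
        return Response(200, body=f"contents of {path}")
    # Authenticated, but this principal is not authorized. A 403 tells the
    # client that re-authenticating as someone else might help; for paths
    # whose existence is itself sensitive the server answers 404 instead.
    if path in HIDDEN:
        return Response(404)
    return Response(403, body="this account is not permitted to read this resource")


if __name__ == "__main__":
    for who, hdr in [("anonymous", None),
                     ("bob/wrong password", basic_header("bob", "nope")),
                     ("bob", basic_header("bob", "hunter2")),
                     ("alice", basic_header("alice", "s3cret"))]:
        for p in ("/public/index.html", "/admin/users", "/reports/q3.pdf", "/nope"):
            print(f"{who:20s} GET {p:20s} -> {handle_get(p, hdr).status}")
```

Note how the 404 branch for `HIDDEN` paths deliberately makes an authorized user's 200 and an unauthorized user's 404 the only two outcomes, so the unauthorized user learns nothing that a request for a genuinely absent path would not also tell them.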