Re: Status code for censorship? from Tim Bray on 2012-06-11 (ietf-http-wg@w3.org from April to June 2012)

From: Tim Bray <tbray@textuality.com>
Date: Mon, 11 Jun 2012 08:39:44 -0700
To: James M Snell <jasnell@gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, Karl Dubost <karld@opera.com>, ietf-http-wg@w3.org
Message-ID: <CAHBU6iu+J9D_x710J2R2u3zwoxqJd92AsFzcE7wSce4+hKE0uQ@mail.gmail.com>

Well, the practical argument is programmer behavior, in the way that client
devs handle the codes.  I regularly see code along the lines of:

else if (status == 401)
 // do authent stuff
else if (status == 403)
 // apologize and explain
else if (status/100 == 5)
 // apologize for server misbehavior without many details (which would
probably not be helpful to end-user anyhow)

So we want a result like 403, not 5XX.  So 403 would not be flatly
incorrect, but I still think a new 4XX would be desirable. Would it be
used?  Well, in most web frameworks, you can already provide any old
integer status code, so I don’t think any infrastructure development would
be required.  I suspect the browser people would be happy to provide a
boilerplate message if the status code became official.

And finally, I am sure that some websites under government pressure would
be happy to lie and deny censorship exists, but I am quite certain that
lots of others would welcome the chance to make clear the responsibility
for the blockage. I would welcome being so informed in those situations.

So where’s the downside?

-T

On Mon, Jun 11, 2012 at 8:27 AM, James M Snell <jasnell@gmail.com> wrote:
> On Mon, Jun 11, 2012 at 4:09 AM, Mark Nottingham <mnot@mnot.net> wrote:
>>[snip]
>>> Censorship happens sometimes in other states through decision of laws
and/or regulations. For example, a network in a corporate environment
blocking certain sites through proxy (such as social networks). A library
blocking some sites through proxy to other users. In these cases, the
organization in charge of it might want to advertise it for reasons which
seem perfectly legible to them.
>>
>> Yes. However, as discussed, current status codes can be used for this,
and the HTML will explain what's going on. The one remaining motivation
that I can see would be a similar situation that got us 511; non-browser
devices that get confused by what's going on. However, since this isn't a
redirect, but just a refusal, it's less of an issue, practically.
>>
>
> True, however, with 511, there is a distinct practical action that the
> user-agent can take in response to the specific code... namely,
> authenticating with the network prior to retrying the request. There
> is no such clear response action with this.
>
> Further, one additional consideration is the case where a particular
> request is blocked through similar policy-driven action. A 4xx
> response would be perfectly reasonable in such cases. My initial
> inclination was to use a new 5xx code but the more I go through the
> cases, the more I think 403 is just fine.
>
> - James
>
>> Cheers,
>>
>>
>>
>> --
>> Mark Nottingham   http://www.mnot.net/
>>
>>
>>

Received on Monday, 11 June 2012 15:40:38 UTC