- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 20 Jun 2013 17:54:19 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
From the ticket:

> See comments in linked blog post; change
>
> "The client should not repeat the request with the same credentials."
>
> to
>
> "The client should not automatically repeat the request with the same credentials."
>
> Since some flows using 403 may involve manipulating state somewhere else, then resubmitting the request.

...where the blog post is: <http://www.mnot.net/blog/2013/05/15/http_problem>

The current text is:

"The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found)."

-- <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-latest.html#status.403>

It seems there's a bigger problem here:

"If authentication credentials were provided in the request, the server considers them insufficient to grant access."

This implies that *if* credentials have been provided, and the result is 403, it's due to the credentials.

(Note that this text isn't from 2616 anyway)

Best regards, Julian
Received on Thursday, 20 June 2013 15:54:53 UTC
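An added example, not part of the message above or of the httpbis draft, showing the client behaviour the ticket asks for: after a 401 the client may retry once with different credentials, but after a 403 it never automatically resubmits the same credentials, since the draft itself notes the refusal may be unrelated to them. The server model (`make_demo_server`) and the role table are constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for an origin server: credentials -> HTTP status.
Server = Callable[[Optional[str]], int]
Attempt = Tuple[int, Optional[str]]


def request_with_policy(server: Server,
                        credentials: Optional[str],
                        get_new_credentials: Callable[[], Optional[str]]
                        ) -> Tuple[int, List[Attempt]]:
    """Send once; retry at most once, and only after 401 with *different* credentials.

    Returns the final status and every (status, credentials) attempt made, so the
    retry behaviour can be inspected or audited.
    """
    attempts: List[Attempt] = []
    status = server(credentials)
    attempts.append((status, credentials))
    if status == 401:
        # 401 is a challenge: one more try with new credentials is allowed.
        new_creds = get_new_credentials()
        if new_creds is not None and new_creds != credentials:
            status = server(new_creds)
            attempts.append((status, new_creds))
    # 403: understood but refused. Whether or not credentials were sent, the
    # reason may have nothing to do with them, so nothing is resubmitted here;
    # changing state and resubmitting is a deliberate decision for the caller.
    return status, attempts


def make_demo_server(roles: Dict[str, str], admin_only: bool,
                     resource_disabled: bool) -> Server:
    """Constructed server model covering both 403 cases the draft text mixes up."""
    def handle(credentials: Optional[str]) -> int:
        if credentials not in roles:
            return 401                  # no usable credentials: challenge
        if resource_disabled:
            return 403                  # forbidden regardless of who asks
        if admin_only and roles[credentials] != "admin":
            return 403                  # credentials understood but insufficient
        return 200
    return handle
```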