Browser display of 403 response bodies on CONNECT

Hi all,

We're seeing nowadays that many browsers don't display the content of a 403 
denial response to a CONNECT request, instead displaying some generic 
home-baked browser warning about being unable to make a connection.

This is causing quite a bit of trouble.

Is there any language in the RFC that encourages or discourages this 
behaviour, or should there be?

Personally I view this behaviour as undesirable at best and certainly 
confusing for customers as they see a page for a blocked http request 
explaining why the proxy blocked it, but not so for https requests.

I understand some proxies fake up the TLS connection in order to pipe 
back a block page, but this is a very undesirable way to resolve this 
issue, and has many side-effects (cert warnings etc).

Section 3.3 of RFC 7230 discusses bodies on 2xx responses to CONNECT, but 
not other response codes.

Section 4.3.6 of RFC 7231 (CONNECT) doesn't cover this either.

Section 3.1 of RFC 7235 mentions in the context of a 401 that the 
representation should be presented to the user, but we can't use that 
instead as it has side-effects of popping login dialogs.  Interestingly 
the prose for 407 doesn't contain this recommendation either.  Maybe we 
need a general section on how clients should deal with bodies on error 
responses.

Regards

Adrien

Received on Wednesday, 17 June 2015 20:49:49 UTC
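As an added illustration of the framing the message refers to (example code, not part of Adrien's post or any browser or proxy): a minimal parser that applies the RFC 7230 section 3.3.3 rules to a proxy's response to CONNECT. Only a 2xx switches the connection to tunnel mode; a 403 is framed like any other response, so its Content-Length body (the proxy's block page) is fully available to the client. The sample responses below are constructed.

```python
"""Framing of proxy responses to CONNECT, per RFC 7230 section 3.3.3.

A 2xx response to CONNECT has no message body: bytes after the header
block belong to the tunnel. Any other status (e.g. 403) is framed as an
ordinary response, so a Content-Length body can carry a block page.
"""


def parse_connect_response(raw: bytes):
    """Return (status, headers, body, tunnel_data) for a raw response.

    body is None for 2xx (tunnel established); tunnel_data is b"" for
    non-2xx responses. Chunked bodies are out of scope for this example.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if 200 <= status < 300:
        # Tunnel established: what follows is opaque TLS/tunnel data.
        return status, headers, None, rest
    if "chunked" in headers.get("transfer-encoding", "").lower():
        raise ValueError("chunked framing not handled in this example")
    if "content-length" in headers:
        body = rest[: int(headers["content-length"])]
    else:
        # RFC 7230 3.3.3 rule 7: body runs until the connection closes.
        body = rest
    return status, headers, body, b""


# Constructed sample responses (hypothetical proxy output).
BLOCK_PAGE = b"<html><body>Blocked by proxy policy</body></html>"
FORBIDDEN = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(BLOCK_PAGE)).encode() + b"\r\n"
    b"\r\n" + BLOCK_PAGE
)
TUNNEL_OK = b"HTTP/1.1 200 Connection established\r\n\r\n\x16\x03\x01"

if __name__ == "__main__":
    print(parse_connect_response(FORBIDDEN)[:3])
    print(parse_connect_response(TUNNEL_OK))
```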