Re: [451] #80: Distinguishing intermediaries from origins

Interesting.  I’ve been thinking of this in the context of my current day
job at AWS. [OBLIGATORY DISCLOSURE: Not speaking for. Not asking anyone.
They probably think I’m crazy, etc]

Someone could have a web site pasted together with a combination of S3
static hosting, Lambda API gateway, various database services, CloudFront,
and Route 53 DNS. Except for, lots of people don't, they get those services
from lots of different vendors; I offer the list to outline how many pieces
make up a web app.  Now, a legal threat might be made against pretty well
any link in this chain, and figuring out whether to use 451 or 452 could be
hard.  BUT, it would be useful to know where the legal blockage is.

451's technical goal is to allow crawlers and other automated agents to
detect and report on legal blockages.  For such tracking, there are two
things it would be useful to know:
1. The resource being blocked
2. Who actually is interposing the blockage

The combination of the URI and the 451 code takes care of #1.

As for #2, this feels like a job for an HTTP header, say
“Blocker-for-legal-reasons”.  It should take a list value in the case that
there are multiple entities blocking a request, something that wouldn't be
terribly surprising.  That leaves the question of what sort of values are
appropriate to identify the entities doing the blocking.  URIs are the most
obvious candidates.

Anyone got a pointer to an I-D or RFC that they think does a good job of
specifying a new header?  Rather than argue about abstractions, I’ll draft
up some language to see what such a header would look like.

On Mon, Aug 24, 2015 at 1:19 AM, Poul-Henning Kamp <>

> --------
> In message <>,
> nicol
> writes:
> >> For the ISP there would be considerable benefits to making it look
> >> like origin censorship:  It would reduce help-desk workload, it
> >> would deflect blame for a controversial practice away from the ISP
> >> etc.  etc.
> >
> >That only works if the user considers the signal to be reliable.
> >If one lies about it he won't.
> >
> >So to actually reduce helpdesk workload an ISP needs to be very
> >clear and clean on who blocks what, because otherwise people will
> >just call the helpdesk by default.
> And sending "451 Not Allowed by Origin" would certainly do that.
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.

- Tim Bray (If you’d like to send me a private message, see

Received on Tuesday, 25 August 2015 15:53:59 UTC
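
The crawler-side check discussed in the message above, as an added example that is not part of the original thread: it reads a 451 response, merges every occurrence of the proposed "Blocker-for-legal-reasons" header, and reports the blocked resource together with the blocking entities. The message leaves the header's syntax open, so the comma-separated list of absolute http(s) URIs used here is an assumption, and the sample response and all hosts are constructed.

```python
from urllib.parse import urlsplit

# Header name as proposed in the message; it is not a registered HTTP header.
HEADER = "blocker-for-legal-reasons"

# Constructed sample response; hosts and URIs are placeholders.
SAMPLE = (
    b"HTTP/1.1 451 Unavailable For Legal Reasons\r\n"
    b"Content-Type: text/html\r\n"
    b"Blocker-for-legal-reasons: https://cdn.example/legal, https://isp.example/notices/17\r\n"
    b"Blocker-For-Legal-Reasons: not a uri\r\n"
    b"\r\n"
    b"<html>blocked</html>"
)

def parse_head(raw):
    """Return (status code, [(lowercased field name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    fields = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip().lower(), value.strip()))
    return status, fields

def blockers(fields):
    """Merge repeated header lines; split on commas (assumed list syntax)."""
    accepted, rejected = [], []
    for name, value in fields:
        if name != HEADER:
            continue
        for item in (part.strip() for part in value.split(",")):
            if not item:
                continue
            try:
                uri = urlsplit(item)
                ok = uri.scheme in ("http", "https") and bool(uri.netloc) and " " not in item
            except ValueError:
                ok = False
            (accepted if ok else rejected).append(item)
    return accepted, rejected

def report(requested_uri, raw):
    """Return the (resource, blockers) record for a 451, else None."""
    status, fields = parse_head(raw)
    if status != 451:
        return None
    ok, bad = blockers(fields)
    return {"resource": requested_uri, "blockers": ok, "rejected": bad}
```

Values that fail validation are kept in `rejected` rather than dropped, so a tracker can see that a blocker identity was asserted but could not be interpreted.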