On Wednesday 02 January 2002 11:32, Mike Orr wrote:
> On Wed, Jan 02, 2002 at 10:56:20AM -0800, Chuck Esterbrook wrote:
> > On Wednesday 02 January 2002 10:04 am, Tavis Rudd wrote:
> > > > I agree. Unless someone has an argument for 403 Forbidden, I
> > > > prefer to just have 404 Not Found.
> > >
> > > I'm not sure we gain anything extra by returning a 404 instead
> > > of 403. This is essentially security by obscurity, but it's
> > > not clear what we're trying to obscure. Anyone familiar with
> > > WebKit will know that .pyc files exist and that .py~ files
> > > probably exist. What else might we be revealing?
> >
> > Regarding security, I prefer the position "What is the motivation
> > for revealing internal details of the system?" If there is no
> > such motivation, I don't reveal the detail.
> >
> > I think that's a safer approach than exposing unnecessary details
> > of a system because we can't currently imagine any harm.
>
> Forbidden doesn't necessarily mean the file exists. It just means
> the server is denying the request for some policy reason. For
> instance, maybe there's a DENY FROM ALL on the entire directory, or
> maybe your site is blacklisted, or maybe the maintainer is doing
> updates and wants to lock that section out until he's done.
>
> Forbidden means "Go away! Scram! You're not wanted here!" Not
> found may be interpreted as, "Oops, you may have mistyped the URL,
> try again."
>
> On the other hand, if we want to pretend *.pyc and *.py~ aren't in
> the webspace, maybe Not Found would be appropriate.
>
> I agree that we should follow Apache's model and use Forbidden for
> any security-sensitive files like .webkit, whether or not they