From: <ir...@ms...> - 2002-01-02 19:27:43
On Wed, Jan 02, 2002 at 10:56:20AM -0800, Chuck Esterbrook wrote:
> On Wednesday 02 January 2002 10:04 am, Tavis Rudd wrote:
> > > I agree. Unless someone has an argument for 403 Forbidden, I prefer
> > > to just have 404 Not Found.
> >
> > I'm not sure we gain anything extra by returning a 404 instead of
> > 403. This is essentially security by obscurity, but it's not clear
> > what we're trying to obscure. Anyone familiar with WebKit will know
> > that .pyc files exist and that .py~ files probably exist. What else
> > might we be revealing?
>
> Regarding security, I prefer the position "What is the motivation for
> revealing internal details of the system?" If there is no such
> motivation, I don't reveal the detail.
>
> I think that's a safer approach than exposing unnecessary details of a
> system because we can't currently imagine any harm.

Forbidden doesn't necessarily mean the file exists. It just means the server is denying the request for some policy reason. For instance, maybe there's a DENY FROM ALL on the entire directory, or maybe your site is blacklisted, or maybe the maintainer is doing updates and wants to lock that section out until he's done. Forbidden means "Go away! Scram! You're not wanted here!" Not found may be interpreted as, "Oops, you may have mistyped the URL, try again."

On the other hand, if we want to pretend *.pyc and *.py~ aren't in the webspace, maybe Not Found would be appropriate.

I agree that we should follow Apache's model and use Forbidden for any security-sensitive files like .webkit, whether or not they exist.

--
-Mike (Iron) Orr, ir...@ms... (if mail problems: ms...@oz...)
http://iron.cx/ English * Esperanto * Russkiy * Deutsch * Espan~ol
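An added example (not code from this thread or from WebKit/Webware) that makes the point of the last paragraph concrete: a dispatcher that answers 403 for internal files only when they exist lets the status code confirm which files are present, whereas the Apache-style policy answers 403 for the pattern whether or not the file is there. The suffix and file-name lists and the sample webspace are assumptions made for the illustration.

```python
from pathlib import PurePosixPath

# Assumed patterns for server-internal files the thread mentions.
INTERNAL_SUFFIXES = (".pyc", ".py~")
INTERNAL_NAMES = (".webkit",)

# Constructed sample webspace: the files that actually exist on the server.
WEBSPACE = frozenset({"/index.html", "/Main.pyc", "/Main.py~"})


def is_internal(path: str) -> bool:
    """True if the request names a file the server should never serve."""
    name = PurePosixPath(path).name
    return name in INTERNAL_NAMES or name.endswith(INTERNAL_SUFFIXES)


def leaky_status(path: str, exists: bool) -> int:
    """Answer 403 only for internal files that exist, 404 otherwise.

    The status now depends on existence, so a 403 confirms the file is there.
    """
    if is_internal(path):
        return 403 if exists else 404
    return 200 if exists else 404


def uniform_status(path: str, exists: bool) -> int:
    """Apache-style: 403 for any internal path, regardless of existence."""
    if is_internal(path):
        return 403
    return 200 if exists else 404


def respond(policy, path: str, webspace=WEBSPACE) -> int:
    """Resolve existence against the webspace and apply the chosen policy."""
    return policy(path, path in webspace)


def existence_revealed(policy, path: str) -> bool:
    """True when the status code differs between the file existing and not."""
    return policy(path, True) != policy(path, False)


if __name__ == "__main__":
    for p in ("/Main.pyc", "/Other.pyc", "/app/.webkit", "/index.html"):
        print(p, respond(leaky_status, p), respond(uniform_status, p))
```

Under `uniform_status` every `.pyc` request gets the same 403, present or not, so the response carries no information about the filesystem beyond the policy itself.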