From: Tavis R. <ta...@ca...> - 2002-01-02 19:40:49
Well said.

On Wednesday 02 January 2002 11:32, Mike Orr wrote:
> On Wed, Jan 02, 2002 at 10:56:20AM -0800, Chuck Esterbrook wrote:
> > On Wednesday 02 January 2002 10:04 am, Tavis Rudd wrote:
> > > > I agree. Unless someone has an argument for 403 Forbidden, I prefer to just have 404 Not Found.
> > >
> > > I'm not sure we gain anything extra by returning a 404 instead of 403. This is essentially security by obscurity, but it's not clear what we're trying to obscure. Anyone familiar with WebKit will know that .pyc files exist and that .py~ files probably exist. What else might we be revealing?
> >
> > Regarding security, I prefer the position "What is the motivation for revealing internal details of the system?" If there is no such motivation, I don't reveal the detail.
> >
> > I think that's a safer approach than exposing unnecessary details of a system because we can't currently imagine any harm.
>
> Forbidden doesn't necessarily mean the file exists. It just means the server is denying the request for some policy reason. For instance, maybe there's a DENY FROM ALL on the entire directory, or maybe your site is blacklisted, or maybe the maintainer is doing updates and wants to lock that section out until he's done.
>
> Forbidden means "Go away! Scram! You're not wanted here!" Not Found may be interpreted as, "Oops, you may have mistyped the URL, try again."
>
> On the other hand, if we want to pretend *.pyc and *.py~ aren't in the webspace, maybe Not Found would be appropriate.
>
> I agree that we should follow Apache's model and use Forbidden for any security-sensitive files like .webkit, whether or not they exist.
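The two policies the thread weighs, written out as an added example that is not part of the original thread or of Webware/WebKit's own code. The filename patterns (.pyc, .py~, .webkit) are the ones named above; the `exists` flag is assumed to come from the caller's own filesystem lookup.

```python
from pathlib import PurePosixPath

# Names the thread treats as security-sensitive: compiled modules, editor
# backup files, and WebKit's .webkit control files (constructed list).
SENSITIVE_SUFFIXES = (".pyc", ".py~")
SENSITIVE_NAMES = (".webkit",)


def is_sensitive(url_path: str) -> bool:
    """True if the request targets a file the server should never serve."""
    name = PurePosixPath(url_path).name
    return name.endswith(SENSITIVE_SUFFIXES) or name in SENSITIVE_NAMES


def naive_status(url_path: str, exists: bool) -> int:
    """Policy that only forbids sensitive files which actually exist.

    The response itself tells an observer whether the file is present:
    403 means it is there, 404 means it is not.
    """
    if is_sensitive(url_path):
        return 403 if exists else 404
    return 200 if exists else 404


def apache_style_status(url_path: str, exists: bool) -> int:
    """Apache-style policy from the thread: sensitive names get 403 whether
    or not the file exists, so the status code reveals nothing about it."""
    if is_sensitive(url_path):
        return 403
    return 200 if exists else 404


def leaks_existence(policy, url_path: str) -> bool:
    """Does a policy answer differently for a present vs. an absent file?"""
    return policy(url_path, True) != policy(url_path, False)


if __name__ == "__main__":
    for policy in (naive_status, apache_style_status):
        print(policy.__name__, "leaks:", leaks_existence(policy, "/Examples/Main.pyc"))
```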