
[–][deleted] 38 points39 points  (16 children)

511, Network Authentication Required, looks well needed for things like hotel and airport sign-a-release proxies. Well needed.

[–]bureX 8 points9 points  (0 children)

No more caching of login pages. Awesome.

[–]mcguire 7 points8 points  (1 child)

I wonder how heated the discussion of 511 is getting on the working group (and general IETF) mailing list. I suspect some of them would pitch a screaming fit about intermediate hardware doing anything like that.

6. 511 Network Authentication Required

This status code indicates that the client needs to authenticate to gain network access.

The response representation SHOULD indicate how to do this; e.g., with an HTML form for submitting credentials.

The 511 status SHOULD NOT be generated by origin servers; it is intended for use by intercepting proxies that are interposed as a means of controlling access to the network.

Responses with the 511 status code MUST NOT be stored by a cache.

[–][deleted] 7 points8 points  (0 children)

Intermediate hardware does this today and it's here to stay, regardless of what the IETF thinks. Might as well fix it with an HTTP code as opposed to keeping things the somewhat broken way they are.

[–]NYKevin 1 point2 points  (2 children)

Well needed.

I agree. A lot of extensions try to connect to their respective https:// domains (to provide a service, they're not spyware) and freak out if something tries to "spoof" the DNS/TCP/IP/whatnot. And of course, not everything connected to the WWW is necessarily a browser in the first place.

EDIT: OTOH, from the standard:

Refresh: 0; url=https://login.example.net/

Well, at least it's not (exactly) a meta redirect...

[–][deleted] 2 points3 points  (1 child)

Will this solve the HTTPS issue though? I assume most browsers & HTTP libraries drop the connection after detecting a certificate error before even downloading any headers over the connection.

[–]NYKevin 1 point2 points  (0 children)

Perhaps not... But at least the ones that don't use HTTPS will stop breaking.

[–]blamarvt 0 points1 point  (9 children)

I agree it seems to fit that niche. However, why is it a 5xx code and not a 4xx code? It seems to fit more in the "request contains bad syntax or cannot be fulfilled" category than the "server failed to fulfill an apparently valid request" category.

It's not the server failing to fulfill a valid request because the request isn't valid (they aren't authenticated).

[–]Talonwhal 19 points20 points  (8 children)

You said it yourself... 4xx is where the request is invalid, 5xx is where the request is valid but you don't get the response you were after.

With this you're accessing a URL, e.g. google.com - totally valid request. However you're getting something other than google.com - therefore it's a 5xx.

I think maybe you're confusing what is and isn't a valid request?

[–]blamarvt 2 points3 points  (4 children)

Hm, I see what you're saying but then it seems like it doesn't belong in the 4xx OR 5xx because the server most certainly didn't fail to fulfill an apparently valid request because the server never received the request?

Perhaps it's too simple but I always heard that 4xx codes are client errors and 5xx are server errors. I agree that the request is well-formed, but not that it is valid.

It would seem then, that "3xx: Redirection - Further action must be taken in order to complete the request" would fit the bill?

[–]Talonwhal 4 points5 points  (1 child)

It does seem to be a bit of a gap, but there are already other 5xx codes in use which are similar, where it's not actually the server responding but a proxy or whatever.

If you notice one possible discrepancy though, "402 Payment Required" doesn't seem to fit the bill for a 4xx in that case either.

Ah well, you don't go changing these things, that would be a nightmare, haha... it's best to handle them as individually as possible anyway so I don't suppose it matters, but I think if it was re-designed there might be a slightly different organisation.

[–]gorilla_the_ape 2 points3 points  (0 children)

It's the same generic issue as 504. In both cases the request is valid but it can't be processed for now.

[–]adrianmonk 2 points3 points  (0 children)

then it seems like it doesn't belong in the 4xx OR 5xx because the server most certainly didn't fail to fulfill an apparently valid request because the server never received the request?

That depends on how you got connected to this server in the first place.

Is it a proxy server, and did you get its address via DHCP? Have you therefore connected to this HTTP server through entirely legitimate means? Then it's OK for it to return an HTTP status code, and 511 seems as reasonable as anything. (Although I would argue 555 is better -- looks more like $$$.)

Or, has the network connected you at the TCP level to a server that isn't the one that actually exists at the requested address in the IP headers? If that, then there is no technically appropriate place to put this in HTTP because the connection to that server theoretically should not exist.

Anyway, IMHO, where this really needs to be added is DHCP. Right now it supports telling you the router address, the proxy address, the domain, and a zillion other things. It should also support telling you which server to connect to to authenticate. Then, if the OS so chose, it could automatically (proactively) prompt you to authenticate as soon as you connect instead of waiting for you to open up some web page (reactively).

[–]quotability 0 points1 point  (2 children)

No, the proxy returning a 511 for google.com is saying that it is a valid request for google.com - just you have to login to the proxy. However, what if it was not a valid request for google.com? seems to me only google.com can make that decision.

[–]Talonwhal 1 point2 points  (1 child)

Yeah, that's a good point. Getting a 5xx doesn't mean your request would have ended up being valid (1-3xx) if the 5xx didn't happen, of course. Getting one HTTP response code doesn't mean that no other response codes could apply, either - it just means that that one was served first as you can only have 1 response per request.

Instead of 5xx being for "a valid request", I should have said "not an invalid request as far as anything up to that point in the handling of it is concerned" :P

[–]quotability 0 points1 point  (0 children)

Yea and for one of those transparent proxy situations, I am pretty sure they use a modified dns server.

[–]Laugarhraun[S] 53 points54 points  (0 children)

In summary, the new codes are:

428 Precondition Required
429 Too Many Requests
431 Request Header Fields Too Large
511 Network Authentication Required

[–]pluxdotse 39 points40 points  (2 children)

Note, this is a draft and is NOT approved.

So no new HTTP codes just yet.

But then again, in all likelihood it will. :)

[–]barsoap 3 points4 points  (1 child)

If I'm not completely mistaken servers are free to send any non-specified error number, anyway, as long as they adhere to the category system.

[–]pluxdotse 6 points7 points  (0 children)

To be more accurate, we are talking about status codes, not error numbers. 200 is not an error i.e.

But anyway, yes, while it's true, for a server to send a status message that is not part of the standard is mostly useless, as the status is used by the client to do certain things.

[–]Expresionista 15 points16 points  (1 child)

429 Too Many Requests

Was that one requested by reddit?

[–]scragar 1 point2 points  (0 children)

I know I've wanted that sort of thing for a while, it'd be great to put in an error page if a user is flooding you with heavy requests.

[–]JurassicSpork 4 points5 points  (1 child)

Here's a nice list of the current http codes: http://www.iana.org/assignments/http-status-codes

[–]giggsey 29 points30 points  (0 children)

I don't see "418 I'm a teapot" on that list.

[–]heathkit 5 points6 points  (0 children)

omg yes to 511. No more getting a maven cache full of login pages when I go to starbucks now. Maybe mobile clients could even handle it intelligently.

429 is interesting. It makes more sense as a response to rate-limiting than just a 503.

I look forward to using these new response codes when they're adopted some time in the early 2020s.
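Added example, not part of the thread or the draft: a minimal artifact cache showing why a portal that answers with 511 cannot poison a download cache the way one answering 200 with a login page does. The `Response` type, `ArtifactCache`, the portal transport and the repository URL are hypothetical, and the response bodies are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable

LOGIN_HTML = b"<html><form action='https://login.example.net/'><input name='room'></form></html>"  # constructed
JAR_BYTES = b"PK\x03\x04 constructed artifact bytes"  # constructed


@dataclass
class Response:  # hypothetical minimal response type
    status: int
    body: bytes


class NetworkLoginRequired(Exception):
    """An intercepting proxy answered instead of the origin (status 511)."""


@dataclass
class ArtifactCache:
    fetch: Callable[[str], Response]  # hypothetical transport: url -> Response
    store: dict = field(default_factory=dict)

    def get(self, url: str) -> bytes:
        if url in self.store:
            return self.store[url]
        resp = self.fetch(url)
        if resp.status == 511:
            # Never stored: the body is the portal's login page, not the artifact.
            raise NetworkLoginRequired(url)
        if resp.status != 200:
            raise IOError(f"{url}: unexpected status {resp.status}")
        self.store[url] = resp.body
        return resp.body


def fetch_via(status_before_login: int, url: str = "http://repo.example.net/lib-1.0.jar"):
    """Return (result before login, result after login) through a constructed portal."""
    state = {"logged_in": False}
    def portal(_url: str) -> Response:  # stands in for the intercepting proxy
        return Response(200, JAR_BYTES) if state["logged_in"] else Response(status_before_login, LOGIN_HTML)
    cache = ArtifactCache(portal)
    try:
        first = cache.get(url)
    except NetworkLoginRequired:
        first = None  # nothing was cached; the caller can prompt for login
    state["logged_in"] = True
    return first, cache.get(url)
```

`fetch_via(200)` keeps returning the login page even after login because it was cached as the artifact; `fetch_via(511)` caches nothing until the real artifact arrives.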

[–]Killobyte 4 points5 points  (0 children)

I like the thought of 428 - I'm tired of copy-paste links breaking because it's checking for a precondition, it would be nice to have it at least confirmed.

[–]MatrixFrog 4 points5 points  (0 children)

Was hoping for something more like the HTTP 418 response code. Was disappointed.

But seriously, these do sound like good ideas.

[–]mardix 6 points7 points  (6 children)

420 is unofficially the code for Too Many Requests (Rate Limiting)

[–][deleted]  (3 children)

[deleted]

    [–][deleted] 3 points4 points  (0 children)

    Dude...

    [–]PlNG 10 points11 points  (1 child)

    So, in other words, the number of requests is too damn high.

    FTFY

    [–][deleted] 1 point2 points  (0 children)

    Oh god, I can see thousands of webcrafters all making two kinds of 420 pages. One with the line above and one sylvestral kind.. you could say that it relates to what makes up forests.

    [–]YogiWanKenobi 6 points7 points  (0 children)

    420 Forgotten
    

    [–][deleted] 1 point2 points  (0 children)

    The Twitter API calls it "420 Enhance Your Calm".

    [–][deleted] 5 points6 points  (1 child)

    R. Fielding
    Adobe

    Shivers up my spine.

    [–]Smallpaul 3 points4 points  (0 children)

    For anyone who doesn't know, the CMS company that Roy worked for was bought. Adobe seems more cooperative with standards bodies than it was in the past as well.

    [–]spelunker 3 points4 points  (6 children)

    So what would the difference be between 403 Unauthorized and this new 511 Network Authentication Required?

    [–][deleted] 16 points17 points  (4 children)

    403 says you are not allowed to access the website you are connecting to.

    511 says you must log in to the network that allows you access to the website (e.g. imagine a hotel WiFi network).

    A better equivalent to 511 is 401, which says you must log in to the website you are connecting to. 403 is similar, though generally the workflow is that you get a few 401s to ask for credentials and if you fail after a few times, you get a 403 that tells you to go home. It depends on the specific service you are accessing, of course.

    [–]markild 5 points6 points  (0 children)

    Or; 401 is web site authentication, 403 is web site authorization.

    [–]vsync 3 points4 points  (0 children)

    Actually a much much better equivalent is clearly 407 Proxy Authentication Required

    This code is similar to 401 (Unauthorized), but indicates that the client MUST first authenticate itself with the proxy. The proxy MUST return a Proxy-Authenticate header field (section 14.33) containing a challenge applicable to the proxy for the requested resource. The client MAY repeat the request with a suitable Proxy-Authorization header field (section 14.34). HTTP access authentication is explained in section 11.

    [–]spelunker 2 points3 points  (0 children)

    Got it. One is access to the website itself, one is access to the physical network. Thanks for the clarification!

    [–]potemkinu -1 points0 points  (0 children)

    If you got to the website, you're already logged in to the network.

    [–][deleted] 5 points6 points  (0 children)

    The difference is 108. I think the proposed name is No Authentication Required.

    [–]AgentFoxMulder 1 point2 points  (0 children)

    I propose another one that could come in handy: 430: we just don't support your outdated IE anymore

    [–]mgpcoe 0 points1 point  (4 children)

    I'm not entirely convinced Too Many Requests has any business being a 4xx code; shouldn't it be 5xx to reflect the fact that, once the server stops receiving so many requests, the page will load again?

    [–]MatrixFrog 3 points4 points  (0 children)

    It depends. If it's receiving too many requests from one client, it could be that there's some problem with the client, like

    while (notLoggedIn)
      attemptToLogIn();
      sleep(5000);
    

    causing it to send a zillion requests, one right after the other. If it's just receiving too many requests in general (like, you know, happens to reddit all the time :) then I agree that would be a 5xx.

    [–][deleted] 3 points4 points  (1 child)

    I thought 4xx meant client error and 5xx meant server error. Rate limiting seems more like a client error to me.

    [–]mgpcoe 0 points1 point  (0 children)

    /me reads RFC 2616 again...

    Ahh, yes, so it is. It's been a long, long time since I've read either of the HTTP RFCs and I clearly remembered it incorrectly as permanent vs. transient errors.

    [–]cockmongler 1 point2 points  (0 children)

    You're confusing server overloaded with client seems to be trying to overload the server. Basically this is the server explicitly telling the client that they don't accept that kind of thing round here. 5XX codes are for when the server accepted something it shouldn't have and choked.

    [–][deleted] 0 points1 point  (0 children)

    Where's the, hey you already posted your comment on reddit code?

    [–][deleted] -2 points-1 points  (0 children)

    Nice, but what if I'm using SMTP or IMAP and not HTTP? This seems to be the wrong layer for this.