404 VS 403指数目录丢失时 [英] 404 vs 403 when directory index is missing

问题描述

这主要是关于国米preT HTTP规范的最好办法一个哲学问题。如果没有目录索引（例如，index.html）的目录中返回404或403？ （403是Apache的默认设置。）

This is mostly a philosophical question about the best way to interpret the HTTP spec. Should a directory with no directory index (e.g. index.html) return 404 or 403? (403 is the default in Apache.)

例如，假设下面的网址，并且可触及：

For example, suppose the following URLs exist and are accessible:

http://example.com/files/file_1/
http://example.com/files/file_2/

但没有什么：

http://example.com/files/

（假设我们正在使用301重定向强制尾随斜线的所有URL）。

(Assume we're using 301s to force trailing slashes for all URLs.)

我想几件事情要考虑：

• 默认情况下，阿帕奇在这种情况下返回403。这对我来说显著。他们已经想过这个东西，他们为使用403的决定。


• 根据W3C，403的意思是服务器理解请求，但是拒绝完成它。我认为这意味着你应该返回403如果URL是有意义的，但仍然被禁止。


• 403可能会导致信息泄露，如果客户端正确地猜测该URL映射到磁盘上的真实目录。


• http://example.com/files/ 不是一种资源，而且它在内部映射到一个目录不应该是相关的状态的事实code。


• 如果您间preT URL方案从客户端的角度定义的目录结构的 的，内部实行仍然是无关紧要的，但也许是外观确实应该对状态有些关系codeS。也许，即使你创建相同的URL结构不使用目录内，您还是应该使用403s，因为它是关于一个目录结构的客户的感受。

• By default, Apache returns 403 in this scenario. That's significant to me. They've thought about this stuff, and they made the decision to use 403.
• According to W3C, 403 means "The server understood the request, but is refusing to fulfill it." I take that to mean you should return 403 if the URL is meaningful but nonetheless forbidden.
• 403 might result in information disclosure if the client correctly guesses that the URL maps to a real directory on disk.
• http://example.com/files/ isn't a resource, and the fact that it internally maps to a directory shouldn't be relevant to the status code.
• If you interpret the URL scheme as defining a directory structure from the client's perspective, the internal implementation is still irrelevant, but perhaps the outward appearance should indeed have some bearing on the status codes. Maybe, even if you created the same URL structure without using directories internally, you should still use 403s, because it's about the client's perception of a directory structure.

在平衡，你认为什么是最好的方法？难道只说：资源是一种资源，如果它不存在，这是一个404？或者我们应该说，如果有斜线，它看起来像一个目录到客户端，因此这是一个403如果没有指标？

In the balance, what do you think is the best approach? Should we just say "a resource is a resource, and if it doesn't exist, it's a 404?" Or should we say, "if it has slashes, it looks like a directory to the client, and therefore it's a 403 if there's no index?"

如果您在403营是，你认为你应该走出自己的路，即使内部实现不使用目录返回403s？举个例子，你有这个URL动态Web应用程序： http://example.com/users/joe ，它映射到一些code，它生成乔的个人资料页。假设你不写东西，列出所有的用户，应 http://example.com/users/ 返回403？ （很多如果不是所有的web框架在这种情况下返回404）。

If you're in the 403 camp, do you think you should go out of your way to return 403s even if the internal implementation doesn't use directories? Suppose, for example, that you have a dynamic web app with this URL: http://example.com/users/joe, which maps to some code that generates the profile page for Joe. Assuming you don't write something that lists all users, should http://example.com/users/ return 403? (Many if not all web frameworks return 404 in this case.)

推荐答案

第一步回答，这是指的 RFC 2616：HTTP / 1.1 。具体谈到 403段禁止并的404未找​​到。

The first step to answering this is to refer to RFC 2616: HTTP/1.1. Specifically the sections talking about 403 Forbidden and 404 Not Found.

  
• 10.4.4 403禁止

  

服务器理解请求，但是拒绝执行它。授权不会帮助和请求不应该重复。如果请求方法不是HEAD并且服务器希望为什么要求没有得到满足，使公共的，但描述了在实体拒绝的原因。如果服务器不希望提供给客户这些信息，状态code 404（未找到）可以用来代替。

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

  
• 10.4.5 404未找​​到

  

服务器没有找到任何匹配的Request-URI。没有任何迹象表明，给出的条件是否是暂时的还是永久的。如果服务器知道应该使用410（）状态code，通过一些内部配置机制，即旧的资源是永久不可用，也没有转发地址。此状态code是常用的当服务器不希望透露究竟为什么请求被拒绝，或者在没有其他响应都是适用的。

The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

这个我间pretation是，404是更普遍的错误code，只是说：有什么也没有。 403说，有什么都没有，不要再试一次！

My interpretation of this is that 404 is the more general error code that just says "there's nothing there". 403 says "there's nothing there, don't try again!".

原因之一，可能的Apache目录上返回403没有明确的索引文件是自动索引（即，列出它的所有文件）将被禁用（a.k.a禁止）。在这种情况下，说：这列出目录中的所有文件禁止更有意义比说：没有目录。

One reason why Apache might return 403 on directories without explicit index files is that auto-indexing (i.e. listing all files in it) is disabled (a.k.a "forbidden"). In that case saying "listing all files in this directory is forbidden" makes more sense than saying "there is no directory".

这篇关于404 VS 403指数目录丢失时的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！