Don't overload 404 please

Today I clicked on a Google Plus link in my email, which opened a tab in Firefox. I'm logged into Google Plus in Chrome, not Firefox. What did the link do?


It didn't tell me "You need to be logged in to see this page" and prompt me to log in. It didn't return 401 or 403. It just said "the server can't find this resource."

That's arguably wrong. The page does exist--I opened it in Chrome without a problem. So unless you're well versed in HTTP status code arcana, a 404 in this case violates the rule of least surprise and feels like a bug.

The existence of a resource at a URI does not depend on the authentication state of the user agent accessing that URI. If a resource exists but you're not allowed to view it, 404 is arguably not the right way to signify that--use 401 (which, per the HTTP spec, has to carry a WWW-Authenticate challenge, so it fits APIs better than cookie-based sites), 403 if the visitor is logged in but still not allowed, or a 302 to a login page.

Sure, you could argue a 401 or 403 tells you too much--it confirms that the page exists, which you may want to hide from unauthenticated users (the name of a private repository, for instance), and the HTTP/1.1 spec (RFC 2616) says 404 is appropriate

    [...] when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

In this case, 401 is arguably applicable, so 404 isn't right.
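To make the trade-off concrete, here is a small model of the two policies argued about above. It is an added example, not code from the original post or from Google or GitHub; the resource table, the policy names ("honest", "honest-api", "hide") and the handle() and can_enumerate() functions are all constructed for illustration. The interesting part is can_enumerate(): with the "honest" policy an unauthenticated client can tell a private page from a missing one purely by status code, which is the existence leak that motivates returning 404.

```python
"""Model of what a server returns when a request is refused, under
two policies: say why ("honest"), or hide that the resource exists ("hide").
Constructed example, not taken from any real site.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample site: path -> owner. None means the page is public.
RESOURCES: Dict[str, Optional[str]] = {
    "/posts/1": None,      # public
    "/posts/2": "alice",   # private to alice
    "/posts/3": "bob",     # private to bob
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def _denied(user: Optional[str], policy: str) -> Response:
    """Build the refusal for a resource that exists but `user` may not see.

    policy (hypothetical names):
      "honest"     - browser site with cookie login: send anonymous visitors
                     to the login form (302), tell logged-in outsiders 403.
      "honest-api" - token-authenticated API: 401 with the WWW-Authenticate
                     challenge that RFC 7235 requires, 403 for outsiders.
      "hide"       - make a refusal indistinguishable from a missing page.
    """
    if policy == "hide":
        return Response(404)
    if policy == "honest":
        if user is None:
            return Response(302, {"Location": "/login"})
        return Response(403)
    if policy == "honest-api":
        if user is None:
            return Response(401, {"WWW-Authenticate": 'Bearer realm="api"'})
        return Response(403)
    raise ValueError(f"unknown policy {policy!r}")


def handle(path: str, user: Optional[str], policy: str) -> Response:
    """Serve `path` for `user` (None = not logged in) under `policy`."""
    if path not in RESOURCES:
        # Genuinely missing: 404 is right under every policy.
        return Response(404)
    owner = RESOURCES[path]
    if owner is None or owner == user:
        return Response(200)
    return _denied(user, policy)


def can_enumerate(policy: str) -> bool:
    """The existence oracle: can an anonymous client distinguish a private
    page from a missing one by status code alone?"""
    private = handle("/posts/2", None, policy).status
    missing = handle("/posts/999", None, policy).status
    return private != missing


if __name__ == "__main__":
    for policy in ("honest", "honest-api", "hide"):
        r = handle("/posts/2", None, policy)
        print(f"{policy:10s} anon->/posts/2: {r.status} {r.headers}"
              f"  leaks existence: {can_enumerate(policy)}")
```

The model makes the author's complaint and GitHub's defence the same decision seen from two sides: "honest" is friendlier to a user who simply opened the link in the wrong browser, "hide" is the only one of the three that does not let an outsider confirm a private path exists.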

GitHub does the same thing, and does it on purpose: its API documentation says that some requests that require authentication return 404 instead of 403 precisely to avoid leaking the existence of private repositories. I hope this doesn't become a trend.
