
Why 451? - temp
https://www.mnot.net/blog/2015/12/18/451
======
jcrawfordor
I wonder about the applicability of this status code to 'friendly' blocking.
In my workplace, as in many others, we have a web proxy that blocks certain
requests for security or policy reasons. I would like it if the vendor
implemented something like this for its capture page, as it'd make it easier
to identify where requests are blocked and why in various logs. In particular,
user-agents could tell the user when a request is blocked for this reason,
which would be more robust than the HTML message it returns and would make
help-desk operations a lot easier - "this thing doesn't work and I get a
browser notice about blocking," instead of "this thing doesn't work" and then
having to dig through logs.

Just a thought about applications for this beyond the obvious (but less common
in the US) state censorship - it can be seen as a technical help for making
sure security and policy controls are clearly communicated to machines as well
as people, which makes it easier to figure out when those controls are
overbroad.

~~~
meowface
Sounds like you need to switch to a different proxy vendor. The one I'm
familiar creates a log with a specific policy deny status message, and other
information about the request to help determine why it was blocked, like the
categories it's classified under. It also provides the user with a block
message, listing the site's categories.

There's also no need for them to actually use status 451 for a feature like
that.

~~~
nothrabannosir
I think OPs point was not the proxy but the integration of the client. If your
browser gets a 451, it can (theoretically) give a better error message.

Not every resource is HTML; this would work for images, XHR, etc too.

No amount of changing proxy servers will help you with that.

------
tinalumfoil
> It is possible that certain legal authorities might wish to avoid
> transparency, and not only demand the restriction of access to certain
> resources, but also avoid disclosing that the demand was made.

Speaking of "transparency" why is the political explanation for this absent?
Are they trying to say current events and political opinions of authors didn't
play a role in this? The code number obviously wasn't chosen for purely
logical reasons.

~~~
kevinbowman
It's also possible that a site may misleadingly return 451 codes to indicate
that they've been censored when perhaps they haven't, maybe in order to
inflame a discussion or some other political maneuvering. So, not only can you
not trust that a missing 451 means no censorship, you also can't trust that a
present 451 means there is censorship.

------
nailer
Great idea but the 'Fahrenheit 451' allusion is against the HTTP spec. 400-499
is for client errors. A client requesting a resource from site that can't show
it for legal reasons is not the client's fault.

~~~
rocky1138
It could be that the client is in a location where showing it is against
censorship laws. In this case, the client is at fault.

~~~
JoshTriplett
In particular, just as the body of a 404 or 403 response can provide
information to the client about how to make the request successfully (e.g.
"did you mean one of these?" or "you need to log in", respectively), the body
of a 451 response could suggest what the client could do to make the request
successfully (e.g. "please try again from a less broken jurisdiction or over a
more secure path").

------
k_sze
Can't site operators also receive gag orders that forbid them from disclosing
that they are being censored, in which case they aren't even allowed to use
the 451 code, which defeats the purpose of the code?

~~~
btown
Yes, and from what I've gathered (IANAL), many fear that judges would not look
kindly on things that do not specifically leak "gagged" information, but go
against the spirit of gag orders (i.e. warrant canaries). The IETF's
"permission" certainly doesn't supercede state or federal governments. So in
practice this status code is cute, but it won't move the needle on reining in
state censorship any more than before.

~~~
pdkl95
Exactly - judges generally don't look kindly at "technicalities"[1] and
creative interpretations that are obviously created to work around a judicial
order.

Often, when legal issues are discussed on places like HN some people will jump
at some obvious trick to bypass the order (such as using status code 451).
There is a good chance that a judge will simply say you knew the gag order
forbid you from telling anyone you have a gag order, sending code 451
explicitly tells people about the gag order, so enjoy your contempt of court
penalties.

The traditional warrant canaries are a genius work around as it relies upon
the person potentially being gaged actively taking an action (it's a dead-man
trigger). In theory, it's a lot harder to make someone lie and forge new
warrant canaries as part of a gag order. Following the order and doing nothing
sends the message.

There is a time and place for challenging or evading legal requirements, but
it's a dangerous game to play and only with good legal advice.

[1] One exception might be _legal_ technicalities where you can show
precedent. It will probably still piss off the judge, but there is at least
reasonable chance of such a technicality-based argument will work. As usual,
YMMV, see a real lawyer.

------
edent
You can read the original HN discussion from 2012 at
[https://news.ycombinator.com/item?id=4099751](https://news.ycombinator.com/item?id=4099751)

(I had a small hand in creating this RFC.)

------
kijin
I'd love to see a Firefox add-on or Chrome extension that automatically
reissues the request through a proxy (such as Tor) if the response code is
451. Change proxies and repeat until a non-451 response is received.

This probably won't work in China, but it could be useful in countries with
only mild censorship, such as "right to be forgotten", porn filters, and
region-locked content.

------
unethical_ban
4xx errors are supposed to be client-side errors. 5xx is server-side. The
purpose of the code doesn't match the spec.

------
Theodores
Imagine a company breaks a relationship with a supplier, to then banish
reference of the former supplier from the website - on strict orders from the
supplier. Just to show them that orders have been followed I could set the
offending pages to return 451, as an in joke rather than 301 to the home page
(or even 404 which would mean they stay longer in the search results, hence
301).

Due to idiots like myself I think that signal to noise on this could be high.
In other circumstances, and 'for a laugh' I could make some expired pages
return 451 just to bring the novelty value of this new status code to a
colleague, then forget about it and leave some URLs out there in cyberspace,
forgotten about but returning 451.

Then this censorship crawler comes along, finds we have 451s for some internal
joke reason (and maybe a former supplier) to not get the joke (as it is only a
bot). Would the bot's owner then add an uptick in the censorship 'figures'?

------
iamandoni
I don't understand why there is a controversy at all here. This seems to at
least have a logical use case, which is more than we can say for status code
418
([https://tools.ietf.org/html/rfc2324](https://tools.ietf.org/html/rfc2324))

~~~
drivingmenuts
418 is a historical joke, so it doesn't really need a logical use case
(ideally, it should be handle the way joke PEPs are handled).

451 is a technical "solution" to a political problem - you can toss logic and
reason right out the window due to politics.

------
miander
I wonder if China will be one of the jurisdictions to forbid the use of this
status code?

------
throwaway_xx9
I like the idea of a legal response code, but is just one granular enough?

Likely there should be:

* censorship * rights * private * right to be forgotten * geo-limited.

~~~
dragonwriter
I think one response code is sufficient (more specific explanation of the
problem is an appropriate use for the response body.)

------
bsamuels
the body section of the article is blank on chrome 47, even highlighting the
text doesn't render it

------
cport1
Link isn't working for me anymore?

~~~
mnot
Sorry about that, the parent Apache process SEGV'd (running the experimental
mod_http2). Should be back up now, having fun with the coredump now.

~~~
voltagex_
I'd definitely read a writeup of debugging Apache2.

------
recuperandoaccs
Oi

