Just a thought about applications for this beyond the obvious (but less common in the US) state censorship - it can be seen as a technical help for making sure security and policy controls are clearly communicated to machines as well as people, which makes it easier to figure out when those controls are overbroad.
There's also no need for them to actually use status 451 for a feature like that.
Not every resource is HTML; this would work for images, XHR, etc. too.
No amount of changing proxy servers will help you with that.
Speaking of "transparency", why is the political explanation for this absent? Are they trying to say current events and political opinions of authors didn't play a role in this? The code number obviously wasn't chosen for purely logical reasons.
In other words, the error has to do with the client’s request but it's not necessarily the client’s fault. For a similar example see the response code “410 Gone”:
The IETF's HTML RFC generator makes really nice documents.
FWIW, the RFC Editor is working on modernising the RFC format -- we'll even have non-ASCII characters soon!
The IETF generator links to plain-text and PDF versions of the RFC, diffs between the current version and previous versions of the document, errata applicable to the RFC, and uses a fixed-width font. These are all nice properties.
So. I'm glad that you're not in charge of the IETF's HTML RFC output. :)
5xx means that the client can, because there's a chance repeating the request will succeed. 4xx means the client shouldn't, because it needs to change in some fashion before it will work.
This is so that clients that don't understand a specific status code can fall back to the more generic x00 code and still behave sensibly.
This is because censorship is almost never global—instead, it's because something about your request (often, your country of origin) forbids you from receiving it.
In that context, 451 makes perfect sense.
"We can't serve you this because our jurisdiction forbids it" seems likely to arise more often.
That said, I also don't think the 4xx/5xx distinction matters as much here as the evocative implication of using 451 specifically.
Uh, it happens all the time. In fact, it's by far the most frequent kind of censorship.
Most major web services are based in a country with relatively lax censorship laws but still comply with censorship laws in other jurisdictions.
What is a good use case for HTTP 451 then?
Rarely does the calculus favor getting your entire site blocked because you refuse to censor one piece of content. At least by serving HTTP 451 you could also potentially offer suggestions like using Tor.
I really dislike it when, e.g., Ruby HTTP client libraries treat any non 2xx-3xx response as an exception.
If I'm wrong about this usage, like, say I have a REST endpoint that, when the client doesn't send bad data, but a request fails for some reason (upstream service rejected request), what kind of code is my endpoint supposed to return?
(I would say 4xx, and leave it at that, getting rid of the "client" part of "client error", and leaving 5xx for something like ISE, fatal error "maybe ain't your fault, or at all under your control, client-man!" But I'm happy to learn more.)
> In some jurisdictions, I suspect that censorious governments will disallow the use of 451, to hide what they're doing. We can't stop that (of course), but if your government does that, it sends a strong message to you as a citizen about what their intent is. That's worth knowing about, I think.
Often, when legal issues are discussed on places like HN, some people will jump at some obvious trick to bypass the order (such as using status code 451). There is a good chance that a judge will simply say you knew the gag order forbade you from telling anyone you have a gag order, sending code 451 explicitly tells people about the gag order, so enjoy your contempt of court penalties.
The traditional warrant canaries are a genius workaround as it relies upon the person potentially being gagged actively taking an action (it's a dead-man trigger). In theory, it's a lot harder to make someone lie and forge new warrant canaries as part of a gag order. Following the order and doing nothing sends the message.
There is a time and place for challenging or evading legal requirements, but it's a dangerous game to play and only with good legal advice.
One exception might be legal technicalities where you can show precedent. It will probably still piss off the judge, but there is at least a reasonable chance that such a technicality-based argument will work. As usual, YMMV, see a real lawyer.
Let's say /admin/ is a directory that exists on the site, but I am not authorized to access it. So the site returns a 403 or, if you are sneaky and don't want to reveal the existence of /admin/ to unauthorized users, you configured the server to return 404.
Go ahead and send a GET request for just /admin without the trailing slash. Assuming there isn't actually a file named "admin" and admin is actually a directory, by default most versions of Apache/IIS will return a 302 redirect to /admin/. This reveals the existence of the directory, regardless of what status code you get when fetching /admin/.
I'm not sure exactly why web servers behave this way. My educated guess is that when Apache/IIS service the request, they see the named entity is actually a directory, so there is no content to return. So they redirect you into the directory, so that either the directory contents can be displayed, or a default document can be sent instead.
Years ago, I worked on a web brute forcer which used this method to detect the existence of directories. The advantage is slightly more limited now with the rise of MVC where the entire path of a URL doesn't directly map to a file system path.
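A way to audit your own server for the inconsistency the comment above describes, as an added example that is not part of the original thread: it compares the response for each hidden directory with the response for the same path without the trailing slash. The `fetch` callable, the finding labels and the response table are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed responses for a hypothetical server: path -> (status, Location).
SAMPLE = {
    "/admin/":  (404, None),       # directory hidden behind a 404
    "/admin":   (302, "/admin/"),  # slash redirect still confirms it exists
    "/backup/": (403, None),       # existence openly admitted with 403
    "/backup":  (301, "http://example.test/backup/"),
    "/nope/":   (404, None),       # really absent
    "/nope":    (404, None),
    "/login/":  (404, None),
    "/login":   (302, "/signin"),  # ordinary redirect, not a slash redirect
}

def is_slash_redirect(path, status, location):
    """True when the response redirects `path` to the same path plus '/'."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    return urlsplit(location).path == path + "/"

def audit(fetch, directories):
    """Return {directory: finding} for directory paths ending in '/'.

    fetch(path) -> (status, location). Findings:
      'leak'       - slash form answers 404 but the bare form redirects to it
      'consistent' - bare form reveals nothing beyond the slash form
      'visible'    - slash form already admits existence (e.g. 403)
    """
    findings = {}
    for d in directories:
        bare = d.rstrip("/")
        slash_status, _ = fetch(d)
        bare_status, bare_loc = fetch(bare)
        if slash_status != 404:
            findings[d] = "visible"
        elif is_slash_redirect(bare, bare_status, bare_loc):
            findings[d] = "leak"
        else:
            findings[d] = "consistent"
    return findings

def sample_fetch(path):
    """Stand-in for an HTTP client that does not follow redirects."""
    return SAMPLE[path]

if __name__ == "__main__":
    dirs = ["/admin/", "/backup/", "/nope/", "/login/"]
    for d, finding in audit(sample_fetch, dirs).items():
        print(d, finding)
```

A `leak` finding means the 404 on the slash form hides nothing until the bare path is handled the same way.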
In neither case is 404 or 451 pointless just because 403 is sometimes used to restrict access to that information.
(I had a small hand in creating this RFC.)
This probably won't work in China, but it could be useful in countries with only mild censorship, such as "right to be forgotten", porn filters, and region-locked content.
Due to idiots like myself I think that signal to noise on this could be high. In other circumstances, and 'for a laugh' I could make some expired pages return 451 just to bring the novelty value of this new status code to a colleague, then forget about it and leave some URLs out there in cyberspace, forgotten about but returning 451.
Then this censorship crawler comes along, finds we have 451s for some internal joke reason (and maybe a former supplier) to not get the joke (as it is only a bot). Would the bot's owner then add an uptick in the censorship 'figures'?
451 is a technical "solution" to a political problem - you can toss logic and reason right out the window due to politics.
Likely there should be:
* right to be forgotten