Hacker News

1shooner yesterday at 6:33 PM

>So I’ve decided to try a blanket ban for this site: no unauthorised query strings.

His site returns (I think incorrectly) a 414 if a request includes a query string. If this protest is meant to advocate for the user, who presumably wasn't able to manage that string in the first place, why would you penalize them for it being there?

Why not just use it as a cue to tell users how they can make this decision themselves (e.g. through browser tools)?


Replies

jampekka yesterday at 6:43 PM

"You could argue that I’m abusing 414 URI Too Long. I respond that it’s funnier this way. Other options I considered were:

    400 Bad Request, the generic client error code, which is correct but boring;

    402 Payment Required, and honestly if you want to pay me to make a particular URL with query string work, I’m open to it;

    404 Not Found, but it’s too likely to have side effects, and it doesn’t convey the idea that the request was malformed, which is what I’m going for; and

    303 See Other with no Location header, which is extremely uncommon these days but legitimate. Or at least it was in RFC 2616 (“The different URI SHOULD be given by the Location field in the response”), but it was reworded in 7231 and 9110 in a way that assumes the presence of a Location header (“… as indicated by a URI in the Location header field”), while 301, 302, 307 and 308 say “the server SHOULD generate a Location header field”. Well, I reckon See Other with no Location header is fair enough. But URI Too Long was funnier."
https://chrismorgan.info/no-query-strings?foo

bryanrasmussen yesterday at 6:42 PM

It's been years but I seem to remember there was a version of PLSQL server pages that would return 500 if you tried to pass in an unknown query string.