Geek Answers Handbook

Should I use HTTP 4xx to indicate HTML form errors?

I spent 20 minutes debugging some (django) unit tests. I tested the POST of the view, and I was expecting a return code of 302, after which I claimed that the database entity clots were just as expected. It turns out that the recently merged commit added a new form field, and my tests were unsuccessful because I did not include the correct form data.

The problem is that the tests did not run because the HTTP return code was 200, not 302, and I could only solve the problem by printing an HTTP response and viewing it. Besides the annoyance of having to view HTML to solve the problem, 200 seems to be the wrong code for POST that is not being processed. A 4xx error (client error) seems more appropriate. Also, this would lead to debugging the cinch test, as the response code would point me directly to the problem.

I read about using 422 (Unprocessable Entity) as a possible return code in the REST API, but I can not find any evidence of its use in HTML representations / handlers.

My question is: does anyone else do this, and if not, why not?

[ UPDATE 1 ]

Just to clarify, this question is about HTML forms, not the API.

This is also a question about HTTP response codes per se - not Django. This is what I use. I removed the django tag.

[ UPDATE 2 ]

Some further explanation with W3C links ( http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html ):

10.2 Successful 2xx

This class of status code indicates that the client request has been successfully accepted, understood, and accepted.

10.4 4xx Client Error

The 4xx class code class is designed for cases where the client seems to be wrong.

10.4.1 400 Bad request

The request could not be understood by the server due to incorrect syntax.

And from https://tools.ietf.org/html/rfc4918#page-78

11.2. 422 Unprocess entity

Status code 422 (raw entity) means the server understands the content type of the request object (therefore, 415 (Unsupported media type) is not suitable), and the syntax of the request object is correct (thus, 400 (failed request) status code is not suitable), but not I was able to process the contained instructions. For example, this error condition may occur if the XML body of the request contains well-formed (that is, syntactically correct) but semantically erroneous XML instructions.

[ UPDATE 3 ]

Delving into this, 422 is an extension of WebDAV [1], which may explain its ambiguity. However, since Twitter uses 420 for its own purposes, I think I will do whatever I want. But it will start at 4.

[ UPDATE 4 ]

Notes on using custom response codes and how to process them (if they are not recognized) are from the HTTP 1.1 specification ( http://tools.ietf.org/html/rfc2616#section-6.1.1 ):

HTTP status codes are extensible. HTTP applications are not required to understand the meaning of all registered status codes, although such an understanding is obviously desirable. However, applications MUST understand the class of any status code, as indicated in the first digit, and consider any unrecognized answer as equivalent to x00 of this class, except that the unrecognized answer MUST NOT be cached. For example, if the unrecognized status code 431 is accepted by the client, he can safely assume that there was something wrong with his request as if he received the status code 400. In such cases, user agents MUST provide the user with an object that was returned with an answer, as this organization is likely to read information that will explain unusual status.

[1] https://tools.ietf.org/html/rfc4918

+6
source share
4 answers

You are right that 200 is wrong if the result is not successful.

I also argue that a page with success redirecting to the result should be 303, not 302.

4xx is correct for client error. 422 seems correct to me. In any case, do not invent new 4xx codes without registering them through IANA.

+1
source

It seems that an acceptable answer has not been accepted, which, frankly, is a bit surprising. Form validation is such a cornerstone of web development that the fact that there is no response code to illustrate the validation error seems like a missed opportunity. This is especially true for the spread of automated testing. It seems inappropriate to test the response by examining the HTML content for the error message, rather than just testing the response code.

I adhere to my statement on the question that 200 is the wrong response code for a request that does not comply with business rules, and that 302 is also inappropriate. (If the form fails verification, then it should not update any state on the server, therefore it is idempotent, and there is no need to use the PRG template so that users cannot resubmit the form.)

So, given that there is no β€œapproved” method, I am currently testing (literally) my own - 421. I will report if we encounter problems using non-standard HTTP status codes.

If there are no updates, we use it in the production process, it works, and you can do the same.

+1
source

Obviously, some POST requests of the form should lead to an HTTP 4xx error (for example, an incorrect URL, the absence of an expected field, inability to send a cookie), but erroneous passwords or accidental exclusion of required fields are extremely common and are expected in the application.

It is not clear from any specification that every form cancellation problem should be an HTTP error.

I assume that my intuition is that if the server sends the form to the client and the client promptly responds with a correctly formed POST request to this form with all the expected fields, the usual business logic violation should not be an HTTP error.

The situation seems even less certain if the client side of the script uses HTTP as a transport mechanism. For instance. if JSON-RPC requests send form details, the server-side function is called successfully and the response returned to the caller seems to be successful 200.

Anecdotal: logging in with bad credentials yields 200 from Facebook, Google and Wikipedia and 204 from Amazon.

Ideally, the IETF will clear this with the help of the RFC, perhaps add an HTTP error code so that "the operation is not completed due to form invalidation failure" or extends the definition of 422 to cover this.

0
source

POST returns 200 if you are not redirecting. 302 is not sent automatically in the headers after the POST request, so you need to send the header ( https://docs.djangoproject.com/en/dev/ref/request-response/#django.http.HttpResponse ) manually, and the code will not be transmitted according to the form.

The reason for redirecting back to the form (or something else) with code 302 is to prevent the browser from re-sending data again when updating or viewing the history.

-1
source

More articles:


All Articles