CGI returns OK for 403

Question

I wrote a simple script to serve custom HTTP error 403 page and I use the following code:

use CGI qw/:standard/;

print header(
  '-Status'        => 403,
  '-Type'          => 'text/html; charset=utf-8',
  '-Cache-Control' => 'private, no-cache, no-store, must-revalidate, max-age=0',
  '-Pragma'        => 'no-cache');

...

print $html;

I expected system to return Forbidden status text automatically in HTTP header.

Unfortunately it returns 403 OK instead of 403 Forbidden. Text phrase is more likely added by browser.

Sure, I can explicitly add the status text using '-Status' => '403 Forbidden', but I would still like to know why isn't this done automatically, and why I am getting OK status instead...

Is there a way to force Perl to add default (English) status text for selected response code?

Answer 1

Chrome is the culprit here. You can verify by running your snippet on the command line, which outputs the following headers:

Status: 403
Pragma: no-cache
Cache-control: private, no-cache, no-store, must-revalidate, max-age=0
Content-Type: text/html; charset=utf-8

Notice the status is plain-old 403.

CGI.pm does not know about the reason phrases recommended by the HTTP spec. Nor should it: they are merely recommendations (not defaults), and you can change them to whatever you want without affecting the protocol (403 Go away anyone?). According to the standard, clients are not required to even look at the reason phrase.

So no, unless you modify CGI.pm, there is no way to force Perl to add a reason phrase. Even if you do provide a reason phrase, browsers can do what they wish with them (although most browsers will probably behave sanely).