I am evaluating the Tweet Button share URL
(http://twitter.com/share?url=...) for usage on mobile phones. When
opening the URL on a Nokia N95 while passing some value for the url
parameter, I am presented with a Basic authentication login (NOT the
Twitter web login). I checked what might be the reason by tracing the
HTTP requests and responses passed between a (desktop) browser and the
Twitter service when opening the same URL and noticed the following:

- When passing no url parameter (or one with an empty value), the
  service returns HTTP status code 403, but returns HTML content
  nevertheless.
- When passing a non-empty url parameter value, the service returns
  HTTP status code 401, but returns HTML content nevertheless (and
  does not return the mandatory WWW-Authenticate challenge header).

While the 403 is ignored and the content (i.e. the "invalid URL"
message) is displayed correctly on both desktop and mobile browsers,
the mobile browser on the Nokia N95 reacts to the 401 by presenting a
Basic authentication login. Of course, there is no way to pass this
challenge successfully. So the question is: why are these HTTP status
codes returned at all, rather than a 200 OK?
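
The behaviour described in the post can be checked mechanically. The following is an added example, not part of the original post: it parses raw HTTP responses and flags a 401 (or 407) that lacks the challenge header RFC 7235 requires, and an error status that still carries an HTML page. The sample responses are constructed for illustration, not captured from Twitter, and the names `parse_response`, `audit` and `SAMPLES` are hypothetical.

```python
from email.parser import BytesParser

# RFC 7235: a response with these statuses must carry the named challenge header.
REQUIRED_CHALLENGE = {401: "WWW-Authenticate", 407: "Proxy-Authenticate"}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    return int(parts[1]), headers, body

def audit(raw: bytes):
    """Return a list of findings for one response; an empty list means none."""
    status, headers, body = parse_response(raw)
    findings = []
    needed = REQUIRED_CHALLENGE.get(status)
    # A present but empty header is as useless to the client as a missing one.
    if needed and not any(v.strip() for v in headers.get_all(needed, [])):
        findings.append(f"{status} without {needed}: client gets no usable challenge")
    is_html = "html" in headers.get("Content-Type", "").lower()
    if status >= 400 and is_html and body.strip():
        findings.append(f"{status} carries an HTML page: clients acting on the status may never render it")
    return findings

# Constructed samples modelled on the cases in the post, plus two well-formed ones.
HTML = b"Content-Type: text/html\r\n\r\n<html><body>page</body></html>"
SAMPLES = {
    "401_no_challenge": b"HTTP/1.1 401 Unauthorized\r\n" + HTML,
    "403_with_page": b"HTTP/1.1 403 Forbidden\r\n" + HTML,
    "401_with_challenge": b"HTTP/1.1 401 Unauthorized\r\n"
                          b'WWW-Authenticate: Basic realm="example"\r\n'
                          b"Content-Length: 0\r\n\r\n",
    "200_ok": b"HTTP/1.1 200 OK\r\n" + HTML,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit(raw) or "ok")
```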