(I have just omitted various RFC references because “Sorry, new users can only put 2 links in a post.”)
Yes, that was to be the problem. DAVdroid did not send all cookies, but only some of them.
However, where do specs say that a 503 response is “standard-compliant behavior”? RFC 7231 6.6.4 says:
So, 503 doesn’t seem appropriate. If the behavior of enforcing cookies for stateless WebDAV is really intended (which I find strange), 403 + a textual explanation would be appropriate in my opinion:
Also, the whole cookie-forcing behavior seems quite strange to me:
- It seems to be consensus that CalDAV/CardDAV is not stateful (except when defined so, like for locking operations) and clients don’t have to support cookies.
- So we only have to look at the case where cookies are basically supported. In this case, Nextcloud insists on all cookies being sent and refuses requests with 503 if not all cookies are sent. However, RFC 6265 makes quite clear that it’s up to the User-Agent which cookies are stored and which are not. For instance, you might think of a user/browser plugin which blocks certain cookies by name (but not all cookies).
So, in my opinion:
- Cookie support should not be required by Nextcloud CalDAV/CardDAV.
- It can’t be expected that a client accepts and serves all cookies, so cookies should only be used for optional tasks (like Horde uses a session cookie for grouping requests to one “sync session”).
- If Nextcloud does expect clients to accept and serve all cookies, requests should not be refused with 503, but with 403 plus a textual explanation of what went wrong.