Question about RFC7540 (HTTP/2) section 10.5.1

Hello

I am a developer of this HTML5 game upload site: https://game.nicovideo.jp/atsumaru/
I have some questions about RFC 7540 section 10.5.1.
Why "CAN" a server send an HTTP 431 status code when it receives a larger header block (not "MUST")?

In an HTTP/1.1 connection, the server MUST respond with a 4xx status code when it receives a larger header (RFC 7230).
So, if a user accesses a site that can upload any JavaScript code and gets large cookies, then we can send a customized HTTP 4xx response which contains cookie-erasing code.
But in HTTP/2, the server does not need to send an HTTP 431 response, so we will not have a chance to erase the cookies.

In the actual implementation, nginx terminates the HTTP/2 session with an ENHANCE_YOUR_CALM error without any HTTP response, so Chrome displays "cannot connect to server".
So we cannot send a response which contains cookie-erasing code to a user who plays a game that contains a "cookie bomb".

So, we have two questions.
First question: why was the text changed from "CAN" to "MUST" when receiving large cookies (headers)?
Second question: is this problem an implementation issue or a specification problem?

Sincerely,

Kazuki Yasufuku

-- 
*******************************************

Kazuki Yasufuku

Software Engineer, UGC game platform section

DWANGO Co., Ltd.
E-MAIL: kazuki_yasufuku@dwango.co.jp
*******************************************

Received on Friday, 6 April 2018 14:15:22 UTC
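The HTTP/1.1 recovery path the message describes, as an added example that is not part of the original post and not code from the poster's site: an origin that detects an oversized request header block answers with a 431 whose Set-Cookie headers expire every cookie it can see, and whose body carries a script that clears the rest from the client side. It is written as pure functions over a parsed request object so it runs without a network; the 8 KiB limit, the `{path, headers}` request shape and the function names are assumptions for the example.

```javascript
// Added example, not code from the original post or from the poster's site:
// turning an oversized request header block into a 431 response that also
// expires the cookies that caused it. Pure functions over a parsed request
// object, so it runs without a network. The byte limit and request shape
// are assumptions for the example.

const MAX_HEADER_BYTES = 8 * 1024; // assumed limit, matching a typical 8k header buffer

// Size of the request header block as it appears on the wire: one
// "name: value\r\n" line per field. `headers` is a plain object with
// lower-case names, like Node's `req.headers` (array values for repeats).
function headerBlockSize(headers) {
  let size = 0;
  for (const [name, value] of Object.entries(headers)) {
    for (const v of Array.isArray(value) ? value : [value]) {
      size += Buffer.byteLength(`${name}: ${v}\r\n`);
    }
  }
  return size;
}

// Distinct cookie names in a Cookie header, in order of first appearance.
// Tolerates sloppy input (empty pairs, pairs without '=') rather than
// throwing, because the whole point is that the header is hostile.
function cookieNames(cookieHeader) {
  const names = new Set();
  for (const pair of (cookieHeader || '').split(';')) {
    const eq = pair.indexOf('=');
    const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
    if (name) names.add(name);
  }
  return [...names];
}

// Set-Cookie value that expires `name` for `path`. Deletion only takes effect
// when name, path and domain all match the cookie being removed.
function expireCookie(name, path) {
  return `${name}=; Path=${path}; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0`;
}

// Every ancestor path of `pathname`, root first:
// '/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']. A bomb may have used any of them.
function ancestorPaths(pathname) {
  const paths = ['/'];
  const segments = pathname.split('/').filter(Boolean);
  for (let i = 1; i <= segments.length; i++) paths.push('/' + segments.slice(0, i).join('/'));
  return paths;
}

// Inline script for the 431 body. The Set-Cookie headers cover the paths the
// server can guess; this runs in the page's own origin, also tries a Domain
// variant, and reloads once only if the cookies really are gone (no loop).
function eraseCookieScript() {
  return `(function () {
  var names = document.cookie.split(';').map(function (p) { return p.split('=')[0].trim(); });
  var paths = ['/'], segs = location.pathname.split('/').filter(Boolean);
  for (var i = 1; i <= segs.length; i++) paths.push('/' + segs.slice(0, i).join('/'));
  var domains = ['', '; Domain=' + location.hostname];
  names.forEach(function (name) {
    if (!name) return;
    paths.forEach(function (path) {
      domains.forEach(function (domain) {
        document.cookie = name + '=; Path=' + path + domain + '; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0';
      });
    });
  });
  if (document.cookie === '') location.reload();
})();`;
}

// Build the 431 response for a parsed request {path, headers}, or return
// null when the header block is within `limit` and normal handling proceeds.
function respondToLargeHeaders(request, limit = MAX_HEADER_BYTES) {
  const size = headerBlockSize(request.headers);
  if (size <= limit) return null;
  const setCookie = [];
  for (const name of cookieNames(request.headers.cookie)) {
    for (const path of ancestorPaths(request.path)) setCookie.push(expireCookie(name, path));
  }
  return {
    status: 431,
    headers: {
      'content-type': 'text/html; charset=utf-8',
      'cache-control': 'no-store',
      connection: 'close',
      'set-cookie': setCookie,
    },
    body: '<!doctype html><title>431 Request Header Fields Too Large</title>' +
      `<p>Your request headers were ${size} bytes; clearing this site's cookies.</p>` +
      `<script>${eraseCookieScript()}</script>`,
  };
}

module.exports = { MAX_HEADER_BYTES, headerBlockSize, cookieNames, expireCookie, ancestorPaths, respondToLargeHeaders };
```

To use it in a Node HTTP/1.1 handler, call `respondToLargeHeaders({ path: req.url, headers: req.headers })` first and, if it returns a response, write it with `res.writeHead(r.status, r.headers)` and `res.end(r.body)`. The caveat is the one the message raises: this code only runs if every layer in front of it hands the request over. Node's own parser rejects header blocks above its `maxHeaderSize` before the handler is called, and a reverse proxy or an HTTP/2 endpoint that tears the connection down (as the post reports nginx doing with ENHANCE_YOUR_CALM) never delivers the request at all, so the limit used here must be lower than every limit in front of it.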