Re: non-tls http2 client has to send settings twice?

On 10 December 2013 02:05, Dan Winship <> wrote:
> So it has to send its settings twice? (Or else send a pointless empty
> SETTINGS frame the second time?)

Yep.  Pros and cons considered (at some length) this is what we came up with.

> But is it really important that the client has the ability to provide
> settings prior to receiving any frames from the server, given that the
> server doesn't have the chance to do the same (and the server probably cares
> more about not having clients spam it than the client cares about not having
> the server spam it...)?

It's less a matter of importance, and more one of pragmatism.  Servers
already deal with this stuff.  And it's not an unbounded attack;
there's a default maximum on the receive window at both the TCP and
HTTP/2.0 connection layers.

We could protect the server further, sure.  Proposals have been made
<>, but after some
fairly lengthy discussions, they aren't moving (though the issue isn't
closed either).

Received on Tuesday, 10 December 2013 18:08:10 UTC