W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2015

Invalid HTTP2 preface handling?

From: Greg Wilkins <gregw@intalio.com>
Date: Wed, 11 Feb 2015 10:48:51 +1100
Message-ID: <CAH_y2NE5Sa625XEec5WXJ7LdjK+h1b4M=Fc-_iGj2ZQKa1q_jg@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Section 3.5 says:

   Clients and servers MUST treat an invalid connection preface as a
   connection error (Section 5.4.1
<http://tools.ietf.org/html/draft-ietf-httpbis-http2-16#section-5.4.1>)
of type PROTOCOL_ERROR.  A GOAWAY
   frame (Section 6.8
<http://tools.ietf.org/html/draft-ietf-httpbis-http2-16#section-6.8>)
MAY be omitted in this case, since an invalid
   preface indicates that the peer is not using HTTP/2.

I'm wondering what would be the problem if on an invalid preface, the
server check if it is actually a valid HTTP/1 request and if so, then to
proceed on that basis?     This would allow a server to converse a HTTP/1
client that is pointed at a HTTP/2 port - it could be application specific
if that conversation was an error message or just a normal HTTP/1
conversation.

Is there some attack we would be enabling if we allowed such behaviour in
our server?  Anything else undesirable about doing this?

regards


-- 
Greg Wilkins <gregw@intalio.com>  @  Webtide - *an Intalio subsidiary*
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.
Received on Tuesday, 10 February 2015 23:49:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:43 UTC