From: Michael Sweet <msweet@msweet.org> Sent: Wednesday, October 22, 2025 3:31 PM To: Ben Schwartz <bemasc@meta.com> ... >> B. Confirm the HTTP/1.1 parser state between requests. For example, an intermediary could inject a request like "TRACE /.well-known/barrier/$random HTTP/1.1" after each forwarded request, and check that the TRACE response is received correctly before forwarding the next request. > > Assuming that TRACE is supported end-to-end of course. The alternatives here largely depend on defining new protocol elements and upgrading both endpoints. Also, with some creativity we might be able to use another method like OPTIONS or HEAD. >> C. Document a simple profile of HTTP/2 (e.g. SETTINGS_HEADER_TABLE_SIZE=0, SETTINGS_MAX_CONCURRENT_STREAMS=1, etc.) > >... without header compression and multiple stream support, the only remaining advantage over HTTP/1.1 is keeping a connection alive after errors, so why bother adopting/implementing HTTP/2? For improved security due to unambiguous parsing! --Ben
Received on Wednesday, 22 October 2025 21:37:16 UTC