-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
h2spec http2/8 tests should accept 400 Bad Request #120
Comments
The following works for me to allow 400 Bad Request in
|
I think not sending a RST_STREAM/GOAWAY is incorrect, unfortunately. Based on:
and
and from § 5.4.2:
This implies that:
|
As I mentioned in #126 (comment), I think the way h2spec reports the last seen frame is a little misleading sometimes. It's not that the HEADERS/DATA frames are always invalid, it's that it never saw the frame it expected to. |
@KingMob I think you cut the RFC quote short, skipping relevant information.
is part of the paragraph which starts with "Intermediaries" and is instructions for intermediaries
As I wrote in the original post:
|
I considered that for a few minutes, because it's a little unclear. But there's a few reasons I think servers are required to do more than send a response. First, the preceding sentence mentions intermediaries, but "Malformed requests or responses that are detected MUST be treated as a stream error (Section 5.4.2) of type PROTOCOL_ERROR" itself does not. Second, the next sentence says "For malformed requests, a server MAY send an HTTP response prior to closing or resetting the stream", which implies that the server will in fact, be "closing or resetting the stream." It doesn't seem optional. Finally, not sending a RST_STREAM (or GOAWAY) would conflict with the part of §5.4.2 I quoted above:
Now this isn't perfectly clear, either. There's no MUST, but otherwise, it does say that an endpoint that detects a stream error will be sending a RST_STREAM (or a GOAWAY, since that's always allowed by §5.4.1) Most of the language points to expectations that RST_STREAM/GOAWAY is expected, and a response is optional, but only if followed by a RST_STREAM/GOAWAY, so that's what I'm going with. But you know, why argue, when we can ask the authors? I'll email them and see what they say. |
Sure, please ask for clarification. And thank you for referencing the newer RFC 9113.
That sentence was in RFC 7540, too. Please note it says "... prior to closing or resetting the stream." Sending an HTTP response and closing the stream does not result in RST_STREAM; resetting the stream would result in RST_STREAM. Herein lies the difference. As a web server developer, I would prefer to send 400 Bad Request and close the stream so that the client knows it received a complete HTTP response, rather than resetting the stream, in which case the client did not necessarily receive a complete HTTP response. 400 Bad Request is (slightly) more precise than RST_STREAM with the (more generic) PROTOCOL_ERROR. |
The HTTP Working Group weighed in, and surprisingly (at least to me), there was no consensus. Even the people who disagreed with Glenn's interpretation agreed it was defensible from the RFC as written, so I'm onboard with this issue, though I'll personally be going with the suggestion to follow a response with a RST_STREAM for Aleph. |
(Thank you very much for h2spec!)
h2spec http2/8
tests should accept 400 Bad Request in addition to accepting RST_STREAM or GOAWAY.My server responds with 400 Bad Request, and
h2spec http2/8
tests fail withRFC 7540 Section 8.1.2.6. Malformed Requests and Responses
While intermediates must send PROTOCOL_ERROR, origin servers may send a response, e.g. 400 Bad Request which tells the client "do not retry this request unmodified", instead of the generic HTTP/2 error PROTOCOL_ERROR which is less precise.
Please allow 400 Bad Request as a valid response.
(If you agree, please post so and I might learn some golang and submit a PR. :))
The text was updated successfully, but these errors were encountered: