-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: do not enable HTTP/2 extended connect by default #71128
Comments
The change looks intentional (part of #49918). cc @WeidiDeng @neild |
I doubt this is actually intentional. It will break existing websocket implementations. If anything, the feature should be optional (off by default). Browsers will start trying to open websockets using h2, and it will fail unless there is code in the server to handle those requests. |
Related Issues Related Code Changes
(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.) |
Here's a boiled down example that demonstrates the problem: https://gist.github.com/rthellend/e77264034eb761ccf32abd274792775a
|
This was added in https://go.dev/cl/610977. I'll leave it to @neild to say whether it is intentional/correct, but I also want to point out that #70728 was filed as a follow-up issue, which I've tentatively made a release blocker as well, and the CL has another comment about a potential deadlock with no issue. |
The exact proposal is here. And according to rsc, this should be on by default. To turn this flag off, #70728 is when the golang http2 client tries to use extended connect to establish a websocket connection over h2, which can only happen if user tries to use the new websocket upgrade mechanics. |
It's not clear to me that @rsc understood that this will break all websocket implementations when he said this didn't have to be opt-in.
|
### Description Disable http2 extended connect. http2 extended connect was added in x/net 0.33, and go1.24rc1. It breaks websockets. ### Type of change * [ ] New feature * [ ] Feature improvement * [ ] Bug fix * [ ] Documentation * [ ] Cleanup / refactoring * [x] Other (please explain) ### How is this change tested ? * [ ] Unit tests * [x] Manual tests (explain) * [ ] Tests are not needed ### Links to related issues golang/go#71128
### Description Disable http2 extended connect. http2 extended connect was added in x/net 0.33, and go1.24rc1. It breaks websockets. ### Type of change * [ ] New feature * [ ] Feature improvement * [ ] Bug fix * [ ] Documentation * [ ] Cleanup / refactoring * [x] Other (please explain) ### How is this change tested ? * [ ] Unit tests * [x] Manual tests (explain) * [ ] Tests are not needed ### Links to related issues golang/go#71128
To summarize: https://go-review.googlesource.com/c/net/+/610977 implements proposal #49918, adding support for HTTP/2 Extended CONNECT (RFC 8441) to x/net/http2. Extended CONNECT is a protocol extension permitting an HTTP/2 client to negotiate a protocol switch on an HTTP/2 stream. The primary (only?) use of extended CONNECT is to bootstrap the WebSocket protocol. Extended CONNECT support is negotiated while establishing an HTTP/2 connection. With this change, x/net/http2 servers now advertise support for extended CONNECT. Browsers interpret this as the server indicating support for WebSocket-over-HTTP/2. This causes problems, because WebSocket-over-HTTP/2 requires support from the server's WebSocket layer as well as the HTTP/2 layer. This indicates that, contrary to our belief, advertising extended CONNECT support is not a backwards-compatible change. We should revert the change to x/net to advertise extended CONNECT support by default, and add a mechanism by which servers can explicitly enable it. |
Change https://go.dev/cl/641475 mentions this issue: |
Browsers interpret a server advertising extended CONNECT support as indicating the server supports WebSockets-over-HTTP/2. However, WebSocket-over-HTTP/2 requires support from both the HTTP implementation and the WebSocket implementation, and existing Go WebSocket packages don't support HTTP/2. Disable extended CONNECT support by default, since advertising it is a non-backwards-compatible change. For golang/go#71128 For golang/go#49918 Change-Id: Ie7d3ee2cd48124836a00bad320752e78719ffc46 Reviewed-on: https://go-review.googlesource.com/c/net/+/641475 Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Jonathan Amsterdam <jba@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry i i'm wrong, I do not fully get the link between go versions and golang.org/x packages versioning. For those having the issue, this has been introduced in golang.org/x/net v0.32.0 , so for me the http2xconnect flag is required although I'm building with go 22 or 23... Reverting to v0.31.0 fixes that (but brings back a known vulnerability 😭). Will the backport you are referring to also be part of a golang.org/x/net next version ? Thanks! |
Change https://go.dev/cl/642606 mentions this issue: |
Go version
go version 1.24rc1
Output of
go env
in your module/workspace:What did you do?
This change, which should be autogenerated appears to have picked up an unintended change to src/net/http/h2_bundle.go
https://go-review.googlesource.com/c/go/+/631336
https://go-review.googlesource.com/c/go/+/631336/2/src/net/http/h2_bundle.go
What did you see happen?
The change to h2_bundle.go that enables the Extended Connect Protocol is undocumented.
What did you expect to see?
The change should either be documented or removed.
The text was updated successfully, but these errors were encountered: