1

I was inspecting some of the HTTP exchanges between my browser and Google and it triggered this question.

In short, my browser (Firefox 36.0.4) is making HTTP/1.1 requests and Google is responding with HTTP/2.0; there is no attempt to respond in the requested protocol. I am aware that much of the HTTP/2.0 spec has already been implemented in a haphazard way through SPDY, but this seems like a poor negotiation with the client.

I thought that the purpose of declaring protocols in the header was that a server would be able to determine how it should respond to the client, which is in one of three ways:

1. the client has requested the server's preferred protocol, so the server continues with the request as normal

2. The client has requested another protocol version that the server supports, the server responds in the request protocol but includes an upgrade header indicating its preferred protocol. The client MAY request an upgrade at which point the server will send a 101 Switching Protocols response and switch to the preferred protocol.

3. The client has requested an unsupported or outdated protocol, the server sends a 426 Upgrade Required response with supported protocols (in descending order of preference) in the upgrade header; the client must repeat the request with a supported protocol.

4. The client requested a major protocol version that is wholly unsupported; e.g. HTTP/2.x while the server only supports HTTP/1.x. The server responds with 505 HTTP Version Not Supported.

The exchange with Google is not doing this; is this poor practice or am I missing something?

An example, selected at random:

https://plus.google.com/u/0/_/notifications/frame?querystring=blahblahblah

GET /u/0/_/notifications/frame?querystring=blahblahblah HTTP/1.1
Host: plus.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.google.co.uk/?gfe_rd=cr&ei=Lc8bVcXFOKbj8we_uIKYDg&gws_rd=ssl
Cookie: NID=67=iZxcMVTvg-6PsQIUpZ5tSPL-7-uJdls3vdci3afLmoLCpD5JOq0NfzhTnnpcCW9ymbXsn3GRGxfSgYlXGEk9XmnbUne0LCPrUc_ahhpc5wV6n-GZ8F7s-JS-JWgZWEwri-GaWXK1vgyRw7jMbqEiAUSRCzs1Fr1K6ZUIH0EpJdlwZD-K26MJNazpyHL_vZ5k4m8NrtFDkAoYPw; OTZ=2759671_52_56_123900_52_436380; SID=DQAAAP0AAAAqKgGz5aFNESd464Z_jUsmTi7JQfEKsuWkGZVJe8QvdbOPTZpL5ZNjKSsSSg9QvJglP-aMNLrgn2b7MsDF_4Z7Ebe1X347Cd3-j3ktLedgmq9nRO92hxEseqf974VNumrst-XqMj9Oq_xf-KDz-CDEJ1XiqWZYVHurV-IrXib5ei7x9dqlLF2NSPYLaCxlrwKdjCQX-FDDB03FWEuE7dIMYs3BQ-_NU5fG9os6I6r6ABy9mkiy84rraZFVthd38VJF5z2WYmgQ55QJPr9EDpSA5VKH1tbW6XyLjZLt5EEEj1xoqRF4EguRkIOiG8IiqRs49GnwqQSCpTw3ROW-jNDI; HSID=A7u8vyQI-v7jJSEbS; SSID=AOojY4hDLYgnSjUrK; APISID=z23KH1a0VsBukvMu/ARaOeOni08HfbGg6R; SAPISID=5iTgyxKDRPP7fNtF/AdiFbKNYN04h7n6cu; PREF=ID=cc54787f58f50d42:U=8e10581450dbe3b5:FF=0:LD=en:TM=1416091562:LM=1418086819:GM=1:S=0KVfl2hqkG8Psvwv; OGP=-5061451:-5061492:; OGPC=4061155-1:
Connection: keep-alive

HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private, max-age=0
content-security-policy-report-only: script-src 'unsafe-inline' 'unsafe-eval' 'self' https://*.googleapis.com https://*.gstatic.com https://apis.google.com https://www.google-analytics.com https://www.googletagmanager.com https://*.talkgadget.google.com https://pagead2.googleadservices.com https://pagead2.googlesyndication.com https://tpc.googlesyndication.com https://s.ytimg.com https://www.youtube.com https://clients1.google.com https://www.google.com;report-uri /_/cspreport/es_oz_20150330.18_p0
Content-Type: text/html; charset=utf-8
Date: Wed, 01 Apr 2015 10:57:55 GMT
Expires: Wed, 01 Apr 2015 10:57:55 GMT
Server: GSE
x-content-type-options: nosniff
x-ua-compatible: IE=edge, chrome=1
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15
4
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User, Web Applications Stack Exchange or Unix & Linux Stack Exchange would be a better place to ask. Commented Apr 1, 2015 at 10:51
  • Can you show an example request/response pair that shows the behavior you describe? Commented Apr 1, 2015 at 10:52
  • @jww It is about programming and development; it's about how to implement HTTP. If you would rather it be asked elsewhere though, who am I to argue? Commented Apr 1, 2015 at 10:59
  • @CodeCaster I've added an example exchange to my question Commented Apr 1, 2015 at 11:06

2 Answers

1

This is a https request. The client announced the support for HTTP/2.0 with the ALPN (formerly NPN) extension in the SSL handshake. Therefore the server knows that the client can do HTTP/2.0. If this extension is not given the server is not allowed to reply with a higher major HTTP version compared to the client request.


1 Comment

Aaahh it all makes sense now; Google is right and all is well. Thank you.
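
The ALPN offer that the first answer refers to, as an added example that is not part of the original thread: it parses the ALPN extension (RFC 7301 wire format) out of a TLS extensions block and applies server-preference selection. The function names and the sample bytes are constructed for illustration; only the `h2-15` token comes from the response headers in the question.

```python
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation (RFC 7301)

def encode_alpn_extension(protocols):
    """Serialise an ALPN extension as carried in a TLS ClientHello."""
    names = b"".join(bytes([len(p)]) + p for p in protocols)
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXT, len(body)) + body

def parse_alpn_offer(extensions):
    """Return the protocol IDs offered in an extensions block ([] if no ALPN)."""
    pos = 0
    while pos < len(extensions):
        if pos + 4 > len(extensions):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", extensions, pos)
        body = extensions[pos + 4:pos + 4 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension body")
        pos += 4 + ext_len
        if ext_type != ALPN_EXT:
            continue  # skip unrelated extensions
        if ext_len < 2 or struct.unpack_from("!H", body)[0] != ext_len - 2:
            raise ValueError("bad ProtocolNameList length")
        names, i = [], 2
        while i < ext_len:
            name = body[i + 1:i + 1 + body[i]]  # 1-byte length, then the name
            if not name or len(name) != body[i]:
                raise ValueError("bad ProtocolName")
            names.append(name)
            i += 1 + len(name)
        return names
    return []

def select_protocol(offered, server_prefs):
    """Pick the server's most preferred protocol that the client also offered."""
    return next((p for p in server_prefs if p in offered), None)

# Constructed sample: a renegotiation_info extension followed by an ALPN offer.
# "h2-15" is the draft token shown in X-Firefox-Spdy on this page.
SAMPLE_EXTENSIONS = (struct.pack("!HH", 0xFF01, 1) + b"\x00"
                     + encode_alpn_extension([b"h2-15", b"http/1.1"]))

if __name__ == "__main__":
    offer = parse_alpn_offer(SAMPLE_EXTENSIONS)
    print("client offered:", offer)
    print("server selects:", select_protocol(offer, [b"h2-15", b"http/1.1"]))
    # Without an ALPN offer the server has nothing to select and stays on HTTP/1.x.
    print("no ALPN:", select_protocol(parse_alpn_offer(b""), [b"h2-15"]))
```
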
0

The HTTP version in the response is an advertisement of the capabilities of the server, not the actual protocol version of the response. The protocol version of the response is the one that has been sent with the request.

In the past (but perhaps even nowadays) it was common for an old client to send a HTTP/1.0 request, and have the server respond in this way:

GET / HTTP/1.0
User-Agent: Netscape/1.0

HTTP/1.1 200 OK
Content-Length: 0

<connection closed>

The server advertised that it was able to speak HTTP/1.1, but behaved as HTTP/1.0 in the response (by closing the connection).

The same is happening in your case: you make a HTTP/1.1 request, the server advertises that it can speak HTTP/2.0 and responds with the HTTP/1.1 response format.

A smart client receiving that response could start speaking HTTP/2.0 to that server.

5 Comments

Thank you, that is certainly what Google are doing. However, this was not at all clear from the spec. RFC7230 section 3.1.2 states that the response status line consists of "the protocol version, a space (SP), the status code"; I had taken the protocol version to be the version used by the response. But you seem to indicate that the server should use it as a statement of its preferred protocol. Am I correct?
I just checked the upgrade header definition and I'm quite sure that Google are not spec. compliant here. It says, "A server MAY send an Upgrade header field in any other response to advertise that it implements support for upgrading to the listed protocols, in order of descending preference, when appropriate for a future request." So if the upgrade header is for advertising ability, surely the status line should indicate the protocol of the response? Is this a common practice vs specification issue?
My guess is that Google servers do not implement HTTP/2.0 upgrade. They can speak HTTP/2.0 when negotiated over TLS, but not in clear text. Therefore it would be wrong for them to send an Upgrade header in any other response (and it would be wasteful to send it for every response), because they don't support upgrading to HTTP/2.0, they only support negotiating HTTP/2.0. Yet, the server is able to speak HTTP/2.0 so it tells so in responses.
That makes sense and would be a viable reason; though I'm still unsure whether the protocol in the status line should be the current version or the preferred version. Regardless, this has clarified it enough that I know I'm not woefully misunderstanding anything. Thanks
The protocol in the status line is the protocol supported by the client/server. The server is allowed to reply with a different minor version, but not with a different major version, unless it knows that the client supports this version. See my response how the server knows that the client supports HTTP/2.0.
