< draft-ietf-httpbis-http2-00.txt   draft-ietf-httpbis-http2-01.txt >
HTTPbis Working Group M. Belshe HTTPbis Working Group M. Belshe
Internet-Draft Twist Internet-Draft Twist
Expires: June 1, 2013 R. Peon Expires: July 26, 2013 R. Peon
Google, Inc Google, Inc
M. Thomson, Ed. M. Thomson, Ed.
Microsoft Microsoft
A. Melnikov, Ed. A. Melnikov, Ed.
Isode Ltd Isode Ltd
November 28, 2012 January 22, 2013
SPDY Protocol Hypertext Transfer Protocol version 2.0
draft-ietf-httpbis-http2-00 draft-ietf-httpbis-http2-01
Abstract Abstract
This document describes SPDY, a protocol designed for low-latency This document describes an optimised expression of the semantics of
transport of content over the World Wide Web. SPDY introduces two the HTTP protocol. The HTTP/2.0 encapsulation enables more efficient
layers of protocol. The lower layer is a general purpose framing transfer of resources over HTTP by providing compressed headers,
layer which can be used atop a reliable transport (likely TCP) for simultaneous requests, and unsolicited push of resources from server
multiplexed, prioritized, and compressed data communication of many to client.
concurrent streams. The upper layer of the protocol provides HTTP-
like RFC2616 [RFC2616] semantics for compatibility with existing HTTP This document is an alternative to, but does not obsolete
application servers. RFC{http-p1}. The HTTP protocol semantics described in RFC{http-
p2..p7} are unmodified.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
This draft is a work-in-progress, and does not yet reflect Working This draft is a work-in-progress, and does not yet reflect Working
Group consensus. Group consensus.
This first draft uses the SPDY Protocol as a starting point, as per This draft contains features from the SPDY Protocol as a starting
the Working Group's charter. Future drafts will add, remove and point, as per the Working Group's charter. Future drafts will add,
change text, based upon the Working Group's decisions. remove and change text, based upon the Working Group's decisions.
Discussion of this draft takes place on the HTTPBIS working group Discussion of this draft takes place on the HTTPBIS working group
mailing list (ietf-http-wg@w3.org), which is archived at mailing list (ietf-http-wg@w3.org), which is archived at
<http://lists.w3.org/Archives/Public/ietf-http-wg/>. <http://lists.w3.org/Archives/Public/ietf-http-wg/>.
The current issues list is at The current issues list is at
<http://tools.ietf.org/wg/httpbis/trac/report/21> and related <http://tools.ietf.org/wg/httpbis/trac/report/21> and related
documents (including fancy diffs) can be found at documents (including fancy diffs) can be found at
<http://tools.ietf.org/wg/httpbis/>. <http://tools.ietf.org/wg/httpbis/>.
skipping to change at page 2, line 16 skipping to change at page 2, line 17
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 1, 2013. This Internet-Draft will expire on July 26, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Document Organization . . . . . . . . . . . . . . . . . . 4 1.1. Document Organization . . . . . . . . . . . . . . . . . . 5
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 5 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 6
2. SPDY Framing Layer . . . . . . . . . . . . . . . . . . . . . . 5 2. Starting HTTP/2.0 . . . . . . . . . . . . . . . . . . . . . . 6
2.1. Session (Connections) . . . . . . . . . . . . . . . . . . 5 2.1. HTTP/2.0 Version Identification . . . . . . . . . . . . . 6
2.2. Framing . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Starting HTTP/2.0 for "http:" URIs . . . . . . . . . . . . 7
2.2.1. Control frames . . . . . . . . . . . . . . . . . . . . 6 2.3. Starting HTTP/2.0 for "https:" URIs . . . . . . . . . . . 8
2.2.2. Data frames . . . . . . . . . . . . . . . . . . . . . 7 3. HTTP/2.0 Framing Layer . . . . . . . . . . . . . . . . . . . . 8
2.3. Streams . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.1. Session (Connections) . . . . . . . . . . . . . . . . . . 8
2.3.1. Stream frames . . . . . . . . . . . . . . . . . . . . 8 3.2. Framing . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.3.2. Stream creation . . . . . . . . . . . . . . . . . . . 8 3.2.1. Control frames . . . . . . . . . . . . . . . . . . . . 9
2.3.3. Stream priority . . . . . . . . . . . . . . . . . . . 9 3.2.2. Data frames . . . . . . . . . . . . . . . . . . . . . 10
2.3.4. Stream headers . . . . . . . . . . . . . . . . . . . . 9 3.3. Streams . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3.5. Stream data exchange . . . . . . . . . . . . . . . . . 10 3.3.1. Stream frames . . . . . . . . . . . . . . . . . . . . 11
2.3.6. Stream half-close . . . . . . . . . . . . . . . . . . 10 3.3.2. Stream creation . . . . . . . . . . . . . . . . . . . 11
2.3.7. Stream close . . . . . . . . . . . . . . . . . . . . . 10 3.3.3. Stream priority . . . . . . . . . . . . . . . . . . . 12
2.4. Error Handling . . . . . . . . . . . . . . . . . . . . . . 11 3.3.4. Stream headers . . . . . . . . . . . . . . . . . . . . 12
2.4.1. Session Error Handling . . . . . . . . . . . . . . . . 11 3.3.5. Stream data exchange . . . . . . . . . . . . . . . . . 13
2.4.2. Stream Error Handling . . . . . . . . . . . . . . . . 11 3.3.6. Stream half-close . . . . . . . . . . . . . . . . . . 13
2.5. Data flow . . . . . . . . . . . . . . . . . . . . . . . . 12 3.3.7. Stream close . . . . . . . . . . . . . . . . . . . . . 13
2.6. Control frame types . . . . . . . . . . . . . . . . . . . 12 3.4. Error Handling . . . . . . . . . . . . . . . . . . . . . . 14
2.6.1. SYN_STREAM . . . . . . . . . . . . . . . . . . . . . . 12 3.4.1. Session Error Handling . . . . . . . . . . . . . . . . 14
2.6.2. SYN_REPLY . . . . . . . . . . . . . . . . . . . . . . 13 3.4.2. Stream Error Handling . . . . . . . . . . . . . . . . 14
2.6.3. RST_STREAM . . . . . . . . . . . . . . . . . . . . . . 14 3.5. Stream Flow Control . . . . . . . . . . . . . . . . . . . 15
2.6.4. SETTINGS . . . . . . . . . . . . . . . . . . . . . . . 16 3.5.1. Flow Control Principles . . . . . . . . . . . . . . . 15
2.6.5. PING . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.5.2. Basic Flow Control Algorithm . . . . . . . . . . . . . 16
2.6.6. GOAWAY . . . . . . . . . . . . . . . . . . . . . . . . 20 3.6. Control frame types . . . . . . . . . . . . . . . . . . . 16
2.6.7. HEADERS . . . . . . . . . . . . . . . . . . . . . . . 21 3.6.1. SYN_STREAM . . . . . . . . . . . . . . . . . . . . . . 16
2.6.8. WINDOW_UPDATE . . . . . . . . . . . . . . . . . . . . 22 3.6.2. SYN_REPLY . . . . . . . . . . . . . . . . . . . . . . 18
2.6.9. CREDENTIAL . . . . . . . . . . . . . . . . . . . . . . 24 3.6.3. RST_STREAM . . . . . . . . . . . . . . . . . . . . . . 19
2.6.10. Name/Value Header Block . . . . . . . . . . . . . . . 26 3.6.4. SETTINGS . . . . . . . . . . . . . . . . . . . . . . . 20
3. HTTP Layering over SPDY . . . . . . . . . . . . . . . . . . . 32 3.6.5. PING . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.1. Connection Management . . . . . . . . . . . . . . . . . . 32 3.6.6. GOAWAY . . . . . . . . . . . . . . . . . . . . . . . . 24
3.1.1. Use of GOAWAY . . . . . . . . . . . . . . . . . . . . 32 3.6.7. HEADERS . . . . . . . . . . . . . . . . . . . . . . . 25
3.2. HTTP Request/Response . . . . . . . . . . . . . . . . . . 33 3.6.8. WINDOW_UPDATE . . . . . . . . . . . . . . . . . . . . 26
3.2.1. Request . . . . . . . . . . . . . . . . . . . . . . . 33 3.6.9. CREDENTIAL . . . . . . . . . . . . . . . . . . . . . . 28
3.2.2. Response . . . . . . . . . . . . . . . . . . . . . . . 35 3.6.10. Name/Value Header Block . . . . . . . . . . . . . . . 30
3.2.3. Authentication . . . . . . . . . . . . . . . . . . . . 35 4. HTTP Layering over HTTP/2.0 . . . . . . . . . . . . . . . . . 36
3.3. Server Push Transactions . . . . . . . . . . . . . . . . . 36 4.1. Connection Management . . . . . . . . . . . . . . . . . . 36
3.3.1. Server implementation . . . . . . . . . . . . . . . . 37 4.1.1. Use of GOAWAY . . . . . . . . . . . . . . . . . . . . 36
3.3.2. Client implementation . . . . . . . . . . . . . . . . 38 4.2. HTTP Request/Response . . . . . . . . . . . . . . . . . . 37
4. Design Rationale and Notes . . . . . . . . . . . . . . . . . . 39 4.2.1. Request . . . . . . . . . . . . . . . . . . . . . . . 37
4.1. Separation of Framing Layer and Application Layer . . . . 39 4.2.2. Response . . . . . . . . . . . . . . . . . . . . . . . 39
4.2. Error handling - Framing Layer . . . . . . . . . . . . . . 39 4.2.3. Authentication . . . . . . . . . . . . . . . . . . . . 39
4.3. One Connection Per Domain . . . . . . . . . . . . . . . . 40 4.3. Server Push Transactions . . . . . . . . . . . . . . . . . 40
4.4. Fixed vs Variable Length Fields . . . . . . . . . . . . . 40 4.3.1. Server implementation . . . . . . . . . . . . . . . . 41
4.5. Compression Context(s) . . . . . . . . . . . . . . . . . . 41 4.3.2. Client implementation . . . . . . . . . . . . . . . . 42
4.6. Unidirectional streams . . . . . . . . . . . . . . . . . . 41 5. Design Rationale and Notes . . . . . . . . . . . . . . . . . . 43
4.7. Data Compression . . . . . . . . . . . . . . . . . . . . . 41 5.1. Separation of Framing Layer and Application Layer . . . . 43
4.8. Server Push . . . . . . . . . . . . . . . . . . . . . . . 42 5.2. Error handling - Framing Layer . . . . . . . . . . . . . . 43
5. Security Considerations . . . . . . . . . . . . . . . . . . . 42 5.3. One Connection Per Domain . . . . . . . . . . . . . . . . 44
5.1. Use of Same-origin constraints . . . . . . . . . . . . . . 42 5.4. Fixed vs Variable Length Fields . . . . . . . . . . . . . 44
5.2. HTTP Headers and SPDY Headers . . . . . . . . . . . . . . 42 5.5. Compression Context(s) . . . . . . . . . . . . . . . . . . 45
5.3. Cross-Protocol Attacks . . . . . . . . . . . . . . . . . . 42 5.6. Unidirectional streams . . . . . . . . . . . . . . . . . . 45
5.4. Server Push Implicit Headers . . . . . . . . . . . . . . . 42 5.7. Data Compression . . . . . . . . . . . . . . . . . . . . . 45
6. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 43 5.8. Server Push . . . . . . . . . . . . . . . . . . . . . . . 46
6.1. Long Lived Connections . . . . . . . . . . . . . . . . . . 43 6. Security Considerations . . . . . . . . . . . . . . . . . . . 46
6.2. SETTINGS frame . . . . . . . . . . . . . . . . . . . . . . 43 6.1. Use of Same-origin constraints . . . . . . . . . . . . . . 46
7. Incompatibilities with SPDY draft #2 . . . . . . . . . . . . . 43 6.2. HTTP Headers and HTTP/2.0 Headers . . . . . . . . . . . . 46
8. Requirements Notation . . . . . . . . . . . . . . . . . . . . 44 6.3. Cross-Protocol Attacks . . . . . . . . . . . . . . . . . . 46
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 44 6.4. Server Push Implicit Headers . . . . . . . . . . . . . . . 46
10. Normative References . . . . . . . . . . . . . . . . . . . . . 44 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 47
Appendix A. Change Log (to be removed by RFC Editor before 7.1. Long Lived Connections . . . . . . . . . . . . . . . . . . 47
publication) . . . . . . . . . . . . . . . . . . . . 45 7.2. SETTINGS frame . . . . . . . . . . . . . . . . . . . . . . 47
A.1. Since draft-mbelshe-httpbis-spdy-00 . . . . . . . . . . . 45
1. Overview
One of the bottlenecks of HTTP implementations is that HTTP relies on 8. Requirements Notation . . . . . . . . . . . . . . . . . . . . 47
multiple connections for concurrency. This causes several problems, 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 47
including additional round trips for connection setup, slow-start 10. Normative References . . . . . . . . . . . . . . . . . . . . . 48
delays, and connection rationing by the client, where it tries to Appendix A. Change Log (to be removed by RFC Editor before
avoid opening too many connections to any single server. HTTP publication) . . . . . . . . . . . . . . . . . . . . 49
pipelining helps some, but only achieves partial multiplexing. In A.1. Since draft-ietf-httpbis-http2-00 . . . . . . . . . . . . 49
addition, pipelining has proven non-deployable in existing browsers A.2. Since draft-mbelshe-httpbis-spdy-00 . . . . . . . . . . . 49
due to intermediary interference.
SPDY adds a framing layer for multiplexing multiple, concurrent 1. Introduction
streams across a single TCP connection (or any reliable transport
stream). The framing layer is optimized for HTTP-like request-
response streams, such that applications which run over HTTP today
can work over SPDY with little or no change on behalf of the web
application writer.
The SPDY session offers four improvements over HTTP: HTTP is a wildly successful protocol. HTTP/1.1 message encapsulation
[HTTP-p1] is optimized for implementation simplicity and
accessibility, not application performance. As such it has several
characteristics that have a negative overall effect on application
performance.
Multiplexed requests: There is no limit to the number of requests The HTTP/1.1 encapsulation ensures that only one request can be
that can be issued concurrently over a single SPDY connection. delivered at a time on a given connection. HTTP/1.1 pipelining,
which is not widely deployed, only partially addresses these
concerns. Clients that need to make multiple requests therefore use
commonly multiple connections to a server or servers in order to
reduce the overall latency of those requests.
Prioritized requests: Clients can request certain resources to be Furthermore, HTTP/1.1 headers are represented in an inefficient
delivered first. This avoids the problem of congesting the fashion, which, in addition to generating more or larger network
network channel with non-critical resources when a high-priority packets, can cause the small initial TCP window to fill more quickly
request is pending. than is ideal. This results in excessive latency where multiple
requests are made on a new TCP connection.
Compressed headers: Clients today send a significant amount of This document defines an optimized mapping of the HTTP semantics to a
redundant data in the form of HTTP headers. Because a single web TCP connection. This optimization reduces the latency costs of HTTP
page may require 50 or 100 subrequests, this data is significant. by allowing parallel requests on the same connection and by using an
efficient coding for HTTP headers. Prioritization of requests lets
more important requests complete faster, further improving
application performance.
Server pushed streams: Server Push enables content to be pushed HTTP/2.0 applications have an improved impact on network congestion
from servers to clients without a request. due to the use of fewer TCP connections to achieve the same effect.
Fewer TCP connections compete more fairly with other flows. Long-
lived connections are also more able to take better advantage of the
available network capacity, rather than operating in the slow start
phase of TCP.
SPDY attempts to preserve the existing semantics of HTTP. All The HTTP/2.0 encapsulation also enables more efficient processing of
features such as cookies, ETags, Vary headers, Content-Encoding messages by providing efficient message framing. Processing of
negotiations, etc work as they do with HTTP; SPDY only replaces the headers in HTTP/2.0 messages is more efficient (for entities that
way the data is written to the network. process many messages).
1.1. Document Organization 1.1. Document Organization
The SPDY Specification is split into two parts: a framing layer The HTTP/2.0 Specification is split into three parts: starting
(Section 2), which multiplexes a TCP connection into independent, HTTP/2.0 (Section 2), which covers how a HTTP/2.0 is started; a
length-prefixed frames, and an HTTP layer (Section 3), which framing layer (Section 3), which multiplexes a TCP connection into
specifies the mechanism for overlaying HTTP request/response pairs on independent, length-prefixed frames; and an HTTP layer (Section 4),
top of the framing layer. While some of the framing layer concepts which specifies the mechanism for overlaying HTTP request/response
are isolated from the HTTP layer, building a generic framing layer pairs on top of the framing layer. While some of the framing layer
has not been a goal. The framing layer is tailored to the needs of concepts are isolated from the HTTP layer, building a generic framing
the HTTP protocol and server push. layer has not been a goal. The framing layer is tailored to the
needs of the HTTP protocol and server push.
1.2. Definitions 1.2. Definitions
client: The endpoint initiating the SPDY session. client: The endpoint initiating the HTTP/2.0 session.
connection: A transport-level connection between two endpoints. connection: A transport-level connection between two endpoints.
endpoint: Either the client or server of a connection. endpoint: Either the client or server of a connection.
frame: A header-prefixed sequence of bytes sent over a SPDY frame: A header-prefixed sequence of bytes sent over a HTTP/2.0
session. session.
server: The endpoint which did not initiate the SPDY session. server: The endpoint which did not initiate the HTTP/2.0 session.
session: A synonym for a connection. session: A synonym for a connection.
session error: An error on the SPDY session. session error: An error on the HTTP/2.0 session.
stream: A bi-directional flow of bytes across a virtual channel stream: A bi-directional flow of bytes across a virtual channel
within a SPDY session. within a HTTP/2.0 session.
stream error: An error on an individual SPDY stream. stream error: An error on an individual HTTP/2.0 stream.
2. SPDY Framing Layer 2. Starting HTTP/2.0
2.1. Session (Connections) Just as HTTP/1.1 does, HTTP/2.0 uses the "http:" and "https:" URI
schemes. An HTTP/2.0-capable client is therefore required to
discover whether a server (or intermediary) supports HTTP/2.0.
The SPDY framing layer (or "session") runs atop a reliable transport Different discovery mechanisms are defined for "http:" and "https:"
layer such as TCP [RFC0793]. The client is the TCP connection URIs. Discovery for "http:" URIs is described in Section 2.2;
initiator. SPDY connections are persistent connections. discovery for "https:" URIs is described in Section 2.3.
2.1. HTTP/2.0 Version Identification
HTTP/2.0 is identified in using the string "HTTP/2.0". This
identification is used in the HTTP/1.1 Upgrade header, in the TLS-NPN
[TLSNPN] [[TBD]] field and other places where protocol identification
is required.
[[Editor's Note: please remove the following text prior to the
publication of a final version of this document.]]
Only implementations of the final, published RFC can identify
themselves as "HTTP/2.0". Until such an RFC exists, implementations
MUST NOT identify themselves using "HTTP/2.0".
Examples and text throughout the rest of this document use "HTTP/2.0"
as a matter of editorial convenience only. Implementations of draft
versions MUST NOT identify using this string.
Implementations of draft versions of the protocol MUST add the
corresponding draft number to the identifier before the separator
('/'). For example, draft-ietf-httpbis-http2-03 is identified using
the string "HTTP-03/2.0".
Non-compatible experiments that are based on these draft versions
MUST include a further identifier. For example, an experimental
implementation of packet mood-based encoding based on
draft-ietf-httpbis-http2-07 might identify itself as "HTTP-07-
emo/2.0". Note that any label MUST conform with the "token" syntax
defined in Section 3.2.4 of [HTTP-p1]. Experimenters are encouraged
to coordinate their experiments on the ietf-http-wg@w3.org mailing
list.
2.2. Starting HTTP/2.0 for "http:" URIs
A client that makes a request to an "http:" URI without prior
knowledge about support for HTTP/2.0 uses the HTTP Upgrade mechanism
[HTTP-p2]. The client makes an HTTP/1.1 request that includes an
Upgrade header field identifying HTTP/2.0.
For example:
GET /default.htm HTTP/1.1
Host: server.example.com
Connection: Upgrade
Upgrade: HTTP/2.0
A server that does not support HTTP/2.0 can respond to the request as
though the Upgrade header field were absent:
HTTP/1.1 200 OK
Content-length: 243
Content-type: text/html
...
A server that supports HTTP/2.0 can accept the upgrade with a 101
(Switching Protocols) status code. After the empty line that
terminates the 101 response, the server can begin sending HTTP/2.0
frames. These frames MUST include a response to the request that
initiated the Upgrade.
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: HTTP/2.0
[ HTTP/2.0 frames ...
A client can learn that a particular server supports HTTP/2.0 by
other means. A client MAY immediately send HTTP/2.0 frames to a
server that is known to support HTTP/2.0. [[Open Issue: This is not
definite. We may yet choose to perform negotiation for every
connection. Reasons include intermediaries; phased upgrade of load-
balanced server farms; etc...]] [[Open Issue: We need to enumerate
the ways that clients can learn of HTTP/2.0 support.]]
2.3. Starting HTTP/2.0 for "https:" URIs
[[TBD, maybe NPN]]
3. HTTP/2.0 Framing Layer
3.1. Session (Connections)
The HTTP/2.0 framing layer (or "session") runs atop a reliable
transport layer such as TCP [RFC0793]. The client is the TCP
connection initiator. HTTP/2.0 connections are persistent
connections.
For best performance, it is expected that clients will not close open For best performance, it is expected that clients will not close open
connections until the user navigates away from all web pages connections until the user navigates away from all web pages
referencing a connection, or until the server closes the connection. referencing a connection, or until the server closes the connection.
Servers are encouraged to leave connections open for as long as Servers are encouraged to leave connections open for as long as
possible, but can terminate idle connections if necessary. When possible, but can terminate idle connections if necessary. When
either endpoint closes the transport-level connection, it MUST first either endpoint closes the transport-level connection, it MUST first
send a GOAWAY (Section 2.6.6) frame so that the endpoints can send a GOAWAY (Section 3.6.6) frame so that the endpoints can
reliably determine if requests finished before the close. reliably determine if requests finished before the close.
2.2. Framing 3.2. Framing
Once the connection is established, clients and servers exchange Once the connection is established, clients and servers exchange
framed messages. There are two types of frames: control frames framed messages. There are two types of frames: control frames
(Section 2.2.1) and data frames (Section 2.2.2). Frames always have (Section 3.2.1) and data frames (Section 3.2.2). Frames always have
a common header which is 8 bytes in length. a common header which is 8 bytes in length.
The first bit is a control bit indicating whether a frame is a The first bit is a control bit indicating whether a frame is a
control frame or data frame. Control frames carry a version number, control frame or data frame. Control frames carry a version number,
a frame type, flags, and a length. Data frames contain the stream a frame type, flags, and a length. Data frames contain the stream
ID, flags, and the length for the payload carried after the common ID, flags, and the length for the payload carried after the common
header. The simple header is designed to make reading and writing of header. The simple header is designed to make reading and writing of
frames easy. frames easy.
All integer values, including length, version, and type, are in All integer values, including length, version, and type, are in
network byte order. SPDY does not enforce alignment of types in network byte order. HTTP/2.0 does not enforce alignment of types in
dynamically sized frames. dynamically sized frames.
2.2.1. Control frames 3.2.1. Control frames
+----------------------------------+ +----------------------------------+
|C| Version(15bits) | Type(16bits) | |C| Version(15bits) | Type(16bits) |
+----------------------------------+ +----------------------------------+
| Flags (8) | Length (24 bits) | | Flags (8) | Length (24 bits) |
+----------------------------------+ +----------------------------------+
| Data | | Data |
+----------------------------------+ +----------------------------------+
Control bit: The 'C' bit is a single bit indicating if this is a Control bit: The 'C' bit is a single bit indicating if this is a
control message. For control frames this value is always 1. control message. For control frames this value is always 1.
Version: The version number of the SPDY protocol. This document Version: The version number of the HTTP/2.0 protocol. This document
describes SPDY version 3. describes HTTP/2.0 version 3.
Type: The type of control frame. See Control Frames for the complete Type: The type of control frame. See Control Frames for the complete
list of control frames. list of control frames.
Flags: Flags related to this frame. Flags for control frames and Flags: Flags related to this frame. Flags for control frames and
data frames are different. data frames are different.
Length: An unsigned 24-bit value representing the number of bytes Length: An unsigned 24-bit value representing the number of bytes
after the length field. after the length field.
skipping to change at page 7, line 5 skipping to change at page 10, line 5
of this data is controlled by the control frame type. of this data is controlled by the control frame type.
Control frame processing requirements: Control frame processing requirements:
Note that full length control frames (16MB) can be large for Note that full length control frames (16MB) can be large for
implementations running on resource-limited hardware. In such implementations running on resource-limited hardware. In such
cases, implementations MAY limit the maximum length frame cases, implementations MAY limit the maximum length frame
supported. However, all implementations MUST be able to receive supported. However, all implementations MUST be able to receive
control frames of at least 8192 octets in length. control frames of at least 8192 octets in length.
2.2.2. Data frames 3.2.2. Data frames
+----------------------------------+ +----------------------------------+
|C| Stream-ID (31bits) | |C| Stream-ID (31bits) |
+----------------------------------+ +----------------------------------+
| Flags (8) | Length (24 bits) | | Flags (8) | Length (24 bits) |
+----------------------------------+ +----------------------------------+
| Data | | Data |
+----------------------------------+ +----------------------------------+
Control bit: For data frames this value is always 0. Control bit: For data frames this value is always 0.
Stream-ID: A 31-bit value identifying the stream. Stream-ID: A 31-bit value identifying the stream.
Flags: Flags related to this frame. Valid flags are: Flags: Flags related to this frame. Valid flags are:
0x01 = FLAG_FIN - signifies that this frame represents the last 0x01 = FLAG_FIN - signifies that this frame represents the last
frame to be transmitted on this stream. See Stream Close frame to be transmitted on this stream. See Stream Close
(Section 2.3.7) below. (Section 3.3.7) below.
0x02 = FLAG_COMPRESS - indicates that the data in this frame has 0x02 = FLAG_COMPRESS - indicates that the data in this frame has
been compressed. been compressed.
Length: An unsigned 24-bit value representing the number of bytes Length: An unsigned 24-bit value representing the number of bytes
after the length field. The total size of a data frame is 8 bytes + after the length field. The total size of a data frame is 8 bytes +
length. It is valid to have a zero-length data frame. length. It is valid to have a zero-length data frame.
Data: The variable-length data payload; the length was defined in the Data: The variable-length data payload; the length was defined in the
length field. length field.
Data frame processing requirements: Data frame processing requirements:
If an endpoint receives a data frame for a stream-id which is not If an endpoint receives a data frame for a stream-id which is not
open and the endpoint has not sent a GOAWAY (Section 2.6.6) frame, open and the endpoint has not sent a GOAWAY (Section 3.6.6) frame,
it MUST send issue a stream error (Section 2.4.2) with the error it MUST send issue a stream error (Section 3.4.2) with the error
code INVALID_STREAM for the stream-id. code INVALID_STREAM for the stream-id.
If the endpoint which created the stream receives a data frame If the endpoint which created the stream receives a data frame
before receiving a SYN_REPLY on that stream, it is a protocol before receiving a SYN_REPLY on that stream, it is a protocol
error, and the recipient MUST issue a stream error (Section 2.4.2) error, and the recipient MUST issue a stream error (Section 3.4.2)
with the status code PROTOCOL_ERROR for the stream-id. with the status code PROTOCOL_ERROR for the stream-id.
Implementors note: If an endpoint receives multiple data frames Implementors note: If an endpoint receives multiple data frames
for invalid stream-ids, it MAY close the session. for invalid stream-ids, it MAY close the session.
All SPDY endpoints MUST accept compressed data frames. All HTTP/2.0 endpoints MUST accept compressed data frames.
Compression of data frames is always done using zlib compression. Compression of data frames is always done using zlib compression.
Each stream initializes and uses its own compression context Each stream initializes and uses its own compression context
dedicated to use within that stream. Endpoints are encouraged to dedicated to use within that stream. Endpoints are encouraged to
use application level compression rather than SPDY stream level use application level compression rather than HTTP/2.0 stream
compression. level compression.
Each SPDY stream sending compressed frames creates its own zlib Each HTTP/2.0 stream sending compressed frames creates its own
context for that stream, and these compression contexts MUST be zlib context for that stream, and these compression contexts MUST
distinct from the compression contexts used with SYN_STREAM/ be distinct from the compression contexts used with SYN_STREAM/
SYN_REPLY/HEADER compression. (Thus, if both endpoints of a SYN_REPLY/HEADER compression. (Thus, if both endpoints of a
stream are compressing data on the stream, there will be two zlib stream are compressing data on the stream, there will be two zlib
contexts, one for sending and one for receiving). contexts, one for sending and one for receiving).
2.3. Streams 3.3. Streams
Streams are independent sequences of bi-directional data divided into Streams are independent sequences of bi-directional data divided into
frames with several properties: frames with several properties:
Streams may be created by either the client or server. Streams may be created by either the client or server.
Streams optionally carry a set of name/value header pairs. Streams optionally carry a set of name/value header pairs.
Streams can concurrently send data interleaved with other streams. Streams can concurrently send data interleaved with other streams.
Streams may be cancelled. Streams may be cancelled.
2.3.1. Stream frames 3.3.1. Stream frames
SPDY defines 3 control frames to manage the lifecycle of a stream: HTTP/2.0 defines 3 control frames to manage the lifecycle of a
stream:
SYN_STREAM - Open a new stream SYN_STREAM - Open a new stream
SYN_REPLY - Remote acknowledgement of a new, open stream SYN_REPLY - Remote acknowledgement of a new, open stream
RST_STREAM - Close a stream RST_STREAM - Close a stream
2.3.2. Stream creation 3.3.2. Stream creation
A stream is created by sending a control frame with the type set to A stream is created by sending a control frame with the type set to
SYN_STREAM (Section 2.6.1). If the server is initiating the stream, SYN_STREAM (Section 3.6.1). If the server is initiating the stream,
the Stream-ID must be even. If the client is initiating the stream, the Stream-ID must be even. If the client is initiating the stream,
the Stream-ID must be odd. 0 is not a valid Stream-ID. Stream-IDs the Stream-ID must be odd. 0 is not a valid Stream-ID. Stream-IDs
from each side of the connection must increase monotonically as new from each side of the connection must increase monotonically as new
streams are created. E.g. Stream 2 may be created after stream 3, streams are created. E.g. Stream 2 may be created after stream 3,
but stream 7 must not be created after stream 9. Stream IDs do not but stream 7 must not be created after stream 9. Stream IDs do not
wrap: when a client or server cannot create a new stream id without wrap: when a client or server cannot create a new stream id without
exceeding a 31 bit value, it MUST NOT create a new stream. exceeding a 31 bit value, it MUST NOT create a new stream.
The stream-id MUST increase with each new stream. If an endpoint The stream-id MUST increase with each new stream. If an endpoint
receives a SYN_STREAM with a stream id which is less than any receives a SYN_STREAM with a stream id which is less than any
previously received SYN_STREAM, it MUST issue a session error previously received SYN_STREAM, it MUST issue a session error
(Section 2.4.1) with the status PROTOCOL_ERROR. (Section 3.4.1) with the status PROTOCOL_ERROR.
It is a protocol error to send two SYN_STREAMs with the same It is a protocol error to send two SYN_STREAMs with the same
stream-id. If a recipient receives a second SYN_STREAM for the same stream-id. If a recipient receives a second SYN_STREAM for the same
stream, it MUST issue a stream error (Section 2.4.2) with the status stream, it MUST issue a stream error (Section 3.4.2) with the status
code PROTOCOL_ERROR. code PROTOCOL_ERROR.
Upon receipt of a SYN_STREAM, the recipient can reject the stream by Upon receipt of a SYN_STREAM, the recipient can reject the stream by
sending a stream error (Section 2.4.2) with the error code sending a stream error (Section 3.4.2) with the error code
REFUSED_STREAM. Note, however, that the creating endpoint may have REFUSED_STREAM. Note, however, that the creating endpoint may have
already sent additional frames for that stream which cannot be already sent additional frames for that stream which cannot be
immediately stopped. immediately stopped.
Once the stream is created, the creator may immediately send HEADERS Once the stream is created, the creator may immediately send HEADERS
or DATA frames for that stream, without needing to wait for the or DATA frames for that stream, without needing to wait for the
recipient to acknowledge. recipient to acknowledge.
2.3.2.1. Unidirectional streams 3.3.2.1. Unidirectional streams
When an endpoint creates a stream with the FLAG_UNIDIRECTIONAL flag When an endpoint creates a stream with the FLAG_UNIDIRECTIONAL flag
set, it creates a unidirectional stream which the creating endpoint set, it creates a unidirectional stream which the creating endpoint
can use to send frames, but the receiving endpoint cannot. The can use to send frames, but the receiving endpoint cannot. The
receiving endpoint is implicitly already in the half-closed receiving endpoint is implicitly already in the half-closed
(Section 2.3.6) state. (Section 3.3.6) state.
2.3.2.2. Bidirectional streams 3.3.2.2. Bidirectional streams
SYN_STREAM frames which do not use the FLAG_UNIDIRECTIONAL flag are SYN_STREAM frames which do not use the FLAG_UNIDIRECTIONAL flag are
bidirectional streams. Both endpoints can send data on a bi- bidirectional streams. Both endpoints can send data on a bi-
directional stream. directional stream.
2.3.3. Stream priority 3.3.3. Stream priority
The creator of a stream assigns a priority for that stream. Priority The creator of a stream assigns a priority for that stream. Priority
is represented as an integer from 0 to 7. 0 represents the highest is represented as an integer from 0 to 7. 0 represents the highest
priority and 7 represents the lowest priority. priority and 7 represents the lowest priority.
The sender and recipient SHOULD use best-effort to process streams in The sender and recipient SHOULD use best-effort to process streams in
the order of highest priority to lowest priority. the order of highest priority to lowest priority.
2.3.4. Stream headers 3.3.4. Stream headers
Streams carry optional sets of name/value pair headers which carry Streams carry optional sets of name/value pair headers which carry
metadata about the stream. After the stream has been created, and as metadata about the stream. After the stream has been created, and as
long as the sender is not closed (Section 2.3.7) or half-closed long as the sender is not closed (Section 3.3.7) or half-closed
(Section 2.3.6), each side may send HEADERS frame(s) containing the (Section 3.3.6), each side may send HEADERS frame(s) containing the
header data. Header data can be sent in multiple HEADERS frames, and header data. Header data can be sent in multiple HEADERS frames, and
HEADERS frames may be interleaved with data frames. HEADERS frames may be interleaved with data frames.
2.3.5. Stream data exchange 3.3.5. Stream data exchange
Once a stream is created, it can be used to send arbitrary amounts of Once a stream is created, it can be used to send arbitrary amounts of
data. Generally this means that a series of data frames will be sent data. Generally this means that a series of data frames will be sent
on the stream until a frame containing the FLAG_FIN flag is set. The on the stream until a frame containing the FLAG_FIN flag is set. The
FLAG_FIN can be set on a SYN_STREAM (Section 2.6.1), SYN_REPLY FLAG_FIN can be set on a SYN_STREAM (Section 3.6.1), SYN_REPLY
(Section 2.6.2), HEADERS (Section 2.6.7) or a DATA (Section 2.2.2) (Section 3.6.2), HEADERS (Section 3.6.7) or a DATA (Section 3.2.2)
frame. Once the FLAG_FIN has been sent, the stream is considered to frame. Once the FLAG_FIN has been sent, the stream is considered to
be half-closed. be half-closed.
2.3.6. Stream half-close 3.3.6. Stream half-close
When one side of the stream sends a frame with the FLAG_FIN flag set, When one side of the stream sends a frame with the FLAG_FIN flag set,
the stream is half-closed from that endpoint. The sender of the the stream is half-closed from that endpoint. The sender of the
FLAG_FIN MUST NOT send further frames on that stream. When both FLAG_FIN MUST NOT send further frames on that stream. When both
sides have half-closed, the stream is closed. sides have half-closed, the stream is closed.
If an endpoint receives a data frame after the stream is half-closed If an endpoint receives a data frame after the stream is half-closed
from the sender (e.g. the endpoint has already received a prior frame from the sender (e.g. the endpoint has already received a prior frame
for the stream with the FIN flag set), it MUST send a RST_STREAM to for the stream with the FIN flag set), it MUST send a RST_STREAM to
the sender with the status STREAM_ALREADY_CLOSED. the sender with the status STREAM_ALREADY_CLOSED.
2.3.7. Stream close 3.3.7. Stream close
There are 3 ways that streams can be terminated: There are 3 ways that streams can be terminated:
Normal termination: Normal stream termination occurs when both Normal termination: Normal stream termination occurs when both
sender and recipient have half-closed the stream by sending a sender and recipient have half-closed the stream by sending a
FLAG_FIN. FLAG_FIN.
Abrupt termination: Either the client or server can send a Abrupt termination: Either the client or server can send a
RST_STREAM control frame at any time. A RST_STREAM contains an RST_STREAM control frame at any time. A RST_STREAM contains an
error code to indicate the reason for failure. When a RST_STREAM error code to indicate the reason for failure. When a RST_STREAM
is sent from the stream originator, it indicates a failure to is sent from the stream originator, it indicates a failure to
complete the stream and that no further data will be sent on the complete the stream and that no further data will be sent on the
stream. When a RST_STREAM is sent from the stream recipient, the stream. When a RST_STREAM is sent from the stream recipient, the
sender, upon receipt, should stop sending any data on the stream. sender, upon receipt, should stop sending any data on the stream.
The stream recipient should be aware that there is a race between The stream recipient should be aware that there is a race between
data already in transit from the sender and the time the data already in transit from the sender and the time the
RST_STREAM is received. See Stream Error Handling (Section 2.4.2) RST_STREAM is received. See Stream Error Handling (Section 3.4.2)
TCP connection teardown: If the TCP connection is torn down while TCP connection teardown: If the TCP connection is torn down while
un-closed streams exist, then the endpoint must assume that the un-closed streams exist, then the endpoint must assume that the
stream was abnormally interrupted and may be incomplete. stream was abnormally interrupted and may be incomplete.
If an endpoint receives a data frame after the stream is closed, it If an endpoint receives a data frame after the stream is closed, it
must send a RST_STREAM to the sender with the status PROTOCOL_ERROR. must send a RST_STREAM to the sender with the status PROTOCOL_ERROR.
2.4. Error Handling 3.4. Error Handling
The SPDY framing layer has only two types of errors, and they are The HTTP/2.0 framing layer has only two types of errors, and they are
always handled consistently. Any reference in this specification to always handled consistently. Any reference in this specification to
"issue a session error" refers to Section 2.4.1. Any reference to "issue a session error" refers to Section 3.4.1. Any reference to
"issue a stream error" refers to Section 2.4.2. "issue a stream error" refers to Section 3.4.2.
2.4.1. Session Error Handling 3.4.1. Session Error Handling
A session error is any error which prevents further processing of the A session error is any error which prevents further processing of the
framing layer or which corrupts the session compression state. When framing layer or which corrupts the session compression state. When
a session error occurs, the endpoint encountering the error MUST a session error occurs, the endpoint encountering the error MUST
first send a GOAWAY (Section 2.6.6) frame with the stream id of most first send a GOAWAY (Section 3.6.6) frame with the stream id of most
recently received stream from the remote endpoint, and the error code recently received stream from the remote endpoint, and the error code
for why the session is terminating. After sending the GOAWAY frame, for why the session is terminating. After sending the GOAWAY frame,
the endpoint MUST close the TCP connection. the endpoint MUST close the TCP connection.
Note that the session compression state is dependent upon both Note that the session compression state is dependent upon both
endpoints always processing all compressed data. If an endpoint endpoints always processing all compressed data. If an endpoint
partially processes a frame containing compressed data without partially processes a frame containing compressed data without
updating compression state properly, future control frames which use updating compression state properly, future control frames which use
compression will be always be errored. Implementations SHOULD always compression will be always be errored. Implementations SHOULD always
try to process compressed data so that errors which could be handled try to process compressed data so that errors which could be handled
as stream errors do not become session errors. as stream errors do not become session errors.
Note that because this GOAWAY is sent during a session error case, it Note that because this GOAWAY is sent during a session error case, it
is possible that the GOAWAY will not be reliably received by the is possible that the GOAWAY will not be reliably received by the
receiving endpoint. It is a best-effort attempt to communicate with receiving endpoint. It is a best-effort attempt to communicate with
the remote about why the session is going down. the remote about why the session is going down.
2.4.2. Stream Error Handling 3.4.2. Stream Error Handling
A stream error is an error related to a specific stream-id which does A stream error is an error related to a specific stream-id which does
not affect processing of other streams at the framing layer. Upon a not affect processing of other streams at the framing layer. Upon a
stream error, the endpoint MUST send a RST_STREAM (Section 2.6.3) stream error, the endpoint MUST send a RST_STREAM (Section 3.6.3)
frame which contains the stream id of the stream where the error frame which contains the stream id of the stream where the error
occurred and the error status which caused the error. After sending occurred and the error status which caused the error. After sending
the RST_STREAM, the stream is closed to the sending endpoint. After the RST_STREAM, the stream is closed to the sending endpoint. After
sending the RST_STREAM, if the sender receives any frames other than sending the RST_STREAM, if the sender receives any frames other than
a RST_STREAM for that stream id, it will result in sending additional a RST_STREAM for that stream id, it will result in sending additional
RST_STREAM frames. An endpoint MUST NOT send a RST_STREAM in RST_STREAM frames. An endpoint MUST NOT send a RST_STREAM in
response to an RST_STREAM, as doing so would lead to RST_STREAM response to an RST_STREAM, as doing so would lead to RST_STREAM
loops. Sending a RST_STREAM does not cause the SPDY session to be loops. Sending a RST_STREAM does not cause the HTTP/2.0 session to
closed. be closed.
If an endpoint has multiple RST_STREAM frames to send in succession If an endpoint has multiple RST_STREAM frames to send in succession
for the same stream-id and the same error code, it MAY coalesce them for the same stream-id and the same error code, it MAY coalesce them
into a single RST_STREAM frame. (This can happen if a stream is into a single RST_STREAM frame. (This can happen if a stream is
closed, but the remote sends multiple data frames. There is no closed, but the remote sends multiple data frames. There is no
reason to send a RST_STREAM for each frame in succession). reason to send a RST_STREAM for each frame in succession).
2.5. Data flow 3.5. Stream Flow Control
Because TCP provides a single stream of data on which SPDY Multiplexing streams introduces contention for access to the shared
multiplexes multiple logical streams, clients and servers must TCP connection. Stream contention can result in streams being
intelligently interleave data messages for concurrent sessions. blocked by other streams. A flow control scheme ensures that streams
do not destructively interfere with other streams on the same TCP
connection.
2.6. Control frame types 3.5.1. Flow Control Principles
2.6.1. SYN_STREAM Experience with TCP congestion control has shown that algorithms can
evolve over time to become more sophisticated without requiring
protocol changes. TCP congestion control and its evolution is
clearly different from HTTP/2.0 flow control, though the evolution of
TCP congestion control algorithms shows that a similar approach could
be feasible for HTTP/2.0 flow control.
HTTP/2.0 stream flow control aims to allow for future improvements to
flow control algorithms without requiring protocol changes. The
following principles guide the HTTP/2.0 design:
1. Flow control is hop-by-hop, not end-to-end.
2. Flow control is based on window update messages. Receivers
advertise how many octets they are prepared to receive on a
stream. This is a credit-based scheme.
3. Flow control is directional with overall control provided by the
receiver. A receiver MAY choose to set any window size that it
desires for each stream [[TBD: ... and for the overall
connection]]. A sender MUST respect flow control limits imposed
by a receiver. Clients, servers and intermediaries all
independently advertise their flow control preferences as a
receiver and abide by the flow control limits set by their peer
when sending.
4. Flow control can be disabled by a receiver. A receiver can
choose to either disable flow control, or to declare an infinite
flow control limit. [[TBD: determine whether just one mechanism
is sufficient, and then which alternative]]
5. HTTP/2.0 standardizes only the format of the window update
message (Section 3.6.8). This does not stipulate how a receiver
decides when to send this message or the value that it sends.
Nor does it specify how a sender chooses to send packets.
Implementations are able to select any algorithm that suits their
needs. An example flow control algorithm is described in
Section 3.5.2.
Implementations are also responsible for managing how requests and
responses are sent based on priority; choosing how to avoid head of
line blocking for requests; and managing the creation of new streams.
Algorithm choices for these could interact with any flow control
algorithm.
3.5.2. Basic Flow Control Algorithm
This section describes a basic flow control algorithm. This
algorithm is provided as an example, implementations can use any
algorithm that complies with flow control requirements.
[[Algorithm TBD]]
3.6. Control frame types
3.6.1. SYN_STREAM
The SYN_STREAM control frame allows the sender to asynchronously The SYN_STREAM control frame allows the sender to asynchronously
create a stream between the endpoints. See Stream Creation create a stream between the endpoints. See Stream Creation
(Section 2.3.2) (Section 3.3.2)
+------------------------------------+ +------------------------------------+
|1| version | 1 | |1| version | 1 |
+------------------------------------+ +------------------------------------+
| Flags (8) | Length (24 bits) | | Flags (8) | Length (24 bits) |
+------------------------------------+ +------------------------------------+
|X| Stream-ID (31bits) | |X| Stream-ID (31bits) |
+------------------------------------+ +------------------------------------+
|X| Associated-To-Stream-ID (31bits) | |X| Associated-To-Stream-ID (31bits) |
+------------------------------------+ +------------------------------------+
| Pri|Unused | Slot | | | Pri|Unused | Slot | |
skipping to change at page 12, line 50 skipping to change at page 17, line 31
| Length of value (int32) | | | Length of value (int32) | |
+------------------------------------+ | +------------------------------------+ |
| Value (string) | | | Value (string) | |
+------------------------------------+ | +------------------------------------+ |
| (repeats) | <+ | (repeats) | <+
Flags: Flags related to this frame. Valid flags are: Flags: Flags related to this frame. Valid flags are:
0x01 = FLAG_FIN - marks this frame as the last frame to be 0x01 = FLAG_FIN - marks this frame as the last frame to be
transmitted on this stream and puts the sender in the half-closed transmitted on this stream and puts the sender in the half-closed
(Section 2.3.6) state. (Section 3.3.6) state.
0x02 = FLAG_UNIDIRECTIONAL - a stream created with this flag puts 0x02 = FLAG_UNIDIRECTIONAL - a stream created with this flag puts
the recipient in the half-closed (Section 2.3.6) state. the recipient in the half-closed (Section 3.3.6) state.
Length: The length is the number of bytes which follow the length Length: The length is the number of bytes which follow the length
field in the frame. For SYN_STREAM frames, this is 10 bytes plus the field in the frame. For SYN_STREAM frames, this is 10 bytes plus the
length of the compressed Name/Value block. length of the compressed Name/Value block.
Stream-ID: The 31-bit identifier for this stream. This stream-id Stream-ID: The 31-bit identifier for this stream. This stream-id
will be used in frames which are part of this stream. will be used in frames which are part of this stream.
Associated-To-Stream-ID: The 31-bit identifier for a stream which Associated-To-Stream-ID: The 31-bit identifier for a stream which
this stream is associated to. If this stream is independent of all this stream is associated to. If this stream is independent of all
other streams, it should be 0. other streams, it should be 0.
Priority: A 3-bit priority (Section 2.3.3) field. Priority: A 3-bit priority (Section 3.3.3) field.
Unused: 5 bits of unused space, reserved for future use. Unused: 5 bits of unused space, reserved for future use.
Slot: An 8 bit unsigned integer specifying the index in the server's Slot: An 8 bit unsigned integer specifying the index in the server's
CREDENTIAL vector of the client certificate to be used for this CREDENTIAL vector of the client certificate to be used for this
request. see CREDENTIAL frame (Section 2.6.9). The value 0 means no request. see CREDENTIAL frame (Section 3.6.9). The value 0 means no
client certificate should be associated with this stream. client certificate should be associated with this stream.
Name/Value Header Block: A set of name/value pairs carried as part of Name/Value Header Block: A set of name/value pairs carried as part of
the SYN_STREAM. see Name/Value Header Block (Section 2.6.10). the SYN_STREAM. see Name/Value Header Block (Section 3.6.10).
If an endpoint receives a SYN_STREAM which is larger than the If an endpoint receives a SYN_STREAM which is larger than the
implementation supports, it MAY send a RST_STREAM with error code implementation supports, it MAY send a RST_STREAM with error code
FRAME_TOO_LARGE. All implementations MUST support the minimum size FRAME_TOO_LARGE. All implementations MUST support the minimum size
limits defined in the Control Frames section (Section 2.2.1). limits defined in the Control Frames section (Section 3.2.1).
2.6.2. SYN_REPLY 3.6.2. SYN_REPLY
SYN_REPLY indicates the acceptance of a stream creation by the SYN_REPLY indicates the acceptance of a stream creation by the
recipient of a SYN_STREAM frame. recipient of a SYN_STREAM frame.
+------------------------------------+ +------------------------------------+
|1| version | 2 | |1| version | 2 |
+------------------------------------+ +------------------------------------+
| Flags (8) | Length (24 bits) | | Flags (8) | Length (24 bits) |
+------------------------------------+ +------------------------------------+
|X| Stream-ID (31bits) | |X| Stream-ID (31bits) |
skipping to change at page 14, line 28 skipping to change at page 18, line 44
| Length of value (int32) | | | Length of value (int32) | |
+------------------------------------+ | +------------------------------------+ |
| Value (string) | | | Value (string) | |
+------------------------------------+ | +------------------------------------+ |
| (repeats) | <+ | (repeats) | <+
Flags: Flags related to this frame. Valid flags are: Flags: Flags related to this frame. Valid flags are:
0x01 = FLAG_FIN - marks this frame as the last frame to be 0x01 = FLAG_FIN - marks this frame as the last frame to be
transmitted on this stream and puts the sender in the half-closed transmitted on this stream and puts the sender in the half-closed
(Section 2.3.6) state. (Section 3.3.6) state.
Length: The length is the number of bytes which follow the length Length: The length is the number of bytes which follow the length
field in the frame. For SYN_REPLY frames, this is 4 bytes plus the field in the frame. For SYN_REPLY frames, this is 4 bytes plus the
length of the compressed Name/Value block. length of the compressed Name/Value block.
Stream-ID: The 31-bit identifier for this stream. Stream-ID: The 31-bit identifier for this stream.
If an endpoint receives multiple SYN_REPLY frames for the same active If an endpoint receives multiple SYN_REPLY frames for the same active
stream ID, it MUST issue a stream error (Section 2.4.2) with the stream ID, it MUST issue a stream error (Section 3.4.2) with the
error code STREAM_IN_USE. error code STREAM_IN_USE.
Name/Value Header Block: A set of name/value pairs carried as part of Name/Value Header Block: A set of name/value pairs carried as part of
the SYN_STREAM. see Name/Value Header Block (Section 2.6.10). the SYN_STREAM. see Name/Value Header Block (Section 3.6.10).
If an endpoint receives a SYN_REPLY which is larger than the If an endpoint receives a SYN_REPLY which is larger than the
implementation supports, it MAY send a RST_STREAM with error code implementation supports, it MAY send a RST_STREAM with error code
FRAME_TOO_LARGE. All implementations MUST support the minimum size FRAME_TOO_LARGE. All implementations MUST support the minimum size
limits defined in the Control Frames section (Section 2.2.1). limits defined in the Control Frames section (Section 3.2.1).
2.6.3. RST_STREAM 3.6.3. RST_STREAM
The RST_STREAM frame allows for abnormal termination of a stream. The RST_STREAM frame allows for abnormal termination of a stream.
When sent by the creator of a stream, it indicates the creator wishes When sent by the creator of a stream, it indicates the creator wishes
to cancel the stream. When sent by the recipient of a stream, it to cancel the stream. When sent by the recipient of a stream, it
indicates an error or that the recipient did not want to accept the indicates an error or that the recipient did not want to accept the
stream, so the stream should be closed. stream, so the stream should be closed.
+----------------------------------+ +----------------------------------+
|1| version | 3 | |1| version | 3 |
+----------------------------------+ +----------------------------------+
skipping to change at page 15, line 39 skipping to change at page 20, line 9
1 - PROTOCOL_ERROR. This is a generic error, and should only be 1 - PROTOCOL_ERROR. This is a generic error, and should only be
used if a more specific error is not available. used if a more specific error is not available.
2 - INVALID_STREAM. This is returned when a frame is received for 2 - INVALID_STREAM. This is returned when a frame is received for
a stream which is not active. a stream which is not active.
3 - REFUSED_STREAM. Indicates that the stream was refused before 3 - REFUSED_STREAM. Indicates that the stream was refused before
any processing has been done on the stream. any processing has been done on the stream.
4 - UNSUPPORTED_VERSION. Indicates that the recipient of a stream 4 - UNSUPPORTED_VERSION. Indicates that the recipient of a stream
does not support the SPDY version requested. does not support the HTTP/2.0 version requested.
5 - CANCEL. Used by the creator of a stream to indicate that the 5 - CANCEL. Used by the creator of a stream to indicate that the
stream is no longer needed. stream is no longer needed.
6 - INTERNAL_ERROR. This is a generic error which can be used 6 - INTERNAL_ERROR. This is a generic error which can be used
when the implementation has internally failed, not due to anything when the implementation has internally failed, not due to anything
in the protocol. in the protocol.
7 - FLOW_CONTROL_ERROR. The endpoint detected that its peer 7 - FLOW_CONTROL_ERROR. The endpoint detected that its peer
violated the flow control protocol. violated the flow control protocol.
skipping to change at page 16, line 28 skipping to change at page 20, line 44
the compressed portion of those frames, then the compression state the compressed portion of those frames, then the compression state
will be out-of-sync with the other endpoint. In this case, will be out-of-sync with the other endpoint. In this case,
senders of FRAME_TOO_LARGE MUST close the session. senders of FRAME_TOO_LARGE MUST close the session.
Note: 0 is not a valid status code for a RST_STREAM. Note: 0 is not a valid status code for a RST_STREAM.
After receiving a RST_STREAM on a stream, the recipient must not send After receiving a RST_STREAM on a stream, the recipient must not send
additional frames for that stream, and the stream moves into the additional frames for that stream, and the stream moves into the
closed state. closed state.
2.6.4. SETTINGS 3.6.4. SETTINGS
A SETTINGS frame contains a set of id/value pairs for communicating A SETTINGS frame contains a set of id/value pairs for communicating
configuration data about how the two endpoints may communicate. configuration data about how the two endpoints may communicate.
SETTINGS frames can be sent at any time by either endpoint, are SETTINGS frames can be sent at any time by either endpoint, are
optionally sent, and are fully asynchronous. When the server is the optionally sent, and are fully asynchronous. When the server is the
sender, the sender can request that configuration data be persisted sender, the sender can request that configuration data be persisted
by the client across SPDY sessions and returned to the server in by the client across HTTP/2.0 sessions and returned to the server in
future communications. future communications.
Persistence of SETTINGS ID/Value pairs is done on a per origin/IP Persistence of SETTINGS ID/Value pairs is done on a per origin/IP
pair (the "origin" is the set of scheme, host, and port from the URI. pair (the "origin" is the set of scheme, host, and port from the URI.
See [RFC6454]). That is, when a client connects to a server, and the See [RFC6454]). That is, when a client connects to a server, and the
server persists settings within the client, the client SHOULD return server persists settings within the client, the client SHOULD return
the persisted settings on future connections to the same origin AND the persisted settings on future connections to the same origin AND
IP address and TCP port. Clients MUST NOT request servers to use the IP address and TCP port. Clients MUST NOT request servers to use the
persistence features of the SETTINGS frames, and servers MUST ignore persistence features of the SETTINGS frames, and servers MUST ignore
persistence related flags sent by a client. persistence related flags sent by a client.
skipping to change at page 17, line 17 skipping to change at page 21, line 26
+----------------------------------+ +----------------------------------+
| Flags (8) | Length (24 bits) | | Flags (8) | Length (24 bits) |
+----------------------------------+ +----------------------------------+
| Number of entries | | Number of entries |
+----------------------------------+ +----------------------------------+
| ID/Value Pairs | | ID/Value Pairs |
| ... | | ... |
Control bit: The control bit is always 1 for this message. Control bit: The control bit is always 1 for this message.
Version: The SPDY version number. Version: The HTTP/2.0 version number.
Type: The message type for a SETTINGS message is 4. Type: The message type for a SETTINGS message is 4.
Flags: FLAG_SETTINGS_CLEAR_SETTINGS (0x1): When set, the client Flags: FLAG_SETTINGS_CLEAR_SETTINGS (0x1): When set, the client
should clear any previously persisted SETTINGS ID/Value pairs. If should clear any previously persisted SETTINGS ID/Value pairs. If
this frame contains ID/Value pairs with the this frame contains ID/Value pairs with the
FLAG_SETTINGS_PERSIST_VALUE set, then the client will first clear its FLAG_SETTINGS_PERSIST_VALUE set, then the client will first clear its
existing, persisted settings, and then persist the values with the existing, persisted settings, and then persist the values with the
flag set which are contained within this frame. Because persistence flag set which are contained within this frame. Because persistence
is only implemented on the client, this flag can only be used when is only implemented on the client, this flag can only be used when
skipping to change at page 18, line 46 skipping to change at page 23, line 6
6 - SETTINGS_DOWNLOAD_RETRANS_RATE allows the sender to inform 6 - SETTINGS_DOWNLOAD_RETRANS_RATE allows the sender to inform
the remote endpoint the retransmission rate (bytes the remote endpoint the retransmission rate (bytes
retransmitted / total bytes transmitted). retransmitted / total bytes transmitted).
7 - SETTINGS_INITIAL_WINDOW_SIZE allows the sender to inform 7 - SETTINGS_INITIAL_WINDOW_SIZE allows the sender to inform
the remote endpoint the initial window size (in bytes) for new the remote endpoint the initial window size (in bytes) for new
streams. streams.
8 - SETTINGS_CLIENT_CERTIFICATE_VECTOR_SIZE allows the server 8 - SETTINGS_CLIENT_CERTIFICATE_VECTOR_SIZE allows the server
to inform the client if the new size of the client certificate to inform the client of the new size of the client certificate
vector. vector.
Value: A 32-bit value. Value: A 32-bit value.
The message is intentionally extensible for future information which The message is intentionally extensible for future information which
may improve client-server communications. The sender does not need may improve client-server communications. The sender does not need
to send every type of ID/value. It must only send those for which it to send every type of ID/value. It must only send those for which it
has accurate values to convey. When multiple ID/value pairs are has accurate values to convey. When multiple ID/value pairs are
sent, they should be sent in order of lowest id to highest id. A sent, they should be sent in order of lowest id to highest id. A
single SETTINGS frame MUST not contain multiple values for the same single SETTINGS frame MUST not contain multiple values for the same
skipping to change at page 19, line 20 skipping to change at page 23, line 29
A server may send multiple SETTINGS frames containing different ID/ A server may send multiple SETTINGS frames containing different ID/
Value pairs. When the same ID/Value is sent twice, the most recent Value pairs. When the same ID/Value is sent twice, the most recent
value overrides any previously sent values. If the server sends IDs value overrides any previously sent values. If the server sends IDs
1, 2, and 3 with the FLAG_SETTINGS_PERSIST_VALUE in a first SETTINGS 1, 2, and 3 with the FLAG_SETTINGS_PERSIST_VALUE in a first SETTINGS
frame, and then sends IDs 4 and 5 with the frame, and then sends IDs 4 and 5 with the
FLAG_SETTINGS_PERSIST_VALUE, when the client returns the persisted FLAG_SETTINGS_PERSIST_VALUE, when the client returns the persisted
state on its next SETTINGS frame, it SHOULD send all 5 settings (1, state on its next SETTINGS frame, it SHOULD send all 5 settings (1,
2, 3, 4, and 5 in this example) to the server. 2, 3, 4, and 5 in this example) to the server.
2.6.5. PING 3.6.5. PING
The PING control frame is a mechanism for measuring a minimal round- The PING control frame is a mechanism for measuring a minimal round-
trip time from the sender. It can be sent from the client or the trip time from the sender. It can be sent from the client or the
server. Recipients of a PING frame should send an identical frame to server. Recipients of a PING frame should send an identical frame to
the sender as soon as possible (if there is other pending data the sender as soon as possible (if there is other pending data
waiting to be sent, PING should take highest priority). Each ping waiting to be sent, PING should take highest priority). Each ping
sent by a sender should use a unique ID. sent by a sender should use a unique ID.
+----------------------------------+ +----------------------------------+
|1| version | 6 | |1| version | 6 |
+----------------------------------+ +----------------------------------+
| 0 (flags) | 4 (length) | | 0 (flags) | 4 (length) |
+----------------------------------| +----------------------------------|
| 32-bit ID | | 32-bit ID |
+----------------------------------+ +----------------------------------+
Control bit: The control bit is always 1 for this message. Control bit: The control bit is always 1 for this message.
Version: The SPDY version number. Version: The HTTP/2.0 version number.
Type: The message type for a PING message is 6. Type: The message type for a PING message is 6.
Length: This frame is always 4 bytes long. Length: This frame is always 4 bytes long.
ID: A unique ID for this ping, represented as an unsigned 32 bit ID: A unique ID for this ping, represented as an unsigned 32 bit
value. When the client initiates a ping, it must use an odd numbered value. When the client initiates a ping, it must use an odd numbered
ID. When the server initiates a ping, it must use an even numbered ID. When the server initiates a ping, it must use an even numbered
ping. Use of odd/even IDs is required in order to avoid accidental ping. Use of odd/even IDs is required in order to avoid accidental
looping on PINGs (where each side initiates an identical PING at the looping on PINGs (where each side initiates an identical PING at the
same time). same time).
Note: If a sender uses all possible PING ids (e.g. has sent all 2^31 Note: If a sender uses all possible PING ids (e.g. has sent all 2^31
possible IDs), it can wrap and start re-using IDs. possible IDs), it can wrap and start re-using IDs.
If a server receives an even numbered PING which it did not initiate, If a server receives an even numbered PING which it did not initiate,
it must ignore the PING. If a client receives an odd numbered PING it must ignore the PING. If a client receives an odd numbered PING
which it did not initiate, it must ignore the PING. which it did not initiate, it must ignore the PING.
2.6.6. GOAWAY 3.6.6. GOAWAY
The GOAWAY control frame is a mechanism to tell the remote side of The GOAWAY control frame is a mechanism to tell the remote side of
the connection to stop creating streams on this session. It can be the connection to stop creating streams on this session. It can be
sent from the client or the server. Once sent, the sender will not sent from the client or the server. Once sent, the sender will not
respond to any new SYN_STREAMs on this session. Recipients of a respond to any new SYN_STREAMs on this session. Recipients of a
GOAWAY frame must not send additional streams on this session, GOAWAY frame must not send additional streams on this session,
although a new session can be established for new streams. The although a new session can be established for new streams. The
purpose of this message is to allow an endpoint to gracefully stop purpose of this message is to allow an endpoint to gracefully stop
accepting new streams (perhaps for a reboot or maintenance), while accepting new streams (perhaps for a reboot or maintenance), while
still finishing processing of previously established streams. still finishing processing of previously established streams.
skipping to change at page 21, line 8 skipping to change at page 25, line 17
+----------------------------------+ +----------------------------------+
| 0 (flags) | 8 (length) | | 0 (flags) | 8 (length) |
+----------------------------------| +----------------------------------|
|X| Last-good-stream-ID (31 bits) | |X| Last-good-stream-ID (31 bits) |
+----------------------------------+ +----------------------------------+
| Status code | | Status code |
+----------------------------------+ +----------------------------------+
Control bit: The control bit is always 1 for this message. Control bit: The control bit is always 1 for this message.
Version: The SPDY version number. Version: The HTTP/2.0 version number.
Type: The message type for a GOAWAY message is 7. Type: The message type for a GOAWAY message is 7.
Length: This frame is always 8 bytes long. Length: This frame is always 8 bytes long.
Last-good-stream-Id: The last stream id which was replied to (with Last-good-stream-Id: The last stream id which was replied to (with
either a SYN_REPLY or RST_STREAM) by the sender of the GOAWAY either a SYN_REPLY or RST_STREAM) by the sender of the GOAWAY
message. If no streams were replied to, this value MUST be 0. message. If no streams were replied to, this value MUST be 0.
Status: The reason for closing the session. Status: The reason for closing the session.
0 - OK. This is a normal session teardown. 0 - OK. This is a normal session teardown.
1 - PROTOCOL_ERROR. This is a generic error, and should only be 1 - PROTOCOL_ERROR. This is a generic error, and should only be
used if a more specific error is not available. used if a more specific error is not available.
11 - INTERNAL_ERROR. This is a generic error which can be used 2 - INTERNAL_ERROR. This is a generic error which can be used
when the implementation has internally failed, not due to anything when the implementation has internally failed, not due to anything
in the protocol. in the protocol.
2.6.7. HEADERS 3.6.7. HEADERS
The HEADERS frame augments a stream with additional headers. It may The HEADERS frame augments a stream with additional headers. It may
be optionally sent on an existing stream at any time. Specific be optionally sent on an existing stream at any time. Specific
application of the headers in this frame is application-dependent. application of the headers in this frame is application-dependent.
The name/value header block within this frame is compressed. The name/value header block within this frame is compressed.
+------------------------------------+ +------------------------------------+
|1| version | 8 | |1| version | 8 |
+------------------------------------+ +------------------------------------+
| Flags (8) | Length (24 bits) | | Flags (8) | Length (24 bits) |
skipping to change at page 22, line 28 skipping to change at page 26, line 28
| Length of value (int32) | | | Length of value (int32) | |
+------------------------------------+ | +------------------------------------+ |
| Value (string) | | | Value (string) | |
+------------------------------------+ | +------------------------------------+ |
| (repeats) | <+ | (repeats) | <+
Flags: Flags related to this frame. Valid flags are: Flags: Flags related to this frame. Valid flags are:
0x01 = FLAG_FIN - marks this frame as the last frame to be 0x01 = FLAG_FIN - marks this frame as the last frame to be
transmitted on this stream and puts the sender in the half-closed transmitted on this stream and puts the sender in the half-closed
(Section 2.3.6) state. (Section 3.3.6) state.
Length: An unsigned 24 bit value representing the number of bytes Length: An unsigned 24 bit value representing the number of bytes
after the length field. The minimum length of the length field is 4 after the length field. The minimum length of the length field is 4
(when the number of name value pairs is 0). (when the number of name value pairs is 0).
Stream-ID: The stream this HEADERS block is associated with. Stream-ID: The stream this HEADERS block is associated with.
Name/Value Header Block: A set of name/value pairs carried as part of Name/Value Header Block: A set of name/value pairs carried as part of
the SYN_STREAM. see Name/Value Header Block (Section 2.6.10). the SYN_STREAM. see Name/Value Header Block (Section 3.6.10).
2.6.8. WINDOW_UPDATE 3.6.8. WINDOW_UPDATE
The WINDOW_UPDATE control frame is used to implement per stream flow The WINDOW_UPDATE control frame is used to implement per stream flow
control in SPDY. Flow control in SPDY is per hop, that is, only control in HTTP/2.0. Flow control in HTTP/2.0 is per hop, that is,
between the two endpoints of a SPDY connection. If there are one or only between the two endpoints of a HTTP/2.0 connection. If there
more intermediaries between the client and the origin server, flow are one or more intermediaries between the client and the origin
control signals are not explicitly forwarded by the intermediaries. server, flow control signals are not explicitly forwarded by the
(However, throttling of data transfer by any recipient may have the intermediaries. (However, throttling of data transfer by any
effect of indirectly propagating flow control information upstream recipient may have the effect of indirectly propagating flow control
back to the original sender.) Flow control only applies to the data information upstream back to the original sender.) Flow control only
portion of data frames. Recipients must buffer all control frames. applies to the data portion of data frames. Recipients must buffer
If a recipient fails to buffer an entire control frame, it MUST issue all control frames. If a recipient fails to buffer an entire control
a stream error (Section 2.4.2) with the status code frame, it MUST issue a stream error (Section 3.4.2) with the status
FLOW_CONTROL_ERROR for the stream. code FLOW_CONTROL_ERROR for the stream.
Flow control in SPDY is implemented by a data transfer window kept by Flow control in HTTP/2.0 is implemented by a data transfer window
the sender of each stream. The data transfer window is a simple kept by the sender of each stream. The data transfer window is a
uint32 that indicates how many bytes of data the sender can transmit. simple uint32 that indicates how many bytes of data the sender can
After a stream is created, but before any data frames have been transmit. After a stream is created, but before any data frames have
transmitted, the sender begins with the initial window size. This been transmitted, the sender begins with the initial window size.
window size is a measure of the buffering capability of the This window size is a measure of the buffering capability of the
recipient. The sender must not send a data frame with data length recipient. The sender must not send a data frame with data length
greater than the transfer window size. After sending each data greater than the transfer window size. After sending each data
frame, the sender decrements its transfer window size by the amount frame, the sender decrements its transfer window size by the amount
of data transmitted. When the window size becomes less than or equal of data transmitted. When the window size becomes less than or equal
to 0, the sender must pause transmitting data frames. At the other to 0, the sender must pause transmitting data frames. At the other
end of the stream, the recipient sends a WINDOW_UPDATE control back end of the stream, the recipient sends a WINDOW_UPDATE control back
to notify the sender that it has consumed some data and freed up to notify the sender that it has consumed some data and freed up
buffer space to receive more data. buffer space to receive more data.
+----------------------------------+ +----------------------------------+
skipping to change at page 23, line 32 skipping to change at page 27, line 32
+----------------------------------+ +----------------------------------+
| 0 (flags) | 8 (length) | | 0 (flags) | 8 (length) |
+----------------------------------+ +----------------------------------+
|X| Stream-ID (31-bits) | |X| Stream-ID (31-bits) |
+----------------------------------+ +----------------------------------+
|X| Delta-Window-Size (31-bits) | |X| Delta-Window-Size (31-bits) |
+----------------------------------+ +----------------------------------+
Control bit: The control bit is always 1 for this message. Control bit: The control bit is always 1 for this message.
Version: The SPDY version number. Version: The HTTP/2.0 version number.
Type: The message type for a WINDOW_UPDATE message is 9. Type: The message type for a WINDOW_UPDATE message is 9.
Length: The length field is always 8 for this frame (there are 8 Length: The length field is always 8 for this frame (there are 8
bytes after the length field). bytes after the length field).
Stream-ID: The stream ID that this WINDOW_UPDATE control frame is Stream-ID: The stream ID that this WINDOW_UPDATE control frame is
for. for.
Delta-Window-Size: The additional number of bytes that the sender can Delta-Window-Size: The additional number of bytes that the sender can
transmit in addition to existing remaining window size. The legal transmit in addition to existing remaining window size. The legal
range for this field is 1 to 2^31 - 1 (0x7fffffff) bytes. range for this field is 1 to 2^31 - 1 (0x7fffffff) bytes.
The window size as kept by the sender must never exceed 2^31 The window size as kept by the sender must never exceed 2^31
(although it can become negative in one special case). If a sender (although it can become negative in one special case). If a sender
receives a WINDOW_UPDATE that causes the its window size to exceed receives a WINDOW_UPDATE that causes the its window size to exceed
this limit, it must send RST_STREAM with status code this limit, it must send RST_STREAM with status code
FLOW_CONTROL_ERROR to terminate the stream. FLOW_CONTROL_ERROR to terminate the stream.
When a SPDY connection is first established, the default initial When a HTTP/2.0 connection is first established, the default initial
window size for all streams is 64KB. An endpoint can use the window size for all streams is 64KB. An endpoint can use the
SETTINGS control frame to adjust the initial window size for the SETTINGS control frame to adjust the initial window size for the
connection. That is, its peer can start out using the 64KB default connection. That is, its peer can start out using the 64KB default
initial window size when sending data frames before receiving the initial window size when sending data frames before receiving the
SETTINGS. Because SETTINGS is asynchronous, there may be a race SETTINGS. Because SETTINGS is asynchronous, there may be a race
condition if the recipient wants to decrease the initial window size, condition if the recipient wants to decrease the initial window size,
but its peer immediately sends 64KB on the creation of a new but its peer immediately sends 64KB on the creation of a new
connection, before waiting for the SETTINGS to arrive. This is one connection, before waiting for the SETTINGS to arrive. This is one
case where the window size kept by the sender will become negative. case where the window size kept by the sender will become negative.
Once the sender detects this condition, it must stop sending data Once the sender detects this condition, it must stop sending data
skipping to change at page 24, line 45 skipping to change at page 28, line 45
the end of the data stream, it should not send WINDOW_UPDATE frames the end of the data stream, it should not send WINDOW_UPDATE frames
as it consumes the last data frame. A sender should ignore all the as it consumes the last data frame. A sender should ignore all the
WINDOW_UPDATE frames associated with the stream after it send the WINDOW_UPDATE frames associated with the stream after it send the
last frame for the stream. last frame for the stream.
The data frames from the sender and the WINDOW_UPDATE frames from the The data frames from the sender and the WINDOW_UPDATE frames from the
recipient are completely asynchronous with respect to each other. recipient are completely asynchronous with respect to each other.
This property allows a recipient to aggressively update the window This property allows a recipient to aggressively update the window
size kept by the sender to prevent the stream from stalling. size kept by the sender to prevent the stream from stalling.
2.6.9. CREDENTIAL 3.6.9. CREDENTIAL
The CREDENTIAL control frame is used by the client to send additional The CREDENTIAL control frame is used by the client to send additional
client certificates to the server. A SPDY client may decide to send client certificates to the server. A HTTP/2.0 client may decide to
requests for resources from different origins on the same SPDY send requests for resources from different origins on the same
session if it decides that that server handles both origins. For HTTP/2.0 session if it decides that that server handles both origins.
example if the IP address associated with both hostnames matches and For example if the IP address associated with both hostnames matches
the SSL server certificate presented in the initial handshake is and the SSL server certificate presented in the initial handshake is
valid for both hostnames. However, because the SSL connection can valid for both hostnames. However, because the SSL connection can
contain at most one client certificate, the client needs a mechanism contain at most one client certificate, the client needs a mechanism
to send additional client certificates to the server. to send additional client certificates to the server.
The server is required to maintain a vector of client certificates The server is required to maintain a vector of client certificates
associated with a SPDY session. When the client needs to send a associated with a HTTP/2.0 session. When the client needs to send a
client certificate to the server, it will send a CREDENTIAL frame client certificate to the server, it will send a CREDENTIAL frame
that specifies the index of the slot in which to store the that specifies the index of the slot in which to store the
certificate as well as proof that the client posesses the certificate as well as proof that the client posesses the
corresponding private key. The initial size of this vector must be corresponding private key. The initial size of this vector must be
8. If the client provides a client certificate during the first TLS 8. If the client provides a client certificate during the first TLS
handshake, the contents of this certificate must be copied into the handshake, the contents of this certificate must be copied into the
first slot (index 1) in the CREDENTIAL vector, though it may be first slot (index 1) in the CREDENTIAL vector, though it may be
overwritten by subsequent CREDENTIAL frames. The server must overwritten by subsequent CREDENTIAL frames. The server must
exclusively use the CREDNETIAL vector when evaluating the client exclusively use the CREDENTIAL vector when evaluating the client
certificates associated with an origin. The server may change the certificates associated with an origin. The server may change the
size of this vector by sending a SETTINGS frame with the setting size of this vector by sending a SETTINGS frame with the setting
SETTINGS_CLIENT_CERTIFICATE_VECTOR_SIZE value specified. In the SETTINGS_CLIENT_CERTIFICATE_VECTOR_SIZE value specified. In the
event that the new size is smaller than the current size, truncation event that the new size is smaller than the current size, truncation
occurs preserving lower-index slots as possible. occurs preserving lower-index slots as possible.
TLS renegotiation with client authentication is incompatible with TLS renegotiation with client authentication is incompatible with
SPDY given the multiplexed nature of SPDY. Specifically, imagine HTTP/2.0 given the multiplexed nature of HTTP/2.0. Specifically,
that the client has 2 requests outstanding to the server for two imagine that the client has 2 requests outstanding to the server for
different pages (in different tabs). When the renegotiation + client two different pages (in different tabs). When the renegotiation +
certificate request comes in, the browser is unable to determine client certificate request comes in, the browser is unable to
which resource triggered the client certificate request, in order to determine which resource triggered the client certificate request, in
prompt the user accordingly. order to prompt the user accordingly.
+----------------------------------+ +----------------------------------+
|1|000000000000001|0000000000001011| |1|000000000000001|0000000000001011|
+----------------------------------+ +----------------------------------+
| flags (8) | Length (24 bits) | | flags (8) | Length (24 bits) |
+----------------------------------+ +----------------------------------+
| Slot (16 bits) | | | Slot (16 bits) | |
+-----------------+ | +-----------------+ |
| Proof Length (32 bits) | | Proof Length (32 bits) |
+----------------------------------+ +----------------------------------+
skipping to change at page 26, line 16 skipping to change at page 30, line 16
Proof: Cryptographic proof that the client has possession of the Proof: Cryptographic proof that the client has possession of the
private key associated with the certificate. The format is a TLS private key associated with the certificate. The format is a TLS
digitally-signed element ([RFC5246], Section 4.7). The signature digitally-signed element ([RFC5246], Section 4.7). The signature
algorithm must be the same as that used in the CertificateVerify algorithm must be the same as that used in the CertificateVerify
message. However, since the MD5+SHA1 signature type used in TLS 1.0 message. However, since the MD5+SHA1 signature type used in TLS 1.0
connections can not be correctly encoded in a digitally-signed connections can not be correctly encoded in a digitally-signed
element, SHA1 must be used when MD5+SHA1 was used in the SSL element, SHA1 must be used when MD5+SHA1 was used in the SSL
connection. The signature is calculated over a 32 byte TLS extractor connection. The signature is calculated over a 32 byte TLS extractor
value (http://tools.ietf.org/html/rfc5705) with a label of "EXPORTER value (http://tools.ietf.org/html/rfc5705) with a label of "EXPORTER
SPDY certificate proof" using the empty string as context. ForRSA HTTP/2.0 certificate proof" using the empty string as context.
certificates the signature would be a PKCS#1 v1.5 signature. For ForRSA certificates the signature would be a PKCS#1 v1.5 signature.
ECDSA, it would be an ECDSA-Sig-Value For ECDSA, it would be an ECDSA-Sig-Value
(http://tools.ietf.org/html/rfc5480#appendix-A). For a 1024-bit RSA (http://tools.ietf.org/html/rfc5480#appendix-A). For a 1024-bit RSA
key, the CREDENTIAL message would be ~500 bytes. key, the CREDENTIAL message would be ~500 bytes.
Certificate: The certificate chain, starting with the leaf Certificate: The certificate chain, starting with the leaf
certificate. Each certificate must be encoded as a 32 bit length, certificate. Each certificate must be encoded as a 32 bit length,
followed by a DER encoded certificate. The certificate must be of followed by a DER encoded certificate. The certificate must be of
the same type (RSA, ECDSA, etc) as the client certificate associated the same type (RSA, ECDSA, etc) as the client certificate associated
with the SSL connection. with the SSL connection.
If the server receives a request for a resource with unacceptable If the server receives a request for a resource with unacceptable
credential (either missing or invalid), it must reply with a credential (either missing or invalid), it must reply with a
RST_STREAM frame with the status code INVALID_CREDENTIALS. Upon RST_STREAM frame with the status code INVALID_CREDENTIALS. Upon
receipt of a RST_STREAM frame with INVALID_CREDENTIALS, the client receipt of a RST_STREAM frame with INVALID_CREDENTIALS, the client
should initiate a new stream directly to the requested origin and should initiate a new stream directly to the requested origin and
resend the request. Note, SPDY does not allow the server to request resend the request. Note, HTTP/2.0 does not allow the server to
different client authentication for different resources in the same request different client authentication for different resources in
origin. the same origin.
If the server receives an invalid CREDENTIAL frame, it MUST respond If the server receives an invalid CREDENTIAL frame, it MUST respond
with a GOAWAY frame and shutdown the session. with a GOAWAY frame and shutdown the session.
2.6.10. Name/Value Header Block 3.6.10. Name/Value Header Block
The Name/Value Header Block is found in the SYN_STREAM, SYN_REPLY and The Name/Value Header Block is found in the SYN_STREAM, SYN_REPLY and
HEADERS control frames, and shares a common format: HEADERS control frames, and shares a common format:
+------------------------------------+ +------------------------------------+
| Number of Name/Value pairs (int32) | | Number of Name/Value pairs (int32) |
+------------------------------------+ +------------------------------------+
| Length of name (int32) | | Length of name (int32) |
+------------------------------------+ +------------------------------------+
| Name (string) | | Name (string) |
skipping to change at page 27, line 25 skipping to change at page 31, line 25
+------------------------------------+ +------------------------------------+
| (repeats) | | (repeats) |
Number of Name/Value pairs: The number of repeating name/value pairs Number of Name/Value pairs: The number of repeating name/value pairs
following this field. following this field.
List of Name/Value pairs: List of Name/Value pairs:
Length of Name: a 32-bit value containing the number of octets in Length of Name: a 32-bit value containing the number of octets in
the name field. Note that in practice, this length must not the name field. Note that in practice, this length must not
exceed 2^24, as that is the maximum size of a SPDY frame. exceed 2^24, as that is the maximum size of a HTTP/2.0 frame.
Name: 0 or more octets, 8-bit sequences of data, excluding 0. Name: 0 or more octets, 8-bit sequences of data, excluding 0.
Length of Value: a 32-bit value containing the number of octets in Length of Value: a 32-bit value containing the number of octets in
the value field. Note that in practice, this length must not the value field. Note that in practice, this length must not
exceed 2^24, as that is the maximum size of a SPDY frame. exceed 2^24, as that is the maximum size of a HTTP/2.0 frame.
Value: 0 or more octets, 8-bit sequences of data, excluding 0. Value: 0 or more octets, 8-bit sequences of data, excluding 0.
Each header name must have at least one value. Header names are Each header name must have at least one value. Header names are
encoded using the US-ASCII character set [ASCII] and must be all encoded using the US-ASCII character set [ASCII] and must be all
lower case. The length of each name must be greater than zero. A lower case. The length of each name must be greater than zero. A
recipient of a zero-length name MUST issue a stream error recipient of a zero-length name MUST issue a stream error
(Section 2.4.2) with the status code PROTOCOL_ERROR for the (Section 3.4.2) with the status code PROTOCOL_ERROR for the
stream-id. stream-id.
Duplicate header names are not allowed. To send two identically Duplicate header names are not allowed. To send two identically
named headers, send a header with two values, where the values are named headers, send a header with two values, where the values are
separated by a single NUL (0) byte. A header value can either be separated by a single NUL (0) byte. A header value can either be
empty (e.g. the length is zero) or it can contain multiple, NUL- empty (e.g. the length is zero) or it can contain multiple, NUL-
separated values, each with length greater than zero. The value separated values, each with length greater than zero. The value
never starts nor ends with a NUL character. Recipients of illegal never starts nor ends with a NUL character. Recipients of illegal
value fields MUST issue a stream error (Section 2.4.2) with the value fields MUST issue a stream error (Section 3.4.2) with the
status code PROTOCOL_ERROR for the stream-id. status code PROTOCOL_ERROR for the stream-id.
2.6.10.1. Compression 3.6.10.1. Compression
The Name/Value Header Block is a section of the SYN_STREAM, The Name/Value Header Block is a section of the SYN_STREAM,
SYN_REPLY, and HEADERS frames used to carry header meta-data. This SYN_REPLY, and HEADERS frames used to carry header meta-data. This
block is always compressed using zlib compression. Within this block is always compressed using zlib compression. Within this
specification, any reference to 'zlib' is referring to the ZLIB specification, any reference to 'zlib' is referring to the ZLIB
Compressed Data Format Specification Version 3.3 as part of RFC1950. Compressed Data Format Specification Version 3.3 as part of RFC1950.
[RFC1950] [RFC1950]
For each HEADERS compression instance, the initial state is For each HEADERS compression instance, the initial state is
initialized using the following dictionary [UDELCOMPRESSION]: initialized using the following dictionary [UDELCOMPRESSION]:
<CODE BEGINS> <CODE BEGINS>
const unsigned char SPDY_dictionary_txt[] = { const unsigned char http2_dictionary_txt[] = {
0x00, 0x00, 0x00, 0x07, 0x6f, 0x70, 0x74, 0x69, \\ - - - - o p t i 0x00, 0x00, 0x00, 0x07, 0x6f, 0x70, 0x74, 0x69, \\ - - - - o p t i
0x6f, 0x6e, 0x73, 0x00, 0x00, 0x00, 0x04, 0x68, \\ o n s - - - - h 0x6f, 0x6e, 0x73, 0x00, 0x00, 0x00, 0x04, 0x68, \\ o n s - - - - h
0x65, 0x61, 0x64, 0x00, 0x00, 0x00, 0x04, 0x70, \\ e a d - - - - p 0x65, 0x61, 0x64, 0x00, 0x00, 0x00, 0x04, 0x70, \\ e a d - - - - p
0x6f, 0x73, 0x74, 0x00, 0x00, 0x00, 0x03, 0x70, \\ o s t - - - - p 0x6f, 0x73, 0x74, 0x00, 0x00, 0x00, 0x03, 0x70, \\ o s t - - - - p
0x75, 0x74, 0x00, 0x00, 0x00, 0x06, 0x64, 0x65, \\ u t - - - - d e 0x75, 0x74, 0x00, 0x00, 0x00, 0x06, 0x64, 0x65, \\ u t - - - - d e
0x6c, 0x65, 0x74, 0x65, 0x00, 0x00, 0x00, 0x05, \\ l e t e - - - - 0x6c, 0x65, 0x74, 0x65, 0x00, 0x00, 0x00, 0x05, \\ l e t e - - - -
0x74, 0x72, 0x61, 0x63, 0x65, 0x00, 0x00, 0x00, \\ t r a c e - - - 0x74, 0x72, 0x61, 0x63, 0x65, 0x00, 0x00, 0x00, \\ t r a c e - - -
0x06, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x00, \\ - a c c e p t - 0x06, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x00, \\ - a c c e p t -
0x00, 0x00, 0x0e, 0x61, 0x63, 0x63, 0x65, 0x70, \\ - - - a c c e p 0x00, 0x00, 0x0e, 0x61, 0x63, 0x63, 0x65, 0x70, \\ - - - a c c e p
0x74, 0x2d, 0x63, 0x68, 0x61, 0x72, 0x73, 0x65, \\ t - c h a r s e 0x74, 0x2d, 0x63, 0x68, 0x61, 0x72, 0x73, 0x65, \\ t - c h a r s e
skipping to change at page 32, line 11 skipping to change at page 36, line 11
0x68, 0x61, 0x72, 0x73, 0x65, 0x74, 0x3d, 0x69, \\ h a r s e t - i 0x68, 0x61, 0x72, 0x73, 0x65, 0x74, 0x3d, 0x69, \\ h a r s e t - i
0x73, 0x6f, 0x2d, 0x38, 0x38, 0x35, 0x39, 0x2d, \\ s o - 8 8 5 9 - 0x73, 0x6f, 0x2d, 0x38, 0x38, 0x35, 0x39, 0x2d, \\ s o - 8 8 5 9 -
0x31, 0x2c, 0x75, 0x74, 0x66, 0x2d, 0x2c, 0x2a, \\ 1 - u t f - - - 0x31, 0x2c, 0x75, 0x74, 0x66, 0x2d, 0x2c, 0x2a, \\ 1 - u t f - - -
0x2c, 0x65, 0x6e, 0x71, 0x3d, 0x30, 0x2e \\ - e n q - 0 - 0x2c, 0x65, 0x6e, 0x71, 0x3d, 0x30, 0x2e \\ - e n q - 0 -
}; };
<CODE ENDS> <CODE ENDS>
The entire contents of the name/value header block is compressed The entire contents of the name/value header block is compressed
using zlib. There is a single zlib stream for all name value pairs using zlib. There is a single zlib stream for all name value pairs
in one direction on a connection. SPDY uses a SYNC_FLUSH between in one direction on a connection. HTTP/2.0 uses a SYNC_FLUSH between
each compressed frame. each compressed frame.
Implementation notes: the compression engine can be tuned to favor Implementation notes: the compression engine can be tuned to favor
speed or size. Optimizing for size increases memory use and CPU speed or size. Optimizing for size increases memory use and CPU
consumption. Because header blocks are generally small, implementors consumption. Because header blocks are generally small, implementors
may want to reduce the window-size of the compression engine from the may want to reduce the window-size of the compression engine from the
default 15bits (a 32KB window) to more like 11bits (a 2KB window). default 15bits (a 32KB window) to more like 11bits (a 2KB window).
The exact setting is chosen by the compressor, the decompressor will The exact setting is chosen by the compressor, the decompressor will
work with any setting. work with any setting.
3. HTTP Layering over SPDY 4. HTTP Layering over HTTP/2.0
SPDY is intended to be as compatible as possible with current web- HTTP/2.0 is intended to be as compatible as possible with current
based applications. This means that, from the perspective of the web-based applications. This means that, from the perspective of the
server business logic or application API, the features of HTTP are server business logic or application API, the features of HTTP are
unchanged. To achieve this, all of the application request and unchanged. To achieve this, all of the application request and
response header semantics are preserved, although the syntax of response header semantics are preserved, although the syntax of
conveying those semantics has changed. Thus, the rules from the conveying those semantics has changed. Thus, the rules from the
HTTP/1.1 specification in RFC2616 [RFC2616] apply with the changes in HTTP/1.1 specification in RFC2616 [RFC2616] apply with the changes in
the sections below. the sections below.
3.1. Connection Management 4.1. Connection Management
Clients SHOULD NOT open more than one SPDY session to a given origin Clients SHOULD NOT open more than one HTTP/2.0 session to a given
[RFC6454] concurrently. origin [RFC6454] concurrently.
Note that it is possible for one SPDY session to be finishing (e.g. a Note that it is possible for one HTTP/2.0 session to be finishing
GOAWAY message has been sent, but not all streams have finished), (e.g. a GOAWAY message has been sent, but not all streams have
while another SPDY session is starting. finished), while another HTTP/2.0 session is starting.
3.1.1. Use of GOAWAY 4.1.1. Use of GOAWAY
SPDY provides a GOAWAY message which can be used when closing a HTTP/2.0 provides a GOAWAY message which can be used when closing a
connection from either the client or server. Without a server GOAWAY connection from either the client or server. Without a server GOAWAY
message, HTTP has a race condition where the client sends a request message, HTTP has a race condition where the client sends a request
(a new SYN_STREAM) just as the server is closing the connection, and (a new SYN_STREAM) just as the server is closing the connection, and
the client cannot know if the server received the stream or not. By the client cannot know if the server received the stream or not. By
using the last-stream-id in the GOAWAY, servers can indicate to the using the last-stream-id in the GOAWAY, servers can indicate to the
client if a request was processed or not. client if a request was processed or not.
Note that some servers will choose to send the GOAWAY and immediately Note that some servers will choose to send the GOAWAY and immediately
terminate the connection without waiting for active streams to terminate the connection without waiting for active streams to
finish. The client will be able to determine this because SPDY finish. The client will be able to determine this because HTTP/2.0
streams are determinstically closed. This abrupt termination will streams are determinstically closed. This abrupt termination will
force the client to heuristically decide whether to retry the pending force the client to heuristically decide whether to retry the pending
requests. Clients always need to be capable of dealing with this requests. Clients always need to be capable of dealing with this
case because they must deal with accidental connection termination case because they must deal with accidental connection termination
cases, which are the same as the server never having sent a GOAWAY. cases, which are the same as the server never having sent a GOAWAY.
More sophisticated servers will use GOAWAY to implement a graceful More sophisticated servers will use GOAWAY to implement a graceful
teardown. They will send the GOAWAY and provide some time for the teardown. They will send the GOAWAY and provide some time for the
active streams to finish before terminating the connection. active streams to finish before terminating the connection.
If a SPDY client closes the connection, it should also send a GOAWAY If a HTTP/2.0 client closes the connection, it should also send a
message. This allows the server to know if any server-push streams GOAWAY message. This allows the server to know if any server-push
were received by the client. streams were received by the client.
If the endpoint closing the connection has not received any If the endpoint closing the connection has not received any
SYN_STREAMs from the remote, the GOAWAY will contain a last-stream-id SYN_STREAMs from the remote, the GOAWAY will contain a last-stream-id
of 0. of 0.
3.2. HTTP Request/Response 4.2. HTTP Request/Response
3.2.1. Request 4.2.1. Request
The client initiates a request by sending a SYN_STREAM frame. For The client initiates a request by sending a SYN_STREAM frame. For
requests which do not contain a body, the SYN_STREAM frame MUST set requests which do not contain a body, the SYN_STREAM frame MUST set
the FLAG_FIN, indicating that the client intends to send no further the FLAG_FIN, indicating that the client intends to send no further
data on this stream. For requests which do contain a body, the data on this stream. For requests which do contain a body, the
SYN_STREAM will not contain the FLAG_FIN, and the body will follow SYN_STREAM will not contain the FLAG_FIN, and the body will follow
the SYN_STREAM in a series of DATA frames. The last DATA frame will the SYN_STREAM in a series of DATA frames. The last DATA frame will
set the FLAG_FIN to indicate the end of the body. set the FLAG_FIN to indicate the end of the body.
The SYN_STREAM Name/Value section will contain all of the HTTP The SYN_STREAM Name/Value section will contain all of the HTTP
headers which are associated with an HTTP request. The header block headers which are associated with an HTTP request. The header block
in SPDY is mostly unchanged from today's HTTP header block, with the in HTTP/2.0 is mostly unchanged from today's HTTP header block, with
following differences: the following differences:
The first line of the request is unfolded into name/value pairs The first line of the request is unfolded into name/value pairs
like other HTTP headers and MUST be present: like other HTTP headers and MUST be present:
":method" - the HTTP method for this request (e.g. "GET", ":method" - the HTTP method for this request (e.g. "GET",
"POST", "HEAD", etc) "POST", "HEAD", etc)
":path" - the url-path for this url with "/" prefixed. (See ":path" - the url-path for this url with "/" prefixed. (See
RFC1738 [RFC1738]). For example, for RFC1738 [RFC1738]). For example, for
"http://www.google.com/search?q=dogs" the path would be "http://www.google.com/search?q=dogs" the path would be
skipping to change at page 34, line 37 skipping to change at page 38, line 37
If a server receives a request where the sum of the data frame If a server receives a request where the sum of the data frame
payload lengths does not equal the size of the Content-Length payload lengths does not equal the size of the Content-Length
header, the server MUST return a 400 (Bad Request) error. header, the server MUST return a 400 (Bad Request) error.
POST-specific changes: POST-specific changes:
Although POSTs are inherently chunked, POST requests SHOULD Although POSTs are inherently chunked, POST requests SHOULD
also be accompanied by a Content-Length header. There are two also be accompanied by a Content-Length header. There are two
reasons for this: First, it assists with upload progress meters reasons for this: First, it assists with upload progress meters
for an improved user experience. But second, we know from for an improved user experience. But second, we know from
early versions of SPDY that failure to send a content length early versions of HTTP/2.0 that failure to send a content
header is incompatible with many existing HTTP server length header is incompatible with many existing HTTP server
implementations. Existing user-agents do not omit the Content- implementations. Existing user-agents do not omit the Content-
Length header, and server implementations have come to depend Length header, and server implementations have come to depend
upon this. upon this.
The user-agent is free to prioritize requests as it sees fit. If the The user-agent is free to prioritize requests as it sees fit. If the
user-agent cannot make progress without receiving a resource, it user-agent cannot make progress without receiving a resource, it
should attempt to raise the priority of that resource. Resources should attempt to raise the priority of that resource. Resources
such as images, SHOULD generally use the lowest priority. such as images, SHOULD generally use the lowest priority.
If a client sends a SYN_STREAM without all of the method, host, path, If a client sends a SYN_STREAM without all of the method, host, path,
scheme, and version headers, the server MUST reply with a HTTP 400 scheme, and version headers, the server MUST reply with a HTTP 400
Bad Request reply. Bad Request reply.
3.2.2. Response 4.2.2. Response
The server responds to a client request with a SYN_REPLY frame. The server responds to a client request with a SYN_REPLY frame.
Symmetric to the client's upload stream, server will send data after Symmetric to the client's upload stream, server will send data after
the SYN_REPLY frame via a series of DATA frames, and the last data the SYN_REPLY frame via a series of DATA frames, and the last data
frame will contain the FLAG_FIN to indicate successful end-of-stream. frame will contain the FLAG_FIN to indicate successful end-of-stream.
If a response (like a 202 or 204 response) contains no body, the If a response (like a 202 or 204 response) contains no body, the
SYN_REPLY frame may contain the FLAG_FIN flag to indicate no further SYN_REPLY frame may contain the FLAG_FIN flag to indicate no further
data will be sent on the stream. data will be sent on the stream.
The response status line is unfolded into name/value pairs like The response status line is unfolded into name/value pairs like
skipping to change at page 35, line 39 skipping to change at page 39, line 39
advisory purposes. (e.g. for UI progress meters) advisory purposes. (e.g. for UI progress meters)
If a client receives a response where the sum of the data frame If a client receives a response where the sum of the data frame
payload lengths does not equal the size of the Content-Length payload lengths does not equal the size of the Content-Length
header, the client MUST ignore the content length header. header, the client MUST ignore the content length header.
If a client receives a SYN_REPLY without a status or without a If a client receives a SYN_REPLY without a status or without a
version header, the client must reply with a RST_STREAM frame version header, the client must reply with a RST_STREAM frame
indicating a PROTOCOL ERROR. indicating a PROTOCOL ERROR.
3.2.3. Authentication 4.2.3. Authentication
When a client sends a request to an origin server that requires When a client sends a request to an origin server that requires
authentication, the server can reply with a "401 Unauthorized" authentication, the server can reply with a "401 Unauthorized"
response, and include a WWW-Authenticate challenge header that response, and include a WWW-Authenticate challenge header that
defines the authentication scheme to be used. The client then defines the authentication scheme to be used. The client then
retries the request with an Authorization header appropriate to the retries the request with an Authorization header appropriate to the
specified authentication scheme. specified authentication scheme.
There are four options for proxy authentication, Basic, Digest, NTLM There are four options for proxy authentication, Basic, Digest, NTLM
and Negotiate (SPNEGO). The first two options were defined in and Negotiate (SPNEGO). The first two options were defined in
RFC2617 [RFC2617], and are stateless. The second two options were RFC2617 [RFC2617], and are stateless. The second two options were
developed by Microsoft and specified in RFC4559 [RFC4559], and are developed by Microsoft and specified in RFC4559 [RFC4559], and are
stateful; otherwise known as multi-round authentication, or stateful; otherwise known as multi-round authentication, or
connection authentication. connection authentication.
3.2.3.1. Stateless Authentication 4.2.3.1. Stateless Authentication
Stateless Authentication over SPDY is identical to how it is Stateless Authentication over HTTP/2.0 is identical to how it is
performed over HTTP. If multiple SPDY streams are concurrently sent performed over HTTP. If multiple HTTP/2.0 streams are concurrently
to a single server, each will authenticate independently, similar to sent to a single server, each will authenticate independently,
how two HTTP connections would independently authenticate to a proxy similar to how two HTTP connections would independently authenticate
server. to a proxy server.
3.2.3.2. Stateful Authentication 4.2.3.2. Stateful Authentication
Unfortunately, the stateful authentication mechanisms were Unfortunately, the stateful authentication mechanisms were
implemented and defined in a such a way that directly violates implemented and defined in a such a way that directly violates
RFC2617 - they do not include a "realm" as part of the request. This RFC2617 - they do not include a "realm" as part of the request. This
is problematic in SPDY because it makes it impossible for a client to is problematic in HTTP/2.0 because it makes it impossible for a
disambiguate two concurrent server authentication challenges. client to disambiguate two concurrent server authentication
challenges.
To deal with this case, SPDY servers using Stateful Authentication To deal with this case, HTTP/2.0 servers using Stateful
MUST implement one of two changes: Authentication MUST implement one of two changes:
Servers can add a "realm=<desired realm>" header so that the two Servers can add a "realm=<desired realm>" header so that the two
authentication requests can be disambiguated and run concurrently. authentication requests can be disambiguated and run concurrently.
Unfortunately, given how these mechanisms work, this is probably Unfortunately, given how these mechanisms work, this is probably
not practical. not practical.
Upon sending the first stateful challenge response, the server Upon sending the first stateful challenge response, the server
MUST buffer and defer all further frames which are not part of MUST buffer and defer all further frames which are not part of
completing the challenge until the challenge has completed. completing the challenge until the challenge has completed.
Completing the authentication challenge may take multiple round Completing the authentication challenge may take multiple round
trips. Once the client receives a "401 Authenticate" response for trips. Once the client receives a "401 Authenticate" response for
a stateful authentication type, it MUST stop sending new requests a stateful authentication type, it MUST stop sending new requests
to the server until the authentication has completed by receiving to the server until the authentication has completed by receiving
a non-401 response on at least one stream. a non-401 response on at least one stream.
3.3. Server Push Transactions 4.3. Server Push Transactions
SPDY enables a server to send multiple replies to a client for a HTTP/2.0 enables a server to send multiple replies to a client for a
single request. The rationale for this feature is that sometimes a single request. The rationale for this feature is that sometimes a
server knows that it will need to send multiple resources in response server knows that it will need to send multiple resources in response
to a single request. Without server push features, the client must to a single request. Without server push features, the client must
first download the primary resource, then discover the secondary first download the primary resource, then discover the secondary
resource(s), and request them. Pushing of resources avoids the resource(s), and request them. Pushing of resources avoids the
round-trip delay, but also creates a potential race where a server round-trip delay, but also creates a potential race where a server
can be pushing content which a user-agent is in the process of can be pushing content which a user-agent is in the process of
requesting. The following mechanics attempt to prevent the race requesting. The following mechanics attempt to prevent the race
condition while enabling the performance benefit. condition while enabling the performance benefit.
Browsers receiving a pushed response MUST validate that the server is Browsers receiving a pushed response MUST validate that the server is
authorized to push the URL using the browser same-origin [RFC6454] authorized to push the URL using the browser same-origin [RFC6454]
policy. For example, a SPDY connection to www.foo.com is generally policy. For example, a HTTP/2.0 connection to www.foo.com is
not permitted to push a response for www.evil.com. generally not permitted to push a response for www.evil.com.
If the browser accepts a pushed response (e.g. it does not send a If the browser accepts a pushed response (e.g. it does not send a
RST_STREAM), the browser MUST attempt to cache the pushed response in RST_STREAM), the browser MUST attempt to cache the pushed response in
same way that it would cache any other response. This means same way that it would cache any other response. This means
validating the response headers and inserting into the disk cache. validating the response headers and inserting into the disk cache.
Because pushed responses have no request, they have no request Because pushed responses have no request, they have no request
headers associated with them. At the framing layer, SPDY pushed headers associated with them. At the framing layer, HTTP/2.0 pushed
streams contain an "associated-stream-id" which indicates the streams contain an "associated-stream-id" which indicates the
requested stream for which the pushed stream is related. The pushed requested stream for which the pushed stream is related. The pushed
stream inherits all of the headers from the associated-stream-id with stream inherits all of the headers from the associated-stream-id with
the exception of ":host", ":scheme", and ":path", which are provided the exception of ":host", ":scheme", and ":path", which are provided
as part of the pushed response stream headers. The browser MUST as part of the pushed response stream headers. The browser MUST
store these inherited and implied request headers with the cached store these inherited and implied request headers with the cached
resource. resource.
Implementation note: With server push, it is theoretically possible Implementation note: With server push, it is theoretically possible
for servers to push unreasonable amounts of content or resources to for servers to push unreasonable amounts of content or resources to
the user-agent. Browsers MUST implement throttles to protect against the user-agent. Browsers MUST implement throttles to protect against
unreasonable push attacks. unreasonable push attacks.
3.3.1. Server implementation 4.3.1. Server implementation
When the server intends to push a resource to the user-agent, it When the server intends to push a resource to the user-agent, it
opens a new stream by sending a unidirectional SYN_STREAM. The opens a new stream by sending a unidirectional SYN_STREAM. The
SYN_STREAM MUST include an Associated-To-Stream-ID, and MUST set the SYN_STREAM MUST include an Associated-To-Stream-ID, and MUST set the
FLAG_UNIDIRECTIONAL flag. The SYN_STREAM MUST include headers for FLAG_UNIDIRECTIONAL flag. The SYN_STREAM MUST include headers for
":scheme", ":host", ":path", which represent the URL for the resource ":scheme", ":host", ":path", which represent the URL for the resource
being pushed. Subsequent headers may follow in HEADERS frames. The being pushed. Subsequent headers may follow in HEADERS frames. The
purpose of the association is so that the user-agent can purpose of the association is so that the user-agent can
differentiate which request induced the pushed stream; without it, if differentiate which request induced the pushed stream; without it, if
the user-agent had two tabs open to the same page, each pushing the user-agent had two tabs open to the same page, each pushing
skipping to change at page 38, line 27 skipping to change at page 42, line 27
headers available at the time it issues the HEADERS frame for the headers available at the time it issues the HEADERS frame for the
pushed resource, it may later use an additional HEADERS frame to pushed resource, it may later use an additional HEADERS frame to
augment the name/value pairs to be associated with the pushed stream. augment the name/value pairs to be associated with the pushed stream.
The subsequent HEADERS frame(s) must not contain a header for The subsequent HEADERS frame(s) must not contain a header for
':host', ':scheme', or ':path' (e.g. the server can't change the ':host', ':scheme', or ':path' (e.g. the server can't change the
identity of the resource to be pushed). The HEADERS frame must not identity of the resource to be pushed). The HEADERS frame must not
contain duplicate headers with a previously sent HEADERS frame. The contain duplicate headers with a previously sent HEADERS frame. The
server must send a HEADERS frame including the scheme/host/port server must send a HEADERS frame including the scheme/host/port
headers before sending any data frames on the stream. headers before sending any data frames on the stream.
3.3.2. Client implementation 4.3.2. Client implementation
When fetching a resource the client has 3 possibilities: When fetching a resource the client has 3 possibilities:
the resource is not being pushed the resource is not being pushed
the resource is being pushed, but the data has not yet arrived the resource is being pushed, but the data has not yet arrived
the resource is being pushed, and the data has started to arrive the resource is being pushed, and the data has started to arrive
When a SYN_STREAM and HEADERS frame which contains an Associated-To- When a SYN_STREAM and HEADERS frame which contains an Associated-To-
Stream-ID is received, the client must not issue GET requests for the Stream-ID is received, the client must not issue GET requests for the
resource in the pushed stream, and instead wait for the pushed stream resource in the pushed stream, and instead wait for the pushed stream
to arrive. to arrive.
If a client receives a server push stream with stream-id 0, it MUST If a client receives a server push stream with stream-id 0, it MUST
issue a session error (Section 2.4.1) with the status code issue a session error (Section 3.4.1) with the status code
PROTOCOL_ERROR. PROTOCOL_ERROR.
When a client receives a SYN_STREAM from the server without a the When a client receives a SYN_STREAM from the server without a the
':host', ':scheme', and ':path' headers in the Name/Value section, it ':host', ':scheme', and ':path' headers in the Name/Value section, it
MUST reply with a RST_STREAM with error code HTTP_PROTOCOL_ERROR. MUST reply with a RST_STREAM with error code HTTP_PROTOCOL_ERROR.
To cancel individual server push streams, the client can issue a To cancel individual server push streams, the client can issue a
stream error (Section 2.4.2) with error code CANCEL. Upon receipt, stream error (Section 3.4.2) with error code CANCEL. Upon receipt,
the server MUST stop sending on this stream immediately (this is an the server MUST stop sending on this stream immediately (this is an
Abrupt termination). Abrupt termination).
To cancel all server push streams related to a request, the client To cancel all server push streams related to a request, the client
may issue a stream error (Section 2.4.2) with error code CANCEL on may issue a stream error (Section 3.4.2) with error code CANCEL on
the associated-stream-id. By cancelling that stream, the server MUST the associated-stream-id. By cancelling that stream, the server MUST
immediately stop sending frames for any streams with immediately stop sending frames for any streams with
in-association-to for the original stream. in-association-to for the original stream.
If the server sends a HEADER frame containing duplicate headers with If the server sends a HEADER frame containing duplicate headers with
a previous HEADERS frame for the same stream, the client must issue a a previous HEADERS frame for the same stream, the client must issue a
stream error (Section 2.4.2) with error code PROTOCOL ERROR. stream error (Section 3.4.2) with error code PROTOCOL ERROR.
If the server sends a HEADERS frame after sending a data frame for If the server sends a HEADERS frame after sending a data frame for
the same stream, the client MAY ignore the HEADERS frame. Ignoring the same stream, the client MAY ignore the HEADERS frame. Ignoring
the HEADERS frame after a data frame prevents handling of HTTP's the HEADERS frame after a data frame prevents handling of HTTP's
trailing headers trailing headers
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.40). (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.40).
4. Design Rationale and Notes 5. Design Rationale and Notes
Authors' notes: The notes in this section have no bearing on the SPDY Authors' notes: The notes in this section have no bearing on the
protocol as specified within this document, and none of these notes HTTP/2.0 protocol as specified within this document, and none of
should be considered authoritative about how the protocol works. these notes should be considered authoritative about how the protocol
However, these notes may prove useful in future debates about how to works. However, these notes may prove useful in future debates about
resolve protocol ambiguities or how to evolve the protocol going how to resolve protocol ambiguities or how to evolve the protocol
forward. They may be removed before the final draft. going forward. They may be removed before the final draft.
4.1. Separation of Framing Layer and Application Layer 5.1. Separation of Framing Layer and Application Layer
Readers may note that this specification sometimes blends the framing Readers may note that this specification sometimes blends the framing
layer (Section 2) with requirements of a specific application - HTTP layer (Section 3) with requirements of a specific application - HTTP
(Section 3). This is reflected in the request/response nature of the (Section 4). This is reflected in the request/response nature of the
streams, the definition of the HEADERS and compression contexts which streams, the definition of the HEADERS and compression contexts which
are very similar to HTTP, and other areas as well. are very similar to HTTP, and other areas as well.
This blending is intentional - the primary goal of this protocol is This blending is intentional - the primary goal of this protocol is
to create a low-latency protocol for use with HTTP. Isolating the to create a low-latency protocol for use with HTTP. Isolating the
two layers is convenient for description of the protocol and how it two layers is convenient for description of the protocol and how it
relates to existing HTTP implementations. However, the ability to relates to existing HTTP implementations. However, the ability to
reuse the SPDY framing layer is a non goal. reuse the HTTP/2.0 framing layer is a non goal.
4.2. Error handling - Framing Layer 5.2. Error handling - Framing Layer
Error handling at the SPDY layer splits errors into two groups: Those Error handling at the HTTP/2.0 layer splits errors into two groups:
that affect an individual SPDY stream, and those that do not. Those that affect an individual HTTP/2.0 stream, and those that do
not.
When an error is confined to a single stream, but general framing is When an error is confined to a single stream, but general framing is
in tact, SPDY attempts to use the RST_STREAM as a mechanism to in tact, HTTP/2.0 attempts to use the RST_STREAM as a mechanism to
invalidate the stream but move forward without aborting the invalidate the stream but move forward without aborting the
connection altogether. connection altogether.
For errors occuring outside of a single stream context, SPDY assumes For errors occuring outside of a single stream context, HTTP/2.0
the entire session is hosed. In this case, the endpoint detecting assumes the entire session is hosed. In this case, the endpoint
the error should initiate a connection close. detecting the error should initiate a connection close.
4.3. One Connection Per Domain 5.3. One Connection Per Domain
SPDY attempts to use fewer connections than other protocols have HTTP/2.0 attempts to use fewer connections than other protocols have
traditionally used. The rationale for this behavior is because it is traditionally used. The rationale for this behavior is because it is
very difficult to provide a consistent level of service (e.g. TCP very difficult to provide a consistent level of service (e.g. TCP
slow-start), prioritization, or optimal compression when the client slow-start), prioritization, or optimal compression when the client
is connecting to the server through multiple channels. is connecting to the server through multiple channels.
Through lab measurements, we have seen consistent latency benefits by Through lab measurements, we have seen consistent latency benefits by
using fewer connections from the client. The overall number of using fewer connections from the client. The overall number of
packets sent by SPDY can be as much as 40% less than HTTP. Handling packets sent by HTTP/2.0 can be as much as 40% less than HTTP.
large numbers of concurrent connections on the server also does Handling large numbers of concurrent connections on the server also
become a scalability problem, and SPDY reduces this load. does become a scalability problem, and HTTP/2.0 reduces this load.
The use of multiple connections is not without benefit, however. The use of multiple connections is not without benefit, however.
Because SPDY multiplexes multiple, independent streams onto a single Because HTTP/2.0 multiplexes multiple, independent streams onto a
stream, it creates a potential for head-of-line blocking problems at single stream, it creates a potential for head-of-line blocking
the transport level. In tests so far, the negative effects of head- problems at the transport level. In tests so far, the negative
of-line blocking (especially in the presence of packet loss) is effects of head-of-line blocking (especially in the presence of
outweighed by the benefits of compression and prioritization. packet loss) is outweighed by the benefits of compression and
prioritization.
4.4. Fixed vs Variable Length Fields 5.4. Fixed vs Variable Length Fields
SPDY favors use of fixed length 32bit fields in cases where smaller, HTTP/2.0 favors use of fixed length 32bit fields in cases where
variable length encodings could have been used. To some, this seems smaller, variable length encodings could have been used. To some,
like a tragic waste of bandwidth. SPDY choses the simple encoding this seems like a tragic waste of bandwidth. HTTP/2.0 choses the
for speed and simplicity. simple encoding for speed and simplicity.
The goal of SPDY is to reduce latency on the network. The overhead The goal of HTTP/2.0 is to reduce latency on the network. The
of SPDY frames is generally quite low. Each data frame is only an 8 overhead of HTTP/2.0 frames is generally quite low. Each data frame
byte overhead for a 1452 byte payload (~0.6%). At the time of this is only an 8 byte overhead for a 1452 byte payload (~0.6%). At the
writing, bandwidth is already plentiful, and there is a strong trend time of this writing, bandwidth is already plentiful, and there is a
indicating that bandwidth will continue to increase. With an average strong trend indicating that bandwidth will continue to increase.
worldwide bandwidth of 1Mbps, and assuming that a variable length With an average worldwide bandwidth of 1Mbps, and assuming that a
encoding could reduce the overhead by 50%, the latency saved by using variable length encoding could reduce the overhead by 50%, the
a variable length encoding would be less than 100 nanoseconds. More latency saved by using a variable length encoding would be less than
interesting are the effects when the larger encodings force a packet 100 nanoseconds. More interesting are the effects when the larger
boundary, in which case a round-trip could be induced. However, by encodings force a packet boundary, in which case a round-trip could
addressing other aspects of SPDY and TCP interactions, we believe be induced. However, by addressing other aspects of HTTP/2.0 and TCP
this is completely mitigated. interactions, we believe this is completely mitigated.
4.5. Compression Context(s) 5.5. Compression Context(s)
When isolating the compression contexts used for communicating with When isolating the compression contexts used for communicating with
multiple origins, we had a few choices to make. We could have multiple origins, we had a few choices to make. We could have
maintained a map (or list) of compression contexts usable for each maintained a map (or list) of compression contexts usable for each
origin. The basic case is easy - each HEADERS frame would need to origin. The basic case is easy - each HEADERS frame would need to
identify the context to use for that frame. However, compression identify the context to use for that frame. However, compression
contexts are not cheap, so the lifecycle of each context would need contexts are not cheap, so the lifecycle of each context would need
to be bounded. For proxy servers, where we could churn through many to be bounded. For proxy servers, where we could churn through many
contexts, this would be a concern. We considered using a static set contexts, this would be a concern. We considered using a static set
of contexts, say 16 of them, which would bound the memory use. We of contexts, say 16 of them, which would bound the memory use. We
also considered dynamic contexts, which could be created on the fly, also considered dynamic contexts, which could be created on the fly,
and would need to be subsequently destroyed. All of these are and would need to be subsequently destroyed. All of these are
complicated, and ultimately we decided that such a mechanism creates complicated, and ultimately we decided that such a mechanism creates
too many problems to solve. too many problems to solve.
Alternatively, we've chosen the simple approach, which is to simply Alternatively, we've chosen the simple approach, which is to simply
provide a flag for resetting the compression context. For the common provide a flag for resetting the compression context. For the common
case (no proxy), this fine because most requests are to the same case (no proxy), this fine because most requests are to the same
origin and we never need to reset the context. For cases where we origin and we never need to reset the context. For cases where we
are using two different origins over a single SPDY session, we simply are using two different origins over a single HTTP/2.0 session, we
reset the compression state between each transition. simply reset the compression state between each transition.
4.6. Unidirectional streams 5.6. Unidirectional streams
Many readers notice that unidirectional streams are both a bit Many readers notice that unidirectional streams are both a bit
confusing in concept and also somewhat redundant. If the recipient confusing in concept and also somewhat redundant. If the recipient
of a stream doesn't wish to send data on a stream, it could simply of a stream doesn't wish to send data on a stream, it could simply
send a SYN_REPLY with the FLAG_FIN bit set. The FLAG_UNIDIRECTIONAL send a SYN_REPLY with the FLAG_FIN bit set. The FLAG_UNIDIRECTIONAL
is, therefore, not necessary. is, therefore, not necessary.
It is true that we don't need the UNIDIRECTIONAL markings. It is It is true that we don't need the UNIDIRECTIONAL markings. It is
added because it avoids the recipient of pushed streams from needing added because it avoids the recipient of pushed streams from needing
to send a set of empty frames (e.g. the SYN_STREAM w/ FLAG_FIN) which to send a set of empty frames (e.g. the SYN_STREAM w/ FLAG_FIN) which
otherwise serve no purpose. otherwise serve no purpose.
4.7. Data Compression 5.7. Data Compression
Generic compression of data portion of the streams (as opposed to Generic compression of data portion of the streams (as opposed to
compression of the headers) without knowing the content of the stream compression of the headers) without knowing the content of the stream
is redundant. There is no value in compressing a stream which is is redundant. There is no value in compressing a stream which is
already compressed. Because of this, SPDY does allow data already compressed. Because of this, HTTP/2.0 does allow data
compression to be optional. We included it because study of existing compression to be optional. We included it because study of existing
websites shows that many sites are not using compression as they websites shows that many sites are not using compression as they
should, and users suffer because of it. We wanted a mechanism where, should, and users suffer because of it. We wanted a mechanism where,
at the SPDY layer, site administrators could simply force compression at the HTTP/2.0 layer, site administrators could simply force
- it is better to compress twice than to not compress. compression - it is better to compress twice than to not compress.
Overall, however, with this feature being optional and sometimes Overall, however, with this feature being optional and sometimes
redundant, it is unclear if it is useful at all. We will likely redundant, it is unclear if it is useful at all. We will likely
remove it from the specification. remove it from the specification.
4.8. Server Push 5.8. Server Push
A subtle but important point is that server push streams must be A subtle but important point is that server push streams must be
declared before the associated stream is closed. The reason for this declared before the associated stream is closed. The reason for this
is so that proxies have a lifetime for which they can discard is so that proxies have a lifetime for which they can discard
information about previous streams. If a pushed stream could information about previous streams. If a pushed stream could
associate itself with an already-closed stream, then endpoints would associate itself with an already-closed stream, then endpoints would
not have a specific lifecycle for when they could disavow knowledge not have a specific lifecycle for when they could disavow knowledge
of the streams which went before. of the streams which went before.
5. Security Considerations 6. Security Considerations
5.1. Use of Same-origin constraints 6.1. Use of Same-origin constraints
This specification uses the same-origin policy [RFC6454] in all cases This specification uses the same-origin policy [RFC6454] in all cases
where verification of content is required. where verification of content is required.
5.2. HTTP Headers and SPDY Headers 6.2. HTTP Headers and HTTP/2.0 Headers
At the application level, HTTP uses name/value pairs in its headers. At the application level, HTTP uses name/value pairs in its headers.
Because SPDY merges the existing HTTP headers with SPDY headers, Because HTTP/2.0 merges the existing HTTP headers with HTTP/2.0
there is a possibility that some HTTP applications already use a headers, there is a possibility that some HTTP applications already
particular header name. To avoid any conflicts, all headers use a particular header name. To avoid any conflicts, all headers
introduced for layering HTTP over SPDY are prefixed with ":". ":" is introduced for layering HTTP over HTTP/2.0 are prefixed with ":". ":"
not a valid sequence in HTTP header naming, preventing any possible is not a valid sequence in HTTP header naming, preventing any
conflict. possible conflict.
5.3. Cross-Protocol Attacks 6.3. Cross-Protocol Attacks
By utilizing TLS, we believe that SPDY introduces no new cross- By utilizing TLS, we believe that HTTP/2.0 introduces no new cross-
protocol attacks. TLS encrypts the contents of all transmission protocol attacks. TLS encrypts the contents of all transmission
(except the handshake itself), making it difficult for attackers to (except the handshake itself), making it difficult for attackers to
control the data which could be used in a cross-protocol attack. control the data which could be used in a cross-protocol attack.
5.4. Server Push Implicit Headers 6.4. Server Push Implicit Headers
Pushed resources do not have an associated request. In order for Pushed resources do not have an associated request. In order for
existing HTTP cache control validations (such as the Vary header) to existing HTTP cache control validations (such as the Vary header) to
work, however, all cached resources must have a set of request work, however, all cached resources must have a set of request
headers. For this reason, browsers MUST be careful to inherit headers. For this reason, browsers MUST be careful to inherit
request headers from the associated stream for the push. This request headers from the associated stream for the push. This
includes the 'Cookie' header. includes the 'Cookie' header.
6. Privacy Considerations 7. Privacy Considerations
6.1. Long Lived Connections 7.1. Long Lived Connections
SPDY aims to keep connections open longer between clients and servers HTTP/2.0 aims to keep connections open longer between clients and
in order to reduce the latency when a user makes a request. The servers in order to reduce the latency when a user makes a request.
maintenance of these connections over time could be used to expose The maintenance of these connections over time could be used to
private information. For example, a user using a browser hours after expose private information. For example, a user using a browser
the previous user stopped using that browser may be able to learn hours after the previous user stopped using that browser may be able
about what the previous user was doing. This is a problem with HTTP to learn about what the previous user was doing. This is a problem
in its current form as well, however the short lived connections make with HTTP in its current form as well, however the short lived
it less of a risk. connections make it less of a risk.
6.2. SETTINGS frame 7.2. SETTINGS frame
The SPDY SETTINGS frame allows servers to store out-of-band The HTTP/2.0 SETTINGS frame allows servers to store out-of-band
transmitted information about the communication between client and transmitted information about the communication between client and
server on the client. Although this is intended only to be used to server on the client. Although this is intended only to be used to
reduce latency, renegade servers could use it as a mechanism to store reduce latency, renegade servers could use it as a mechanism to store
identifying information about the client in future requests. identifying information about the client in future requests.
Clients implementing privacy modes, such as Google Chrome's Clients implementing privacy modes, such as Google Chrome's
"incognito mode", may wish to disable client-persisted SETTINGS "incognito mode", may wish to disable client-persisted SETTINGS
storage. storage.
Clients MUST clear persisted SETTINGS information when clearing the Clients MUST clear persisted SETTINGS information when clearing the
cookies. cookies.
TODO: Put range maximums on each type of setting to limit TODO: Put range maximums on each type of setting to limit
inappropriate uses. inappropriate uses.
7. Incompatibilities with SPDY draft #2
Here is a list of the major changes between this draft and draft #2.
Addition of flow control
Increased 16 bit length fields in SYN_STREAM and SYN_REPLY to 32
bits.
Changed definition of compression for DATA frames
Updated compression dictionary
Fixed off-by-one on the compression dictionary for headers
Increased priority field from 2bits to 3bits.
Removed NOOP frame
Split the request "url" into "scheme", "host", and "path"
Added the requirement that POSTs contain content-length.
Removed wasted 16bits of unused space from the end of the
SYN_REPLY and HEADERS frames.
Fixed bug: Priorities were described backward (0 was lowest
instead of highest).
Fixed bug: Name/Value header counts were duplicated in both the
Name Value header block and also the containing frame.
8. Requirements Notation 8. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
9. Acknowledgements 9. Acknowledgements
Many individuals have contributed to the design and evolution of This document includes substantial input from the following
SPDY: Adam Langley, Wan-Teh Chang, Jim Morrison, Mark Nottingham, individuals:
Alyssa Wilk, Costin Manolache, William Chan, Vitaliy Lvin, Joe Chan,
Adam Barth, Ryan Hamilton, Gavin Peters, Kent Alstad, Kevin Lindsay, o Adam Langley, Wan-Teh Chang, Jim Morrison, Mark Nottingham, Alyssa
Paul Amer, Fan Yang, Jonathan Leighton. Wilk, Costin Manolache, William Chan, Vitaliy Lvin, Joe Chan, Adam
Barth, Ryan Hamilton, Gavin Peters, Kent Alstad, Kevin Lindsay,
Paul Amer, Fan Yang, Jonathan Leighton (SPDY contributors).
o Gabriel Montenegro and Willy Tarreau (Upgrade mechanism)
o William Chan, Salvatore Loreto, Osama Mazahir, Gabriel Montenegro,
Jitu Padhye, Roberto Peon, Rob Trace (Flow control principles)
o Mark Nottingham and Julian Reschke
10. Normative References 10. Normative References
[ASCII] "US-ASCII. Coded Character Set - 7-Bit American [ASCII] "US-ASCII. Coded Character Set - 7-Bit American
Standard Code for Information Interchange. Standard Code for Information Interchange.
Standard ANSI X3.4-1986, ANSI, 1986.". Standard ANSI X3.4-1986, ANSI, 1986.".
[HTTP-p1] Fielding, R. and J. Reschke, "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
draft-ietf-httpbis-p1-messaging-21 (work in
progress), October 2012.
[HTTP-p2] Fielding, R. and J. Reschke, "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content",
draft-ietf-httpbis-p2-semantics-21 (work in
progress), October 2012.
[RFC0793] Postel, J., "Transmission Control Protocol", [RFC0793] Postel, J., "Transmission Control Protocol",
STD 7, RFC 793, September 1981. STD 7, RFC 793, September 1981.
[RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill, [RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill,
"Uniform Resource Locators (URL)", RFC 1738, "Uniform Resource Locators (URL)", RFC 1738,
December 1994. December 1994.
[RFC1950] Deutsch, L. and J. Gailly, "ZLIB Compressed Data [RFC1950] Deutsch, L. and J. Gailly, "ZLIB Compressed Data
Format Specification version 3.3", RFC 1950, Format Specification version 3.3", RFC 1950,
May 1996. May 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to [RFC2119] Bradner, S., "Key words for use in RFCs to
Indicate Requirement Levels", BCP 14, RFC 2119, Indicate Requirement Levels", BCP 14, RFC 2119,
March 1997. March 1997.
[RFC2285] Mandeville, R., "Benchmarking Terminology for LAN
Switching Devices", RFC 2285, February 1998.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, Masinter, L., Leach, P., and T. Berners-Lee,
"Hypertext Transfer Protocol -- HTTP/1.1", "Hypertext Transfer Protocol -- HTTP/1.1",
RFC 2616, June 1999. RFC 2616, June 1999.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J.,
Lawrence, S., Leach, P., Luotonen, A., and L. Lawrence, S., Leach, P., Luotonen, A., and L.
Stewart, "HTTP Authentication: Basic and Digest Stewart, "HTTP Authentication: Basic and Digest
Access Authentication", RFC 2617, June 1999. Access Authentication", RFC 2617, June 1999.
[RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D.,
Mikkelsen, J., and T. Wright, "Transport Layer
Security (TLS) Extensions", RFC 4366, April 2006.
[RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO- [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-
based Kerberos and NTLM HTTP Authentication in based Kerberos and NTLM HTTP Authentication in
Microsoft Windows", RFC 4559, June 2006. Microsoft Windows", RFC 4559, June 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer
Security (TLS) Protocol Version 1.2", RFC 5246, Security (TLS) Protocol Version 1.2", RFC 5246,
August 2008. August 2008.
[RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454,
December 2011. December 2011.
skipping to change at page 45, line 45 skipping to change at page 49, line 27
draft-agl-tls-nextprotoneg-01 (work in progress), draft-agl-tls-nextprotoneg-01 (work in progress),
August 2010. August 2010.
[UDELCOMPRESSION] Yang, F., Amer, P., and J. Leighton, "A [UDELCOMPRESSION] Yang, F., Amer, P., and J. Leighton, "A
Methodology to Derive SPDY's Initial Dictionary Methodology to Derive SPDY's Initial Dictionary
for Zlib Compression", <http://www.eecis.udel.edu/ for Zlib Compression", <http://www.eecis.udel.edu/
~amer/PEL/poc/pdf/SPDY-Fan.pdf>. ~amer/PEL/poc/pdf/SPDY-Fan.pdf>.
Appendix A. Change Log (to be removed by RFC Editor before publication) Appendix A. Change Log (to be removed by RFC Editor before publication)
A.1. Since draft-mbelshe-httpbis-spdy-00 A.1. Since draft-ietf-httpbis-http2-00
Changed title throughout.
Removed section on Incompatibilities with SPDY draft#2.
Changed INTERNAL_ERROR on GOAWAY to have a value of 2 <https://
groups.google.com/forum/?fromgroups#!topic/spdy-dev/cfUef2gL3iU>.
Replaced abstract and introduction.
Added section on starting HTTP/2.0, including upgrade mechanism.
Removed unused references.
Added flow control principles (Section 3.5.1) based on <http://
tools.ietf.org/html/draft-montenegro-httpbis-http2-fc-principles-01>.
A.2. Since draft-mbelshe-httpbis-spdy-00
Adopted as base for draft-ietf-httpbis-http2. Adopted as base for draft-ietf-httpbis-http2.
Updated authors/editors list. Updated authors/editors list.
Added status note. Added status note.
Authors' Addresses Authors' Addresses
Mike Belshe Mike Belshe
 End of changes. 187 change blocks. 
431 lines changed or deleted 587 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/