Bootstrapping WebSockets with HTTP/2

The Hypertext Transfer Protocol (HTTP) provides compatible resource level semantics across different versions but it does not offer compatibility at the connection management level. Other protocols, such as WebSockets, that rely on connection management details of HTTP must be updated for new versions of HTTP. The WebSocket Protocol uses the HTTP/1.1 Upgrade mechanism to transition a TCP connection from HTTP into a WebSocket connection. A different approach must be taken with HTTP/2 . Due to the multiplexing nature of HTTP/2 it does not allow connection wide header and status codes such as the Upgrade and Connection request headers or the 101 response code. These are all required by the connection establishment process. A server offering both HTTP/1.1 and WebSocket services can do so from the same instance and same port although they require separate TCP connections. Moving a server to HTTP/2 and WebSocket services requires a separate port and protocol stack for the sole purpose of bootstrapping WebSockets. This is a significant administrative burden and may not even be possible in the case of large amounts of deployed markup pointing at the old single name and port. Being able to bootstrap WebSockets from HTTP/2 allows one server, one port, and one TCP connection to be shared by both protocols. This document extends the HTTP/2 CONNECT method. The extension allows the substitution of a new protocol name to connect to rather than the external host normally used by CONNECT. The result is a tunnel on a single HTTP/2 stream that can carry data for WebSockets (or any other protocol) while the other streams on the connection continue to carry HTTP/2 data. Streams that have been successfully established as protocol tunnels proceed to establish and utilize the WebSocket Protocol using the procedure defined by treating the stream as if were the connection in that specification. This tunneled stream will be multiplexed with other regular streams on the connection and enjoys the normal priority, cancellation, and flow control features of HTTP/2.

In this document, the key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be interpreted as described in BCP 14, .

This document adds a new SETTINGS Parameter to those defined by Section 6.5.2. The new parameter is ENABLE_CONNECT_PROTOCOL (type = 0x8). The value of the parameter MUST be 0 or 1. Upon receipt of ENABLE_CONNECT_PROTOCOL with a value of 1 a client MAY use the Extended CONNECT definition of this document when creating new streams. Receipt of this parameter by a server does not have any impact. A sender MUST NOT send a ENABLE_CONNECT_PROTOCOL parameter with the value of 0 after previously sending a value of 1. The use of a SETTINGS Parameter to opt-in to an otherwise incompatible protocol change is a use of “Extending HTTP/2” defined by section 5.5 of . If a client were to use the provisions of the extended CONNECT method defined in this document without first receiving a ENABLE_CONNECT_PROTOCOL parameter with the value of 1 it would be a protocol violation.

The CONNECT Method of Section 8.3 is modified in the following ways: A new pseudo-header :protocol MAY be included on request HEADERS indicating the desired protocol to be spoken on the tunnel created by CONNECT. The pseudo-header is single valued and contains a value from the HTTP Upgrade Token Registry defined by . On requests bearing the :protocol pseudo-header, the :scheme and :path pseudo-header fields SHOULD be included. On requests bearing the :protocol pseudo-header, the :authority pseudo-header field is interpreted according to Section 8.1.2.3 instead of Section 8.3. In particular the server MUST not make a new TCP connection to the host and port indicated by the :authority. Upon receiving a CONNECT request bearing the :protocol pseudo-header the server establishes a tunnel to another service of the protocol type indicated by the pseudo-header. This service may or may not be co-located with the server.

The pseudo-header :protocol MUST be included in the CONNECT request and it MUST have a value of websocket to initiate a WebSocket connection on an HTTP/2 stream. Upon successfully establishing a protocol tunnel the client should proceed with The WebSocket Protocol using the HTTP/2 stream from the CONNECT transaction as if it were the TCP connection in . Negotiation of WebSocket version and sub-protocols is done unmodified within that stream.

A more native integration with HTTP/2 is certainly possible with larger additions to HTTP/2. This design was selected to minimize the solution complexity while still addressing the primary concern of not being able to run HTTP/2 and WebSockets on the same port and address.

This document does not change how WebSockets interacts with HTTP proxies. If a client wishing to speak WebSockets connects via HTTP/2 to a HTTP proxy it should continue to use a traditional (i.e. not with a :protocol pseudo-header) CONNECT to tunnel through that proxy to the WebSocket server via HTTP. The resulting version of HTTP on that tunnel determines whether WebSockets is initiated directly or via a modified CONNECT request described in this document.

ensures that non WebSockets clients, especially XMLHttpRequest based clients, cannot make a WebSocket connection. Its primary mechanism for doing that is the use of Sec- prefixed request headers that cannot be created by XMLHttpRequest based clients. This specification addresses that concern in two ways: The CONNECT method is prohibited from being used by XMLHttpRequest The use of a pseudo-header is something that is connection specific and HTTP/2 does not ever allow to be created outside of the protocol stack.

This document establishes a entry for the HTTP/2 Settings Registry that was established by Section 11.3 Name: ENABLE_CONNECT_PROTOCOL Code: 0x8 Initial Value: 0 Specification: This document

The 2017 HTTP Workshop had a very productive discussion that helped determine the key problem and acceptable level of solution complexity.