为什么网络浏览器不支持 h2c(没有 TLS 的 HTTP/2)? [英] Why do web browsers not support h2c (HTTP/2 without TLS)?

问题描述

我真的在网上搜索，我找不到网络浏览器不支持h2c(没有TLS的http/2)的原因.任何想法，不胜感激.

I really search the web, and I can not find the reason why web browsers do not support h2c (http/2 with no TLS). Any idea, appreciated.

稍微澄清一下http/2 with https 使用 ALPN(这称为 h2).http/2 with http 不需要 ALPN(这称为 h2c)，但几乎没有网络浏览器支持它.为什么会这样?

A little bit clarification http/2 with https uses ALPN (this is called h2). http/2 with http does not need ALPN(this is called h2c), but almost no web browser support it. Why is so?

我觉得对于很多资源来说，虽然真实性总是好的，但不需要保密(尽管有一些私有实现，但http主体的数字签名并未得到广泛支持).鉴于不需要保密，那么 h2c 确实是一件好事.

I feel that for many resources, there is no need for confidentiality though authenticity is always good (the digital signature of the http body is not widely supported though there are some private implementations). Given confidentiality is not needed, then h2c is really a good thing to have.

推荐答案

技术上

HTTP/2 比 HTTPS 更好、更容易处理有几个技术原因:

Technically

There are several technical reasons why HTTP/2 is much better and easier to handle over HTTPS:

1. 使用 ALPN 在 TLS 中进行 HTTP/2 协商要容易得多，并且不会像纯 HTTP 中的 Upgrade: 那样丢失往返.并且它不会受到纯文本 HTTP/2 的 POST 升级问题的困扰.
2. N% 的网络不支持请求中主动提供的 Upgrade: h2c 标头，而是响应 400 错误.
3. 在 TCP 端口 80 上执行 HTTP/1.1 以外的其他事情在 Y% 的情况下会中断，因为世界上到处都是帮助"并为此类连接替换/添加流中内容的中间盒.如果那不是 HTTP/1.1，事情就会崩溃(这也是为什么 brotli 也需要 HTTPS).

1. Doing HTTP/2 negotiation in TLS with ALPN is much easier and doesn't lose round-trips like Upgrade: in plain HTTP does. And it doesn't suffer from the upgrade problem on POST that you get with plain-text HTTP/2.
2. N% of the web doesn't support unsolicited Upgrade: h2cheaders in requests and instead respond with 400 errors.
3. Doing something else than HTTP/1.1 over TCP port 80 breaks in Y% of the cases since the world is full of middle-boxes that "help" out and replace/add things in-stream for such connections. If that then isn't HTTP/1.1, things break (this is also why brotli for example also requires HTTPS).

意识形态上

网络上有更多 HTTPS 的推动，一些较大的网络浏览器开发团队共享并部分参与其中.如果功能仅实现 HTTPS，这将被认为是一种奖励，因为它们可以作为网站和服务迁移到 HTTPS 的另一个动机.因此，一些团队从未非常努力地(如果有的话)让 HTTP/2 在没有 TLS 的情况下工作.

Ideologically

There's a push for more HTTPS on the web that is shared by and worked on in part by some of the larger web browser developer teams. That makes it considered a bonus if features are implemented HTTPS-only as they then work as yet another motivation for sites and services to move over to HTTPS. Thus, some teams never tried very hard (if at all) to make HTTP/2 work without TLS.

至少有一家浏览器供应商很早就表示打算通过纯文本 HTTP (h2c) 为用户实现和提供 HTTP/2.由于上述技术障碍，他们最终从未这样做过.

At least one browser vendor expressed its intention early on to implement and provide HTTP/2 for users done over plain-text HTTP (h2c). They ended up never doing this because of technical obstacles as mentioned above.

这篇关于为什么网络浏览器不支持 h2c(没有 TLS 的 HTTP/2)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！