为什么Web浏览器不支持h2c（没有TLS的HTTP / 2）？ [英] Why do web browsers not support h2c (HTTP/2 without TLS)?

问题描述

我真的在网上搜索，我找不到网页浏览器不支持h2c（没有TLS的http / 2）的原因。任何想法，赞赏。

I really search the web, and I can not find the reason why web browsers do not support h2c (http/2 with no TLS). Any idea, appreciated.

稍微澄清
http / 2，https使用ALPN（这称为h2）。使用http的
http / 2不需要ALPN（这称为h2c），但几乎没有Web浏览器支持它。为什么会这样？

A little bit clarification http/2 with https uses ALPN (this is called h2). http/2 with http does not need ALPN(this is called h2c), but almost no web browser support it. Why is so?

我觉得对于很多资源，虽然真实性总是好的，但不需要保密（http体的数字签名虽然不受广泛支持）有一些私人实施）。鉴于不需要保密，那么h2c确实是一件好事。

I feel that for many resources, there is no need for confidentiality though authenticity is always good (the digital signature of the http body is not widely supported though there are some private implementations). Given confidentiality is not needed, then h2c is really a good thing to have.

推荐答案

技术上

HTTP / 2通过HTTPS更好更容易处理有几个技术原因：

Technically

There are several technical reasons why HTTP/2 is much better and easier to handle over HTTPS:

1. 执行HTTP / 2在TLS中使用ALPN进行协商要容易得多，并且不会丢失普通HTTP中的升级：等往返行程。并且它不会受到使用纯文本HTTP / 2获得的POST升级问题的影响。


2. N％的网络不支持未经请求的升级：h2c 请求中的标头，而是响应400个错误。


3. 通过TCP端口80执行除HTTP / 1.1之外的其他操作会在Y％的情况下中断世界上到处都是中间盒，可以帮助并替换/添加内容以进行此类连接。如果那不是HTTP / 1.1，事情就会中断（这也是为什么brotli例如也需要HTTPS）。

1. Doing HTTP/2 negotiation in TLS with ALPN is much easier and doesn't lose round-trips like Upgrade: in plain HTTP does. And it doesn't suffer from the upgrade problem on POST that you get with plain-text HTTP/2.
2. N% of the web doesn't support unsolicited Upgrade: h2cheaders in requests and instead respond with 400 errors.
3. Doing something else than HTTP/1.1 over TCP port 80 breaks in Y% of the cases since the world is full of middle-boxes that "help" out and replace/add things in-stream for such connections. If that then isn't HTTP/1.1, things break (this is also why brotli for example also requires HTTPS).

意识形态

在网络上推动更多的HTTPS，由一些较大的网络浏览器开发团队共享和部分工作。如果功能仅通过HTTPS实现，那么它就会被视为奖励，因为它们是网站和服务转移到HTTPS的另一个动机。因此，有些团队从未尝试过非常努力（如果有的话）在没有TLS的情况下使HTTP / 2工作。

Ideologically

There's a push for more HTTPS on the web that is shared by and worked on in part by some of the larger web browser developer teams. That makes it considered a bonus if features are implemented HTTPS-only as they then work as yet another motivation for sites and services to move over to HTTPS. Thus, some teams never tried very hard (if at all) to make HTTP/2 work without TLS.

至少有一家浏览器供应商早期表示有意为通过纯文本HTTP（h2c）完成的用户实施和提供HTTP / 2。由于上面提到的技术障碍，他们最终从未这样做过。

At least one browser vendor expressed its intention early on to implement and provide HTTP/2 for users done over plain-text HTTP (h2c). They ended up never doing this because of technical obstacles as mentioned above.

这篇关于为什么Web浏览器不支持h2c（没有TLS的HTTP / 2）？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！