HTTP/2 (or “H2” as the cool kids call it) has been ratified for months, and browsers already support or have committed to supporting the protocol. Everything we hear tells us that the new version of HTTP will provide significant performance benefits while requiring little to no change to our applications—all the problems with HTTP/1.x have seemingly been addressed; we no longer need the “hacks” that enabled us to circumvent them; and the Internet is about to be a happy place at last. But maybe we should put the pom-poms down for a minute. Deploying HTTP/2 may not be as easy as it seems since the protocol brings with it new complications and issues. Likewise, the new features the spec introduces may not work as seamlessly as we hope. Hooman Beheshti examines HTTP/2’s core features and how they relate to real-world conditions, discussing the positives, negatives, new caveats, and practical considerations for deploying HTTP/2. Topics include: The single-connection model and the impact of degraded network conditions on HTTP/2 versus HTTP/1 How server push interacts (or doesn’t) with modern browser caches What HTTP/2’s flow control mechanism means for server-to-client communication New considerations for deploying HPACK compression Difficulties in troubleshooting HTTP/2 communications, new tools, and new ways to use old tools

1. Hooman Beheshti
VP Technology
HTTP/2:
What no one’s telling you

2. some people are
starting to tell you!
Hooman Beheshti
VP Technology
HTTP/2:
What no one’s telling you

3. Everything will be
much faster!
You don’t need
to change
anything!
Google said
so!
You can stop
doing
optimizations!

4. 2 > 1.1

5. Goals
• Take an objective look at the protocol
• Practical considerations
• Share data
• Better understand the good
– And the bad?

6. HTTP/2
RFC 7540

7. Binary protocol

8. Connection

9. connection

10. A single connection
• single, long-lasting TCP connection
• Theoretically, this means better congestion
management between peers
• TLS (with ALPN)
• Connection reuse across domains (same IP and cert)

11. Streams

12. connection
stream
stream
stream
…

13. Streams
• Virtual channels for communication
– Translate roughly to a request/response exchange
– Client or server can initiate or terminate
• Stream IDs:
– Client: odd; server: even; 0: reserved
– Each ID has to be larger than the ones before it initiated
by the endpoint
– Cannot be reused

14. Frames

15. connection
stream
stream
stream
…
frame frame frame frame
frame frame frame frame
frame frame frame
frame frame frame
frame frame
frame frame frame

16. GET /thing HTTP/1.1
Host: www.example.com
User-Agent: Some_user_agent
HTTP/1.1 200 OK
Server: some_server
Content-Type: text/html
Content-Length: 1000
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
Request Response

17. GET /thing HTTP/1.1
Host: www.example.com
User-Agent: Some_user_agent
HTTP/1.1 200 OK
Server: some_server
Content-Type: text/html
Content-Length: 1000
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
HEADERS
Request Response

18. GET /thing HTTP/1.1
Host: www.example.com
User-Agent: Some_user_agent
HTTP/1.1 200 OK
Server: some_server
Content-Type: text/html
Content-Length: 1000
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
HEADERS
HEADERS
Request Response

19. GET /thing HTTP/1.1
Host: www.example.com
User-Agent: Some_user_agent
HTTP/1.1 200 OK
Server: some_server
Content-Type: text/html
Content-Length: 1000
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
html html html html html html
DATA
DATA
DATA
DATA
DATA
DATA
HEADERS
HEADERS
Request Response

20. DATA Carries request or response data
HEADERS
Carries request/response headers/trailers; can initiate a
stream
PRIORITY Indicates priority of a stream
RST_STREAM Terminates a stream
SETTINGS Defines parameters for the connection only
PUSH_PROMISE Signals peer for server push
PING Maintenance frame for checking RTT, connection, etc
GOAWAY For shutting down a connection
WINDOW_UPDATE Frame responsible for flow control adjustments
CONTINUATION Extends a HEADERS frame and can carry more headers

21. DATA Carries request or response data
HEADERS
Carries request/response headers/trailers; can initiate a
stream
PRIORITY Indicates priority of a stream
RST_STREAM Terminates a stream
SETTINGS Defines parameters for the connection only
PUSH_PROMISE Signals peer for server push
PING Maintenance frame for checking RTT, connection, etc
GOAWAY For shutting down a connection
WINDOW_UPDATE Frame responsible for flow control adjustments
CONTINUATION Extends a HEADERS frame and can carry more headers

22. Protocol flow

23. HTTP/1
connection
request
response

24. HTTP/2
connection
(sid=1)
DATA
(sid=1)
DATA
(sid=1)
DATA
(sid=1)
HEADERS
(sid=1)
HEADERS

25. HTTP/1
connection
request
response

26. connection
request
response
HTTP/1
connection
request
response
connection
request
response
connection
request
response

27. HTTP/2
connection
(sid=3)
DATA
(sid=1)
DATA
(sid=5)
HEADERS
(sid=3)
DATA
(sid=1)
HEADERS
(sid=3)
HEADERS
(sid=11)
HEADERS
(sid=13)
HEADERS
(sid=15)
HEADERS
(sid=13)
DATA
(sid=13)
DATA
(sid=17)
HEADERS

29. HTTP/1.1

30. HTTP/1.1 HTTP/2

32. http://caniuse.com/#search=http2

33. Servers
• Apache & Nginx
• h2o
– https://h2o.examp1e.net/
• https://en.wikipedia.org/wiki/HTTP/2
• Talk to your CDNs

34. Performance

35. The perfect page

38. Private WebpageTest
5Mbps/1Mbps; 40ms latency
Chrome; h1 vs h2

39. Private WebpageTest
5Mbps/1Mbps; 40ms latency
Chrome; h1 vs h2
~270 runs each!!

41. Packet Loss!

48. Firefox

50. Slow 3G:
780Kbps/330Kbps
200ms latency

51. Firefox; Slow 3G: 780Kbps/330Kbps, 200ms latency

52. Firefox; 5Mbps/1Mbps, 40ms latency

53. 5Mbps/1Mbps, 40ms latency

54.
0% PLR 2% PLR
5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms
DocComplete h2 h2 h2 h2 h1 h1 h1 h1
Keeping score…

55.
0% PLR 2% PLR
5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms
DocComplete h2 h2 h2 h2 h1 h1 h1 h1
DCL Start h1 h1 h2 h1 h1 h1 h2 h1
Speed Index h2/h1 h2 h2 h2 h1 h1 h2 h2
Keeping score…

56. Why?

61. Head of line blocking in TCP

64. Real pages

65. Real pages
• 8 pages (from 8 real sites)
• 16 bandwidth/latency combinations
– Each with 0%, 0.5%, 1%, 2% PLR
• Firefox and Chrome, TLS only, collect all metrics
• 300-400 runs with each combination

66. Real pages
• 8 pages (from 8 real sites)
• 16 bandwidth/latency combinations
– Each with 0%, 0.5%, 1%, 2% PLR
• Firefox and Chrome, TLS only, collect all metrics
• 300-400 runs with each combination

68. Analysis
• 3 Types of pages, # of resources h1àh2:
– ~75% or higher
– ~half
– ~25% or lower
• 2 profiles (0%, 0.5%, 1%, 2% PLR):
– “Broadband”: 5Mbps/1Mbps/40ms
– “Slow 3G”: 780Kbps/330Kbps/200ms
• 3 Metrics
– Document Complete
– DOM Content Loaded Start
– Speed Index

69. Site1: Fastly customers page
130-135 requests to onload (~3MB)
~99 requests h1àh2 (2.5MB)

71. Site1; DocComplete; 5Mbps/1Mbps/40ms

72. Site1; DCL; 5Mbps/1Mbps/40ms

73. Site1; Speed Index; 5Mbps/1Mbps/40ms

74. Site1; DocComplete; 780Kbps/330Kbps/200ms

75. Site1; DCL; 780Kbps/330Kbps/200ms
***

76. Site1; Speed Index; 780Kbps/330Kbps/200ms

77. 0% PLR 2% PLR
5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms
Site1
(Fastly)
DocComplete h2 h2 h2 h1 h1 h1 h1 h1
DCL Start h2 h1 h2 h2 h2/h1 h1 h2 h2
Speed Index h1 h2 h2 h2 h1 h2/h1 h2/h1 h2

78. Site2
90-100 requests to onload (~1.7MB)
~47 requests h1àh2 (1.2MB)

80. Site2; DocComplete; 5Mbps/1Mbps/40ms

81. Site2; DCL; 5Mbps/1Mbps/40ms

82. Site2; Speed Index; 5Mbps/1Mbps/40ms

83. Site2; DocComplete; 780Kbps/330Kbps/200ms

84. Site2; DCL; 780Kbps/330Kbps/200ms

85. Site2; Speed Index; 780Kbps/330Kbps/200ms
***

86. 0% PLR 2% PLR
5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms
Site1
(Fastly)
DocComplete h2 h2 h2 h1 h1 h1 h1 h1
DCL Start h2 h1 h2 h2 h2/h1 h1 h2 h2
Speed Index h1 h2 h2 h2 h1 h2/h1 h2/h1 h2
Site2
DocComplete h2 h2 h2 h2 h1 h2/h1 h1 h1
DCL Start h2 h2 h2 h2 h1 h1 h1 h1
Speed Index h1 h2 h1 h2 h1 h2 h1 h2

87. Site3
176-212 requests to onload (~3.5MB)
~45-55 requests h1àh2 (2MB)

89. Site3; DocComplete; 5Mbps/1Mbps/40ms
***

90. Site3; DCL; 5Mbps/1Mbps/40ms

91. Site3; Speed Index; 5Mbps/1Mbps/40ms

92. Site3; DocComplete; 780Kbps/330Kbps/200ms

93. Site3; DCL; 780Kbps/330Kbps/200ms

94. Site3; Speed Index; 780Kbps/330Kbps/200ms

95. 0% PLR 2% PLR
5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms
Site1
(Fastly)
DocComplete h2 h2 h2 h1 h1 h1 h1 h1
DCL Start h2 h1 h2 h2 h2/h1 h1 h2 h2
Speed Index h1 h2 h2 h2 h1 h2/h1 h2/h1 h2
Site2
DocComplete h2 h2 h2 h2 h1 h2/h1 h1 h1
DCL Start h2 h2 h2 h2 h1 h1 h1 h1
Speed Index h1 h2 h1 h2 h1 h2 h1 h2
Site3
DocComplete h2 h2 h1 h2 h2 h2 h1 h1
DCL Start h2 h2 h2 h2 h2 h2 h2 h2
Speed Index h2 h2 h1 h1 h1/h2 h1/h2 h1 h1

96. 0% PLR 2% PLR
5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms
Site1a
(Fastly)
DocComplete h2 h2 h2 h1 h1 h1 h1 h1
DCL Start h2 h1 h2 h2 h2/h1 h1 h2 h2
Speed Index h1 h2 h2 h2 h1 h2/h1 h2/h1 h2
Site1b
DocComplete h2/h1 h2 h2 h2 h1 h2 h1 h2/h1
DCL Start h1 h2 h1 h1 h1 h2/h1 h1 h1
Speed Index h1 h2 h2 h1 h1 h2/h1 h1 h1
Site1c
DocComplete h1/h2 h2 h2 h2 h1 h1 h1 h1
DCL Start h1 h1/h2 h1 h1 h1 h2 h1 h1
Speed Index h2 h2 h1 h2 h1 h2 h1 h1
Site2a
DocComplete h2 h2 h2 h2 h1 h2/h1 h1 h1
DCL Start h2 h2 h2 h2 h1 h1 h1 h1
Speed Index h1 h2 h1 h2 h1 h2 h1 h2
Site2b
DocComplete h2 h2 h2 h2 h1 h1/h2 h1 h1
DCL Start h2 h2 h1 h2 h1 h2 h1 h2
Speed Index h2 h1/h2 h1 h1/h2 h2 h2 h1 h1
Site3a
DocComplete h2 h2 h1 h2 h2 h2 h1 h1
DCL Start h2 h2 h2 h2 h2 h2 h2 h2
Speed Index h2 h2 h1 h1 h1/h2 h1/h2 h1 h1
Site3b
DocComplete h2 h2 h2 h1/h2 h2 h2/h1 h2 h2
DCL Start h2 h2 h2 h2 h2 h2 h2 h2
Speed Index h1 h2 h1 h1 h1 h2 h1 h1
Site3c
DocComplete h1 h2 h2 h2 h1 h2 h2 h2
DCL Start h1/h2 h2 h1 h1/h2 h2/h1 h2 h1 h2/h1
Speed Index h1 h2 h2 h2 h2 h2 h2 h2

97. 0% PLR 2% PLR
5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms
Site1a
(Fastly)
DocComplete h2 h2 h2 h1 h1 h1 h1 h1
DCL Start h2 h1 h2 h2 h2/h1 h1 h2 h2
Speed Index h1 h2 h2 h2 h1 h2/h1 h2/h1 h2
Site1b
DocComplete h2/h1 h2 h2 h2 h1 h2 h1 h2/h1
DCL Start h1 h2 h1 h1 h1 h2/h1 h1 h1
Speed Index h1 h2 h2 h1 h1 h2/h1 h1 h1
Site1c
DocComplete h1/h2 h2 h2 h2 h1 h1 h1 h1
DCL Start h1 h1/h2 h1 h1 h1 h2 h1 h1
Speed Index h2 h2 h1 h2 h1 h2 h1 h1
Site2a
DocComplete h2 h2 h2 h2 h1 h2/h1 h1 h1
DCL Start h2 h2 h2 h2 h1 h1 h1 h1
Speed Index h1 h2 h1 h2 h1 h2 h1 h2
Site2b
DocComplete h2 h2 h2 h2 h1 h1/h2 h1 h1
DCL Start h2 h2 h1 h2 h1 h2 h1 h2
Speed Index h2 h1/h2 h1 h1/h2 h2 h2 h1 h1
Site3a
DocComplete h2 h2 h1 h2 h2 h2 h1 h1
DCL Start h2 h2 h2 h2 h2 h2 h2 h2
Speed Index h2 h2 h1 h1 h1/h2 h1/h2 h1 h1
Site3b
DocComplete h2 h2 h2 h1/h2 h2 h2/h1 h2 h2
DCL Start h2 h2 h2 h2 h2 h2 h2 h2
Speed Index h1 h2 h1 h1 h1 h2 h1 h1
Site3c
DocComplete h1 h2 h2 h2 h1 h2 h2 h2
DCL Start h1/h2 h2 h1 h1/h2 h2/h1 h2 h1 h2/h1
Speed Index h1 h2 h2 h2 h2 h2 h2 h2

98. 0% PLR 2% PLR
5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms
Site1a
(Fastly)
DocComplete h2 h2 h2 h1 h1 h1 h1 h1
DCL Start h2 h1 h2 h2 h2/h1 h1 h2 h2
Speed Index h1 h2 h2 h2 h1 h2/h1 h2/h1 h2
Site1b
DocComplete h2/h1 h2 h2 h2 h1 h2 h1 h2/h1
DCL Start h1 h2 h1 h1 h1 h2/h1 h1 h1
Speed Index h1 h2 h2 h1 h1 h2/h1 h1 h1
Site1c
DocComplete h1/h2 h2 h2 h2 h1 h1 h1 h1
DCL Start h1 h1/h2 h1 h1 h1 h2 h1 h1
Speed Index h2 h2 h1 h2 h1 h2 h1 h1
Site2a
DocComplete h2 h2 h2 h2 h1 h2/h1 h1 h1
DCL Start h2 h2 h2 h2 h1 h1 h1 h1
Speed Index h1 h2 h1 h2 h1 h2 h1 h2
Site2b
DocComplete h2 h2 h2 h2 h1 h1/h2 h1 h1
DCL Start h2 h2 h1 h2 h1 h2 h1 h2
Speed Index h2 h1/h2 h1 h1/h2 h2 h2 h1 h1
Site3a
DocComplete h2 h2 h1 h2 h2 h2 h1 h1
DCL Start h2 h2 h2 h2 h2 h2 h2 h2
Speed Index h2 h2 h1 h1 h1/h2 h1/h2 h1 h1
Site3b
DocComplete h2 h2 h2 h1/h2 h2 h2/h1 h2 h2
DCL Start h2 h2 h2 h2 h2 h2 h2 h2
Speed Index h1 h2 h1 h1 h1 h2 h1 h1
Site3c
DocComplete h1 h2 h2 h2 h1 h2 h2 h2
DCL Start h1/h2 h2 h1 h1/h2 h2/h1 h2 h1 h2/h1
Speed Index h1 h2 h2 h2 h2 h2 h2 h2

99. 0% PLR 2% PLR
5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms
Site1a
(Fastly)
DocComplete h2 h2 h2 h1 h1 h1 h1 h1
DCL Start h2 h1 h2 h2 h2/h1 h1 h2 h2
Speed Index h1 h2 h2 h2 h1 h2/h1 h2/h1 h2
Site1b
DocComplete h2/h1 h2 h2 h2 h1 h2 h1 h2/h1
DCL Start h1 h2 h1 h1 h1 h2/h1 h1 h1
Speed Index h1 h2 h2 h1 h1 h2/h1 h1 h1
Site1c
DocComplete h1/h2 h2 h2 h2 h1 h1 h1 h1
DCL Start h1 h1/h2 h1 h1 h1 h2 h1 h1
Speed Index h2 h2 h1 h2 h1 h2 h1 h1
Site2a
DocComplete h2 h2 h2 h2 h1 h2/h1 h1 h1
DCL Start h2 h2 h2 h2 h1 h1 h1 h1
Speed Index h1 h2 h1 h2 h1 h2 h1 h2
Site2b
DocComplete h2 h2 h2 h2 h1 h1/h2 h1 h1
DCL Start h2 h2 h1 h2 h1 h2 h1 h2
Speed Index h2 h1/h2 h1 h1/h2 h2 h2 h1 h1
Site3a
DocComplete h2 h2 h1 h2 h2 h2 h1 h1
DCL Start h2 h2 h2 h2 h2 h2 h2 h2
Speed Index h2 h2 h1 h1 h1/h2 h1/h2 h1 h1
Site3b
DocComplete h2 h2 h2 h1/h2 h2 h2/h1 h2 h2
DCL Start h2 h2 h2 h2 h2 h2 h2 h2
Speed Index h1 h2 h1 h1 h1 h2 h1 h1
Site3c
DocComplete h1 h2 h2 h2 h1 h2 h2 h2
DCL Start h1/h2 h2 h1 h1/h2 h2/h1 h2 h1 h2/h1
Speed Index h1 h2 h2 h2 h2 h2 h2 h2

100. Trends?
• Metrics later in the page seem to get affected more
by packet loss (?)
• Lots of exceptions
– Sometimes h2 holds up even under loss conditions
– Sometimes h1 wins even when there’s no loss
• Firefox and Chrome don’t always behave the same

101. PLR in the real world

103. Some reading…
• http://c3lab.poliba.it/images/3/3b/QUIC_SAC15.pdf
• https://www.usenix.org/system/files/conference/nsdi14/nsdi14-paper-
wang_xiao_sophia.pdf
• http://arxiv.org/pdf/1507.06562v1.pdf
• http://nl.cs.montana.edu/lab/publications/Goel_H2_extended.pdf
• https://99designs.com.au/tech-blog/blog/2016/07/14/real-world-
http-2-400gb-of-images-per-day/

104. Now what?

105. Caution!
• we’re not going to draw big conclusions, other than:
– Packet loss seems to matter
– h2 isn’t always faster!
• This was all simulated
– PLR is different in the real world
– Users have a mix of connection profiles
– Nothing beats real world data
• Your mileage may (and will) vary

106. Don’t listen to anyone!!

107. Don’t listen to anyone!!

108. https://speakerdeck.com/patrickhamann/http2-what-where-why-and-when-smashing-conference-march-2016

109. https://speakerdeck.com/patrickhamann/http2-what-where-why-and-when-smashing-conference-march-2016

110. https://github.com/fastlyhoo/wpt_h1vsh2

111. https://github.com/fastlyhoo/wpt_h1vsh2

112. QUIC

114. Server push

115. Server push basics
• Ability to “push” a resource to the client before
the client requests it
– And before the client knows it needs it
– Only servers can push
• Hop-by-hop

116. SETTINGS

117. PUSH_PROMISE

118. connection
HEADERS (sid=1)
GET /index.html
time
DATA (sid=2) DATA (sid=1) DATA (sid=2)
DATA (sid=2) DATA (sid=2)HEADERS (sid=2)
PUSH_PROMISE(sid=1)
Promised sid=2
GET /css1.css
<request headers>
DATA (sid=1) DATA (sid=1) DATA (sid=1)HEADERS (sid=1)

121. Server Push
• What do we push?
– Outside the scope of the protocol
• Push and browser caches don’t necessarily play
well together
– RST_STREAM ?
– Even if the browser rejected, it’s too late

122. No push – first view

123. No push – repeat view

124. Push – first view
Pushed

125. Push – repeat view
Pushed

126. Use cases

127. Essential resources for this page
• Similar to <Link rel=“preload”>
• Save 1xRTT

128. Push:
No Push:

129. Push during server think time
• Push assets to the browser while the server is
“thinking”
– Backend processing
– Time to deliver HTML from origin through a CDN

131. Push during server think time
• Push assets to the browser while the server is
“thinking”
– Backend processing
– Time to deliver HTML from origin through a CDN
• https://blog.yoav.ws/being_pushy/
• This isn’t a trivial thing to do; ask your CDN
about support

132. Next navigation?
h$ps://w3c.github.io/resource-hints/

133. We still have some questions
• What do we push?
– Still unclear…
– https://docs.google.com/document/d/
1K0NykTXBbbbTlv60t5MyJvXjqKGsCVNYHyLEXIxYMv0/
edit
• What if it’s already in the browser cache?
– H2O: CASPER
– Cache Digests:
• https://tools.ietf.org/html/draft-ietf-httpbis-cache-digest-00

134. Other use cases?
h$ps://www.facebook.com/atscaleevents/videos/1775942979345465/

135. HPACK

136. HPACK (RFC 7541)
• Addresses the header bloat problem
• Two primary mechanisms
– All headers (name=value) are Huffman encoded
– Indexed tables at each peer

137. Tables
• Static table
– Defined by the RFC, never changes
• Dynamic table
– Built during the connection and maintained by each
side
– FIFO

138. +-------+-----------------------------+---------------+
| Index | Header Name | Header Value |
+-------+-----------------------------+---------------+
| 1 | :authority | |
| 2 | :method | GET |
| 3 | :method | POST |
| 4 | :path | / |
| 5 | :path | /index.html |
| 6 | :scheme | http |
| 7 | :scheme | https |
| 8 | :status | 200 |
| 9 | :status | 204 |
| 10 | :status | 206 |
| 11 | :status | 304 |
| 12 | :status | 400 |
| 13 | :status | 404 |
| 14 | :status | 500 |
| 15 | accept-charset | |
| 16 | accept-encoding | gzip, deflate |
| 17 | accept-language | |
| 18 | accept-ranges | |
| 19 | accept | |
| 20 | access-control-allow-origin | |
| 21 | age | |
| 22 | allow | |
| 23 | authorization | |
| 24 | cache-control | |
| 25 | content-disposition | |
| 26 | content-encoding | |
| 27 | content-language | |
| 28 | content-length | |
| 29 | content-location | |
| 30 | content-range | |
+-------+-----------------------------+---------------+
Table 1: Static Table Entries
+-------+-----------------------------+---------------+
| Index | Header Name | Header Value |
+-------+-----------------------------+---------------+
| 31 | content-type | |
| 32 | cookie | |
| 33 | date | |
| 34 | etag | |
| 35 | expect | |
| 36 | expires | |
| 37 | from | |
| 38 | host | |
| 39 | if-match | |
| 40 | if-modified-since | |
| 41 | if-none-match | |
| 42 | if-range | |
| 43 | if-unmodified-since | |
| 44 | last-modified | |
| 45 | link | |
| 46 | location | |
| 47 | max-forwards | |
| 48 | proxy-authenticate | |
| 49 | proxy-authorization | |
| 50 | range | |
| 51 | referer | |
| 52 | refresh | |
| 53 | retry-after | |
| 54 | server | |
| 55 | set-cookie | |
| 56 | strict-transport-security | |
| 57 | transfer-encoding | |
| 58 | user-agent | |
| 59 | vary | |
| 60 | via | |
| 61 | www-authenticate | |
+-------+-----------------------------+---------------+
Table 1: Static Table Entries

139. Performance benefits

140. Performance benefits
Bytes BrowseràServer

141. Performance benefits
Bytes BrowseràServer
Bytes BrowseràServer

142. https://blogs.dropbox.com/tech/2016/05/enabling-http2-for-dropbox-web-services-experiences-and-observations/

143. HPACK – things to know
• Default size is 4K
– For the entire dynamic table
– Site-wide headers proposal:
• https://tools.ietf.org/html/draft-nottingham-site-wide-headers-00
• Compression context is set per connection
– New connection starts from scratch with static table and builds new dynamic table
• An attack vector
– https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
• Can’t turn it off
– Without it, pipelining would be very difficult

144. content-security-policy: script-src https://connect.facebook.net https://cm.g.doubleclick.net
https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval'
https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://
publish.twitter.com https://ton.twitter.com 'unsafe-inline' https://syndication.twitter.com
https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-
analytics.com 'self'; font-src https://twitter.com https://*.twimg.com data: https://
ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://
netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://
ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com
https://*.twimg.com https://api.twitter.com https://pay.twitter.com https://
analytics.twitter.com https://media.riffsy.com https://upload.twitter.com https://
api.mapbox.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://
*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://
platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://
staticxx.facebook.com https://twitter.com https://*.twimg.com https://
5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://
www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co
twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com
https://s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://
graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com data: https://
lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://
ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com
https://www.google.com https://stats.g.doubleclick.net https://*.tiles.mapbox.com https://
www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?
a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

145. content-security-policy: script-src https://connect.facebook.net https://cm.g.doubleclick.net
https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval'
https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://
publish.twitter.com https://ton.twitter.com 'unsafe-inline' https://syndication.twitter.com
https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-
analytics.com 'self'; font-src https://twitter.com https://*.twimg.com data: https://
ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://
netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://
ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com
https://*.twimg.com https://api.twitter.com https://pay.twitter.com https://
analytics.twitter.com https://media.riffsy.com https://upload.twitter.com https://
api.mapbox.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://
*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://
platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://
staticxx.facebook.com https://twitter.com https://*.twimg.com https://
5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://
www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co
twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com
https://s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://
graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com data: https://
lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://
ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com
https://www.google.com https://stats.g.doubleclick.net https://*.tiles.mapbox.com https://
www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?
a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
2.2KB

146. HPACK – things to know
• Default size is 4K
– For the entire dynamic table
– Site-wide headers proposal:
• https://tools.ietf.org/html/draft-nottingham-site-wide-headers-00
• Compression context is set per connection
– New connection starts from scratch with static table and builds new dynamic table
• An attack vector
– https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
• Can’t turn it off
– Without it, pipelining would be very difficult

148. Tools and resources

149. http://chimera.labs.oreilly.com/books/1230000000545

150. HTTP/2 and SPDY indicator
• Chrome:
– https://chrome.google.com/webstore/detail/http2-and-spdy-
indicator/mpbpobfflnpcgagjijhmgnchggcjblin?hl=en
• Firefox:
– https://addons.mozilla.org/en-us/firefox/addon/spdy-indicator/

151. Chrome DevTools

152. Chrome net-internals

153. wireshark
Using the TLS key file:
h$ps://jimshaver.net/2015/02/11/decrypMng-tls-browser-traffic-with-wireshark-the-easy-way/

154. cURL

155. https://nghttp2.org/
nghttp

156. Others
• h2c (and wiretapping):
– https://github.com/fstab/h2c
• h2a: reverse proxy
– https://github.com/summerwind/h2a
• Conformance:
– https://github.com/summerwind/h2spec
• Charles proxy
– https://www.charlesproxy.com
• http-wg
– https://github.com/http2/http2-spec/wiki/Tools

157. Summary and takeaways
• h2 is complicated, but hopefully better for us going forward
– Browser protocol?
• Not everything will be as easy/fast as we’d like
• We still have a lot of learning to do
• We need to start thinking about how to build applications to best
leverage the new protocol
• You can help!

158. Thank you!