Hello Volunteers,
Section 1.2 of our spec PDF says:
All servlet containers must support HTTP as a protocol for requests
and responses, but additional request/response-based protocols such as
HTTPS (HTTP over SSL) may be supported. The required versions of the
HTTP specification that a container must implement are HTTP/1.1 and
HTTP/2. When supporting HTTP/2, servlet containers must support the
"h2" protocol identifier (as specified in section 3.1 of the HTTP/2
RFC). This implies all servlet containers must support ALPN. Servlet
containers are not required to support the "h2c" protocol identifier
(as specified in section 3.1 of the HTTP/2 RFC).
I propose we amend this to require h2c, not just have it optional. This
gives the following revised text:
All servlet containers must support HTTP as a protocol for requests
and responses, but additional request/response-based protocols such as
HTTPS (HTTP over SSL) may be supported. The required versions of the
HTTP specification that a container must implement are HTTP/1.1 and
HTTP/2. When supporting HTTP/2, servlet containers must support the
"h2" and "h2c" protocol identifiers (as specified in section 3.1 of
the HTTP/2 RFC). This implies all servlet containers must support
ALPN.
I know there are all these arguments from PHK and others about moving
the world away from the potential of government interference, but
considering that many users deploy Servlets enitrely within secure data
centers, not requiring h2c is a mistake in my opinion.
I suspect most impls already do h2 and h2c anyway. I know GlassFish
does.
ACTION: Please respond by start of business Tuesday 18 April 2017. No
response means this proposal is ok.
Thanks,
Ed
--
| edward.burns_at_oracle.com | office: +1 407 458 0017
| 6 business days until planned start of Servlet 4.0 Public Review