[Bug 69713] HTTP/2 DATA frame with padding cause error when HEADERS contains content-length field.

Thu, 31 Jul 2025 23:49:28 -0700 

https://bz.apache.org/bugzilla/show_bug.cgi?id=69713

Nirbhay <nns15...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #5 from Nirbhay <nns15...@gmail.com> ---

**REGRESSION REPORT: HTTP/2 Data Frame Handling in 10.1.43 (Bug 69713)**

**Environment:**
- Tomcat Version: 10.1.43 (regression), 10.1.42 (works fine)
- Browser: Chrome/Firefox (both affected)
- Protocol: HTTP/2 over HTTP (port 8080)
- Content: Static files (HTML, CSS, JS)

**Issue Description:**
After upgrading from Tomcat 10.1.42 to 10.1.43, our web application's frontend
fails to load static resources due to HTTP/2 protocol errors.

**Error Symptoms:**
1. Browser Console: `ERR_HTTP2_PROTOCOL_ERROR 200 (OK)`
2. Frontend module loader timeouts: `Load timeout for modules:
text!/com/path/file.html`
3. HTTP status is 200, but browser rejects the response due to protocol
violation
4. Static files (HTML/CSS/JS) affected, dynamic content works

**Root Cause Analysis:**
The issue correlates directly with **Fix 69713**: "Correctly handle an HTTP/2
data frame that includes padding when the headers include a content-length."

**Suspected Problem:**
The fix appears to have introduced a regression in HTTP/2 frame construction
where:
- Data frames with both padding and content-length headers are malformed
- Browsers interpret these as HTTP/2 protocol violations
- The "fix" may be too strict or incorrectly handling frame boundaries/padding

**Reproduction:**
1. Deploy any web app with static files on Tomcat 10.1.43
2. Enable HTTP/2 (`<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol" />`)
3. Access static resources via frontend module loaders (RequireJS, AMD, etc.)
4. Observe ERR_HTTP2_PROTOCOL_ERROR in browser console

**Workaround:**
- Revert to Tomcat 10.1.42, or
- Disable HTTP/2 in server.xml

**Request:**
Please review the HTTP/2 data frame construction logic introduced in Fix 69713
for browser compatibility. The fix may be causing valid responses to be
formatted in a way that violates HTTP/2 specification from the browser's
perspective.

**Impact:**
Production web applications with HTTP/2 enabled cannot serve static content
reliably.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to