HTTP2 server push preloading does not send cookie data

1
votes

In light of Cloudflare's new support for HTTP2 server push, I'm attempting to preload an AJAX request which runs in Javascript at the end of the HTML body. Testing is done in Chrome Canary. The request is made in the headers, so it can be cached for immediate load when requested again.

The header is:

Link: </request>; rel=preload;

This successfully fires off to that https://www.example.org/request. The request headers it sends to that URL are:

Accept: */*

Referer: https://www.example.org/request

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2726.0 Safari/537.36

X-Requested-With: XMLHttpRequest

The problem is that cookie data isn't sent with the preload request, but is sent with the existing Javascript. I can find no information at all about how to fix this or even whether it is correct behaviour. There appears to be no mention of cookies in the spec, so presumably it should be handled as any other type of request.

1
xmlhttprequestpreloadserver-pushhttp2
Any chance you came up with a workaround you could add as an answer?jayphelps

1 Answers

1
votes

Server Push essentially pushes data TCP down to the client after just one TCP request from the client. The only opportunity the client the client gets to receive data from the client is in the initial request. Clients can't server push back to the server.

HTTP2 Server Push Diagram

When it comes to cookies; you will need to obtain them from the original request, when data is being pushed the server doesn't have an opportunity to receive additional headers. Server-Sent Events or WebSockets can help us here.

As stated in RFC 7540.

A complete header block consists of either:

 a single HEADERS or PUSH_PROMISE frame, with the END_HEADERS flag
set, or

 a HEADERS or PUSH_PROMISE frame with the END_HEADERS flag cleared
and one or more CONTINUATION frames, where the last CONTINUATION
frame has the END_HEADERS flag set.

Section PUSH_PROMISE 4.3 of that RFC goes into detail on how it can contain a header block fragments.

Let me leave you with the following quote:

HTTP 2.0 server push is not a replacement for technologies such as Server-Sent Events (SSE) or WebSocket. Resources delivered via HTTP 2.0 server push are processed by the browser but do not bubble up to the application code - there is no JavaScript API to get notifications for these events.

There are Node.js code examples on how you can implement this in: Innovating with HTTP 2.0 Server Push