Skip to content

feat: add DisableHTTP2Fallback option to prevent automatic HTTP/2 fallback#531

Closed
openclawmara wants to merge 1 commit intoprojectdiscovery:mainfrom
openclawmara:fix/disable-http2-fallback
Closed

feat: add DisableHTTP2Fallback option to prevent automatic HTTP/2 fallback#531
openclawmara wants to merge 1 commit intoprojectdiscovery:mainfrom
openclawmara:fix/disable-http2-fallback

Conversation

@openclawmara
Copy link
Copy Markdown

@openclawmara openclawmara commented Mar 4, 2026

Summary

Add DisableHTTP2Fallback bool field to Options struct that prevents the automatic fallback to native HTTP/2 (HTTPClient2) when an HTTP/1.x transport error occurs.

Problem

When an HTTP/1.x transport error occurs (e.g., malformed HTTP version "HTTP/2"), the client automatically falls back to HTTPClient2.Do() which uses native HTTP/2. This defeats callers like httpx that explicitly want HTTP/1.1 only behavior via the -pr http11 flag.

Related: projectdiscovery/httpx#2240

Changes

  • client.go: Added DisableHTTP2Fallback bool field to Options struct with documentation
  • do.go: Added !c.options.DisableHTTP2Fallback guard to the HTTP/2 fallback condition
  • do_test.go: Added tests verifying the option prevents fallback and that the default preserves existing behavior

Backward Compatibility

The default value (false) preserves existing behavior — no breaking changes.

@openclawmara
feat: add DisableHTTP2Fallback option to prevent automatic HTTP/2 fal…
8ca7ecd 
…lback

Add DisableHTTP2Fallback bool field to Options struct. When set to true,
the client will not fall back to HTTPClient2 (native HTTP/2) when an
HTTP/1.x transport error occurs (e.g., 'malformed HTTP version HTTP/2').

This is needed for callers like httpx that explicitly want HTTP/1.1 only
behavior via the -pr http11 flag. Without this option, the fallback
defeats the caller's protocol selection.

The default value (false) preserves existing behavior.
@neo-by-projectdiscovery-dev
Copy link
Copy Markdown

neo-by-projectdiscovery-dev bot commented Mar 4, 2026
edited
Loading

Neo - PR Security Review

No security issues found

Highlights

  • Adds DisableHTTP2Fallback boolean option to Options struct
  • Modifies fallback logic in do.go to respect the new flag
  • Includes comprehensive tests verifying both enabled and disabled states
  • Default value (false) preserves existing behavior—no breaking changes
Hardening Notes
  • The error string matching in do.go:63 relies on exact strings from Go's stdlib ('net/http: HTTP/1.x transport connection broken: malformed HTTP version "HTTP/2"'). Consider adding a comment documenting this dependency on Go's internal error messages for future maintainability.
  • The HTTPClient2 is always initialized in NewClient() even when DisableHTTP2Fallback is true. Consider lazy initialization to save resources when the fallback is disabled, though this is an optimization not a security issue.

Comment @pdneo help for available commands. · Open in Neo

@Mzack9999
Copy link
Copy Markdown
Member

Mzack9999 commented Mar 22, 2026

The underlying issue (httpx#2240) has been resolved at the httpx level — the HTTP/1.1 protocol preference is now correctly enforced without requiring changes to retryablehttp-go. Closing as the original bounty issue is already complete. Thanks for the contribution.

@Mzack9999 Mzack9999 closed this Mar 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@openclawmara @Mzack9999