Brotli header is only sent on HTTPS connections


Joe Duarte

Jul 7, 2016, 7:50:37 PM
to Brotli
Hi all,

I've noticed that both Chrome and Firefox only include br in their Accept-Encoding header fields when HTTPS is used. They never include the Brotli header for unencrypted HTTP pages. Does anyone happen to know why? Why would better compression be reserved for secure sessions?

All browser vendors have decided to implement HTTP/2 as encrypted only, but I hadn't heard anything similar about Brotli. Note that the br header is not restricted to HTTP/2 sessions, which as I just mentioned are HTTPS only. Both Firefox and Chrome will send the br header for HTTP/1.1 connections, so long as they're HTTPS, e.g. GitHub.

Cheers,

Joe

Guillaume Rossolini

Jul 8, 2016, 3:08:33 PM
to Brotli
Hi,

I believe this is intentional, and part of the "encrypt the Web" movement.
They did state they would only enable powerful features when browsing over HTTPS.

Cheers,

Evgenii Kliuchnikov

Jul 11, 2016, 8:05:16 AM
to Brotli
Hello.

Brotli is intentionally advertised only over HTTPS connections. Though the reason is more practical than promoting HTTPS: we tried to avoid data being spoiled by proxies.
Earlier, Chromium / Firefox developers tried to add "bzip2" content-encoding and were hit by incorrect proxy behaviour. Being aware of this incident, we made a decision to allow brotli encoding only in an environment that doesn't give proxies a chance to ruin users' experience.
But even with HTTPS we have had issues with Viruses / Anti-Viruses that spoil data after it is decoded but before it is decompressed.

We understand that it may be inconvenient to debug... Now it is a little bit easier in Chromium-Canary - brotli encoding is advertised for localhost connections. Also, if for a non-HTTP connection the server responds with "content-encoding: br", Chromium accepts it (but Firefox does not).

Joe Duarte

Jul 15, 2016, 5:13:08 PM
to Brotli

Thanks Evgenii. That makes sense. What about QUIC? Will Chrome send the br accept header in a QUIC session?

JD

elaw...@google.com

Aug 3, 2016, 4:19:29 PM
to Brotli
Chrome advertises Brotli when the request's URL scheme is secure (HTTPS or WSS, although the latter is not likely to be relevant), see https://cs.chromium.org/chromium/src/net/url_request/url_request_http_job.cc?q=brotli+accept-encoding&sq=package:chromium&l=724&dr=C
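
A server-side view of the behaviour discussed in this thread, as an added example that is not part of any poster's message or of Chromium's code: the server selects `br` only when the request's Accept-Encoding offers it, so clients that omit it on plain HTTP fall back to gzip. The function names and the server preference list are assumptions made for illustration.

```python
# Added example: negotiate the content coding from Accept-Encoding itself,
# never from the URL scheme or a guess about the browser.
SERVER_PREFERENCE = ("br", "gzip")  # assumed server capabilities, best first


def parse_accept_encoding(header):
    """Return {coding: q} from an Accept-Encoding value (RFC 7231, 5.3.4)."""
    weights = {}
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        coding, *params = [part.strip() for part in item.split(";")]
        q = 1.0
        for param in params:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
                if not 0.0 <= q <= 1.0:
                    q = 0.0  # malformed or out-of-range weight: treat as refused
        weights[coding.lower()] = q
    return weights


def choose_encoding(header, preference=SERVER_PREFERENCE):
    """Pick a coding the client accepts with q > 0, else 'identity'."""
    weights = parse_accept_encoding(header or "")
    best, best_q = "identity", 0.0
    for coding in preference:
        q = weights.get(coding, weights.get("*", 0.0))
        if q > best_q:  # strict '>' keeps server preference order on ties
            best, best_q = coding, q
    return best


def response_headers(header):
    """Response headers; Vary stops shared caches serving br to non-br clients."""
    headers = {"Vary": "Accept-Encoding"}
    coding = choose_encoding(header)
    if coding != "identity":
        headers["Content-Encoding"] = coding
    return headers
```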