
Handling of RFC7540 8.1.2.5

Open valkum opened this issue 11 months ago • 5 comments

We ran into an issue where the HeaderMap returned in hyper as part of http::Request contains multiple entries for the cookie key.

The HTTP/2 spec states in 8.1.2.5:

If there are multiple Cookie header fields after decompression, these MUST be concatenated into a single octet string using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ") before being passed into a non-HTTP/2 context, such as an HTTP/1.1 connection, or a generic HTTP server application.

Currently, if I see this right, during decoding each header is simply appended to the HeaderMap (see https://github.com/hyperium/h2/blob/master/src/frame/headers.rs#L895C38-L895C38).

This HeaderMap ends up in the request that is passed to the user of h2 (/hyper) without merging the Cookie header. I created a simple repro at https://github.com/valkum/h2-cookie-violation. You need Go installed because curl currently does not use 8.1.2.5, but the Go http2 seems to do that (similar to browsers).

If, for any reason, this is an expected deviation from the spec, I guess h2 and possibly hyper should get some docs about this deviation. It seems the current ecosystem (for using cookies in Rust) settled on using HeaderMap::get_all for Cookies.

valkum, Jul 06 '23 16:07
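The concatenation that RFC 7540 section 8.1.2.5 describes, as an added example that is not part of the original issue and is not h2 or hyper code. It assumes the decoded header list is modelled as ordered (name, value) byte pairs so it needs only `std`; `fold_cookie_fields` and `sample` are hypothetical names, and with a real `HeaderMap` the values would come from `HeaderMap::get_all`.

```rust
// Added example: fold split HTTP/2 Cookie fields into one field, joined with
// the two-octet delimiter 0x3B 0x20 ("; ") from RFC 7540 section 8.1.2.5.
// Assumption: headers are ordered (name, value) byte pairs, not http::HeaderMap.

type Field = (Vec<u8>, Vec<u8>);

/// Returns the field list with every `cookie` entry merged into a single
/// entry placed where the first cookie field appeared. All other fields keep
/// their relative order and are copied unchanged.
fn fold_cookie_fields(fields: &[Field]) -> Vec<Field> {
    let mut out: Vec<Field> = Vec::with_capacity(fields.len());
    let mut cookie_idx: Option<usize> = None;
    for (name, value) in fields {
        // HTTP/2 names are lowercase on the wire; the case-insensitive
        // comparison also covers lists that were built from HTTP/1.1 input.
        if !name.eq_ignore_ascii_case(b"cookie") {
            out.push((name.clone(), value.clone()));
            continue;
        }
        match cookie_idx {
            None => {
                cookie_idx = Some(out.len());
                out.push((b"cookie".to_vec(), value.clone()));
            }
            Some(i) => {
                out[i].1.extend_from_slice(b"; ");
                out[i].1.extend_from_slice(value);
            }
        }
    }
    out
}

/// Constructed sample: a request whose cookies arrived as three fields.
fn sample() -> Vec<Field> {
    [("user-agent", "example/1.0"), ("cookie", "a=1"), ("cookie", "b=2"),
     ("accept", "*/*"), ("cookie", "c=3")]
        .iter()
        .map(|(n, v)| (n.as_bytes().to_vec(), v.as_bytes().to_vec()))
        .collect()
}

fn main() {
    for (n, v) in fold_cookie_fields(&sample()) {
        println!("{}: {}", String::from_utf8_lossy(&n), String::from_utf8_lossy(&v));
    }
}
```

Code that reads only the first `cookie` entry of the unmerged list would see `a=1` and miss `b=2` and `c=3`; after folding, a single lookup returns all three pairs.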