kornel, I'm annoyed by the rants about HTTP/2 being "bad" for having one (already mitigated) issue, as if we foolishly left a better protocol behind.
HTTP/1 had a long history of request smuggling attacks due to its deceptively tricky to parse syntax. H/1 got hit by slow loris DoS. H/1 pipelining is forever unreliable — browser vendors have given up on it after years of trying, and getting silent data corruption. The "simple" protocol has created complexity of domain sharding and cookieless domains.