From ee3f5edab92b0ca14dc0b3c98862f721bddaf7d5 Mon Sep 17 00:00:00 2001
From: Adam Mathes <adam@adammathes.com>
Date: Wed, 18 Feb 2026 08:01:45 -0800
Subject: fix: disable HTTP/2 in SafeClient to avoid unhandled response frame
 errors

---
 internal/safehttp/safehttp.go | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'internal/safehttp/safehttp.go')

diff --git a/internal/safehttp/safehttp.go b/internal/safehttp/safehttp.go
index f2c316b..eade405 100644
--- a/internal/safehttp/safehttp.go
+++ b/internal/safehttp/safehttp.go
@@ -2,6 +2,7 @@ package safehttp
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/http"
@@ -82,6 +83,11 @@ func NewSafeClient(timeout time.Duration) *http.Client {
 	transport.DialContext = SafeDialer(dialer)
 	transport.Proxy = nil // Disable proxy to ensure SSRF checks are not bypassed
 
+	// Disable HTTP/2 to avoid "unhandled response frame type" errors from servers with
+	// non-standard HTTP/2 implementations, which is common among various RSS feed hosts.
+	transport.ForceAttemptHTTP2 = false
+	transport.TLSNextProto = make(map[string]func(string, *tls.Conn) http.RoundTripper)
+
 	return &http.Client{
 		Timeout:   timeout,
 		Transport: transport,
-- 
cgit v1.2.3