This is some fancy stuff. Strictly speaking, these aren’t issues in the HTTP/2 protocol itself. However, with many websites using HTTP/1.1 for their backend communication, the translation from HTTP/2 to HTTP/1.1 becomes a major source of vulnerabilities due to insufficient validation.
Likewise, the spec lists restrictions for the Content-Length header but ignores the similarly problematic Transfer-Encoding header. In fact, outright disallowing both might have been the better option.
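To make the downgrade problem concrete, here is an added example (not code from the original post or from any front-end product): a naive HTTP/2-to-HTTP/1.1 translator that copies header fields verbatim, a hardened one that follows the "disallow both" suggestion by rejecting Transfer-Encoding and re-deriving Content-Length from the body HTTP/2 already framed, and a minimal HTTP/1.1 request splitter standing in for the backend. The function names, the `CONNECTION_SPECIFIC` set and the smuggled request body are constructed for illustration; the chunked-takes-precedence rule in the splitter is the one from RFC 7230 section 3.3.3.

```python
# Added example: HTTP/2 -> HTTP/1.1 downgrade, naive vs hardened, plus the
# request splitting an HTTP/1.1 backend applies to the resulting byte stream.
# All names and the sample request are constructed for illustration.
from typing import Callable, Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Headers whose meaning is tied to one HTTP/1.1 connection. A downgrade must
# never copy them from the HTTP/2 request into the HTTP/1.1 request.
CONNECTION_SPECIFIC = {
    "transfer-encoding", "connection", "keep-alive", "upgrade",
    "proxy-connection", "te",
}


def h2_to_h1_naive(pseudo: Dict[str, str], headers: Headers, body: str) -> str:
    """Copy every HTTP/2 header field verbatim: the client picks the framing
    (Content-Length / Transfer-Encoding) the backend will use."""
    out = f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1\r\n"
    out += f"Host: {pseudo[':authority']}\r\n"
    for name, value in headers:
        out += f"{name}: {value}\r\n"
    return out + "\r\n" + body


def h2_to_h1_hardened(pseudo: Dict[str, str], headers: Headers, body: str) -> str:
    """Derive framing from the HTTP/2 stream instead of trusting header fields.

    HTTP/2 already framed the body in DATA frames, so len(body) is the only
    trustworthy length: Transfer-Encoding is refused, a client Content-Length
    is accepted only if it matches, and CR/LF in any field is refused so no
    header can inject an extra line into the HTTP/1.1 request.
    """
    for value in pseudo.values():
        if "\r" in value or "\n" in value:
            raise ValueError("CR/LF in pseudo-header")
    out = f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1\r\n"
    out += f"Host: {pseudo[':authority']}\r\n"
    for name, value in headers:
        if "\r" in name + value or "\n" in name + value or ":" in name:
            raise ValueError(f"illegal characters in header {name!r}")
        lname = name.lower()
        if lname in CONNECTION_SPECIFIC:
            raise ValueError(f"connection-specific header in HTTP/2 request: {name}")
        if lname == "content-length":
            if not value.isdigit() or int(value) != len(body):
                raise ValueError("Content-Length disagrees with framed body")
            continue  # re-emitted below from the real length
        out += f"{name}: {value}\r\n"
    out += f"Content-Length: {len(body)}\r\n"
    return out + "\r\n" + body


def split_h1_requests(stream: bytes) -> List[Tuple[str, bytes]]:
    """Split a byte stream into (request line, body) pairs the way an HTTP/1.1
    backend does: chunked Transfer-Encoding wins over Content-Length, and a
    request with neither has an empty body."""
    requests = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        hdrs = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            hdrs[name.strip().lower()] = value.strip()
        pos = head_end + 4
        if "chunked" in hdrs.get("transfer-encoding", "").lower():
            body = b""
            while True:
                size_end = stream.find(b"\r\n", pos)
                size = int(stream[pos:size_end].split(b";")[0], 16)
                pos = size_end + 2
                if size == 0:
                    pos += 2  # empty trailer section ends with its own CRLF
                    break
                body += stream[pos:pos + size]
                pos += size + 2  # chunk data plus its trailing CRLF
        else:
            length = int(hdrs.get("content-length", "0"))
            body = stream[pos:pos + length]
            pos += length
        requests.append((lines[0], body))
    return requests


# Constructed attack body: a chunked terminator followed by a second request.
SMUGGLED = "0\r\n\r\nGET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"
PSEUDO = {":method": "POST", ":path": "/", ":authority": "front"}


def backend_view(downgrade: Callable, headers: Headers) -> List[str]:
    """Run a downgrade on the attack body and return the request lines the
    backend parses out of the resulting HTTP/1.1 byte stream."""
    wire = downgrade(PSEUDO, headers, SMUGGLED).encode("latin-1")
    return [line for line, _ in split_h1_requests(wire)]


if __name__ == "__main__":
    te = [("content-type", "text/plain"), ("transfer-encoding", "chunked")]
    print("naive:", backend_view(h2_to_h1_naive, te))
    try:
        backend_view(h2_to_h1_hardened, te)
    except ValueError as err:
        print("hardened refused:", err)
    print("hardened:", backend_view(h2_to_h1_hardened, [("content-type", "text/plain")]))
```

With the naive translator the backend sees two requests, the second being the smuggled `GET /admin` that the front end never inspected; the hardened translator refuses the request at the boundary, and for a clean request it emits a single body whose length the backend cannot be talked out of.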