Skip to content

Introduce new CSP keyword 'unsafe-webtransport-hashes' #683

New issue
New issue
Open
#791
Open
Introduce new CSP keyword 'unsafe-webtransport-hashes'#683
#791
Labels
needs concrete proposalMoving the issue forward requires someone to figure out a detailed plan
@jan-ivar

Description

@jan-ivar
jan-ivar
opened on Oct 8, 2024

From w3c/webtransport#59 (comment): WebTransport acts like fetch wrt connect-src: https://A.com for normal use like:

const wta = new WebTransport("https://A.com");

But the API also allows websites to connect using custom hashes:

const wtb = new WebTransport("https://B.com", {serverCertificateHashes: [{algorithm: "sha-256", value}]});

For this we think we need of a new CSP keyword directive, something like connect-certificate-hash: https://B.com/ e.g.

Content-Security-Policy: connect-src https://A.com/;
                         connect-certificate-hash: https://B.com/

The idea is:

  • if connect-src is absent, then custom certs are allowed
  • if connect-src is present, connect-certificate-hash is needed to allow custom certs

Does this make sense? Can someone help us with this?

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs concrete proposalMoving the issue forward requires someone to figure out a detailed plan

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions