Skip to content

Add 'unsafe-webtransport-hashes' keyword to connect-src #791

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add 'unsafe-webtransport-hashes' keyword to connect-src #791

wants to merge 3 commits into from

Conversation

@jan-ivar
Copy link
Member

@jan-ivar jan-ivar commented Nov 25, 2025
edited by pr-preview bot
Loading

Fixes #683. Assumes an unsafe-webtransport-hashes flag on request (seems simplest post w3c/webtransport#697).

@dveditz @annevk @martinthomson WDYT?

Preview | Diff

annevk
annevk reviewed Nov 25, 2025
View reviewed changes
Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks reasonable overall. @antosart probably needs to review.

antosart
antosart reviewed Nov 25, 2025
View reviewed changes
Copy link
Member

@antosart antosart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also need to adapt the post-request check? The interaction between fetch an webtransport is not totally clear to me, but I guess it would also go through https://fetch.spec.whatwg.org/#ref-for-should-block-response%E2%91%A0 ?

@antosart
Copy link
Member

antosart commented Nov 25, 2025

Also, we probably need WPTs.

@mikewest after conversations at TPAC, do we already have an updated process for changes to the spec?

@mikewest
Copy link
Member

mikewest commented Nov 25, 2025

No, it's been on my list since TPAC, but I haven't gotten a proposal out yet.

Certainly will require WPT coverage and signals from other vendors, though. I think we have the latter here, but not the former?

@jan-ivar
Copy link
Member Author

jan-ivar commented Nov 25, 2025

I've added the post-request check and used "unsafe-webtransport-hashes is not empty" for now. Thanks for the reviews!

(Unless there are any takers) I'll work on WPT next!

antosart
antosart reviewed Nov 26, 2025
View reviewed changes
index.bs
9. Return "`Matches`".
</ol>

<h5 id="allow-unsafe-webtransport-hashes" algorithm>
Copy link
Member

@antosart antosart Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this algorithm is not needed anymore

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@annevk annevk annevk left review comments

@antosart antosart antosart left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Introduce new CSP keyword 'unsafe-webtransport-hashes'

4 participants

@jan-ivar @antosart @mikewest @annevk