diff --git a/index.bs b/index.bs
index 748280acce..8731352dbd 100644
--- a/index.bs
+++ b/index.bs
@@ -696,7 +696,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
/ "'report-sample'" / "'unsafe-allow-redirects'"
/ "'wasm-unsafe-eval'" / "'trusted-types-eval'"
/ "'report-sha256'" / "'report-sha384'"
- / "'report-sha512'"
+ / "'report-sha512'" / "'unsafe-webtransport-hashes'"
ISSUE: Bikeshed `unsafe-allow-redirects`.
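Review bot: the new `'unsafe-webtransport-hashes'` token is appended to the `keyword-source` production, but this hunk gives it no definition, so the later steps that cite it as a `keyword-source` have nothing to link to. Add a definition entry for `'unsafe-webtransport-hashes'` beside the other keyword-source definitions (with a one-sentence description of what it permits), otherwise Bikeshed will report an unresolved reference in the same way the existing `ISSUE: Bikeshed unsafe-allow-redirects` line records for that keyword.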
@@ -2215,14 +2215,23 @@ Content-Type: application/reports+json
1. Let |name| be the result of executing
[[#effective-directive-for-a-request]] on |request|.
- 2. If the result of executing [[#should-directive-execute]] on |name|,
+ 1. If the result of executing [[#should-directive-execute]] on |name|,
`connect-src` and |policy| is "`No`", return "`Allowed`".
- 3. If the result of executing [[#match-request-to-source-list]] on
- |request|, this directive's value, and
- |policy|, is "`Does Not Match`", return "`Blocked`".
+ 1. Let |source list| be directive's value.
- 4. Return "`Allowed`".
+ 1. If the result of executing [[#match-request-to-source-list]] on
+ |request|, |source list|, and |policy|, is "`Matches`", return
+ "`Allowed`".
+
+ 1. If |request|'s [=request/mode=] is "`webtransport`", |request|'s
+ unsafe-webtransport-hashes is not empty, and
+ |source list| [=list/contains=] a source expression which
+ is an ASCII case-insensitive match for the
+ `keyword-source`
+ "`'unsafe-webtransport-hashes'`", return "`Allowed`".
+
+ 1. Return "`Blocked`".
`connect-src` Post-request check
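Review bot: the new step `1. Let |source list| be directive's value.` refers to a bare "directive" that is not a variable of this algorithm; the lines it replaces said "this directive's value", so either keep that wording or use the algorithm's actual directive variable with `|...|` markup. In the same hunk, "|request|'s unsafe-webtransport-hashes" is written without the `[=request/...=]` markup used for `[=request/mode=]` on the line above it, so the concept is neither linked nor defined here; mark it up the same way and point it at the specification that defines that request field.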
@@ -2236,14 +2245,23 @@ Content-Type: application/reports+json
1. Let |name| be the result of executing
[[#effective-directive-for-a-request]] on |request|.
- 2. If the result of executing [[#should-directive-execute]] on |name|,
+ 1. If the result of executing [[#should-directive-execute]] on |name|,
`connect-src` and |policy| is "`No`", return "`Allowed`".
- 3. If the result of executing [[#match-response-to-source-list]] on
- |response|, |request|, this directive's value,
- and |policy|, is "`Does Not Match`", return "`Blocked`".
+ 1. Let |source list| be directive's value.
- 4. Return "`Allowed`".
+ 1. If the result of executing [[#match-response-to-source-list]] on
+ |response|, |request|, |source list|, and |policy|, is "`Matches`",
+ return "`Allowed`".
+
+ 1. If |request|'s [=request/mode=] is "`webtransport`", |request|'s
+ unsafe-webtransport-hashes is not empty, and
+ |source list| [=list/contains=] a source expression which
+ is an ASCII case-insensitive match for the
+ `keyword-source`
+ "`'unsafe-webtransport-hashes'`", return "`Allowed`".
+
+ 1. Return "`Blocked`".
`default-src`
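Review bot: the added fallback step in the post-request check inspects only |request| (its mode and unsafe-webtransport-hashes) and the source list, never |response|, so once the keyword is present a WebTransport request is reported "`Allowed`" regardless of what the match-response-to-source-list step observed about the response's URL list. If that is intentional because WebTransport sessions cannot redirect, say so in a note after the step; if not, the step should also require the response match to have failed only on the hash aspect rather than bypassing the response check entirely. The unmarked "unsafe-webtransport-hashes" term has the same linking problem as in the pre-request hunk.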
@@ -4262,6 +4280,27 @@ Content-Type: application/reports+json
9. Return "`Matches`".
+
+ Does a source list allow unsafe WebTransport hashes?
+
+
+ A source list
+ allows unsafe WebTransport hashes
+ if it contains the `keyword-source`
+ expression `'unsafe-webtransport-hashes'`, as described in the following
+ algorithm:
+
+ Given a source list |list|, the following
+ algorithm returns "`Allows`" if allowed and "`Does Not Allow`" otherwise.
+
+ 1. For each |expression| of |list|:
+
+ 1. If |expression| is an ASCII case-insensitive match for the
+ `keyword-source` "`'unsafe-webtransport-hashes'`",
+ return "`Allows`".
+
+ 2. Return "`Does Not Allow`".
+
Element Matching Algorithms
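Review bot: this hunk defines "Does a source list allow unsafe WebTransport hashes?" returning "`Allows`" / "`Does Not Allow`", but nothing in the patch calls it: the `connect-src` pre- and post-request checks each inline their own "|source list| [=list/contains=] a source expression which is an ASCII case-insensitive match for ..." clause instead. Replace those inline clauses with "the result of executing this algorithm on |source list| is "`Allows`"" so the keyword matching lives in one place, or drop this algorithm if the inline form is preferred. Minor style point: the outer list here is numbered `1.`, `2.` while the other hunks use Bikeshed's auto-numbered `1.` for every item; pick one convention.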