From 221a6f00965e42c79fd9cd53034db4e9dab531f0 Mon Sep 17 00:00:00 2001
From: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com>
Date: Tue, 25 Nov 2025 16:18:52 -0500
Subject: [PATCH 1/6] Add an associated webtransport-hashes to request

---
 fetch.bs | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fetch.bs b/fetch.bs
index a46852e0a..034caa190 100755
--- a/fetch.bs
+++ b/fetch.bs
@@ -2248,6 +2248,20 @@ Unless stated otherwise, it is false.
 
 <p class=note>This flag is for exclusive use by HTML's render-blocking mechanism. [[!HTML]]
 
+<p>A <a for=/>request</a> has an associated <dfn export for=request
+id=concept-request-webtransport-hashes>webtransport-hashes</dfn> (a
+<a for=/>list</a> of [=webtransport-hash=] items). Unless stated otherwise it is « ».
+
+<p>An <dfn export id=concept-webtransport-hash>webtransport-hash</dfn> is a
+<a for=/>tuple</a> that consists of
+<dfn export for=webtransport-hash id=concept-webtransport-hash-algorithm>algorithm</dfn>
+(a <a for=/>string</a>) and
+<dfn export for=webtransport-hash id=concept-webtransport-hash-value>value</dfn> (a <a for=/>byte sequence</a>).
+
+<p class=note>This list is for exclusive use by
+{{WebTransport/WebTransport(url, options)}} when options contains
+{{WebTransportOptions/serverCertificateHashes}}.
+
 <hr>
 
 <p>A <a for=/>request</a> has an associated

From 3c7c2a079061a4de8a450584c3b7d697c52ebca1 Mon Sep 17 00:00:00 2001
From: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com>
Date: Tue, 2 Dec 2025 17:29:48 -0500
Subject: [PATCH 2/6] Wire webtransport-hashes concept down to obtain a
 connection

---
 fetch.bs | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index 034caa190..1469fa143 100755
--- a/fetch.bs
+++ b/fetch.bs
@@ -2249,8 +2249,11 @@ Unless stated otherwise, it is false.
 <p class=note>This flag is for exclusive use by HTML's render-blocking mechanism. [[!HTML]]
 
 <p>A <a for=/>request</a> has an associated <dfn export for=request
-id=concept-request-webtransport-hashes>webtransport-hashes</dfn> (a
-<a for=/>list</a> of [=webtransport-hash=] items). Unless stated otherwise it is « ».
+id=concept-request-webtransport-hash-list>webtransport-hash list</dfn> (a
+<a for=/>webtransport-hash list</a>). Unless stated otherwise it is « ».
+
+<p>A <dfn export id=concept-webtransport-hash-list>webtransport-hash list</dfn> is a <a for=/>list</a> of zero or more
+<a for=/>webtransport-hashes</a>. It is initially « ».
 
 <p>An <dfn export id=concept-webtransport-hash>webtransport-hash</dfn> is a
 <a for=/>tuple</a> that consists of
@@ -3017,16 +3020,18 @@ steps:
 <p>To <dfn export id=concept-connection-obtain>obtain a connection</dfn>, given a
 <a>network partition key</a> <var>key</var>, <a for=/>URL</a> <var>url</var>, boolean
 <var>credentials</var>, an optional <a>new connection setting</a> <var>new</var> (default
-"<code>no</code>"), and an optional boolean
-<dfn export for="obtain a connection"><var>requireUnreliable</var></dfn> (default false), run these
+"<code>no</code>"), an optional boolean
+<dfn export for="obtain a connection"><var>requireUnreliable</var></dfn> (default false),
+and an optional <a for=/>webtransport-hash list</a> <var>webTransportHashes</var> (default []), run these
 steps:
-<!-- new's "yes-and-dedicated" and requireUnreliable have been added for WebTransport -->
+<!-- new's "yes-and-dedicated", requireUnreliable and webTransportHashes have been added for WebTransport -->
 
 <ol>
  <li>
   <p>If <var>new</var> is "<code>no</code>", then:
 
   <ol>
+   <li><p><a for=/>Assert</a>: <var>webTransportHashes</var> is empty.
    <li><p>Let <var>connections</var> be a set of <a>connections</a> in the user agent's
    <a>connection pool</a> whose <a for=connection>key</a> is <var>key</var>,
    <a for=connection>origin</a> is <var>url</var>'s <a for=url>origin</a>, and
@@ -3074,7 +3079,8 @@ steps:
     <p>Let <var>connection</var> be the result of running this step: run <a>create a connection</a>
     given <var>key</var>, <var>url</var>'s <a for=url>origin</a>, <var>credentials</var>,
     <var>proxy</var>, an <a>implementation-defined</a> <a for=/>host</a> from <var>hosts</var>,
-    <var>timingInfo</var>, and <var>requireUnreliable</var> an <a>implementation-defined</a> number
+    <var>timingInfo</var>, <var>requireUnreliable</var> and <var>webTransportHashes</var>
+    an <a>implementation-defined</a> number
     of times, <a>in parallel</a> from each other, and wait for at least 1 to return a value. In an
     <a>implementation-defined</a> manner, select a value to return from the returned values and
     return it. Any other returned values that are <a>connections</a> may be closed.
@@ -3108,8 +3114,9 @@ reused across <a>connections</a> whose <a for=connection>credentials</a> are fal
 <div algorithm>
 <p>To <dfn>create a connection</dfn>, given a <a for=/>network partition key</a> <var>key</var>,
 <a for=/>origin</a> <var>origin</var>, boolean <var>credentials</var>, string <var>proxy</var>,
-<a for=/>host</a> <var>host</var>, <a for=/>connection timing info</a> <var>timingInfo</var>, and
-boolean <var>requireUnreliable</var>, run these steps:
+<a for=/>host</a> <var>host</var>, <a for=/>connection timing info</a> <var>timingInfo</var>,
+boolean <var>requireUnreliable</var> and a <a for=/>webtransport-hash list</a>
+<var>webTransportHashes</var>, run these steps:
 
 <ol>
  <li><p>Set <var>timingInfo</var>'s <a for="connection timing info">connection start time</a> to the
@@ -3136,6 +3143,12 @@ boolean <var>requireUnreliable</var>, run these steps:
 
    <li><p>If <var>credentials</var> is false, then do not send a TLS client certificate.
 
+   <li><p>If <var>webTransportHashes</var> [=set/is empty|is not empty=], instead of using the
+     default certificate verification algorithm, consider the server certificate valid if it
+     meets the [=custom certificate requirements=] and if
+     [=verify a certificate hash|verifying the certificate hash=] against |webTransportHashes|
+     returns true. If either condition is not met, then return failure.
+
    <li><p>If establishing a connection does not succeed (e.g., a UDP, TCP, or TLS error), then
    return failure.
   </ul>

From 6614713e9816e9fd40f98808edacd9295bd392f6 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 18 Dec 2025 09:09:20 +0100
Subject: [PATCH 3/6] nits

---
 fetch.bs | 53 +++++++++++++++++++++++++----------------------------
 1 file changed, 25 insertions(+), 28 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index 1469fa143..c81070d5c 100755
--- a/fetch.bs
+++ b/fetch.bs
@@ -2248,22 +2248,18 @@ Unless stated otherwise, it is false.
 
 <p class=note>This flag is for exclusive use by HTML's render-blocking mechanism. [[!HTML]]
 
-<p>A <a for=/>request</a> has an associated <dfn export for=request
-id=concept-request-webtransport-hash-list>webtransport-hash list</dfn> (a
+<p>A <a for=/>request</a> has an associated <dfn export for=request>webtransport-hash list</dfn> (a
 <a for=/>webtransport-hash list</a>). Unless stated otherwise it is « ».
 
-<p>A <dfn export id=concept-webtransport-hash-list>webtransport-hash list</dfn> is a <a for=/>list</a> of zero or more
+<p>A <dfn export>webtransport-hash list</dfn> is a <a for=/>list</a> of zero or more
 <a for=/>webtransport-hashes</a>. It is initially « ».
 
-<p>An <dfn export id=concept-webtransport-hash>webtransport-hash</dfn> is a
-<a for=/>tuple</a> that consists of
-<dfn export for=webtransport-hash id=concept-webtransport-hash-algorithm>algorithm</dfn>
-(a <a for=/>string</a>) and
-<dfn export for=webtransport-hash id=concept-webtransport-hash-value>value</dfn> (a <a for=/>byte sequence</a>).
+<p>An <dfn export id=concept-webtransport-hash>webtransport-hash</dfn> is a <a for=/>tuple</a>
+consisting of an <dfn export for=webtransport-hash>algorithm</dfn> (a <a for=/>string</a>) and a
+<dfn export for=webtransport-hash>value</dfn> (a <a for=/>byte sequence</a>).
 
-<p class=note>This list is for exclusive use by
-{{WebTransport/WebTransport(url, options)}} when options contains
-{{WebTransportOptions/serverCertificateHashes}}.
+<p class=note>This list is for exclusive use by {{WebTransport/WebTransport(url, options)}} when
+<var ignore>options</var> contains {{WebTransportOptions/serverCertificateHashes}}.
 
 <hr>
 
@@ -3021,17 +3017,18 @@ steps:
 <a>network partition key</a> <var>key</var>, <a for=/>URL</a> <var>url</var>, boolean
 <var>credentials</var>, an optional <a>new connection setting</a> <var>new</var> (default
 "<code>no</code>"), an optional boolean
-<dfn export for="obtain a connection"><var>requireUnreliable</var></dfn> (default false),
-and an optional <a for=/>webtransport-hash list</a> <var>webTransportHashes</var> (default []), run these
-steps:
+<dfn export for="obtain a connection"><var>requireUnreliable</var></dfn> (default false), and an
+optional <a for=/>webtransport-hash list</a>
+<dfn export for="obtain a connection"><var>webTransportHashes</var></dfn> (default « »):
 <!-- new's "yes-and-dedicated", requireUnreliable and webTransportHashes have been added for WebTransport -->
 
 <ol>
  <li>
-  <p>If <var>new</var> is "<code>no</code>", then:
+  <p>If <var>new</var> is "<code>no</code>":
 
   <ol>
-   <li><p><a for=/>Assert</a>: <var>webTransportHashes</var> is empty.
+   <li><p><a for=/>Assert</a>: <var>webTransportHashes</var> <a for=list>is empty</a>.
+
    <li><p>Let <var>connections</var> be a set of <a>connections</a> in the user agent's
    <a>connection pool</a> whose <a for=connection>key</a> is <var>key</var>,
    <a for=connection>origin</a> is <var>url</var>'s <a for=url>origin</a>, and
@@ -3079,11 +3076,11 @@ steps:
     <p>Let <var>connection</var> be the result of running this step: run <a>create a connection</a>
     given <var>key</var>, <var>url</var>'s <a for=url>origin</a>, <var>credentials</var>,
     <var>proxy</var>, an <a>implementation-defined</a> <a for=/>host</a> from <var>hosts</var>,
-    <var>timingInfo</var>, <var>requireUnreliable</var> and <var>webTransportHashes</var>
-    an <a>implementation-defined</a> number
-    of times, <a>in parallel</a> from each other, and wait for at least 1 to return a value. In an
-    <a>implementation-defined</a> manner, select a value to return from the returned values and
-    return it. Any other returned values that are <a>connections</a> may be closed.
+    <var>timingInfo</var>, <var>requireUnreliable</var>, and <var>webTransportHashes</var> an
+    <a>implementation-defined</a> number of times, <a>in parallel</a> from each other, and wait for
+    at least 1 to return a value. In an <a>implementation-defined</a> manner, select a value to
+    return from the returned values and return it. Any other returned values that are
+    <a>connections</a> may be closed.
 
     <p class=note>Essentially this allows an implementation to pick one or more
     <a for=/>IP addresses</a> from the return value of <a>resolve an origin</a> (assuming
@@ -3115,8 +3112,8 @@ reused across <a>connections</a> whose <a for=connection>credentials</a> are fal
 <p>To <dfn>create a connection</dfn>, given a <a for=/>network partition key</a> <var>key</var>,
 <a for=/>origin</a> <var>origin</var>, boolean <var>credentials</var>, string <var>proxy</var>,
 <a for=/>host</a> <var>host</var>, <a for=/>connection timing info</a> <var>timingInfo</var>,
-boolean <var>requireUnreliable</var> and a <a for=/>webtransport-hash list</a>
-<var>webTransportHashes</var>, run these steps:
+boolean <var>requireUnreliable</var>, and a <a for=/>webtransport-hash list</a>
+<var>webTransportHashes</var>:
 
 <ol>
  <li><p>Set <var>timingInfo</var>'s <a for="connection timing info">connection start time</a> to the
@@ -3143,11 +3140,11 @@ boolean <var>requireUnreliable</var> and a <a for=/>webtransport-hash list</a>
 
    <li><p>If <var>credentials</var> is false, then do not send a TLS client certificate.
 
-   <li><p>If <var>webTransportHashes</var> [=set/is empty|is not empty=], instead of using the
-     default certificate verification algorithm, consider the server certificate valid if it
-     meets the [=custom certificate requirements=] and if
-     [=verify a certificate hash|verifying the certificate hash=] against |webTransportHashes|
-     returns true. If either condition is not met, then return failure.
+   <li><p>If <var>webTransportHashes</var> [=set/is not empty=], instead of using the default
+   certificate verification algorithm, consider the server certificate valid if it meets the
+   [=custom certificate requirements=] and if
+   [=verify a certificate hash|verifying the certificate hash=] against |webTransportHashes| returns
+   true. If either condition is not met, then return failure.
 
    <li><p>If establishing a connection does not succeed (e.g., a UDP, TCP, or TLS error), then
    return failure.

From 6f4756bce718d680f17ad1d47a33c75e3e40be8a Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 18 Dec 2025 09:13:45 +0100
Subject: [PATCH 4/6] Update fetch.bs

---
 fetch.bs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fetch.bs b/fetch.bs
index c81070d5c..f8e116f81 100755
--- a/fetch.bs
+++ b/fetch.bs
@@ -2254,7 +2254,7 @@ Unless stated otherwise, it is false.
 <p>A <dfn export>webtransport-hash list</dfn> is a <a for=/>list</a> of zero or more
 <a for=/>webtransport-hashes</a>. It is initially « ».
 
-<p>An <dfn export id=concept-webtransport-hash>webtransport-hash</dfn> is a <a for=/>tuple</a>
+<p>A <dfn export id=concept-webtransport-hash>webtransport-hash</dfn> is a <a for=/>tuple</a>
 consisting of an <dfn export for=webtransport-hash>algorithm</dfn> (a <a for=/>string</a>) and a
 <dfn export for=webtransport-hash>value</dfn> (a <a for=/>byte sequence</a>).
 

From b868e229875c95258a550e2b1279299cda8046b6 Mon Sep 17 00:00:00 2001
From: Jan-Ivar Bruaroey <jan-ivar@users.noreply.github.com>
Date: Mon, 12 Jan 2026 20:43:19 -0500
Subject: [PATCH 5/6] s/webtransport-hash/WebTransport-hash/ and use [=list/is
 not empty=]

---
 fetch.bs | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index f8e116f81..60c501d10 100755
--- a/fetch.bs
+++ b/fetch.bs
@@ -2248,15 +2248,15 @@ Unless stated otherwise, it is false.
 
 <p class=note>This flag is for exclusive use by HTML's render-blocking mechanism. [[!HTML]]
 
-<p>A <a for=/>request</a> has an associated <dfn export for=request>webtransport-hash list</dfn> (a
-<a for=/>webtransport-hash list</a>). Unless stated otherwise it is « ».
+<p>A <a for=/>request</a> has an associated <dfn export for=request>WebTransport-hash list</dfn> (a
+<a for=/>WebTransport-hash list</a>). Unless stated otherwise it is « ».
 
-<p>A <dfn export>webtransport-hash list</dfn> is a <a for=/>list</a> of zero or more
-<a for=/>webtransport-hashes</a>. It is initially « ».
+<p>A <dfn export>WebTransport-hash list</dfn> is a <a for=/>list</a> of zero or more
+<a for=/>WebTransport-hashes</a>. It is initially « ».
 
-<p>A <dfn export id=concept-webtransport-hash>webtransport-hash</dfn> is a <a for=/>tuple</a>
-consisting of an <dfn export for=webtransport-hash>algorithm</dfn> (a <a for=/>string</a>) and a
-<dfn export for=webtransport-hash>value</dfn> (a <a for=/>byte sequence</a>).
+<p>A <dfn export id=concept-WebTransport-hash>WebTransport-hash</dfn> is a <a for=/>tuple</a>
+consisting of an <dfn export for=WebTransport-hash>algorithm</dfn> (a <a for=/>string</a>) and a
+<dfn export for=WebTransport-hash>value</dfn> (a <a for=/>byte sequence</a>).
 
 <p class=note>This list is for exclusive use by {{WebTransport/WebTransport(url, options)}} when
 <var ignore>options</var> contains {{WebTransportOptions/serverCertificateHashes}}.
@@ -3018,7 +3018,7 @@ steps:
 <var>credentials</var>, an optional <a>new connection setting</a> <var>new</var> (default
 "<code>no</code>"), an optional boolean
 <dfn export for="obtain a connection"><var>requireUnreliable</var></dfn> (default false), and an
-optional <a for=/>webtransport-hash list</a>
+optional <a for=/>WebTransport-hash list</a>
 <dfn export for="obtain a connection"><var>webTransportHashes</var></dfn> (default « »):
 <!-- new's "yes-and-dedicated", requireUnreliable and webTransportHashes have been added for WebTransport -->
 
@@ -3112,7 +3112,7 @@ reused across <a>connections</a> whose <a for=connection>credentials</a> are fal
 <p>To <dfn>create a connection</dfn>, given a <a for=/>network partition key</a> <var>key</var>,
 <a for=/>origin</a> <var>origin</var>, boolean <var>credentials</var>, string <var>proxy</var>,
 <a for=/>host</a> <var>host</var>, <a for=/>connection timing info</a> <var>timingInfo</var>,
-boolean <var>requireUnreliable</var>, and a <a for=/>webtransport-hash list</a>
+boolean <var>requireUnreliable</var>, and a <a for=/>WebTransport-hash list</a>
 <var>webTransportHashes</var>:
 
 <ol>
@@ -3140,7 +3140,7 @@ boolean <var>requireUnreliable</var>, and a <a for=/>webtransport-hash list</a>
 
    <li><p>If <var>credentials</var> is false, then do not send a TLS client certificate.
 
-   <li><p>If <var>webTransportHashes</var> [=set/is not empty=], instead of using the default
+   <li><p>If <var>webTransportHashes</var> [=list/is not empty=], instead of using the default
    certificate verification algorithm, consider the server certificate valid if it meets the
    [=custom certificate requirements=] and if
    [=verify a certificate hash|verifying the certificate hash=] against |webTransportHashes| returns

From 1a73ec311a2d850f15da5e183a51812d2c50aceb Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 28 Jan 2026 14:10:52 +0100
Subject: [PATCH 6/6] nits

---
 fetch.bs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fetch.bs b/fetch.bs
index 60c501d10..800a7ceb7 100755
--- a/fetch.bs
+++ b/fetch.bs
@@ -2252,7 +2252,7 @@ Unless stated otherwise, it is false.
 <a for=/>WebTransport-hash list</a>). Unless stated otherwise it is « ».
 
 <p>A <dfn export>WebTransport-hash list</dfn> is a <a for=/>list</a> of zero or more
-<a for=/>WebTransport-hashes</a>. It is initially « ».
+<a for=/>WebTransport-hashes</a>.
 
 <p>A <dfn export id=concept-WebTransport-hash>WebTransport-hash</dfn> is a <a for=/>tuple</a>
 consisting of an <dfn export for=WebTransport-hash>algorithm</dfn> (a <a for=/>string</a>) and a
@@ -3020,7 +3020,7 @@ steps:
 <dfn export for="obtain a connection"><var>requireUnreliable</var></dfn> (default false), and an
 optional <a for=/>WebTransport-hash list</a>
 <dfn export for="obtain a connection"><var>webTransportHashes</var></dfn> (default « »):
-<!-- new's "yes-and-dedicated", requireUnreliable and webTransportHashes have been added for WebTransport -->
+<!-- new's "yes-and-dedicated", requireUnreliable, and webTransportHashes have been added for WebTransport -->
 
 <ol>
  <li>