Two days ago, a proposal to add "unsafe-webtransport-hashes" to the Content Security Policy specification was merged.

https://github.com/w3c/webappsec-csp/issues/683
https://github.com/w3c/webappsec-csp/pull/791

Here is how I understand the proposal, based on reading it and the documentation for WebTransport. I'm by no means an expert on WebTransport - I had never heard of it before today.

WebTransport is intended to replace Web Sockets; it allows a website to connect to a server over HTTP/3.

One feature of WebTransport is serverCertificateHashes, which is passed as an argument when creating a new socket.
serverCertificateHashes allows a website to bypass the normal public key infrastructure, instead telling the browser what certificates to trust.
It does this, as the name suggests, by providing the hashes of the certificates.

There is, of course, an inherent risk which comes with replacing the existing PKI with DIY. Allowing websites to restrict usage of this feature helps mitigate some of this risk.

This proposal builds on the existing connect-src CSP policy, which controls technologies like XHR, Fetch, etc.

If a website does not set connect-src in its Content Security Policy or doesn't have a CSP, then it can use serverCertificateHashes as it wishes.

However, if it sets connect-src, then serverCertificateHashes is disallowed.

That is where unsafe-webtransport-hashes comes into play. A website can allow specific certificates to be used with serverCertificateHashes by specifying the hashes of those certificates in unsafe-webtransport-hashes, which is part of the CSP and falls under connect-src.

So, as I understand it:

  • no CSP or no connect-src: can use any certificates in serverCertificateHashes
  • connect-src set but no unsafe-webtransport-hashes: cannot use any certificate in serverCertificateHashes
  • connect-src is set and contains unsafe-webtransport-hashes: only certificates allowlisted in the CSP are allowed for serverCertificateHashes, all others denied

All of this is based on reading the issue thread and doing a little background research. I probably got some of it, or all of it, wrong.
Point being: it is an interesting but very niche proposal.

#WebTransport #WebSecurity #ContentSecurityPolicy #CSP

Introduce new CSP keyword 'unsafe-webtransport-hashes' · Issue #683 · w3c/webappsec-csp

From w3c/webtransport#59 (comment): WebTransport acts like fetch wrt connect-src: https://A.com for normal use like: const wta = new WebTransport("https://A.com"); But the API also allows websites ...

GitHub
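The three cases the post above lists can be written down as a small policy check. The following is an added example, not code from the post, from the CSP spec, or from the w3c/webappsec-csp project: it parses a CSP header with the standard directive/source-list syntax, decides whether a page's serverCertificateHashes would be permitted, and builds the options object the WebTransport constructor takes. The exact spelling of the keyword token and of the hash tokens ('sha256-<base64>') is an assumption made for this illustration and may differ from the merged spec text; the sample digests are constructed zero/one byte strings, not real certificate hashes.

```javascript
// Added example: models how 'unsafe-webtransport-hashes' inside connect-src
// gates WebTransport's serverCertificateHashes, following the three cases in
// the post. ASSUMPTION: keyword and hash token spellings below are illustrative.

const WT_HASH_KEYWORD = "'unsafe-webtransport-hashes'"; // assumed token form
const HASH_TOKEN = /^'sha256-([A-Za-z0-9+/]+=*)'$/;     // assumed token form

// Parse "dir v v; dir v" into Map(directive -> [source tokens]).
// CSP ignores later duplicates of a directive, so the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Hash tokens the page may pin: only those that sit in connect-src together
// with the keyword. An empty set means the feature is blocked entirely.
function webtransportAllowlist(connectSrc) {
  if (!connectSrc.includes(WT_HASH_KEYWORD)) return new Set();
  return new Set(connectSrc.filter((t) => HASH_TOKEN.test(t)));
}

// Decide whether a WebTransport connection pinning `requested` hashes
// (as 'sha256-...' tokens) would be permitted under `cspHeader` (null = no CSP).
function certificateHashesAllowed(cspHeader, requested) {
  if (cspHeader == null) {
    return { allowed: true, reason: "no CSP", denied: [] };
  }
  const csp = parseCsp(cspHeader);
  if (!csp.has("connect-src")) {
    return { allowed: true, reason: "no connect-src", denied: [] };
  }
  const allow = webtransportAllowlist(csp.get("connect-src"));
  if (allow.size === 0) {
    return {
      allowed: false,
      reason: "connect-src set without " + WT_HASH_KEYWORD,
      denied: requested.slice(),
    };
  }
  const denied = requested.filter((h) => !allow.has(h));
  return {
    allowed: denied.length === 0,
    reason: denied.length ? "hash not allowlisted" : "all hashes allowlisted",
    denied,
  };
}

// Convert hash tokens into the options shape the real WebTransport constructor
// accepts: { serverCertificateHashes: [{ algorithm: "sha-256", value: BufferSource }] }.
function toWebTransportOptions(tokens) {
  const serverCertificateHashes = tokens.map((t) => {
    const b64 = t.match(HASH_TOKEN)[1];
    const value = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
    if (value.length !== 32) throw new Error("SHA-256 digest must be 32 bytes: " + t);
    return { algorithm: "sha-256", value };
  });
  return { serverCertificateHashes };
}

// Constructed samples: 32-byte all-zero and all-one digests, not real hashes.
const SAMPLE_HASH = "'sha256-" + btoa(String.fromCharCode(...new Uint8Array(32))) + "'";
const OTHER_HASH = "'sha256-" + btoa(String.fromCharCode(...new Uint8Array(32).fill(1))) + "'";
const SAMPLE_CSP =
  `default-src 'self'; connect-src https://wt.example ${WT_HASH_KEYWORD} ${SAMPLE_HASH}`;

for (const header of [null, "default-src 'self'", "connect-src https://wt.example", SAMPLE_CSP]) {
  console.log(JSON.stringify(header), "->", certificateHashesAllowed(header, [SAMPLE_HASH]));
}
// In a browser the allowlisted token would be used as:
//   new WebTransport("https://wt.example", toWebTransportOptions([SAMPLE_HASH]));
```

The decision function deliberately returns which hashes were denied rather than a bare boolean, since that is what a defender wants surfaced in a CSP violation report when a page pins a certificate the policy did not allowlist.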
Hold onto your hats, because #WebTransport is here to almost, kind of, sort of, maybe, eventually bring UDP-like #data exchange to your #browser. 🚀 It's just like #UDP, but with extra steps, because who doesn't love unnecessary complexity? 🤯 Meanwhile, MDN's index page continues to be a labyrinthine journey through every web technology known to humankind. 😂
https://developer.mozilla.org/en-US/docs/Web/API/WebTransport_API #MDN #Complexity #HackerNews #ngated
WebTransport API - Web APIs | MDN

The WebTransport API provides a modern update to WebSockets, transmitting data between client and server using HTTP/3 Transport. WebTransport provides support for multiple streams, unidirectional streams, and out-of-order delivery. It enables reliable transport via streams and unreliable transport via UDP-like datagrams.

MDN Web Docs
🌗 WebTransport API: a new option for modern bidirectional real-time communication
➤ Say goodbye to WebSocket latency and welcome the low-latency, high-efficiency web communication that HTTP/3 brings
https://developer.mozilla.org/en-US/docs/Web/API/WebTransport_API
This article introduces the WebTransport API, a modern web communication interface built on HTTP/3 and the QUIC protocol, intended to replace WebSocket. WebTransport supports multiple streams, unidirectional streams, and out-of-order delivery; it provides reliable transport via streams, or unreliable but fast transport via UDP-like datagrams. The article details how to initialize a connection, handle connection closure, use datagrams for unreliable transport and streams for reliable transport, including creating and receiving unidirectional streams.
+ Great, finally something faster than WebSocket! Looking forward to full browser support.
+ HTTP/3's QUIC protocol sounds promising, especially the part about staying connected across network switches; that matters a lot for mobile apps.
#WebTransport #API #HTTP3 #QUIC #RealTimeCommunication
Daily IETF (2025-10-20) Part 1 - Qiita

Hello, I'm the nameless engineer at GMO Connect. Nice to meet you! Today there were... 443 posts, and I'm trembling all over, lol. Daily IETF is an ascetic practice of continuously summarizing the emails posted to I-D Announce and IETF Announce!! This time...

Qiita

2/

Using HTTPS rather than HTTP is NOT a cost free choice. HTTPS is A LOT slower than HTTP.

And, there are times when one does NOT need encryption (and thus HTTP would be sufficient).

It would have been preferable to be able to choose HTTP (rather than HTTPS) — to choose not to encrypt — for those situations.

#WebTransport

1/

WebTransport seems interesting.

https://developer.mozilla.org/en-US/docs/Web/API/WebTransport

However, this seems like a poor design choice (by the creators of WebTransport):

"Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers."

...

#WebTransport

WebTransport - Web APIs | MDN

The WebTransport interface of the WebTransport API provides functionality to enable a user agent to connect to an HTTP/3 server, initiate reliable and unreliable transport in either or both directions, and close the connection once it is no longer needed.

MDN Web Docs

The new 0.16 version of the open source Node.js multiplayer framework, #Colyseus, is introducing #StateView, experimental support for #WebTransport, and more.

https://gamedevjs.com/tools/colyseus-0-16-released/

#gamedev #gamedevjs #node #nodejs #OpenSource #update

Colyseus 0.16 released - Gamedev.js

The new 0.16 version of the open source Node.js multiplayer framework, Colyseus, is introducing StateView, experimental support for WebTransport, and more. This version brings a new iteration of the @colyseus/schema library, introducing the StateView API, deprecating @filter(), and providing quality of life improvements to the framework. Especially the experimental WebTransport support seems like something worth

Gamedev.js - Web Game Development community
Exploring the WebTransport API: A New Era of Web Communication https://jsdev.space/webtransport-api/ #javascript #webtransport
Exploring the WebTransport API: A New Era of Web Communication

Explore the world of JavaScript at our blog, your ultimate resource for guides, tutorials, and articles. Uncover the latest insights, tips, and trends.

JavaScript Development Space - Master JS and NodeJS