- What information might this feature expose to Web sites or other parties,
and for what purposes is that exposure necessary?
- This feature allows web developers to establish WebTransport over HTTP/3
sessions to servers. For the purpose this feature exposes the network
condition and error information to some extent.
- Do features in your specification expose the minimum amount of information
necessary to enable their intended uses?
- Yes. Also, we're careful of not exposing information for endpoints that
don't support WebTransport over HTTP/3 as much as possible. Please see
https://w3c.github.io/webtransport/#protocol-security for details.
- How do the features in your specification deal with personal information,
personally-identifiable information (PII), or information derived from
them?
- This feature itself doesn't deal with such sensitive information.
- How do the features in your specification deal with sensitive information?
- This feature itself doesn't deal with such sensitive information.
- Do the features in your specification introduce new state for an origin
that persists across browsing sessions?
- No. Also WebTransport doesn't interact with cookies and other persistent
state.
- Do the features in your specification expose information about the
underlying platform to origins?
- Does this specification allow an origin to send data to the underlying
platform?
- Yes, the feature uses network interfaces and can connect to localhost
if a cooperating server is running.
- Do features in this specification enable access to device sensors?
- What data do the features in this specification expose to an origin? Please
also document what data is identical to data exposed by other features, in the
same or different contexts.
- Arbitrary data sent from the server.
- Network errors (mostly opaque).
- Network information (indirectly).
- Do features in this specification enable new script execution/loading
mechanisms?
- Do features in this specification allow an origin to access other devices?
- Do features in this specification allow an origin some measure of control over
a user agent's native UI?
- What temporary identifiers do the features in this specification create or
expose to the web?
- As long as a WebTransport connection is open, the server can uniquely identify the client.
TLS session tickets may make it possible to identify the client across navigations. This
is very similar to a WebSocket connection.
The "pooling" feature, which is not yet fully specified, allows multiple WebTransport
sessions to share a single connection. This is very similar to connection reuse in HTTP.
The connection may survive navigation.
- How does this specification distinguish between behavior in first-party and
third-party contexts?
- The feature behaves in first-party and third-party contexts in the same way. WebTransport
notifies the server of origin of the context when a session is established, and we use
network partision keys when creating or pooling connections.
- How do the features in this specification work in the context of a browser’s
Private Browsing or Incognito mode?
- The feature doesn't interact with cookies, HTTP cache and authentication,
hence the feature works as usual in such a mode.
- Does this specification have both "Security Considerations" and "Privacy
Considerations" sections?
- Do features in your specification enable origins to downgrade default
security protections?
- What should this questionnaire have asked?