Blog

WebTransport over HTTP/3: CORS, cross-origin datagrams, and bidirectional streams versus WebSocket

WebTransport uses custom TLS and ALPN negotiation—origin checks still apply before exposing streams to browsers.

Published: 2028-02-08Updated: 2028-02-101 min read

webtransporthttp3cors

Firewall

UDP port 443 must be open for QUIC—corporate networks may block WebTransport entirely.

MTU issues can fragment packets—separate from CORS but similar user-visible failure modes.

Low-latency game code often mixes WebTransport with WebRTC—each path needs its own CORS or ICE policy docs.

Replay protection on datagrams must not rely on browser CORS alone.