WebRequest SecurityInfo in Controlled Frame
Introduction
Web apps sometimes need to establish secure raw TCP/UDP connections (e.g., via Direct Sockets) for custom protocols, often to support legacy servers that cannot be updated to modern alternatives like WebTransport. Unlike standard HTTPS, these raw sockets don't have a built-in mechanism to verify the server's TLS certificate against a trusted root store.
This proposal introduces a WebRequest SecurityInfo API for ControlledFrame. It allows a web app to intercept an HTTPS, WSS or WebTransport request to a server, retrieve the server's certificate fingerprint (as verified by the browser), and then use that fingerprint to manually verify the certificate of a separate raw TCP/UDP connection to the same server. This provides a simple way for the app to confirm it's talking to the correct server.
Feedback
I welcome feedback in this thread, but encourage you to file bugs against the Explainer.
This API would be highly valuable for the Citrix Virtualization use case involving verification of certificates issued by public CAs. Many of our enterprise customers operate public-facing environments where TLS/DTLS endpoints use certificates signed by publicly trusted certificate authorities. A standardized Web API for certificate verification would enable us to programmatically validate these certificates during (D)TLS session establishment, enhancing security assurances and improving interoperability across our deployments.