CORS for WebTransport: copy-paste server patterns
WebTransport sits in an odd spot for people who already know CORS. You expect the usual fetch() rules, preflights, and response headers. Then you try WebTransport over HTTP/3 and realize the model is related to CORS, but not the same shape. Browsers still care about origin-based access control, but WebTransport uses its own handshake rules instead of classic OPTIONS preflight. If you build browser-facing infrastructure, this distinction matters. A lot. ...