Merge pull request #612 from w3c/wilaw-patch-1

Redirection treated as a network error

index.bs

@@ -828,7 +828,7 @@ sequence<{{WebTransportHash}}> |serverCertificateHashes|, run these steps.
 1. Let |request| be a new [=/request=] whose [=request/URL=] is |url|, [=request/client=] is
    |client|, [=request/policy container=] is |client|'s
    [=environment settings object/policy container=], [=request/destination=] is an empty string,
-   and [=request/origin=] is |origin|.
+   [=request/origin=] is |origin| and [=request/redirect mode=] is "error". 
 1. Run <a>report Content Security Policy violations for |request|</a>.
 1. If [=should request be blocked by Content Security Policy?=] with |request| returns
    <b>"Blocked"</b>, or if |request| [=block bad port|should be blocked due to a bad port=]
@@ -857,6 +857,12 @@ sequence&lt;{{WebTransportHash}}&gt; |serverCertificateHashes|, run these steps.
     1. Let |error| be a newly [=DOMException/created=] {{WebTransportError}} whose
        {{WebTransportErrorOptions/source}} is `"session"`.
     1. [=Cleanup=] |transport| with |error|.
+
+       Note: Redirects are not followed. Network errors caused by redirection are intentionally
+       indistinguishable from other network errors.  In cross-origin contexts, this would reveal
+       information that would normally be blocked by CORS. In same-origin contexts, it might
+       encourage applications to abuse the handshake as a vector for passing information.
+
   1. Wait for |connection| to receive the first SETTINGS frame, and let |settings| be a dictionary that
      represents the SETTINGS frame.
   1. If |settings| doesn't contain SETTINGS_ENABLE_WEBTRANPORT with a value of 1, or it doesn't