
HTTP/3 allows self-signed certs.

Chrome does not. But that choice is orthogonal, could happen with any protocol.




I didn't know chrome didn't allow self-signed certificates. Since when?


The user can add self-signed certificates. Random websites using self-signed certificates won't work without that extra configuration from the user.


I'm pretty sure the old "thisisunsafe" trick will still work ...


Yeah, it's difficult for me to always add the qualifier, "HTTP/3 allows self-signed certs but no implementation that exists in any browser allows self-signed certs".


Plenty of browsers allow self-signed certs—Firefox and Safari, to the best of my knowledge, treat HTTP/3 certs exactly the same as they treat HTTP/2 and HTTP/1.1 certs. Chrome has taken the position that it will no longer allow self-signed Root CAs for HTTP/3 websites, to prevent SSL interception with companies intercepting all of your traffic. For personal use, you can always whitelist an individual certificate using a CLI flag without allowing a trusted root CA.


My testing in the past seems to indicate you're wrong. Firefox does not support setting up HTTP/3 connections without CA TLS. Unless they've changed it since version 115 esr. While the neqo lib they use for HTTP/3 does technically allow it unless you compile it yourself with all the flags required for it FF ships with neqo having CA TLS required and no support for self-signed certs when setting up HTTP/3 connections.

I'd love to be wrong or shown a newer version that does allow these things. It'd be a huge load off my mind.


The original comment was opposition to HTTP/3 because of mandatory secure connections.

In reality, the opposition is misdirected; it is Chrome that requires secure connections, not HTTP/3.


> Chrome does not. But that choice is orthogonal to protocol.

Which means HTTP/3 de facto doesn't support self-signed certificates. Once Chrome disables HTTP 1.1/2 which it will at some point in the name of security or performance, you'll only be able to exist on the web with a CA signed certificate.



