Contact emails
drub...@chromium.org, thef...@chromium.org, arn...@chromium.org

Explainer
https://github.com/w3c/webappsec-dbsc/blob/main/README.md

Specification
https://w3c.github.io/webappsec-dbsc

Summary
A way for websites to securely bind a session to a single device. It will let servers have a session be securely bound to a device. The browser will renew the session periodically as requested by the server, with proof of possession of a private key.

Blink component
Blink <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%22>

TAG review
https://github.com/w3ctag/design-reviews/issues/1052

TAG review status
Pending

Origin Trial documentation link
https://github.com/w3c/webappsec-dbsc/blob/main/README.md

Risks
When the experiment comes to an end, Chrome will no longer refresh any bound cookies. Sites should not enforce DBSC in a way that makes this difficult for users (e.g. triggering logouts).

Interoperability and Compatibility

*Gecko*: No signal (https://github.com/mozilla/standards-positions/issues/912)

*WebKit*: No signal (https://github.com/WebKit/standards-positions/issues/281)

*Web developers*: Positive (https://github.com/mozilla/standards-positions/issues/912#issuecomment-2204012985)

*Other signals*:

WebView application risks
None, not currently shipping on WebView

Goals for experimentation
We want overall feedback on the header-based API. Note that error handling during session refresh is complex. It is not yet recommended that sites enforce strictly on the presence of device bound cookies (e.g. logging users out if they're missing). The error rate should be sufficiently low to understand if the API is unclear or overly complex.

Debuggability
Requests are visible in chrome://net-export, and more information is available as UMA histograms at chrome://histograms#Net.DeviceBoundSessions

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
The initial support for TPMs is Windows-only. This feature will eventually support all platforms, as we integrate with the OS-specific key generation/usage mechanisms.

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes

Flag name on about://flags
enable-standard-device-bound-session-credentials, enable-standard-device-bound-session-persistence, enable-standard-device-bound-session-credentials-refresh quota

Finch feature name
DeviceBoundSessions

Requires code in //chrome?
False

Estimated milestones
Shipping on desktop 143
Origin trial desktop first 135
DevTrial on desktop 135

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5140168270413824?gate=5106323928121344

Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/60bae138-43ee-4525-a549-461f241e9ae5n%40chromium.org

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.