LGTM to experiment from M142 to M144.
On 8/26/25 12:20 a.m., Daniel Rubery wrote:
Contact emails
drub...@chromium.org, thef...@chromium.org, arn...@chromium.org
Explainer
https://github.com/w3c/webappsec-dbsc/blob/main/README.md
Specification
https://w3c.github.io/webappsec-dbsc
Summary
A way for websites to securely bind a session to a single device.
It will let servers have a session be securely bound to a device. The
browser will renew the session periodically as requested by the
server, with proof of possession of a private key.
Blink component
Blink
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%22>
TAG review
https://github.com/w3ctag/design-reviews/issues/1052
TAG review status
Pending
Origin Trial Name
Device Bound Session Credentials 2
Chromium Trial Name
DeviceBoundSessionCredentials2
Origin Trial documentation link
https://github.com/w3c/webappsec-dbsc/blob/main/README.md
WebFeature UseCounter name
kDeviceBoundSessionRegistered
Risks
Interoperability and Compatibility
Gecko: No signal
(https://github.com/mozilla/standards-positions/issues/912)
WebKit: No signal
(https://github.com/WebKit/standards-positions/issues/281)
Web developers: Positive
(https://github.com/mozilla/standards-positions/issues/912#issuecomment-2204012985)
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
Goals for experimentation
We've added new functionality for securing SSO
(https://w3c.github.io/webappsec-dbsc/#federated-sessions), along with
a new cross-site side channel protection
(https://w3c.github.io/webappsec-dbsc/#json-session-instructions-allowed_refresh_initiators).
We'd like to validate that these features meet site owner needs before
shipping DBSC.
Ongoing technical constraints
Debuggability
Will this feature be supported on all six Blink platforms
(Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
The initial support for TPMs is Windows-only. This feature will
eventually support all platforms, as we integrate with the OS-specific
key generation/usage mechanisms.
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No
Flag name on about://flags
enable-standard-device-bound-session-credentials,
enable-standard-device-bound-session-persistence,
enable-standard-device-bound-session-credentials-refresh quota
Finch feature name
DeviceBoundSessions
Requires code in //chrome?
False
Estimated milestones
Shipping on desktop
145
Origin trial desktop first
135
Origin trial desktop last
139
Origin trial desktop first
142
Origin trial desktop last
144
DevTrial on desktop
135
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5140168270413824?gate=5111520589643776
Links to previous Intent discussions
Intent to Prototype:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/60bae138-43ee-4525-a549-461f241e9ae5n%40chromium.org
Intent to Experiment:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/515ba278-c5fc-4ee0-8e88-21f34851778an%40chromium.org
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXLL9AD6SSyUXpDcSB9m8y9nVnnNzAMTK6qmui%3DzKnM8G_5A%40mail.gmail.com.