Contact emails
[email protected], [email protected], [email protected]

Explainer
https://github.com/w3c/webappsec-dbsc/blob/main/README.md

Specification
https://w3c.github.io/webappsec-dbsc

Summary
To enhance user security and combat session theft, Chrome is introducing [Device Bound Session Credentials (DBSC)](https://developer.chrome.com/docs/web-platform/device-bound-session-credentials). This feature allows websites to bind a user's session to their specific device, making it significantly harder for stolen session cookies to be used on other machines.

Blink component
Blink

Web Feature ID
Missing feature

Motivation
Reduce session theft by offering an alternative to long-lived cookie bearer tokens, that allows session authentication that is bound to the user's device. This makes the web safer for users in that it is less likely their identity is abused, since malware is forced to act locally and thus becomes easier to detect and mitigate. At the same time the goal is to disrupt the cookie theft ecosystem and force it to adapt to new protections.

Initial public proposal
https://github.com/WICG/proposals/issues/106

TAG review
https://github.com/w3ctag/design-reviews/issues/1052

TAG review status
Pending

Origin Trial Name
Device Bound Session Credentials

Chromium Trial Name
DeviceBoundSessionCredentials

Origin Trial documentation link
https://github.com/w3c/webappsec-dbsc/blob/main/README.md

WebFeature UseCounter name
kDeviceBoundSessionRegistered

Origin Trial Name
Device Bound Session Credentials 2

Chromium Trial Name
DeviceBoundSessionCredentials2

Origin Trial documentation link
https://github.com/w3c/webappsec-dbsc/blob/main/README.md

WebFeature UseCounter name
kDeviceBoundSessionRequestInScope

Risks

Interoperability and Compatibility
No information provided

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/912)
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/281)
Web developers: Positive (https://github.com/mozilla/standards-positions/issues/912#issuecomment-2204012985)
Other signals:

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No information provided

Debuggability
No information provided

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
The initial support for TPMs is Windows-only. This feature will eventually support all platforms, as we integrate with the OS-specific key generation/usage mechanisms.

Is this feature fully tested by web-platform-tests?
No

Flag name on about://flags
enable-standard-device-bound-session-credentials, enable-standard-device-bound-session-persistence, enable-standard-device-bound-session-credentials-refresh quota

Finch feature name
DeviceBoundSessions

Rollout plan
Will ship enabled for all users

Requires code in //chrome?
False

Tracking bug
https://crbug.com/355059881

Estimated milestones
Shipping on desktop 145
Origin trial desktop first 135
Origin trial desktop last 139
Origin trial desktop first 142
Origin trial desktop last 144
DevTrial on desktop 135

Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known GitHub issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing the naming or structure of the API in a non-backward-compatible way).
No information provided

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5140168270413824?gate=5110303886409728

Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/60bae138-43ee-4525-a549-461f241e9ae5n%40chromium.org
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/515ba278-c5fc-4ee0-8e88-21f34851778an%40chromium.org
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXLL9AD6SSyUXpDcSB9m8y9nVnnNzAMTK6qmui%3DzKnM8G_5A%40mail.gmail.com

This intent message was generated by Chrome Platform Status.
