One correction here: our web platform tests are now complete.

On Friday, February 6, 2026 at 1:31:57 PM UTC-8 Chromestatus wrote:
> *Contact emails*
> [email protected], [email protected], [email protected]
>
> *Explainer*
> https://github.com/w3c/webappsec-dbsc/blob/main/README.md
>
> *Specification*
> https://w3c.github.io/webappsec-dbsc
>
> *Summary*
> To enhance user security and combat session theft, Chrome is introducing
> [Device Bound Session Credentials (DBSC)](https://developer.chrome.com/docs/web-platform/device-bound-session-credentials).
>
> This feature allows websites to bind a user's session to their specific
> device, making it significantly harder for stolen session cookies to be
> used on other machines.
>
> *Blink component*
> Blink
> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%22>
>
> *Web Feature ID*
> Missing feature
>
> *Motivation*
> Reduce session theft by offering an alternative to long-lived cookie
> bearer tokens, that allows session authentication that is bound to the
> user's device. This makes the web safer for users in that it is less likely
> their identity is abused, since malware is forced to act locally and thus
> becomes easier to detect and mitigate. At the same time the goal is to
> disrupt the cookie theft ecosystem and force it to adapt to new
> protections.
>
> *Initial public proposal*
> https://github.com/WICG/proposals/issues/106
>
> *TAG review*
> https://github.com/w3ctag/design-reviews/issues/1052
>
> *TAG review status*
> Pending
>
> *Origin Trial Name*
> Device Bound Session Credentials
>
> *Chromium Trial Name*
> DeviceBoundSessionCredentials
>
> *Origin Trial documentation link*
> https://github.com/w3c/webappsec-dbsc/blob/main/README.md
>
> *WebFeature UseCounter name*
> kDeviceBoundSessionRegistered
>
> *Origin Trial Name*
> Device Bound Session Credentials 2
>
> *Chromium Trial Name*
> DeviceBoundSessionCredentials2
>
> *Origin Trial documentation link*
> https://github.com/w3c/webappsec-dbsc/blob/main/README.md
>
> *WebFeature UseCounter name*
> kDeviceBoundSessionRequestInScope
>
> *Risks*
>
> *Interoperability and Compatibility*
> *No information provided*
>
> *Gecko*: No signal (https://github.com/mozilla/standards-positions/issues/912)
>
> *WebKit*: No signal (https://github.com/WebKit/standards-positions/issues/281)
>
> *Web developers*: Positive (https://github.com/mozilla/standards-positions/issues/912#issuecomment-2204012985)
>
> *Other signals*:
>
> *WebView application risks*
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
> *No information provided*
>
> *Debuggability*
> *No information provided*
>
> *Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)?*
> No
> The initial support for TPMs is Windows-only. This feature will eventually
> support all platforms, as we integrate with the OS-specific key
> generation/usage mechanisms.
>
> *Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
> No
>
> *Flag name on about://flags*
> enable-standard-device-bound-session-credentials,
> enable-standard-device-bound-session-persistence,
> enable-standard-device-bound-session-credentials-refresh quota
>
> *Finch feature name*
> DeviceBoundSessions
>
> *Rollout plan*
> Will ship enabled for all users
>
> *Requires code in //chrome?*
> False
>
> *Tracking bug*
> https://crbug.com/355059881
>
> *Estimated milestones*
> Shipping on desktop 145
> Origin trial desktop first 135
> Origin trial desktop last 139
> Origin trial desktop first 142
> Origin trial desktop last 144
> DevTrial on desktop 135
>
> *Anticipated spec changes*
>
> Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).
> *No information provided*
>
> *Link to entry on the Chrome Platform Status*
> https://chromestatus.com/feature/5140168270413824?gate=5110303886409728
>
> *Links to previous Intent discussions*
> Intent to Prototype:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/60bae138-43ee-4525-a549-461f241e9ae5n%40chromium.org
> Intent to Experiment:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/515ba278-c5fc-4ee0-8e88-21f34851778an%40chromium.org
> Intent to Experiment:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXLL9AD6SSyUXpDcSB9m8y9nVnnNzAMTK6qmui%3DzKnM8G_5A%40mail.gmail.com
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com>.
