> Thanks! Have a wpt.fyi URL?

Here's our tests: https://wpt.fyi/results/device-bound-session-credentials?label=experimental&label=master&aligned. It seems there's something wrong with the harness there, so we'll look into that. (My guess is that it's a result of DBSC being Finch-controlled and using a VirtualTestSuite, which would improve the moment we ship)

> Please correct this to unsatisfied.
> I read the TAG feedback and interpret it as preferring a different architecture than what our customers have told us they prefer. Does that seem right? Or is there another reason why we disagree on the suggestion to prefer a lower-level design?

Corrected to "Issues open" (I don't see an Unsatisfied option). Your understanding is correct. We believe that the higher-level design makes it easier to deploy and more extensible for the future. Feedback from our Origin Trials certainly supports the ease of deployment.

On Fri, Feb 6, 2026 at 2:03 PM Rick Byers <[email protected]> wrote:

> Very happy to see this shipping! Just a couple questions.
>
> On Fri, Feb 6, 2026 at 4:56 PM Daniel Rubery <[email protected]> wrote:
>
>> One correction here: our web platform tests are now complete.
>>
>
> Thanks! Have a wpt.fyi URL?
>
> On Friday, February 6, 2026 at 1:31:57 PM UTC-8 Chromestatus wrote:
>>
>>> *Contact emails*
>>> [email protected], [email protected], [email protected]
>>>
>>> *Explainer*
>>> https://github.com/w3c/webappsec-dbsc/blob/main/README.md
>>>
>>> *Specification*
>>> https://w3c.github.io/webappsec-dbsc
>>>
>>> *Summary*
>>> To enhance user security and combat session theft, Chrome is introducing
>>> [Device Bound Session Credentials (DBSC)](
>>> https://developer.chrome.com/docs/web-platform/device-bound-session-credentials).
>>> This feature allows websites to bind a user's session to their specific
>>> device, making it significantly harder for stolen session cookies to be
>>> used on other machines.
>>>
>>> *Blink component*
>>> Blink
>>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%22>
>>>
>>> *Web Feature ID*
>>> Missing feature
>>>
>>> *Motivation*
>>> Reduce session theft by offering an alternative to long-lived cookie
>>> bearer tokens, that allows session authentication that is bound to the
>>> user's device. This makes the web safer for users in that it is less likely
>>> their identity is abused, since malware is forced to act locally and thus
>>> becomes easier to detect and mitigate. At the same time the goal is to
>>> disrupt the cookie theft ecosystem and force it to adapt to new
>>> protections.
>>>
>>> *Initial public proposal*
>>> https://github.com/WICG/proposals/issues/106
>>>
>>> *TAG review*
>>> https://github.com/w3ctag/design-reviews/issues/1052
>>>
>>> *TAG review status*
>>> Pending
>>>
>>
> Please correct this to unsatisfied.
>
> I read the TAG feedback and interpret it as preferring a different
> architecture than what our customers have told us they prefer. Does that
> seem right? Or is there another reason why we disagree on the suggestion to
> prefer a lower-level design?
>
>
>>> *Origin Trial Name*
>>> Device Bound Session Credentials
>>>
>>> *Chromium Trial Name*
>>> DeviceBoundSessionCredentials
>>>
>>> *Origin Trial documentation link*
>>> https://github.com/w3c/webappsec-dbsc/blob/main/README.md
>>>
>>> *WebFeature UseCounter name*
>>> kDeviceBoundSessionRegistered
>>>
>>> *Origin Trial Name*
>>> Device Bound Session Credentials 2
>>>
>>> *Chromium Trial Name*
>>> DeviceBoundSessionCredentials2
>>>
>>> *Origin Trial documentation link*
>>> https://github.com/w3c/webappsec-dbsc/blob/main/README.md
>>>
>>> *WebFeature UseCounter name*
>>> kDeviceBoundSessionRequestInScope
>>>
>>> *Risks*
>>>
>>>
>>> *Interoperability and Compatibility*
>>> *No information provided*
>>>
>>> *Gecko*: No signal (
>>> https://github.com/mozilla/standards-positions/issues/912)
>>>
>>> *WebKit*: No signal (
>>> https://github.com/WebKit/standards-positions/issues/281)
>>>
>>> *Web developers*: Positive (
>>> https://github.com/mozilla/standards-positions/issues/912#issuecomment-2204012985
>>> )
>>>
>>> *Other signals*:
>>>
>>> *WebView application risks*
>>>
>>> Does this intent deprecate or change behavior of existing APIs, such
>>> that it has potentially high risk for Android WebView-based applications?
>>> *No information provided*
>>>
>>>
>>> *Debuggability*
>>> *No information provided*
>>>
>>> *Will this feature be supported on all six Blink platforms (Windows,
>>> Mac, Linux, ChromeOS, Android, and Android WebView)?*
>>> No
>>> The initial support for TPMs is Windows-only. This feature will
>>> eventually support all platforms, as we integrate with the OS-specific key
>>> generation/usage mechanisms.
>>>
>>> *Is this feature fully tested by web-platform-tests
>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
>>> No
>>>
>>>
>>> *Flag name on about://flags*
>>> enable-standard-device-bound-session-credentials,
>>> enable-standard-device-bound-session-persistence,
>>> enable-standard-device-bound-session-credentials-refresh quota
>>>
>>> *Finch feature name*
>>> DeviceBoundSessions
>>>
>>> *Rollout plan*
>>> Will ship enabled for all users
>>>
>>> *Requires code in //chrome?*
>>> False
>>>
>>> *Tracking bug*
>>> https://crbug.com/355059881
>>>
>>> *Estimated milestones*
>>> Shipping on desktop 145
>>> Origin trial desktop first 135
>>> Origin trial desktop last 139
>>> Origin trial desktop first 142
>>> Origin trial desktop last 144
>>> DevTrial on desktop 135
>>>
>>> *Anticipated spec changes*
>>>
>>> Open questions about a feature may be a source of future web compat or
>>> interop issues. Please list open issues (e.g. links to known github issues
>>> in the project for the feature specification) whose resolution may
>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>> the API in a non-backward-compatible way).
>>> *No information provided*
>>>
>>> *Link to entry on the Chrome Platform Status*
>>> https://chromestatus.com/feature/5140168270413824?gate=5110303886409728
>>>
>>> *Links to previous Intent discussions*
>>> Intent to Prototype:
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/60bae138-43ee-4525-a549-461f241e9ae5n%40chromium.org
>>> Intent to Experiment:
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/515ba278-c5fc-4ee0-8e88-21f34851778an%40chromium.org
>>> Intent to Experiment:
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXLL9AD6SSyUXpDcSB9m8y9nVnnNzAMTK6qmui%3DzKnM8G_5A%40mail.gmail.com
>>>
>>>
>>> This intent message was generated by Chrome Platform Status
>>> <https://chromestatus.com>.
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion visit
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2e43fba2-6da6-4cce-817d-9dd998ccb50cn%40chromium.org
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2e43fba2-6da6-4cce-817d-9dd998ccb50cn%40chromium.org?utm_medium=email&utm_source=footer>
>> .
