Contact emails [email protected], [email protected], [email protected], [email protected], [email protected]
Explainer https://github.com/explainers-by-googlers/dbsc-js-api/tree/initial-draft Specification No information provided Summary Allows websites and Identity Providers to synchronously check the registration state of a Device Bound Session Credentials (DBSC) session. DBSC provides cryptographic protection against account hijacking by binding sessions to the user's device, but currently relies on asynchronous HTTP headers. This API provides deterministic guarantees of session establishment before granting access, enabling secure SSO handoffs and synchronous cookie issuance Blink component Blink>SecurityFeature Web Feature ID Missing feature Motivation When a server instructs the browser to start a DBSC session via HTTP headers, the frontend application is unaware of exactly when this registration completes. This asynchronous gap leads to two main challenges: 1. Premature Cookie Issuance: Relying Parties (RPs) must issue unbound authentication cookies immediately or implement complex polling mechanisms to wait for registration. 2. SSO Handoff Vulnerabilities: An Identity Provider (IdP) completing a login flow may redirect the user back to the RP before the IdP's own DBSC session is fully registered on the device. Initial public proposal https://github.com/WICG/dbsc-sso Goals for experimentation None Requires code in //chrome? False Estimated milestones No milestones specified Link to entry on the Chrome Platform Status https://chromestatus.com/feature/6212149417476096?gate=5128723742457856 This intent message was generated by Chrome Platform Status. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6a50d46c.606b822d.87713.008b.GAE%40google.com.
