Contact emails
drub...@chromium.org, thef...@chromium.org, arn...@chromium.org

Explainer
https://github.com/w3c/webappsec-dbsc/blob/main/README.md

Specification
https://w3c.github.io/webappsec-dbsc

Summary
A way for websites to securely bind a session to a single device. It will let servers have a session be securely bound to a device. The browser will renew the session periodically as requested by the server, with proof of possession of a private key.

Blink component
Blink <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%22>

TAG review
https://github.com/w3ctag/design-reviews/issues/1052

TAG review status
Pending

Origin Trial Name
Device Bound Session Credentials 2

Chromium Trial Name
DeviceBoundSessionCredentials2

Origin Trial documentation link
https://github.com/w3c/webappsec-dbsc/blob/main/README.md

WebFeature UseCounter name
kDeviceBoundSessionRegistered

Risks

Interoperability and Compatibility

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/912)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/281)

Web developers: Positive (https://github.com/mozilla/standards-positions/issues/912#issuecomment-2204012985)

Other signals:

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

Goals for experimentation
We've added new functionality for securing SSO (https://w3c.github.io/webappsec-dbsc/#federated-sessions), along with a new cross-site side channel protection (https://w3c.github.io/webappsec-dbsc/#json-session-instructions-allowed_refresh_initiators). We'd like to validate that these features meet site owner needs before shipping DBSC.

Ongoing technical constraints

Debuggability

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
The initial support for TPMs is Windows-only. This feature will eventually support all platforms, as we integrate with the OS-specific key generation/usage mechanisms.

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
No

Flag name on about://flags
enable-standard-device-bound-session-credentials, enable-standard-device-bound-session-persistence, enable-standard-device-bound-session-credentials-refresh quota

Finch feature name
DeviceBoundSessions

Requires code in //chrome?
False

Estimated milestones
Shipping on desktop: 145
Origin trial desktop first: 135
Origin trial desktop last: 139
Origin trial desktop first: 142
Origin trial desktop last: 144
DevTrial on desktop: 135

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5140168270413824?gate=5111520589643776

Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/60bae138-43ee-4525-a549-461f241e9ae5n%40chromium.org
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/515ba278-c5fc-4ee0-8e88-21f34851778an%40chromium.org

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.