Contact emails
[email protected], [email protected], [email protected], 
[email protected], [email protected]


Explainer
https://github.com/explainers-by-googlers/dbsc-js-api/tree/initial-draft


Specification
No information provided


Summary
Allows websites and Identity Providers to synchronously check the registration 
state of a Device Bound Session Credentials (DBSC) session. DBSC provides 
cryptographic protection against account hijacking by binding sessions to the 
user's device, but currently relies on asynchronous HTTP headers. This API 
provides deterministic guarantees of session establishment before granting 
access, enabling secure SSO handoffs and synchronous cookie issuance


Blink component
Blink>SecurityFeature


Web Feature ID
Missing feature


Motivation
When a server instructs the browser to start a DBSC session via HTTP headers, 
the frontend application is unaware of exactly when this registration 
completes. This asynchronous gap leads to two main challenges: 1. Premature 
Cookie Issuance: Relying Parties (RPs) must issue unbound authentication 
cookies immediately or implement complex polling mechanisms to wait for 
registration. 2. SSO Handoff Vulnerabilities: An Identity Provider (IdP) 
completing a login flow may redirect the user back to the RP before the IdP's 
own DBSC session is fully registered on the device.


Initial public proposal
https://github.com/WICG/dbsc-sso


Goals for experimentation
None


Requires code in //chrome?
False


Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6212149417476096?gate=5128723742457856


This intent message was generated by Chrome Platform Status.

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6a50d46c.606b822d.87713.008b.GAE%40google.com.

Reply via email to