Intent to Prototype: Device Bound Session Credentials (DBSC) JavaScript API

21 views
Skip to first unread message

Chromestatus

unread,
7:16 AM (3 hours ago) 7:16 AM
to blin...@chromium.org, amrabo...@google.com, alex...@chromium.org, amrabo...@chromium.org, ant...@google.com, dbsc...@google.com, sbo...@google.com
Contact emails
amrabo...@chromium.org, alex...@chromium.org, ant...@google.com, sbo...@google.com, dbsc...@google.com

Explainer
https://github.com/explainers-by-googlers/dbsc-js-api/tree/initial-draft

Specification
No information provided

Summary
Allows websites and Identity Providers to synchronously check the registration state of a Device Bound Session Credentials (DBSC) session. DBSC provides cryptographic protection against account hijacking by binding sessions to the user's device, but currently relies on asynchronous HTTP headers. This API provides deterministic guarantees of session establishment before granting access, enabling secure SSO handoffs and synchronous cookie issuance

Blink component
Blink>SecurityFeature

Web Feature ID
Missing feature

Motivation
When a server instructs the browser to start a DBSC session via HTTP headers, the frontend application is unaware of exactly when this registration completes. This asynchronous gap leads to two main challenges: 1. Premature Cookie Issuance: Relying Parties (RPs) must issue unbound authentication cookies immediately or implement complex polling mechanisms to wait for registration. 2. SSO Handoff Vulnerabilities: An Identity Provider (IdP) completing a login flow may redirect the user back to the RP before the IdP's own DBSC session is fully registered on the device.

Initial public proposal
https://github.com/WICG/dbsc-sso

Goals for experimentation
None

Requires code in //chrome?
False

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6212149417476096?gate=5128723742457856

This intent message was generated by Chrome Platform Status.
Reply all
Reply to author
Forward
0 new messages