Intent to Experiment: Device Bound Session Credentials


Daniel Rubery

Aug 25, 2025, 7:21:20 PM (10 days ago) Aug 25
to blin...@chromium.org

Contact emails

dru...@chromium.org, the...@chromium.org, arn...@chromium.org


Explainer

https://github.com/w3c/webappsec-dbsc/blob/main/README.md


Specification

https://w3c.github.io/webappsec-dbsc


Summary

A way for websites to securely bind a session to a single device.


It will let servers have a session be securely bound to a device. The browser will renew the session periodically as requested by the server, with proof of possession of a private key.



Blink component

Blink


TAG review

https://github.com/w3ctag/design-reviews/issues/1052


TAG review status

Pending


Origin Trial Name

Device Bound Session Credentials 2


Chromium Trial Name

DeviceBoundSessionCredentials2


Origin Trial documentation link

https://github.com/w3c/webappsec-dbsc/blob/main/README.md


WebFeature UseCounter name

kDeviceBoundSessionRegistered



Risks



Interoperability and Compatibility



Gecko: No signal (https://github.com/mozilla/standards-positions/issues/912)


WebKit: No signal (https://github.com/WebKit/standards-positions/issues/281)


Web developers: Positive (https://github.com/mozilla/standards-positions/issues/912#issuecomment-2204012985)


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?



Goals for experimentation

We've added new functionality for securing SSO (https://w3c.github.io/webappsec-dbsc/#federated-sessions), along with a new cross-site side channel protection (https://w3c.github.io/webappsec-dbsc/#json-session-instructions-allowed_refresh_initiators). We'd like to validate that these features meet site owner needs before shipping DBSC.


Ongoing technical constraints



Debuggability



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

The initial support for TPMs is Windows-only. This feature will eventually support all platforms, as we integrate with the OS-specific key generation/usage mechanisms.



Is this feature fully tested by web-platform-tests?

No


Flag name on about://flags

enable-standard-device-bound-session-credentials, enable-standard-device-bound-session-persistence, enable-standard-device-bound-session-credentials-refresh quota


Finch feature name

DeviceBoundSessions


Requires code in //chrome?

False


Estimated milestones

Shipping on desktop

145

Origin trial desktop first

135

Origin trial desktop last

139

Origin trial desktop first

142

Origin trial desktop last

144

DevTrial on desktop

135



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5140168270413824?gate=5111520589643776


Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/60bae138-43ee-4525-a549-461f241e9ae5n%40chromium.org

Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/515ba278-c5fc-4ee0-8e88-21f34851778an%40chromium.org



This intent message was generated by Chrome Platform Status.
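The renewal described in the summary above, as an added illustration that is not code from the DBSC spec, the explainer or Chromium: the server keeps the device public key registered when the session was created and hands out a fresh challenge; the device signs a digest over session id, challenge and origin with a private key that never leaves it; the server verifies the signature against the registered key and consumes the challenge, so a captured proof cannot be replayed and a proof made for another origin or with another key is rejected. The Session type, proofDigest, the "|"-joined digest and the sess-1 / example.test values are constructed assumptions, not the spec's wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Session is the server-side record: the device public key registered at session creation
// plus the single outstanding refresh challenge. Constructed illustration, not the spec's wire format.
type Session struct {
	ID, Origin string
	Key        *ecdsa.PublicKey
	challenge  string
}

// Challenge issues a fresh random nonce that the client must sign to refresh.
func (s *Session) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand, documented never to return an error in current Go
	s.challenge = fmt.Sprintf("%x", b)
	return s.challenge
}

// proofDigest ties the signature to session, challenge and origin, so a proof captured
// from one exchange is useless in any other; the client signs this with its device key.
func proofDigest(id, challenge, origin string) []byte {
	h := sha256.Sum256([]byte(id + "|" + challenge + "|" + origin))
	return h[:]
}

// Refresh accepts a proof at most once per challenge and only from the registered key.
func (s *Session) Refresh(challenge string, sig []byte) bool {
	if s.challenge == "" || challenge != s.challenge {
		return false
	}
	s.challenge = "" // consumed: replaying the same proof now fails the check above
	return ecdsa.VerifyASN1(s.Key, proofDigest(s.ID, challenge, s.Origin), sig)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // held by the device, never exported
	s := &Session{ID: "sess-1", Origin: "https://example.test", Key: &key.PublicKey}
	c := s.Challenge()
	sig, _ := ecdsa.SignASN1(rand.Reader, key, proofDigest(s.ID, c, s.Origin)) // client side
	fmt.Println(s.Refresh(c, sig), s.Refresh(c, sig)) // true false
}
```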


Mike Taylor

Aug 26, 2025, 5:29:35 AM (10 days ago) Aug 26
to Daniel Rubery, blink-dev

LGTM to experiment from M142 to M144.
