Intent to Ship: Device Bound Session Credentials


Chromestatus

4:31 PM
to blin...@chromium.org, arn...@chromium.org, dru...@chromium.org, the...@chromium.org
Contact emails
dru...@chromium.org, the...@chromium.org, arn...@chromium.org

Explainer
https://github.com/w3c/webappsec-dbsc/blob/main/README.md

Specification
https://w3c.github.io/webappsec-dbsc

Summary
To enhance user security and combat session theft, Chrome is introducing [Device Bound Session Credentials (DBSC)](https://developer.chrome.com/docs/web-platform/device-bound-session-credentials). This feature allows websites to bind a user's session to their specific device, making it significantly harder for stolen session cookies to be used on other machines.

Blink component
Blink

Web Feature ID
Missing feature

Motivation
Reduce session theft by offering an alternative to long-lived cookie bearer tokens that allows session authentication bound to the user's device. This makes the web safer for users in that it is less likely their identity is abused, since malware is forced to act locally and thus becomes easier to detect and mitigate. At the same time the goal is to disrupt the cookie theft ecosystem and force it to adapt to new protections.

Initial public proposal
https://github.com/WICG/proposals/issues/106

TAG review
https://github.com/w3ctag/design-reviews/issues/1052

TAG review status
Pending

Origin Trial Name
Device Bound Session Credentials

Chromium Trial Name
DeviceBoundSessionCredentials

Origin Trial documentation link
https://github.com/w3c/webappsec-dbsc/blob/main/README.md

WebFeature UseCounter name
kDeviceBoundSessionRegistered

Origin Trial Name
Device Bound Session Credentials 2

Chromium Trial Name
DeviceBoundSessionCredentials2

Origin Trial documentation link
https://github.com/w3c/webappsec-dbsc/blob/main/README.md

WebFeature UseCounter name
kDeviceBoundSessionRequestInScope

Risks


Interoperability and Compatibility
No information provided

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/912)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/281)

Web developers: Positive (https://github.com/mozilla/standards-positions/issues/912#issuecomment-2204012985)

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No information provided


Debuggability
No information provided

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
The initial support for TPMs is Windows-only. This feature will eventually support all platforms, as we integrate with the OS-specific key generation/usage mechanisms.

Is this feature fully tested by web-platform-tests?
No


Flag name on about://flags
enable-standard-device-bound-session-credentials, enable-standard-device-bound-session-persistence, enable-standard-device-bound-session-credentials-refresh quota

Finch feature name
DeviceBoundSessions

Rollout plan
Will ship enabled for all users

Requires code in //chrome?
False

Tracking bug
https://crbug.com/355059881

Estimated milestones
Shipping on desktop: 145
Origin trial desktop first: 135
Origin trial desktop last: 139
Origin trial desktop first: 142
Origin trial desktop last: 144
DevTrial on desktop: 135


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

No information provided

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5140168270413824?gate=5110303886409728

Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/60bae138-43ee-4525-a549-461f241e9ae5n%40chromium.org
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/515ba278-c5fc-4ee0-8e88-21f34851778an%40chromium.org
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXLL9AD6SSyUXpDcSB9m8y9nVnnNzAMTK6qmui%3DzKnM8G_5A%40mail.gmail.com


This intent message was generated by Chrome Platform Status.

Daniel Rubery

4:56 PM
to blink-dev, Chromestatus, arn...@chromium.org, dru...@chromium.org, the...@chromium.org
One correction here: our web platform tests are now complete.

Rick Byers

5:04 PM
to Daniel Rubery, blink-dev, Chromestatus, arn...@chromium.org, the...@chromium.org
Very happy to see this shipping! Just a couple questions.

On Fri, Feb 6, 2026 at 4:56 PM Daniel Rubery <dru...@chromium.org> wrote:
> One correction here: our web platform tests are now complete.

Thanks! Have a wpt.fyi URL? 

On Friday, February 6, 2026 at 1:31:57 PM UTC-8 Chromestatus wrote:
> TAG review status
> Pending

Please correct this to unsatisfied. 

I read the TAG feedback and interpret it as preferring a different architecture than what our customers have told us they prefer. Does that seem right? Or is there another reason why we disagree on the suggestion to prefer a lower-level design?

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2e43fba2-6da6-4cce-817d-9dd998ccb50cn%40chromium.org.

Daniel Rubery

5:16 PM
to Rick Byers, blink-dev, Chromestatus, arn...@chromium.org, the...@chromium.org
> Thanks! Have a wpt.fyi URL?

Here are our tests: https://wpt.fyi/results/device-bound-session-credentials?label=experimental&label=master&aligned. It seems there's something wrong with the harness there, so we'll look into that. (My guess is that it's a result of DBSC being Finch-controlled and using a VirtualTestSuite, which would improve the moment we ship.)

> Please correct this to unsatisfied.

> I read the TAG feedback and interpret it as preferring a different architecture than what our customers have told us they prefer. Does that seem right? Or is there another reason why we disagree on the suggestion to prefer a lower-level design?

Corrected to "Issues open" (I don't see an Unsatisfied option). Your understanding is correct. We believe that the higher-level design makes it easier to deploy and more extensible for the future. Feedback from our Origin Trials certainly supports the ease of deployment.
