DBSC Origin Trial

[Daniel Rubery]

Device Bound Session Credentials (DBSC) has officially begun an Origin Trial! This allows you to test DBSC on real user machines. The trial is running in Chrome version M135 and above, which begins its rollout to Stable on April 1, and is already available on Chrome Canary, Dev, and Beta. We have scheduled the trial to run through M139, so it ends with the M140 release in early September. At this time, we only have support for Windows machines with Trusted Platform Modules (TPM).

It’s strongly recommended that you start with some manual developer testing by following the steps at https://github.com/w3c/webappsec-dbsc/wiki/Testing-early-versions-of-DBSC. Note that DevTools integration is not complete yet, so debugging must be done through a combination of Chrome histograms and net logging. The explainer and draft spec are useful references here.

Once manual developer testing is working, the only changes needed to support DBSC for real users is to get an Origin Trial token at https://developer.chrome.com/origintrials/#/view_trial/3911939226324697089. This token should be added to any pages serving DBSC headers (Sec-Session-Registration and the use of Sec-Session-Challenge for caching challenges), but it is not necessary on the refresh and registration endpoints.

We’re excited to hear any feedback about the ergonomics of the header-based API. Please open issues on the Github repo if you’re having trouble or have feedback.

Thanks,

DBSC team