dbsc

Results 51 dbsc issues

The concept of DBSC seems very interesting from the point of view of protecting users from cookie theft. Although, I came up with two questions regarding the server side....

In the first JWT, it looks like `"jti": "nonce"` should be `"jti": "challenge from Sec-Session-Challenge header"`. `"key":"public key"` is vague. Perhaps use a `jwk`? Why is the session ID not...

Hello Team, I may be wrong, but I wanted to understand why IP address binding to a cookie can't be enough to solve this problem? Server maintains a cookie with the...

The draft proposal currently specifies: > This API—which allows background "pings" to the refresh endpoint when the user is not directly active—must not enable long-term tracking of a user when...

I'm not sure exactly how I'd be able to assist in such an endeavor, but I'd like to throw my hat in the ring for support. Session cookies are part...

This scheme is a little bit redundant for redirect-based auth. We need an extra roundtrip to initiate the binding, but we can save this roundtrip if we remember...

In startsession we deliver the authorization artifact in two different ways: as an Authorization header and as part of the JWT body. https://github.com/WICG/dbsc?tab=readme-ov-file#start-session I think we need to have one way of doing...

We are planning an origin trial for DBSC towards the end of 2024. If you're interested in signing up for this you can subscribe to this issue and we...

This seems only tangentially related to the rest of the document so maybe it deserves a more detailed explanation: > ### Interaction with Inactive Documents (BFCache, Prerendering) > When a...

I interpret Non-Goal as "If OS supports the device binding, it should be secure, otherwise - no". However, it is not clear to me, and I believe should be explicitly...