Proposing a feature ID for Device Bound Session Credentials

[drubery]

Specification

https://w3c.github.io/webappsec-dbsc/

Description

A protocol for sites to regularly request proof of possession of a private key. When user agents store key pairs in a TPM, this allows for a strong protection against cookie theft.

Documentation

https://developer.chrome.com/docs/web-platform/device-bound-session-credentials

Browser support

As of 2026-02-16, shipped in Chrome https://chromestatus.com/feature/5140168270413824

[ddbeck]

Thanks for filing this issue, @drubery.

I'm thinking aloud here about how to mint this feature:

If I'm reading the Chrome Platform Status entry correctly, it appears that this shipped for Windows only in Chrome 145. And it looks to be shipping for macOS in Chrome 147.

I suppose this needs new browser-compat-data (BCD) keys for these headers:

• Secure-Session-Challenge
• Secure-Session-Registration
• Sec-Secure-Session-Id
• Secure-Session-Response
• Secure-Session-Skipped

Since they're currently OS-limited, this will probably start out marked as partially implemented in BCD.

The description in web-features is likely to be something like:

Device bound session credentials is a protocol to request proof of possession of a private key held in a Trusted Platform Module (TPM). Regularly confirming key possession can help protect against cookie theft.

[drubery]

Partially-implemented sounds reasonable to me. Our spec does not require user agents to use a TPM though, so can we strike the words "held in a Trusted Platform Module"? Otherwise I'm also happy with that description.

We also have two more headers for DBSC: Secure-Session-Challenge and Secure-Session-Skipped.

[ddbeck]

I sent mdn/browser-compat-data#29161 upstream, to capture the support information.