Re: [w3ctag/design-reviews] Early Design Review for Device Bound Session Credentials (Issue #1052)

drubery left a comment (w3ctag/design-reviews#1052)

Thanks to the TAG for discussion at the WebAppSec meeting! We had one action item on our side to work through decoupling some of the DBSC behaviors:
- Indicating a scope of requests to be signed instead of just one URL
- Making proactive refresh built into the spec to accommodate something like "stale-while-revalidate"

Given DBSC config is a JSON schema, these are just some new keys in the config and thinking through the defaults. We'll come back with a concrete suggestion shortly. In the meantime, I wanted to reiterate one point from Arnar that is important but I hadn't communicated previously.

Not all requests are unchanged by redirecting to the challenge endpoint and back. In particular, form submission is very commonly a POST request with a body. On redirect, that body will have to be preserved somewhere on the server side, and discarded if authorization fails. This is a large cost for site operators since it's significant new behavior on endpoints that handle the request body. With DBSC as we've spec'd it, we don't have that complexity because we choose to defer the POST request.

Do you agree with our estimation of the costs of redirect-based flows? Does deferral fit into your Signed cookie proposal?



Received on Thursday, 24 July 2025 17:07:34 UTC