- From: Martin Thomson <notifications@github.com>
- Date: Mon, 02 Jun 2025 17:07:26 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/pull/1094/review/2890232008@github.com>
@martinthomson commented on this pull request.

> +Consider that a site could serve up HTML for `/foo/page.html`, +which might be able to recognize that the cookie is due for a refresh. +The response could forcibly expire the cookie +and force a fetch for a resource at `/foo/bar` in the background. +That fetch would cause the session refresh to occur, +without necessarily delaying the page load. + +A similar approach is possible under the alternative design. +Any resource could accept a cookie that the server wants to refresh +if that resource is less critical to protect. +This is more flexible because it is not tied to specific path prefixes. +It could instead be for other reasons, +such as whether the request is for protected information or actions. +Resources can then trigger asynchronous fetches to refresh cookies, +ahead of when any critical resources need to be fetched. +

```suggestion
#### Clearing State

The explainer suggests that `Clear-Site-Data` with either the `cookies` or `storage` tokens causes the session to terminate.
We think that if this is logically a cookie, then only the `cookies` token needs to act on that state.
It might be reasonable to specify a new token for clearing the signature key, so that cookies might be cleared independently.
As the original proposal didn't include that option, we haven't either.
We can see how the DBSC(E) extension — which has a more complex enrollment process — might benefit from key retention.
```
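
Review bot: In the first added paragraph, "which might be able to recognize that the cookie is due for a refresh" has no clear subject: it could refer to the site, the HTML, or the page itself, while the next sentence ("The response could forcibly expire the cookie") implies the server is the one acting. Naming the actor explicitly, for example "and the server might recognize that the cookie is due for a refresh", would remove the ambiguity. The second paragraph has the same issue at "It could instead be for other reasons": state what "It" is, presumably the decision about which resources accept a cookie that is due for refresh, so the contrast with "specific path prefixes" reads clearly.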
Received on Tuesday, 3 June 2025 00:07:30 UTC