Re: [dbsc] ... session ID from Daniel Rubery on 2025-10-03 (public-webappsec@w3.org from October 2025)

From: Daniel Rubery <drubery@google.com>
Date: Fri, 3 Oct 2025 11:58:26 -0700
To: Web Application Security Working Group <public-webappsec@w3.org>
Message-ID: <CAB3P8h_wXb6sy2Uqmgy2BPgKCFXWH6HP_eQ3sCzq5wqB4Bx+_g@mail.gmail.com>

Thanks for the feedback! I do think there's some overlap between FedCM
session and Device Bound Session, given that they are both attempting to
codify a more abstract notion of "login session". Longer-term, I could see
some integration between the two (perhaps FedCM can start a DBSC session?).
But neither can fully subsume the other, given that FedCM focuses on
federated login, and DBSC is focused on preventing cookie theft.

I don't think there's a high risk of confusion with media session or LLM
session, unless those start having login/authentication implications. The
term "session" there is used in a very different context than "session" for
DBSC.

Received on Friday, 3 October 2025 18:58:43 UTC