danmarg
That's fair. I think my answer was over-indexing on Google's use case to some extent. For the case where a provider a) limits users to bound sessions and b) limits...
Most Windows machines _today_ do not have the capabilities for VBS--Statista tells me that Win11 is about 25% of Windows users (and there are [additional](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) hardware requirements for VBS, but...
Thanks for that. Yes, you can do counters or timestamps.[^1] However, those fundamentally alter the threat model: an attacker can now pregenerate signed responses while having temporary access to the...
Yep, totally agreed that we should document this. And to be clear, I think we can optimize away some of those extra round trips by opportunistically serving "upcoming challenges" in...
I am not 100% sure I follow this conversation (and sorry for not responding earlier). I *think* the question is, "How does DBSC actually demotivate stealing the cookies, even though...
What do you mean by "a special header in the request?" In which request? Maybe easier to illustrate with an example. :)
Uh oh. As I read this, I think I've stepped into a can of worms. Three observations: 1. The explainer also contains this: `The server can also serve challenges ahead...
Oh, and to my comment

> On the other hand, point 2 suggests to me that it's important that unexpected errors from refresh trigger DBSC session termination

I think this...
@MattMenke2 I might be misreading you, but just to reiterate one point which may or may not be clear: as described [here](https://github.com/WICG/dbsc?tab=readme-ov-file#refresh-procedure), the `Sec-Session-Challenge` header is (normally) served *on refresh...
Yes, your point is similar to mine: the client knows this is a special “refresh” request, so the specific response code isn’t too important, as you say. On Thu, Sep...