Dick Hardt

24 issues opened by Dick Hardt

If the app can claim and own a URI on a platform, it MUST use that mechanism

An attacker could potentially pass a client-generated parameter that is too long for the server. Should this be mentioned in security considerations, or would that be considered a general...

It seems like it would be beneficial for the OAuth 2 pattern of separate access and refresh flows to fit into the DBSC pattern. In this separation, the policy of...

As I understand it, refreshing the cookies requires the browser to acquire a new challenge, sign it, and then present it. While the server can respond with a `Sec-Session-Challenge` header...

Per JWT best practices, explicitly type the JWT, such as `"typ":"dbsc+jwt"`; see https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing

Unclear what the `excluded scope` property is in the credentials response from the server and how it applies to the cookies

It looks like there was thought to have a Login Status API? https://github.com/WICG/dbsc?tab=readme-ov-file#login-status-api This seems like it could be useful for web frameworks that have a login status in their...

To remove latency from calling APIs where the cookie has expired and the browser does the refresh, adding latency, I would likely set a timer to POST to /securesession/refresh on...