Second Origin Trial Behavior Differences
Daniel Rubery edited this page Sep 8, 2025 · 3 revisions
This page gives a short summary of what sites need to do to accommodate the changes between the first and second Origin Trial. The site-visible behavior differences are tracked in this bug hotlist. We divide the changes into “no compatibility implications”, “forward compatible”, and “breaking change” so that site operators can do as much of the work as possible in advance.
No compatibility implications:

- https://crbug.com/430338388 - Federated Key Sharing
- https://crbug.com/417401759 - Debug header
- https://crbug.com/409806999 - Allow empty refresh URLs
- https://crbug.com/412265468 - Session config should be optional on refresh
- https://crbug.com/406034853 - Allow all matching sessions to attempt to refresh even if one session's refresh failed
- https://crbug.com/407549284 - JWT typ should be dbsc+jwt
- https://crbug.com/407752630 - Include sub in JWTs
- https://crbug.com/438783634 - Use cached challenges during refresh for challenge handling instead of re-reading from refresh response
- https://crbug.com/438612663 - domain and path attributes in scope rules should be optional

Forward compatible:

- https://crbug.com/433654029 - include_site should not be optional
  - Sites should specify include_site in the session config
- https://crbug.com/436634293 - Session creation should fail validation if the provided origin is a URL
  - Scope origins must be serializations of origins
- https://crbug.com/417410430 - Limit contexts for registration/challenge
  - Sites should have a bound cookie that’s available in all contexts where they want to do registration or serve challenges
- https://crbug.com/400455004 - Session creation should always fail on bad input
  - Make sure that the session config passes the new, stricter validation
- https://crbug.com/384557793 - Add support for /.well-known/ during session registration
  - For sites doing registration from a subdomain, serve a .well-known file authorizing the registration
- https://crbug.com/401184805 - Mitigated timing side channel
  - For sites depending on refresh being initiated by third-party sites, add allowed_refresh_initiators to the session config
- https://crbug.com/416191041 - Update header names in Chrome and explainer
  - Sites can serve both Sec-Session-* and Secure-Session-* headers to be forwards compatible

Breaking changes:

- https://crbug.com/407801066 - Refresh should not allow change in session id
  - Sites need to do a full re-registration instead of trying to change the session id
- https://crbug.com/442623885 - Update JWT fields
  - Sites should only depend on the fields listed in the spec after https://github.com/w3c/webappsec-dbsc/pull/216
- https://crbug.com/412265467 - Update challenge processing to use 403
  - OT2 sessions will need a 403 to get a new signature, instead of 401. Sites can’t serve both 401 and 403, so they have to pick.
- https://crbug.com/402020386 - Enforce unique session ids per site
  - Sites that had multiple sessions with the same id will need to pick a new way to generate session ids.
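To check a session config against the stricter OT2 rules listed above before deploying it, here is a small pre-flight validator. This is an added example, not Chrome's or the spec's code; field names other than include_site and allowed_refresh_initiators (session_identifier, refresh_url, scope, origin, scope_specification, type) are assumed from the explainer.

```python
"""Pre-flight validator for a DBSC session config under the OT2 rules on this page.
Added example, not Chrome or spec code. Field names other than include_site and
allowed_refresh_initiators are assumed from the DBSC explainer."""
from urllib.parse import urlsplit


def is_serialized_origin(value) -> bool:
    """OT2 rejects a URL where an origin is expected (crbug.com/436634293).
    A serialized origin is scheme://host[:port] with no path, query, fragment
    or trailing slash."""
    if not isinstance(value, str) or value.endswith("/"):
        return False
    parts = urlsplit(value)
    return (bool(parts.scheme) and bool(parts.hostname)
            and parts.path == "" and parts.query == "" and parts.fragment == "")


def validate_session_config(config: dict, known_ids: set) -> list:
    """Return validation errors for a registration config; [] means it passes.
    known_ids holds session ids already registered for this site."""
    errors = []
    sid = config.get("session_identifier")
    if not isinstance(sid, str) or not sid:
        errors.append("session_identifier is required")
    elif sid in known_ids:
        errors.append("session ids must be unique per site")  # crbug.com/402020386
    # refresh_url may be empty in OT2 (crbug.com/409806999) but must still be a string
    if "refresh_url" in config and not isinstance(config["refresh_url"], str):
        errors.append("refresh_url must be a string")
    scope = config.get("scope")
    if not isinstance(scope, dict):
        return errors + ["scope is required"]
    if not isinstance(scope.get("include_site"), bool):
        errors.append("include_site is required and must be a boolean")  # crbug.com/433654029
    if "origin" in scope and not is_serialized_origin(scope["origin"]):
        errors.append("scope origin must be a serialized origin, not a URL")
    for rule in scope.get("scope_specification", []):
        if rule.get("type") not in ("include", "exclude"):
            errors.append("scope rule type must be include or exclude")
        # domain and path are optional in OT2 (crbug.com/438612663) but typed if present
        for key in ("domain", "path"):
            if key in rule and not isinstance(rule[key], str):
                errors.append(f"scope rule {key} must be a string")
    # third-party refresh initiators must be listed explicitly (crbug.com/401184805)
    initiators = config.get("allowed_refresh_initiators", [])
    if not all(is_serialized_origin(o) for o in initiators):
        errors.append("allowed_refresh_initiators entries must be serialized origins")
    return errors
```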