Description
As part of an effort to reduce the blast radius of cookie theft, a recent proposal called Device Bound Session Credentials aims to enable service providers to have very short session cookie lifetimes, and revalidate them using DBSC without bothering the user (at a cost of a potentially-preflighted round trip).
That’s great, as short-lived cookies are less-exploitable cookies, e.g. in cases where the user has local malware on their machine.
However, AFAICT, that doesn’t work well for FedCM. If the IDP’s session cookie has expired, the only option to renew the cookie is through a user-visible modal, which would create a sub-optimal user experience and add a lot of friction.
Would it be possible to create an IDP cookie renewal flow that doesn’t require a user-facing modal?
From a security perspective, that seems fine, as cookie expiration times are at the discretion of the IDP, so performing renewals without a modal doesn’t seem to degrade the user’s security, and will enable short-lived cookies which would augment it. We will of course need to distinguish cookie expiration from e.g. server-side cookie invalidation.
Thoughts?
/cc @gioele-antoci
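An added example, not code from this issue or from the FedCM/DBSC specs, of the distinction the last paragraph asks for: an IdP-side session check that separates an expired-but-otherwise-good session (renewable without a user-visible step) from a revoked or unrecognised one (which must fall back to a sign-in). The in-memory store, the `<id>.<hmac>` cookie format and all names are assumptions, and it does not model DBSC's device-key proof, only the expiry-versus-invalidation decision.

```python
import hashlib
import hmac
import secrets
from enum import Enum
from typing import Dict, Optional


class SessionState(Enum):
    VALID = "valid"      # within lifetime: serve the request
    EXPIRED = "expired"  # lifetime passed, nothing else wrong: renew without a modal
    REVOKED = "revoked"  # invalidated server-side (sign-out, password change): user must sign in
    UNKNOWN = "unknown"  # bad signature or unknown id: handle like REVOKED


class IdpSessionStore:
    """Assumed in-memory IdP store; cookie is '<id>.<hmac>'; entry is [user, expires_at, revoked]."""

    def __init__(self, secret: bytes, ttl_seconds: float):
        self.secret, self.ttl = secret, ttl_seconds
        self.sessions: Dict[str, list] = {}

    def _sign(self, sid: str) -> str:
        return hmac.new(self.secret, sid.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, now: float) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = [user, now + self.ttl, False]
        return f"{sid}.{self._sign(sid)}"

    def revoke(self, cookie: str) -> None:
        sid = cookie.partition(".")[0]
        if sid in self.sessions:
            self.sessions[sid][2] = True

    def classify(self, cookie: str, now: float) -> SessionState:
        sid, _, mac = cookie.partition(".")
        # constant-time compare: a forged or mangled cookie is rejected before any lookup
        if not hmac.compare_digest(mac.encode(), self._sign(sid).encode()) or sid not in self.sessions:
            return SessionState.UNKNOWN
        _user, expires_at, revoked = self.sessions[sid]
        if revoked:
            return SessionState.REVOKED
        return SessionState.EXPIRED if now >= expires_at else SessionState.VALID

    def renew_silently(self, cookie: str, now: float) -> Optional[str]:
        """Fresh short-lived cookie for VALID or EXPIRED sessions; None means the
        caller must fall back to a user-visible sign-in (revoked or unknown)."""
        if self.classify(cookie, now) not in (SessionState.VALID, SessionState.EXPIRED):
            return None
        user = self.sessions.pop(cookie.partition(".")[0])[0]  # rotate: the old id stops working
        return self.issue(user, now)
```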