Merge pull request #2166 from w3c/issue-2113-rp-ops-crossOrigin

Validate CollectedClientData.crossOrigin in RP ops
w3c · Oct 28, 2024 · 3c506d4 · 3c506d4
2 parents d6b0d2c + aa8728a
commit 3c506d4
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/index.bs b/index.bs
@@ -5948,6 +5948,10 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
       See [[#sctn-validating-origin]] for guidance.
     </li>
 
+1. If <code>|C|.{{CollectedClientData/crossOrigin}}</code> is present and set to [TRUE],
+    verify that the [=[RP]=] expects that this credential would have been created within an iframe
+    that is not [=same-origin with its ancestors=].
+
 1. If <code>|C|.{{CollectedClientData/topOrigin}}</code> is present:
 
     1. Verify that the [=[RP]=] expects that this credential would have been created within an iframe that is
@@ -6179,6 +6183,9 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
       See [[#sctn-validating-origin]] for guidance.
     </li>
 
+1. If <code>|C|.{{CollectedClientData/crossOrigin}}</code> is present and set to [TRUE],
+    verify that the [=[RP]=] expects this credential to be used within an iframe that is not [=same-origin with its ancestors=].
+
 1. If <code>|C|.{{CollectedClientData/topOrigin}}</code> is present:
 
     1. Verify that the [=[RP]=] expects this credential to be used within an iframe that is not [=same-origin with its ancestors=].