w3c
diff --git a/‎ed/algorithms/webauthn-3.json
Lines changed: 19 additions & 7 deletions b/‎ed/algorithms/webauthn-3.json
Lines changed: 19 additions & 7 deletions
diff --git a/‎ed/ids/webauthn-3.json
Lines changed: 20 additions & 17 deletions b/‎ed/ids/webauthn-3.json
Lines changed: 20 additions & 17 deletions
@@ -1339,7 +1339,7 @@
         {
           "html": "<p>The inputs to the algorithm are:</p>",
           "ignored": [
-            "A bytestring, clientDataJSON, that contains clientDataJSON — the serialized CollectedClientData that is to be verified. A string, type, that contains the expected type. A byte string, challenge, that contains the challenge byte string that was given in the PublicKeyCredentialRequestOptions or PublicKeyCredentialCreationOptions. A string, origin, that contains the expected origin that issued the request to the user agent. A boolean, crossOrigin, that is true if, and only if, the request should have been performed within a cross-origin iframe."
+            "A bytestring, clientDataJSON, that contains clientDataJSON — the serialized CollectedClientData that is to be verified. A string, type, that contains the expected type. A byte string, challenge, that contains the challenge byte string that was given in the PublicKeyCredentialRequestOptions or PublicKeyCredentialCreationOptions. A string, origin, that contains the expected origin that issued the request to the user agent. An optional string, topOrigin, that contains the expected topOrigin that issued the request to the user agent, if available. A boolean, requireTopOrigin, that is true if, and only if, the verification should fail if topOrigin is defined and the topOrigin attribute is not present in clientDataJSON. This means that the verification algorithm is backwards compatible with the JSON-compatible serialization algorithm in Web Authentication Level 2 [webauthn-2-20210408] if, and only if, requireTopOrigin is false."
           ]
         },
         {
@@ -1370,16 +1370,28 @@
           "html": "<p>Append 0x2c2263726f73734f726967696e223a (<code>,\"crossOrigin\":</code>) to <var>expected</var>.</p>"
         },
         {
-          "html": "If <var>crossOrigin</var> is true:",
+          "html": "If <var>topOrigin</var> is defined:",
           "rationale": "append",
           "steps": [
             {
               "html": "<p>Append 0x74727565 (<code>true</code>) to <var>expected</var>.</p>"
+            },
+            {
+              "html": "If <var>requireTopOrigin</var> is true\nor if 0x2c22746f704f726967696e223a (<code>,\"topOrigin\":</code>) is a prefix\nof the substring of <var>clientDataJSON</var> beginning at the offset equal to the length of <var>expected</var>:",
+              "rationale": "append",
+              "steps": [
+                {
+                  "html": "<p>Append 0x2c22746f704f726967696e223a (<code>,\"topOrigin\":</code>) to <var>expected</var>.</p>"
+                },
+                {
+                  "html": "<p>Append <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#ccdtostring\" id=\"ref-for-ccdtostring⑦\">CCDToString</a>(<var>topOrigin</var>) to <var>expected</var>.</p>"
+                }
+              ]
             }
           ]
         },
         {
-          "html": "Otherwise, i.e. <var>crossOrigin</var> is false:",
+          "html": "Otherwise, i.e. <var>topOrigin</var> is not defined:",
           "rationale": "append",
           "steps": [
             {
@@ -1785,14 +1797,14 @@
           "html": "<a class=\"self-link\" href=\"https://w3c.github.io/webauthn/#rp-op-registering-a-new-credential-step-origin\"></a> Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-origin\" id=\"ref-for-dom-collectedclientdata-origin⑦\">origin</a></code></code> is an <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①④\">origin</a> expected by the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②④⑨\">Relying Party</a>.\n  See <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance."
         },
         {
-          "html": "If <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin⑦\">topOrigin</a></code></code> is present:",
+          "html": "If <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin⑨\">topOrigin</a></code></code> is present:",
           "rationale": "verify",
           "steps": [
             {
               "html": "<p>Verify that the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑤⓪\">Relying Party</a> expects that this credential would have been created within an iframe that is\nnot <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors\" id=\"ref-for-same-origin-with-its-ancestors④\">same-origin with its ancestors</a>.</p>"
             },
             {
-              "html": "<p>Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin⑧\">topOrigin</a></code></code> matches the <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①⑤\">origin</a> of a page\nthat the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑤①\">Relying Party</a> expects to be sub-framed within.\nSee <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance.</p>"
+              "html": "<p>Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin①⓪\">topOrigin</a></code></code> matches the <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①⑤\">origin</a> of a page\nthat the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑤①\">Relying Party</a> expects to be sub-framed within.\nSee <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance.</p>"
             }
           ]
         },
@@ -1909,14 +1921,14 @@
           "html": "<a class=\"self-link\" href=\"https://w3c.github.io/webauthn/#rp-op-verifying-assertion-step-origin\"></a> Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-origin\" id=\"ref-for-dom-collectedclientdata-origin⑧\">origin</a></code></code> is an <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①⑥\">origin</a> expected by the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑦⑤\">Relying Party</a>.\n  See <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance."
         },
         {
-          "html": "If <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin⑨\">topOrigin</a></code></code> is present:",
+          "html": "If <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin①①\">topOrigin</a></code></code> is present:",
           "rationale": "verify",
           "steps": [
             {
               "html": "<p>Verify that the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑦⑥\">Relying Party</a> expects this credential to be used within an iframe that is not <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors\" id=\"ref-for-same-origin-with-its-ancestors⑤\">same-origin with its ancestors</a>.</p>"
             },
             {
-              "html": "<p>Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin①⓪\">topOrigin</a></code></code> matches the <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①⑦\">origin</a> of a page\nthat the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑦⑦\">Relying Party</a> expects to be sub-framed within.\nSee <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance.</p>"
+              "html": "<p>Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin①②\">topOrigin</a></code></code> matches the <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①⑦\">origin</a> of a page\nthat the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑦⑦\">Relying Party</a> expects to be sub-framed within.\nSee <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance.</p>"
             }
           ]
         },
 
@@ -3263,17 +3263,19 @@
     "https://w3c.github.io/webauthn/#ref-for-dictdef-publickeycredentialrequestoptions%E2%91%A0%E2%93%AA",
     "https://w3c.github.io/webauthn/#ref-for-dictdef-publickeycredentialcreationoptions%E2%91%A6",
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-origin%E2%91%A4",
-    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A5",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A6",
     "https://w3c.github.io/webauthn/#ref-for-ccdtostring%E2%91%A3",
     "https://w3c.github.io/webauthn/#ref-for-base64url-encoding%E2%91%A1%E2%91%A0",
     "https://w3c.github.io/webauthn/#ref-for-ccdtostring%E2%91%A4",
     "https://w3c.github.io/webauthn/#ref-for-ccdtostring%E2%91%A5",
+    "https://w3c.github.io/webauthn/#ref-for-ccdtostring%E2%91%A6",
     "https://w3c.github.io/webauthn/#clientdatajson-development",
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-type%E2%91%A5",
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-challenge%E2%91%A4",
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-origin%E2%91%A5",
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-crossorigin%E2%91%A5",
-    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A5",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A7",
     "https://w3c.github.io/webauthn/#ref-for-dictdef-collectedclientdata%E2%91%A0%E2%91%A0",
     "https://w3c.github.io/webauthn/#ref-for-dictdef-collectedclientdata%E2%91%A0%E2%91%A1",
     "https://w3c.github.io/webauthn/#enum-credentialType",
@@ -3515,12 +3517,12 @@
     "https://w3c.github.io/webauthn/#ref-for-abstract-opdef-request-a-credential%E2%91%A0",
     "https://w3c.github.io/webauthn/#sctn-iframe-guidance",
     "https://w3c.github.io/webauthn/#ref-for-web-authentication-api%E2%91%A0%E2%91%A4",
+    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element",
     "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A0",
-    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A1",
     "https://w3c.github.io/webauthn/#ref-for-web-authentication-api%E2%91%A0%E2%91%A5",
     "https://w3c.github.io/webauthn/#ref-for-dom-publickeycredential-discoverfromexternalsource-slot%E2%91%A0%E2%91%A1",
     "https://w3c.github.io/webauthn/#ref-for-attr-iframe-allow",
-    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A2",
+    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A1",
     "https://w3c.github.io/webauthn/#ref-for-publickey-credentials-get-feature",
     "https://w3c.github.io/webauthn/#ref-for-attr-iframe-allow%E2%91%A0",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A0%E2%91%A8%E2%91%A2",
@@ -4645,10 +4647,10 @@
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-origin%E2%91%A6",
     "https://w3c.github.io/webauthn/#ref-for-concept-origin%E2%91%A0%E2%91%A3",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A1%E2%91%A3%E2%91%A8",
-    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A6",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A8",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A1%E2%91%A4%E2%93%AA",
     "https://w3c.github.io/webauthn/#ref-for-same-origin-with-its-ancestors%E2%91%A3",
-    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A7",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%93%AA",
     "https://w3c.github.io/webauthn/#ref-for-concept-origin%E2%91%A0%E2%91%A4",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A1%E2%91%A4%E2%91%A0",
     "https://w3c.github.io/webauthn/#ref-for-dom-authenticatorresponse-clientdatajson%E2%91%A7",
@@ -4828,10 +4830,10 @@
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-origin%E2%91%A7",
     "https://w3c.github.io/webauthn/#ref-for-concept-origin%E2%91%A0%E2%91%A5",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A1%E2%91%A6%E2%91%A4",
-    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A8",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A0",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A1%E2%91%A6%E2%91%A5",
     "https://w3c.github.io/webauthn/#ref-for-same-origin-with-its-ancestors%E2%91%A4",
-    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%93%AA",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A1",
     "https://w3c.github.io/webauthn/#ref-for-concept-origin%E2%91%A0%E2%91%A6",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A1%E2%91%A6%E2%91%A6",
     "https://w3c.github.io/webauthn/#rp-op-verifying-assertion-step-rpid-hash",
@@ -6136,7 +6138,7 @@
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A2%E2%91%A3%E2%91%A0",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A2%E2%91%A3%E2%91%A1",
     "https://w3c.github.io/webauthn/#sctn-seccons-visibility",
-    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A3",
+    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A2",
     "https://w3c.github.io/webauthn/#ui-redressing",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A2%E2%91%A3%E2%91%A2",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A2%E2%91%A3%E2%91%A3",
@@ -6307,19 +6309,19 @@
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-origin%E2%91%A0%E2%91%A8",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A2%E2%91%A6%E2%91%A7",
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-origin%E2%91%A1%E2%93%AA",
-    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A0",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A2",
     "https://w3c.github.io/webauthn/#ref-for-client-data%E2%91%A0%E2%91%A4",
-    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A1",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A3",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A2%E2%91%A6%E2%91%A8",
     "https://w3c.github.io/webauthn/#ref-for-relying-party%E2%91%A2%E2%91%A7%E2%93%AA",
-    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A4",
-    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A2",
-    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-origin%E2%91%A1%E2%91%A0",
-    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A5",
-    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A3",
-    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A6",
+    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A3",
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A4",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-origin%E2%91%A1%E2%91%A0",
+    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A4",
     "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A5",
+    "https://w3c.github.io/webauthn/#ref-for-the-iframe-element%E2%91%A5",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A6",
+    "https://w3c.github.io/webauthn/#ref-for-dom-collectedclientdata-toporigin%E2%91%A0%E2%91%A7",
     "https://w3c.github.io/webauthn/#sctn-privacy-considerations",
     "https://w3c.github.io/webauthn/#ref-for-authenticator%E2%91%A2%E2%93%AA%E2%91%A4",
     "https://w3c.github.io/webauthn/#ref-for-client%E2%91%A0%E2%91%A0%E2%91%A6",
@@ -6886,6 +6888,7 @@
     "https://w3c.github.io/webauthn/#biblio-tpmv2-part3",
     "https://w3c.github.io/webauthn/#biblio-url",
     "https://w3c.github.io/webauthn/#biblio-wcag21",
+    "https://w3c.github.io/webauthn/#biblio-webauthn-2-20210408",
     "https://w3c.github.io/webauthn/#biblio-webdriver",
     "https://w3c.github.io/webauthn/#biblio-webidl",
     "https://w3c.github.io/webauthn/#informative",
Original file line number	Diff line number	Diff line change
`@@ -1339,7 +1339,7 @@`
`1339`	`1339`	`{`
`1340`	`1340`	`"html": "<p>The inputs to the algorithm are:</p>",`
`1341`	`1341`	`"ignored": [`
`1342`		- "A bytestring, clientDataJSON, that contains clientDataJSON — the serialized CollectedClientData that is to be verified. A string, type, that contains the expected type. A byte string, challenge, that contains the challenge byte string that was given in the PublicKeyCredentialRequestOptions or PublicKeyCredentialCreationOptions. A string, origin, that contains the expected origin that issued the request to the user agent. A boolean, crossOrigin, that is true if, and only if, the request should have been performed within a cross-origin iframe."
	`1342`	+ "A bytestring, clientDataJSON, that contains clientDataJSON — the serialized CollectedClientData that is to be verified. A string, type, that contains the expected type. A byte string, challenge, that contains the challenge byte string that was given in the PublicKeyCredentialRequestOptions or PublicKeyCredentialCreationOptions. A string, origin, that contains the expected origin that issued the request to the user agent. An optional string, topOrigin, that contains the expected topOrigin that issued the request to the user agent, if available. A boolean, requireTopOrigin, that is true if, and only if, the verification should fail if topOrigin is defined and the topOrigin attribute is not present in clientDataJSON. This means that the verification algorithm is backwards compatible with the JSON-compatible serialization algorithm in Web Authentication Level 2 [webauthn-2-20210408] if, and only if, requireTopOrigin is false."
`1343`	`1343`	`]`
`1344`	`1344`	`},`
`1345`	`1345`	`{`
`@@ -1370,16 +1370,28 @@`
`1370`	`1370`	`"html": "<p>Append 0x2c2263726f73734f726967696e223a (<code>,\"crossOrigin\":</code>) to <var>expected</var>.</p>"`
`1371`	`1371`	`},`
`1372`	`1372`	`{`
`1373`		`- "html": "If <var>crossOrigin</var> is true:",`
	`1373`	`+ "html": "If <var>topOrigin</var> is defined:",`
`1374`	`1374`	`"rationale": "append",`
`1375`	`1375`	`"steps": [`
`1376`	`1376`	`{`
`1377`	`1377`	`"html": "<p>Append 0x74727565 (<code>true</code>) to <var>expected</var>.</p>"`
	`1378`	`+ },`
	`1379`	`+ {`
	`1380`	`+ "html": "If <var>requireTopOrigin</var> is true\nor if 0x2c22746f704f726967696e223a (<code>,\"topOrigin\":</code>) is a prefix\nof the substring of <var>clientDataJSON</var> beginning at the offset equal to the length of <var>expected</var>:",`
	`1381`	`+ "rationale": "append",`
	`1382`	`+ "steps": [`
	`1383`	`+ {`
	`1384`	`+ "html": "<p>Append 0x2c22746f704f726967696e223a (<code>,\"topOrigin\":</code>) to <var>expected</var>.</p>"`
	`1385`	`+ },`
	`1386`	`+ {`
	`1387`	`+ "html": "<p>Append <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#ccdtostring\" id=\"ref-for-ccdtostring⑦\">CCDToString</a>(<var>topOrigin</var>) to <var>expected</var>.</p>"`
	`1388`	`+ }`
	`1389`	`+ ]`
`1378`	`1390`	`}`
`1379`	`1391`	`]`
`1380`	`1392`	`},`
`1381`	`1393`	`{`
`1382`		`- "html": "Otherwise, i.e. <var>crossOrigin</var> is false:",`
	`1394`	`+ "html": "Otherwise, i.e. <var>topOrigin</var> is not defined:",`
`1383`	`1395`	`"rationale": "append",`
`1384`	`1396`	`"steps": [`
`1385`	`1397`	`{`
`@@ -1785,14 +1797,14 @@`
`1785`	`1797`	"html": "<a class=\"self-link\" href=\"https://w3c.github.io/webauthn/#rp-op-registering-a-new-credential-step-origin\"></a> Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-origin\" id=\"ref-for-dom-collectedclientdata-origin⑦\">origin</a></code></code> is an <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①④\">origin</a> expected by the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②④⑨\">Relying Party</a>.\n See <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance."
`1786`	`1798`	`},`
`1787`	`1799`	`{`
`1788`		`- "html": "If <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin⑦\">topOrigin</a></code></code> is present:",`
	`1800`	`+ "html": "If <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin⑨\">topOrigin</a></code></code> is present:",`
`1789`	`1801`	`"rationale": "verify",`
`1790`	`1802`	`"steps": [`
`1791`	`1803`	`{`
`1792`	`1804`	`"html": "<p>Verify that the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑤⓪\">Relying Party</a> expects that this credential would have been created within an iframe that is\nnot <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors\" id=\"ref-for-same-origin-with-its-ancestors④\">same-origin with its ancestors</a>.</p>"`
`1793`	`1805`	`},`
`1794`	`1806`	`{`
`1795`		- "html": "<p>Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin⑧\">topOrigin</a></code></code> matches the <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①⑤\">origin</a> of a page\nthat the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑤①\">Relying Party</a> expects to be sub-framed within.\nSee <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance.</p>"
	`1807`	+ "html": "<p>Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin①⓪\">topOrigin</a></code></code> matches the <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①⑤\">origin</a> of a page\nthat the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑤①\">Relying Party</a> expects to be sub-framed within.\nSee <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance.</p>"
`1796`	`1808`	`}`
`1797`	`1809`	`]`
`1798`	`1810`	`},`
`@@ -1909,14 +1921,14 @@`
`1909`	`1921`	"html": "<a class=\"self-link\" href=\"https://w3c.github.io/webauthn/#rp-op-verifying-assertion-step-origin\"></a> Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-origin\" id=\"ref-for-dom-collectedclientdata-origin⑧\">origin</a></code></code> is an <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①⑥\">origin</a> expected by the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑦⑤\">Relying Party</a>.\n See <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance."
`1910`	`1922`	`},`
`1911`	`1923`	`{`
`1912`		`- "html": "If <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin⑨\">topOrigin</a></code></code> is present:",`
	`1924`	`+ "html": "If <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin①①\">topOrigin</a></code></code> is present:",`
`1913`	`1925`	`"rationale": "verify",`
`1914`	`1926`	`"steps": [`
`1915`	`1927`	`{`
`1916`	`1928`	`"html": "<p>Verify that the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑦⑥\">Relying Party</a> expects this credential to be used within an iframe that is not <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors\" id=\"ref-for-same-origin-with-its-ancestors⑤\">same-origin with its ancestors</a>.</p>"`
`1917`	`1929`	`},`
`1918`	`1930`	`{`
`1919`		- "html": "<p>Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin①⓪\">topOrigin</a></code></code> matches the <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①⑦\">origin</a> of a page\nthat the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑦⑦\">Relying Party</a> expects to be sub-framed within.\nSee <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance.</p>"
	`1931`	+ "html": "<p>Verify that the value of <code><var>C</var>.<code class=\"idl\"><a data-link-type=\"idl\" href=\"https://w3c.github.io/webauthn/#dom-collectedclientdata-toporigin\" id=\"ref-for-dom-collectedclientdata-toporigin①②\">topOrigin</a></code></code> matches the <a data-link-type=\"dfn\" href=\"https://html.spec.whatwg.org/multipage/origin.html#concept-origin\" id=\"ref-for-concept-origin①⑦\">origin</a> of a page\nthat the <a data-link-type=\"dfn\" href=\"https://w3c.github.io/webauthn/#relying-party\" id=\"ref-for-relying-party②⑦⑦\">Relying Party</a> expects to be sub-framed within.\nSee <a href=\"https://w3c.github.io/webauthn/#sctn-validating-origin\">§ 13.4.9 Validating the origin of a credential</a> for guidance.</p>"
`1920`	`1932`	`}`
`1921`	`1933`	`]`
`1922`	`1934`	`},`