Make topOrigin verification backwards compatible with L2

index.bs

@@ -3837,6 +3837,14 @@ to verify an encoded {{CollectedClientData}} if they cannot support a full JSON
     1. A string, |origin|, that contains the expected {{CollectedClientData/origin}} that issued the request to the user agent.
     1. A boolean, |crossOrigin|, that is true if, and only if, the request should have been performed within a cross-origin <{iframe}>.
     1. An optional string, |topOrigin|, that contains the expected {{CollectedClientData/topOrigin}} that issued the request to the user agent if |crossOrigin| is true and if available.
+    1. A boolean, |requireTopOrigin|, that is [TRUE] if, and only if, the validation should fail
+        if |topOrigin| is defined and the {{CollectedClientData/topOrigin}} attribute is not present in |clientDataJSON|.
+
+        This means that the verification algorithm is backwards compatible
+        with the [[webauthn-2-20210408#clientdatajson-serialization|JSON-compatible serialization algorithm]]
+        in Web Authentication Level 2 [[webauthn-2-20210408]]
+        if, and only if, |requireTopOrigin| is [FALSE].
+
 1. Let |expected| be an empty byte string.
 1. Append 0x7b2274797065223a (`{"type":`) to |expected|.
 1. Append [=CCDToString=](|type|) to |expected|.
@@ -3864,7 +3872,12 @@ to verify an encoded {{CollectedClientData}} if they cannot support a full JSON
         :: The verification is successful.
 
         : otherwise
-        :: The verification has failed.
+        ::
+            1. If |requireTopOrigin| is [FALSE],
+                the verification result is the result of retrying the [=CollectedClientData/limited verification algorithm=]
+                with the same arguments except with the |topOrigin| argument undefined.
+
+            2. The verification has failed.
     </dl>
 
 #### Future development #### {#clientdatajson-development}