Validate CollectedClientData.crossOrigin in RP ops

index.bs

@@ -5939,6 +5939,10 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
       See [[#sctn-validating-origin]] for guidance.
     </li>
 
+1. If <code>|C|.{{CollectedClientData/crossOrigin}}</code> is present and set to [TRUE],
+    verify that the [=[RP]=] expects that this credential would have been created within an iframe
+    that is not [=same-origin with its ancestors=].
+
 1. If <code>|C|.{{CollectedClientData/topOrigin}}</code> is present:
 
     1. Verify that the [=[RP]=] expects that this credential would have been created within an iframe that is
@@ -6162,6 +6166,10 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
       See [[#sctn-validating-origin]] for guidance.
     </li>
 
+1. If <code>|C|.{{CollectedClientData/crossOrigin}}</code> is present and set to [TRUE],
+    verify that the [=[RP]=] expects that this credential would have been created within an iframe
+    that is not [=same-origin with its ancestors=].
+
 1. If <code>|C|.{{CollectedClientData/topOrigin}}</code> is present:
 
     1. Verify that the [=[RP]=] expects this credential to be used within an iframe that is not [=same-origin with its ancestors=].