From 8d32e89b9ce1da93004c3bb1b24ea346a6093bbc Mon Sep 17 00:00:00 2001 From: philomathic_life <15947783+zacknewman@users.noreply.github.com> Date: Mon, 22 Jul 2024 22:21:55 +0000 Subject: [PATCH 1/4] Update index.bs Add topOrigin to the limited verification algorithm. --- index.bs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/index.bs b/index.bs index d70ec37cf..bdc35f5e1 100644 --- a/index.bs +++ b/index.bs @@ -3832,6 +3832,7 @@ Verifiers may use the following algorithm to verify an encoded {{CollectedClient 1. A byte string, |challenge|, that contains the challenge byte string that was given in the {{PublicKeyCredentialRequestOptions}} or {{PublicKeyCredentialCreationOptions}}. 1. A string, |origin|, that contains the expected {{CollectedClientData/origin}} that issued the request to the user agent. 1. A boolean, |crossOrigin|, that is true if, and only if, the request should have been performed within a cross-origin <{iframe}>. + 1. A string, |topOrigin|, that contains the expected {{CollectedClientData/topOrigin}} that issued the request to the user agent if |crossOrigin| is true and if available. 1. Let |expected| be an empty byte string. 1. Append 0x7b2274797065223a (`{"type":`) to |expected|. 1. Append [=CCDToString=](|type|) to |expected|. @@ -3843,6 +3844,9 @@ Verifiers may use the following algorithm to verify an encoded {{CollectedClient 1. Append 0x2c2263726f73734f726967696e223a (`,"crossOrigin":`) to |expected|. 1. If |crossOrigin| is true: 1. Append 0x74727565 (`true`) to |expected|. + 1. If |topOrigin| is defined: + 1. Append 0x2c22746f704f726967696e223a (`,"topOrigin":`) to |expected|. + 1. Append [=CCDToString=](|topOrigin|) to |expected|. 1. Otherwise, i.e. |crossOrigin| is false: 1. Append 0x66616c7365 (`false`) to |expected|. 1. If |expected| is not a prefix of |clientDataJSON| then the verification has failed. From 9bb78e4f29bf19f5e224b94ba5641983c920f9ac Mon Sep 17 00:00:00 2001 
From: philomathic_life <15947783+zacknewman@users.noreply.github.com> Date: Wed, 7 Aug 2024 13:25:49 +0000 Subject: [PATCH 2/4] Specify topOrigin is optional in the definitions. Co-authored-by: Emil Lundberg --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index bdc35f5e1..915333b02 100644 --- a/index.bs +++ b/index.bs @@ -3832,7 +3832,7 @@ Verifiers may use the following algorithm to verify an encoded {{CollectedClient 1. A byte string, |challenge|, that contains the challenge byte string that was given in the {{PublicKeyCredentialRequestOptions}} or {{PublicKeyCredentialCreationOptions}}. 1. A string, |origin|, that contains the expected {{CollectedClientData/origin}} that issued the request to the user agent. 1. A boolean, |crossOrigin|, that is true if, and only if, the request should have been performed within a cross-origin <{iframe}>. - 1. A string, |topOrigin|, that contains the expected {{CollectedClientData/topOrigin}} that issued the request to the user agent if |crossOrigin| is true and if available. + 1. An optional string, |topOrigin|, that contains the expected {{CollectedClientData/topOrigin}} that issued the request to the user agent if |crossOrigin| is true and if available. 1. Let |expected| be an empty byte string. 1. Append 0x7b2274797065223a (`{"type":`) to |expected|. 1. Append [=CCDToString=](|type|) to |expected|. From 213cb2444e984ea10cbe61bee293a394636e7fb3 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 14 Aug 2024 18:28:40 +0200 Subject: [PATCH 3/4] Make topOrigin verification backwards compatible with L2 --- index.bs | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 915333b02..52044d0bc 100644 --- a/index.bs +++ b/index.bs 
@@ -3833,6 +3833,14 @@ Verifiers may use the following algorithm to verify an encoded {{CollectedClient 1. A string, |origin|, that contains the expected {{CollectedClientData/origin}} that issued the request to the user agent. 1. A boolean, |crossOrigin|, that is true if, and only if, the request should have been performed within a cross-origin <{iframe}>. 1. An optional string, |topOrigin|, that contains the expected {{CollectedClientData/topOrigin}} that issued the request to the user agent if |crossOrigin| is true and if available. + 1. A boolean, |requireTopOrigin|, that is true if, and only if, the verification should fail + if |topOrigin| is defined and the {{CollectedClientData/topOrigin}} attribute is not present in |clientDataJSON|. + + This means that the verification algorithm is backwards compatible + with the [[webauthn-2-20210408#clientdatajson-serialization|JSON-compatible serialization algorithm]] + in Web Authentication Level 2 [[webauthn-2-20210408]] + if, and only if, |requireTopOrigin| is [FALSE]. + 1. Let |expected| be an empty byte string. 1. Append 0x7b2274797065223a (`{"type":`) to |expected|. 1. Append [=CCDToString=](|type|) to |expected|. 
@@ -3845,8 +3853,11 @@ Verifiers may use the following algorithm to verify an encoded {{CollectedClient 1. If |crossOrigin| is true: 1. Append 0x74727565 (`true`) to |expected|. 1. If |topOrigin| is defined: - 1. Append 0x2c22746f704f726967696e223a (`,"topOrigin":`) to |expected|. - 1. Append [=CCDToString=](|topOrigin|) to |expected|. + 1. If |requireTopOrigin| is true + or if 0x2c22746f704f726967696e223a (`,"topOrigin":`) is a prefix + of the substring of |clientDataJSON| beginning at the offset equal to the length of |expected|: + 1. Append 0x2c22746f704f726967696e223a (`,"topOrigin":`) to |expected|. + 1. Append [=CCDToString=](|topOrigin|) to |expected|. 1. Otherwise, i.e. |crossOrigin| is false: 1. Append 0x66616c7365 (`false`) to |expected|. 1. If |expected| is not a prefix of |clientDataJSON| then the verification has failed. From 60fc0e8549bb3b14eee037a3f446d271dca04351 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 14 Aug 2024 18:34:24 +0200 Subject: [PATCH 4/4] Infer crossOrigin argument from topOrigin --- index.bs | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/index.bs b/index.bs index 52044d0bc..1b61fb278 100644 --- a/index.bs +++ b/index.bs 
@@ -3831,8 +3831,7 @@ Verifiers may use the following algorithm to verify an encoded {{CollectedClient 1. A string, |type|, that contains the expected {{CollectedClientData/type}}. 1. A byte string, |challenge|, that contains the challenge byte string that was given in the {{PublicKeyCredentialRequestOptions}} or {{PublicKeyCredentialCreationOptions}}. 1. A string, |origin|, that contains the expected {{CollectedClientData/origin}} that issued the request to the user agent. - 1. A boolean, |crossOrigin|, that is true if, and only if, the request should have been performed within a cross-origin <{iframe}>. - 1. An optional string, |topOrigin|, that contains the expected {{CollectedClientData/topOrigin}} that issued the request to the user agent if |crossOrigin| is true and if available. + 1. An optional string, |topOrigin|, that contains the expected {{CollectedClientData/topOrigin}} that issued the request to the user agent, if available. 1. A boolean, |requireTopOrigin|, that is true if, and only if, the verification should fail if |topOrigin| is defined and the {{CollectedClientData/topOrigin}} attribute is not present in |clientDataJSON|. 
@@ -3850,15 +3849,14 @@ Verifiers may use the following algorithm to verify an encoded {{CollectedClient 1. Append 0x2c226f726967696e223a (`,"origin":`) to |expected|. 1. Append [=CCDToString=](|origin|) to |expected|. 1. Append 0x2c2263726f73734f726967696e223a (`,"crossOrigin":`) to |expected|. -1. If |crossOrigin| is true: +1. If |topOrigin| is defined: 1. Append 0x74727565 (`true`) to |expected|. - 1. If |topOrigin| is defined: - 1. If |requireTopOrigin| is true - or if 0x2c22746f704f726967696e223a (`,"topOrigin":`) is a prefix - of the substring of |clientDataJSON| beginning at the offset equal to the length of |expected|: - 1. Append 0x2c22746f704f726967696e223a (`,"topOrigin":`) to |expected|. - 1. Append [=CCDToString=](|topOrigin|) to |expected|. -1. Otherwise, i.e. |crossOrigin| is false: + 1. If |requireTopOrigin| is true + or if 0x2c22746f704f726967696e223a (`,"topOrigin":`) is a prefix + of the substring of |clientDataJSON| beginning at the offset equal to the length of |expected|: + 1. Append 0x2c22746f704f726967696e223a (`,"topOrigin":`) to |expected|. + 1. Append [=CCDToString=](|topOrigin|) to |expected|. +1. Otherwise, i.e. |topOrigin| is not defined: 1. Append 0x66616c7365 (`false`) to |expected|. 1. If |expected| is not a prefix of |clientDataJSON| then the verification has failed. 1. If |clientDataJSON| is not at least one byte longer than |expected| then the verification has failed.
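Review bot: in PATCH 1/4, the hunk at @@ -3832 declares |topOrigin| as "A string" while the same sentence makes it conditional ("if |crossOrigin| is true and if available") and the hunk at @@ -3843 then branches on "If |topOrigin| is defined", so the input should be declared optional from the start (PATCH 2/4 does this). It would also help to say whether "if available" means available to the verifier, i.e. it knows the origin of the embedding page, rather than present in |clientDataJSON|, because those two conditions are checked in different places and a reader can take either meaning.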
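Review bot: in PATCH 1/4, the hunk at @@ -3843 appends `,"topOrigin":` and the expected value whenever |topOrigin| is defined, with no check that the member is actually present in |clientDataJSON|, so a verifier that knows the expected top origin rejects any serialization that omits the member: |expected| then contains bytes the client never wrote and the later step "If |expected| is not a prefix of |clientDataJSON| then the verification has failed" fires. Either state that this makes the limited algorithm incompatible with serializers that do not emit topOrigin, or make the append conditional on the member being present or on an explicit "require" flag, which is what PATCH 3/4 does with |requireTopOrigin|.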
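Review bot: in PATCH 3/4, the hunk at @@ -3833 writes the boolean as `[FALSE]` in the explanatory paragraph while every step in this list spells the values as plain "true" and "false" (for example "that is true if, and only if"); use one convention. The paragraph is also separated from its list item by blank lines and indented differently from the continuation line above it, so check the rendered output to confirm it still nests under item "A boolean, |requireTopOrigin|" rather than terminating the list and restarting the numbering at "Let |expected| be an empty byte string".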
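Review bot: in PATCH 3/4, the hunk at @@ -3845 tests whether `,"topOrigin":` "is a prefix of the substring of |clientDataJSON| beginning at the offset equal to the length of |expected|" without saying what the substring is when |clientDataJSON| is shorter than |expected|; state that it is then empty, so the prefix test is false and the failure is reported by the following "If |expected| is not a prefix of |clientDataJSON|" step, which keeps implementations from indexing past the end of the buffer. The constant 0x2c22746f704f726967696e223a now appears twice in adjacent steps; defining it once (as the other constants are used once each) avoids the two copies drifting apart in later edits.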
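Review bot: in PATCH 4/4, the hunk at @@ -3831 removes |crossOrigin| but keeps "if available" on |topOrigin|, and the hunk at @@ -3850 appends `true` only "If |topOrigin| is defined" and `false` "Otherwise", so there is no longer any way to verify a request that is expected to be cross-origin when the verifier does not know the top origin: such a verifier must either invent a |topOrigin| or leave it undefined and fail a legitimate cross-origin response at the `false` comparison. Either document that |topOrigin| is now required for cross-origin verification and drop "if available", or keep |crossOrigin| as an input and use |topOrigin| only to decide whether the member is matched. The commit message and the step text should also state the inference explicitly (crossOrigin is taken to be true if, and only if, |topOrigin| is defined), since after this hunk the word crossOrigin appears only inside the byte constant.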