Move [[origin]] into Credential's dfn list #296
Open
marcoscaceres wants to merge 1 commit into
Previously, [[origin]] was defined in a floating paragraph outside the formal interface definition and only existed on subtypes that declared themselves "origin bound". This moves it into the dfn list alongside [[type]] and [[discovery]], with a default value of null. The slot is now universally present on all Credential objects. Subtypes that are origin bound (PasswordCredential, FederatedCredential) set it to the caller's origin at creation time. Subtypes that are not origin bound (e.g., PublicKeyCredential) leave it as null. Closes #295
This was referenced May 7, 2026
Pull request overview
This PR updates the Credential Management spec text to formalize [[origin]] as a Credential internal slot in the dfn list (alongside [[type]] and [[discovery]]), and refines the definition of “origin bound” in terms of [[origin]] being non-null.
Changes:
- Adds `Credential/[[origin]]` to the `Credential` dfn list and defines “origin bound” via non-null `[[origin]]`.
- Updates `PasswordCredential` and `FederatedCredential` prose to describe `[[origin]]` being set at creation time.
- Minor formatting/indentation adjustments in an algorithm list.
Comment on lines +503 to +506
| :: The {{Credential}} [=interface object=] has an internal slot named `[[origin]]`, | ||
| which stores the [=origin=] for which the {{Credential}} may be [=effective=], or | ||
| null if the credential is not [=Credential/origin bound=]. Its value is null unless | ||
| otherwise specified by a subtype. |
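Review bot: The first line of this definition attaches `[[origin]]` to the {{Credential}} [=interface object=], while the subtype prose in the same change speaks of the slot on {{PasswordCredential}} and {{FederatedCredential}} objects; say explicitly that the slot lives on each {{Credential}} instance so the "null unless otherwise specified by a subtype" default is unambiguous. The definition also explains null in terms of [=Credential/origin bound=], so if that term is itself defined as a non-null `[[origin]]`, the two definitions refer to each other and one of them should stand alone.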
|
|
||
| {{PasswordCredential}} objects are [=Credential/origin bound=]. | ||
| {{PasswordCredential}} objects are [=Credential/origin bound=]: their {{Credential/[[origin]]}} | ||
| slot is set to the caller's [=origin=] at creation time. |
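Review bot: "the caller's [=origin=] at creation time" in the added sentence links [=origin=] but leaves "caller" and "creation time" undefined, so it does not say which algorithm step writes the slot or which environment's origin is used. Point the sentence at the step that creates the {{PasswordCredential}} and name the origin source there, since this slot decides where the credential may be [=effective=].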
|
|
||
| {{FederatedCredential}} objects are [=Credential/origin bound=]. | ||
| {{FederatedCredential}} objects are [=Credential/origin bound=]: their {{Credential/[[origin]]}} | ||
| slot is set to the caller's [=origin=] at creation time. |
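Review bot: The added {{FederatedCredential}} sentence repeats the {{PasswordCredential}} wording verbatim ("slot is set to the caller's [=origin=] at creation time"); consider stating the assignment once, for example in the `[[origin]]` definition or a shared creation step, and referencing it from both subtypes so the two cannot drift apart.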
Closes #295
Summary
- `[[origin]]` internal slot definition from a floating prose paragraph into the formal dfn list alongside `[[type]]` and `[[discovery]]`
- `[[origin]]` universally present on all `Credential` objects (default: null)
- `[[origin]]` slot is not null
- `PasswordCredential` and `FederatedCredential` set `[[origin]]` to the caller's origin at creation time
- `PublicKeyCredential`) leave it as null

Rationale
The previous pattern (conditionally present slot) was unusual and didn't match how `[[type]]` and `[[discovery]]` are specified. A universal slot with a null default:
- `credential.[[origin]]` without first checking if the credential type is "origin bound"
- `Credential` internal slots

Related: w3c-fedid/digital-credentials#508 (removing the "origin bound" declaration from `DigitalCredential`, which declared it but never used it)