<!doctype html><html lang="en"> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <title>Origin-bound one-time codes delivered via SMS</title> <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport"> <link href="https://www.w3.org/StyleSheets/TR/2016/cg-draft" rel="stylesheet"> <meta content="Bikeshed version b94c7e755, updated Fri Feb 19 16:28:59 2021 -0800" name="generator"> <link href="https://wicg.github.io/sms-one-time-codes/" rel="canonical"> <meta content="2bb70db2550c4a4d76a4836f1b42d7abfca4ab82" name="document-revision"> <style>/* style-autolinks */ .css.css, .property.property, .descriptor.descriptor { color: var(--a-normal-text); font-size: inherit; font-family: inherit; } .css::before, .property::before, .descriptor::before { content: "‘"; } .css::after, .property::after, .descriptor::after { content: "’"; } .property, .descriptor { /* Don't wrap property and descriptor names */ white-space: nowrap; } .type { /* CSS value <type> */ font-style: italic; } pre .property::before, pre .property::after { content: ""; } [data-link-type="property"]::before, [data-link-type="propdesc"]::before, [data-link-type="descriptor"]::before, [data-link-type="value"]::before, [data-link-type="function"]::before, [data-link-type="at-rule"]::before, [data-link-type="selector"]::before, [data-link-type="maybe"]::before { content: "‘"; } [data-link-type="property"]::after, [data-link-type="propdesc"]::after, [data-link-type="descriptor"]::after, [data-link-type="value"]::after, [data-link-type="function"]::after, [data-link-type="at-rule"]::after, [data-link-type="selector"]::after, [data-link-type="maybe"]::after { content: "’"; } [data-link-type].production::before, [data-link-type].production::after, .prod [data-link-type]::before, .prod [data-link-type]::after { content: ""; } [data-link-type=element], [data-link-type=element-attr] { font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace; font-size: .9em; } 
[data-link-type=element]::before { content: "<" } [data-link-type=element]::after { content: ">" } [data-link-type=biblio] { white-space: pre; }</style> <style>/* style-colors */ /* Any --*-text not paired with a --*-bg is assumed to have a transparent bg */ :root { color-scheme: light dark; --text: black; --bg: white; --unofficial-watermark: url(https://www.w3.org/StyleSheets/TR/2016/logos/UD-watermark); --logo-bg: #1a5e9a; --logo-active-bg: #c00; --logo-text: white; --tocnav-normal-text: #707070; --tocnav-normal-bg: var(--bg); --tocnav-hover-text: var(--tocnav-normal-text); --tocnav-hover-bg: #f8f8f8; --tocnav-active-text: #c00; --tocnav-active-bg: var(--tocnav-normal-bg); --tocsidebar-text: var(--text); --tocsidebar-bg: #f7f8f9; --tocsidebar-shadow: rgba(0,0,0,.1); --tocsidebar-heading-text: hsla(203,20%,40%,.7); --toclink-text: var(--text); --toclink-underline: #3980b5; --toclink-visited-text: var(--toclink-text); --toclink-visited-underline: #054572; --heading-text: #005a9c; --hr-text: var(--text); --algo-border: #def; --del-text: red; --del-bg: transparent; --ins-text: #080; --ins-bg: transparent; --a-normal-text: #034575; --a-normal-underline: #707070; --a-visited-text: var(--a-normal-text); --a-visited-underline: #bbb; --a-hover-bg: rgba(75%, 75%, 75%, .25); --a-active-text: #c00; --a-active-underline: #c00; --blockquote-border: silver; --blockquote-bg: transparent; --blockquote-text: currentcolor; --issue-border: #e05252; --issue-bg: #fbe9e9; --issue-text: var(--text); --issueheading-text: #831616; --example-border: #e0cb52; --example-bg: #fcfaee; --example-text: var(--text); --exampleheading-text: #574b0f; --note-border: #52e052; --note-bg: #e9fbe9; --note-text: var(--text); --noteheading-text: hsl(120, 70%, 30%); --notesummary-underline: silver; --assertion-border: #aaa; --assertion-bg: #eee; --assertion-text: black; --advisement-border: orange; --advisement-bg: #fec; --advisement-text: var(--text); --advisementheading-text: #b35f00; --warning-border: 
red; --warning-bg: hsla(40,100%,50%,0.95); --warning-text: var(--text); --amendment-border: #330099; --amendment-bg: #F5F0FF; --amendment-text: var(--text); --amendmentheading-text: #220066; --def-border: #8ccbf2; --def-bg: #def; --def-text: var(--text); --defrow-border: #bbd7e9; --datacell-border: silver; --indexinfo-text: #707070; --indextable-hover-text: black; --indextable-hover-bg: #f7f8f9; --outdatedspec-bg: rgba(0, 0, 0, .5); --outdatedspec-text: black; --outdated-bg: maroon; --outdated-text: white; --outdated-shadow: red; --editedrec-bg: darkorange; }</style> <style>/* style-counters */ body { counter-reset: example figure issue; } .issue { counter-increment: issue; } .issue:not(.no-marker)::before { content: "Issue " counter(issue); } .example { counter-increment: example; } .example:not(.no-marker)::before { content: "Example " counter(example); } .invalid.example:not(.no-marker)::before, .illegal.example:not(.no-marker)::before { content: "Invalid Example" counter(example); } figcaption { counter-increment: figure; } figcaption:not(.no-marker)::before { content: "Figure " counter(figure) " "; }</style> <style>/* style-dfn-panel */ :root { --dfnpanel-bg: #ddd; --dfnpanel-text: var(--text); } .dfn-panel { position: absolute; z-index: 35; height: auto; width: -webkit-fit-content; width: fit-content; max-width: 300px; max-height: 500px; overflow: auto; padding: 0.5em 0.75em; font: small Helvetica Neue, sans-serif, Droid Sans Fallback; background: var(--dfnpanel-bg); color: var(--dfnpanel-text); border: outset 0.2em; } .dfn-panel:not(.on) { display: none; } .dfn-panel * { margin: 0; padding: 0; text-indent: 0; } .dfn-panel > b { display: block; } .dfn-panel a { color: var(--dfnpanel-text); } .dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; } .dfn-panel > b + b { margin-top: 0.25em; } .dfn-panel ul { padding: 0; } .dfn-panel li { list-style: inside; } .dfn-panel.activated { display: inline-block; position: fixed; 
left: .5em; bottom: 2em; margin: 0 auto; max-width: calc(100vw - 1.5em - .4em - .5em); max-height: 30vh; } .dfn-paneled { cursor: pointer; } </style> <style>/* style-md-lists */ /* This is a weird hack for me not yet following the commonmark spec regarding paragraph and lists. */ [data-md] > :first-child { margin-top: 0; } [data-md] > :last-child { margin-bottom: 0; }</style> <style>/* style-selflinks */ :root { --selflink-text: white; --selflink-bg: gray; --selflink-hover-text: black; } .heading, .issue, .note, .example, li, dt { position: relative; } a.self-link { position: absolute; top: 0; left: calc(-1 * (3.5rem - 26px)); width: calc(3.5rem - 26px); height: 2em; text-align: center; border: none; transition: opacity .2s; opacity: .5; } a.self-link:hover { opacity: 1; } .heading > a.self-link { font-size: 83%; } li > a.self-link { left: calc(-1 * (3.5rem - 26px) - 2em); } dfn > a.self-link { top: auto; left: auto; opacity: 0; width: 1.5em; height: 1.5em; background: var(--selflink-bg); color: var(--selflink-text); font-style: normal; transition: opacity .2s, background-color .2s, color .2s; } dfn:hover > a.self-link { opacity: 1; } dfn > a.self-link:hover { color: var(--selflink-hover-text); } a.self-link::before { content: "¶"; } .heading > a.self-link::before { content: "§"; } dfn > a.self-link::before { content: "#"; } </style> <style>/* style-darkmode */ @media (prefers-color-scheme: dark) { :root { --text: #ddd; --bg: black; --unofficial-watermark: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='400' height='400'%3E%3Cg fill='%23100808' transform='translate(200 200) rotate(-45) translate(-200 -200)' stroke='%23100808' stroke-width='3'%3E%3Ctext x='50%25' y='220' style='font: bold 70px sans-serif; text-anchor: middle; letter-spacing: 6px;'%3EUNOFFICIAL%3C/text%3E%3Ctext x='50%25' y='305' style='font: bold 70px sans-serif; text-anchor: middle; letter-spacing: 6px;'%3EDRAFT%3C/text%3E%3C/g%3E%3C/svg%3E"); --logo-bg: #1a5e9a; 
--logo-active-bg: #c00; --logo-text: white; --tocnav-normal-text: #999; --tocnav-normal-bg: var(--bg); --tocnav-hover-text: var(--tocnav-normal-text); --tocnav-hover-bg: #080808; --tocnav-active-text: #f44; --tocnav-active-bg: var(--tocnav-normal-bg); --tocsidebar-text: var(--text); --tocsidebar-bg: #080808; --tocsidebar-shadow: rgba(255,255,255,.1); --tocsidebar-heading-text: hsla(203,20%,40%,.7); --toclink-text: var(--text); --toclink-underline: #6af; --toclink-visited-text: var(--toclink-text); --toclink-visited-underline: #054572; --heading-text: #8af; --hr-text: var(--text); --algo-border: #456; --del-text: #f44; --del-bg: transparent; --ins-text: #4a4; --ins-bg: transparent; --a-normal-text: #6af; --a-normal-underline: #555; --a-visited-text: var(--a-normal-text); --a-visited-underline: var(--a-normal-underline); --a-hover-bg: rgba(25%, 25%, 25%, .2); --a-active-text: #f44; --a-active-underline: var(--a-active-text); --borderedblock-bg: rgba(255, 255, 255, .05); --blockquote-border: silver; --blockquote-bg: var(--borderedblock-bg); --blockquote-text: currentcolor; --issue-border: #e05252; --issue-bg: var(--borderedblock-bg); --issue-text: var(--text); --issueheading-text: hsl(0deg, 70%, 70%); --example-border: hsl(50deg, 90%, 60%); --example-bg: var(--borderedblock-bg); --example-text: var(--text); --exampleheading-text: hsl(50deg, 70%, 70%); --note-border: hsl(120deg, 100%, 35%); --note-bg: var(--borderedblock-bg); --note-text: var(--text); --noteheading-text: hsl(120, 70%, 70%); --notesummary-underline: silver; --assertion-border: #444; --assertion-bg: var(--borderedblock-bg); --assertion-text: var(--text); --advisement-border: orange; --advisement-bg: #222218; --advisement-text: var(--text); --advisementheading-text: #f84; --warning-border: red; --warning-bg: hsla(40,100%,20%,0.95); --warning-text: var(--text); --amendment-border: #330099; --amendment-bg: #080010; --amendment-text: var(--text); --amendmentheading-text: #cc00ff; --def-border: #8ccbf2; 
--def-bg: #080818; --def-text: var(--text); --defrow-border: #136; --datacell-border: silver; --indexinfo-text: #aaa; --indextable-hover-text: var(--text); --indextable-hover-bg: #181818; --outdatedspec-bg: rgba(255, 255, 255, .5); --outdatedspec-text: black; --outdated-bg: maroon; --outdated-text: white; --outdated-shadow: red; --editedrec-bg: darkorange; } /* In case a transparent-bg image doesn't expect to be on a dark bg, which is quite common in practice... */ img { background: white; } } @media (prefers-color-scheme: dark) { :root { --selflink-text: black; --selflink-bg: silver; --selflink-hover-text: white; } } @media (prefers-color-scheme: dark) { :root { --dfnpanel-bg: #222; --dfnpanel-text: var(--text); } }</style> <body class="h-entry"> <div class="head"> <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p> <h1 class="p-name no-ref" id="title">Origin-bound one-time codes delivered via SMS</h1> <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Draft Community Group Report, <time class="dt-updated" datetime="2021-03-24">24 March 2021</time></span></h2> <div data-fill-with="spec-metadata"> <dl> <dt>This version: <dd><a class="u-url" href="https://wicg.github.io/sms-one-time-codes/">https://wicg.github.io/sms-one-time-codes/</a> <dt>Issue Tracking: <dd><a href="https://github.com/wicg/sms-one-time-codes/issues/">GitHub</a> <dt class="editor">Editors: <dd class="editor p-author h-card vcard" data-editor-id="40614"><a class="p-name fn u-email email" href="mailto:hober@apple.com">Theresa O’Connor</a> (<a class="p-org org" href="https://apple.com">Apple</a>) <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:goto@google.com">Sam Goto</a> (<a class="p-org org" href="https://google.com">Google</a>) </dl> </div> <div data-fill-with="warning"></div> <p class="copyright" 
data-fill-with="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2021 the Contributors to the Origin-bound one-time codes delivered via SMS Specification, published by the <a href="https://www.w3.org/community/wicg/">Web Platform Incubator Community Group</a> under the <a href="https://www.w3.org/community/about/agreements/cla/">W3C Community Contributor License Agreement (CLA)</a>. A human-readable <a href="http://www.w3.org/community/about/agreements/cla-deed/">summary</a> is available. </p> <hr title="Separator for header"> </div> <div class="p-summary" data-fill-with="abstract"> <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2> <p>This specification defines a way to format SMS messages for use with browser autofill features such as HTML’s autocomplete=one-time-code.</p> </div> <div data-fill-with="at-risk"></div> <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2> <div data-fill-with="status"> <p> This specification was published by the <a href="https://www.w3.org/community/wicg/">Web Platform Incubator Community Group</a>. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the <a href="https://www.w3.org/community/about/agreements/cla/">W3C Community Contributor License Agreement (CLA)</a> there is a limited opt-out and other conditions apply. Learn more about <a href="http://www.w3.org/community/">W3C Community and Business Groups</a>. 
</p> <p></p> </div> <div data-fill-with="at-risk"></div> <nav data-fill-with="table-of-contents" id="toc"> <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2> <ol class="toc" role="directory"> <li><a href="#intro"><span class="secno"></span> <span class="content">Introduction</span></a> <li><a href="#infra"><span class="secno">1</span> <span class="content">Infrastructure</span></a> <li> <a href="#origin-bound-one-time-codes"><span class="secno">2</span> <span class="content">Origin-bound one-time codes</span></a> <ol class="toc"> <li><a href="#usage"><span class="secno">2.1</span> <span class="content">Usage</span></a> </ol> <li> <a href="#format"><span class="secno">3</span> <span class="content">Message format</span></a> <ol class="toc"> <li><a href="#authoring"><span class="secno">3.1</span> <span class="content">Authoring</span></a> <li><a href="#parsing"><span class="secno">3.2</span> <span class="content">Parsing</span></a> </ol> <li><a href="#security-considerations"><span class="secno">4</span> <span class="content">Security considerations</span></a> <li><a href="#privacy-considerations"><span class="secno">5</span> <span class="content">Privacy considerations</span></a> <li><a href="#acknowedgements"><span class="secno"></span> <span class="content">Acknowledgements</span></a> <li> <a href="#w3c-conformance"><span class="secno"></span> <span class="content">Conformance</span></a> <ol class="toc"> <li><a href="#w3c-conventions"><span class="secno"></span> <span class="content">Document conventions</span></a> <li><a href="#w3c-conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a> </ol> <li> <a href="#index"><span class="secno"></span> <span class="content">Index</span></a> <ol class="toc"> <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a> <li><a href="#index-defined-elsewhere"><span class="secno"></span> 
<span class="content">Terms defined by reference</span></a> </ol> <li> <a href="#references"><span class="secno"></span> <span class="content">References</span></a> <ol class="toc"> <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a> <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a> </ol> </ol> </nav> <main> <div class="non-normative"> <h2 class="no-num heading settled" id="intro"><span class="content">Introduction</span></h2> <p><em>This section is non-normative.</em></p> <p>Many websites deliver one-time codes over SMS. <a data-link-type="biblio" href="#biblio-gsm-sms">[GSM-SMS]</a></p> <p>Without a standard format for such messages, programmatic extraction of codes from them has to rely on heuristics, which are often unreliable and error-prone. Additionally, without a mechanism for associating such codes with specific websites, users might be tricked into providing the code to malicious sites (for example, a phishing site that relays the code to the legitimate site while the code is still valid).</p> <p>This specification defines a format for the delivery of one-time codes over SMS. This format associates the one-time code with a specific website, so that a User Agent can decline to offer the code to any other site.</p> </div> <h2 class="heading settled" data-level="1" id="infra"><span class="secno">1. </span><span class="content">Infrastructure</span><a class="self-link" href="#infra"></a></h2> <p>This specification depends on the Infra Standard. <a data-link-type="biblio" href="#biblio-infra">[INFRA]</a></p> <h2 class="heading settled" data-level="2" id="origin-bound-one-time-codes"><span class="secno">2. 
</span><span class="content">Origin-bound one-time codes</span><a class="self-link" href="#origin-bound-one-time-codes"></a></h2> <p>An <dfn class="dfn-paneled" data-dfn-type="dfn" data-export id="origin-bound-one-time-code">origin-bound one-time code</dfn> is a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#tuple" id="ref-for-tuple">tuple</a> consisting of a top-level origin (an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin">origin</a>), an embedded origin (an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①">origin</a> or <code>null</code>), and a code (a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#string" id="ref-for-string">string</a>).</p> <div class="example" id="example-2ef57750"> <a class="self-link" href="#example-2ef57750"></a> <p>((<code>"https"</code>, <code>"example.com"</code>, <code>null</code>, <code>null</code>), <code>null</code>, <code>"747723"</code>) is an <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code">origin-bound one-time code</a> whose top-level origin is (<code>"https"</code>, <code>"example.com"</code>, <code>null</code>, <code>null</code>), whose embedded origin is <code>null</code>, and whose code is <code>"747723"</code>.</p> </div> <div class="example" id="example-491d346f"> <a class="self-link" href="#example-491d346f"></a> <p>((<code>"https"</code>, <code>"example.com"</code>, <code>null</code>, <code>null</code>), (<code>"https"</code>, <code>"ecommerce.example"</code>, <code>null</code>, <code>null</code>), <code>"747723"</code>) is an <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code①">origin-bound one-time code</a> whose top-level origin is (<code>"https"</code>, <code>"example.com"</code>, <code>null</code>, <code>null</code>), whose embedded origin is 
(<code>"https"</code>, <code>"ecommerce.example"</code>, <code>null</code>, <code>null</code>), and whose code is <code>"747723"</code>.</p> </div> <h3 class="heading settled" data-level="2.1" id="usage"><span class="secno">2.1. </span><span class="content">Usage</span><a class="self-link" href="#usage"></a></h3> <p>Many User Agents help users fill out forms on websites. Sites can use features like <a href="https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#attr-fe-autocomplete-one-time-code"><code>autocomplete=one-time-code</code></a> to hint to User Agents that they could assist the user with providing a one-time code to the website. <a data-link-type="biblio" href="#biblio-html">[HTML]</a></p> <p class="note" role="note"><span>Note:</span> This specification does not impose any requirements or restrictions on the use of one-time codes which are not <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code②">origin-bound one-time codes</a>.</p> <p>User Agents determine whether or not to assist the user to provide an origin-bound one-time code to a website with <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code③">origin-bound one-time code</a> <var>otc</var> and <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document">Document</a></code> <var>doc</var> by running these steps:</p> <ol> <li data-md> <p>If <var>doc</var> is not the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#active-document" id="ref-for-active-document">active document</a> of a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context">browsing context</a>, return failure.</p> <li data-md> <p>Let <var>context</var> be <var>doc</var>’s <a data-link-type="dfn" 
href="https://html.spec.whatwg.org/multipage/browsers.html#concept-document-bc" id="ref-for-concept-document-bc">browsing context</a>.</p> <li data-md> <p>If <var>context</var> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context" id="ref-for-top-level-browsing-context">top-level browsing context</a>, run these steps:</p> <ol> <li data-md> <p>If <var>otc</var>’s embedded origin is not <code>null</code>, return failure.</p> <li data-md> <p>If <var>otc</var>’s top-level origin is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#same-origin" id="ref-for-same-origin">same origin</a> with <var>doc</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document-origin" id="ref-for-concept-document-origin">origin</a>, return <code>"origin"</code>.</p> <li data-md> <p>If <var>otc</var>’s top-level origin is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#same-site" id="ref-for-same-site">same site</a> with <var>doc</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document-origin" id="ref-for-concept-document-origin①">origin</a>, return <code>"site"</code>.</p> <li data-md> <p>Return failure.</p> </ol> <li data-md> <p>If <var>otc</var>’s embedded origin is <code>null</code>, return failure.</p> <li data-md> <p>Let <var>match type</var> be <code>"origin"</code>.</p> <li data-md> <p>If <var>otc</var>’s embedded origin is not <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#same-origin" id="ref-for-same-origin①">same origin</a> with <var>doc</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document-origin" id="ref-for-concept-document-origin②">origin</a>, set <var>match type</var> to <code>"site"</code>.</p> <li data-md> <p>If <var>otc</var>’s embedded origin is not <a data-link-type="dfn" 
href="https://html.spec.whatwg.org/multipage/origin.html#same-site" id="ref-for-same-site①">same site</a> with <var>doc</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document-origin" id="ref-for-concept-document-origin③">origin</a>, return failure.</p> <li data-md> <p>Set <var>context</var> to its <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#parent-browsing-context" id="ref-for-parent-browsing-context">parent browsing context</a>.</p> <li data-md> <p>While <var>context</var> is not a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context" id="ref-for-top-level-browsing-context①">top-level browsing context</a>, run these steps:</p> <ol> <li data-md> <p>If <var>context</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#active-document" id="ref-for-active-document①">active document</a>'s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document-origin" id="ref-for-concept-document-origin④">origin</a> is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#same-origin" id="ref-for-same-origin②">same origin</a> with neither <var>otc</var>’s embedded origin nor <var>otc</var>’s top-level origin, set <var>match type</var> to <code>"site"</code>.</p> <li data-md> <p>If <var>context</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#active-document" id="ref-for-active-document②">active document</a>'s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document-origin" id="ref-for-concept-document-origin⑤">origin</a> is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#same-site" id="ref-for-same-site②">same site</a> with neither <var>otc</var>’s embedded origin nor <var>otc</var>’s top-level origin, return failure.</p> <li data-md> <p>Set <var>context</var> to its <a 
data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#parent-browsing-context" id="ref-for-parent-browsing-context①">parent browsing context</a>.</p> </ol> <li data-md> <p>If <var>context</var> is not a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context" id="ref-for-top-level-browsing-context②">top-level browsing context</a>, return failure.</p> <li data-md> <p>If <var>context</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#active-document" id="ref-for-active-document③">active document</a>'s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document-origin" id="ref-for-concept-document-origin⑥">origin</a> is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#same-origin" id="ref-for-same-origin③">same origin</a> with <var>otc</var>’s top-level origin, return <var>match type</var>.</p> <li data-md> <p>If <var>context</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#active-document" id="ref-for-active-document④">active document</a>'s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document-origin" id="ref-for-concept-document-origin⑦">origin</a> is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#same-site" id="ref-for-same-site③">same site</a> with <var>otc</var>’s top-level origin, return <code>"site"</code>.</p> <li data-md> <p>Return failure.</p> </ol> <p>If the above steps returned <code>"origin"</code> or <code>"site"</code>, the User Agent may assist the user with providing the <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code④">origin-bound one-time code</a>'s code to the website.</p> <p>If the above steps returned <code>"site"</code>, the User Agent should indicate the <a data-link-type="dfn" href="#origin-bound-one-time-code" 
id="ref-for-origin-bound-one-time-code⑤">origin-bound one-time code</a>'s top-level and embedded origins to the user when assisting them.</p> <p>If the above steps returned failure, the User Agent should not assist the user with providing the <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code⑥">origin-bound one-time code</a>'s code to the website.</p> <p class="note" role="note"><span>Note:</span> because the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme">schemes</a> of an <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code⑦">origin-bound one-time code</a>'s top-level and embedded origins are always <code>"https"</code>, assisting the user with providing <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code⑧">origin-bound one-time codes</a> is only available in <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#secure-context" id="ref-for-secure-context">secure contexts</a>.</p> <h2 class="heading settled" data-level="3" id="format"><span class="secno">3. 
</span><span class="content">Message format</span><a class="self-link" href="#format"></a></h2> <p>An <dfn class="dfn-paneled" data-dfn-type="dfn" data-export id="origin-bound-one-time-code-message">origin-bound one-time code message</dfn> is a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#string" id="ref-for-string①">string</a> for which <a data-link-type="dfn" href="#parse-an-origin-bound-one-time-code-message" id="ref-for-parse-an-origin-bound-one-time-code-message">parsing an origin-bound one-time code message</a> successfully returns an <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code⑨">origin-bound one-time code</a>.</p> <div class="non-normative"> <h3 class="heading settled" data-level="3.1" id="authoring"><span class="secno">3.1. </span><span class="content">Authoring</span><a class="self-link" href="#authoring"></a></h3> <p><em>This section is non-normative. <a href="#parsing">§ 3.2 Parsing</a> is the normative text.</em></p> <p><a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message">Origin-bound one-time code messages</a> can optionally begin with human-readable <dfn class="dfn-paneled" data-dfn-for="origin-bound one-time code message" data-dfn-type="dfn" data-noexport id="origin-bound-one-time-code-message-explanatory-text">explanatory text</dfn>. This consists of all but the last line of the message. 
The last line of the message contains both a <dfn class="dfn-paneled" data-dfn-for="origin-bound one-time code message" data-dfn-type="dfn" data-noexport id="origin-bound-one-time-code-message-top-level-host">top-level host</dfn> and a <dfn class="dfn-paneled" data-dfn-for="origin-bound one-time code message" data-dfn-type="dfn" data-noexport id="origin-bound-one-time-code-message-code">code</dfn>, each prefixed with a sigil: U+0040 (@) before the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-top-level-host" id="ref-for-origin-bound-one-time-code-message-top-level-host">top-level host</a>, and U+0023 (#) before the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-code" id="ref-for-origin-bound-one-time-code-message-code">code</a>. Following the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-code" id="ref-for-origin-bound-one-time-code-message-code①">code</a>, an <dfn class="dfn-paneled" data-dfn-for="origin-bound one-time code message" data-dfn-type="dfn" data-noexport id="origin-bound-one-time-code-message-embedded-host">embedded host</dfn> can be specified. 
It is preceded with a U+0040 (@) sigil.</p> <div class="example" id="example-bc23e26e"> <a class="self-link" href="#example-bc23e26e"></a> <p>In the following <a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message①">origin-bound one-time code message</a>, the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-top-level-host" id="ref-for-origin-bound-one-time-code-message-top-level-host①">top-level host</a> is <code>"example.com"</code>, the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-code" id="ref-for-origin-bound-one-time-code-message-code②">code</a> is <code>"747723"</code>, no <a data-link-type="dfn" href="#origin-bound-one-time-code-message-embedded-host" id="ref-for-origin-bound-one-time-code-message-embedded-host">embedded host</a> is specified, and the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-explanatory-text" id="ref-for-origin-bound-one-time-code-message-explanatory-text">explanatory text</a> is <code>"747723 is your ExampleCo authentication code.\n\n"</code>.</p> <pre>"747723 is your ExampleCo authentication code.

@example.com #747723" </pre> </div> <div class="example" id="example-f232dec7"> <a class="self-link" href="#example-f232dec7"></a> <p>In the following <a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message②">origin-bound one-time code message</a>, the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-top-level-host" id="ref-for-origin-bound-one-time-code-message-top-level-host②">top-level host</a> is <code>"example.com"</code>, the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-code" id="ref-for-origin-bound-one-time-code-message-code③">code</a> is <code>"747723"</code>, the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-embedded-host" id="ref-for-origin-bound-one-time-code-message-embedded-host①">embedded host</a> is <code>"ecommerce.example"</code>, and the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-explanatory-text" id="ref-for-origin-bound-one-time-code-message-explanatory-text①">explanatory text</a> is <code>"747723 is your ExampleCo authentication code.\n\n"</code>.</p> <pre>"747723 is your ExampleCo authentication code. @example.com #747723 @ecommerce.example" </pre> </div> <p>The order of fields in the last line is always <a data-link-type="dfn" href="#origin-bound-one-time-code-message-top-level-host" id="ref-for-origin-bound-one-time-code-message-top-level-host③">top-level host</a>, <a data-link-type="dfn" href="#origin-bound-one-time-code-message-code" id="ref-for-origin-bound-one-time-code-message-code④">code</a>, and <a data-link-type="dfn" href="#origin-bound-one-time-code-message-embedded-host" id="ref-for-origin-bound-one-time-code-message-embedded-host②">embedded host</a> (if present). 
Nothing can come before the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-top-level-host" id="ref-for-origin-bound-one-time-code-message-top-level-host④">top-level host</a> in the last line.</p> <div class="example" id="example-7595c275"> <a class="self-link" href="#example-7595c275"></a> <p>The message <code>"something @example.com #747723"</code> is not an <a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message③">origin-bound one-time code message</a>, because it doesn’t start with the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-top-level-host" id="ref-for-origin-bound-one-time-code-message-top-level-host⑤">top-level host</a>.</p> </div> <div class="example" id="example-fffa3e96"> <a class="self-link" href="#example-fffa3e96"></a> <p>The message <code>"#747723 @ecommerce.example @example.com"</code> is not an <a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message④">origin-bound one-time code message</a>, because the fields are in the wrong order.</p> </div> <p>Exactly one U+0020 (SPACE) separates the values in the last line of the message.</p> <div class="example" id="example-c620376b"> <a class="self-link" href="#example-c620376b"></a> <p>The message <code>"@example.com code #747723"</code> is not an <a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message⑤">origin-bound one-time code message</a>, because several characters appear between the two values on the last line of the message.</p> </div> <p>Trailing text in the last line is ignored. This is because we might identify additional information to include in <a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message⑥">origin-bound one-time code messages</a> in the future. 
If we do, new syntax could be introduced after the existing syntax in the last line.</p> <div class="example" id="example-fa704635"> <a class="self-link" href="#example-fa704635"></a> <p>In the <a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message⑦">origin-bound one-time code message</a> <code>"@example.com #747723 @ecommerce.example $future"</code>, the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-top-level-host" id="ref-for-origin-bound-one-time-code-message-top-level-host⑥">top-level host</a> is <code>"example.com"</code>, the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-code" id="ref-for-origin-bound-one-time-code-message-code⑤">code</a> is <code>"747723"</code>, the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-embedded-host" id="ref-for-origin-bound-one-time-code-message-embedded-host③">embedded host</a> is <code>"ecommerce.example"</code>, and the <a data-link-type="dfn" href="#origin-bound-one-time-code-message-explanatory-text" id="ref-for-origin-bound-one-time-code-message-explanatory-text②">explanatory text</a> is <code>""</code>. The trailing text <code>" $future"</code> is ignored.</p> </div> </div> <h3 class="heading settled" data-level="3.2" id="parsing"><span class="secno">3.2. 
</span><span class="content">Parsing</span><a class="self-link" href="#parsing"></a></h3> <p>To <dfn class="dfn-paneled" data-dfn-type="dfn" data-export id="parse-an-origin-bound-one-time-code-message" type="abstract-op">parse an origin-bound one-time code message</dfn> from <var>message</var>, run these steps:</p> <ol> <li data-md> <p>Let <var>line</var> be the <a data-link-type="dfn" href="#last-line" id="ref-for-last-line">last line</a> of <var>message</var>, and <var>position</var> be 0.</p> <li data-md> <p>If <var>position</var> points past the end of <var>line</var>, return failure.</p> <li data-md> <p>Let <var>top-level host</var> be the result of <a data-link-type="dfn" href="#extract-a-marked-token" id="ref-for-extract-a-marked-token">extracting a marked token</a> from <var>line</var> at <var>position</var> with marker U+0040 (@).</p> <li data-md> <p>If <var>top-level host</var> is failure, return failure.</p> <li data-md> <p>Let <var>top-level origin</var> be the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin②">origin</a> (<code>"https"</code>, <var>top-level host</var>, <code>null</code>, <code>null</code>).</p> <li data-md> <p>If <var>position</var> points past the end of <var>line</var>, return failure.</p> <li data-md> <p>If the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#code-point" id="ref-for-code-point">code point</a> at <var>position</var> within <var>line</var> is not U+0020 (SPACE), return failure.</p> <li data-md> <p>Advance <var>position</var> by 1.</p> <li data-md> <p>If <var>position</var> points past the end of <var>line</var>, return failure.</p> <li data-md> <p>Let <var>code</var> be the result of <a data-link-type="dfn" href="#extract-a-marked-token" id="ref-for-extract-a-marked-token①">extracting a marked token</a> from <var>line</var> at <var>position</var> with marker U+0023 (#).</p> <li data-md> <p>If <var>code</var> is failure, return 
failure.</p> <li data-md> <p>Let <var>embedded origin</var> be null.</p> <li data-md> <p>If <var>position</var> does not point past the end of <var>line</var>, and if the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#code-point" id="ref-for-code-point①">code point</a> at <var>position</var> within <var>line</var> is U+0020 (SPACE), run the following steps:</p> <ol> <li data-md> <p>Advance <var>position</var> by 1.</p> <li data-md> <p>Let <var>embedded host</var> be the result of <a data-link-type="dfn" href="#extract-a-marked-token" id="ref-for-extract-a-marked-token②">extracting a marked token</a> from <var>line</var> at <var>position</var> with marker U+0040 (@).</p> <li data-md> <p>If <var>embedded host</var> is failure, set <var>embedded origin</var> to null. Otherwise, set <var>embedded origin</var> to the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin③">origin</a> (<code>"https"</code>, <var>embedded host</var>, <code>null</code>, <code>null</code>).</p> </ol> <li data-md> <p>Return the <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code①⓪">origin-bound one-time code</a> (<var>top-level origin</var>, <var>embedded origin</var>, <var>code</var>).</p> </ol> <p>To <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="extract-a-marked-token" type="abstract-op">extract a marked token</dfn> from <var>string</var> at <var>position</var> with <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#code-point" id="ref-for-code-point②">code point</a> <var>marker</var>, run the following steps:</p> <ol> <li data-md> <p>If <var>position</var> points past the end of <var>string</var>, return failure.</p> <li data-md> <p>If the <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#code-point" id="ref-for-code-point③">code point</a> at <var>position</var> within <var>string</var> is not <var>marker</var>, return 
failure.</p> <li data-md> <p>Advance <var>position</var> by 1.</p> <li data-md> <p>If <var>position</var> points past the end of <var>string</var>, return failure.</p> <li data-md> <p>Let <var>token</var> be the result of <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points" id="ref-for-collect-a-sequence-of-code-points">collecting a sequence of code points</a> which are not <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-whitespace" id="ref-for-ascii-whitespace">ASCII whitespace</a> from <var>string</var> with <var>position</var>.</p> <li data-md> <p>If <var>token</var> is the empty string, return failure.</p> <li data-md> <p>Return <var>token</var>.</p> </ol> <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="last-line" type="abstract-op">last line</dfn> of <var>string</var> is the result of running these steps:</p> <ol> <li data-md> <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#normalize-newlines" id="ref-for-normalize-newlines">Normalize newlines</a> in <var>string</var>.</p> <li data-md> <p>Let <var>lines</var> be the result of <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#strictly-split" id="ref-for-strictly-split">strictly splitting</a> <var>string</var> on U+000A (LF).</p> <li data-md> <p>Return the last item of <var>lines</var>.</p> </ol> <h2 class="heading settled" data-level="4" id="security-considerations"><span class="secno">4. 
</span><span class="content">Security considerations</span><a class="self-link" href="#security-considerations"></a></h2> <p>This specification attempts to mitigate the phishing risk associated with the delivery of one-time codes over SMS by enabling User Agents to know what website the one-time code is intended for.</p> <p>This specification does not attempt to mitigate other risks associated with the delivery of one-time codes over SMS, such as SMS spoofing, SIM swapping, SIM cloning, IMSI-catchers, or interception of the message by an untrusted party.</p> <p>Sites would do well to consider using non-SMS technologies such as <a data-link-type="biblio" href="#biblio-webauthn">[WEBAUTHN]</a> for authentication or verification.</p> <h2 class="heading settled" data-level="5" id="privacy-considerations"><span class="secno">5. </span><span class="content">Privacy considerations</span><a class="self-link" href="#privacy-considerations"></a></h2> <p>Any party which has access to a user’s SMS messages (such as the user’s cellular carrier, mobile operating system, or anyone who intercepted the message) can learn that the user has an account on the service identified in an <a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message⑧">origin-bound one-time code message</a> delivered over SMS.</p> <p>On some platforms, User Agents might need access to all incoming SMS messages—even messages which are not <a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message⑨">origin-bound one-time code messages</a>—in order to support the autofilling of <a data-link-type="dfn" href="#origin-bound-one-time-code" id="ref-for-origin-bound-one-time-code①①">origin-bound one-time codes</a> delivered over SMS in <a data-link-type="dfn" href="#origin-bound-one-time-code-message" id="ref-for-origin-bound-one-time-code-message①⓪">origin-bound one-time code messages</a>.</p> <h2 
class="no-num heading settled" id="acknowedgements"><span class="content">Acknowledgements</span><a class="self-link" href="#acknowedgements"></a></h2> <p>Many thanks to Aaron Parecki, Elaine Knight, Eric Shepherd, Eryn Wells, Jay Mulani, Ricky Mondello, and Steven Soneff for their valuable feedback on this proposal.</p> </main> <div data-fill-with="conformance"> <h2 class="no-ref no-num heading settled" id="w3c-conformance"><span class="content">Conformance</span><a class="self-link" href="#w3c-conformance"></a></h2> <h3 class="no-ref no-num heading settled" id="w3c-conventions"><span class="content">Document conventions</span><a class="self-link" href="#w3c-conventions"></a></h3> <p>Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology. The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification. </p> <p>All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a> </p> <p>Examples in this specification are introduced with the words “for example” or are set apart from the normative text with <code>class="example"</code>, like this: </p> <div class="example" id="w3c-example"> <a class="self-link" href="#w3c-example"></a> <p>This is an example of an informative example. </p> </div> <p>Informative notes begin with the word “Note” and are set apart from the normative text with <code>class="note"</code>, like this: </p> <p class="note" role="note">Note, this is an informative note. 
</p> <h3 class="no-ref no-num heading settled" id="w3c-conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#w3c-conformant-algorithms"></a></h3> <p>Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("must", "should", "may", etc) used in introducing the algorithm. </p> <p>Conformance requirements phrased as algorithms or specific steps can be implemented in any manner, so long as the end result is equivalent. In particular, the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant. Implementers are encouraged to optimize. </p> </div> <script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script> <h2 class="no-num no-ref heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2> <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3> <ul class="index"> <li><a href="#origin-bound-one-time-code-message-code">code</a><span>, in §3.1</span> <li><a href="#origin-bound-one-time-code-message-embedded-host">embedded host</a><span>, in §3.1</span> <li><a href="#origin-bound-one-time-code-message-explanatory-text">explanatory text</a><span>, in §3.1</span> <li><a href="#extract-a-marked-token">extract a marked token</a><span>, in §3.2</span> <li><a href="#last-line">last line</a><span>, in §3.2</span> <li><a href="#origin-bound-one-time-code">origin-bound one-time code</a><span>, in §2</span> <li><a href="#origin-bound-one-time-code-message">origin-bound one-time code message</a><span>, in §3</span> <li><a href="#parse-an-origin-bound-one-time-code-message">parse an origin-bound one-time code message</a><span>, in §3.2</span> <li><a 
href="#origin-bound-one-time-code-message-top-level-host">top-level host</a><span>, in §3.1</span> </ul> <aside class="dfn-panel" data-for="term-for-document"> <a href="https://dom.spec.whatwg.org/#document">https://dom.spec.whatwg.org/#document</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-document">2.1. Usage</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-concept-document-origin"> <a href="https://dom.spec.whatwg.org/#concept-document-origin">https://dom.spec.whatwg.org/#concept-document-origin</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-concept-document-origin">2.1. Usage</a> <a href="#ref-for-concept-document-origin①">(2)</a> <a href="#ref-for-concept-document-origin②">(3)</a> <a href="#ref-for-concept-document-origin③">(4)</a> <a href="#ref-for-concept-document-origin④">(5)</a> <a href="#ref-for-concept-document-origin⑤">(6)</a> <a href="#ref-for-concept-document-origin⑥">(7)</a> <a href="#ref-for-concept-document-origin⑦">(8)</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-active-document"> <a href="https://html.spec.whatwg.org/multipage/browsers.html#active-document">https://html.spec.whatwg.org/multipage/browsers.html#active-document</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-active-document">2.1. Usage</a> <a href="#ref-for-active-document①">(2)</a> <a href="#ref-for-active-document②">(3)</a> <a href="#ref-for-active-document③">(4)</a> <a href="#ref-for-active-document④">(5)</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-concept-document-bc"> <a href="https://html.spec.whatwg.org/multipage/browsers.html#concept-document-bc">https://html.spec.whatwg.org/multipage/browsers.html#concept-document-bc</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-concept-document-bc">2.1. 
Usage</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-concept-origin"> <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin">https://html.spec.whatwg.org/multipage/origin.html#concept-origin</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-concept-origin">2. Origin-bound one-time codes</a> <a href="#ref-for-concept-origin①">(2)</a> <li><a href="#ref-for-concept-origin②">3.2. Parsing</a> <a href="#ref-for-concept-origin③">(2)</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-parent-browsing-context"> <a href="https://html.spec.whatwg.org/multipage/browsers.html#parent-browsing-context">https://html.spec.whatwg.org/multipage/browsers.html#parent-browsing-context</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-parent-browsing-context">2.1. Usage</a> <a href="#ref-for-parent-browsing-context①">(2)</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-same-origin"> <a href="https://html.spec.whatwg.org/multipage/origin.html#same-origin">https://html.spec.whatwg.org/multipage/origin.html#same-origin</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-same-origin">2.1. Usage</a> <a href="#ref-for-same-origin①">(2)</a> <a href="#ref-for-same-origin②">(3)</a> <a href="#ref-for-same-origin③">(4)</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-same-site"> <a href="https://html.spec.whatwg.org/multipage/origin.html#same-site">https://html.spec.whatwg.org/multipage/origin.html#same-site</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-same-site">2.1. Usage</a> <a href="#ref-for-same-site①">(2)</a> <a href="#ref-for-same-site②">(3)</a> <a href="#ref-for-same-site③">(4)</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-secure-context"> <a href="https://html.spec.whatwg.org/multipage/webappapis.html#secure-context">https://html.spec.whatwg.org/multipage/webappapis.html#secure-context</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-secure-context">2.1. 
Usage</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-top-level-browsing-context"> <a href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context">https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-top-level-browsing-context">2.1. Usage</a> <a href="#ref-for-top-level-browsing-context①">(2)</a> <a href="#ref-for-top-level-browsing-context②">(3)</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-ascii-whitespace"> <a href="https://infra.spec.whatwg.org/#ascii-whitespace">https://infra.spec.whatwg.org/#ascii-whitespace</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-ascii-whitespace">3.2. Parsing</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-code-point"> <a href="https://infra.spec.whatwg.org/#code-point">https://infra.spec.whatwg.org/#code-point</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-code-point">3.2. Parsing</a> <a href="#ref-for-code-point①">(2)</a> <a href="#ref-for-code-point②">(3)</a> <a href="#ref-for-code-point③">(4)</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-collect-a-sequence-of-code-points"> <a href="https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points">https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-collect-a-sequence-of-code-points">3.2. Parsing</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-normalize-newlines"> <a href="https://infra.spec.whatwg.org/#normalize-newlines">https://infra.spec.whatwg.org/#normalize-newlines</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-normalize-newlines">3.2. Parsing</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-strictly-split"> <a href="https://infra.spec.whatwg.org/#strictly-split">https://infra.spec.whatwg.org/#strictly-split</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-strictly-split">3.2. 
Parsing</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-string"> <a href="https://infra.spec.whatwg.org/#string">https://infra.spec.whatwg.org/#string</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-string">2. Origin-bound one-time codes</a> <li><a href="#ref-for-string①">3. Message format</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-tuple"> <a href="https://infra.spec.whatwg.org/#tuple">https://infra.spec.whatwg.org/#tuple</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-tuple">2. Origin-bound one-time codes</a> </ul> </aside> <aside class="dfn-panel" data-for="term-for-concept-url-scheme"> <a href="https://url.spec.whatwg.org/#concept-url-scheme">https://url.spec.whatwg.org/#concept-url-scheme</a><b>Referenced in:</b> <ul> <li><a href="#ref-for-concept-url-scheme">2.1. Usage</a> </ul> </aside> <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3> <ul class="index"> <li> <a data-link-type="biblio">[DOM]</a> defines the following terms: <ul> <li><span class="dfn-paneled" id="term-for-document">Document</span> <li><span class="dfn-paneled" id="term-for-concept-document-origin">origin</span> </ul> <li> <a data-link-type="biblio">[HTML]</a> defines the following terms: <ul> <li><span class="dfn-paneled" id="term-for-active-document">active document</span> <li><span class="dfn-paneled" id="term-for-concept-document-bc">browsing context <small>(for Document)</small></span> <li><span class="dfn-paneled" id="term-for-concept-origin">origin</span> <li><span class="dfn-paneled" id="term-for-parent-browsing-context">parent browsing context</span> <li><span class="dfn-paneled" id="term-for-same-origin">same origin</span> <li><span class="dfn-paneled" id="term-for-same-site">same site</span> <li><span class="dfn-paneled" id="term-for-secure-context">secure context</span> <li><span class="dfn-paneled" 
id="term-for-top-level-browsing-context">top-level browsing context</span> </ul> <li> <a data-link-type="biblio">[INFRA]</a> defines the following terms: <ul> <li><span class="dfn-paneled" id="term-for-ascii-whitespace">ascii whitespace</span> <li><span class="dfn-paneled" id="term-for-code-point">code point</span> <li><span class="dfn-paneled" id="term-for-collect-a-sequence-of-code-points">collecting a sequence of code points</span> <li><span class="dfn-paneled" id="term-for-normalize-newlines">normalize newlines</span> <li><span class="dfn-paneled" id="term-for-strictly-split">strictly split a string</span> <li><span class="dfn-paneled" id="term-for-string">string</span> <li><span class="dfn-paneled" id="term-for-tuple">tuple</span> </ul> <li> <a data-link-type="biblio">[URL]</a> defines the following terms: <ul> <li><span class="dfn-paneled" id="term-for-concept-url-scheme">scheme</span> </ul> </ul> <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2> <h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3> <dl> <dt id="biblio-dom">[DOM] <dd>Anne van Kesteren. <a href="https://dom.spec.whatwg.org/">DOM Standard</a>. Living Standard. URL: <a href="https://dom.spec.whatwg.org/">https://dom.spec.whatwg.org/</a> <dt id="biblio-html">[HTML] <dd>Anne van Kesteren; et al. <a href="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a> <dt id="biblio-infra">[INFRA] <dd>Anne van Kesteren; Domenic Denicola. <a href="https://infra.spec.whatwg.org/">Infra Standard</a>. Living Standard. URL: <a href="https://infra.spec.whatwg.org/">https://infra.spec.whatwg.org/</a> <dt id="biblio-rfc2119">[RFC2119] <dd>S. Bradner. 
<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a> </dl> <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3> <dl> <dt id="biblio-gsm-sms">[GSM-SMS] <dd>Richard Burbidge. <a href="http://www.3gpp.org/ftp/Specs/html-info/23040.htm">Technical realization of the Short Message Service (SMS)</a>. URL: <a href="http://www.3gpp.org/ftp/Specs/html-info/23040.htm">http://www.3gpp.org/ftp/Specs/html-info/23040.htm</a> <dt id="biblio-url">[URL] <dd>Anne van Kesteren. <a href="https://url.spec.whatwg.org/">URL Standard</a>. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a> <dt id="biblio-webauthn">[WEBAUTHN] <dd>Dirk Balfanz; et al. <a href="https://www.w3.org/TR/webauthn-1/">Web Authentication:An API for accessing Public Key Credentials Level 1</a>. 4 March 2019. REC. URL: <a href="https://www.w3.org/TR/webauthn-1/">https://www.w3.org/TR/webauthn-1/</a> </dl> <aside class="dfn-panel" data-for="origin-bound-one-time-code"> <b><a href="#origin-bound-one-time-code">#origin-bound-one-time-code</a></b><b>Referenced in:</b> <ul> <li><a href="#ref-for-origin-bound-one-time-code">2. Origin-bound one-time codes</a> <a href="#ref-for-origin-bound-one-time-code①">(2)</a> <li><a href="#ref-for-origin-bound-one-time-code②">2.1. Usage</a> <a href="#ref-for-origin-bound-one-time-code③">(2)</a> <a href="#ref-for-origin-bound-one-time-code④">(3)</a> <a href="#ref-for-origin-bound-one-time-code⑤">(4)</a> <a href="#ref-for-origin-bound-one-time-code⑥">(5)</a> <a href="#ref-for-origin-bound-one-time-code⑦">(6)</a> <a href="#ref-for-origin-bound-one-time-code⑧">(7)</a> <li><a href="#ref-for-origin-bound-one-time-code⑨">3. 
Message format</a> <li><a href="#ref-for-origin-bound-one-time-code①⓪">3.2. Parsing</a> <li><a href="#ref-for-origin-bound-one-time-code①①">5. Privacy considerations</a> </ul> </aside> <aside class="dfn-panel" data-for="origin-bound-one-time-code-message"> <b><a href="#origin-bound-one-time-code-message">#origin-bound-one-time-code-message</a></b><b>Referenced in:</b> <ul> <li><a href="#ref-for-origin-bound-one-time-code-message">3.1. Authoring</a> <a href="#ref-for-origin-bound-one-time-code-message①">(2)</a> <a href="#ref-for-origin-bound-one-time-code-message②">(3)</a> <a href="#ref-for-origin-bound-one-time-code-message③">(4)</a> <a href="#ref-for-origin-bound-one-time-code-message④">(5)</a> <a href="#ref-for-origin-bound-one-time-code-message⑤">(6)</a> <a href="#ref-for-origin-bound-one-time-code-message⑥">(7)</a> <a href="#ref-for-origin-bound-one-time-code-message⑦">(8)</a> <li><a href="#ref-for-origin-bound-one-time-code-message⑧">5. Privacy considerations</a> <a href="#ref-for-origin-bound-one-time-code-message⑨">(2)</a> <a href="#ref-for-origin-bound-one-time-code-message①⓪">(3)</a> </ul> </aside> <aside class="dfn-panel" data-for="origin-bound-one-time-code-message-explanatory-text"> <b><a href="#origin-bound-one-time-code-message-explanatory-text">#origin-bound-one-time-code-message-explanatory-text</a></b><b>Referenced in:</b> <ul> <li><a href="#ref-for-origin-bound-one-time-code-message-explanatory-text">3.1. Authoring</a> <a href="#ref-for-origin-bound-one-time-code-message-explanatory-text①">(2)</a> <a href="#ref-for-origin-bound-one-time-code-message-explanatory-text②">(3)</a> </ul> </aside> <aside class="dfn-panel" data-for="origin-bound-one-time-code-message-top-level-host"> <b><a href="#origin-bound-one-time-code-message-top-level-host">#origin-bound-one-time-code-message-top-level-host</a></b><b>Referenced in:</b> <ul> <li><a href="#ref-for-origin-bound-one-time-code-message-top-level-host">3.1. 
Authoring</a> <a href="#ref-for-origin-bound-one-time-code-message-top-level-host①">(2)</a> <a href="#ref-for-origin-bound-one-time-code-message-top-level-host②">(3)</a> <a href="#ref-for-origin-bound-one-time-code-message-top-level-host③">(4)</a> <a href="#ref-for-origin-bound-one-time-code-message-top-level-host④">(5)</a> <a href="#ref-for-origin-bound-one-time-code-message-top-level-host⑤">(6)</a> <a href="#ref-for-origin-bound-one-time-code-message-top-level-host⑥">(7)</a> </ul> </aside> <aside class="dfn-panel" data-for="origin-bound-one-time-code-message-code"> <b><a href="#origin-bound-one-time-code-message-code">#origin-bound-one-time-code-message-code</a></b><b>Referenced in:</b> <ul> <li><a href="#ref-for-origin-bound-one-time-code-message-code">3.1. Authoring</a> <a href="#ref-for-origin-bound-one-time-code-message-code①">(2)</a> <a href="#ref-for-origin-bound-one-time-code-message-code②">(3)</a> <a href="#ref-for-origin-bound-one-time-code-message-code③">(4)</a> <a href="#ref-for-origin-bound-one-time-code-message-code④">(5)</a> <a href="#ref-for-origin-bound-one-time-code-message-code⑤">(6)</a> </ul> </aside> <aside class="dfn-panel" data-for="origin-bound-one-time-code-message-embedded-host"> <b><a href="#origin-bound-one-time-code-message-embedded-host">#origin-bound-one-time-code-message-embedded-host</a></b><b>Referenced in:</b> <ul> <li><a href="#ref-for-origin-bound-one-time-code-message-embedded-host">3.1. Authoring</a> <a href="#ref-for-origin-bound-one-time-code-message-embedded-host①">(2)</a> <a href="#ref-for-origin-bound-one-time-code-message-embedded-host②">(3)</a> <a href="#ref-for-origin-bound-one-time-code-message-embedded-host③">(4)</a> </ul> </aside> <aside class="dfn-panel" data-for="parse-an-origin-bound-one-time-code-message"> <b><a href="#parse-an-origin-bound-one-time-code-message">#parse-an-origin-bound-one-time-code-message</a></b><b>Referenced in:</b> <ul> <li><a href="#ref-for-parse-an-origin-bound-one-time-code-message">3. 
Message format</a> </ul> </aside> <aside class="dfn-panel" data-for="extract-a-marked-token"> <b><a href="#extract-a-marked-token">#extract-a-marked-token</a></b><b>Referenced in:</b> <ul> <li><a href="#ref-for-extract-a-marked-token">3.2. Parsing</a> <a href="#ref-for-extract-a-marked-token①">(2)</a> <a href="#ref-for-extract-a-marked-token②">(3)</a> </ul> </aside> <aside class="dfn-panel" data-for="last-line"> <b><a href="#last-line">#last-line</a></b><b>Referenced in:</b> <ul> <li><a href="#ref-for-last-line">3.2. Parsing</a> </ul> </aside> <script>/* script-dfn-panel */ document.body.addEventListener("click", function(e) { var queryAll = function(sel) { return [].slice.call(document.querySelectorAll(sel)); } // Find the dfn element or panel, if any, that was clicked on. var el = e.target; var target; var hitALink = false; while(el.parentElement) { if(el.tagName == "A") { // Clicking on a link in a <dfn> shouldn't summon the panel hitALink = true; } if(el.classList.contains("dfn-paneled")) { target = "dfn"; break; } if(el.classList.contains("dfn-panel")) { target = "dfn-panel"; break; } el = el.parentElement; } if(target != "dfn-panel") { // Turn off any currently "on" or "activated" panels. 
queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(function(el){ el.classList.remove("on"); el.classList.remove("activated"); }); } if(target == "dfn" && !hitALink) { // open the panel var dfnPanel = document.querySelector(".dfn-panel[data-for='" + el.id + "']"); if(dfnPanel) { dfnPanel.classList.add("on"); var rect = el.getBoundingClientRect(); dfnPanel.style.left = window.scrollX + rect.right + 5 + "px"; dfnPanel.style.top = window.scrollY + rect.top + "px"; var panelRect = dfnPanel.getBoundingClientRect(); var panelWidth = panelRect.right - panelRect.left; if(panelRect.right > document.body.scrollWidth && (rect.left - (panelWidth + 5)) > 0) { // Reposition, because the panel is overflowing dfnPanel.style.left = window.scrollX + rect.left - (panelWidth + 5) + "px"; } } else { console.log("Couldn't find .dfn-panel[data-for='" + el.id + "']"); } } else if(target == "dfn-panel") { // Switch it to "activated" state, which pins it. el.classList.add("activated"); el.style.left = null; el.style.top = null; } }); </script>