Require callers to pass top origin string instead of same origin flag #81

@iinuwa

WebAuthn Level 3 allows cross-origin requests in some circumstances and added the topOrigin parameter to clientDataJSON. The is_same_origin flag that we're currently passing can be derived from the origin and topOrigin strings.

Either neither or both of origin and topOrigin should be passed. If neither is passed, credentialsd should, eventually, determine the implicit origin of the request, or otherwise derive the is_same_origin flag based on the equality of the two. Callers without a distinction between origin and top-origin can just pass the same string.

This is a breaking API change.
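
A sketch of the proposed contract, added here as an example and not taken from credentialsd: all type and function names are hypothetical, origins are compared as plain strings as the issue describes, and the serialization follows the WebAuthn Level 3 clientDataJSON field order, where topOrigin is emitted only for cross-origin requests.

```rust
// Added illustration; all names are hypothetical, not credentialsd's API.
#[derive(Debug, PartialEq)]
pub enum OriginError { OnlyOneProvided }

#[derive(Debug, PartialEq)]
pub struct RequestOrigins { pub origin: String, pub top_origin: String }

impl RequestOrigins {
    // The flag is derived from the two strings instead of trusted from the caller.
    pub fn is_same_origin(&self) -> bool { self.origin == self.top_origin }
}

/// Both or neither must be passed. Ok(None) means the service has to
/// determine the implicit origin of the request itself.
pub fn resolve_origins(o: Option<&str>, t: Option<&str>) -> Result<Option<RequestOrigins>, OriginError> {
    match (o, t) {
        (Some(o), Some(t)) => Ok(Some(RequestOrigins { origin: o.into(), top_origin: t.into() })),
        (None, None) => Ok(None),
        _ => Err(OriginError::OnlyOneProvided),
    }
}

// Minimal JSON string escaping: quote, backslash and control characters.
fn json_string(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Serializes client data; crossOrigin is the inverse of is_same_origin.
pub fn client_data_json(ty: &str, challenge: &str, o: &RequestOrigins) -> String {
    let cross = !o.is_same_origin();
    let mut s = format!("{{\"type\":{},\"challenge\":{},\"origin\":{},\"crossOrigin\":{}",
        json_string(ty), json_string(challenge), json_string(&o.origin), cross);
    if cross { s.push_str(&format!(",\"topOrigin\":{}", json_string(&o.top_origin))); }
    s.push('}');
    s
}

fn main() {
    // Constructed sample values.
    let o = resolve_origins(Some("https://pay.example"), Some("https://shop.example")).unwrap().unwrap();
    println!("{}", client_data_json("webauthn.get", "AAAA", &o));
}
```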
