The mediator can send a trusted credentialRequestOrigin value and that's useful, however, some other non-mediator party could send an invalid value. Wallets that receive CHAPI requests via url should not trust this value and should use the the origin in the protocols URL of choice instead.
dlongley
commented
6 days ago
The mediator can send a trusted
credentialRequestOriginvalue and that's useful, however, some other non-mediator party could send an invalid value. Wallets that receive CHAPI requests viaurlshould not trust this value and should use the the origin in theprotocolsURL of choice instead.