expected_origins in browser API

[jogu]

There are two outstanding questions around expected_origins in the browser API ( https://github.com/openid/OpenID4VP/pull/155 ):

1. https://github.com/openid/OpenID4VP/pull/155/files#r1640368803 - Kristina asked if using expected_origins in unsigned requests could provide some security benefits in some cases.

2. On the 18th June WG call it was discussed whether expected_origins should be considered as client metadata (i.e. we register a new client metadata parameter) that could be communicated in other ways, e.g. pulled from a federation entity id or pull from a .well-known location for the client (as well as being passed in signed requests in the client_metadata parameter) - i.e. treating it in a very similar way are redirect Uris are registered.

[lj-raidiam]

1. Probably not given that it can be modified by an attacker. Maybe inclusion of the origin sourced from the user_agent in the response could help?
2. These alternatives make sense provided that wallet can pull this info. We should then define wallet behavior should be given that this information might be available to it through different channels.