We noticed that the current draft does not specify which navigations should be affected by .well-known/change-password. I can think of several possibilities:
All navigations
All navigations in the main frame
Only navigations triggered by the browser (e.g. via a "Change password" button") - but not those triggered by a user-typed URL nor from links nor site-initiated navigations.
My intuition would go with 2 as this allows a website like https://passwords.google.com to just redirect to example.com/.well-known/change-password in the assumption that the user won't be greeted by a 404.
I can also see a reason for 3: In this case there would be less special casing for site-initiated navigations. Also browser extensions would probably have more control.
I don't see a lot of value in 1 (supporting the spec for iframes).
We noticed that the current draft does not specify which navigations should be affected by .well-known/change-password. I can think of several possibilities:
My intuition would go with 2 as this allows a website like https://passwords.google.com to just redirect to example.com/.well-known/change-password in the assumption that the user won't be greeted by a 404.
I can also see a reason for 3: In this case there would be less special casing for site-initiated navigations. Also browser extensions would probably have more control.
I don't see a lot of value in 1 (supporting the spec for iframes).
WDYT? @rmondello @hober