Use RFC2119 to put constraints on actors doing $foo, not on things being $bar or having $baz

[frivoal]

Only origins whose scheme is "https" may have a change password url.

This doesn't say what happens if origins who's scheme is "http" attempt to have one anyway.

I suggest deleting the "may" in the quoted sentence, and preferably also adding something that starts with "Clients must not [...]"

[ItsShadowCone]

Additionally, I wouldn't nail it to the https scheme, but rather to secure origins as per https://www.w3.org/TR/secure-contexts/ if security is important here.

As for what happens if an insecure origin attempts to have one: It's a well-known url, the simple solution is, clients SHOULD NOT attempt to resolve the change password url using this.

Also note that for privacy reasons, clients should only resolve change passwords URLs on explicit user input, I.e. Only after the user clicks change password, the password manager checks for an url, if it exists, opens it.

[hober]

Removed (in 20c613f) the sentence in question as it is now redundant with step 1 of the 'generate a change password url' algorithm added in b44bcc6. I believe these two changes also address the first two of Cl1608Ho's three points.

To Cl1608Ho's third point, I disagree. It's plausible that a client's UI could depend on the existence of a change password URL, so I don't want to disallow prefetching.

Resolving, as Florian's original point has been addressed. As always, please reopen if you'd like me to revisit.