Clarify that allowed_refresh_initiators is only out-of-scope hosts (#228)

drubery · Daniel Rubery · web-flow · commit 6c338b84d65a · 2025-10-09T15:14:20.000-07:00
This is pretty clear in #algo-request-allows-refresh, but its not clear
in the field description.

Co-authored-by: Daniel Rubery &lt;drubery@chromium.org&gt;
diff --git a/spec.bs b/spec.bs
@@ -1115,9 +1115,11 @@ At the root of the JSON object, the following keys can exist:
     [=continue=] key is false.
 
   : <dfn>allowed_refresh_initiators</dfn>
-  :: a [=list=] of [=strings=] describing which hosts are allowed to initiate
-    DBSC refreshes. See [[#algo-request-allows-refresh]] for details. This key
-    is OPTIONAL; if not present, the default value will be an empty list.
+  :: a [=list=] of [=strings=] describing which out-of-scope hosts are allowed
+    to initiate DBSC refreshes. Out-of-scope is defined based on the scope's
+    origin and include_site values. See [[#algo-request-allows-refresh]] for
+    details. This key is OPTIONAL; if not present, the default value will be an
+    empty list.
 </dl>
 
 <div class="example" id="secure-session-instruction-example">
