From e4f24d9b3d1ec57f2dad79d6c210285699f4bda8 Mon Sep 17 00:00:00 2001
From: Tim Cappalli <tim@cloudauth.dev>
Date: Wed, 26 Jun 2024 17:47:50 +0000
Subject: [PATCH] update RWO algo to support additional origins with the same
 label

---
 index.bs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/index.bs b/index.bs
index 8849efe65..57a2cec1b 100644
--- a/index.bs
+++ b/index.bs
@@ -4130,9 +4130,10 @@ To validate the calling origin is an authorized related origin for a given cerem
     1. Let |domain| be the [=effective domain=] of |url|. If that is null, [=continue=].
     1. Remove any [=public suffix=] from the end of |domain|, including private registries and unknown registries. If |domain| is now empty, [=continue=].
     1. Split |domain| into |labels| and let |label| be the right-most one.
+    1. If the [=set/size=] of |labelsSeen| is greater than or equal to |maxLabels| and |labelsSeen|does not [=contains|contain=] |label|, [=continue=].
     1. If |callerOrigin| and |url| are [=same origin=], return [TRUE].
-    1. [=set/Append=] |label| to |labelsSeen|.
-    1. If the [=set/size=] of |labelsSeen| is greater than or equal to |maxLabels|, [=break=].
+    1. If |labelsSeen| [=contains=] |label|, [=continue=].
+    1. If the [=set/size=] of |labelsSeen| is less than |maxLabels|, [=set/Append=] |label| to |labelsSeen|.
 1. Return [FALSE].
 
 # WebAuthn <dfn>Authenticator Model</dfn> # {#sctn-authenticator-model}