diff --git a/index.html b/index.html
index 3c96521..5a5b3f0 100644
--- a/index.html
+++ b/index.html
@@ -1424,7 +1424,7 @@
   <div class="head">
    <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
    <h1>Credential Management Level 1</h1>
-   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2017-06-08">8 June 2017</time></span></h2>
+   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2017-07-12">12 July 2017</time></span></h2>
    <div data-fill-with="spec-metadata">
     <dl>
      <dt>This version:
@@ -1530,7 +1530,7 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
       <li>
        <a href="#passwordcredential-algorithms"><span class="secno">3.3</span> <span class="content">Algorithms</span></a>
        <ol class="toc">
-        <li><a href="#collectfromcredentialstore-passwordcredential"><span class="secno">3.3.1</span> <span class="content"> <code>PasswordCredential</code>'s <code>[[CollectFromCredentialStore]](options)</code> </span></a>
+        <li><a href="#collectfromcredentialstore-passwordcredential"><span class="secno">3.3.1</span> <span class="content"> <code>PasswordCredential</code>'s <code>[[CollectFromCredentialStore]](origin, options)</code> </span></a>
         <li><a href="#create-passwordcredential"><span class="secno">3.3.2</span> <span class="content"> <code>PasswordCredential</code>'s <code>[[Create]](options)</code> </span></a>
         <li><a href="#store-passwordcredential"><span class="secno">3.3.3</span> <span class="content"> <code>PasswordCredential</code>'s <code>[[Store]](credential)</code> </span></a>
         <li><a href="#construct-passwordcredential-form"><span class="secno">3.3.4</span> <span class="content"> Create a <code>PasswordCredential</code> from an <code>HTMLFormElement</code> </span></a>
@@ -1549,7 +1549,7 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
       <li>
        <a href="#federatedcredential-algorithms"><span class="secno">4.2</span> <span class="content">Algorithms</span></a>
        <ol class="toc">
-        <li><a href="#collectfromcredentialstore-federatedcredential"><span class="secno">4.2.1</span> <span class="content"> <code>FederatedCredential</code>'s <code>[[CollectFromCredentialStore]](options)</code> </span></a>
+        <li><a href="#collectfromcredentialstore-federatedcredential"><span class="secno">4.2.1</span> <span class="content"> <code>FederatedCredential</code>'s <code>[[CollectFromCredentialStore]](origin, options)</code> </span></a>
         <li><a href="#create-federatedcredential"><span class="secno">4.2.2</span> <span class="content"> <code>FederatedCredential</code>'s <code>[[Create]](options)</code> </span></a>
         <li><a href="#store-federatedcredential"><span class="secno">4.2.3</span> <span class="content"> <code>FederatedCredential</code>'s <code>[[Store]](credential)</code> </span></a>
         <li><a href="#construct-federatedcredential-data"><span class="secno">4.2.4</span> <span class="content"> Create a <code>FederatedCredential</code> from <code>FederatedCredentialInit</code> </span></a>
@@ -1762,8 +1762,9 @@ <h3 class="heading settled" data-level="2.2" id="the-credential-interface"><span
     <h4 class="heading settled" data-level="2.2.1" id="credential-internal-methods"><span class="secno">2.2.1. </span><span class="content"><code>Credential</code> Internal Methods</span><a class="self-link" href="#credential-internal-methods"></a></h4>
     <p>Each <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a> created for interfaces which <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-inherit">inherit</a> from <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-8">Credential</a></code> defines several internal methods that allow retrieval and storage of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-9">Credential</a></code> objects:</p>
     <section class="algorithm" data-algorithm="&apos;collect credentials&apos; internal method">
-      <dfn class="dfn-paneled idl-code" data-dfn-for="Credential" data-dfn-type="method" data-export="" id="dom-credential-collectfromcredentialstore-slot"><code>[[CollectFromCredentialStore]](options)</code></dfn> is called
-    with a <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-1">CredentialRequestOptions</a></code>, and returns a set of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-10">Credential</a></code> objects from the user
+      <dfn class="dfn-paneled idl-code" data-dfn-for="Credential" data-dfn-type="method" data-export="" id="dom-credential-collectfromcredentialstore-slot"><code>[[CollectFromCredentialStore]](origin, options)</code></dfn> is called
+    with an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a> and a <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-1">CredentialRequestOptions</a></code>, and returns
+    a set of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-10">Credential</a></code> objects from the user
     agent’s <a data-link-type="dfn" href="#concept-credential-store" id="ref-for-concept-credential-store-7">credential store</a> that match the options provided. If no matching <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-11">Credential</a></code> objects are available, the returned set will be empty. 
      <ul class="algorithm">
       <ol>
@@ -1773,8 +1774,9 @@ <h4 class="heading settled" data-level="2.2.1" id="credential-internal-methods">
      </ul>
     </section>
     <section class="algorithm" data-algorithm="&apos;discover credentials&apos; internal method">
-      <dfn class="dfn-paneled idl-code" data-dfn-for="Credential" data-dfn-type="method" data-export="" id="dom-credential-discoverfromexternalsource-slot"><code>[[DiscoverFromExternalSource]](options)</code></dfn> is called
-    with a <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-2">CredentialRequestOptions</a></code> object. It returns a <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-12">Credential</a></code> if one can be
+      <dfn class="dfn-paneled idl-code" data-dfn-for="Credential" data-dfn-type="method" data-export="" id="dom-credential-discoverfromexternalsource-slot"><code>[[DiscoverFromExternalSource]](origin, options)</code></dfn> is called
+    with an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a> and a <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-2">CredentialRequestOptions</a></code> object. 
+    It returns a <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-12">Credential</a></code> if one can be
     returned given the options provided, <code>null</code> if no credential is available, or an error if
     discovery fails (for example, incorrect options could produce a <code class="idl"><a data-link-type="idl" href="https://heycam.github.io/webidl/#exceptiondef-typeerror">TypeError</a></code>). If this
     kind of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-13">Credential</a></code> is only <a data-link-type="dfn" href="#credential-effective" id="ref-for-credential-effective-3">effective</a> for a single use or a limited time, this
@@ -2141,11 +2143,13 @@ <h4 class="heading settled algorithm" data-algorithm="Request a Credential" data
       </ol>
      <li data-md="">
       <p>Let <var>p</var> be <a data-link-type="dfn" href="https://www.w3.org/2001/tag/doc/promises-guide/#a-new-promise">a new promise</a>.</p>
+     <li data-md="">
+      <p>Let <var>origin</var> be the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#current-settings-object">current settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a>.</p>
      <li data-md="">
       <p>Run the following steps <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#in-parallel">in parallel</a>:</p>
       <ol>
        <li data-md="">
-        <p>Let <var>credentials</var> be the result of <a data-link-type="abstract-op" href="#abstract-opdef-collect-credentials-from-the-credential-store" id="ref-for-abstract-opdef-collect-credentials-from-the-credential-store-1">collecting <code>Credential</code>s from the credential store</a>, given <var>options</var>.</p>
+        <p>Let <var>credentials</var> be the result of <a data-link-type="abstract-op" href="#abstract-opdef-collect-credentials-from-the-credential-store" id="ref-for-abstract-opdef-collect-credentials-from-the-credential-store-1">collecting <code>Credential</code>s from the credential store</a>, given <var>origin</var> and <var>options</var>.</p>
        <li data-md="">
         <p>If <var>credentials</var> is an <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-exception">exception</a>, <a data-link-type="dfn" href="https://www.w3.org/2001/tag/doc/promises-guide/#reject-promise">reject</a> <var>p</var> with <var>credentials</var>.</p>
        <li data-md="">
@@ -2155,7 +2159,7 @@ <h4 class="heading settled algorithm" data-algorithm="Request a Credential" data
          <li data-md="">
           <p><var>credentials</var>’ <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-size">size</a> is 1</p>
          <li data-md="">
-          <p><var>settings</var>’ <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a> does not <a data-link-type="dfn" href="#origin-requires-user-mediation" id="ref-for-origin-requires-user-mediation-2">require user mediation</a></p>
+          <p><var>origin</var> does not <a data-link-type="dfn" href="#origin-requires-user-mediation" id="ref-for-origin-requires-user-mediation-2">require user mediation</a></p>
          <li data-md="">
           <p><var>options</var> is <a data-link-type="dfn" href="#credentialrequestoptions-matchable-a-priori" id="ref-for-credentialrequestoptions-matchable-a-priori-2">matchable <i lang="la">a priori</i></a>.</p>
          <li data-md="">
@@ -2178,7 +2182,7 @@ <h4 class="heading settled algorithm" data-algorithm="Request a Credential" data
        <li data-md="">
         <p class="assertion">Assert: <var>choice</var> is an <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a>.</p>
        <li data-md="">
-        <p>Let <var>result</var> be the result of executing <var>choice</var>’s <code class="idl"><a data-link-type="idl" href="#dom-credential-discoverfromexternalsource-slot" id="ref-for-dom-credential-discoverfromexternalsource-slot-1">[[DiscoverFromExternalSource]](options)</a></code>, given <var>options</var>.</p>
+        <p>Let <var>result</var> be the result of executing <var>choice</var>’s <code class="idl"><a data-link-type="idl" href="#dom-credential-discoverfromexternalsource-slot" id="ref-for-dom-credential-discoverfromexternalsource-slot-1">[[DiscoverFromExternalSource]](origin, options)</a></code>, given <var>origin</var> and <var>options</var>.</p>
        <li data-md="">
         <p>If <var>result</var> is a <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-30">Credential</a></code> or <code>null</code>, resolve <var>p</var> with <var>result</var>.</p>
         <p>Otherwise, <a data-link-type="dfn" href="https://www.w3.org/2001/tag/doc/promises-guide/#reject-promise">reject</a> <var>p</var> with <var>result</var>.</p>
@@ -2187,7 +2191,8 @@ <h4 class="heading settled algorithm" data-algorithm="Request a Credential" data
       <p>Return <var>p</var>.</p>
     </ol>
     <h4 class="heading settled algorithm" data-algorithm="Collect Credentials from the credential store" data-level="2.5.2" id="algorithm-collect-known"><span class="secno">2.5.2. </span><span class="content">Collect <code>Credential</code>s from the credential store</span><a class="self-link" href="#algorithm-collect-known"></a></h4>
-    <p>Given a <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-10">CredentialRequestOptions</a></code> (<var>options</var>), the user agent may <dfn class="dfn-paneled" data-dfn-type="abstract-op" data-export="" data-local-lt="collect local" id="abstract-opdef-collect-credentials-from-the-credential-store">collect <code>Credential</code>s from the credential store</dfn>,
+    <p>Given an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a> (<var>origin</var>) and
+  a <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-10">CredentialRequestOptions</a></code> (<var>options</var>), the user agent may <dfn class="dfn-paneled" data-dfn-type="abstract-op" data-export="" data-local-lt="collect local" id="abstract-opdef-collect-credentials-from-the-credential-store">collect <code>Credential</code>s from the credential store</dfn>,
   returning a set of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-31">Credential</a></code> objects stored by the user agent locally that match <var>options</var>’
   filter. If no such <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-32">Credential</a></code> objects are known, the returned set will be empty:</p>
     <ol class="algorithm">
@@ -2197,7 +2202,7 @@ <h4 class="heading settled algorithm" data-algorithm="Collect Credentials from t
       <p>For each <var>interface</var> in <var>options</var>’ <a data-link-type="dfn" href="#credentialrequestoptions-relevant-credential-interface-objects" id="ref-for-credentialrequestoptions-relevant-credential-interface-objects-2">relevant credential interface objects</a>:</p>
       <ol>
        <li data-md="">
-        <p>Let <var>r</var> be the result of executing <var>interface</var>’s <code class="idl"><a data-link-type="idl" href="#dom-credential-collectfromcredentialstore-slot" id="ref-for-dom-credential-collectfromcredentialstore-slot-1">[[CollectFromCredentialStore]](options)</a></code> internal method on <var>options</var>.</p>
+        <p>Let <var>r</var> be the result of executing <var>interface</var>’s <code class="idl"><a data-link-type="idl" href="#dom-credential-collectfromcredentialstore-slot" id="ref-for-dom-credential-collectfromcredentialstore-slot-1">[[CollectFromCredentialStore]](origin, options)</a></code> internal method on <var>origin</var> and <var>options</var>.</p>
        <li data-md="">
         <p>If <var>r</var> is an <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-exception">exception</a>, return <var>r</var>.</p>
        <li data-md="">
@@ -2524,11 +2529,12 @@ <h3 class="heading settled" data-level="3.2" id="passwordcredential-interface"><
 };
 </pre>
     <p><code class="idl"><a data-link-type="idl" href="#passwordcredential" id="ref-for-passwordcredential-9">PasswordCredential</a></code> objects are <a data-link-type="dfn" href="#credential-origin-bound" id="ref-for-credential-origin-bound-1">origin bound</a>.</p>
-    <p><code class="idl"><a data-link-type="idl" href="#passwordcredential" id="ref-for-passwordcredential-10">PasswordCredential</a></code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a> inherits <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-37">Credential</a></code>'s implementation of <code class="idl"><a data-link-type="idl" href="#dom-credential-discoverfromexternalsource-slot" id="ref-for-dom-credential-discoverfromexternalsource-slot-2">[[DiscoverFromExternalSource]](options)</a></code>, and defines its own implementation of <code class="idl"><a data-link-type="idl" href="#dom-passwordcredential-collectfromcredentialstore-slot" id="ref-for-dom-passwordcredential-collectfromcredentialstore-slot-1">[[CollectFromCredentialStore]](options)</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-passwordcredential-create-slot" id="ref-for-dom-passwordcredential-create-slot-1">[[Create]](options)</a></code>, and <code class="idl"><a data-link-type="idl" href="#dom-passwordcredential-store-slot" id="ref-for-dom-passwordcredential-store-slot-1">[[Store]](credential)</a></code>.</p>
+    <p><code class="idl"><a data-link-type="idl" href="#passwordcredential" id="ref-for-passwordcredential-10">PasswordCredential</a></code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a> inherits <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-37">Credential</a></code>'s implementation of <code class="idl"><a data-link-type="idl" href="#dom-credential-discoverfromexternalsource-slot" id="ref-for-dom-credential-discoverfromexternalsource-slot-2">[[DiscoverFromExternalSource]](origin, options)</a></code>, and defines its own implementation of <code class="idl"><a data-link-type="idl" href="#dom-passwordcredential-collectfromcredentialstore-slot" id="ref-for-dom-passwordcredential-collectfromcredentialstore-slot-1">[[CollectFromCredentialStore]](origin, options)</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-passwordcredential-create-slot" id="ref-for-dom-passwordcredential-create-slot-1">[[Create]](options)</a></code>, and <code class="idl"><a data-link-type="idl" href="#dom-passwordcredential-store-slot" id="ref-for-dom-passwordcredential-store-slot-1">[[Store]](credential)</a></code>.</p>
     <h3 class="heading settled" data-level="3.3" id="passwordcredential-algorithms"><span class="secno">3.3. </span><span class="content">Algorithms</span><a class="self-link" href="#passwordcredential-algorithms"></a></h3>
-    <h4 class="heading settled algorithm" data-algorithm="PasswordCredential&apos;s [[CollectFromCredentialStore]](options)" data-level="3.3.1" id="collectfromcredentialstore-passwordcredential"><span class="secno">3.3.1. </span><span class="content"> <code>PasswordCredential</code>'s <code>[[CollectFromCredentialStore]](options)</code> </span><a class="self-link" href="#collectfromcredentialstore-passwordcredential"></a></h4>
-    <p><dfn class="dfn-paneled idl-code" data-dfn-for="PasswordCredential" data-dfn-type="method" data-export="" id="dom-passwordcredential-collectfromcredentialstore-slot"><code>[[CollectFromCredentialStore]](options)</code></dfn> is called
-  with a <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-12">CredentialRequestOptions</a></code> (<var>options</var>), and returns a set of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-38">Credential</a></code> objects from
+    <h4 class="heading settled algorithm" data-algorithm="PasswordCredential&apos;s [[CollectFromCredentialStore]](origin, options)" data-level="3.3.1" id="collectfromcredentialstore-passwordcredential"><span class="secno">3.3.1. </span><span class="content"> <code>PasswordCredential</code>'s <code>[[CollectFromCredentialStore]](origin, options)</code> </span><a class="self-link" href="#collectfromcredentialstore-passwordcredential"></a></h4>
+    <p><dfn class="dfn-paneled idl-code" data-dfn-for="PasswordCredential" data-dfn-type="method" data-export="" id="dom-passwordcredential-collectfromcredentialstore-slot"><code>[[CollectFromCredentialStore]](origin, options)</code></dfn> is called
+  with an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a> (<var>origin</var>) and a <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-12">CredentialRequestOptions</a></code> (<var>options</var>),
+  and returns a set of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-38">Credential</a></code> objects from
   the <a data-link-type="dfn" href="#concept-credential-store" id="ref-for-concept-credential-store-14">credential store</a>. If no matching <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-39">Credential</a></code> objects are available, the returned set
   will be empty.</p>
     <ol class="algorithm">
@@ -2542,7 +2548,7 @@ <h4 class="heading settled algorithm" data-algorithm="PasswordCredential&apos;s
        <li data-md="">
         <p>The credential is a <code class="idl"><a data-link-type="idl" href="#passwordcredential" id="ref-for-passwordcredential-11">PasswordCredential</a></code></p>
        <li data-md="">
-        <p>The credential’s <code class="idl"><a data-link-type="idl" href="#dom-credential-origin-slot" id="ref-for-dom-credential-origin-slot-1">[[origin]]</a></code> is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#same-origin">same origin</a> as the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#current-settings-object">current settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a>.</p>
+        <p>The credential’s <code class="idl"><a data-link-type="idl" href="#dom-credential-origin-slot" id="ref-for-dom-credential-origin-slot-1">[[origin]]</a></code> is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#same-origin">same origin</a> as <var>origin</var>.</p>
       </ol>
     </ol>
     <h4 class="heading settled algorithm" data-algorithm="PasswordCredential&apos;s [[Create]](options)" data-level="3.3.2" id="create-passwordcredential"><span class="secno">3.3.2. </span><span class="content"> <code>PasswordCredential</code>'s <code>[[Create]](options)</code> </span><a class="self-link" href="#create-passwordcredential"></a></h4>
@@ -2785,9 +2791,9 @@ <h3 class="heading settled" data-level="4.1" id="federatedcredential-interface">
 };
 </pre>
     <p><code class="idl"><a data-link-type="idl" href="#federatedcredential" id="ref-for-federatedcredential-6">FederatedCredential</a></code> objects are <a data-link-type="dfn" href="#credential-origin-bound" id="ref-for-credential-origin-bound-2">origin bound</a>.</p>
-    <p><code class="idl"><a data-link-type="idl" href="#federatedcredential" id="ref-for-federatedcredential-7">FederatedCredential</a></code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a> inherits <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-41">Credential</a></code>'s implementation of <code class="idl"><a data-link-type="idl" href="#dom-credential-discoverfromexternalsource-slot" id="ref-for-dom-credential-discoverfromexternalsource-slot-3">[[DiscoverFromExternalSource]](options)</a></code>, and defines its own implementation of <code class="idl"><a data-link-type="idl" href="#dom-federatedcredential-collectfromcredentialstore-slot" id="ref-for-dom-federatedcredential-collectfromcredentialstore-slot-1">[[CollectFromCredentialStore]](options)</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-federatedcredential-create-slot" id="ref-for-dom-federatedcredential-create-slot-1">[[Create]](options)</a></code>, and <code class="idl"><a data-link-type="idl" href="#dom-federatedcredential-store-slot" id="ref-for-dom-federatedcredential-store-slot-1">[[Store]](credential)</a></code>.</p>
+    <p><code class="idl"><a data-link-type="idl" href="#federatedcredential" id="ref-for-federatedcredential-7">FederatedCredential</a></code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a> inherits <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-41">Credential</a></code>'s implementation of <code class="idl"><a data-link-type="idl" href="#dom-credential-discoverfromexternalsource-slot" id="ref-for-dom-credential-discoverfromexternalsource-slot-3">[[DiscoverFromExternalSource]](origin, options)</a></code>, and defines its own implementation of <code class="idl"><a data-link-type="idl" href="#dom-federatedcredential-collectfromcredentialstore-slot" id="ref-for-dom-federatedcredential-collectfromcredentialstore-slot-1">[[CollectFromCredentialStore]](origin, options)</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-federatedcredential-create-slot" id="ref-for-dom-federatedcredential-create-slot-1">[[Create]](options)</a></code>, and <code class="idl"><a data-link-type="idl" href="#dom-federatedcredential-store-slot" id="ref-for-dom-federatedcredential-store-slot-1">[[Store]](credential)</a></code>.</p>
     <p class="note" role="note"><span>Note:</span> If, in the future, we teach the user agent to obtain authentication tokens on a user’s
-  behalf, we could do so by building an implementation of <code>[[DiscoverFromExternalSource]](options)</code>.</p>
+  behalf, we could do so by building an implementation of <code>[[DiscoverFromExternalSource]](origin, options)</code>.</p>
     <h4 class="heading settled" data-level="4.1.1" id="provider-identification"><span class="secno">4.1.1. </span><span class="content">Identifying Providers</span><a class="self-link" href="#provider-identification"></a></h4>
     <p>Every site should use the same identifier when referring to a specific federated identity
   provider. For example, <a href="https://developers.facebook.com/docs/facebook-login/v2.0">Facebook Login</a> shouldn’t be referred to as "Facebook" and "Facebook Login" and "FB" and "FBL" and "Facebook.com"
@@ -2799,9 +2805,10 @@ <h4 class="heading settled" data-level="4.1.1" id="provider-identification"><spa
   user agents SHOULD accept them silently: <code>https://accounts.google.com/</code> is clearly
   intended to be the same as <code>https://accounts.google.com</code>.</p>
     <h3 class="heading settled" data-level="4.2" id="federatedcredential-algorithms"><span class="secno">4.2. </span><span class="content">Algorithms</span><a class="self-link" href="#federatedcredential-algorithms"></a></h3>
-    <h4 class="heading settled algorithm" data-algorithm="FederatedCredential&apos;s [[CollectFromCredentialStore]](options)" data-level="4.2.1" id="collectfromcredentialstore-federatedcredential"><span class="secno">4.2.1. </span><span class="content"> <code>FederatedCredential</code>'s <code>[[CollectFromCredentialStore]](options)</code> </span><a class="self-link" href="#collectfromcredentialstore-federatedcredential"></a></h4>
-    <p><dfn class="dfn-paneled idl-code" data-dfn-for="FederatedCredential" data-dfn-type="method" data-export="" id="dom-federatedcredential-collectfromcredentialstore-slot"><code>[[CollectFromCredentialStore]](options)</code></dfn> is called
-  with a <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-15">CredentialRequestOptions</a></code> (<var>options</var>), and returns a set of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-42">Credential</a></code> objects from
+    <h4 class="heading settled algorithm" data-algorithm="FederatedCredential&apos;s [[CollectFromCredentialStore]](origin, options)" data-level="4.2.1" id="collectfromcredentialstore-federatedcredential"><span class="secno">4.2.1. </span><span class="content"> <code>FederatedCredential</code>'s <code>[[CollectFromCredentialStore]](origin, options)</code> </span><a class="self-link" href="#collectfromcredentialstore-federatedcredential"></a></h4>
+    <p><dfn class="dfn-paneled idl-code" data-dfn-for="FederatedCredential" data-dfn-type="method" data-export="" id="dom-federatedcredential-collectfromcredentialstore-slot"><code>[[CollectFromCredentialStore]](origin, options)</code></dfn> is called
+  with an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a> (<var>origin</var>) and a <code class="idl"><a data-link-type="idl" href="#dictdef-credentialrequestoptions" id="ref-for-dictdef-credentialrequestoptions-15">CredentialRequestOptions</a></code> (<var>options</var>),
+  and returns a set of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-42">Credential</a></code> objects from
   the <a data-link-type="dfn" href="#concept-credential-store" id="ref-for-concept-credential-store-19">credential store</a>. If no matching <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-43">Credential</a></code> objects are available, the returned set
   will be empty.</p>
     <ol class="algorithm">
@@ -2813,7 +2820,7 @@ <h4 class="heading settled algorithm" data-algorithm="FederatedCredential&apos;s
        <li data-md="">
         <p>The credential is a <code class="idl"><a data-link-type="idl" href="#federatedcredential" id="ref-for-federatedcredential-9">FederatedCredential</a></code></p>
        <li data-md="">
-        <p>The credential’s <code class="idl"><a data-link-type="idl" href="#dom-credential-origin-slot" id="ref-for-dom-credential-origin-slot-7">[[origin]]</a></code> is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#same-origin">same origin</a> as the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#current-settings-object">current settings object</a>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a>.</p>
+        <p>The credential’s <code class="idl"><a data-link-type="idl" href="#dom-credential-origin-slot" id="ref-for-dom-credential-origin-slot-7">[[origin]]</a></code> is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#same-origin">same origin</a> as <var>origin</var>.</p>
        <li data-md="">
         <p>If <var>options</var>["<code class="idl"><a data-link-type="idl" href="#dom-credentialrequestoptions-federated" id="ref-for-dom-credentialrequestoptions-federated-2">federated</a></code>"]["<code class="idl"><a data-link-type="idl" href="#dom-federatedcredentialrequestoptions-providers" id="ref-for-dom-federatedcredentialrequestoptions-providers-2">providers</a></code>"] <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#map-exists">exists</a>, its value <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-contain">contains</a> the credentials’s <code class="idl"><a data-link-type="idl" href="#dom-federatedcredential-provider" id="ref-for-dom-federatedcredential-provider-4">provider</a></code>.</p>
        <li data-md="">
@@ -3119,11 +3126,12 @@ <h3 class="heading settled" data-level="7.2" id="implementation-extension"><span
 </pre>
       </div>
      <li data-md="">
-      <p>Define appropriate <code class="idl"><a data-link-type="idl" href="#dom-credential-create-slot" id="ref-for-dom-credential-create-slot-2">[[Create]](options)</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-credential-collectfromcredentialstore-slot" id="ref-for-dom-credential-collectfromcredentialstore-slot-2">[[CollectFromCredentialStore]](options)</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-credential-discoverfromexternalsource-slot" id="ref-for-dom-credential-discoverfromexternalsource-slot-4">[[DiscoverFromExternalSource]](options)</a></code>, and <code class="idl"><a data-link-type="idl" href="#dom-credential-store-slot" id="ref-for-dom-credential-store-slot-2">[[Store]](credential)</a></code> methods on <code>ExampleCredential</code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a>. <code class="idl"><a data-link-type="idl" href="#dom-credential-collectfromcredentialstore-slot" id="ref-for-dom-credential-collectfromcredentialstore-slot-3">[[CollectFromCredentialStore]](options)</a></code> is appropriate for <a data-link-type="dfn" href="#concept-credential" id="ref-for-concept-credential-18">credentials</a> that remain <a data-link-type="dfn" href="#credential-effective" id="ref-for-credential-effective-4">effective</a> forever and
-  can therefore simply be copied out of the <a data-link-type="dfn" href="#concept-credential-store" id="ref-for-concept-credential-store-27">credential store</a>, while <code class="idl"><a data-link-type="idl" href="#dom-credential-discoverfromexternalsource-slot" id="ref-for-dom-credential-discoverfromexternalsource-slot-5">[[DiscoverFromExternalSource]](options)</a></code> is appropriate for <a data-link-type="dfn" href="#concept-credential" id="ref-for-concept-credential-19">credentials</a> that need to be re-generated from a <a data-link-type="dfn" href="#credential-source" id="ref-for-credential-source-2">credential source</a>.</p>
-      <div class="example" id="example-b597dd69">
-       <a class="self-link" href="#example-b597dd69"></a> <code>ExampleCredential</code>'s <code>[[CollectFromCredentialStore]](options)</code> internal method is called
-    with a CredentialRequestOptions object (<code>options</code>), and returns a set of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-54">Credential</a></code> objects that match the options provided. If no matching <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-55">Credential</a></code> objects are
+      <p>Define appropriate <code class="idl"><a data-link-type="idl" href="#dom-credential-create-slot" id="ref-for-dom-credential-create-slot-2">[[Create]](options)</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-credential-collectfromcredentialstore-slot" id="ref-for-dom-credential-collectfromcredentialstore-slot-2">[[CollectFromCredentialStore]](origin, options)</a></code>, <code class="idl"><a data-link-type="idl" href="#dom-credential-discoverfromexternalsource-slot" id="ref-for-dom-credential-discoverfromexternalsource-slot-4">[[DiscoverFromExternalSource]](origin, options)</a></code>, and <code class="idl"><a data-link-type="idl" href="#dom-credential-store-slot" id="ref-for-dom-credential-store-slot-2">[[Store]](credential)</a></code> methods on <code>ExampleCredential</code>'s <a data-link-type="dfn" href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</a>. <code class="idl"><a data-link-type="idl" href="#dom-credential-collectfromcredentialstore-slot" id="ref-for-dom-credential-collectfromcredentialstore-slot-3">[[CollectFromCredentialStore]](origin, options)</a></code> is appropriate for <a data-link-type="dfn" href="#concept-credential" id="ref-for-concept-credential-18">credentials</a> that remain <a data-link-type="dfn" href="#credential-effective" id="ref-for-credential-effective-4">effective</a> forever and
+  can therefore simply be copied out of the <a data-link-type="dfn" href="#concept-credential-store" id="ref-for-concept-credential-store-27">credential store</a>, while <code class="idl"><a data-link-type="idl" href="#dom-credential-discoverfromexternalsource-slot" id="ref-for-dom-credential-discoverfromexternalsource-slot-5">[[DiscoverFromExternalSource]](origin, options)</a></code> is appropriate for <a data-link-type="dfn" href="#concept-credential" id="ref-for-concept-credential-19">credentials</a> that need to be re-generated from a <a data-link-type="dfn" href="#credential-source" id="ref-for-credential-source-2">credential source</a>.</p>
+      <div class="example" id="example-3e2299db">
+       <a class="self-link" href="#example-3e2299db"></a> <code>ExampleCredential</code>'s <code>[[CollectFromCredentialStore]](origin, options)</code> internal method is called
+    with an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin</a> (<code>origin</code>) and a CredentialRequestOptions
+    object (<code>options</code>), and returns a set of <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-54">Credential</a></code> objects that match the options provided. If no matching <code class="idl"><a data-link-type="idl" href="#credential" id="ref-for-credential-55">Credential</a></code> objects are
     available, the returned set will be empty. 
        <ol>
         <li data-md="">
@@ -3248,7 +3256,7 @@ <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="c
    <li><a href="#abstract-opdef-ask-the-user-to-choose-a-credential">ask to choose</a><span>, in §5.3</span>
    <li><a href="#abstract-opdef-collect-credentials-from-the-credential-store">collect Credentials from the credential store</a><span>, in §2.5.2</span>
    <li>
-    [[CollectFromCredentialStore]](options)
+    [[CollectFromCredentialStore]](origin, options)
     <ul>
      <li><a href="#dom-credential-collectfromcredentialstore-slot">method for Credential</a><span>, in §2.2.1</span>
      <li><a href="#dom-passwordcredential-collectfromcredentialstore-slot">method for PasswordCredential</a><span>, in §3.3.1</span>
@@ -3286,7 +3294,7 @@ <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="c
      <li><a href="#dom-credential-discovery-credential-store">enum-value for Credential/[[discovery]]</a><span>, in §2.2</span>
     </ul>
    <li><a href="#credentialuserdata">CredentialUserData</a><span>, in §2.2.2</span>
-   <li><a href="#dom-credential-discoverfromexternalsource-slot">[[DiscoverFromExternalSource]](options)</a><span>, in §2.2.1</span>
+   <li><a href="#dom-credential-discoverfromexternalsource-slot">[[DiscoverFromExternalSource]](origin, options)</a><span>, in §2.2.1</span>
    <li><a href="#dom-credential-discovery-slot">[[discovery]]</a><span>, in §2.2</span>
    <li><a href="#credential-effective">effective</a><span>, in §2</span>
    <li>
@@ -3708,11 +3716,11 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
     <li><a href="#ref-for-concept-credential-store-11">2.5.5. Prevent Silent Access</a> <a href="#ref-for-concept-credential-store-12">(2)</a>
     <li><a href="#ref-for-concept-credential-store-13">3.1.1. Password-based Sign-in</a>
     <li><a href="#ref-for-concept-credential-store-14">3.3.1. 
-    PasswordCredential's [[CollectFromCredentialStore]](options) </a> <a href="#ref-for-concept-credential-store-15">(2)</a>
+    PasswordCredential's [[CollectFromCredentialStore]](origin, options) </a> <a href="#ref-for-concept-credential-store-15">(2)</a>
     <li><a href="#ref-for-concept-credential-store-16">3.3.3. 
     PasswordCredential's [[Store]](credential) </a> <a href="#ref-for-concept-credential-store-17">(2)</a> <a href="#ref-for-concept-credential-store-18">(3)</a>
     <li><a href="#ref-for-concept-credential-store-19">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a> <a href="#ref-for-concept-credential-store-20">(2)</a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a> <a href="#ref-for-concept-credential-store-20">(2)</a>
     <li><a href="#ref-for-concept-credential-store-21">4.2.3. 
     FederatedCredential's [[Store]](credential) </a> <a href="#ref-for-concept-credential-store-22">(2)</a> <a href="#ref-for-concept-credential-store-23">(3)</a>
     <li><a href="#ref-for-concept-credential-store-24">5.2. Requiring User Mediation</a>
@@ -3725,9 +3733,9 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
    <b><a href="#abstract-opdef-credential-store-retrieve-a-list-of-credentials">#abstract-opdef-credential-store-retrieve-a-list-of-credentials</a></b><b>Referenced in:</b>
    <ul>
     <li><a href="#ref-for-abstract-opdef-credential-store-retrieve-a-list-of-credentials-1">3.3.1. 
-    PasswordCredential's [[CollectFromCredentialStore]](options) </a>
+    PasswordCredential's [[CollectFromCredentialStore]](origin, options) </a>
     <li><a href="#ref-for-abstract-opdef-credential-store-retrieve-a-list-of-credentials-2">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a>
    </ul>
   </aside>
   <aside class="dfn-panel" data-for="origin-prevent-silent-access-flag">
@@ -3763,10 +3771,10 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
     <li><a href="#ref-for-credential-34">2.5.4. Create a Credential</a> <a href="#ref-for-credential-35">(2)</a>
     <li><a href="#ref-for-credential-36">3.2. The PasswordCredential Interface</a> <a href="#ref-for-credential-37">(2)</a>
     <li><a href="#ref-for-credential-38">3.3.1. 
-    PasswordCredential's [[CollectFromCredentialStore]](options) </a> <a href="#ref-for-credential-39">(2)</a>
+    PasswordCredential's [[CollectFromCredentialStore]](origin, options) </a> <a href="#ref-for-credential-39">(2)</a>
     <li><a href="#ref-for-credential-40">4.1. The FederatedCredential Interface</a> <a href="#ref-for-credential-41">(2)</a>
     <li><a href="#ref-for-credential-42">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a> <a href="#ref-for-credential-43">(2)</a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a> <a href="#ref-for-credential-43">(2)</a>
     <li><a href="#ref-for-credential-44">5.3. Credential Selection</a> <a href="#ref-for-credential-45">(2)</a> <a href="#ref-for-credential-46">(3)</a> <a href="#ref-for-credential-47">(4)</a> <a href="#ref-for-credential-48">(5)</a>
     <li><a href="#ref-for-credential-49">6.1. Cross-domain credential access</a>
     <li><a href="#ref-for-credential-50">6.7. Chooser Leakage</a> <a href="#ref-for-credential-51">(2)</a> <a href="#ref-for-credential-52">(3)</a>
@@ -3833,13 +3841,13 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
    <b><a href="#dom-credential-origin-slot">#dom-credential-origin-slot</a></b><b>Referenced in:</b>
    <ul>
     <li><a href="#ref-for-dom-credential-origin-slot-1">3.3.1. 
-    PasswordCredential's [[CollectFromCredentialStore]](options) </a>
+    PasswordCredential's [[CollectFromCredentialStore]](origin, options) </a>
     <li><a href="#ref-for-dom-credential-origin-slot-2">3.3.3. 
     PasswordCredential's [[Store]](credential) </a> <a href="#ref-for-dom-credential-origin-slot-3">(2)</a> <a href="#ref-for-dom-credential-origin-slot-4">(3)</a> <a href="#ref-for-dom-credential-origin-slot-5">(4)</a>
     <li><a href="#ref-for-dom-credential-origin-slot-6">3.3.5. 
     Create a PasswordCredential from PasswordCredentialData </a>
     <li><a href="#ref-for-dom-credential-origin-slot-7">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a>
     <li><a href="#ref-for-dom-credential-origin-slot-8">4.2.3. 
     FederatedCredential's [[Store]](credential) </a> <a href="#ref-for-dom-credential-origin-slot-9">(2)</a> <a href="#ref-for-dom-credential-origin-slot-10">(3)</a> <a href="#ref-for-dom-credential-origin-slot-11">(4)</a>
     <li><a href="#ref-for-dom-credential-origin-slot-12">4.2.4. 
@@ -4030,12 +4038,12 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
     <li><a href="#ref-for-dictdef-credentialrequestoptions-10">2.5.2. Collect Credentials from the credential store</a>
     <li><a href="#ref-for-dictdef-credentialrequestoptions-11">3.2. The PasswordCredential Interface</a>
     <li><a href="#ref-for-dictdef-credentialrequestoptions-12">3.3.1. 
-    PasswordCredential's [[CollectFromCredentialStore]](options) </a>
+    PasswordCredential's [[CollectFromCredentialStore]](origin, options) </a>
     <li><a href="#ref-for-dictdef-credentialrequestoptions-13">3.3.6. 
     CredentialRequestOptions Matching for PasswordCredential </a>
     <li><a href="#ref-for-dictdef-credentialrequestoptions-14">4.1. The FederatedCredential Interface</a>
     <li><a href="#ref-for-dictdef-credentialrequestoptions-15">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a>
     <li><a href="#ref-for-dictdef-credentialrequestoptions-16">5.3. Credential Selection</a>
     <li><a href="#ref-for-dictdef-credentialrequestoptions-17">7.2. Extension Points</a>
    </ul>
@@ -4153,7 +4161,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
     <li><a href="#ref-for-passwordcredential-4">3.1.3. Change Password</a>
     <li><a href="#ref-for-passwordcredential-5">3.2. The PasswordCredential Interface</a> <a href="#ref-for-passwordcredential-6">(2)</a> <a href="#ref-for-passwordcredential-7">(3)</a> <a href="#ref-for-passwordcredential-8">(4)</a> <a href="#ref-for-passwordcredential-9">(5)</a> <a href="#ref-for-passwordcredential-10">(6)</a>
     <li><a href="#ref-for-passwordcredential-11">3.3.1. 
-    PasswordCredential's [[CollectFromCredentialStore]](options) </a>
+    PasswordCredential's [[CollectFromCredentialStore]](origin, options) </a>
     <li><a href="#ref-for-passwordcredential-12">3.3.2. 
     PasswordCredential's [[Create]](options) </a> <a href="#ref-for-passwordcredential-13">(2)</a>
     <li><a href="#ref-for-passwordcredential-14">3.3.3. 
@@ -4171,7 +4179,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
    <ul>
     <li><a href="#ref-for-dom-credentialrequestoptions-password-1">3.1.1. Password-based Sign-in</a> <a href="#ref-for-dom-credentialrequestoptions-password-2">(2)</a>
     <li><a href="#ref-for-dom-credentialrequestoptions-password-3">3.3.1. 
-    PasswordCredential's [[CollectFromCredentialStore]](options) </a> <a href="#ref-for-dom-credentialrequestoptions-password-4">(2)</a>
+    PasswordCredential's [[CollectFromCredentialStore]](origin, options) </a> <a href="#ref-for-dom-credentialrequestoptions-password-4">(2)</a>
     <li><a href="#ref-for-dom-credentialrequestoptions-password-5">3.3.6. 
     CredentialRequestOptions Matching for PasswordCredential </a>
    </ul>
@@ -4297,7 +4305,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
     <li><a href="#ref-for-federatedcredential-2">4.1. The FederatedCredential Interface</a> <a href="#ref-for-federatedcredential-3">(2)</a> <a href="#ref-for-federatedcredential-4">(3)</a> <a href="#ref-for-federatedcredential-5">(4)</a> <a href="#ref-for-federatedcredential-6">(5)</a> <a href="#ref-for-federatedcredential-7">(6)</a>
     <li><a href="#ref-for-federatedcredential-8">4.1.1. Identifying Providers</a>
     <li><a href="#ref-for-federatedcredential-9">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a>
     <li><a href="#ref-for-federatedcredential-10">4.2.2. 
     FederatedCredential's [[Create]](options) </a>
     <li><a href="#ref-for-federatedcredential-11">4.2.3. 
@@ -4319,21 +4327,21 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
    <ul>
     <li><a href="#ref-for-dom-federatedcredentialrequestoptions-providers-1">4.1.1. Identifying Providers</a>
     <li><a href="#ref-for-dom-federatedcredentialrequestoptions-providers-2">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a>
    </ul>
   </aside>
   <aside class="dfn-panel" data-for="dom-federatedcredentialrequestoptions-protocols">
    <b><a href="#dom-federatedcredentialrequestoptions-protocols">#dom-federatedcredentialrequestoptions-protocols</a></b><b>Referenced in:</b>
    <ul>
     <li><a href="#ref-for-dom-federatedcredentialrequestoptions-protocols-1">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a>
    </ul>
   </aside>
   <aside class="dfn-panel" data-for="dom-credentialrequestoptions-federated">
    <b><a href="#dom-credentialrequestoptions-federated">#dom-credentialrequestoptions-federated</a></b><b>Referenced in:</b>
    <ul>
     <li><a href="#ref-for-dom-credentialrequestoptions-federated-1">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a> <a href="#ref-for-dom-credentialrequestoptions-federated-2">(2)</a> <a href="#ref-for-dom-credentialrequestoptions-federated-3">(3)</a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a> <a href="#ref-for-dom-credentialrequestoptions-federated-2">(2)</a> <a href="#ref-for-dom-credentialrequestoptions-federated-3">(3)</a>
    </ul>
   </aside>
   <aside class="dfn-panel" data-for="dom-federatedcredential-provider">
@@ -4342,7 +4350,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
     <li><a href="#ref-for-dom-federatedcredential-provider-1">4.1. The FederatedCredential Interface</a> <a href="#ref-for-dom-federatedcredential-provider-2">(2)</a>
     <li><a href="#ref-for-dom-federatedcredential-provider-3">4.1.1. Identifying Providers</a>
     <li><a href="#ref-for-dom-federatedcredential-provider-4">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a>
     <li><a href="#ref-for-dom-federatedcredential-provider-5">4.2.3. 
     FederatedCredential's [[Store]](credential) </a> <a href="#ref-for-dom-federatedcredential-provider-6">(2)</a> <a href="#ref-for-dom-federatedcredential-provider-7">(3)</a> <a href="#ref-for-dom-federatedcredential-provider-8">(4)</a>
     <li><a href="#ref-for-dom-federatedcredential-provider-9">4.2.4. 
@@ -4354,7 +4362,7 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
    <ul>
     <li><a href="#ref-for-dom-federatedcredential-protocol-1">4.1. The FederatedCredential Interface</a>
     <li><a href="#ref-for-dom-federatedcredential-protocol-2">4.2.1. 
-    FederatedCredential's [[CollectFromCredentialStore]](options) </a>
+    FederatedCredential's [[CollectFromCredentialStore]](origin, options) </a>
     <li><a href="#ref-for-dom-federatedcredential-protocol-3">4.2.3. 
     FederatedCredential's [[Store]](credential) </a> <a href="#ref-for-dom-federatedcredential-protocol-4">(2)</a>
    </ul>
diff --git a/index.src.html b/index.src.html
index bdb2527..d86781f 100644
--- a/index.src.html
+++ b/index.src.html
@@ -284,8 +284,9 @@ <h1>Credential Management Level 1</h1>
   defines several internal methods that allow retrieval and storage of {{Credential}} objects:
 
   <section algorithm="'collect credentials' internal method">
-    <dfn for="Credential" method export>\[[CollectFromCredentialStore]](options)</dfn> is called
-    with a {{CredentialRequestOptions}}, and returns a set of {{Credential}} objects from the user
+    <dfn for="Credential" method export>\[[CollectFromCredentialStore]](origin, options)</dfn> is called
+    with an [=environment settings object/origin=] and a {{CredentialRequestOptions}}, and returns
+    a set of {{Credential}} objects from the user
     agent's [=credential store=] that match the options provided. If no matching {{Credential}}
     objects are available, the returned set will be empty.
 
@@ -295,8 +296,9 @@ <h1>Credential Management Level 1</h1>
   </section>
 
   <section algorithm="'discover credentials' internal method">
-    <dfn for="Credential" method export>\[[DiscoverFromExternalSource]](options)</dfn> is called
-    with a {{CredentialRequestOptions}} object. It returns a {{Credential}} if one can be
+    <dfn for="Credential" method export>\[[DiscoverFromExternalSource]](origin, options)</dfn> is called
+    with an [=environment settings object/origin=] and a {{CredentialRequestOptions}} object. 
+    It returns a {{Credential}} if one can be
     returned given the options provided, `null` if no credential is available, or an error if
     discovery fails (for example, incorrect options could produce a {{TypeError}}). If this
     kind of {{Credential}} is only [=effective=] for a single use or a limited time, this
@@ -691,11 +693,13 @@ <h4 id="algorithm-request" algorithm>Request a `Credential`</h4>
             [=active document=] in a [=top-level browsing context=].
 
     4.  Let |p| be [=a new promise=].
-   
-    5.  Run the following steps [=in parallel=]: 
+
+    5.  Let |origin| be the [=current settings object=]'s [=environment settings object/origin=].
+
+    6.  Run the following steps [=in parallel=]:
 
         1.  Let |credentials| be the result of <a abstract-op lt="collect local">collecting
-            `Credential`s from the credential store</a>, given |options|.
+            `Credential`s from the credential store</a>, given |origin| and |options|.
 
         2.  If |credentials| is an [=exception=], [=reject=] |p| with |credentials|.
 
@@ -704,8 +708,7 @@ <h4 id="algorithm-request" algorithm>Request a `Credential`</h4>
 
             1.  |credentials|' [=set/size=] is 1
 
-            2.  |settings|' [=environment settings object/origin=] does not
-                [=origin/requires user mediation|require user mediation=]
+            2.  |origin| does not [=origin/requires user mediation|require user mediation=]
 
             3.  |options| is <a>matchable <i lang="la">a priori</i></a>.
 
@@ -729,18 +732,19 @@ <h4 id="algorithm-request" algorithm>Request a `Credential`</h4>
         7.  Assert: |choice| is an [=interface object=].
 
         8.  Let |result| be the result of executing |choice|'s
-            {{[[DiscoverFromExternalSource]](options)}}, given |options|.
+            {{[[DiscoverFromExternalSource]](origin, options)}}, given |origin| and |options|.
 
         9.  If |result| is a {{Credential}} or `null`, resolve |p| with |result|.
 
             Otherwise, [=reject=] |p| with |result|.
 
-    6.  Return |p|.
+    7.  Return |p|.
   </ol>
 
   <h4 id="algorithm-collect-known" algorithm>Collect `Credential`s from the credential store</h4>
 
-  Given a {{CredentialRequestOptions}} (|options|), the user agent may
+  Given an [=environment settings object/origin=] (|origin|) and
+  a {{CredentialRequestOptions}} (|options|), the user agent may
   <dfn abstract-op local-lt="collect local">collect `Credential`s from the credential store</dfn>,
   returning a set of {{Credential}} objects stored by the user agent locally that match |options|'
   filter. If no such {{Credential}} objects are known, the returned set will be empty:
@@ -751,7 +755,8 @@ <h4 id="algorithm-collect-known" algorithm>Collect `Credential`s from the creden
     2.  For each |interface| in |options|' <a>relevant credential interface objects</a>:
 
         1.  Let |r| be the result of executing |interface|'s
-            {{Credential/[[CollectFromCredentialStore]](options)}} internal method on |options|.
+            {{Credential/[[CollectFromCredentialStore]](origin, options)}} internal method on
+            |origin| and |options|.
 
         2.  If |r| is an [=exception=], return |r|.
 
@@ -1133,19 +1138,20 @@ <h4 id="algorithm-prevent-silent-access" algorithm>Prevent Silent Access</h4>
   {{PasswordCredential}} objects are [=Credential/origin bound=].
 
   {{PasswordCredential}}'s [=interface object=] inherits {{Credential}}'s implementation of
-  {{Credential/[[DiscoverFromExternalSource]](options)}}, and defines its own implementation of
-  {{PasswordCredential/[[CollectFromCredentialStore]](options)}},
+  {{Credential/[[DiscoverFromExternalSource]](origin, options)}}, and defines its own implementation of
+  {{PasswordCredential/[[CollectFromCredentialStore]](origin, options)}},
   {{PasswordCredential/[[Create]](options)}}, and
   {{PasswordCredential/[[Store]](credential)}}.
 
   ## Algorithms ## {#passwordcredential-algorithms}
 
   <h4 algorithm id="collectfromcredentialstore-passwordcredential">
-    `PasswordCredential`'s `[[CollectFromCredentialStore]](options)`
+    `PasswordCredential`'s `[[CollectFromCredentialStore]](origin, options)`
   </h4>
 
-  <dfn for="PasswordCredential" method>\[[CollectFromCredentialStore]](options)</dfn> is called
-  with a {{CredentialRequestOptions}} (|options|), and returns a set of {{Credential}} objects from
+  <dfn for="PasswordCredential" method>\[[CollectFromCredentialStore]](origin, options)</dfn> is called
+  with an [=environment settings object/origin=] (|origin|) and a {{CredentialRequestOptions}} (|options|),
+  and returns a set of {{Credential}} objects from
   the [=credential store=]. If no matching {{Credential}} objects are available, the returned set
   will be empty.
 
@@ -1158,8 +1164,7 @@ <h4 algorithm id="collectfromcredentialstore-passwordcredential">
         credentials from the [=credential store=] that match the following filter:
 
         1.  The credential is a {{PasswordCredential}}
-        2.  The credential's {{Credential/[[origin]]}} is the [=same origin=] as the
-            [=current settings object=]'s [=environment settings object/origin=].
+        2.  The credential's {{Credential/[[origin]]}} is the [=same origin=] as |origin|.
   </ol>
 
   <h4 algorithm id="create-passwordcredential">
@@ -1437,13 +1442,13 @@ <h4 algorithm id="passwordcredential-matching">
   {{FederatedCredential}} objects are [=Credential/origin bound=].
 
   {{FederatedCredential}}'s [=interface object=] inherits {{Credential}}'s implementation of
-  {{Credential/[[DiscoverFromExternalSource]](options)}}, and defines its own implementation of
-  {{FederatedCredential/[[CollectFromCredentialStore]](options)}},
+  {{Credential/[[DiscoverFromExternalSource]](origin, options)}}, and defines its own implementation of
+  {{FederatedCredential/[[CollectFromCredentialStore]](origin, options)}},
   {{FederatedCredential/[[Create]](options)}}, and
   {{FederatedCredential/[[Store]](credential)}}.
 
   Note: If, in the future, we teach the user agent to obtain authentication tokens on a user's
-  behalf, we could do so by building an implementation of `[[DiscoverFromExternalSource]](options)`.
+  behalf, we could do so by building an implementation of `[[DiscoverFromExternalSource]](origin, options)`.
 
   ### Identifying Providers ### {#provider-identification}
 
@@ -1468,11 +1473,12 @@ <h4 algorithm id="passwordcredential-matching">
   ## Algorithms ## {#federatedcredential-algorithms}
 
   <h4 algorithm id="collectfromcredentialstore-federatedcredential">
-    `FederatedCredential`'s `[[CollectFromCredentialStore]](options)`
+    `FederatedCredential`'s `[[CollectFromCredentialStore]](origin, options)`
   </h4>
 
-  <dfn for="FederatedCredential" method>\[[CollectFromCredentialStore]](options)</dfn> is called
-  with a {{CredentialRequestOptions}} (|options|), and returns a set of {{Credential}} objects from
+  <dfn for="FederatedCredential" method>\[[CollectFromCredentialStore]](origin, options)</dfn> is called
+  with an [=environment settings object/origin=] (|origin|) and a {{CredentialRequestOptions}} (|options|),
+  and returns a set of {{Credential}} objects from
   the [=credential store=]. If no matching {{Credential}} objects are available, the returned set
   will be empty.
 
@@ -1483,8 +1489,7 @@ <h4 algorithm id="collectfromcredentialstore-federatedcredential">
         credentials from the [=credential store=] that match the following filter:
 
         1.  The credential is a {{FederatedCredential}}
-        2.  The credential's {{Credential/[[origin]]}} is the [=same origin=] as the
-            [=current settings object=]'s [=environment settings object/origin=].
+        2.  The credential's {{Credential/[[origin]]}} is the [=same origin=] as |origin|.
         3.  If |options|["{{CredentialRequestOptions/federated}}"]["{{FederatedCredentialRequestOptions/providers}}"]
             [=map/exists=], its value [=list/contains=] the credentials's {{FederatedCredential/provider}}.
         4.  If |options|["{{CredentialRequestOptions/federated}}"]["{{FederatedCredentialRequestOptions/protocols}}"]
@@ -1893,18 +1898,19 @@ <h4 algorithm id="construct-federatedcredential-data">
       </div>
 
   2.  Define appropriate {{Credential/[[Create]](options)}},
-      {{Credential/[[CollectFromCredentialStore]](options)}},
-      {{Credential/[[DiscoverFromExternalSource]](options)}}, and
+      {{Credential/[[CollectFromCredentialStore]](origin, options)}},
+      {{Credential/[[DiscoverFromExternalSource]](origin, options)}}, and
       {{Credential/[[Store]](credential)}} methods on `ExampleCredential`'s
-      [=interface object=]. {{Credential/[[CollectFromCredentialStore]](options)}}
+      [=interface object=]. {{Credential/[[CollectFromCredentialStore]](origin, options)}}
       is appropriate for [=credentials=] that remain [=effective=] forever and
       can therefore simply be copied out of the [=credential store=], while
-      {{Credential/[[DiscoverFromExternalSource]](options)}} is appropriate for
+      {{Credential/[[DiscoverFromExternalSource]](origin, options)}} is appropriate for
       [=credentials=] that need to be re-generated from a [=credential source=].
 
       <div class="example">
-        `ExampleCredential`'s `[[CollectFromCredentialStore]](options)` internal method is called
-        with a CredentialRequestOptions object (`options`), and returns a set of {{Credential}}
+        `ExampleCredential`'s `[[CollectFromCredentialStore]](origin, options)` internal method is called
+        with an [=environment settings object/origin=] (`origin`) and a CredentialRequestOptions
+        object (`options`), and returns a set of {{Credential}}
         objects that match the options provided. If no matching {{Credential}} objects are
         available, the returned set will be empty.