Top frame origin should be passed to client platforms and credential managers for cross-origin requests

[timcappalli]

Both get and create calls are allowed in cross-origin iframes in the spec. These cross-origin requests can be confusing and even misleading to users.

Client platforms and credential managers may want to display both the calling origin and top origin to users in their UI.

Since the group previously decided against having client data-like construct (#95), we would need to need to figure out where to put it and add guidance on passing it downstream.

[hlflanagan]

Discussed on the DC API call - 11 August