clientDataJSONWhen performing a registration or authentication with webauthn, it's critical that sites confirm that the returned clientDataJSON contains the challenge originally provided. Otherwise old messages can be replayed. Likewise, sites must check the origin member to confirm that the action is not being proxied by another site.
In order to implement this, sites should parse the JSON as a CollectedClientData structure and confirm that the type, challenge, and origin members (at least) are as expected.
Sites should not implement this by comparing the unparsed value of clientDataJSON against a template with the challenge value filled in. This would fail when new members are added to CollectedClientData in the future as the template would no longer be correct.
In order to guide sites away from doing this, Chromium will sometimes, randomly insert an extra member into clientDataJSON which references this documentation.