example.com's change password functionality should be behind an authenticated page that requires a) the user be already logged in, and 2) the user's current password (for confirmation).
Whereas example.com's forgot/reset password functionality is usually a wide-open page anyone can reach to begin the process of password reset (more inline with what this spec seems to be describing).
> Currently, if the user of a password manager would like to change their password on example.com, basically all the password manager can do is load example.com in a browser tab and hope the user can figure out how to update their password themselves.
> The goal of this spec is to do the simplest possible thing to improve this situation.
It's an attempt to standardize the endpoint for changing a password. Which is kinda random for each website currently.
I did. My confusion arose from it. Something is clear to you that is not to me :)