Add query parameter to restrict origin

README.md

@@ -4,16 +4,11 @@ UserContent
 A way to render user generated content with a different origin to the main application.
 This can be used to avoid XSS attacks.
 
-Version 1
----------
+This is used by Riot to display the download button for encrypted attachments
+in end-to-end encrypted chats. See
+https://github.com/vector-im/riot-web/blob/master/README.md#configjson for
+instructions on how to host your own version of this.
 
-```html
-<html>
-<head>
-<script>
-window.addEventListener("message", function(e){eval("("+e.data.code+")")(e)})
-</script>
-</head>
-<body></body>
-</html>
-```
+This is not an ideal solution for Riot: see
+https://github.com/vector-im/riot-web/issues/6173 for status on replacing
+this with something else.

v1.html

@@ -1,7 +1,28 @@
 <html>
 <head>
+<!--
+Hello! If you're reading this, perhaps you're wondering what this
+file is doing and why your Riot is using it.
+
+In short, this allows Riot to isolate potentially unsafe encrypted
+attachments into their own origin, away from your Riot. See
+https://github.com/matrix-org/usercontent/blob/master/README.md
+for more info, or https://github.com/vector-im/riot-web/blob/master/README.md#configjson
+if you'd like to host your own. See also https://github.com/vector-im/riot-web/issues/6173
+for progress on replacing this with something better.
+
+Stay curious!
+-->
 <script>
-window.addEventListener("message", function(e){eval("("+e.data.code+")")(e)})
+var params = window.location.search.substring(1).split('&');
+var lockOrigin;
+for (var i = 0; i < params.length; ++i) {
+    var parts = params[i].split('=');
+    if (parts[0] == 'origin') lockOrigin = decodeURIComponent(parts[1]);
+}
+window.onmessage=function(e){
+    if (lockOrigin && event.origin === lockOrigin) eval("("+e.data.code+")")(e);
+}
 </script>
 </head>
 <body></body>