There doesn't appear to be a programmatic way to define a whitelist of origins that the iframe will accept requests from. This is something that's recommended by the postMessage (API documentation)[https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage]. It suggests that the receiver of function should "always verify the sender's identity".
By whitelisting, it prevents xdlocalstore from leaking potentially sensitive information
There doesn't appear to be a programmatic way to define a whitelist of origins that the iframe will accept requests from. This is something that's recommended by the
postMessage(API documentation)[https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage]. It suggests that the receiver of function should "always verify the sender's identity".By whitelisting, it prevents xdlocalstore from leaking potentially sensitive information