You should probably be checking "isTrusted" in postMessage listeners
window.postMessage and corresponding window.onmessage listeners enable secure communication between cross-origin windows, including IFRAMEs. The postMessage API is ubiquitous, used by popular JS widgets like media players (YouTube, Spotify)
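The check named in the title, written out as a listener guard; this is an added example, not code from the original post. It rests on the fact that a `MessageEvent` constructed by script and fired with `dispatchEvent()` reports `isTrusted === false` and carries whatever `origin` its creator set. `ALLOWED_ORIGINS`, `checkMessage`, `installListener` and the sample origins are assumptions made for illustration.

```javascript
// Added example (not from the original page). ALLOWED_ORIGINS, checkMessage and
// installListener are hypothetical names; the origins are constructed sample values.
const ALLOWED_ORIGINS = new Set(["https://widget.example"]);

// Returns { ok: true, data } for a message the page should act on,
// or { ok: false, reason } naming the check that failed.
function checkMessage(event, allowedOrigins = ALLOWED_ORIGINS, expectedSource = null) {
  // A MessageEvent built with `new MessageEvent(...)` and fired through
  // dispatchEvent() has isTrusted === false, and its `origin` is whatever the
  // constructing script chose. Only browser-delivered messages are trusted.
  if (event.isTrusted !== true) return { ok: false, reason: "untrusted-event" };
  // Exact match against an allowlist; no substring or prefix matching.
  if (!allowedOrigins.has(event.origin)) return { ok: false, reason: "bad-origin" };
  // Optionally pin the sender to one known window (e.g. iframe.contentWindow).
  if (expectedSource !== null && event.source !== expectedSource) {
    return { ok: false, reason: "bad-source" };
  }
  // Treat the payload as untrusted input: require the expected shape.
  const d = event.data;
  if (d === null || typeof d !== "object" || typeof d.type !== "string") {
    return { ok: false, reason: "bad-shape" };
  }
  return { ok: true, data: d };
}

// Browser wiring: drop anything that fails a check before it reaches app logic.
function installListener(target, onMessage, expectedSource = null) {
  const listener = (event) => {
    const result = checkMessage(event, ALLOWED_ORIGINS, expectedSource);
    if (result.ok) onMessage(result.data);
    return result;
  };
  target.addEventListener("message", listener);
  return listener;
}

// Constructed samples standing in for events (plain objects so this runs offline).
const SAMPLES = {
  real: { isTrusted: true, origin: "https://widget.example", data: { type: "play" } },
  synthetic: { isTrusted: false, origin: "https://widget.example", data: { type: "play" } },
  lookalike: { isTrusted: true, origin: "https://widget.example.other.test", data: { type: "play" } },
  malformed: { isTrusted: true, origin: "https://widget.example", data: "play" },
};
```

In a page, call `installListener(window, handler, iframe.contentWindow)` once the embedded frame exists; the `synthetic` sample shows why the origin comparison alone does not reject a script-dispatched event.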