diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst
index 21e2d03e..d95164c5 100644
--- a/specification/client_server_api.rst
+++ b/specification/client_server_api.rst
@@ -637,10 +637,11 @@ handle unknown login types:
 var popupWindow;
 var eventListener = function(ev) {
- if (ev.data !== "authDone" ) {
+ // check it's the right message from the right place.
+ if (ev.data !== "authDone" || ev.origin !== homeserverUrl) {
 return;
 }
-
+ // close the popup
 popupWindow.close();
 window.removeEventListener("message", eventListener);
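Review bot: The added comparison `ev.origin !== homeserverUrl` is only correct if `homeserverUrl` holds a bare origin, and nothing in this hunk defines that variable or states its form. `ev.origin` is serialized as scheme, host and optional port, with no path or trailing slash, so a base URL ending in `/` or carrying a path would never match and the listener would return on every message. I would compare against a normalized value, `ev.origin !== new URL(homeserverUrl).origin`, or add a comment such as `// homeserverUrl must be an origin, e.g. "https://example.org" (no path, no trailing slash)`. Also checking `ev.source !== popupWindow` would tie the message to the window this client opened. The `eventListener` body continues past the end of the hunk.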