From 6c88d698ae7d095617437e22e801b7ece7837d6d Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Fri, 7 Oct 2016 16:26:28 +0100
Subject: [PATCH] uia fallback example: check event origin
---
 specification/client_server_api.rst | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst
index 21e2d03e..d95164c5 100644
--- a/specification/client_server_api.rst
+++ b/specification/client_server_api.rst
@@ -637,10 +637,11 @@ handle unknown login types:
 var popupWindow;
 var eventListener = function(ev) {
- if (ev.data !== "authDone" ) {
+ // check it's the right message from the right place.
+ if (ev.data !== "authDone" || ev.origin !== homeserverUrl) {
 return;
 }
-
+
 // close the popup
 popupWindow.close();
 window.removeEventListener("message", eventListener);
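Review bot: The new guard `ev.origin !== homeserverUrl` is an exact string comparison, and `ev.origin` is always a bare origin (scheme, host and optional port, with no path or trailing slash), so it only passes when `homeserverUrl` is written in exactly that form; a value such as `https://example.org/` (constructed sample) would make the listener drop every message. That fails closed, but implementers copying the example may be tempted to loosen the check to a prefix or substring match, which would reintroduce the spoofing risk this commit closes. I would state the requirement in the comment, e.g. `// ev.origin has no path or trailing slash; compare against the homeserver's origin exactly`, or compare against `new URL(homeserverUrl).origin`. Checking `ev.source !== popupWindow` in the same condition would additionally tie the message to the window the client opened. The body of `eventListener` continues past the end of the hunk.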