Messages sent through the window object can be intercepted by every source, and every source can emit messages.
Fixes:
- No more HTML injection: The talk bubble no longer allows injecting HTML code.
- Check origin: The synchronization script checks message origin and rejects messages coming from other websites.
- Restrict message scope: The messages accepted by the synchronization script have been restricted to actions like “Change hat”; they can no longer change arbitrary settings.
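As an added example (not code from the linked article or from the game itself), a window message handler that applies the fixes listed above: the origin check, an allow-list of message types, and text-only rendering for the talk bubble. The trusted origin, the `changeHat` message name and its `hatId` field are assumptions.

```javascript
// Added example, not the game's own code. TRUSTED_ORIGIN and the message
// shape are assumptions for illustration.
const TRUSTED_ORIGIN = "https://game.example"; // assumed origin of the game page

// Allow-list of message types the synchronization script will act on, each
// with a payload validator. A Map avoids matching Object.prototype names.
const ALLOWED_MESSAGES = new Map([
  ["changeHat", (p) => typeof p.hatId === "string" && /^[a-z0-9_-]{1,32}$/.test(p.hatId)],
]);

// Before the fix: any origin may send a message, and whatever it carries is
// copied straight into the player's settings.
function vulnerableHandler(event, settings) {
  Object.assign(settings, event.data && event.data.settings);
  return settings;
}

// After the fix: reject foreign origins, then apply only allow-listed
// message types, touching only the state that type is allowed to change.
function hardenedHandler(event, settings) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { ok: false, reason: "untrusted origin" };
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  const validate = ALLOWED_MESSAGES.get(msg.type);
  const payload = msg.payload && typeof msg.payload === "object" ? msg.payload : {};
  if (!validate || !validate(payload)) {
    return { ok: false, reason: "message type not allowed" };
  }
  settings.hat = payload.hatId; // the only field "changeHat" may modify
  return { ok: true, settings };
}

// Talk bubble fix: chat text is rendered as text, never as markup.
function renderTalkBubble(text) {
  return String(text)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}
```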