Only the domains explicitly in the whitelist would be able to set the domain parameter. And if a.com sends ?domain=b.com, the back-end will set X-FRAME-OPTIONS: ALLOW-FROM b.com which will block a.com from loading in the frame. So not sure how this approach could be spoofed.

works for PayPal as a lead engineer in Checkout. Opinions expressed herein belong to him and not his employer. daniel@bluesuncorp.co.uk
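The allowlist-driven scheme described in the comment, as an added example (not the commenter's or PayPal's code): the `?domain=` value is normalised to an origin, exact-matched against a constructed allowlist, and only then echoed into `X-Frame-Options: ALLOW-FROM`. Because `ALLOW-FROM` is not honoured by current browsers, the same decision is also emitted as a CSP `frame-ancestors` directive, which is what they enforce.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to frame this page (example values).
FRAME_ALLOWLIST = {"https://a.com", "https://b.com"}


def normalize_origin(value):
    """Reduce a raw ?domain= value to scheme://host[:port]; None if unusable."""
    if not value:
        return None
    if "://" not in value:
        value = "https://" + value          # bare host names are assumed HTTPS
    try:
        parts = urlsplit(value)
        host, port = parts.hostname, parts.port   # .port raises on junk like ":alert(1)"
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    origin = f"{parts.scheme}://{host.lower()}"
    return f"{origin}:{port}" if port else origin


def frame_headers(domain_param):
    """Headers for the framing policy of one response.

    Only an exact allowlist match may frame the page. A prefix or substring
    test would accept hosts such as 'a.com.attacker.example', and using the
    hostname from urlsplit discards userinfo tricks like 'a.com@evil.example'.
    Anything else, including a missing parameter, gets DENY.
    """
    origin = normalize_origin(domain_param)
    if origin not in FRAME_ALLOWLIST:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    return {"X-Frame-Options": f"ALLOW-FROM {origin}",
            "Content-Security-Policy": f"frame-ancestors {origin}"}
```

As in the comment's scenario, a request from a.com that passes `?domain=b.com` gets `ALLOW-FROM https://b.com`, so the browser refuses to render it inside a.com's frame.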
