fix: cross-origin

src/utils/const.ts

@@ -2,13 +2,9 @@ export const IS_DEV = process.env.NODE_ENV === 'development';
 
 export const PARAM_MODE = (new URL(window.location.href).searchParams.get('mode') || '') as 'window' | 'iframe' | '';
 
-const trustOriginStr = __TRUST_ORIGIN__;
+export const trustOrigins = __TRUST_ORIGIN__
+  .split(',')
+  .map(s => s.trim())
+  .filter(Boolean);
 
-export const TRUST_ALL_ORIGIN = trustOriginStr.trim() === '*';
-
-export const trustOrigins = new Set(
-  trustOriginStr
-    .split(',')
-    .map(s => s.trim())
-    .filter(Boolean),
-);
+export const TRUST_ALL_ORIGIN = trustOrigins.includes('*');

src/utils/postMessage.ts

@@ -14,11 +14,7 @@ export const postQrMessage = (data: Omit<QrMessage, 'mode'>) => {
     console.error('No target window');
     return;
   }
-  const origin = targetWindow.location.origin;
-  if (!TRUST_ALL_ORIGIN && !trustOrigins.has(origin)) {
-    console.warn('Untrusted origin:', origin);
-    return;
-  }
   const message: QrMessage = { ...data, mode: PARAM_MODE };
-  targetWindow.postMessage(message, origin);
+  if (TRUST_ALL_ORIGIN) targetWindow.postMessage(message, '*');
+  else trustOrigins.forEach(origin => targetWindow.postMessage(message, origin));
 };