Support origin lock in cross-origin renderer
This adds a URL parameter to the cross-origin renderer that makes
it only accept messages from a given domain. This adds an extra
layer of security to the cross-origin iframe and is backwards
compatible in both directions.
