Unsecure Web Messaging using @auth0/react-spa

Between the iframe and the React web application, they use web messaging to give the authenticated session data. The origin of this data is not checked; this code is all inside the @auth0/react-spa. What can be done to mitigate this security risk? Any information would be super helpful.
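The origin check the post describes as missing, sketched for a `message` listener that the application itself controls. This is an added example, not part of the original post and not code from @auth0/react-spa; the function names `makeMessageValidator` and `attach`, the message type `session_response` and any origin passed in are assumptions for illustration.

```javascript
// Added example: validate a postMessage event before trusting its payload.
// Names and the "session_response" type are hypothetical, not library identifiers.

function makeMessageValidator(trustedOrigin, expectedSource, expectedType) {
  // Normalise once so "https://host:443" and "https://host" compare equal.
  const origin = new URL(trustedOrigin).origin;
  return function validate(event) {
    // 1. Exact origin match; substring, prefix or regex matching on origins
    //    accepts look-alike hosts such as "https://host.other.example".
    if (event.origin !== origin) return { ok: false, reason: "origin" };
    // 2. The message must come from the iframe window the app created,
    //    not from another frame or popup that happens to share the origin.
    if (event.source !== expectedSource) return { ok: false, reason: "source" };
    // 3. Treat the payload as untrusted input: check its shape before use.
    const d = event.data;
    if (d === null || typeof d !== "object" || d.type !== expectedType) {
      return { ok: false, reason: "shape" };
    }
    return { ok: true, data: d };
  };
}

// Wire the validator to a window-like object; returns a function that
// removes the listener so it does not outlive the iframe exchange.
function attach(win, validate, onValid) {
  const handler = (event) => {
    const result = validate(event);
    if (result.ok) onValid(result.data); // everything else is dropped
  };
  win.addEventListener("message", handler);
  return () => win.removeEventListener("message", handler);
}

// In a browser (iframe is the element the app created; origin is a placeholder):
//   const validate = makeMessageValidator("https://tenant.example.com",
//                                         iframe.contentWindow, "session_response");
//   const detach = attach(window, validate, (data) => { /* use data */ });
```

On the sending side, the matching control is to pass the exact target origin to `postMessage` rather than `"*"`.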