setting (though this was only for trusted origins anyways)
- Security fix (minor): For embedded API example, copy params to iframe
source without XSS risk (though params should already be XML-safe
given `encodeURIComponent` and lack of a single quote attribute context)
- Linting (LGTM): Flag origin-checked item as safe
- Refactoring: Destructuring, ellipsis
- Docs (JSDoc): Missing return value
fbffc86503