diff --git a/src/components/views/messages/MFileBody.js b/src/components/views/messages/MFileBody.js
index 90efe24df3..fbce53e07a 100644
--- a/src/components/views/messages/MFileBody.js
+++ b/src/components/views/messages/MFileBody.js
@@ -1,5 +1,6 @@
/*
Copyright 2015, 2016 OpenMarket Ltd
+Copyright 2018 New Vector Ltd
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -99,16 +100,27 @@ Tinter.registerTintable(updateTintedDownloadImage);
// overridable so that people running their own version of the client can
// choose a different renderer.
//
-// To that end the first version of the blob generation will be the following
+// To that end the current version of the blob generation is the following
// html:
//
//
//
// This waits to receive a message event sent using the window.postMessage API.
// When it receives the event it evals a javascript function in data.code and
-// runs the function passing the event as an argument.
+// runs the function passing the event as an argument. This version adds
+// support for a query parameter controlling the origin from which messages
+// will be processed as an extra layer of security (note that the default URL
+// is still 'v1' since it is backwards compatible).
//
// In particular it means that the rendering function can be written as a
// ordinary javascript function which then is turned into a string using
@@ -325,6 +337,7 @@ module.exports = React.createClass({
if (this.context.appConfig && this.context.appConfig.cross_origin_renderer_url) {
renderer_url = this.context.appConfig.cross_origin_renderer_url;
}
+ renderer_url += "?origin=" + encodeURIComponent(document.origin);
return (