be65c659b2
The i-tag UUID used for webxdc coordination is attacker-controlled. Using it directly as the iframe.diy subdomain lets a malicious event author pick a subdomain that collides with another app's origin, gaining access to its localStorage/IndexedDB. Introduce a persistent random seed in localStorage (ditto:seed) and derive the subdomain as base36(HMAC-SHA256(seed, prefix|identifier)). The prefix (e.g. "webxdc") domain-separates different use-cases. The subdomain is stable per device+app but unpredictable to event authors.