To improve security on the embedded marketplace apps it would be good to have us at least add a custom property to the REQUEST_USER_DATA postMessage that you will echo back to us. That way we can verify that property and process the message accordingly.

It is already unsecure to embed pages outside of a sandbox and seemingly no true security policies but this will give us some extra control.