I'm concerned with validating messages received via the IFrameCommunicator method. What event.origin should we be looking for on messages from the Accept Hosted form?
The communicator events are kicked off by the parent Authorize.Net iFrame. The domain will match the domain that you posted the token to. In the case of sandbox, that will be https://test.authorize.net, for production it should be https://accept.authorize.net
