window.addEventListener("message", function(event) {
  const allowedSuffix = ".{{ primary_domain }}";
  const origin = event.origin;

  // 1. Only allow messages from *.{{ primary_domain }}
  if (!origin.endsWith(allowedSuffix)) return;

  const data = event.data;

  // 2. Only process valid iframeLocationChange messages
  if (data && data.type === "iframeLocationChange" && typeof data.href === "string") {
    try {
      const hrefUrl = new URL(data.href);

      // 3. Only allow redirects to *.{{ primary_domain }}
      if (!hrefUrl.hostname.endsWith(allowedSuffix)) return;

      // 4. Update the ?iframe= parameter in the browser URL
      const newUrl = new URL(window.location);
      newUrl.searchParams.set("iframe", hrefUrl.href);
      window.history.replaceState({}, "", newUrl);
    } catch (e) {
      // Invalid or malformed URL – ignore
    }
  }
});

{% if enable_debug | bool %}
console.log("[iframe-sync] Listener for iframe messages is active.");
{% endif %}