The listener can register a number of callbacks and allow specific domains to call these callbacks.
This is done via evil cookie magic, but it seems to work. I'd be very interested in feedback. Do you have security concerns? is this a novel idea?