Consider following example where:
A - addon
B - evil.com
- C - good.com
- Instead of extending
window.postMessage
we could dispatch "add-on" event on the document that would provide an addonevent.source
that page could use to communicate. This way communication with add-on could not be initiated by client side, which has pros and cons. Problem is that page could miss event.