G-04 — Broken postMessage origin allowlist (community.oppo.com / communityin.oppo.com)

Attacker origin: https://oppo.com.r0hn.de. The page /abroadList on community(in).oppo.com checks:
!(origin.indexOf("wanyol.com")<0 && origin.indexOf("oppo.com")<0)
Substring match → "https://oppo.com.r0hn.de" contains "oppo.com" → check passes.

Attacker auth token (paste real token cookie value from your authed community session):
Target: