https://warpcast.com/horsefacts.eth/0x3ad31216

This is only possible if you do not validate the incoming URL in the frame data packet. For example, Yoink no longer works in @paulcowgill’s example because I started checking.

By verifying this value you can block all cross-frame calls, allow specific origins, or allow any origin. Most frames should check the URL.