What protections does the xdm_e provide for remote procedure calls?

[Ransom Briggs]

Hello,

I only want to allow certain trusted domains to communicate with my provider, and it seemed easier to ban this on the server side.  So basically if the domain were not trusted, the backend would serve up up a provider page with error methods, otherwise I would serve up the protected methods.  What I was wondering is if the xdm_e parameter enforces a domain check before executing rpc methods, or would I still need to that in my Javascript methods using rpc.origin?  I assumed this was the purpose of xdm_e, but wanted to verify.

Thanks,

Ransom