diff --git a/app/assets/javascripts/web-dev-listener.js b/app/assets/javascripts/web-dev-listener.js
index 6303b18f9..8e48688b7 100644
--- a/app/assets/javascripts/web-dev-listener.js
+++ b/app/assets/javascripts/web-dev-listener.js
@@ -7,15 +7,20 @@ var virtualDOM;
 var goalStates;
 
 var allowedOrigins = [
-    'https://codecombat.com',
-    'http://localhost:3000',
-    'http://direct.codecombat.com',
-    'http://staging.codecombat.com'
+    /https:\/\/codecombat\.com/,
+    /http:\/\/localhost:3000/,
+    /http:\/\/direct\.codecombat\.com/,
+    /http:\/\/staging\.codecombat\.com/,
+    /http:\/\/codecombat-staging-codecombat\.runnableapp\.com/,
 ];
 
 function receiveMessage(event) {
     var origin = event.origin || event.originalEvent.origin; // For Chrome, the origin property is in the event.originalEvent object.
-    if (allowedOrigins.indexOf(origin) == -1) {
+    var allowed = false;
+    allowedOrigins.forEach(function(pattern) {
+	allowed = allowed || pattern.test(origin);
+    });
+    if (!allowed) {
         console.log('Ignoring message from bad origin:', origin);
         return;
     }
diff --git a/app/views/play/level/WebSurfaceView.coffee b/app/views/play/level/WebSurfaceView.coffee
index 07b7d6a94..e43399d95 100644
--- a/app/views/play/level/WebSurfaceView.coffee
+++ b/app/views/play/level/WebSurfaceView.coffee
@@ -50,7 +50,7 @@ module.exports = class WebSurfaceView extends CocoView
 
   onIframeMessage: (e) =>
     origin = e.origin or e.originalEvent.origin
-    unless origin in ['https://codecombat.com', 'http://localhost:3000']
+    unless origin is window.location.origin
       return console.log 'Ignoring message from bad origin:', origin
     unless event.source is @iframe.contentWindow
       return console.log 'Ignoring message from somewhere other than our iframe:', event.source