Origins (scheme + host + optional port, no path) allowed to embed this business's Sessions widgets and complete the business-pinned sign-in flow. Enforced as Content-Security-Policy: frame-ancestors on the embed auth route. Returned only to authenticated staff of the business; non-staff callers see an empty list.