Bug/Problem with CF stream

By allowing origin domains, one would expect that only the domain(s) entered in this field:

By coupling this with signed URL functionality (which hides your ID and shows a time-limited token), you would think that your videos are hardly downloaded or streamed elsewhere than your allowed origins!

Well… actually after the recent “iframe” change with CF this isn’t really like that anymore!!

We’ve seen that by entering this:
https://iframe.videodelivery.net/VIDEOTOKENGOESHERE

the video actually stream perfectly and can be downloaded!!!

The domain videodelivery.net is actually ANOTHER domain, not allowed in the “origin domains”.
So how is it possible that the video playing successfully?

This is clearly a way for anybody to bypass both CF signed URLs AND domain allowing protections!