Any reason not to do form validation within the iframe- either with some very trustworthy js, or even with a form submit and server side validation- and then postMessage to the parent a generic success/failure message so that the SPA app can continue accordingly? I think that would get you the same functionality without ever sending sensitive data to the parent.