...
Please note that this security mechanism does not prevent Widgets from being injected into unauthorized third-party websites, but it blocks any communication made via Ajax calls to the underlying REST API. Public data will still be accessible through explicit calls to the REST API.
Domain restriction configuration, accessible via Point of sale > Gravity screen