So, if you're a e-mail provider for multiple domains, to be able to run "persona" for your clients you now also have to run their website. That is stupid. I might be the MX for domain.com, but I might not run the website for domain.com. I might perhaps host it but that still doesn't mean I can put arbitrary content and scripts there. I probably don't even want to.
Why didn't they use something like https://persona.DOMAIN.COM/ , so that the email-provider running the MX for domain.com can also run the persona services for domain.com without doing anything with the website at domain.com ..