feat: support allowedOrigin option#21

Closed
DriesOlbrechts wants to merge 6 commits into prismicio:master from DriesOlbrechts:master

Conversation

@DriesOlbrechts (Contributor) commented Apr 3, 2026

Description

Currently the slice simulator accepts postMessage requests from any origin. This is not a direct issue, but when slices are made that do not sanitize, for example, HTML input, this can be abused to access the website's domain.

While this issue isn't on Prismic's side, adding this option, and strongly advocating for its use in the documentation, can prevent these attacks from being possible even when there are unsafe components.

This should still be implemented in the SliceSimulator component as well so developers can set the correct origin for their prismic dashboard.

I hope the issue is clear, let me know if not!

Checklist

  • If my changes require tests, I added them.
  • If my changes affect backward compatibility, it has been discussed.
  • If my changes require an update to the CONTRIBUTING.md guide, I updated it.

Note

Medium Risk
Touches cross-window messaging behavior by adding optional origin filtering and targetOrigin restriction; misconfiguration could break iframe communication, but default keeps existing behavior.

Overview
Adds an optional allowedOrigin (default null) to ChannelReceiver/SimulatorAPI to restrict postMessage communication to a single trusted origin.

When set, inbound message events from other origins are ignored, ready() posts to the configured targetOrigin instead of *, and Connect requests can no longer override allowedOrigin. SimulatorManager now accepts/passes through allowedOrigin, with new tests covering defaults and origin enforcement.

Reviewed by Cursor Bugbot for commit 509585b.

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

@lihbr (Member) commented Apr 8, 2026

Hi @DriesOlbrechts, thank you so much for opening this PR!

I'm trying to carve time to move forward with it, as I think there could be a way to allow messages from Prismic domains by default, which would make it secure by default for everyone :)

If this is of any pressing matter to you let me know!

@DriesOlbrechts (Contributor, Author) commented

Hi @lihbr,

That would be even better! Thanks for looking at this!

@lihbr (Member) commented Apr 8, 2026

OK, I tried a few things and came up with #24

The approach is similar to yours, but transparent for users:

  • When in development, all origins are allowed (allowing both Slice Machine and Prismic editor to connect)
  • When in non-development, only Prismic domains are allowed

I didn't add the origin enforcement on messages sent by the receiver (i.e. Slice Simulator page):

  • I don't think data could be extracted that way
  • A malicious actor wouldn't be able to connect because of the _onPublicMessage gate anyway
  • Everything happens through the shared port after

Let me know if that compromise is acceptable to you~

I also credited you as a co-author on my commit, so your contribution is not lost!
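The two origin-gating designs discussed in this thread (the PR's explicit `allowedOrigin` option with a non-`*` `targetOrigin` and no override via Connect, and the #24 approach of allowing any origin in development but only a fixed trusted list otherwise) can be seen side by side in the following added example. It is not code from the slice-simulator project; `createReceiver`, `fakeWindow`, `TRUSTED_ORIGINS` and the message shapes are assumptions, and the trusted-origin list is a constructed placeholder, not Prismic's real domains. When no explicit `allowedOrigin` is configured, the example falls back to the #24 rule rather than the PR's accept-all default.

```javascript
// Added example, not the project's code. Models a window.postMessage receiver
// that gates inbound messages by origin and never replies to "*".
// TRUSTED_ORIGINS is a constructed placeholder (assumption), not Prismic's list.
const TRUSTED_ORIGINS = ["https://trusted.example"];

function createReceiver({
  allowedOrigin = null,      // this PR: explicit single trusted origin
  isDevelopment = false,     // #24: mode decides when no explicit origin is set
  trustedOrigins = TRUSTED_ORIGINS,
  replyTo,                   // assumed hook: window.parent in a real iframe
} = {}) {
  const state = { allowedOrigin, handled: [], ignored: [] };

  // Decide whether an inbound MessageEvent may be processed at all.
  function isAllowed(origin) {
    if (typeof origin !== "string" || origin === "") return false; // opaque origins never pass
    if (state.allowedOrigin !== null) return origin === state.allowedOrigin; // explicit option wins
    if (isDevelopment) return true;              // #24: development accepts any origin
    return trustedOrigins.includes(origin);      // #24: otherwise only the fixed list
  }

  // targetOrigin for replies: the configured origin, else the verified sender.
  // Posting to "*" would let any embedder read the reply.
  function targetOriginFor(origin) {
    return state.allowedOrigin !== null ? state.allowedOrigin : origin;
  }

  function onMessage(event) {
    if (!isAllowed(event.origin)) {
      state.ignored.push(event.origin); // dropped before any handler runs
      return;
    }
    const msg = event.data || {};
    if (msg.type === "connect" && typeof msg.allowedOrigin === "string") {
      // A Connect payload may propose an origin only when none was configured,
      // so a peer cannot widen a restriction set by the page author.
      if (state.allowedOrigin === null) state.allowedOrigin = msg.allowedOrigin;
    }
    state.handled.push(msg);
    if (replyTo) replyTo.postMessage({ type: "ready" }, targetOriginFor(event.origin));
  }

  return { onMessage, state, isAllowed, targetOriginFor };
}

// Constructed stand-in for a parent window that records what it receives.
function fakeWindow() {
  const sent = [];
  return { sent, postMessage: (data, targetOrigin) => sent.push({ data, targetOrigin }) };
}

// Constructed message sequence exercising the explicit-origin configuration.
function demo() {
  const parent = fakeWindow();
  const receiver = createReceiver({ allowedOrigin: "https://editor.example", replyTo: parent });
  // 1. legitimate connect from the configured origin
  receiver.onMessage({ origin: "https://editor.example", data: { type: "connect" } });
  // 2. the same peer tries to widen the restriction through the connect payload
  receiver.onMessage({
    origin: "https://editor.example",
    data: { type: "connect", allowedOrigin: "https://untrusted.example" },
  });
  // 3. a message from another origin is ignored entirely
  receiver.onMessage({ origin: "https://untrusted.example", data: { type: "setSliceZone", slices: [] } });
  return { receiver, parent };
}
```

Running `demo()` leaves `allowedOrigin` at `https://editor.example`, handles the two editor messages, records one ignored origin, and both `ready` replies carry the configured origin as `targetOrigin` rather than `*`.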

@DriesOlbrechts (Contributor, Author) commented

That all makes sense to me. It still removes the potential vulnerability!

Thank you!

@lihbr lihbr closed this in #24 Apr 9, 2026
@lihbr (Member) commented Apr 9, 2026

Awesome, released #24 as 0.2.2, you should be able to get it with npm update
