feat: enforce allowed message origin in non-development environment#24

Merged
lihbr merged 1 commit intomasterfrom
lh/allowed-origins
Apr 9, 2026
Conversation

@lihbr
Member

@lihbr lihbr commented Apr 8, 2026

Resolves: #21

Description

This pull request builds on the idea of #21. When in a non-development environment, it enforces that messages received by the receiver (i.e. the Slice Simulator page on users' websites) come from a trusted origin: an HTTPS-enabled, Prismic-owned domain.

Checklist

  • If my changes require tests, I added them.
  • If my changes affect backward compatibility, it has been discussed.
  • If my changes require an update to the CONTRIBUTING.md guide, I updated it.

Preview

How to QA 1


Note

Medium Risk
Adds origin filtering to cross-window message handling; misconfiguration or missing allowlist entries could break iframe communication in production environments.

Overview
Adds an origin allowlist check to ChannelReceiver._onPublicMessage so that, outside development, incoming postMessage events are ignored unless they come from https:// and a set of trusted Prismic/Wroom-owned domains.

Updates ChannelReceiver tests to include origin in simulated events and adds coverage verifying that development accepts any origin while non-development rejects non-HTTPS and non-allowlisted domains.

Reviewed by Cursor Bugbot for commit 9c3678e. Bugbot is set up for automated code reviews on this repo.

Footnotes

  1. Please use these labels when submitting a review:
    ❓ #ask: Ask a question.
    💡 #idea: Suggest an idea.
    ⚠️ #issue: Strongly suggest a change.
    🎉 #nice: Share a compliment.

Co-authored-by: DriesOlbrechts <driesolbrechts@gmail.com>
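The check the description and the Bugbot overview outline (accept any origin in development; otherwise require an https:// origin on an allowlisted domain) is easy to get subtly wrong, so here is an added example of how such a receiver-side filter can be written. This is not code from this pull request or from the Slice Simulator project: the function names `isAllowedOrigin` and `onPublicMessage`, the `isDevelopment` option and the domains in `TRUSTED_DOMAINS` are all assumptions for illustration, since the page does not list the real allowlist. Two practitioner caveats are built in: the host is matched as the domain itself or a dot-separated subdomain (a plain `endsWith` would also accept `evilprismic.example`), and the opaque origin `"null"` that sandboxed iframes send is rejected rather than parsed.

```javascript
// Added example (not the project's code): an origin allowlist applied before a
// cross-window postMessage is dispatched to the receiver's handlers.
// TRUSTED_DOMAINS holds placeholder names; the real trusted Prismic/Wroom
// domains are not listed on this page.
const TRUSTED_DOMAINS = ["prismic.example", "wroom.example"]; // assumed names

/**
 * Decide whether a message coming from `origin` may be processed.
 * In development any origin is accepted. Otherwise the origin must parse as
 * an https:// URL whose hostname is a trusted domain or a subdomain of one.
 */
function isAllowedOrigin(
  origin,
  { isDevelopment = false, trustedDomains = TRUSTED_DOMAINS } = {}
) {
  if (isDevelopment) return true;

  // Opaque origins (sandboxed iframes, file://) arrive as the string "null".
  if (typeof origin !== "string" || origin === "null") return false;

  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a well-formed origin at all
  }
  if (url.protocol !== "https:") return false;

  const host = url.hostname.toLowerCase();
  // Exact match or a real subdomain (".prismic.example" suffix); this rejects
  // look-alikes such as "evilprismic.example" and "prismic.example.attacker.test".
  return trustedDomains.some((d) => host === d || host.endsWith("." + d));
}

/**
 * Receiver-side use: drop the event before any handler sees its payload.
 * Returns true when the message was dispatched, false when it was ignored.
 * `event` only needs the `origin` and `data` fields of a MessageEvent.
 */
function onPublicMessage(event, handler, options) {
  if (!isAllowedOrigin(event.origin, options)) return false;
  handler(event.data);
  return true;
}

// Constructed sample events (not captured traffic) showing both outcomes.
const accepted = onPublicMessage(
  { origin: "https://app.prismic.example", data: { type: "ping" } },
  () => {}
);
const dropped = onPublicMessage(
  { origin: "https://attacker.test", data: { type: "ping" } },
  () => {}
);
console.log({ accepted, dropped }); // accepted is true, dropped is false
```

Note that the check deliberately ignores the port: `https://app.prismic.example:8443` passes because only the scheme and hostname are compared. If the real receiver must pin a port as well, compare `url.port` too.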
@lihbr lihbr mentioned this pull request Apr 8, 2026
@lihbr lihbr merged commit 4625090 into master Apr 9, 2026
13 checks passed
@lihbr lihbr deleted the lh/allowed-origins branch April 9, 2026 02:17