js · tinacms · Critical
TinaCMS: Unvalidated window message origin allows session takeover
What changed
TinaCMS registered window message listeners that acted on event.data without verifying event.origin or event.source, and posted messages with a wildcard (`"*"`) target origin rather than a specific one. Fixed by allow-listing trusted origins and verifying event.source before handling a message, and by posting only to explicit target origins.
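The pattern the fix describes, shown as an added example rather than TinaCMS's own code: a receive-side check that rejects any message whose `event.origin` is not on an explicit allow-list or whose `event.source` is not the frame we opened, placed beside the unchecked shape that the advisory says was vulnerable, and a send side that refuses to post without a specific target origin. The origin strings, the `acceptMessage`/`postToFrame` names and the `type` field on the payload are assumptions made for the example; the trusted origins would come from the application's configuration.

```javascript
// Added example, not TinaCMS code. Models the fix: verify event.origin against
// an allow-list and event.source against the frame we opened, before acting on
// event.data; and never post with a "*" target origin.

// Assumption: trusted origins are known at configuration time.
// Both values are constructed placeholders.
const TRUSTED_ORIGINS = new Set([
  "https://cms.example.com",     // admin/editor origin (placeholder)
  "https://preview.example.com", // preview frame origin (placeholder)
]);

// Hardened receiver. Returns the message payload only if the event is
// trusted, otherwise null. `expectedSource` is the window reference we
// hold for the frame we created (e.g. iframe.contentWindow); null means
// the frame is not ready yet, which also rejects.
function acceptMessage(event, expectedSource) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;        // origin check
  if (expectedSource === null || event.source !== expectedSource) {
    return null;                                               // source check
  }
  const data = event.data;
  // Minimal shape check so a forged or malformed payload cannot drive the editor.
  if (typeof data !== "object" || data === null || typeof data.type !== "string") {
    return null;
  }
  return data;
}

// The vulnerable shape for contrast: acts on event.data from any page.
function acceptMessageUnchecked(event) {
  return event.data;
}

// Hardened sender: always name the target origin; refuse the wildcard and
// any origin outside the allow-list so a message never reaches a page we
// did not intend.
function postToFrame(targetWindow, targetOrigin, payload) {
  if (targetOrigin === "*" || !TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to post to an unlisted or wildcard target origin");
  }
  targetWindow.postMessage(payload, targetOrigin);
  return targetOrigin;
}
```

In a browser this would be wired as `window.addEventListener("message", (e) => { const msg = acceptMessage(e, previewFrame.contentWindow); if (msg) handle(msg); })`; the point of returning null rather than throwing is that untrusted messages are simply dropped, which is the behaviour a defender wants from a listener that any page on the web can trigger.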
Who it affects
Users of TinaCMS who have editing sessions or use the admin interface, as a malicious page can forge messages to drive the editor, inject preview content, or take over an authenticated editing session.
What to do today
Upgrade to the fixed version that includes the changes from PR #7056.