Only receives window messages from the parent window (aka this.source)

[real2two]

Added a check to see if the event source (event.source) is the source/parent (this.source`) frame. This prevents DiscordSDK from picking from window messages from child iframes (iframes within the activity iframe).

If you were to run this code snippet within an iframe in a Discord activity's iframe, DiscordSDK would pick it up on the handleMessage function:

(window.parent.opener ?? window.parent).postMessage("custom value", "*");

The result of executing the following script above in a (sandboxed) iframe within the activity iframe:

This is something you wouldn't want to allow if you're displaying arbitrary iframes with user-generated content in your Discord activity, so I added a if (event.source !== this.source) return; under this code segement:

embedded-app-sdk/src/Discord.ts

Lines 275 to 276 in 2cb879a

	private handleMessage = (event: MessageEvent) => {
	if (!ALLOWED_ORIGINS.has(event.origin)) return;

I haven't fully tested this change and don't know if there's any unintended side-effects of it, but this change seems to be working for me currently.