Silent refresh event listener does not check messages for origin

[R3ZL]

Describe the bug
Event listener process login operation without checking the origin of message. It is potential vulnerability issue.

Code location: oauth-service.ts —> setupSilentRefreshEventListener

Expected behavior
setupSilentRefreshEventListener should check the message origin and do try login only if message origin is expected origin.

Explanation
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#security_concerns

[manfredsteyer]

There is now a new config property checkOrigin. If you set it to true, the origin will be checked too. The default value is false, but one of the next versions of this lib will default to true for the sake of security.