Check window event origins

Fixes codescanning warnings:

- https://github.com/github/vscode-codeql/security/code-scanning/1
- https://github.com/github/vscode-codeql/security/code-scanning/2

Author: aeisenberg

extensions/ql-vscode/src/compare/view/Compare.tsx

@@ -31,10 +31,14 @@ export function Compare(_: {}): JSX.Element {
 
   useEffect(() => {
     window.addEventListener('message', (evt: MessageEvent) => {
-      const msg: ToCompareViewMessage = evt.data;
-      switch (msg.t) {
-        case 'setComparisons':
-          setComparison(msg);
+      if (evt.origin === window.origin) {
+        const msg: ToCompareViewMessage = evt.data;
+        switch (msg.t) {
+          case 'setComparisons':
+            setComparison(msg);
+        }
+      } else {
+        console.error(`Invalid event origin ${evt.origin}`);
       }
     });
   });
@@ -60,8 +64,8 @@ export function Compare(_: {}): JSX.Element {
         {hasRows ? (
           <CompareTable comparison={comparison}></CompareTable>
         ) : (
-          <div className="vscode-codeql__compare-message">{message}</div>
-        )}
+            <div className="vscode-codeql__compare-message">{message}</div>
+          )}
       </>
     );
   } catch (err) {

extensions/ql-vscode/src/view/results.tsx

@@ -275,7 +275,10 @@ class App extends React.Component<{}, ResultsViewState> {
 
   componentDidMount(): void {
     this.vscodeMessageHandler = (evt) =>
-      this.handleMessage(evt.data as IntoResultsViewMsg);
+      evt.origin === window.origin
+        ? this.handleMessage(evt.data as IntoResultsViewMsg)
+        : console.error(`Invalid event origin ${evt.origin}`);
+
     window.addEventListener('message', this.vscodeMessageHandler);
   }