
Lack of witness-sdk postMessage origin validation

The Reclaim web witness SDK does not validate the origin of incoming postMessage events. As a result, any page or frame able to post a message to the SDK can drive it in arbitrary ways, including triggering proof generation, which becomes a risk whenever the postMessage handler itself contains a bug.

In fact, this led to a vulnerability, discussed in Finding .
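The check that is missing above, shown as an added example that is not the Reclaim witness SDK's own code: a weak handler that trusts every sender next to a hardened one that compares `event.origin` exactly against an allowlist before touching the payload. The names `createUncheckedHandler`, `createWitnessHandler`, the `generate-proof` message type and the sample origins are assumptions for illustration.

```javascript
// Added example (not from the Reclaim witness SDK). Handler names, the
// "generate-proof" message type and the origins below are assumed.

// Weak form: no origin check, so any page or frame that can reach the
// listener can trigger proof generation.
function createUncheckedHandler(onProofRequest) {
  return function (event) {
    if (event.data && event.data.type === "generate-proof") {
      onProofRequest(event.data.params);
      return true;
    }
    return false;
  };
}

// Hardened form: exact-match origin allowlist evaluated before the payload is
// read; unknown origins are dropped and counted so they can be monitored.
function createWitnessHandler(allowedOrigins, onProofRequest) {
  const allowed = new Set(allowedOrigins);
  const stats = { accepted: 0, rejected: 0 };
  const handler = function (event) {
    // event.origin is set by the browser, not by the sender; an exact string
    // comparison avoids prefix and substring matching mistakes.
    if (typeof event.origin !== "string" || !allowed.has(event.origin)) {
      stats.rejected += 1;
      return false;
    }
    if (!event.data || event.data.type !== "generate-proof") return false;
    onProofRequest(event.data.params);
    stats.accepted += 1;
    return true;
  };
  handler.stats = stats;
  return handler;
}

// Constructed sample events standing in for browser MessageEvents.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.test", data: { type: "generate-proof", params: { id: 1 } } },
  { origin: "https://app.example.test.evil.test", data: { type: "generate-proof", params: { id: 2 } } },
  { origin: "null", data: { type: "generate-proof", params: { id: 3 } } },
];

// Runs the hardened handler over the samples: only the allowlisted origin
// reaches proof generation; the look-alike host and "null" origin are dropped.
function runSample() {
  const handled = [];
  const handler = createWitnessHandler(["https://app.example.test"], (p) => handled.push(p.id));
  SAMPLE_EVENTS.forEach((ev) => handler(ev));
  return { handled, rejected: handler.stats.rejected }; // { handled: [1], rejected: 2 }
}
```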

Zellic © 2025