fix: Update login URL construction in layoutauth.html and restrict postMessage targetOrigin in layout-designer-page.twig

ots-signs/views/layout-designer-page.twig

@@ -576,8 +576,9 @@
             ? document.getElementById('layout-editor').getAttribute('data-layout-id')
             : null;
 
-        // TODO: For production, restrict targetOrigin to your app's domain
-        var targetOrigin = '*';
+        // Restrict postMessage to the known React app origin.
+        // window.location.origin is the CMS origin; the parent app is on the same host.
+        var targetOrigin = window.location.origin;
 
         /**
          * Send a message to the parent window.