Open
Description
Describe the bug
The window handler receives messages from any domain and resolves them as the RPC response.
Expected behavior
To check the message origin and act accordingly
https://github.com/open-rpc/client-js/blob/master/src/transports/PostMessageWindowTransport.ts#L49
Should check for message origin.
Security link: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#security_concerns
if (event.origin !== "http://example.com") return;
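The check requested above, as an added example that is not part of the original issue and is not code from open-rpc/client-js: a `message` listener that derives the allowed origin from the URI the transport targets, and additionally checks `event.source` and the JSON-RPC shape before handing the data on. `makeCheckedListener`, `targetUri`, `targetWindow`, `onResponse` and the sample hosts are hypothetical names constructed for the illustration.

```javascript
// Added example: hypothetical helper, not code from open-rpc/client-js.
// Builds a "message" listener that forwards an event only when it comes from
// the expected origin AND the expected window AND looks like JSON-RPC 2.0.
function makeCheckedListener(targetUri, targetWindow, onResponse) {
  // Derive the allowed origin (scheme + host + port) from the target URI.
  const allowedOrigin = new URL(targetUri).origin;
  return function listener(event) {
    // 1. Origin: exact comparison, never startsWith()/includes().
    if (event.origin !== allowedOrigin) return false;
    // 2. Source: another window on the same origin is still not our peer.
    if (event.source !== targetWindow) return false;
    // 3. Shape: a JSON-RPC 2.0 object or a non-empty batch of them.
    const items = Array.isArray(event.data) ? event.data : [event.data];
    const wellFormed = items.length > 0 && items.every(
      (m) => m !== null && typeof m === "object" && m.jsonrpc === "2.0");
    if (!wellFormed) return false;
    onResponse(event.data);
    return true;
  };
}
// In a page: window.addEventListener("message", listener);

// Constructed sample events, so the checks can be exercised without a browser.
function demo() {
  const peer = { name: "rpc-frame" };     // stands in for the frame's contentWindow
  const other = { name: "other-window" }; // any other window
  const received = [];
  const listener = makeCheckedListener(
    "https://rpc.example.com/app", peer, (data) => received.push(data));
  const reply = { jsonrpc: "2.0", id: 1, result: "pong" };
  const results = [
    listener({ origin: "https://rpc.example.com", source: peer, data: reply }),
    listener({ origin: "https://other.example", source: other, data: reply }),
    listener({ origin: "https://rpc.example.com.other.example", source: peer, data: reply }),
    listener({ origin: "https://rpc.example.com", source: other, data: reply }),
    listener({ origin: "https://rpc.example.com", source: peer, data: "not-rpc" }),
  ];
  return { results, received };
}
```

Only the first constructed event reaches `onResponse`; the look-alike origin, the wrong source window and the non-RPC payload are all dropped.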