fix(L4): use location.origin for postMessage, one-shot UUID listener

- Content script sends UUID via location.origin instead of "*"
- Inpage UUID listener removes itself after first message to prevent
  malicious pages from overriding the persisted UUID

src/content/index.js

@@ -26,7 +26,7 @@ if (typeof browser !== "undefined") {
             uuid = crypto.randomUUID();
             storage.set({ eip6963Uuid: uuid });
         }
-        window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, "*");
+        window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, location.origin);
     });
 })();