Implemented admin auth origin check

[SimonBackx]

refs https://github.com/TryGhost/Team/issues/1694

• Added replacements option to @tryghost/minifier + updated documentation and name of 'options' param which was a bit confusing.
• At compile time, we'll replace '{{SITE_ORIGIN}}' with the actual and JS encoded origin string.
• Block requests to the auth frame with the wrong origin, but log a warning for now to make debugging easier.

Question:

• Are we 100% sure that the Ghost site is always hosted on the url which is configured in the site config? Because locally, it also doesn't redirect to the configured site. Technically, it is possible to host it on a different domain, no?

[codecov]

Codecov Report

Merging #15135 (91fd711) into main (59c750a) will increase coverage by 0.00%.
The diff coverage is 72.72%.

❗ Current head 91fd711 differs from pull request most recent head 9378f88. Consider uploading reports for the commit 9378f88 to get more accurate results

@@           Coverage Diff           @@
##             main   #15135   +/-   ##
=======================================
  Coverage   58.09%   58.10%           
=======================================
  Files         734      734           
  Lines       61658    61694   +36     
  Branches     5360     5362    +2     
=======================================
+ Hits        35820    35846   +26     
- Misses      25787    25798   +11     
+ Partials       51       50    -1     

Impacted Files	Coverage Δ
...ore/frontend/services/admin-auth-assets/service.js	50.45% <36.84%> (-2.23%)	⬇️
ghost/minifier/lib/minifier.js	100.00% <100.00%> (ø)
...core/core/frontend/services/rendering/templates.js	60.69% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[allouis]

We also need to pass the origin to the postMessage call as the second argument, rather than '*'