Modernizing the sandbox sample: Handlebars update and messaging hardening

[RinZ27]

Refining the sandbox sample to reflect modern standards would be beneficial for developers learning from this repo. Noticed that the api-samples/sandbox directory still relies on Handlebars 1.0.0-beta.6, which dates back to 2012. Using such an ancient version in a current sample might lead developers to inadvertently include insecure or unmaintained dependencies in their own extensions.

Tightening the communication logic by replacing postMessage("*") with an explicit origin check would also set a better security precedent. Even though the sandbox environment provides isolation, showcasing a restricted origin check helps prevent developers from copy-pasting wildcard patterns into non-sandboxed contexts.

Would you be open to a PR that updates the library to a stable version and implements more restrictive messaging? Just wanted to check if this is something you'd like to see updated to keep the samples aligned with current best practices.

クローズするから

[oliverdunk]

Thanks for opening an issue to discuss this! Updating Handlebars sounds great in general - feel free to investigate that although please loop back before opening a PR if you find it will lead to any unexpected complexity. Tightening the communication logic also sounds good, although from memory I think this might be required to communicate with an extension origin, since we don't support targeting those specifically. If so, I think we can leave it.

[RinZ27]

@oliverdunk You're spot on! I've verified that chrome-extension:// isn't supported as a targetOrigin in postMessage, so using * is indeed necessary for this communication flow. I'll leave that part as is, but I'll add a small comment in the code to explain why—I think that'll be a nice bit of "hidden" documentation for anyone using the sample.

I'm moving forward with the Handlebars update now and will loop back if I hit any unexpected complexity. Thanks again!