Harden browser bridge messaging#22692

Open
KaannKara wants to merge 1 commit into status-im:develop from KaannKara:codex/harden-webview-bridge

@KaannKara

Summary

  • add a per-browser bridge token to provider-originated WebView messages and ignore messages without the current token
  • preserve the original bridge postMessage function inside the injected provider closure
  • serialize native bridge replies as a JavaScript string literal instead of concatenating raw JSON into a quoted callback
  • add focused coverage for token-gated bridge messages and safe callback script generation

Testing

  • git diff --check
  • node --check resources/js/provider.js
  • JAVA_HOME=/opt/homebrew/opt/openjdk@17/libexec/openjdk.jdk/Contents/Home SHADOW_NS_REGEXP='^legacy.status-im.browser.core-test$' SHADOW_OUTPUT_TO=target/browser_core_test/test.js TARGET=clojure corepack yarn shadow-cljs compile mocks && corepack yarn shadow-cljs compile test
  • node --require ./test-resources/override.js target/browser_core_test/test.js (blocked locally: missing lib/binding/status_nodejs_addon.node; requires status-go-library/native binding)
  • make test-unit (blocked locally: status-go-library Nix setup failed at sha256sum on macOS)
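
The two hardening steps named in the summary (token-gated bridge messages and serializing the native reply as a JavaScript string literal), as an added example that is not code from this pull request. The callback name `bridgeCallback`, the `token` message field, the function names and the sample values are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not the project's code.

// Pattern being replaced: raw JSON concatenated into a quoted callback argument.
function unsafeReplyScript(json) {
  return "bridgeCallback('" + json + "');";
}

// Hardened pattern: emit the JSON text as a JavaScript string literal.
// JSON.stringify escapes quotes, backslashes and control characters;
// U+2028/U+2029 are escaped as well for engines older than ES2019.
function safeReplyScript(json) {
  const literal = JSON.stringify(json)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "bridgeCallback(" + literal + ");";
}

// Evaluate a generated script against a stub callback; report what it received.
function runReplyScript(script) {
  let received;
  try {
    new Function("bridgeCallback", script)((arg) => { received = arg; });
  } catch (e) {
    return { ok: false, error: e.name };
  }
  return { ok: true, received };
}

// Token gate: accept only messages that carry the current per-browser token.
function makeGate(currentToken) {
  return (raw) => {
    let msg;
    try { msg = JSON.parse(raw); } catch (_) { return null; }
    if (msg === null || typeof msg !== "object") return null;
    if (typeof msg.token !== "string" || msg.token !== currentToken) return null;
    return msg;
  };
}

// Constructed sample data: a reply whose text contains a quote and a backslash.
const reply = JSON.stringify({ id: 1, result: "O'Brien \\ ok" });
const gate = makeGate("token-A");
console.log(runReplyScript(unsafeReplyScript(reply))); // script fails to parse
console.log(runReplyScript(safeReplyScript(reply)).received === reply);
console.log(gate('{"token":"token-B","type":"rpc"}')); // stale token, ignored
```
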
