Slack: Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain

@fransrosen discovered a vulnerability which would allow an attacker running a malicious site to steal XOXS tokens. We resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited. Thanks @fransrosen for an interesti...