False-positive - 'Origins should be verified during cross-origin communications'

Report a bug False-positive
,
#1

Hi there,

I noticed that SonarCloud is reporting false-positives for the following code:

#1 Window: pageshow event

window.addEventListener('pageshow', function (e) {
    ...
});

#2 Window: popstate event

window.addEventListener('popstate', function (e) {
   ...
}

#3 HTMLMediaElement: playing and HTMLMediaElement: ended events

window.addEventListener('playing', onMediaFilePlay, true);
window.addEventListener('ended', onMediaFinished, true);

#4 Document: keydown event

targetWindow.addEventListener('keydown', onKeyDown, true);

The error message is “Verify the message’s origin in this cross-origin communication”

However, for these examples, event.origin is ‘undefined’ as none of them listen to messages that are dispatched from window.postMessage.

Thanks.

1 Like
#3

Hi,

We already have the ticket for that FP on S2819 should only raise on the message type of event · Issue #2666 · SonarSource/SonarJS · GitHub, thanks for reporting anyway!

1 Like