False-positive - 'Origins should be verified during cross-origin communications'

Hi there,

I noticed that SonarCloud is reporting false-positives for the following code:

#1 Window: pageshow event

window.addEventListener('pageshow', function (e) {
    ...
});

#2 Window: popstate event

window.addEventListener('popstate', function (e) {
   ...
}

#3 HTMLMediaElement: playing and HTMLMediaElement: ended events

window.addEventListener('playing', onMediaFilePlay, true);
window.addEventListener('ended', onMediaFinished, true);

#4 Document: keydown event

targetWindow.addEventListener('keydown', onKeyDown, true);

The error message is “Verify the message’s origin in this cross-origin communication”

However, for these examples, event.origin is ‘undefined’ as none of them listen to messages that are dispatched from window.postMessage.

Thanks.

Hi,

We already have the ticket for that FP on S2819 should only raise on the message type of event · Issue #2666 · SonarSource/SonarJS · GitHub, thanks for reporting anyway!