Using SonarCloud.
An alert is raised for S2819 - Verify the origin of the received message - critical vulnerability, even if event.isTrusted is used. event.isTrusted is true only for events generated by the browser code, not generated by users, so it can’t come from an untrusted origin.
window.addEventListener("message", (event) => {
  // FP reported here
  if (event.isTrusted && event.data) {
    // handle event.data
  }
});
Hi Daniel,
Checking the event.isTrusted field is not sufficient.
When a malicious site opens a target site looking to exploit some vulnerability, for example a torrent download page opening an eBanking URL:
var myTarget = window.open('https://big-bank.com/transactions/pay','myWindow');
The malicious page can send messages to it using:
myTarget.postMessage(message, 'https://big-bank.com/transactions/pay');
Messages sent this way will have the event.isTrusted property set to true.
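For reference, here is a message handler that does what S2819 asks for: it checks event.origin, which identifies the sender, instead of event.isTrusted, which is true for every browser-dispatched message event including the ones the hostile opener above posts. This is an added example, not code from either post or from SonarSource. It assumes https://big-bank.com (taken from the reply) as the only trusted origin, and the sample events are constructed objects shaped like a browser MessageEvent, so the handler logic also runs outside a browser.

```javascript
// Added example: verifying the origin of a received postMessage (rule S2819).
// Not from the original thread; the trusted origin and the sample events are
// assumptions/constructed data.

// Exact origins only: "scheme://host[:port]", no path, no trailing slash.
const ALLOWED_ORIGINS = new Set(["https://big-bank.com"]);

function isFromAllowedOrigin(event, allowed = ALLOWED_ORIGINS) {
  // event.origin is a serialised origin, never a full URL, so compare the whole
  // string. A substring test such as origin.includes("big-bank.com") would accept
  // https://big-bank.com.attacker.example; exact set membership does not.
  // Opaque origins (sandboxed iframes, data: URLs) arrive as the string "null"
  // and are rejected by the same comparison.
  return typeof event.origin === "string" && allowed.has(event.origin);
}

function handleMessage(event, state) {
  // isTrusted says only that the browser dispatched the event. A message posted
  // by any window, from any origin, is still browser-dispatched, so it carries
  // no information about who sent it. The origin check is the real gate.
  if (!isFromAllowedOrigin(event)) {
    return { accepted: false, reason: "origin " + event.origin + " not allowed" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.action !== "string") {
    return { accepted: false, reason: "malformed payload" };
  }
  // Dispatch on a fixed set of actions; never eval or inject event.data.
  switch (data.action) {
    case "setTheme":
      state.theme = String(data.value);
      return { accepted: true };
    default:
      return { accepted: false, reason: "unknown action " + data.action };
  }
}

function registerHandler(win, state) {
  // In a page this is window.addEventListener("message", ...).
  win.addEventListener("message", (event) => handleMessage(event, state));
}

// Constructed sample events modelled on the browser's MessageEvent fields.
// All have isTrusted === true, exactly as the reply describes.
const fromBank = {
  isTrusted: true,
  origin: "https://big-bank.com",
  data: { action: "setTheme", value: "dark" },
};
const fromOpener = {
  isTrusted: true,
  origin: "https://torrents.example", // hypothetical hostile opener
  data: { action: "setTheme", value: "evil" },
};
const lookalike = {
  isTrusted: true,
  origin: "https://big-bank.com.attacker.example", // defeats substring checks
  data: { action: "setTheme", value: "evil" },
};
const opaque = {
  isTrusted: true,
  origin: "null", // sandboxed iframe or data: URL
  data: { action: "setTheme", value: "x" },
};

// Only wire up a real listener when a window exists.
if (typeof window !== "undefined") {
  registerHandler(window, {});
}
```

The targetOrigin argument the reply shows on the sender side (myTarget.postMessage(message, 'https://big-bank.com/transactions/pay')) only restricts where that message is delivered; it does nothing for the receiver, which must still compare event.origin against an allowlist of exact origins as above.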