Issue with Rule S2819

javascript

(Emile Choghi) #1

The code below is triggering the “Cross-document messaging domains should be carefully restricted” rule. Is this a false positive?

window.top.postMessage(JSON.stringify(payload), 'https://' + this.yelp + '.yelp.com');

The targetOrigin is being specified yet it seems to treat this code like I’m passing in a wildcard?
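
An added example, not part of the original post and not a statement about how the rule's analysis decides: one way to make a concatenated targetOrigin verifiably restricted is to validate the dynamic part as a single DNS label and compare the parsed origin with the intended one. The names buildTargetOrigin, naiveOrigin and sendToTop are hypothetical, and the yelp.com base domain is taken from the snippet above.

```javascript
// Added example: hypothetical helpers, not code from the original post.
const BASE_DOMAIN = 'yelp.com'; // base domain as it appears in the post's snippet

// Exactly one DNS label: letters, digits, inner hyphens. No '.', '/', '@', '#', '*'.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Returns the origin string to pass as targetOrigin, or throws.
function buildTargetOrigin(subdomain) {
  if (typeof subdomain !== 'string' || !LABEL_RE.test(subdomain)) {
    throw new TypeError('subdomain must be a single DNS label');
  }
  // postMessage compares only the origin of targetOrigin, so parse it the
  // same way and make sure the result is the host that was intended.
  const origin = new URL('https://' + subdomain + '.' + BASE_DOMAIN).origin;
  const expected = 'https://' + subdomain.toLowerCase() + '.' + BASE_DOMAIN;
  if (origin !== expected) {
    throw new Error('unexpected origin: ' + origin);
  }
  return origin;
}

// What plain concatenation resolves to when the dynamic part is not
// validated; kept only to show why the label check matters.
function naiveOrigin(subdomain) {
  return new URL('https://' + subdomain + '.' + BASE_DOMAIN).origin;
}

// Sender that never falls back to '*': an invalid label throws before sending.
function sendToTop(win, payload, subdomain) {
  win.top.postMessage(JSON.stringify(payload), buildTargetOrigin(subdomain));
}
```

With the constructed input 'example.org/x', naiveOrigin returns https://example.org because everything after the slash is parsed as a path, while buildTargetOrigin rejects the value.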