The code below is triggering the Cross-document messaging domains should be carefully restricted rule. Is this a false positive?
window.top.postMessage(JSON.stringify(payload), 'https://' + this.yelp + '.yelp.com');
The targetOrigin is being specified yet it seems to treat this code like I’m passing in a wildcard?