Issue with Rule S2819

The code below is triggering the "Cross-document messaging domains should be carefully restricted" rule. Is this a false positive?

window.top.postMessage(JSON.stringify(payload), 'https://' + this.yelp + '.yelp.com');

The targetOrigin is being specified yet it seems to treat this code like I’m passing in a wildcard?
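A hardened companion to the pattern in the question, added here as an example that is not part of the original thread (the function names, the allowlist logic and the label regex are assumptions). Because the targetOrigin is assembled from a variable, the variable is validated as a single DNS label before it is concatenated into the origin, and the receiving side checks event.origin against the base domain before it trusts the payload.

```javascript
// Added example (not from the original post). Hardened version of:
//   window.top.postMessage(JSON.stringify(payload), 'https://' + this.yelp + '.yelp.com');
// The helper names and validation rules below are assumptions.

const BASE_DOMAIN = 'yelp.com';                              // from the question's code
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i; // exactly one DNS label

// Sender side: return a concrete https origin or throw.
// Restricting the variable to one label keeps '/', '?', ':' and '@' out of the
// string, so the result is always a subdomain of BASE_DOMAIN and never '*'.
function buildTargetOrigin(subdomain) {
  if (typeof subdomain !== 'string' || !LABEL_RE.test(subdomain)) {
    throw new Error('invalid subdomain for postMessage targetOrigin');
  }
  const origin = `https://${subdomain.toLowerCase()}.${BASE_DOMAIN}`;
  // Belt and braces: the value must round-trip through the URL parser unchanged.
  if (new URL(origin).origin !== origin) {
    throw new Error('targetOrigin did not round-trip through the URL parser');
  }
  return origin;
}

// Receiver side: accept only https origins that are BASE_DOMAIN or a subdomain of it.
function isTrustedOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }   // "null" and junk fail here
  if (url.protocol !== 'https:' || url.origin !== origin) return false;
  const host = url.hostname;
  return host === BASE_DOMAIN || host.endsWith('.' + BASE_DOMAIN);
}

// Handler shaped for window.addEventListener('message', handleMessage).
// Returns the parsed payload object, or null when the message is rejected.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;          // check origin BEFORE parsing
  try {
    const payload = JSON.parse(event.data);
    return payload && typeof payload === 'object' ? payload : null;
  } catch { return null; }
}

// Browser usage on the sending side (constructed, not executed here):
// window.top.postMessage(JSON.stringify(payload), buildTargetOrigin(this.yelp));
```

The analyzer can only see that the second argument is an expression, not what it evaluates to; keeping the validation next to the call is what makes the reviewer's job of clearing the hotspot straightforward.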

Hi @Emile_Choghi

That’s a good point. I’ve converted the type of that rule into Security Hotspot (see RSPEC-2819)
