Make sure this cross-domain message is being sent to the intended domain

Version: SonarCloud, Sonar for VS Code

SonarCloud complains about this error in a webview


while Sonar for JavaScript in Visual Studio Code and also WebStorm didn’t complain about it.

Maybe other info: Cross-document messaging domains should be carefully restricted

It should be reported as a notice, not with critical status. The main problem is that the JS wouldn’t know it was in a webview inside React Native, or in a Vue.js or React website. Treating an empty postMessage parameter as a wildcard is wrong.
So it at least needs to check that basic messages like “tel” and “goback” don’t raise this issue.

Hello @NobodyButMe-Haiya,

Welcome to the community!
It’s a bit hard for me to tell what is happening at this point. Could you send me:

  • a picture of the issue on SonarCloud
  • a snippet of code or even better a small reproducer project so that I can check if I reproduce
  • a log of the analysis on the SonarLint side. You can find how to activate debug traces for IntelliJ and VSCode.


Thanks for the reply.

  1. Picture below from SonarCloud.

  2. Snippet

  3. Not reproducible in VS Code nor WebStorm

** Node.js application which will be previewed inside React Native apps (web view) (private)


I am sorry but I still don’t have enough information to reproduce the problem. I understand that you cannot share the project where this happens, but it would be very useful if you could extract a small reproducer project. The idea is that you have the smallest possible project that raises this issue on SonarCloud and not in SonarLint.
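
For readers who land on this thread from the rule title, the following is an added example (not code from the thread, the private project, or Sonar) of the kind of restriction "Cross-document messaging domains should be carefully restricted" refers to: the sender names an explicit target origin and the receiver exact-matches `event.origin`. The origin `https://app.example.com`, the helper names and the fake window object are assumptions; "goback" is borrowed from the post above as a sample message type.

```javascript
// Added example. Origins, message types and the fake window are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Sender: refuse a missing or wildcard targetOrigin instead of broadcasting.
function sendToPeer(targetWindow, message, targetOrigin) {
  if (!targetOrigin || targetOrigin === "*") {
    throw new Error("targetOrigin must be an explicit origin");
  }
  const origin = new URL(targetOrigin).origin; // normalise; throws on non-URL input
  if (!ALLOWED_ORIGINS.has(origin)) {
    throw new Error("origin not in allow-list: " + origin);
  }
  targetWindow.postMessage(message, origin);
  return origin;
}

// Receiver: exact-match event.origin, then dispatch only known message types.
// A Map avoids hitting inherited properties such as "constructor".
function handleMessage(event, actions) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return "rejected";
  const type = event.data && event.data.type;
  const action = actions.get(type);
  if (typeof action !== "function") return "ignored";
  action(event.data);
  return "handled";
}

// In a page: window.addEventListener("message", (e) => handleMessage(e, actions));
function demo() {
  const sent = [];
  const fakeWindow = { postMessage: (msg, origin) => sent.push({ msg, origin }) };
  const handled = [];
  const actions = new Map([["goback", (data) => handled.push(data.type)]]);
  const results = {
    sentTo: sendToPeer(fakeWindow, { type: "goback" }, "https://app.example.com/view"),
    trusted: handleMessage({ origin: "https://app.example.com", data: { type: "goback" } }, actions),
    lookalike: handleMessage({ origin: "https://app.example.com.evil.test", data: { type: "goback" } }, actions),
    unknownType: handleMessage({ origin: "https://app.example.com", data: { type: "constructor" } }, actions),
  };
  try {
    sendToPeer(fakeWindow, { type: "goback" }, "*");
  } catch (err) {
    results.wildcard = err.message;
  }
  return { results, sent, handled };
}

console.log(JSON.stringify(demo(), null, 2));
```
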