SonarJs still shows warning about postMessage cross-domain issue

4.8k Views Asked by Clocher Zhong At 05 November 2025 at 02:01

The error message is "make sure this cross-domain message is being sent to the intended domain".

This check rule from RSPEC-2819

Authors should not use the wildcard keyword ( *) in the targetOrigin argument in messages that contain any confidential information, as otherwise there is no way to guarantee that the message is only delivered to the recipient to which it was intended.

I assume it demands * cannot be used as targetOrigin, But It still shows warning when I use intended domain as targetOrigin like below:

Please somebody can tell me how to pass this check,

Any help would be appreciated

Original Q&A

There are 2 best solutions below

Peska On 22 January 2019 at 07:53 BEST ANSWER

This rule detects only if a method postMessage is invoked on an object with a name containing window in it. Source code: PostMessageCheck.java. To bypass it, just assign your contentWindow object into different one, like this:

var content = this.elem.contentWindow;

content.postMessage('your message', window.location.origin);

Sarath On 24 June 2021 at 16:28

Have faced similar issue in sonarQube. Below fix worked. Just get rid of using window object using directly.

Actual code:

window.parent.postMessage("data", parenturl);

Fix:

var content=window;
content.parent.postMessage("data",parenturl);

SonarJs still shows warning about postMessage cross-domain issue

There are 2 best solutions below

Related Questions in SONARQUBE

Related Questions in ESLINT

Related Questions in SONARJS

Trending Questions

Popular # Hahtags

Popular Questions