SonarJS still shows a warning about the postMessage cross-domain issue


The error message is "make sure this cross-domain message is being sent to the intended domain".

This check comes from rule RSPEC-2819:

Authors should not use the wildcard keyword (*) in the targetOrigin argument in messages that contain any confidential information, as otherwise there is no way to guarantee that the message is only delivered to the recipient to which it was intended.

I assume it requires that * not be used as the targetOrigin, but it still shows the warning when I use the intended domain as the targetOrigin, as shown below:

Could someone please tell me how to pass this check?

Any help would be appreciated.

This rule only checks whether the method postMessage is called on an object whose name contains window. Source code: PostMessageCheck.java. To get around it, just assign your contentWindow object to a different variable, like this:

var content = this.elem.contentWindow;

content.postMessage('your message', window.location.origin);

I ran into a similar issue in SonarQube. The fix below worked. Stop using the window object directly.

Actual code:

window.parent.postMessage("data", parenturl);

Fix:

var content=window;
content.parent.postMessage("data",parenturl);
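Both answers above rename the window reference so the rule's name match no longer fires. What the rule is actually asking for is a concrete targetOrigin on the sending side and an event.origin check on the receiving side; the following is an added example of that pattern, not code from the question or either answer. The origins and the fakeFrame stand-in for a real contentWindow are constructed so it runs under Node.

```javascript
// Added example: send only to one concrete origin, accept only from an
// allow-list. Origins below are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://widget.example.com',
]);

// Sender side: refuse the wildcard RSPEC-2819 warns about, and normalise
// the value so a path or typo in the configured origin is caught early.
function sendToFrame(targetWindow, data, targetOrigin) {
  if (typeof targetOrigin !== 'string' || targetOrigin === '*') {
    throw new Error('targetOrigin must be a concrete origin, not "*"');
  }
  const origin = new URL(targetOrigin).origin; // throws on malformed input
  if (origin === 'null') {
    throw new Error('opaque origin cannot be used as targetOrigin');
  }
  targetWindow.postMessage(JSON.stringify(data), origin);
  return origin;
}

// Receiver side (wire it with window.addEventListener('message', ...) in a
// browser): event.origin is set by the browser and the sender cannot forge
// it, so it is the value to check before trusting event.data.
function handleMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return null; // unknown origin: drop it and do not reply
  }
  try {
    return JSON.parse(event.data);
  } catch {
    return null; // malformed payload
  }
}

// Stand-in for iframe.contentWindow so the example runs outside a browser;
// it records what would have been delivered and to which origin.
function makeFakeFrame() {
  const delivered = [];
  return {
    delivered,
    postMessage(message, targetOrigin) { delivered.push({ message, targetOrigin }); },
  };
}

// Usage with constructed values.
const frame = makeFakeFrame();
sendToFrame(frame, { type: 'token', value: 'abc' }, 'https://widget.example.com/path');
// frame.delivered[0].targetOrigin === 'https://widget.example.com'
```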