andrewmusselman commented on issue #1016:
URL:
https://github.com/apache/tooling-trusted-releases/issues/1016#issuecomment-4203528335
## Resolution: Not Applicable — The Application Does Not Use postMessage
A full search of the repository's frontend code confirms that the
`postMessage` API is **not used anywhere** in this application. ASVS 3.5.5 is
N/A.
### Search Results
| Search target | Scope | Matches |
|---------------|-------|---------|
| `postMessage` | all `.ts`, `.js`, `.html` files | **0** |
| `addEventListener('message'` | all `.ts`, `.js`, `.html` files | **0** |
| `onmessage` | all `.ts`, `.js`, `.html` files | **0** |
| `window.opener` | all `.ts`, `.js`, `.html` files | **0** |
| `window.parent` | all `.ts`, `.js`, `.html` files | **0** |
| `iframe` | all `.ts`, `.js`, `.html` files | **0** |
The TypeScript source files in `atr/static/ts/` and the HTML templates in
`atr/templates/` contain no postMessage listeners, no postMessage calls, no
iframe embedding, and no cross-origin messaging of any kind.
### The Frontend Code That Exists
The application has three TypeScript modules:
- `atr/static/ts/create-a-jwt.ts` — JWT display with fetch + DOM manipulation
- `atr/static/ts/finish-selected-move.ts` — UI interaction handler
- `atr/static/ts/move-files.ts` — UI interaction handler
And ~20 HTML templates in `atr/templates/`. None of these contain any
`postMessage` usage, `message` event listeners, iframes, or cross-origin
communication patterns.
### Why This Was Filed
The audit agent did not have access to the frontend JavaScript/TypeScript
files or HTML templates (the same relevance filtering gap documented in #1131).
Without frontend code visibility, the agent:
1. Saw `template_folder` parameters in the Python blueprints, confirming
templates exist
2. Could not verify whether those templates contained `postMessage` handlers
3. Chose the conservative path — flagged it as unverifiable rather than
assuming compliance
This is the *safe* failure mode (flag rather than miss), but it produces a
false positive when the feature simply doesn't exist. With frontend file
access, the agent would have confirmed zero `postMessage` usage and marked ASVS
3.5.5 as N/A.
### Root Cause
Same as #1131 — the audit agent's relevance filtering excluded `.ts`, `.js`,
and `.html` files from the analysis scope. This is tracked in the audit tooling
bug report for relevance filtering improvements. The proposed security-keyword
force-include fix would not have helped here (since there are no security
keywords to match in files that don't use `postMessage`), but the file-type
diversity warning would have flagged the complete absence of frontend files
from the analysis.
**Closing as N/A.** The application does not use the `postMessage` API.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
