From 905096b6b51210ceb430c58fd01938672219433f Mon Sep 17 00:00:00 2001 From: Micha Date: Tue, 17 Feb 2026 16:25:12 +0100 Subject: [PATCH] chore/fix-links --- .../guidelines/testing/store/quality-guidelines-apps/index.md | 2 +- .../testing/store/quality-guidelines-plugins/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/guidelines/testing/store/quality-guidelines-apps/index.md b/resources/guidelines/testing/store/quality-guidelines-apps/index.md index 14726265c..5e4173fa4 100644 --- a/resources/guidelines/testing/store/quality-guidelines-apps/index.md +++ b/resources/guidelines/testing/store/quality-guidelines-apps/index.md @@ -392,7 +392,7 @@ For example, "Swag\\MyPlugin\\SwagMyPluginSW6" instead of "Swag\\MyPlugin\\SwagM ### Ensure cross-domain messages are sent to the intended domain -["Cross-document messaging domains should be carefully restricted"](https://rules.sonarsource.com/javascript/RSPEC-2819) +When using `postMessage()` or similar cross-window messaging APIs, verify the message origin (e.g. `event.origin`) and restrict target domains to trusted URLs instead of `'*'`. This prevents malicious sites from sending or receiving messages inappropriately. ### Class Shopware\Storefront\* not found diff --git a/resources/guidelines/testing/store/quality-guidelines-plugins/index.md b/resources/guidelines/testing/store/quality-guidelines-plugins/index.md index 643c20989..1af0424f5 100644 --- a/resources/guidelines/testing/store/quality-guidelines-plugins/index.md +++ b/resources/guidelines/testing/store/quality-guidelines-plugins/index.md 
@@ -433,7 +433,7 @@ Link: [Example of a valid composer.json](https://github.com/FriendsOfShopware/Fr ### Ensure cross-domain messages are sent to the intended domain -Link: ["Cross-document messaging domains should be carefully restricted"](https://rules.sonarsource.com/javascript/RSPEC-2819) +When using `postMessage()` or similar cross-window messaging APIs, verify the message origin (e.g. `event.origin`) and restrict target domains to trusted URLs instead of `'*'`. This prevents malicious sites from sending or receiving messages inappropriately. ### No bootstrapping file found. Expecting bootstrapping in
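Review bot: In the apps guideline hunk, the new sentence folds the receiving-side and sending-side checks into one clause, and "restrict target domains to trusted URLs" is imprecise because the second argument of `postMessage()` is an origin (scheme, host and port), not a URL. Suggest wording it as two separate steps: on receipt, compare `event.origin` against an allowlist of expected origins and ignore any message that does not match; on send, pass the expected origin as the `targetOrigin` argument instead of `'*'`. The removed line was also the only reference to the Sonar rule id (RSPEC-2819) this section was derived from; keeping that link beneath the new explanatory text would let a developer map a scanner finding back to this section.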
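Review bot: The plugins guideline hunk carries the same sentence verbatim, so the same origin-versus-URL wording fix applies here and the two files should be updated together to stay in sync. Separately, the subject line reads "chore/fix-links" while both hunks replace a link with guidance text rather than correcting a link; a sentence in the commit message stating why the Sonar link was dropped would make the intent clear to future readers of the history.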