
Re: Error Object, Stack, and Parking Garages

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 23 Aug 2011 03:33:23 -0400
Message-ID: <4E5357C3.3080801@mit.edu>
To: Garrett Smith <dhtmlkitchen@gmail.com>
CC: public-script-coord@w3.org

On 8/12/11 11:14 PM, Garrett Smith wrote:
> On 8/11/11, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> On 8/12/11 12:12 AM, Garrett Smith wrote:
>>> When a script/DOM error occurs, the callback fires. The callback can
>>> access the callstack, message, and error from the error event.
>>
>> Subject to security restrictions when cross-origin scripts are involved,
>> just like the onerror handler is, yes?
>>
>
> Such that given a site on evil.com, you have <script src="//bofa.com"></script>?
>
> If so, would it be safe to generate a content-type error: "script
> error from bofa.com. Wrong content-type." - ?

No. Scripts are served with the "wrong" type all the time (if nothing 
else because there is no "right" type, really).  Worse yet, this is a 
problem even when linking to an actual script cross-site: the final URI 
of that script must not be leaked to the page that embeds the script, 
nor must any of the script's contents as much as possible.

-Boris
Received on Tuesday, 23 August 2011 07:34:03 UTC
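
The restriction discussed in this message, sketched as an added example that is not part of the original thread and is not browser source code: an error report for a script whose load touched another origin is reduced to a fixed, content-free value, so neither the final URI nor details of the script reach the embedding page. The function names, the `urlChain` parameter, the rule that any cross-origin hop mutes the report, and the sample URLs other than the hosts named in the thread are assumptions made for illustration.

```javascript
// Added illustration: a model of cross-origin error muting, not browser code.

// The fixed report a page sees for a script it embeds from another origin.
const MUTED = Object.freeze({
  message: "Script error.", filename: "", lineno: 0, colno: 0, stack: null,
});

// Resolve a possibly relative or protocol-relative URL and return its origin.
function originOf(url, base) {
  return new URL(url, base).origin;
}

// urlChain: every URL fetched for the script, requested URL first, final URL
// last. Assumption: one cross-origin hop anywhere makes the load cross-origin.
function isCrossOrigin(pageUrl, urlChain) {
  const pageOrigin = originOf(pageUrl);
  return urlChain.some((u) => originOf(u, pageUrl) !== pageOrigin);
}

// Build what an error callback on the page is allowed to observe.
function buildErrorReport(pageUrl, urlChain, err) {
  if (!Array.isArray(urlChain) || urlChain.length === 0) {
    throw new TypeError("urlChain must be a non-empty array");
  }
  if (isCrossOrigin(pageUrl, urlChain)) {
    return MUTED; // no message, no final URI, no line number, no stack
  }
  const finalUrl = new URL(urlChain[urlChain.length - 1], pageUrl).href;
  return {
    message: err.message, filename: finalUrl,
    lineno: err.lineno, colno: err.colno, stack: err.stack,
  };
}

// Constructed sample: the embed from the thread, redirected to a made-up
// per-user URL that would reveal account state if it were reported.
const sampleErr = {
  message: "SyntaxError: unexpected token", lineno: 7, colno: 3,
  stack: "at init (settings.js:7:3)",
};
const crossOriginReport = buildErrorReport(
  "http://evil.com/page.html",
  ["//bofa.com", "http://bofa.com/users/alice/settings.js"],
  sampleErr,
);
console.log(crossOriginReport);
```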
