Re: Error Object, Stack, and Parking Garages

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 23 Aug 2011 03:33:23 -0400
Message-ID: <4E5357C3.3080801@mit.edu>
To: Garrett Smith <dhtmlkitchen@gmail.com>
CC: public-script-coord@w3.org

On 8/12/11 11:14 PM, Garrett Smith wrote:
> On 8/11/11, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> On 8/12/11 12:12 AM, Garrett Smith wrote:
>>> When a script/DOM error occurs, the callback fires. The callback can
>>> access the callstack, message, and error from the error event.
>> Subject to security restrictions when cross-origin scripts are involved,
>> just like the onerror handler is, yes?
> Such that given a site on evil.com, you have <script src="//bofa.com"></script>?
> If so, would it be safe to generate a content-type error: "script
> error from bofa.com. Wrong content-type." - ?

No. Scripts are served with the "wrong" type all the time (if nothing 
else because there is no "right" type, really).  Worse yet, this is a 
problem even when linking to an actual script cross-site: the final URI 
of that script must not be leaked to the page that embeds the script, 
nor must any of the script's contents as much as possible.

Received on Tuesday, 23 August 2011 07:34:03 UTC
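
Added example, not part of the original message: a small JavaScript model of the restriction discussed above, as browsers apply it to `window.onerror` under the HTML Standard's "muted errors" rule. The function names, the `corsApproved` field and the `.example` hosts are assumptions made for illustration; this is not browser source code.

```javascript
// Model of the "muted errors" rule: what an embedding page's onerror
// handler is allowed to learn about a failing script.

// Errors are muted when the script's response is cross-origin to the page
// and was not approved through CORS. The check uses the FINAL URL, so a
// same-origin URL that redirects to another site is muted as well.
function isMuted(pageOrigin, fetchInfo) {
  const finalOrigin = new URL(fetchInfo.finalUrl).origin;
  if (finalOrigin === pageOrigin) return false;
  return !fetchInfo.corsApproved; // hypothetical flag: CORS check passed
}

// Build the record handed to the page. A muted script yields only a fixed
// message: no URL, no position, no error object (and therefore no stack).
function reportToPage(pageOrigin, fetchInfo, realError) {
  if (isMuted(pageOrigin, fetchInfo)) {
    return { message: "Script error.", filename: "", lineno: 0, colno: 0, error: null };
  }
  return {
    message: realError.message,
    filename: realError.filename,
    lineno: realError.lineno,
    colno: realError.colno,
    error: realError,
  };
}

// Constructed sample data.
const PAGE = "https://page.example";
const FINAL = "https://other.example/account/12345/data";
const realError = {
  message: "Uncaught SyntaxError: Unexpected token '<'",
  filename: FINAL, lineno: 1, colno: 1,
  stack: "SyntaxError: Unexpected token '<'\n    at " + FINAL + ":1:1",
};
const cases = {
  sameOrigin: { requestUrl: PAGE + "/app.js", finalUrl: PAGE + "/app.js", corsApproved: false },
  crossOrigin: { requestUrl: FINAL, finalUrl: FINAL, corsApproved: false },
  // Requested from the page's own origin, then redirected off-site.
  redirected: { requestUrl: PAGE + "/r", finalUrl: FINAL, corsApproved: false },
  crossOriginCors: { requestUrl: FINAL, finalUrl: FINAL, corsApproved: true },
};

function runCases() {
  const out = {};
  for (const [name, info] of Object.entries(cases)) out[name] = reportToPage(PAGE, info, realError);
  return out;
}
```
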