
setTimeout error handling

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 28 Mar 2011 14:06:10 -0700
Message-ID: <BANLkTikMpBKAPzcJDtEcD3iqeUnjuJKkEA@mail.gmail.com>
To: public-web-security@w3.org

Sorry for spamming the list with lots of questions.  I'm just emailing
questions as they come up in the implementation.

[[
User-agents must prevent strings from being converted to ECMAScript
code, including calls to:

eval()
new Function() constructor
setTimeout() called with a String argument
setInterval() called with a String argument
]]

Suppose the page does call setTimeout with a string.  How should the
user agent handle the error?

For example, in Step 6 of
http://www.whatwg.org/specs/web-apps/current-work/#dom-windowtimers-settimeout,
the user agent is instructed to "Return handle".  Should that step
occur or should we return a null handle?  Should setTimeout throw an
exception?

There are similar questions for the other functions that convert
strings to code.

Also, what about non-ECMAScript code?  For example, if the user agent
supported VBScript as a scripting language (e.g., Internet Explorer),
should the user agent prevent strings from being turned into that sort
of code?

Proposal: We should return a null handle from setTimeout and
setInterval.  That lets the page detect the error without being so
drastic as to throw an exception.  We could also log to the error
console (and of course report via the reporting-uri) to make the error
more visible to developers.

Adam
Received on Monday, 28 March 2011 21:07:16 GMT
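As an added example, not part of Adam Barth's post or of any user agent's code, the following JavaScript contrasts the two error behaviours the message weighs for setTimeout(String) under a no-string-to-code policy (throwing an exception versus returning a null handle) and shows a scheduler that never reaches the string path. The `timers` parameter and the `makeFakeHost` helper are assumptions introduced here so the probe runs offline against constructed hosts rather than a real browser.

```javascript
// Added example (not code from the post or any browser). Detects how a host
// handles setTimeout(String): exception, null handle, or allowed. `timers`
// is any object exposing setTimeout/clearTimeout, so fakes can stand in.

function probeStringTimeout(timers) {
  let handle;
  try {
    // An inert string: we only care whether the host converts it to code.
    handle = timers.setTimeout("void 0", 0);
  } catch (err) {
    return { blocked: true, how: "exception", error: err.name };
  }
  if (handle === null || handle === undefined || handle === 0) {
    return { blocked: true, how: "null-handle" };
  }
  timers.clearTimeout(handle); // allowed: cancel so the string never runs
  return { blocked: false, how: "allowed" };
}

// Policy-compatible scheduler: refuses strings up front, so a page written
// against it never hits the string-to-code path whichever error model the
// host implements.
function scheduleCallback(timers, fn, delay) {
  if (typeof fn !== "function") {
    throw new TypeError("scheduleCallback needs a function, not a string");
  }
  return timers.setTimeout(fn, delay);
}

// Constructed fake hosts (assumption, not real browsers) modelling each
// behaviour: "throw" raises EvalError, "null" returns a null handle,
// anything else converts the string like a host without the policy.
function makeFakeHost(mode) {
  let next = 1;
  return {
    setTimeout(cb, _delay) {
      if (typeof cb === "string") {
        if (mode === "throw") throw new EvalError("string code blocked");
        if (mode === "null") return null;
      }
      return next++;
    },
    clearTimeout(_handle) {},
  };
}
```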
