Re: [whatwg] Spec for handling runtime script errors doesn't seem to match reality

On 11/13/12 3:31 AM, Simon Pieters wrote:
> onload=function(){
>    onerror=function(a,b,c){alert('parent: '+[a,b,c].join(' '));};
>    frames[0].onerror=function(a,b,c){alert('child: '+[a,b,c].join(' '));};
>    frames[0].setTimeout(function(){ throw 'oops' }, 0);
> };
...
> Opera and Chrome use child and taint (alert says "child: Script error.
> 0").

OK.

> Firefox uses child, taints the url and line arguments but not the message
> argument (alert says "child: uncaught exception: oops  0").

Actually, Firefox is not tainting anything here.  A manually thrown 
string exception like that in Spidermonkey just seems to not have a url 
and line number attached to it.

I believe right now Gecko uses the effective script origin for 
determining whether to taint, so in your case the two pages are actually 
same-origin for tainting purposes in Gecko.

> IE8 uses parent and doesn't taint (alert says "parent: Exception thrown
> and not caught http://example.org/001.html 7").

Indeed.  I'm working on switching Gecko to using the parent in this case 
(and still not tainting, of course).

> I also tested the same as the above but with a string argument to
> setTimeout with a syntax error.

This one is simpler in terms of which error handler to use, because the 
string is compiled in the child to start with.  Though I agree it's very 
interesting for tainting purposes!

What does Opera base its tainting decision on here, exactly?  The actual 
origin of the script that made the setTimeout call (as opposed to the 
origin it has due to being loaded by some web page)?  Or just its page's 
origin?  Or does it track origins on individual strings?

-Boris

Received on Tuesday, 13 November 2012 17:28:15 UTC
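The tainting behaviour the thread compares, as an added example that is not code from the thread or from any of the browsers discussed. It models the rule Simon reports for Opera and Chrome: when the script that threw is cross-origin to the page whose onerror handler runs, the handler only receives "Script error.", an empty URL and line 0, so it cannot read the foreign script's message or location. The model's choice of what to compare (the script's fetch URL against the page's URL, with string-compiled code attributed to the document that compiled it) is one of the options Boris asks about and is an assumption here, not a description of any browser; the URLs, the `other.example` host and the data: frame are constructed inputs. It runs under Node.js and uses the WHATWG URL parser for the origin tuple.

```javascript
// Added example, not code from the thread: a small model of the cross-origin
// error "tainting" discussed above. An uncaught error carries a message, a URL
// and a line number. If the script that threw is cross-origin to the page whose
// onerror handler receives the report, the report is reduced to the opaque form
// seen in Opera/Chrome ("Script error.", empty URL, line 0) so the handler
// cannot read the foreign script's message or location. Origins are compared
// as scheme/host/port tuples via the URL parser.

// Origin of an absolute URL: "scheme://host[:port]" with default ports dropped,
// or the string "null" for opaque origins (data:, blob: without a base, ...).
function originOf(url) {
  return new URL(url).origin;
}

// Two URLs are same-origin when their tuples match. An opaque origin is never
// same-origin with anything, including another opaque origin. (Real browsers
// let about:blank inherit its creator's origin; that special case is left out
// of this model.)
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== "null" && oa === ob;
}

// Build the (message, url, line) triple that an onerror handler in `pageUrl`
// is allowed to see for an error raised by script fetched from `scriptUrl`.
// Model assumption: the deciding input is where the script came from, not
// which document ran it, so a cross-origin library included by example.org is
// still cross-origin. Code compiled from a string (setTimeout("...", 0), eval)
// has no fetch URL of its own; callers pass the URL of the document that
// compiled it, which is what Boris describes for the string-argument case.
function reportForHandler(err, scriptUrl, pageUrl) {
  if (sameOrigin(scriptUrl, pageUrl)) {
    return { message: err.message, url: err.url, line: err.line };
  }
  return { message: "Script error.", url: "", line: 0 };
}

// Same formatting as the handlers in the thread: [a, b, c].join(' ').
function formatReport(r) {
  return [r.message, r.url, r.line].join(" ");
}

// Constructed inputs modelled on the thread's test page.
const PARENT = "http://example.org/001.html";   // from the thread
const FOREIGN = "http://other.example/lib.js";  // hypothetical cross-origin script
const OPAQUE = "data:text/html,hello";          // hypothetical data: frame

// Report as IE8 showed it in the thread, before any tainting.
const rawErr = { message: "Exception thrown and not caught", url: PARENT, line: 7 };

// Same-origin script: the handler sees everything.
function sameOriginCase() {
  return formatReport(reportForHandler(rawErr, PARENT, PARENT));
}

// Cross-origin script: only the opaque triple reaches the handler.
function crossOriginCase() {
  return formatReport(reportForHandler(rawErr, FOREIGN, PARENT));
}

// Script from an opaque-origin frame: treated as cross-origin as well.
function opaqueOriginCase() {
  return formatReport(reportForHandler(rawErr, OPAQUE, PARENT));
}

console.log("same-origin :", sameOriginCase());
console.log("cross-origin:", crossOriginCase());
console.log("opaque      :", opaqueOriginCase());
```

One caveat the model leaves out: a script fetched with a `crossorigin` attribute and a permissive `Access-Control-Allow-Origin` response is not tainted in today's browsers even though its URL is cross-origin, so a production check would key on the fetch's CORS outcome rather than on the URL alone.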