- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 23 Aug 2011 03:33:23 -0400
- To: Garrett Smith <dhtmlkitchen@gmail.com>
- CC: public-script-coord@w3.org
On 8/12/11 11:14 PM, Garrett Smith wrote:
> On 8/11/11, Boris Zbarsky<bzbarsky@mit.edu> wrote:
>> On 8/12/11 12:12 AM, Garrett Smith wrote:
>>> When a script/DOM error occurs, the callback fires. The callback can
>>> access the callstack, message, and error from the error event.
>>
>> Subject to security restrictions when cross-origin scripts are involved,
>> just like the onerror handler is, yes?
>>
>
> Such that given a site on evil.com, you have <script src="//bofa.com"></script>?
>
> If so, would it be safe to generate a content-type error: "script
> error from bofa.com. Wrong content-type." - ?

No. Scripts are served with the "wrong" type all the time (if nothing
else because there is no "right" type, really).

Worse yet, this is a problem even when linking to an actual script
cross-site: the final URI of that script must not be leaked to the page
that embeds the script, nor must any of the script's contents as much as
possible.

-Boris
Received on Tuesday, 23 August 2011 07:34:03 UTC
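
The restriction described in the message above, modelled as an added JavaScript example (not part of the original message and not any browser's code): an error report is stripped of the final script URL, position, message text and stack whenever the script's final origin differs from the embedding page's. The function names, the `.example` hosts and the sample error are constructed for illustration.

```javascript
'use strict';
// Added illustration: a simplified model of what a page's error handler may see.
// reportForPage, originOf and SAMPLE_ERROR are hypothetical names.

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// pageUrl:        the document that embeds the script.
// finalScriptUrl: where the script was actually loaded from, after redirects.
// err:            full details known to the engine.
function reportForPage(pageUrl, finalScriptUrl, err) {
  if (originOf(pageUrl) === originOf(finalScriptUrl)) {
    // Same origin: the page could read the script anyway, so nothing leaks.
    return { message: err.message, filename: finalScriptUrl,
             line: err.line, column: err.column, stack: err.stack };
  }
  // Cross-origin: withhold the final URL and anything derived from the
  // script's contents (message text, line/column, call stack).
  return { message: 'Script error.', filename: '', line: 0, column: 0, stack: null };
}

// Constructed sample: the embedded URL redirected to a per-user path, so the
// final URL itself carries information the embedding page must not learn.
const SAMPLE_ERROR = {
  message: 'TypeError: accountSummary is undefined',
  line: 42,
  column: 7,
  stack: 'render@https://bank.example/u/10023/app.js:42:7',
};

function demo() {
  const finalUrl = 'https://bank.example/u/10023/app.js';
  return {
    crossOrigin: reportForPage('https://evil.example/', finalUrl, SAMPLE_ERROR),
    sameOrigin: reportForPage('https://bank.example/home', finalUrl, SAMPLE_ERROR),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```
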