- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 19 Jun 2008 12:02:36 -0500
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: timeless@gmail.com, "public-webapps@w3.org" <public-webapps@w3.org>
Julian Reschke wrote: > Could you please provide some more information or give an example about > when this would be the case? Here's a simple past example, if I understand your question correctly. One can set an onerror handler on Window that will trigger if an exception is thrown and not caught, and will also trigger on script parsing/compilation errors. For the latter case, the offending line of script is included in the exception object. Now consider the following HTML page: <script src="target.html"></script> Since most likely target.html is not actually valid JS, there will be a parse error, and the error object will contain the text on the line in question. For what it's worth, Gecko will now only include the text if the script the error is in and the onerror handler are same-origin. Until we started doing that, there was a cross-origin information leak. -Boris
Received on Thursday, 19 June 2008 17:03:22 UTC