- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 18 Dec 2012 10:48:36 -0800
- To: public-webappsec@w3.org
On 12/18/12 10:08 AM, Mike West wrote:
> When would a line-number not be available?
In general, this is implementation specific. In Gecko, if you have a
script that does:

    var div = document.createElement("div");
    div.setAttribute("onclick", "/* some code here */");
    div.textContent = "Click me";
    document.body.appendChild(div);

and then the user clicks the text, the "some code here" will run but not
have a useful line number associated with it. We could try to associate
the line number of the setAttribute call with that script, I suppose,
but we don't store line numbers with attributes like that at the moment,
so there would be some memory and performance hit to doing that.
> In theory it should be
> possible to grab a line number from script executing inline on a page,
> or of the call to `eval` that triggered whatever code violated the policy.
There are a lot more ways than that to enter script...
-Boris
Received on Tuesday, 18 December 2012 18:49:07 UTC
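
Added example, not part of the original message or of any browser's code: one way a report collector can triage CSP violation reports when the line number is missing, as in the setAttribute case described above. The sample reports are constructed, the function names are hypothetical, and treating a `line-number` of 0 or a non-integer as unavailable is an assumption.

```javascript
// Constructed sample reports in the CSP violation report JSON shape.
const sampleReports = [
  { "csp-report": { "document-uri": "https://app.example/page",
      "violated-directive": "script-src 'self'", "blocked-uri": "inline",
      "source-file": "https://app.example/page", "line-number": 42 } },
  { "csp-report": { "document-uri": "https://app.example/page",
      "violated-directive": "script-src 'self'", "blocked-uri": "inline",
      "source-file": "https://app.example/page", "line-number": 42 } },
  // Handler attached via setAttribute: no line number in the report.
  { "csp-report": { "document-uri": "https://app.example/page",
      "violated-directive": "script-src 'self'", "blocked-uri": "inline" } },
  // Assumption: a reported line of 0 also means "not available".
  { "csp-report": { "document-uri": "https://app.example/page",
      "violated-directive": "script-src 'self'", "blocked-uri": "inline",
      "line-number": 0 } },
  { "not-a-report": true }, // malformed body, ignored
];

// Map a raw report to a fixed shape; line is null when unavailable.
function normalizeReport(raw) {
  const r = raw && raw["csp-report"];
  if (!r || typeof r !== "object") return null;
  const n = r["line-number"];
  return {
    documentUri: String(r["document-uri"] || ""),
    directive: String(r["violated-directive"] || ""),
    blockedUri: String(r["blocked-uri"] || ""),
    sourceFile: r["source-file"] ? String(r["source-file"]) : null,
    line: Number.isInteger(n) && n > 0 ? n : null,
  };
}

// Group identical violations. Reports without a line number are kept and
// grouped on the remaining fields instead of being dropped.
function groupReports(reports) {
  const groups = new Map();
  for (const raw of reports) {
    const n = normalizeReport(raw);
    if (!n) continue;
    const key = [n.documentUri, n.directive, n.blockedUri,
                 n.sourceFile ?? "no-source", n.line ?? "no-line"].join("|");
    const g = groups.get(key) || { ...n, count: 0 };
    g.count += 1;
    groups.set(key, g);
  }
  return [...groups.values()];
}
```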