- From: Simon Pieters <simonp@opera.com>
- Date: Tue, 20 Sep 2011 23:40:01 +0200
We're implementing window.onerror in Opera. In order to not expose the URL of redirects in cross-origin resources with window.onerror, errors from cross-origin scripts are masked in Gecko and WebKit, i.e. instead of invoking window.onerror with a useful error message, a URL and the line number, it's invoked with "Script error.", "", 0. http://www.w3.org/Bugs/Public/show_bug.cgi?id=14177 https://bugzilla.mozilla.org/show_bug.cgi?id=568564 This makes window.onerror rather useless for cross-origin scripts. However, it is still possible to tell if the user is logged in or not if a site serves a script for a particular URL when the user is logged in and redirects to the home page or so when the user is not logged in. We have found a bank site where this is possible. There are other ways to tell if the user is logged in, however it seems we should try to keep them to a minimum. Therefore we suggest that window.onerror should not be invoked at all for errors in cross-origin scripts. Thoughts? -- Simon Pieters Opera Software
Received on Tuesday, 20 September 2011 14:40:01 UTC