
[whatwg] window.onerror and cross-origin scripts

From: Simon Pieters <simonp@opera.com>
Date: Tue, 20 Sep 2011 23:40:01 +0200
Message-ID: <op.v14mgziwidj3kv@simon-pieterss-macbook.local>

We're implementing window.onerror in Opera. In order to not expose the URL  
of redirects in cross-origin resources with window.onerror, errors from  
cross-origin scripts are masked in Gecko and WebKit, i.e. instead of  
invoking window.onerror with a useful error message, a URL and the line  
number, it's invoked with "Script error.", "", 0.


This makes window.onerror rather useless for cross-origin scripts.  
However, it is still possible to tell if the user is logged in or not if a  
site serves a script for a particular URL when the user is logged in and  
redirects to the home page or so when the user is not logged in. We have  
found a bank site where this is possible. There are other ways to tell if  
the user is logged in, however it seems we should try to keep them to a  
minimum. Therefore we suggest that window.onerror should not be invoked at  
all for errors in cross-origin scripts.


Simon Pieters
Opera Software
Received on Tuesday, 20 September 2011 14:40:01 UTC
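
The three behaviours compared in the message above (full error details, the masked "Script error.", "", 0 triple, and not invoking window.onerror at all), modelled as an added example that is not part of the original message and is not browser source code. The policy names, origins and sample outcomes are constructed, and the model assumes one response runs without error while the redirected one raises an error when loaded as a script.

```javascript
// Added model, not browser source. Policy names, origins and outcomes are constructed.
const MASKED = ["Script error.", "", 0]; // the masked triple quoted in the message

// Arguments window.onerror would receive for one script outcome, or null if
// the handler is not invoked. outcome is null when the script ran cleanly,
// otherwise { message, url, line }.
function onerrorArgs(policy, pageOrigin, scriptOrigin, outcome) {
  if (outcome === null) return null;
  const full = [outcome.message, outcome.url, outcome.line];
  if (scriptOrigin === pageOrigin) return full; // same-origin errors are never masked
  switch (policy) {
    case "unmasked": return full;              // no protection at all
    case "masked": return MASKED.slice();      // Gecko/WebKit behaviour described above
    case "suppressed": return null;            // the proposal: do not invoke onerror
    default: throw new Error("unknown policy: " + policy);
  }
}

// True if the embedding page can tell outcome a from outcome b through onerror.
function distinguishable(policy, pageOrigin, scriptOrigin, a, b) {
  const seen = (o) => JSON.stringify(onerrorArgs(policy, pageOrigin, scriptOrigin, o));
  return seen(a) !== seen(b);
}

const PAGE = "https://observer.example"; // hypothetical embedding page
const SITE = "https://site.example";     // hypothetical cross-origin script host
const ranCleanly = null;                 // assumed outcome of the non-redirected script
const errorAtRedirect = { message: "SyntaxError", url: SITE + "/home", line: 1 };
const errorAtOriginal = { message: "ReferenceError", url: SITE + "/app.js", line: 3 };

for (const policy of ["unmasked", "masked", "suppressed"]) {
  console.log(policy,
    "| error vs no error visible:",
    distinguishable(policy, PAGE, SITE, ranCleanly, errorAtRedirect),
    "| which URL errored visible:",
    distinguishable(policy, PAGE, SITE, errorAtOriginal, errorAtRedirect));
}
```

Masking hides which URL the error came from but still reveals whether an error occurred; only the suppressed policy makes both pairs of outcomes look identical to the embedding page.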
