W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2011

[whatwg] window.onerror and cross-origin scripts

From: Simon Pieters <simonp@opera.com>
Date: Thu, 22 Sep 2011 16:02:30 +0200
Message-ID: <op.v17qmg0sidj3kv@simon-pieterss-macbook.local>
On Wed, 21 Sep 2011 19:36:23 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 9/21/11 5:25 AM, Simon Pieters wrote:
>> Oops. Bogus testing on my part. We do support <script onload>. Will have
>> to investigate whether we should change our behavior for the
>> cross-origin case.
> One other thing.
> Are we talking about error events fired on the <script> element?
> Or error events fired on the window due to exceptions thrown by a script?
> Or both?
> Your initial post seemed to be about the latter, but expressed concerns  
> that are applicable to both to some extent....

I was talking about window.onerror. <script onerror> per spec fires for  
empty src="", unresolvable URL and network errors (DNS or 404). If we want  
to make onload always fire for cross-origin, it would make sense for  
<script onerror> to not fire for network errors. (Opera doesn't fire error  
on script, assuming my testing isn't bogus this time.)

I don't know if it's worth it to try to plug this hole this way, however.  
We won't be able to plug it everywhere, e.g. <img> will expose if an image  
is loaded. So masking onload/onerror for script just makes the feature  
less useful without solving the problem. Maybe we should instead focus on  
implementing the From-Origin header and try to get sites to use that.

Simon Pieters
Opera Software
Received on Thursday, 22 September 2011 07:02:30 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:36 UTC