W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2011

[whatwg] window.onerror and cross-origin scripts

From: Simon Pieters <simonp@opera.com>
Date: Fri, 23 Sep 2011 09:16:43 +0200
Message-ID: <op.v182h5eoidj3kv@simon-pieterss-macbook.local>
On Thu, 22 Sep 2011 16:02:30 +0200, Simon Pieters <simonp at opera.com> wrote:

> I was talking about window.onerror. <script onerror> per spec fires for  
> empty src="", unresolvable URL and network errors (DNS or 404). If we  
> want to make onload always fire for cross-origin, it would make sense  
> for <script onerror> to not fire for network errors. (Opera doesn't fire  
> error on script, assuming my testing isn't bogus this time.)
> I don't know if it's worth it to try to plug this hole this way,  
> however. We won't be able to plug it everywhere, e.g. <img> will expose  
> if an image is loaded. So masking onload/onerror for script just makes  
> the feature less useful without solving the problem. Maybe we should  
> instead focus on implementing the From-Origin header and try to get  
> sites to use that.

It was pointed out to me that the following site expects an error event  
for a cross-origin script (which returns 404):


which tries to load http://lp.longtailvideo.com/5/%20gapro/%20gapro.js

Simon Pieters
Opera Software
Received on Friday, 23 September 2011 00:16:43 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:36 UTC