- From: Simon Pieters <simonp@opera.com>
- Date: Tue, 13 Nov 2012 12:31:46 +0100
- To: "Boris Zbarsky" <bzbarsky@mit.edu>
- Cc: whatwg <whatwg@lists.whatwg.org>, Olli Pettay <opettay@mozilla.com>
On Mon, 12 Nov 2012 18:12:32 +0100, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 11/12/12 5:45 AM, Simon Pieters wrote:
>> I don't see any attachment. Maybe the whatwg list prunes them? Can you
>> send it to www-archive?
>
> Gah.
>
> Here's the entire test case:
>
> <iframe></iframe>
> <script>
>   window.onload = function() {
>     window.onerror = function(msg, file, line) {
>       alert('Parent handler: ' + msg + " " + file + " " + line);
>     }
>     frames[0].onerror = function(msg, file, line) {
>       alert('Subframe handler: ' + msg + " " + file + " " + line);
>     }
>     frames[0].setTimeout(function() { throw "oops"; }, 100);
>   }
> </script>

Thanks.

>> Do browsers use the script's origin per spec, or do they use the
>> function's global object's document's origin (for the purpose of
>> tainting the arguments)?
>
> This isn't even about origins and tainting so far; everything here is
> same-origin. It's purely about which onerror gets called.

Yes, I understand that. I was just taking it a step further.

I've now tested it:

<!doctype html>
<script>
document.domain = 'example.org';
onload=function(){
  onerror=function(a,b,c){alert('parent: '+[a,b,c].join(' '));};
  frames[0].onerror=function(a,b,c){alert('child: '+[a,b,c].join(' '));};
  frames[0].setTimeout(function(){ throw 'oops' }, 0);
};
</script>
parent<br>
<iframe src='http://www.example.org/child.html'></iframe>

<!doctype html>
<script>
document.domain = 'example.org';
</script>
child

Results:
Opera and Chrome use child and taint (alert says "child: Script error. 0").
Firefox uses child and taints the url and line arguments but not the message argument (alert says "child: uncaught exception: oops 0").
IE8 uses parent and doesn't taint (alert says "parent: Exception thrown and not caught http://example.org/001.html 7").

I also tested the same as the above but with a string argument to setTimeout with a syntax error.

Results:
Opera uses child and taints (alert says "child: Script error. 0").
Firefox and Chrome use child and don't taint (alert says "child: SyntaxError: syntax error http://example.org/002.html 7" and "child: Uncaught SyntaxError: Unexpected token ) 1", respectively).
IE8 doesn't invoke either onerror handler but shows a "broken script" icon in the status bar (and attributes the error to child.html).

--
Simon Pieters
Opera Software
Received on Tuesday, 13 November 2012 11:33:29 UTC