Re: [whatwg] Spec for handling runtime script errors doesn't seem to match reality

On Mon, 12 Nov 2012 18:12:32 +0100, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 11/12/12 5:45 AM, Simon Pieters wrote:
>> I don't see any attachment. Maybe the whatwg list prunes them? Can you
>> send it to www-archive?
>
> Gah.
>
> Here's the entire test case:
>
> <iframe></iframe>
> <script>
>      window.onload = function() {
>        window.onerror = function(msg, file, line) {
>          alert('Parent handler: ' + msg + " " + file + " " + line);
>        }
>        frames[0].onerror = function(msg, file, line) {
>          alert('Subframe handler: ' + msg + " " + file + " " + line);
>        }
>        frames[0].setTimeout(function() { throw "oops"; }, 100);
>      }
> </script>

Thanks.


>> Do browsers use the script's origin per spec, or do they use the
>> function's global object's document's origin (for the purpose of
>> tainting the arguments)?
>
> This isn't even about origins and tainting so far; everything here is  
> same-origin.  It's purely about which onerror gets called.

Yes, I understand that. I was just taking it a step further. I've now  
tested it:

<!doctype html>
<script>
document.domain = 'example.org';
onload=function(){
   onerror=function(a,b,c){alert('parent: '+[a,b,c].join(' '));};
   frames[0].onerror=function(a,b,c){alert('child: '+[a,b,c].join(' '));};
   frames[0].setTimeout(function(){ throw 'oops' }, 0);
};
</script>
parent<br>
<iframe src='http://www.example.org/child.html'></iframe>


<!doctype html>
<script>
document.domain = 'example.org';
</script>
child

Results:
Opera and Chrome use child and taint (alert says "child: Script error.   
0").
Firefox uses child and taints the url and line arguments but not the  
message argument (alert says "child: uncaught exception: oops  0").
IE8 uses parent and doesn't taint (alert says "parent: Exception thrown  
and not caught http://example.org/001.html 7").

I also tested the same as the above but with a string argument to  
setTimeout with a syntax error.

Results:
Opera uses child and taints (alert says "child: Script error.  0").
Firefox and Chrome use child and don't taint (alert says "child:  
SyntaxError: syntax error http://example.org/002.html 7" and "child:  
Uncaught SyntaxError: Unexpected token )  1", respectively).
IE8 doesn't invoke either onerror handler but shows a "broken script" icon  
in the status bar (and attributes the error to child.html).

-- 
Simon Pieters
Opera Software

Received on Tuesday, 13 November 2012 11:33:29 UTC
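
An added example, not part of the original message: a classifier that an onerror handler could use to tell apart the three outcomes reported above (fully tainted, location-only tainted, untainted). The argument triples are reconstructed from the quoted alert strings, and the function names and verdict labels are assumptions made for this example.

```javascript
// Added example, not code from the thread. Names and labels are hypothetical.
const MUTED_MESSAGE = 'Script error.';

// Decide how much of an error report the browser withheld from the handler.
function classifyErrorArgs(msg, file, line) {
  const locationHidden = !file && Number(line) === 0;
  if (String(msg) === MUTED_MESSAGE && locationHidden) return 'tainted';
  if (locationHidden) return 'location-tainted'; // message kept, url/line blanked
  return 'untainted';
}

// Constructed from the alert strings quoted in the message:
// "<handler>: " + [msg, file, line].join(' ')
const OBSERVED = [
  { test: 'throw', browser: 'Opera', handler: 'child', args: ['Script error.', '', 0] },
  { test: 'throw', browser: 'Chrome', handler: 'child', args: ['Script error.', '', 0] },
  { test: 'throw', browser: 'Firefox', handler: 'child',
    args: ['uncaught exception: oops', '', 0] },
  { test: 'throw', browser: 'IE8', handler: 'parent',
    args: ['Exception thrown and not caught', 'http://example.org/001.html', 7] },
  { test: 'syntax', browser: 'Opera', handler: 'child', args: ['Script error.', '', 0] },
  { test: 'syntax', browser: 'Firefox', handler: 'child',
    args: ['SyntaxError: syntax error', 'http://example.org/002.html', 7] },
  { test: 'syntax', browser: 'Chrome', handler: 'child',
    args: ['Uncaught SyntaxError: Unexpected token )', '', 1] },
];

// One row per observation: which handler ran and what it was allowed to see.
function summarize(rows) {
  return rows.map(({ test, browser, handler, args }) => ({
    test, browser, handler, verdict: classifyErrorArgs(...args),
  }));
}

// Builds a handler suitable for window.onerror / frames[0].onerror that records
// which window's handler ran and the verdict. Returning false leaves the
// browser's default error reporting in place.
function makeOnError(name, report) {
  return function (msg, file, line) {
    report({ handler: name, verdict: classifyErrorArgs(msg, file, line), msg, file, line });
    return false;
  };
}
```

In a page, `window.onerror = makeOnError('parent', send)` and `frames[0].onerror = makeOnError('child', send)` would record both which handler fired and how much detail it received, with `send` standing in for whatever reporting function is used.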