- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 13 Nov 2012 09:19:18 -0800
- To: Simon Pieters <simonp@opera.com>
- Cc: whatwg <whatwg@lists.whatwg.org>, Olli Pettay <opettay@mozilla.com>
On 11/13/12 3:31 AM, Simon Pieters wrote:
> onload=function(){
>   onerror=function(a,b,c){alert('parent: '+[a,b,c].join(' '));};
>   frames[0].onerror=function(a,b,c){alert('child: '+[a,b,c].join(' '));};
>   frames[0].setTimeout(function(){ throw 'oops' }, 0);
> };
...
> Opera and Chrome use child and taint (alert says "child: Script error.
> 0").

OK.

> Firefox uses child, taints the url and line arguments but not the message
> argument (alert says "child: uncaught exception: oops 0").

Actually, Firefox is not tainting anything here. A manually thrown string exception like that in Spidermonkey just seems to not have a url and line number attached to it.

I believe right now Gecko uses the effective script origin for determining whether to taint, so in your case the two pages are actually same-origin for tainting purposes in Gecko.

> IE8 uses parent and doesn't taint (alert says "parent: Exception thrown
> and not caught http://example.org/001.html 7").

Indeed. I'm working on switching Gecko to using the parent in this case (and still not tainting, of course).

> I also tested the same as the above but with a string argument to
> setTimeout with a syntax error.

This one is simpler in terms of which error handler to use, because the string is compiled in the child to start with. Though I agree it's very interesting for tainting purposes! What does Opera base its tainting decision on here, exactly? The actual origin of the script that made the setTimeout call (as opposed to the origin it has due to being loaded by some web page)? Or just its page's origin? Or does it track origins on individual strings?

-Boris
Received on Tuesday, 13 November 2012 17:28:15 UTC
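The "tainting" the thread keeps returning to is what the HTML spec later codified as a script's "muted errors" flag: an exception coming from a script whose response was cross-origin and not CORS-same-origin reaches window.onerror as "Script error." with an empty URL and line 0, so that a page cannot learn the contents of a third-party script through its error messages. The model below is an added example written for this page, not code from the thread or from any browser; the function names (mustMute, onerrorArgs, alertText) and the sample reports are constructed here, and the rule encoded is the spec's muted-errors rule, not whatever Opera, Chrome or Gecko did in 2012. It also shows the practitioner caveat: the same cross-origin script stops being muted once it is loaded with a crossorigin attribute and served with a matching Access-Control-Allow-Origin header.

```javascript
// Added example (not from the whatwg thread): a model of the "muted errors"
// rule window.onerror applies to exceptions from cross-origin scripts.
// Function names and the sample reports below are assumptions made here.

// A report describes where the failing script came from and what was thrown.
//   pageOrigin     origin of the document whose window.onerror is invoked
//   scriptOrigin   origin the script's bytes were actually fetched from
//   corsSameOrigin true only if it was loaded with a crossorigin attribute
//                  and the response carried a matching Access-Control-Allow-Origin
function mustMute(report) {
  const crossOrigin = report.scriptOrigin !== report.pageOrigin;
  return crossOrigin && !report.corsSameOrigin;
}

// The five arguments handed to window.onerror: (message, source, lineno, colno, error).
// A muted report is exactly the fixed tuple below, nothing from the script leaks.
function onerrorArgs(report) {
  if (mustMute(report)) {
    return ['Script error.', '', 0, 0, null];
  }
  return [report.message, report.url, report.line, report.col, report.error];
}

// Reproduces the alert text built by the handlers quoted in the thread,
// i.e. prefix + [a,b,c].join(' ') over the first three onerror arguments.
function alertText(prefix, args) {
  return prefix + args.slice(0, 3).join(' ');
}

// Constructed sample reports (not measured from any browser).
const sameOriginReport = {
  pageOrigin: 'https://example.org',
  scriptOrigin: 'https://example.org',
  corsSameOrigin: true,
  message: 'uncaught exception: oops',
  url: 'https://example.org/001.html',
  line: 7,
  col: 1,
  error: new Error('oops'),
};

// Third-party script pulled in with a plain <script src> and no CORS headers.
const thirdPartyReport = Object.assign({}, sameOriginReport, {
  scriptOrigin: 'https://cdn.example.net',
  corsSameOrigin: false,
  url: 'https://cdn.example.net/lib.js',
  line: 1234,
  col: 56,
});

// Same third-party script, but loaded with crossorigin="anonymous" and served
// with Access-Control-Allow-Origin: https://example.org (or *).
const thirdPartyCorsReport = Object.assign({}, thirdPartyReport, {
  corsSameOrigin: true,
});

function demo() {
  return {
    sameOrigin: alertText('parent: ', onerrorArgs(sameOriginReport)),
    thirdParty: alertText('parent: ', onerrorArgs(thirdPartyReport)),
    thirdPartyCors: alertText('parent: ', onerrorArgs(thirdPartyCorsReport)),
  };
}

console.log(demo());
```

Note that with the muted tuple the URL argument is the empty string, so the join(' ') used in the thread's handlers yields two consecutive spaces before the 0; that is the same "Script error. 0" shape the thread quotes from Opera and Chrome. The CORS case is the fix to reach for when an error-reporting endpoint only ever sees "Script error." for scripts hosted on a CDN.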