Re: [whatwg] Spec for handling runtime script errors doesn't seem to match reality

On Tue, 13 Nov 2012 18:19:18 +0100, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 11/13/12 3:31 AM, Simon Pieters wrote:
>> onload=function(){
>>    onerror=function(a,b,c){alert('parent: '+[a,b,c].join(' '));};
>>    frames[0].onerror=function(a,b,c){alert('child: '+[a,b,c].join(' '));};
>>    frames[0].setTimeout(function(){ throw 'oops' }, 0);
>> };
> ...
>> Opera and Chrome use child and taint (alert says "child: Script error.
>> 0").
>
> OK.
>
>> Firefox uses child taints the url and line arguments but not the message
>> argument (alert says "child: uncaught exception: oops  0").
>
> Actually, Firefox is not tainting anything here.  A manually thrown  
> string exception like that in Spidermonkey just seems to not have a url  
> and line number attached to it.
>
> I believe right now Gecko uses the effective script origin for  
> determining whether to taint, so in your case the two pages are actually  
> same-origin for tainting purposes in Gecko.
>
>> IE8 uses parent and doesn't taint (alert says "parent: Exception thrown
>> and not caught http://example.org/001.html 7").
>
> Indeed.  I'm working on switching Gecko to using the parent in this case  
> (and still not tainting, of course).
>
>> I also tested the same as the above but with a string argument to
>> setTimeout with a syntax error.
>
> This one is simpler in terms of which error handler to use, because the  
> string is compiled in the child to start with.  Though I agree it's very  
> interesting for tainting purposes!
>
> What does Opera base its tainting decision on here, exactly?  The actual  
> origin of the script that made the setTimeout call (as opposed to the  
> origin it has due to being loaded by some web page)?  Or just its page's  
> origin?  Or does it track origins on individual strings?
>
> -Boris

I asked our implementor to answer this.

[[
Opera compares the script's URL (the string that gets sent as second  
argument to onerror) with the security context of the document in which  
the onerror handler runs (in my example, basically  
frames[0].location.href).

The script's URL is the URL from which the script's source was fetched  
(the document for inline scripts or <script src="...">). The script's  
source in question is the source that contains the row where the error  
occurred (according to the information we'd send as argument to onerror).

For the case where frames[0].setTimeout is called with a string argument,  
we compile it in the frames[0] context, but send the called script's URL  
as the new script's URL.
]]

HTH

-- 
Simon Pieters
Opera Software

Received on Wednesday, 14 November 2012 12:14:30 UTC
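The following is an added example, not code from the thread or from Opera: it models the tainting rule the implementor describes (compare the script's URL with the origin of the document whose onerror handler runs; cross-origin reports collapse to "Script error.", an empty URL and line 0) together with the setTimeout(string) case, where the compiled string carries the calling script's URL. The document URLs, the line numbers and the error messages are constructed for illustration; which window's handler is chosen for a given case is passed in explicitly rather than decided by the code, since that is exactly what the browsers in the thread disagree on.

```javascript
// Added example: a model of Opera's onerror tainting decision as described in the
// thread. Runs offline in Node.js (URL is a global); all URLs and line numbers
// below are constructed, not taken from a real page.

// Two URLs share an origin when scheme and host (including any non-default port)
// match; the WHATWG URL parser normalises default ports away for us.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// What the engine knows about an uncaught error: the message, the URL the failing
// source was fetched from (the document for inline scripts, the src for external
// ones) and the row within that source.
function makeReport(message, scriptUrl, line) {
  return { message, scriptUrl, line };
}

// The rule the implementor describes: compare the script's URL (what would be sent
// as the second onerror argument) with the security context of the document whose
// handler runs. Cross-origin reports are tainted to the fixed triple.
function argsForHandler(report, handlerDocumentUrl) {
  if (sameOrigin(report.scriptUrl, handlerDocumentUrl)) {
    return [report.message, report.scriptUrl, report.line];
  }
  return ['Script error.', '', 0];
}

// frames[0].setTimeout(string, 0): the string is compiled in the child's context,
// but the new script is given the calling script's URL, so the comparison above is
// made against the caller's URL, not the child's document.
function reportForTimeoutString(message, callerScriptUrl, line) {
  return makeReport(message, callerScriptUrl, line);
}

// Same formatting as the handlers in the thread's test page: [a, b, c].join(' ').
function alertText(prefix, args) {
  return prefix + ': ' + args.join(' ');
}

// Constructed scenario (assumed URLs): parent page on one host, child frame on another.
const PARENT_DOC = 'http://example.org/001.html';
const CHILD_DOC = 'http://example.net/frame.html';

// Walks the three cases discussed and returns the alert text each handler would show.
function demo() {
  // A function defined in the parent's inline script, thrown from a timer in the child.
  const thrownFromParentFunction = makeReport('oops', PARENT_DOC, 7);

  return {
    // Child's handler runs (Opera/Chrome in the thread): cross-origin, so tainted.
    childHandler: alertText('child', argsForHandler(thrownFromParentFunction, CHILD_DOC)),
    // Parent's handler runs (IE8 in the thread): same-origin, so the full report.
    parentHandler: alertText('parent', argsForHandler(thrownFromParentFunction, PARENT_DOC)),
    // setTimeout with a string containing a syntax error, compiled in the child but
    // carrying the parent script's URL: still cross-origin for the child's handler.
    timeoutString: alertText('child',
      argsForHandler(reportForTimeoutString('SyntaxError', PARENT_DOC, 1), CHILD_DOC)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The two spaces in "Script error.  0" are not a typo: the empty URL still occupies its slot in the join, which is the same output the thread reports for Opera and Chrome.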