[whatwg] window.onerror and cross-origin scripts
simonp at opera.com
Tue Sep 20 14:40:01 PDT 2011
We're implementing window.onerror in Opera. In order to not expose the URL
of redirects in cross-origin resources with window.onerror, errors from
cross-origin scripts are masked in Gecko and WebKit, i.e. instead of
invoking window.onerror with a useful error message, a URL and the line
number, it's invoked with "Script error.", "", 0.
This makes window.onerror rather useless for cross-origin scripts.
However, it is still possible to tell if the user is logged in or not if a
site serves a script for a particular URL when the user is logged in and
redirects to the home page or so when the user is not logged in. We have
found a bank site where this is possible. There are other ways to tell if
the user is logged in, however it seems we should try to keep them to a
minimum. Therefore we suggest that window.onerror should not be invoked at
all for errors in cross-origin scripts.
More information about the whatwg