[whatwg] window.onerror and cross-origin scripts

Simon Pieters simonp at opera.com
Thu Sep 22 07:02:30 PDT 2011


On Wed, 21 Sep 2011 19:36:23 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:

> On 9/21/11 5:25 AM, Simon Pieters wrote:
>> Oops. Bogus testing on my part. We do support <script onload>. Will have
>> to investigate whether we should change our behavior for the
>> cross-origin case.
>
> One other thing.
>
> Are we talking about error events fired on the <script> element?
>
> Or error events fired on the window due to exceptions thrown by a script?
>
> Or both?
>
> Your initial post seemed to be about the latter, but expressed concerns  
> that are applicable to both to some extent....

I was talking about window.onerror. <script onerror> per spec fires for  
empty src="", unresolvable URL and network errors (DNS or 404). If we want  
to make onload always fire for cross-origin, it would make sense for  
<script onerror> to not fire for network errors. (Opera doesn't fire error  
on script, assuming my testing isn't bogus this time.)

I don't know if it's worth it to try to plug this hole this way, however.  
We won't be able to plug it everywhere, e.g. <img> will expose if an image  
is loaded. So masking onload/onerror for script just makes the feature  
less useful without solving the problem. Maybe we should instead focus on  
implementing the From-Origin header and try to get sites to use that.

-- 
Simon Pieters
Opera Software



More information about the whatwg mailing list