[whatwg] window.onerror and cross-origin scripts
Simon Pieters
simonp at opera.com
Tue Sep 20 14:40:01 PDT 2011

We're implementing window.onerror in Opera. In order to not expose the URL
of redirects in cross-origin resources with window.onerror, errors from
cross-origin scripts are masked in Gecko and WebKit, i.e. instead of
invoking window.onerror with a useful error message, a URL and the line
number, it's invoked with "Script error.", "", 0.

http://www.w3.org/Bugs/Public/show_bug.cgi?id=14177
https://bugzilla.mozilla.org/show_bug.cgi?id=568564

This makes window.onerror rather useless for cross-origin scripts.
However, it is still possible to tell if the user is logged in or not if a
site serves a script for a particular URL when the user is logged in and
redirects to the home page or so when the user is not logged in. We have
found a bank site where this is possible. There are other ways to tell if
the user is logged in; however, it seems we should try to keep them to a
minimum. Therefore we suggest that window.onerror should not be invoked at
all for errors in cross-origin scripts.

Thoughts?

--
Simon Pieters
Opera Software
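
Added example, not part of the original message and not browser code: a simplified model of what an embedding page's window.onerror receives under three reporting policies, showing why masking still leaves the handler's invocation itself observable. The origins, URLs, response bodies, policy names and function names are all constructed assumptions.

```javascript
// Simplified model of window.onerror reporting for a <script src> load.
// All URLs and response bodies are constructed sample data.
const PAGE = 'https://embedder.example/page.html';
const RESPONSES = {
  loggedIn:  { requested: 'https://bank.example/account.js',
               final:     'https://bank.example/account.js',
               body:      'var account = {};' },
  loggedOut: { requested: 'https://bank.example/account.js',
               final:     'https://bank.example/',          // redirect to home page
               body:      '<!DOCTYPE html><title>Home</title>' },
};

// Parse the body as script; return error details, or null if it parses cleanly.
function loadScript(res) {
  try {
    new Function(res.body); // parse only, never called
    return null;
  } catch (e) {
    return { message: e.message, url: res.final, line: 1 };
  }
}

// Arguments passed to window.onerror under a policy, or null if not invoked.
function onerrorArgs(policy, pageUrl, res) {
  const err = loadScript(res);
  if (err === null) return null;
  const pageOrigin = new URL(pageUrl).origin;
  const crossOrigin = [res.requested, res.final]
    .some((u) => new URL(u).origin !== pageOrigin);
  if (!crossOrigin || policy === 'unmasked') return [err.message, err.url, err.line];
  if (policy === 'masked') return ['Script error.', '', 0]; // Gecko/WebKit behaviour
  return null; // 'suppressed': the proposal in this message
}

// True when the embedding page sees different handler behaviour for the two states.
function distinguishable(policy) {
  const a = onerrorArgs(policy, PAGE, RESPONSES.loggedIn);
  const b = onerrorArgs(policy, PAGE, RESPONSES.loggedOut);
  return JSON.stringify(a) !== JSON.stringify(b);
}

for (const p of ['unmasked', 'masked', 'suppressed']) {
  console.log(p, onerrorArgs(p, PAGE, RESPONSES.loggedOut), distinguishable(p));
}
```

In this model only the suppressed policy makes the two responses indistinguishable through window.onerror; it says nothing about the other channels the message mentions.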