[whatwg] window.onerror and cross-origin scripts

Bjoern Hoehrmann derhoermi at gmx.net
Tue Sep 20 15:19:32 PDT 2011

* Simon Pieters wrote:
>This makes window.onerror rather useless for cross-origin scripts.  
>However, it is still possible to tell if the user is logged in or not if a  
>site serves a script for a particular URL when the user is logged in and  
>redirects to the home page or so when the user is not logged in. We have  
>found a bank site where this is possible. There are other ways to tell if  
>the user is logged in, however it seems we should try to keep them to a  
>minimum. Therefore we suggest that window.onerror should not be invoked at  
>all for errors in cross-origin scripts.

I note there are at least two other ways to minimize the disclosure pro-
blem here, which is due to a bug on the bank's site, and it seems quite
likely there should be many more ways to check whether the script loaded
(like checking for global variables it sets, markup it might add, mess
with event listeners it might register, and so on): limit this to the
"cookie domain" and basing the decision on the media type of responses. 

Either would disclose more, but taking away the ability to issue alerts
when there are too many scripting errors (new browser update pushed to
users that you did not catch in advance is incompatible with script, as
an example) short of having people add "script_xy_loaded_okay" data to
the scripting environment, which might be a new source of leaks when it
is used incorrectly, is a bit of a problem, even if the rule that you do
not get errors from "cross-origin" loads is certainly the most simple.
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 

More information about the whatwg mailing list