[whatwg] window.onerror and cross-origin scripts
simonp at opera.com
Thu Sep 22 07:02:30 PDT 2011
On Wed, 21 Sep 2011 19:36:23 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 9/21/11 5:25 AM, Simon Pieters wrote:
>> Oops. Bogus testing on my part. We do support <script onload>. Will have
>> to investigate whether we should change our behavior for the
>> cross-origin case.
> One other thing.
> Are we talking about error events fired on the <script> element?
> Or error events fired on the window due to exceptions thrown by a script?
> Or both?
> Your initial post seemed to be about the latter, but expressed concerns
> that are applicable to both to some extent....
I was talking about window.onerror. <script onerror> per spec fires for
empty src="", unresolvable URL and network errors (DNS or 404). If we want
to make onload always fire for cross-origin, it would make sense for
<script onerror> to not fire for network errors. (Opera doesn't fire error
on script, assuming my testing isn't bogus this time.)
I don't know if it's worth it to try to plug this hole this way, however.
We won't be able to plug it everywhere, e.g. <img> will expose if an image
is loaded. So masking onload/onerror for script just makes the feature
less useful without solving the problem. Maybe we should instead focus on
implementing the From-Origin header and try to get sites to use that.
More information about the whatwg