[whatwg] Spec for handling runtime script errors doesn't seem to match reality

[Boris Zbarsky]

On 11/13/12 3:31 AM, Simon Pieters wrote:
> onload=function(){
>    onerror=function(a,b,c){alert('parent: '+[a,b,c].join(' '));};
>    frames[0].onerror=function(){alert('child: '+[a,b,c].join(' '));};
>    frames[0].setTimeout(function(){ throw 'oops' }, 0);
> };
...
> Opera and Chrome use child and taint (alert says "child: Script error.
> 0").

OK.

> Firefox uses child taints the url and line arguments but not the message
> argument (alert says "child: uncaught exception: oops  0").

Actually, Firefox is not tainting anything here.  A manually thrown 
string exception like that in Spidermonkey just seems to not have a url 
and line number attached to it.

I believe right now Gecko uses the effective script origin for 
determining whether to taint, so in your case the two pages are actually 
same-origin for tainting purposes in Gecko.

> IE8 uses parent and doesn't taint (alert says "parent: Exception thrown
> and not caught http://example.org/001.html 7").

Indeed.  I'm working on switching Gecko to using the parent in this case 
(and still not tainting, of course).

> I also tested the same as the above but with a string argument to
> setTimeout with a syntax error.

This one is simpler in terms of which error handler to use, because the 
string is compiled in the child to start with.  Though I agree it's very 
interesting for tainting purposes!

What does Opera base its tainting decision on here, exactly?  The actual 
origin of the script that made the setTimeout call (as opposed to the 
origin it has due to being loaded by some web page)?  Or just its page's 
origin?  Or does it track origins on individual strings?

-Boris