[Webkit-unassigned] [Bug 151548] New: Errors in CORS scripts are oversanitized

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Nov 22 10:39:13 PST 2015


https://bugs.webkit.org/show_bug.cgi?id=151548

            Bug ID: 151548
           Summary: Errors in CORS scripts are oversanitized
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ekohler+webkit at gmail.com

A page on domain A includes a script on domain B with `crossorigin="anonymous"`. B serves the script with `Access-Control-Allow-Origin: *`. The script sets a `window.onerror` handler.

The expected behavior is that errors are not sanitized, and the `onerror` handler gets full error information. This is what happens in Chrome (46.0.2490.80) and Firefox (36.0.1, 42). I think older Safari versions also acted this way.

Safari (9.0.1 (11601.2.7.2) and nightly (r192726)) implements strictly less useful behavior. If the error occurs in the domain-A page, full error information is provided. But if the error occurs *in the domain-B script*, the error is sanitized.

Page showing the problem:
http://www.lcdf.org/~eddietwo/test-cors-script.html

Firefox output:
TypeError: cause_error.error is not a function
ReferenceError: x is not defined

Chrome output:
Uncaught TypeError: cause_error.error is not a function
Uncaught ReferenceError: x is not defined

Safari/WebKit output:
Script error.
ReferenceError: Can't find variable: x

-- 
You are receiving this mail because:
You are the assignee for the bug.
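
The behaviour the report expects matches the HTML Standard's "muted errors" rule for classic scripts. The sketch below models that decision and what a `window.onerror` handler receives; it is an added example, not code from the report or from WebKit, and the function names, origins and URLs in it are constructed for illustration.

```javascript
// Added illustration of the "muted errors" decision for a classic <script>.
// Function names and the sample origins/URLs are hypothetical.

// CORS check on the script response, as seen from the including page.
function corsCheckPasses(pageOrigin, mode, headers) {
  const allow = headers['access-control-allow-origin'];
  if (mode === 'use-credentials') {
    // Credentialed requests may not be satisfied by the wildcard.
    return allow === pageOrigin &&
      headers['access-control-allow-credentials'] === 'true';
  }
  return allow === '*' || allow === pageOrigin;
}

// Returns 'full' (errors reported in detail), 'muted' (sanitized),
// or 'blocked' (CORS check failed, so the script never runs).
function scriptErrorVisibility({ pageUrl, scriptUrl, crossorigin, headers = {} }) {
  const pageOrigin = new URL(pageUrl).origin;
  if (new URL(scriptUrl).origin === pageOrigin) return 'full';
  // No crossorigin attribute: no-cors fetch, opaque response, errors muted.
  if (crossorigin === undefined) return 'muted';
  // Any attribute value other than "use-credentials" means anonymous mode.
  const mode = crossorigin === 'use-credentials' ? 'use-credentials' : 'anonymous';
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return corsCheckPasses(pageOrigin, mode, lower) ? 'full' : 'blocked';
}

// Arguments (message, source, line, column, error) passed to window.onerror.
// The exact message prefix for unmuted errors varies by engine.
function onerrorArguments(visibility, err, scriptUrl, line, col) {
  if (visibility === 'blocked') return null;
  if (visibility === 'muted') return ['Script error.', '', 0, 0, null];
  return [`${err.name}: ${err.message}`, scriptUrl, line, col, err];
}

// The report's setup: page on A, script on B, anonymous mode, wildcard ACAO.
const reported = scriptErrorVisibility({
  pageUrl: 'https://a.example/page.html',
  scriptUrl: 'https://b.example/lib.js',
  crossorigin: 'anonymous',
  headers: { 'Access-Control-Allow-Origin': '*' },
});
console.log(reported,
  onerrorArguments(reported, new ReferenceError('x is not defined'),
    'https://b.example/lib.js', 3, 1)[0]);
```

Under this model the reported configuration yields unsanitized errors wherever the exception is thrown, and "Script error." appears only when the `crossorigin` attribute is absent.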