<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Errors in CORS scripts are oversanitized"
href="https://bugs.webkit.org/show_bug.cgi?id=151548">151548</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Errors in CORS scripts are oversanitized
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>ekohler+webkit@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>A page on domain A includes a script on domain B with `crossorigin="anonymous"`. B serves the script with `Access-Control-Allow-Origin: *`. The script sets a `window.onerror` handler.
The expected behavior is that errors are not sanitized, and the `onerror` handler gets full error information. This is what happens in Chrome (46.0.2490.80) and Firefox (36.0.1, 42). I think older Safari versions also acted this way.
Safari (9.0.1 (11601.2.7.2) and nightly (r192726)) implements strictly less useful behavior. If the error occurs in the domain-A page, full error information is provided. But if the error occurs *in the domain-B script*, the error is sanitized.
Page showing the problem:
<a href="http://www.lcdf.org/~eddietwo/test-cors-script.html">http://www.lcdf.org/~eddietwo/test-cors-script.html</a>
Firefox output:
TypeError: cause_error.error is not a function
ReferenceError: x is not defined
Chrome output:
Uncaught TypeError: cause_error.error is not a function
Uncaught ReferenceError: x is not defined
Safari/WebKit output:
Script error.
ReferenceError: Can't find variable: x</pre>
</div>
</p>
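<p>The behaviour the report expects follows the "muted errors" flag that the HTML Standard attaches to classic scripts. The JavaScript below is an added example, not part of the original report and not WebKit code: it models what `window.onerror` receives in each case, and the function names and the a.example / b.example origins are assumptions.</p>
<pre>
```javascript
// Added model, not WebKit code. Function names are hypothetical; header keys are lowercased.
const SANITIZED = { message: "Script error.", filename: "", lineno: 0, colno: 0 };

// CORS check applied to the script response when a crossorigin attribute is present.
function corsCheckPasses(pageOrigin, crossorigin, headers) {
  const acao = headers["access-control-allow-origin"];
  if (crossorigin === "use-credentials") {
    // Credentialed fetch: the wildcard is not accepted, and credentials must be allowed.
    if (acao !== pageOrigin) return false;
    return headers["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// Returns "unmuted", "muted" or "blocked" for one script element.
function classifyScript(script) {
  const scriptOrigin = new URL(script.src).origin;
  if (scriptOrigin === script.pageOrigin) return "unmuted";
  // No crossorigin attribute: no-cors fetch, opaque response, errors are muted.
  if (script.crossorigin === null) return "muted";
  const ok = corsCheckPasses(script.pageOrigin, script.crossorigin, script.headers);
  // A failed CORS check is a network error: the script never executes.
  return ok ? "unmuted" : "blocked";
}

// What window.onerror receives for an error thrown inside the script.
function reportedError(script, error) {
  const state = classifyScript(script);
  if (state === "blocked") return null;
  if (state === "muted") return { ...SANITIZED };
  return { message: error.message, filename: script.src, lineno: error.lineno, colno: error.colno };
}

// Constructed sample: the setup from the report, with placeholder origins.
const thrown = { message: "TypeError: cause_error.error is not a function", lineno: 3, colno: 15 };
const reportCase = {
  pageOrigin: "https://a.example",
  src: "https://b.example/handler.js",
  crossorigin: "anonymous",
  headers: { "access-control-allow-origin": "*" },
};
console.log(reportedError(reportCase, thrown));
console.log(reportedError({ ...reportCase, crossorigin: null }, thrown));
```
</pre>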
</body>
</html>