NEW 119508
Explicitly test same/cross-origin importScripts() effect on worker.onerror 
https://bugs.webkit.org/show_bug.cgi?id=119508
Summary Explicitly test same/cross-origin importScripts() effect on worker.onerror
Ryosuke Niwa
Reported 2013-08-05 19:56:02 PDT
Consider merging tests added in https://chromium.googlesource.com/chromium/blink/+/94edc6173e6605b221187d62bccf2f77d2a7818c We currently have a single test that checks behavior when calling importScripts() on a URL that redirects from same-origin to cross-origin. This patch adds tests for cross-origin and same-origin scripts, and updates the tests to use js-test-pre.js. Currently we have some weird behavior for cross-origin scripts. The message is sanitized, the URL is set to the worker JS file, and the line number is the call to 'importScripts'. Firefox has different weird behavior: the message is unsanitized, but the URL and line number are emptied. I think it's reasonable to leave the expectations as they are, but our eventual goal should be to sanitize these errors in the same way that we do normal cross-origin messages.
Attachments
Add attachment proposed patch, testcase, etc.
Oliver Hunt
Comment 1 2013-08-05 20:01:40 PDT
(In reply to comment #0) > Consider merging tests added in https://chromium.googlesource.com/chromium/blink/+/94edc6173e6605b221187d62bccf2f77d2a7818c > > We currently have a single test that checks behavior when calling > importScripts() on a URL that redirects from same-origin to cross-origin. > This patch adds tests for cross-origin and same-origin scripts, and updates > the tests to use js-test-pre.js. > > Currently we have some weird behavior for cross-origin scripts. The > message is sanitized, the URL is set to the worker JS file, and the line > number is the call to 'importScripts'. > > Firefox has different weird behavior: the message is unsanitized, but > the URL and line number are emptied. > > I think it's reasonable to leave the expectations as they are, but our > eventual goal should be to sanitize these errors in the same way that we > do normal cross-origin messages. The reason for cross origin sanitization in the normal case is that <script> allows cross origin loads, workers don't (sans the CORS bits)
Mike West
Comment 2 2013-08-07 03:20:18 PDT
Workers allow cross-origin loads via importScript. Exceptions generated inside the imported scripts are the case I was interested in at the time.
Mike West
Comment 3 2013-08-07 04:01:54 PDT
(In reply to comment #2) > Workers allow cross-origin loads via importScript. Exceptions generated inside the imported scripts are the case I was interested in at the time. That wasn't a clear comment, sorry. I know you know this, since you wrote a huge chunk of the code I'm poking at, but just for clarity: The point of adding the tests was to ensure that our sanitization does what's specced: for cross-origin exceptions, "... then set message to "Script error.", set location to the empty string, set line and col to 0, and set error object to null." Not a big bug, of course.
Note You need to log in before you can comment on or make changes to this bug.