Error Messages are not given to the onerror callback when script is hosted on different domain than site. The following Bug has regressed: https://bugs.webkit.org/show_bug.cgi?id=70574 Try Testcase http://trackjs.com/demo/bug.html in Safari 7.
<rdar://problem/30270046>
https://errorception.com/docs/cors
This also appears to affect window.onunhandledrejection, except that in that case, the event isn't fired at all.
https://stackoverflow.com/questions/45844565/script-error-errors-in-window-onerror-in-safari-only This bug was open in 2014. Is there any plan to fix it?
ScriptExecutionContext::dispatchErrorEvent checks for CORS. If a CachedScript is provided, it works as expected. If the error is thrown synchronously when executing a script, I think sanitization will work as expected. In the particular stackoverflow case, the exception is thrown in an event handler so we do not have any CachedScript at hand. In that case, we rely on the sourceURL which is cross-origin. One option is to continue relying on the existing mechanism and ensure we pass a CachedScript& everywhere. Another option is to try to retrieve the sanitization information directly from the Exception, like we are retrieving the sourceURL/line... from it. It seems to me the latter would scale better.