Bug 132945 - Don't sanitize window.onerror information on crossorigin-enabled scripts
Summary: Don't sanitize window.onerror information on crossorigin-enabled scripts
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript (show other bugs)
Version: 528+ (Nightly build)
Hardware: Macintosh OS X 10.9
: P2 Normal
Assignee: Nobody
URL: https://codepen.io/astashov/pen/yoEvRB
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2014-05-15 02:00 PDT by Walt
Modified: 2019-01-18 15:33 PST (History)
13 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Walt 2014-05-15 02:00:21 PDT
Error Messages are not given to the onerror callback when script is hosted on different domain than site.
The following Bug has regressed: https://bugs.webkit.org/show_bug.cgi?id=70574
Try Testcase http://trackjs.com/demo/bug.html in Safari 7.
Comment 1 Radar WebKit Bug Importer 2017-01-30 12:52:45 PST
<rdar://problem/30270046>
Comment 2 Chris Dumez 2017-01-31 09:52:37 PST
https://errorception.com/docs/cors
Comment 3 Jonathan Clem 2018-11-15 15:27:38 PST
This also appears to affect window.onunhandledrejection, except that in that case, the event isn't fired at all.
Comment 4 bryct 2019-01-18 08:53:15 PST
https://stackoverflow.com/questions/45844565/script-error-errors-in-window-onerror-in-safari-only

This bug was open in 2014.  Is there any plan to fix it?
Comment 5 youenn fablet 2019-01-18 10:13:05 PST
ScriptExecutionContext::dispatchErrorEvent checks for CORS.
If a CachedScript is provided, it works as expected.

If the error is thrown synchronously when executing a script, I think sanitization will work as expected.

In the particular stackoverflow case, the exception is thrown in an event handler so we do not have any CachedScript at hand.
In that case, we rely on the sourceURL which is cross-origin.

One option is to continue relying on the existing mechanism and ensure we pass a CachedScript& everywhere.
Another option is to try to retrieve the sanitization information directly from the Exception, like we are retrieving the sourceURL/line... from it. It seems to me the latter would scale better.