A page on domain A includes a script on domain B with `crossorigin="anonymous"`. B serves the script with `Access-Control-Allow-Origin: *`. The script sets a `window.onerror` handler.

The expected behavior is that errors are not sanitized, and the `onerror` handler gets full error information. This is what happens in Chrome (46.0.2490.80) and Firefox (36.0.1, 42). I think older Safari versions also acted this way.

Safari (9.0.1 (11601.2.7.2) and nightly (r192726)) implements strictly less useful behavior. If the error occurs in the domain-A page, full error information is provided. But if the error occurs *in the domain-B script*, the error is sanitized.

Page showing the problem: http://www.lcdf.org/~eddietwo/test-cors-script.html

Firefox output:
TypeError: cause_error.error is not a function
ReferenceError: x is not defined

Chrome output:
Uncaught TypeError: cause_error.error is not a function
Uncaught ReferenceError: x is not defined

Safari/WebKit output:
Script error.
ReferenceError: Can't find variable: x
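The expected behavior in the report above follows the HTML Standard's "muted errors" rule for classic scripts. The sketch below is an added example, not part of the original report and not WebKit code; it models that rule plus a telemetry check for sanitized reports. The function names, the lower-cased header map and the `a.example`/`b.example` origins are assumptions made for illustration.

```javascript
// Added illustration of the HTML Standard's "muted errors" rule.
// All names here are hypothetical; they are not browser or WebKit APIs.

// Decide how a <script src> load is treated by a spec-conforming browser.
// Returns 'full' (errors unsanitized), 'muted' (sanitized) or 'blocked' (never runs).
// `headers` is assumed to use lower-cased header names.
function classifyScript({ pageOrigin, scriptUrl, crossorigin = null, headers = {} }) {
  const scriptOrigin = new URL(scriptUrl).origin;
  if (scriptOrigin === pageOrigin) return 'full';   // same-origin scripts are never muted
  if (crossorigin === null) return 'muted';         // no-cors fetch yields an opaque response
  const acao = headers['access-control-allow-origin'];
  if (crossorigin === 'use-credentials') {
    // Credentialed CORS: the wildcard is rejected and credentials must be allowed.
    const ok = acao === pageOrigin &&
      headers['access-control-allow-credentials'] === 'true';
    return ok ? 'full' : 'blocked';
  }
  // crossorigin="anonymous" (or an empty/unknown value): '*' or the exact origin passes.
  return acao === '*' || acao === pageOrigin ? 'full' : 'blocked';
}

// Arguments window.onerror(message, source, lineno, colno, error) would receive
// for an error thrown inside that script. Exact message text varies by browser.
function onerrorArgs(treatment, err, source, lineno, colno) {
  if (treatment === 'blocked') return null;         // script never executed
  if (treatment === 'muted') return ['Script error.', '', 0, 0, null];
  return [`${err.name}: ${err.message}`, source, lineno, colno, err];
}

// Telemetry-side check: flag reports that carry no usable detail.
function isSanitized([message, source, lineno, colno, error]) {
  return message === 'Script error.' && source === '' &&
    lineno === 0 && colno === 0 && error === null;
}

// Constructed sample matching the report: page on A, script on B,
// crossorigin="anonymous", Access-Control-Allow-Origin: *.
const reported = classifyScript({
  pageOrigin: 'https://a.example',
  scriptUrl: 'https://b.example/lib.js',
  crossorigin: 'anonymous',
  headers: { 'access-control-allow-origin': '*' },
});
console.log(reported); // treatment a conforming browser applies to the reported setup
```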
Still happens on Safari 9.1.1 on El Capitan 10.11.5. Verified that this also affects iOS Safari 9.3 to 8.4 at least. This is a major issue. Ran into this trying to fix error reporting for JS errors coming from our scripts fetched from CDN(s). This makes Safari a black hole of bugs, where no error information escapes. Cannot believe that no one bothered to look into this for over a year.
The issue does not seem to be related to CORS checks per se but more to how we keep/retrieve that information around. The main script element is inline, so there is no CachedScript, and the cachedScript passed to ScriptExecutionContext::sanitizeScriptError is the top-level script, which is inline, so it is null. We rely solely on the source URL, which is the one of the cross-origin subresource, hence the issue. I am not sure of the best way to retrieve the related CachedScript here. Or even if that should be done that way. Any insight?
Created attachment 459864: Safari 15.5 error differs from other browsers

I was able to reproduce this bug using Safari 15.5, and all other browsers in the screenshots show a consistent error. Thanks!