151548 – Errors in CORS scripts are oversanitized

Bug 151548 - Errors in CORS scripts are oversanitized

Summary: Errors in CORS scripts are oversanitized

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-11-22 10:39 PST by Eddie Kohler
Modified:	2022-05-31 09:55 PDT (History)
CC List:	12 users (show)

See Also:

Attachments
Safari 15.5 error differs from other browsers (1.42 MB, image/png) 2022-05-30 09:30 PDT, Ahmad Saleem	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Eddie Kohler 2015-11-22 10:39:13 PST

A page on domain A includes a script on domain B with `crossorigin="anonymous"`. B serves the script with `Access-Control-Allow-Origin: *`. The script sets a `window.onerror` handler.

The expected behavior is that errors are not sanitized, and the `onerror` handler gets full error information. This is what happens in Chrome (46.0.2490.80) and Firefox (36.0.1, 42). I think older Safari versions also acted this way.

Safari (9.0.1 (11601.2.7.2) and nightly (r192726)) implements strictly less useful behavior. If the error occurs in the domain-A page, full error information is provided. But if the error occurs *in the domain-B script*, the error is sanitized.

Page showing the problem:
http://www.lcdf.org/~eddietwo/test-cors-script.html

Firefox output:
TypeError: cause_error.error is not a function
ReferenceError: x is not defined

Chrome output:
Uncaught TypeError: cause_error.error is not a function
Uncaught ReferenceError: x is not defined

Safari/WebKit output:
Script error.
ReferenceError: Can't find variable: x

Comment 1 Arthur Buldauskas 2016-11-30 07:43:01 PST

Still happens on Safari 9.1.1 on a El Capitan 10.11.5
Verified that this also affects iOS Safari 9.3 to 8.4 at least.

This is a major issue. Ran into this trying to fix error reporting for JS errors coming from our scripts fetched from CDN(s). This makes Safari a black hole of bugs, where no error information escapes. 


Cannot believe that no one bothered to look into this for over a year.

Comment 2 youenn fablet 2016-12-01 08:12:55 PST

The issue does not seem to be related with CORS checks per se but more on how we keep/retriev that information around.

The main script element is inline so there is no CachedScript and 
The cachedScript passed to ScriptExecutionContext::sanitizeScriptError is the top-level script which is inline, so it is null.

We rely solely on the source URL, which is the one of the cross-origin subresource, hence the issue.
I am not sure of the best way to retrieve the related CachedScript here.
Or even if that should be done that way.

Any insight?

Comment 3 Ahmad Saleem 2022-05-30 09:30:02 PDT

Created attachment 459864 [details]
Safari 15.5 error differs from other browsers

I was able to reproduce this bug using Safari 15.5 and all other browsers in the screenshots shows consistent error. Thanks!