DescriptionAllow sites to enable detailed 'window.onerror' handlers for cross-domain scripts.
When triggering 'window.onerror', we currently sanitize the contents of
the error if the script in which the error occurred isn't from the same
origin as the document that loaded the script. Other major browsers (IE,
Firefox[1], and WebKit[2]) bypass this sanitization step iff the script
is served with appropriate 'Access-Control-Allow-Origin' headers that
grant the loading document access to the script's contents. Clever
developers agree[3] that this is a reasonable solution.
This patch aligns our behavior with those browsers by passing the
CORS state of a script through V8 so that it's available to us when
exceptions are thrown.
Note that this patch does not address the case of scripts imported
into Workers. Our behavior there is already poor; it will require a bit
more rework to correctly handle the basic case before moving on
to implementing CORS support.
Intent to Implement discussion at [4].
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=696301
[2]: https://bugs.webkit.org/show_bug.cgi?id=70574
[3]: http://www.schemehostport.com/2011/10/x-script-origin-we-hardly-knew-ye.html
[4]: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Li61lfcbWws/NuUUNofRciMJ
BUG=159566
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=155670
Patch Set 1 #Patch Set 2 : WTF::HashSet FTW! #
Total comments: 1
Patch Set 3 : Rework. #
Total comments: 11
Patch Set 4 : Rebase. #Messages
Total messages: 28 (0 generated)
|