<p>The "Script error." happens in Firefox, Safari, and Chrome when an exception violates the browser's <a href="http://en.wikipedia.org/wiki/Same_origin_policy" rel="noreferrer">same-origin policy</a> - i.e. when the error occurs in a script that's hosted on a domain other than the domain of the current page.</p> <p>This behavior is intentional, to prevent scripts from leaking information to external domains. For an example of why this is necessary, imagine accidentally visiting <code>evilsite.com</code>, that serves up a page with <code>&lt;script src="yourbank.com/index.html"&gt;</code>. (yes, we're pointing that script tag at html, not JS). This will result in a script error, but the error is interesting because it can tell us if you're logged in or not. If you're logged in, the error might be <code>'Welcome Fred...' is undefined</code>, whereas if you're not it might be <code>'Please Login ...' is undefined</code>. Something along those lines.</p> <p>If evilsite.com does this for the top 20 or so bank institutions, they'd have a pretty good idea of which banking sites you visit, and could provide a much more targeted phishing page. (This is just one example, of course. But it illustrates why browsers shouldn't allow <em>any</em> data to cross domain boundaries.)</p> <p>I've tested this in the latest versions of Safari, Chrome, and Firefox - they all do this. IE9 does not - it treats x-origin exceptions the same as same-origin ones. (And Opera doesn't support onerror.)</p> <p>From the horse's mouth: <a href="http://trac.webkit.org/browser/branches/chromium/648/Source/WebCore/dom/ScriptExecutionContext.cpp?rev=77122#L301" rel="noreferrer">WebKit source that checks origin</a> when passing exceptions to onerror().
And the <a href="https://dxr.mozilla.org/mozilla-beta/source/dom/base/nsJSEnvironment.cpp#464" rel="noreferrer">Firefox source that checks</a>.</p> <p><strong>UPDATE (10/21/11)</strong>: The <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=363897" rel="noreferrer">Firefox bug that tracks this issue</a> includes a link to the blog post that inspired this behavior. </p> <p><strong>UPDATE (12/2/14)</strong>: You can now enable full cross-domain error reporting on some browsers by specifying a <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script#attr-crossorigin" rel="noreferrer"><code>crossorigin</code> attribute</a> on script tags and having the server send the appropriate <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS" rel="noreferrer">CORS</a> HTTP response headers.</p>
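The rules described in the answer above, modelled as an added example (not code from the original answer or from any browser): the function predicts whether <code>window.onerror</code> gets full details, the generic "Script error.", or nothing because the script never ran. The name <code>errorVisibility</code> and the <code>app.example</code> / <code>cdn.example</code> URLs are constructed for illustration.

```javascript
// Added example: a model of the browser's decision, not browser source code.
// Returns "full"    -> onerror receives message, file and line
//         "muted"   -> onerror receives only "Script error."
//         "blocked" -> CORS check failed, the script is never executed
function errorVisibility(pageUrl, scriptUrl, crossoriginAttr, responseHeaders) {
  const pageOrigin = new URL(pageUrl).origin;     // scheme + host + port
  const scriptOrigin = new URL(scriptUrl).origin;
  if (pageOrigin === scriptOrigin) return "full"; // same origin: nothing to hide

  // No crossorigin attribute: no-cors fetch, opaque response, errors are muted.
  if (crossoriginAttr === null || crossoriginAttr === undefined) return "muted";

  // Attribute present: CORS-mode fetch. Any value other than "use-credentials"
  // (including the empty string) is treated as "anonymous".
  const withCredentials = crossoriginAttr.toLowerCase() === "use-credentials";
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value.trim();
  }
  const allowOrigin = headers["access-control-allow-origin"];

  if (withCredentials) {
    // Credentialed requests may not use the "*" wildcard.
    const ok = allowOrigin === pageOrigin &&
               headers["access-control-allow-credentials"] === "true";
    return ok ? "full" : "blocked";
  }
  return allowOrigin === "*" || allowOrigin === pageOrigin ? "full" : "blocked";
}

// Constructed sample cases (hypothetical hosts).
const PAGE = "https://app.example/dashboard";
const CDN = "https://cdn.example/lib.js";
function demo() {
  return {
    sameOrigin: errorVisibility(PAGE, "https://app.example/main.js", null, {}),
    plainTag: errorVisibility(PAGE, CDN, null, { "Access-Control-Allow-Origin": "*" }),
    anonymousOk: errorVisibility(PAGE, CDN, "anonymous", { "Access-Control-Allow-Origin": "*" }),
    attrNoHeader: errorVisibility(PAGE, CDN, "", {}),
    credsWildcard: errorVisibility(PAGE, CDN, "use-credentials", { "Access-Control-Allow-Origin": "*" }),
  };
}
console.log(demo());
```

The <code>attrNoHeader</code> case is the one to check before rollout: adding <code>crossorigin</code> to a tag whose server does not send the CORS headers stops the script from loading at all.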
 
