Issue 159566 Expose JS error messages to window.onerror in authorized cross-origin scripts
Starred by 39 users Reported by i...@jameside.com, Nov 6 2012
Status: Fixed
Owner: mkwst@chromium.org
Closed: Aug 2013
Cc: yu...@chromium.org
Components:
OS: Mac
Pri: 2
Type: Feature


UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.2 Safari/537.17

Steps to reproduce the problem:
1. Create a page with <script src="http://anotherorigin.example.com/example.js" crossorigin=anonymous></script> and a window.onerror handler
2. Have anotherorigin.example.com serve the script with "Access-Control-Allow-Origin: *" and make example.js throw an error
3. Print out the message, stack, and line number of the error. The message says "Script error." and the stack and line number are cleared.

What is the expected behavior?
Preserve the error details since the cross-origin script was sent with an Access-Control-Allow-Origin that gives the page full access to the script anyway.

What went wrong?
Chrome currently rewrites all error messages with "Script error." and clears the stack trace and line number when passing an error to the window.onerror handler if the error originated in a cross-origin script. Firefox 14+ relaxed this constraint when a script is loaded with the crossorigin attribute (crossOrigin IDL property) and the server responds with the appropriate Access-Control-Allow-Origin header.

This is a feature request to support this behavior in Chrome/V8.

Did this work before? No 

Chrome version: 24.0.1312.2  Channel: dev
OS Version: OS X 10.8.2

WebKit currently supports the crossorigin attribute and crossOrigin property, but they are not integrated with the JS engine. There is currently an open bug in WebKit's bug tracker (#97499), but I imagine the right people are more likely to see it over here.

Related bugs:
 - https://bugs.webkit.org/show_bug.cgi?id=97499 [V8] Don't sanitize window.onerror information on crossorigin-enabled scripts
 - https://bugs.webkit.org/show_bug.cgi?id=70574 [JSC] Don't sanitize window.onerror information on crossorigin-enabled scripts
 - https://bugzilla.mozilla.org/show_bug.cgi?id=696301 Allow sites to enable x-domain window.onerror information
 
Comment 1 by i...@jameside.com, Nov 6 2012
The rationale for this is that it enables error logging with window.onerror for scripts served from a static subdomain or CDN. Error messages from Firefox and IE are relatively descriptive while Chrome currently reports "Script error." which is only useful to detect the presence of an error.
Comment 2 by i...@jameside.com, Jan 3 2013
Opera added support for this a while ago as "CORE-44859 Allow sites to enable x-domain window.onerror information (implement <script crossorigin>)" (http://my.opera.com/desktopteam/blog/2012/08/03/summer-core-update) so Chrome is the last remaining major browser that doesn't support this feature at least in nightly builds.
My team and I would love to see this fixed.
Project Member Comment 4 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Webkit-JavaScript Cr-Content-JavaScript
Comment 5 by i...@jameside.com, Mar 19 2013
Is there additional information that could help prioritize this bug? Better error diagnosis is one of the best ways for us to improve the experience we ship to Chrome users, but currently we have to compromise between limited visibility into errors and performance degradation from serving JS from the origin. If a wide-scale example would help with testing, www.facebook.com requests static scripts with the crossorigin=anonymous attribute and the crossOrigin IDL property from a CDN with the appropriate CORS response.
Comment 6 by danno@chromium.org, Mar 19 2013
Owner: yangguo@chromium.org
Labels: -Type-Bug Type-Feature
Project Member Comment 8 by bugdroid1@chromium.org, Apr 5 2013
Labels: Cr-Blink
Project Member Comment 9 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content-JavaScript Cr-Blink-JavaScript
Comment 10 by yu...@chromium.org, May 13 2013
Cc: yu...@chromium.org
Labels: Hotlist-GoogleApps
Any updates on this?
That would be awesome to have!
Comment 13 by i...@jameside.com, Jun 20 2013
At Facebook we've seen some resource errors that have only been reported by Chrome users. These errors trigger window.onerror but not the script element's onerror handler, so more precise window.onerror messages would be quite helpful in this circumstance.
Thanks, Ide, for the additional information. Hearing that issues affect sites with large amounts of traffic helps bump them up in priority for us. Sorry that we haven't made progress on this particularly quickly up to this point.
Yang, when do you think you'll be able to take a look at this?
I haven't gotten around to this so far, but will add it to my queue.
Comment 17 by mkwst@chromium.org, Jul 23 2013
Owner: mkwst@chromium.org
I'm swiping this from you, Yang. Hope you don't mind.
Comment 18 by mkwst@chromium.org, Jul 23 2013
Status: Started
Summary: Expose JS error messages to window.onerror in authorized cross-origin scripts (was: Expose JS error messages and stack traces to window.onerror in authorized cross-origin scripts)
https://codereview.chromium.org/19596004/ is up for review.

The call-stack bits will be addressed in crbug.com/147127. Possibly by me if I can find some time. :)
Project Member Comment 19 by bugdroid1@chromium.org, Jul 24 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=154839

------------------------------------------------------------------------
r154839 | mkwst@chromium.org | 2013-07-24T18:18:06.090596Z

Changed paths:
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/resources/worker-importscripts-onerror-sameorigin.js?r1=154839&r2=154838&pathrev=154839
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/fast/js/resources/js-test-pre.js?r1=154839&r2=154838&pathrev=154839
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/worker-importScripts-onerror-redirect-to-crossorigin.html?r1=154839&r2=154838&pathrev=154839
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/worker-importScripts-onerror-crossorigin.html?r1=154839&r2=154838&pathrev=154839
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/resources/worker-importscripts-onerror-redirect-to-crossorigin.js?r1=154839&r2=154838&pathrev=154839
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/resources/worker-importscripts-onerror-crossorigin.js?r1=154839&r2=154838&pathrev=154839
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/worker-importScriptsOnError.html?r1=154839&r2=154838&pathrev=154839
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/resources/worker-importScripts-error.js?r1=154839&r2=154838&pathrev=154839
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/worker-importScripts-onerror-sameorigin-expected.txt?r1=154839&r2=154838&pathrev=154839
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/resources/js-test-pre.js?r1=154839&r2=154838&pathrev=154839
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/worker-importScripts-onerror-redirect-to-crossorigin-expected.txt?r1=154839&r2=154838&pathrev=154839
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/worker-importScripts-onerror-crossorigin-expected.txt?r1=154839&r2=154838&pathrev=154839
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/workers/worker-importScripts-onerror-sameorigin.html?r1=154839&r2=154838&pathrev=154839

Explicitly test same/cross-origin importScripts() effect on worker.onerror.

We currently have a single test that checks behavior when calling
importScripts() on a URL that redirects from same-origin to cross-origin.
This patch adds tests for cross-origin and same-origin scripts, and updates
the tests to use js-test-pre.js.

Currently we have some weird behavior for cross-origin scripts. The
message is sanitized, the URL is set to the worker JS file, and the line
number is the call to 'importScripts'.

Firefox has different weird behavior: the message is unsanitized, but
the URL and line number are emptied.

I think it's reasonable to leave the expectations as they are, but our
eventual goal should be to sanitize these errors in the same way that we
do normal cross-origin messages.

BUG= 159566 
R=ch.dumez@sisa.samsung.com

Review URL: https://codereview.chromium.org/19514006
------------------------------------------------------------------------
Comment 20 by bro...@gmail.com, Jul 26 2013
FWIW, a basic test case can be found at http://www.broofa.com/tests/crossorigin/
Project Member Comment 21 by bugdroid1@chromium.org, Jul 27 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=155058

------------------------------------------------------------------------
r155058 | mkwst@chromium.org | 2013-07-27T22:19:12.183327Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/ScriptExecutionContext.cpp?r1=155058&r2=155057&pathrev=155058
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/ScriptExecutionContext.h?r1=155058&r2=155057&pathrev=155058

Drop CachedScript from ScriptExecutionContext.

The CachedScript* parameters to the various 'onerror' handler methods on
ScriptExecutionContext are an artifact of the JSC implementation in
WebKit. Blink will implement the sanitization functionality differently,
which means we can safely remove the CachedScript references to clean
things up a bit.

BUG= 159566 

Review URL: https://chromiumcodereview.appspot.com/20883003
------------------------------------------------------------------------
Comment 22 by mkwst@chromium.org, Jul 30 2013
https://code.google.com/p/v8/source/detail?r=15963 landed today. Once that patch rolls into Chromium, I hope to land https://codereview.chromium.org/19596004/ to enable the feature.
Project Member Comment 23 by bugdroid1@chromium.org, Aug 7 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/blink?view=rev&rev=155670

------------------------------------------------------------------------
r155670 | mkwst@chromium.org | 2013-08-07T09:26:20.236823Z

Changed paths:
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-crossorigin-onerror-information-expected.txt?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/bindings/v8/ScriptController.cpp?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/ScriptLoader.cpp?r1=155670&r2=155669&pathrev=155670
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-onerror-no-crossorigin-no-cors-expected.txt?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/ScriptExecutionContext.cpp?r1=155670&r2=155669&pathrev=155670
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-onerror-crossorigin-cors.html?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/bindings/v8/V8ScriptRunner.cpp?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/bindings/v8/ScriptController.h?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/ScriptExecutionContext.h?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/bindings/v8/V8ScriptRunner.h?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/resources/cors-script.php?r1=155670&r2=155669&pathrev=155670
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-onerror-crossorigin-cors-expected.txt?r1=155670&r2=155669&pathrev=155670
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-onerror-crossorigin-no-cors.html?r1=155670&r2=155669&pathrev=155670
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-onerror-no-crossorigin-cors.html?r1=155670&r2=155669&pathrev=155670
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-no-crossorigin-onerror-should-be-sanitized.html?r1=155670&r2=155669&pathrev=155670
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-crossorigin-onerror-information.html?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/loader/CrossOriginAccessControl.h?r1=155670&r2=155669&pathrev=155670
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-onerror-crossorigin-no-cors-expected.txt?r1=155670&r2=155669&pathrev=155670
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-onerror-no-crossorigin-cors-expected.txt?r1=155670&r2=155669&pathrev=155670
   A http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-onerror-no-crossorigin-no-cors.html?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/bindings/v8/V8Initializer.cpp?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/bindings/v8/WorkerScriptController.cpp?r1=155670&r2=155669&pathrev=155670
   D http://src.chromium.org/viewvc/blink/trunk/LayoutTests/http/tests/security/script-no-crossorigin-onerror-should-be-sanitized-expected.txt?r1=155670&r2=155669&pathrev=155670
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/workers/WorkerMessagingProxy.cpp?r1=155670&r2=155669&pathrev=155670

Allow sites to enable detailed 'window.onerror' handlers for cross-domain scripts.

When triggering 'window.onerror', we currently sanitize the contents of
the error if the script in which the error occurred isn't from the same
origin as the document that loaded the script. Other major browsers (IE,
Firefox[1], and WebKit[2]) bypass this sanitization step iff the script
is served with appropriate 'Access-Control-Allow-Origin' headers that
grant the loading document access to the script's contents. Clever
developers agree[3] that this is a reasonable solution.

This patch aligns our behavior with those browsers by passing the
CORS state of a script through V8 so that it's available to us when
exceptions are thrown.

Note that this patch does not address the case of scripts imported
into Workers. Our behavior there is already poor; it will require a bit
more rework to correctly handle the basic case before moving on
to implementing CORS support.

Intent to Implement discussion at [4].

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=696301
[2]: https://bugs.webkit.org/show_bug.cgi?id=70574
[3]: http://www.schemehostport.com/2011/10/x-script-origin-we-hardly-knew-ye.html
[4]: https://groups.google.com/a/chromium.org/d/msg/blink-dev/Li61lfcbWws/NuUUNofRciMJ

BUG= 159566 

Review URL: https://chromiumcodereview.appspot.com/19596004
------------------------------------------------------------------------
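The four combinations named by the layout tests in r155670 (crossorigin attribute present or absent, CORS header present or absent), modelled as an added example. This is not Blink or V8 code; the function names, origins and sample error are hypothetical, and the `use-credentials` branch goes beyond the `anonymous` case discussed in this issue.

```javascript
// Added model of the policy in r155670's commit message; not Blink or V8 code.
// Function names, origins and the sample error are hypothetical/constructed.

// CORS check for a script fetched in CORS mode (header names lower-cased).
function passesCorsCheck(docOrigin, crossorigin, headers) {
  const acao = headers['access-control-allow-origin'];
  if (crossorigin === 'use-credentials') {
    // Credentialed fetches cannot use the wildcard and need an explicit opt-in.
    return acao === docOrigin &&
      headers['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === docOrigin;
}

// What the page observes when the script at scriptUrl throws `error`.
function observeScriptError({ docOrigin, scriptUrl, crossorigin, headers, error }) {
  const detailed = { ran: true, message: error.message, url: scriptUrl, line: error.line };
  if (new URL(scriptUrl).origin === docOrigin) return detailed;
  if (crossorigin == null) {
    // No crossorigin attribute: the script runs, but window.onerror gets the
    // sanitized form whatever Access-Control-Allow-Origin the server sent.
    // The model represents the cleared URL and line number as '' and 0.
    return { ran: true, message: 'Script error.', url: '', line: 0 };
  }
  // CORS-mode fetch: a failed check blocks the script, so nothing executes
  // and window.onerror never sees an error from it.
  return passesCorsCheck(docOrigin, crossorigin, headers) ? detailed : { ran: false };
}

// Constructed sample: a page on one origin loading a script from a CDN origin.
const SAMPLE = {
  docOrigin: 'https://www.example.com',
  scriptUrl: 'https://static.example.net/app.js',
  error: { message: 'Uncaught ReferenceError: x is not defined', line: 12 },
};
const CORS = { 'access-control-allow-origin': '*' };

// The four attribute/header combinations named by the layout tests.
function runMatrix() {
  return {
    'crossorigin-cors': observeScriptError({ ...SAMPLE, crossorigin: 'anonymous', headers: CORS }),
    'crossorigin-no-cors': observeScriptError({ ...SAMPLE, crossorigin: 'anonymous', headers: {} }),
    'no-crossorigin-cors': observeScriptError({ ...SAMPLE, crossorigin: null, headers: CORS }),
    'no-crossorigin-no-cors': observeScriptError({ ...SAMPLE, crossorigin: null, headers: {} }),
  };
}
```

When rolling this out, have the script host send the header before adding the attribute to pages, since the `crossorigin-no-cors` combination stops the script from running.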
Mike, just to confirm, this is now enabled by default?
Comment 25 by mkwst@chromium.org, Aug 15 2013
Status: Fixed
This should be available in Canary, yes. I'm not entirely sure if it made the M30 branch or not.
As branch point was 8/12 and this landed 7/24, I'm fairly sure this made m30 comfortably.