神秘的“脚本错误".在 Chrome 和 Firefox 中用 JavaScript 报告 [英] Cryptic "Script Error." reported in Javascript in Chrome and Firefox
问题描述
我有一个脚本可以检测我网站上的 Javascript 错误并将它们发送到我的后端进行报告.它报告遇到的第一个错误、假定的行号和时间.
编辑以包含文档类型:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.com/2008/fbml>...
由于这个脚本,我非常清楚我网站上发生的任何 javascript 错误.最大的罪魁祸首之一是脚本错误".在第 0 行. 在 Chrome 10+ 和 Firefox 3+ 中.Internet Explorer 中不存在此错误(或者可能称为其他错误?).
更正 (5/23/2013):这个脚本错误,第 0 行"错误现在出现在 IE7 和其他版本的 IE 中.可能是最近 IE 安全补丁的结果,因为这种行为以前不存在.
有谁知道这个错误是什么意思或导致它的原因是什么?它发生在我整个页面加载的 0.25% 左右,占报告错误的一半.
脚本错误".当异常违反浏览器的同源政策时,会在 Firefox、Safari 和 Chrome 中发生 - 即错误发生在托管在当前页面域以外的域上的脚本中.
此行为是有意为之,以防止脚本将信息泄露到外部域.举个例子说明为什么这是必要的,想象一下不小心访问了 evilsite.com,它提供了一个带有 <script src="yourbank.com/index.html"> 的页面代码>.(是的,我们将该脚本标记指向 html,而不是 JS).这将导致脚本错误,但该错误很有趣,因为它可以告诉我们您是否已登录.如果您已登录,错误可能是 'Welcome Fred...' is undefined,而如果不是,则错误可能是 'Please Login ...' is undefined.类似的东西.
如果 evilsite.com 为前 20 名左右的银行机构执行此操作,他们就会很清楚您访问哪些银行网站,并且可以提供更有针对性的网络钓鱼页面.(当然,这只是一个例子.但它说明了为什么浏览器不应该允许任何数据跨越域边界.)
我已经在最新版本的 Safari、Chrome 和 Firefox 中对此进行了测试 - 他们都这样做.IE9 没有——它把 x-origin 异常和同源异常一样对待.(而且 Opera 不支持 onerror.)
来自马口:在将异常传递给 onerror() 时检查来源的 WebKit 源.以及 Firefox 源代码检查.>
更新 (10/21/11):Firefox跟踪此问题的错误 包含指向激发此行为的博客文章的链接.
更新 (12/2/14):您现在可以通过指定 crossorigin 属性 在脚本标签上,并让服务器发送适当的CORS HTTP 响应标头.
I have a script that detects Javascript errors on my website and sends them to my backend for reporting. It reports the first error encountered, the supposed line number, and the time.
EDIT to include doctype:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
...
<script type="text/javascript">
//<![CDATA[
// for debugging javascript!
(function(window){
window.onerror = function(msg, url, ln) {
//transform errors
if (typeof(msg) === 'object' && msg.srcElement && msg.target) {
if(msg.srcElement == '[object HTMLScriptElement]' && msg.target == '[object HTMLScriptElement]'){
msg = 'Error loading script';
}else{
msg = 'Event Error - target:' + msg.target + ' srcElement:' + msg.srcElement;
}
}
msg = msg.toString();
//ignore errors
if(msg.indexOf("Location.toString") > -1){
return;
}
if(msg.indexOf("Error loading script") > -1){
return;
}
//report errors
window.onerror = function(){};
(new Image()).src = "/jserror.php?msg=" + encodeURIComponent(msg) + "&url=" + encodeURIComponent(url || document.location.toString().replace(/#.*$/, "")) + "&ln=" + parseInt(ln || 0) + "&r=" + (+new Date());
};
})(window);
//]]>
</script>
Because of this script, I'm acutely aware of any javascript errors that are happening on my site. One of by biggest offenders is "Script Error." on line 0. in Chrome 10+, and Firefox 3+. This error doesn't exist (or may be called something else?) in Internet Explorer.
Correction (5/23/2013): This "Script Error, Line 0" error is now showing up in IE7 and possibly other versions of IE. Possibly a result of a recent IE security patch as this behavior previously did not exist.
Does anyone have any idea what this error means or what causes it? It happens on about 0.25% of my overall pageloads, and represents half the reported errors.
The "Script error." happens in Firefox, Safari, and Chrome when an exception violates the browser's same-origin policy - i.e. when the error occurs in a script that's hosted on a domain other than the domain of the current page.
This behavior is intentional, to prevent scripts from leaking information to external domains. For an example of why this is necessary, imagine accidentally visiting evilsite.com, that serves up a page with <script src="yourbank.com/index.html">. (yes, we're pointing that script tag at html, not JS). This will result in a script error, but the error is interesting because it can tell us if you're logged in or not. If you're logged in, the error might be 'Welcome Fred...' is undefined, whereas if you're not it might be 'Please Login ...' is undefined. Something along those lines.
If evilsite.com does this for the top 20 or so bank institutions, they'd have a pretty good idea of which banking sites you visit, and could provide a much more targeted phishing page. (This is just one example, of course. But it illustrates why browsers shouldn't allow any data to cross domain boundaries.)
I've tested this in the latest versions of Safari, Chrome, and Firefox - they all do this. IE9 does not - it treats x-origin exceptions the same as same-origin ones. (And Opera doesn't support onerror.)
From the horses mouth: WebKit source that checks origin when passing exceptions to onerror(). And the Firefox source that checks.
UPDATE (10/21/11): The Firefox bug that tracks this issue includes a link to the blog post that inspired this behavior.
UPDATE (12/2/14): You can now enable full cross-domain error reporting on some browsers by specifying a crossorigin attribute on script tags and having the server send the appropriate CORS HTTP response headers.
这篇关于神秘的“脚本错误".在 Chrome 和 Firefox 中用 JavaScript 报告的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
