28961 2015-07-16 17:33:52 +0000 importScripts needs to consider the muted errors flag before propagating exceptions 2015-09-22 06:56:00 +0000 1 1 1 Unclassified WHATWG HTML unspecified Other other RESOLVED MOVED https://html.spec.whatwg.org/#importing-scripts-and-libraries P3 normal Unsorted 1 contributor ian annevk bzbarsky mike contributor oldest_to_newest 122153 0 contributor 2015-07-16 17:33:52 +0000 Specification: https://html.spec.whatwg.org/multipage/workers.html Multipage: https://html.spec.whatwg.org/multipage/#importing-scripts-and-libraries Complete: https://html.spec.whatwg.org/#importing-scripts-and-libraries Referrer: https://html.spec.whatwg.org/multipage/ Comment: importScripts needs to consider the muted errors flag before propagating exceptions Posted from: 98.110.194.132 User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0 122154 1 bzbarsky 2015-07-16 17:36:14 +0000 importScripts in a worker will rethrow exceptions caused by executing the script. This gives it an attack vector that does not exist for <script> tags, which can only get at exceptions thrown by a random script's execution via window.onerror. The spec has provisions for not leaking information to window.onerror: the muted errors flag. But in the importScripts case, the caller of importScripts can simply catch the propagated exception and examine it. What needs to happen is that in the cases when importScripts passes the muted errors flag to script creation it also needs to catch any exceptions thrown by the script and report generic exceptions to the caller in their place. 123271 2 annevk 2015-09-22 06:56:00 +0000 https://github.com/whatwg/html/pull/166