This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Specification: https://html.spec.whatwg.org/multipage/workers.html Multipage: https://html.spec.whatwg.org/multipage/#importing-scripts-and-libraries Complete: https://html.spec.whatwg.org/#importing-scripts-and-libraries Referrer: https://html.spec.whatwg.org/multipage/ Comment: importScripts needs to consider the muted errors flag before propagating exceptions Posted from: 98.110.194.132 User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0
importScripts in a worker will rethrow exceptions caused by executing the script. This gives it an attack vector that does not exist for <script> tags, which can only get at exceptions thrown by a random script's execution via window.onerror. The spec has provisions for not leaking information to window.onerror: the muted errors flag. But in the importScripts case, the caller of importScripts can simply catch the propagated exception and examine it. What needs to happen is that in the cases when importScripts passes the muted errors flag to script creation it also needs to catch any exceptions thrown by the script and report generic exceptions to the caller in their place.
https://github.com/whatwg/html/pull/166