惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
博客园_首页
Vercel News
Vercel News
WordPress大学
WordPress大学
美团技术团队
G
Google Developers Blog
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
Y
Y Combinator Blog
博客园 - 【当耐特】
量子位
酷 壳 – CoolShell
酷 壳 – CoolShell
The Cloudflare Blog
T
The Blog of Author Tim Ferriss
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Google DeepMind News
Google DeepMind News
云风的 BLOG
云风的 BLOG
腾讯CDC
M
MIT News - Artificial intelligence
爱范儿
爱范儿
Recent Announcements
Recent Announcements
雷峰网
雷峰网
Last Week in AI
Last Week in AI
宝玉的分享
宝玉的分享
The Register - Security
The Register - Security
Jina AI
Jina AI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Hugging Face - Blog
Hugging Face - Blog
P
Privacy & Cybersecurity Law Blog
Recorded Future
Recorded Future
Help Net Security
Help Net Security
N
News and Events Feed by Topic
博客园 - Franky
P
Proofpoint News Feed
L
LINUX DO - 热门话题
S
SegmentFault 最新的问题
The GitHub Blog
The GitHub Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
D
Docker
Google DeepMind News
Google DeepMind News
有赞技术团队
有赞技术团队
IT之家
IT之家
Security Latest
Security Latest
L
LangChain Blog
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
J
Java Code Geeks

Mike West

Web Platform Security @ CMS Security Summit 2020 XSS (No, the _other_ Frontend Security - Frontend Conference, Zürich 2013 Securing the Client Side Content Security Policy: Feature Detection Chrome connects to three random domains at startup. Nerdy New Year Making Your Web Apps Accessible Using HTML5 and ChromeVox GDD Keynote: The HTML5 Demos
Debugging runtime errors with
Mike West · 2013-08-08 · via Mike West

After working with Blink’s implementation of window.onerror a little bit over the last week or so, I’m somewhat amazed that anyone ever used it for anything at all. For those of you to whom the API is news, the current implementation in Chrome’s stable channel (28) looks a little bit like this:

window.onerror = function (message, filename, lineno) {
    // Do some centralized error reporting here, for example, by POSTing
    // the error message, filename, and line number to a collection
    // server for later processing.
  
    return true; // The exception is handled, not reported to the user.
};

...

throw new Error('OMG!');

‘window.onerror’ acts something like a global try/catch block, allowing you to gracefully handle uncaught exceptions you didn’t expect to see. This, in theory, is brilliant.

Two issues have made it less than brilliant in practice:

  1. Unlike a local try/catch block, the window.onerror handler doesn’t have direct access to the exception object, and is executed in the global context rather than locally where the error occurred. That means that developers don’t have access to a call stack, and can’t build a call stack themselves by walking up the chain of a method’s callers.

  2. Browsers go to great lengths to sanitize the data provided to the handler in order to prevent unintentional data leakage from cross-origin scripts. If you host your JavaScript on a CDN (as you ought), you’ll get “Script error.”, “”, and 0 in the above handler. That’s not particularly helpful.

There are a few other concerns, but those are the big two. I’m happy to say that recent patches have addressed many of the concerns in Blink.

  1. Christophe Dumez added the column number to the handler.

  2. After a lot of back-and-forth, Hixie added an ‘error’ parameter to the onerror handler in the WHATWG spec. This, as you might imagine, contains the exception that was thrown, just as you’d get in a catch block. The Blink implementation landed last week, which means that you can now access the stack trace in your handler via something like the following:

    window.onerror = function (message, filename, lineno, colno, error) {
        console.log("This is a stack trace! Wow! --> %s", error.stack);
    };
    
  3. Blink now follows Mozilla’s and WebKit’s practice of enabling full detail in exceptions generated from cross-origin scripts that are served with proper access-control headers and attributes. If you add a crossorigin attribute to a script tag, and serve that script with an Access-Control-Allow-Origin header that allows access to the document loading the script, then you’ll be given unsanitized data in your error handlers. That might look something like this:

    <script crossorigin="anonymous" src="http://cdn.example.com/script.js"></script>
    

    Note that this is a bit tricky: you’ll need to make quite sure that your server is properly configured. If a script has a crossorigin attribute but the server doesn’t send appropriate CORS headers, the script load will fail miserably.

  4. Stringification of custom errors is (slightly) improved for the case where an Error object is directly set as the prototype of your custom error. Handlebars, for instance, created a Handlebars.Exception object with code like this:

    Handlebars.Exception.prototype = new Error();
    

    V8 didn’t support that very well in window.onerror: the stringification looked something like [object Object], which wasn’t particularly useful for anyone. Now you’ll get the expected message, as long as you haven’t overridden the toString method.

  5. I’m still knee-deep in the Worker implementation, which is a bit of mess really. I expect to fix the sanitization shortly, and I think it shouldn’t be too difficult to add the error property to the Worker’s onerror handler.

I think this set of changes will make centralized error reporting a bit more realisticly possible in the near future. I’d love for you folks to start banging on these initial implementations now so that I can fix bugs and clean up edge-cases now, before these start rolling into Stable. When you see a bug please do file it at http://crbug.com/new, and ping me the bug ID (+Mike West, @mikewest, or mkwst@chromium.org).

Enjoy Blink’s newly more-usable error reporting!