惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

人人都是产品经理
人人都是产品经理
D
Docker
GbyAI
GbyAI
B
Blog RSS Feed
博客园 - 司徒正美
博客园 - Franky
美团技术团队
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
aimingoo的专栏
aimingoo的专栏
C
Check Point Blog
IT之家
IT之家
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
AI
AI
O
OpenAI News
Attack and Defense Labs
Attack and Defense Labs
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Tailwind CSS Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
S
Secure Thoughts
博客园 - 聂微东
L
LINUX DO - 最新话题
U
Unit 42
SecWiki News
SecWiki News
A
Arctic Wolf
Schneier on Security
Schneier on Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
Visual Studio Blog
量子位
The Cloudflare Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
大猫的无限游戏
大猫的无限游戏
Google DeepMind News
Google DeepMind News
G
Google Developers Blog
T
Threat Research - Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
B
Blog
博客园 - 【当耐特】
C
CERT Recently Published Vulnerability Notes
Scott Helme
Scott Helme
Last Week in AI
Last Week in AI
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Microsoft Security Blog
Microsoft Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
F
Full Disclosure
Hacker News: Ask HN
Hacker News: Ask HN
A
About on SuperTechFans
博客园 - 三生石上(FineUI控件)
Latest news
Latest news

Mike West

Web Platform Security @ CMS Security Summit 2020 XSS (No, the _other_ Frontend Security - Frontend Conference, Zürich 2013 Securing the Client Side Content Security Policy: Feature Detection Chrome connects to three random domains at startup. Nerdy New Year Making Your Web Apps Accessible Using HTML5 and ChromeVox GDD Keynote: The HTML5 Demos
Debugging runtime errors with
Mike West · 2013-08-08 · via Mike West

After working with Blink’s implementation of window.onerror a little bit over the last week or so, I’m somewhat amazed that anyone ever used it for anything at all. For those of you to whom the API is news, the current implementation in Chrome’s stable channel (28) looks a little bit like this:

window.onerror = function (message, filename, lineno) {
    // Do some centralized error reporting here, for example, by POSTing
    // the error message, filename, and line number to a collection
    // server for later processing.
  
    return true; // The exception is handled, not reported to the user.
};

...

throw new Error('OMG!');

‘window.onerror’ acts something like a global try/catch block, allowing you to gracefully handle uncaught exceptions you didn’t expect to see. This, in theory, is brilliant.

Two issues have made it less than brilliant in practice:

  1. Unlike a local try/catch block, the window.onerror handler doesn’t have direct access to the exception object, and is executed in the global context rather than locally where the error occurred. That means that developers don’t have access to a call stack, and can’t build a call stack themselves by walking up the chain of a method’s callers.

  2. Browsers go to great lengths to sanitize the data provided to the handler in order to prevent unintentional data leakage from cross-origin scripts. If you host your JavaScript on a CDN (as you ought), you’ll get “Script error.”, “”, and 0 in the above handler. That’s not particularly helpful.

There are a few other concerns, but those are the big two. I’m happy to say that recent patches have addressed many of the concerns in Blink.

  1. Christophe Dumez added the column number to the handler.

  2. After a lot of back-and-forth, Hixie added an ‘error’ parameter to the onerror handler in the WHATWG spec. This, as you might imagine, contains the exception that was thrown, just as you’d get in a catch block. The Blink implementation landed last week, which means that you can now access the stack trace in your handler via something like the following:

    window.onerror = function (message, filename, lineno, colno, error) {
        console.log("This is a stack trace! Wow! --> %s", error.stack);
    };
    
  3. Blink now follows Mozilla’s and WebKit’s practice of enabling full detail in exceptions generated from cross-origin scripts that are served with proper access-control headers and attributes. If you add a crossorigin attribute to a script tag, and serve that script with an Access-Control-Allow-Origin header that allows access to the document loading the script, then you’ll be given unsanitized data in your error handlers. That might look something like this:

    <script crossorigin="anonymous" src="http://cdn.example.com/script.js"></script>
    

    Note that this is a bit tricky: you’ll need to make quite sure that your server is properly configured. If a script has a crossorigin attribute but the server doesn’t send appropriate CORS headers, the script load will fail miserably.

  4. Stringification of custom errors is (slightly) improved for the case where an Error object is directly set as the prototype of your custom error. Handlebars, for instance, created a Handlebars.Exception object with code like this:

    Handlebars.Exception.prototype = new Error();
    

    V8 didn’t support that very well in window.onerror: the stringification looked something like [object Object], which wasn’t particularly useful for anyone. Now you’ll get the expected message, as long as you haven’t overridden the toString method.

  5. I’m still knee-deep in the Worker implementation, which is a bit of mess really. I expect to fix the sanitization shortly, and I think it shouldn’t be too difficult to add the error property to the Worker’s onerror handler.

I think this set of changes will make centralized error reporting a bit more realisticly possible in the near future. I’d love for you folks to start banging on these initial implementations now so that I can fix bugs and clean up edge-cases now, before these start rolling into Stable. When you see a bug please do file it at http://crbug.com/new, and ping me the bug ID (+Mike West, @mikewest, or mkwst@chromium.org).

Enjoy Blink’s newly more-usable error reporting!