
javascript - Cryptic “Script Error.” reported in Javascript in Chrome and Firefox

I have a script that detects Javascript errors on my website and sends them to my backend for reporting.

It reports the first error encountered, the supposed line number, and the time.

EDIT to include doctype:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">

...

<script type="text/javascript">
//<![CDATA[
// for debugging javascript!
(function(window){
    window.onerror = function(msg, url, ln) {
        //transform errors
        if (typeof(msg) === 'object' && msg.srcElement && msg.target) {
            if(msg.srcElement == '[object HTMLScriptElement]' && msg.target == '[object HTMLScriptElement]'){
                msg = 'Error loading script';
            }else{
                msg = 'Event Error - target:' + msg.target + ' srcElement:' + msg.srcElement;
            }
        }

        msg = msg.toString();

        //ignore errors
        if(msg.indexOf("Location.toString") > -1){
            return;
        }
        if(msg.indexOf("Error loading script") > -1){
            return;
        }

        //report errors
        window.onerror = function(){};
        (new Image()).src = "/jserror.php?msg=" + encodeURIComponent(msg) + "&url=" + encodeURIComponent(url || document.location.toString().replace(/#.*$/, "")) + "&ln=" + parseInt(ln || 0) + "&r=" + (+new Date());
    };
})(window);
//]]>
</script>

Because of this script, I'm acutely aware of any javascript errors that are happening on my site.

One of my biggest offenders is "Script Error." on line 0, in Chrome 10+ and Firefox 3+. This error doesn't exist (or may be called something else?) in Internet Explorer.

Correction (5/23/2013): This "Script Error, Line 0" error is now showing up in IE7 and possibly other versions of IE.

Possibly a result of a recent IE security patch as this behavior previously did not exist.

Does anyone have any idea what this error means or what causes it?

It happens on about 0.25% of my overall pageloads, and represents half the reported errors.

Asked by Mike Sherov (translated from SO)


1 Reply


The "Script error." happens in Firefox, Safari, and Chrome when an exception violates the browser's same-origin policy, i.e. when the error occurs in a script that's hosted on a domain other than the domain of the current page.

This behavior is intentional, to prevent scripts from leaking information to external domains.

For an example of why this is necessary, imagine accidentally visiting evilsite.com, that serves up a page with <script src="yourbank.com/index.html">. (yes, we're pointing that script tag at html, not JS). This will result in a script error, but the error is interesting because it can tell us if you're logged in or not. If you're logged in, the error might be 'Welcome Fred...' is undefined, whereas if you're not it might be 'Please Login ...' is undefined. Something along those lines.

If evilsite.com does this for the top 20 or so bank institutions, they'd have a pretty good idea of which banking sites you visit, and could provide a much more targeted phishing page.

(This is just one example, of course. But it illustrates why browsers shouldn't allow any data to cross domain boundaries.)

I've tested this in the latest versions of Safari, Chrome, and Firefox - they all do this.

IE9 does not - it treats x-origin exceptions the same as same-origin ones. (And Opera doesn't support onerror.)

From the horse's mouth: WebKit source that checks origin when passing exceptions to onerror().

And the Firefox source that checks.

UPDATE (10/21/11): The Firefox bug that tracks this issue includes a link to the blog post that inspired this behavior.

UPDATE (12/2/14): You can now enable full cross-domain error reporting on some browsers by specifying a crossorigin attribute on script tags and having the server send the appropriate CORS HTTP response headers.
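
The decision the answer describes, including the crossorigin/CORS opt-in from the 12/2/14 update, modelled in JavaScript as an added example (not part of the original answer, and not browser source). The function names, the example.com/example.net hosts and the lowercase header map are assumptions made for the illustration.

```javascript
// Added illustration, not browser source. Hostnames are constructed placeholders.
const PAGE_ORIGIN = 'https://www.example.com';

// CORS check applied when the <script> tag carries a crossorigin attribute.
// Assumption: `headers` holds the script response headers with lowercase names.
function corsCheckPasses(pageOrigin, crossorigin, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (crossorigin === 'use-credentials') {
    // Credentialed fetch: "*" is rejected and Allow-Credentials must be "true".
    return acao === pageOrigin &&
      headers['access-control-allow-credentials'] === 'true';
  }
  // "anonymous", "" and unknown values all mean an uncredentialed CORS fetch.
  return acao === '*' || acao === pageOrigin;
}

// 'full'    -> onerror gets the real message, URL and line
// 'muted'   -> onerror gets "Script error." with line 0
// 'blocked' -> the script never runs; its element fires an error event
function onerrorVisibility({ pageOrigin, scriptUrl, crossorigin, headers = {} }) {
  const scriptOrigin = new URL(scriptUrl, pageOrigin).origin;
  if (scriptOrigin === pageOrigin) return 'full';
  if (crossorigin === undefined) return 'muted'; // attribute absent
  return corsCheckPasses(pageOrigin, crossorigin, headers) ? 'full' : 'blocked';
}

// What a window.onerror reporter would record for one thrown error.
function reportedError(visibility, real) {
  if (visibility === 'full') return real;
  if (visibility === 'muted') return { msg: 'Script error.', url: '', ln: 0 };
  return null; // nothing was thrown because nothing executed
}

// Constructed cases: [label, script tag settings]
const CASES = [
  ['same origin', { scriptUrl: '/app.js' }],
  ['CDN, no attribute', { scriptUrl: 'https://cdn.example.net/lib.js' }],
  ['CDN, anonymous, ACAO *', { scriptUrl: 'https://cdn.example.net/lib.js',
    crossorigin: 'anonymous', headers: { 'access-control-allow-origin': '*' } }],
  ['CDN, anonymous, no ACAO', { scriptUrl: 'https://cdn.example.net/lib.js',
    crossorigin: 'anonymous' }],
];

function runCases() {
  return CASES.map(([label, tag]) =>
    [label, onerrorVisibility({ pageOrigin: PAGE_ORIGIN, ...tag })]);
}

console.table(runCases());
```

The 'blocked' row is the case to check before rollout: adding crossorigin to a tag whose server does not send Access-Control-Allow-Origin stops the script from loading rather than merely hiding its errors.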

