问题描述
我有一个脚本来检测我的网站上的Javascript错误,并发送到我的后端进行报告。它报告遇到的第一个错误,假设的行号和时间。编辑包括doctype:
<!DOCTYPE html PUBLIC - // W3C // DTD XHTML 1.0 Transitional // ENhttp://www.w3.org/TR /xhtml1/DTD/xhtml1-transitional.dtd\">
< html xmlns =http://www.w3.org/1999/xhtmlxml:lang =enlang =enxmlns:fb =http://www.facebook.com / 2008 / FBML>
...
< script type =text / javascript>
//<![CDATA [
//用于调试javascript!
(function(window){
window.onerror = function(msg,url,ln){
//转换错误
if(typeof(msg)==='object '&& msg.srcElement&& msg.target){
if(msg.srcElement =='[object HTMLScriptElement]'&& msg.target =='[object HTMLScriptElement]') {
msg ='加载脚本时出错';
} else {
msg ='事件错误 - 目标:'+ msg.target +'srcElement:'+ msg.srcElement;
}
}
msg = msg.toString();
//忽略错误
if(msg.indexOf(Location.toString )> -1){
return;
}
if(msg.indexOf(Error loading script)> -1){
return;
}
//报告错误
window.onerror = function(){};
(new Image())。src =/jserror.php?msg=+ encodeURIComponent(msg)+& ur l =+ encodeURIComponent(url || document.location.toString()。replace(/#.*$/,))+& ln =+ parseInt(ln || 0)+& r =+(+ new Date );
};
})(窗口);
//]]>
< / script>
由于这个脚本,我非常清楚我网站上发生的任何JavaScript错误。 最大罪犯之一是脚本错误。在Chrome 10+和Firefox 3+中的第0行。。
更正(5/23/2013):此错误在Internet Explorer中不存在(或可能称为别的)这个脚本错误,行0错误现在显示在IE7和其他版本的IE中。可能是最近的IE安全补丁的结果,因为以前的行为以前不存在。
有没有人知道这个错误是什么意思或什么原因?它发生在我的整个页面加载的大约0.25%,并且代表报告错误的一半。
脚本错误。在Firefox,Safari和Chrome中发生异常时,违反了浏览器的 - 即该错误发生在托管在当前页面以外的域上的脚本中。
此行为是故意的,以防止脚本泄漏信息到外部域。举个例子,为什么这是必要的,想象一下意外地访问 evilsite.com
,它提供一个页面,< script src =yourbank.com /index.html\">
。 (是的,我们指向脚本标签在html,而不是JS)。这将导致脚本错误,但错误很有趣,因为它可以告诉我们您是否登录。如果您已登录,错误可能是'Welcome Fred ...'未定义
,而如果您不是,则可能是请登录...'未定义
。如果evilsite.com对前20名左右的银行机构进行这样的操作,他们会对您访问的银行网站有一个很好的了解,并可以提供更有针对性的网络钓鱼页面。 (这只是一个例子,但这说明了为什么浏览器不允许任何数据跨越域的边界。)
我在Safari,Chrome和Firefox的最新版本中已经对此进行了测试 - 他们都这样做。 IE9不会 - 它将x原始异常与相同的来源异常处理相同。 (和歌剧不支持onerror。)
从马口:。
更新(10/21/11):包含一个指向博客帖子的链接,从而激发了此行为。
更新(12/2/14):现在,您可以通过指定,让服务器发送适当的 HTTP响应标头。
I have a script that detects Javascript errors on my website and sends them to my backend for reporting. It reports the first error encountered, the supposed line number, and the time.
EDIT to include doctype:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
...
<script type="text/javascript">
//<![CDATA[
// for debugging javascript!
(function(window){
window.onerror = function(msg, url, ln) {
//transform errors
if (typeof(msg) === 'object' && msg.srcElement && msg.target) {
if(msg.srcElement == '[object HTMLScriptElement]' && msg.target == '[object HTMLScriptElement]'){
msg = 'Error loading script';
}else{
msg = 'Event Error - target:' + msg.target + ' srcElement:' + msg.srcElement;
}
}
msg = msg.toString();
//ignore errors
if(msg.indexOf("Location.toString") > -1){
return;
}
if(msg.indexOf("Error loading script") > -1){
return;
}
//report errors
window.onerror = function(){};
(new Image()).src = "/jserror.php?msg=" + encodeURIComponent(msg) + "&url=" + encodeURIComponent(url || document.location.toString().replace(/#.*$/, "")) + "&ln=" + parseInt(ln || 0) + "&r=" + (+new Date());
};
})(window);
//]]>
</script>
Because of this script, I'm acutely aware of any javascript errors that are happening on my site. One of by biggest offenders is "Script Error." on line 0. in Chrome 10+, and Firefox 3+. This error doesn't exist (or may be called something else?) in Internet Explorer.
Correction (5/23/2013): This "Script Error, Line 0" error is now showing up in IE7 and possibly other versions of IE. Possibly a result of a recent IE security patch as this behavior previously did not exist.
Does anyone have any idea what this error means or what causes it? It happens on about 0.25% of my overall pageloads, and represents half the reported errors.
The "Script error." happens in Firefox, Safari, and Chrome when an exception violates the browser's same-origin policy - i.e. when the error occurs in a script that's hosted on a domain other than the domain of the current page.
This behavior is intentional, to prevent scripts from leaking information to external domains. For an example of why this is necessary, imagine accidentally visiting evilsite.com
, that serves up a page with <script src="yourbank.com/index.html">
. (yes, we're pointing that script tag at html, not JS). This will result in a script error, but the error is interesting because it can tell us if you're logged in or not. If you're logged in, the error might be 'Welcome Fred...' is undefined
, whereas if you're not it might be 'Please Login ...' is undefined
. Something along those lines.
If evilsite.com does this for the top 20 or so bank institutions, they'd have a pretty good idea of which banking sites you visit, and could provide a much more targeted phishing page. (This is just one example, of course. But it illustrates why browsers shouldn't allow any data to cross domain boundaries.)
I've tested this in the latest versions of Safari, Chrome, and Firefox - they all do this. IE9 does not - it treats x-origin exceptions the same as same-origin ones. (And Opera doesn't support onerror.)
From the horses mouth: WebKit source that checks origin when passing exceptions to onerror(). And the Firefox source that checks.
UPDATE (10/21/11): The Firefox bug that tracks this issue includes a link to the blog post that inspired this behavior.
UPDATE (12/2/14): You can now enable full cross-domain error reporting on some browsers by specifying a crossorigin
attribute on script tags and having the server send the appropriate CORS HTTP response headers.
这篇关于Cryptic“脚本错误”。在Chrome和Firefox中以Javascript格式报告的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!