Cryptic "Script Error." reported in Javascript in Chrome and Firefox

javascript firefox google-chrome error-handling

The "Script error." happens in Firefox, Safari, and Chrome when an exception violates the browser's same-origin policy - i.e. when the error occurs in a script that's hosted on a domain other than the domain of the current page.

This behavior is intentional, to prevent scripts from leaking information to external domains. For an example of why this is necessary, imagine accidentally visiting evilsite.com, that serves up a page with <script src="yourbank.com/index.html">. (yes, we're pointing that script tag at html, not JS). This will result in a script error, but the error is interesting because it can tell us if you're logged in or not. If you're logged in, the error might be 'Welcome Fred...' is undefined, whereas if you're not it might be 'Please Login ...' is undefined. Something along those lines.

If evilsite.com does this for the top 20 or so bank institutions, they'd have a pretty good idea of which banking sites you visit, and could provide a much more targeted phishing page. (This is just one example, of course. But it illustrates why browsers shouldn't allow any data to cross domain boundaries.)

I've tested this in the latest versions of Safari, Chrome, and Firefox - they all do this. IE9 does not - it treats x-origin exceptions the same as same-origin ones. (And Opera doesn't support onerror.)

From the horses mouth: WebKit source that checks origin when passing exceptions to onerror(). And the Firefox source that checks.

UPDATE (10/21/11): The Firefox bug that tracks this issue includes a link to the blog post that inspired this behavior.

UPDATE (12/2/14): You can now enable full cross-domain error reporting on some browsers by specifying a crossorigin attribute on script tags and having the server send the appropriate CORS HTTP response headers.

javascript firefox google-chrome error-handling

An update for those that will stumble into this question in the future : broofa is right with the answer and there's no workaround for this.

Obviously other stumbled into this limitation and some bugs requesting for an fix were filed for Firefox : Bug 69301 and for WebKit : Bug 70574

The good news is that the bug has been resolved for Firefox with the release of Firefox 13.This is how you use it :

<script src="http://somremotesite.example/script.js" crossorigin>

crossorigin is equivalent to crossorigin=anonymous and tells the browser to do a CORS fetch of the script without sending credentials.

You must ensure that the script is sent with an Access-Control-Allow-Origin HTTP header value that matches the requesting domain, e.g.,

Access-Control-Allow-Origin: http://myhomesite.exampleAccess-Control-Allow-Origin: *

otherwise the browser will cancel loading the script.

For Apache:

Header set Access-Control-Allow-Origin "*"

(And see CORS examples for other web servers.)

If you're sending scripts in PHP:

header('Access-Control-Allow-Origin', 'http://myhomesite.example');

I've tested this and it works as expected. all errors from the script.js will be caught by the window.onerror handler with message, file and line details.

The WebKit bug hasn't been fixed yet, but a patch has been proposed (and uses the same solution). Hopefully the fix will be released soon.

More info about CORS here : http://enable-cors.org/

javascript firefox google-chrome error-handling

This one took quite a bit to figure out.

We did a bunch of stuff to try and solve it, including doing things like dumping the WHOLE document body back to our servers via Ajax to try and figure it out.

I am still unsure what causes "Script Error." (with the period BTW, that's how it shows up in our Ajax logger) in Firefox, but in Chrome, we were able to narrow it down to...

Drum roll...

The auto translate feature of Google Chrome.

Many English speaking people probably do not even know about this feature, but to test it, I guess visit a non-English site using Chrome. Or better yet, if you dig thru the Chrome options, there's a spot to change the browser language. Change it to something non-English, restart the browser, and visit an English site.

You should get the bar at the top asking if you would like Chrome to translate the page for you.

In our case anyways, the translator was causing the issue since it injects a script tag into your document body and (guessing here) uses some sort of JS-based system to send the content to Google's servers and get them to translate it.

Even though the error in the console was Unreferenced something, the message that was being sent to window.onerror was "Script Error.".

Anyways, there is a cure.

http://googlewebmastercentral.blogspot.com/2007/12/answering-more-popular-picks-meta-tags.html

<meta name="google" content="notranslate"/>

This will do 2 things (as far as we know, maybe more?):

a) Disable the translate bar from popping up in Chrome.

b) Disable translating of the the page via translate.google.com.

In our situation anyways, this solved A TON of these "Script Error." issues we were experiencing.

Excuse the spelling mistakes in this post, I am still on a non-English mode in Chrome writing this, and the spell checker is not set to English ;) Time to switch back.

Enjoy!

CodeHunter

Cryptic "Script Error." reported in Javascript in Chrome and Firefox

Recent Posts

How can I color dots in a xy scatterplot according to column value?

How to update a claim in ASP.NET Identity?

What does {0} mean when initializing an object?

Accessing members of items in a JSONArray with Java

How to log SQL statements in Spring Boot?

Powershell Get-WebSite name parameter is ignored

How to detect scroll to bottom of html element

Java synchronized method

How to test controllers with CodeIgniter?

Detect Visual Composer

Matplotlib: Specify format of floats for tick labels

Rails join a list of strings with commas and "and" before the last