Cryptic "Script Error." reported in Javascript in Chrome and Firefox
I have a script that detects Javascript errors on my website and sends them to my backend for reporting. It reports the first error encountered, the supposed line number, and the time.
EDIT to include doctype:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.com/2008/fbml">
...
<script type="text/javascript">
//<![CDATA[
// for debugging javascript!
(function(window){
window.onerror = function(msg, url, ln) {
//transform errors
if (typeof(msg) === 'object' && msg.srcElement && msg.target) {
if(msg.srcElement == '[object HTMLScriptElement]' && msg.target == '[object HTMLScriptElement]'){
msg = 'Error loading script';
}else{
msg = 'Event Error - target:' + msg.target + ' srcElement:' + msg.srcElement;
}
}
msg = msg.toString();
//ignore errors
if(msg.indexOf("Location.toString") > -1){
return;
}
if(msg.indexOf("Error loading script") > -1){
return;
}
//report errors
window.onerror = function(){};
(new Image()).src = "/jserror.php?msg=" + encodeURIComponent(msg) + "&url=" + encodeURIComponent(url || document.location.toString().replace(/#.*$/, "")) + "&ln=" + parseInt(ln || 0) + "&r=" + (+new Date());
};
})(window);
//]]>
</script>
Because of this script, I'm acutely aware of any javascript errors that are happening on my site. One of by biggest offenders is "Script Error." on line 0. in Chrome 10+, and Firefox 3+. This error doesn't exist (or may be called something else?) in Internet Explorer.
Correction (5/23/2013): This "Script Error, Line 0" error is now showing up in IE7 and possibly other versions of IE. Possibly a result of a recent IE security patch as this behavior previously did not exist.
Does anyone have any idea what this error means or what causes it? It happens on about 0.25% of my overall pageloads, and represents half the reported errors.
The "Script error." happens in Firefox, Safari, and Chrome when an exception violates the browser's same-origin policy - i.e. when the error occurs in a script that's hosted on a domain other than the domain of the current page.
This behavior is intentional, to prevent scripts from leaking information to external domains. For an example of why this is necessary, imagine accidentally visiting evilsite.com
, that serves up a page with <script src="yourbank.com/index.html">
. (yes, we're pointing that script tag at html, not JS). This will result in a script error, but the error is interesting because it can tell us if you're logged in or not. If you're logged in, the error might be 'Welcome Fred...' is undefined
, whereas if you're not it might be 'Please Login ...' is undefined
. Something along those lines.
If evilsite.com does this for the top 20 or so bank institutions, they'd have a pretty good idea of which banking sites you visit, and could provide a much more targeted phishing page. (This is just one example, of course. But it illustrates why browsers shouldn't allow any data to cross domain boundaries.)
I've tested this in the latest versions of Safari, Chrome, and Firefox - they all do this. IE9 does not - it treats x-origin exceptions the same as same-origin ones. (And Opera doesn't support onerror.)
From the horses mouth: WebKit source that checks origin when passing exceptions to onerror(). And the Firefox source that checks.
UPDATE (10/21/11): The Firefox bug that tracks this issue includes a link to the blog post that inspired this behavior.
UPDATE (12/2/14): You can now enable full cross-domain error reporting on some browsers by specifying a crossorigin
attribute on script tags and having the server send the appropriate CORS HTTP response headers.
An update for those that will stumble into this question in the future : broofa is right with the answer and there's no workaround for this.
Obviously other stumbled into this limitation and some bugs requesting for an fix were filed for Firefox : Bug 69301 and for WebKit : Bug 70574
The good news is that the bug has been resolved for Firefox with the release of Firefox 13. This is how you use it :
<script src="http://somremotesite.example/script.js" crossorigin>
crossorigin
is equivalent to crossorigin=anonymous
and tells the browser to do a CORS fetch of the script without sending credentials.
You must ensure that the script is sent with an Access-Control-Allow-Origin
HTTP header value that matches the requesting domain, e.g.,
Access-Control-Allow-Origin: http://myhomesite.example
Access-Control-Allow-Origin: *
otherwise the browser will cancel loading the script.
For Apache:
Header set Access-Control-Allow-Origin "*"
(And see CORS examples for other web servers.)
If you're sending scripts in PHP:
header('Access-Control-Allow-Origin', 'http://myhomesite.example');
I've tested this and it works as expected. all errors from the script.js will be caught by the window.onerror
handler with message, file and line details.
The WebKit bug hasn't been fixed yet, but a patch has been proposed (and uses the same solution). Hopefully the fix will be released soon.
More info about CORS here : http://enable-cors.org/
This one took quite a bit to figure out.
We did a bunch of stuff to try and solve it, including doing things like dumping the WHOLE document body back to our servers via Ajax to try and figure it out.
I am still unsure what causes "Script Error." (with the period BTW, that's how it shows up in our Ajax logger) in Firefox, but in Chrome, we were able to narrow it down to...
Drum roll...
The auto translate feature of Google Chrome.
Many English speaking people probably do not even know about this feature, but to test it, I guess visit a non-English site using Chrome. Or better yet, if you dig thru the Chrome options, there's a spot to change the browser language. Change it to something non-English, restart the browser, and visit an English site.
You should get the bar at the top asking if you would like Chrome to translate the page for you.
In our case anyways, the translator was causing the issue since it injects a script tag into your document body and (guessing here) uses some sort of JS-based system to send the content to Google's servers and get them to translate it.
Even though the error in the console was Unreferenced something, the message that was being sent to window.onerror was "Script Error.".
Anyways, there is a cure.
http://googlewebmastercentral.blogspot.com/2007/12/answering-more-popular-picks-meta-tags.html
<meta name="google" content="notranslate"/>
This will do 2 things (as far as we know, maybe more?):
a) Disable the translate bar from popping up in Chrome.
b) Disable translating of the the page via translate.google.com.
In our situation anyways, this solved A TON of these "Script Error." issues we were experiencing.
Excuse the spelling mistakes in this post, I am still on a non-English mode in Chrome writing this, and the spell checker is not set to English ;) Time to switch back.
Enjoy!