Julian Reschke wrote:
Could you please provide some more information or give an example about
when this would be the case?
Here's a simple past example, if I understand your question correctly.
One can set an onerror handler on Window that will trigger if an exception is
thrown and not caught, and will also trigger on script parsing/compilation
errors. For the latter case, the offending line of script is included in the
exception object.
Now consider the following HTML page:
<script src="target.html"></script>
Since most likely target.html is not actually valid JS, there will be a parse
error, and the error object will contain the text on the line in question.
For what it's worth, Gecko will now only include the text if the script the
error is in and the onerror handler are same-origin. Until we started doing
that, there was a cross-origin information leak.
-Boris