Censor events for cross-origin scripts

[jeisinger]

If a script was loaded from a cross-origin URL without CORS access, we should censor the events / or not send them at all.

[domenic]

Done in spec-land in whatwg/html@d7e1571... now let's see if I can figure out how to write some tests :-S

[jeisinger]

is "muted errors" defined somewhere?

[domenic]

https://html.spec.whatwg.org/#muted-errors

[domenic]

Also relevant is https://html.spec.whatwg.org/#the-script-element:create-a-script which plumbs the flag through

[jeisinger]

hum, so there are three "scripts" we could consider: the script that created the promise, the script that rejected it, or the script that created the reason.

which one should we use for the is muted check?

Implementation wise, we currently use "reason" to display the stack in devtools, however, that means that if you e.g. new Promise(function(a,b) { b(1); }); you won't get a stack trace.

[domenic]

The spec is that it's the script that rejected it, similar to how it's the script that throws an error that we use for window.onerror's muted check. (There the choices are fewer: the script that threw the error, and the script that created the error.)

I'm not sure I understand the relevance of your last paragraph...