Sanitize classic script's base URL to about:blank when muted errors f…

…lag is set Fixes whatwg#5751.
hiroshige-g · Jul 22, 2020 · d2cadb6 · d2cadb6
1 parent d033d58
commit d2cadb6
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/source b/source
@@ -89218,6 +89218,18 @@ document.querySelector("button").addEventListener("click", bound);
   <ol>
    <li><p>If <var>muted errors</var> was not provided, let it be false.</p></li>
 
+   <li>
+    <p>If <var>muted errors</var> is true, then set <var>baseURL</var> to <code>about:blank</code>.
+    </p>
+
+    <p class="note">
+      When <var>muted errors</var> is true, <var>baseURL</var> is script's <span>CORS-cross-origin
+      </span> <span data-x="concept-response">response</span>'s <span data-x="concept-response-url">
+      url</span>, which shouldn't be exposed to JavaScript.
+      Therefore, <var>baseURL</var> is sanitized here.
+    </p>
+   </li>
+
    <li><p>If <span data-x="concept-environment-noscript">scripting is disabled</span> for
    <var>settings</var>, then set <var>source</var> to the empty string.</p></li>