Sanitize classic script's base URL when muted errors flag is set

Fixes #5751.
whatwg · Jul 24, 2020 · ac285c0 · ac285c0
1 parent 82a0784
commit ac285c0
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/source b/source
@@ -89228,6 +89228,16 @@ document.querySelector("button").addEventListener("click", bound);
   <ol>
    <li><p>If <var>muted errors</var> was not provided, let it be false.</p></li>
 
+   <li>
+    <p>If <var>muted errors</var> is true, then set <var>baseURL</var> to
+    <code>about:blank</code>.</p>
+
+    <p class="note">When <var>muted errors</var> is true, <var>baseURL</var> is the script's
+    <span>CORS-cross-origin</span> <span data-x="concept-response">response</span>'s <span
+    data-x="concept-response-url">url</span>, which shouldn't be exposed to JavaScript. Therefore,
+    <var>baseURL</var> is sanitized here.</p>
+   </li>
+
    <li><p>If <span data-x="concept-environment-noscript">scripting is disabled</span> for
    <var>settings</var>, then set <var>source</var> to the empty string.</p></li>