If you’ve ever come across a “Script Error” on line 0, you’ve run afoul of the Same Origin Policy. This happens when there’s an error during the first pass of a cross-domain script.
The browser obscures the real error message to close a security vulnerability that can be used to read information from other sites the user may be logged into. Debugging script errors can be tricky because although the developer console contains the correct error message and line number, both window.onerror and Bugsnag can only show you “Script Error.”
Browsers disagree on which errors should be obscured, and which should be visible. Firefox takes the view that only SyntaxErrors are a problem, whereas Chrome and Safari take a more conservative view. In those browsers any Error that happens when running the script is also obscured.
(no CORS) Runtime Errors
(no CORS) Syntax Errors
(CORS) Runtime Errors
(CORS) Firefox✘✔✔✔ Chrome✘✘✔✔ Safari✘✘✔✔ IE <=10✔*✔✔✔ IE >=11✘✘✘✘
* This is a security vulnerability.
Enabling CORS for script tags requires two steps.