Thanks for writing up this detailed explanation. I think we should definitely take this patch to get this fixed. From my understanding using the file-name as passed to importScripts should always be safe, because you obviously have to know it :)

It's a bit unfortunate the now basically have three different muting behaviors, but we should really work on this outside of a sec-bug. I get the feeling there isn't much interest in actually improving the spec here, just because this is such an edge case and it's easy to introduce some new leak.

To summarize:

1) The current spec says to use an empty string for url.

   > 6. If script's muted errors is true, then set message to "Script error.", urlString to the empty string, line and col to 0, and errorValue to null.

2) We use the pre-redirect URL in the normal ScriptLoader. I wrote [this comment](https://github.com/whatwg/html/issues/958#issuecomment-610546239) on the HTML github.

3) This patch: Using just the filename instead of a whole URL.

Bug 1634872 Comment 27 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Thanks for writing up this detailed explanation. I think we should definitely take this patch to get this fixed. From my understanding using the file-name as passed to importScripts should always be safe, because you obviously have to know it :)

It's a bit unfortunate that now we basically have three different muting behaviors, but we should really work on this outside of a sec-bug. I get the feeling there isn't much interest in actually improving the spec here, just because this is such an edge case and it's easy to introduce some new leak.

To summarize:

1) The current spec says to use an empty string for url.

   > 6. If script's muted errors is true, then set message to "Script error.", urlString to the empty string, line and col to 0, and errorValue to null.

2) We use the pre-redirect URL in the normal ScriptLoader. I wrote [this comment](https://github.com/whatwg/html/issues/958#issuecomment-610546239) on the HTML github.

3) This patch: Using just the filename instead of a whole URL.