What is "Script Error"?
Ben Vinegar
The Problem
Script error.
“Script error” is what browsers send to the onerror callback when an error originates from a JavaScript file served from a different origin (different domain, port, or protocol). It’s painful because even though there’s an error occurring, you don’t know what the error is, nor from which code it’s originating. And that’s the whole purpose of window.onerror – getting insight into uncaught errors in your application.
To better understand what’s going on, consider the following example HTML document, served at http://example.com/test:
<!DOCTYPE html> <html> <head> <title>example.com/test</title> </head> <body> <script src="http://another-domain.com/app.js"></script> <script> window.onerror = function(message, url, line, column, error) { console.log(message, url, line, column, error); }; foo(); // call function declared in app.js </script> </body> </html>
Here’s the contents of http://another-domain.com/app.js. It declares a single function, foo, whose invocation will always throw a ReferenceError.
// another-domain.com/app.js function foo() { bar(); // ReferenceError: bar is not a function }
When this document is loaded in the browser and JavaScript is executed, the following is output to the console (logged via the window.onerror callback):
"Script error.", "", 0, 0, undefined
This isn’t a bug – browsers intentionally hide errors originating from script files from different origins for security reasons. It’s to avoid a script unintentionally leaking potentially sensitive information to an onerror callback that it doesn’t control. For this reason, browsers only give window.onerror insight into errors originating from the same domain. All we know is that an error occurred – nothing else!
The Solution
In order to get visibility into errors thrown from scripts originating from different origins, you must do two things.
Cross Origin Anonymous
<script src="http://another-domain.com/app.js" crossorigin="anonymous"></script>
This tells the browser that the target file should be fetched “anonymously”. This means that no potentially user-identifying information like cookies or HTTP credentials will be transmitted by the browser to the server when requesting this file.
Cross Origin HTTP header
Access-Control-Allow-Origin: *
CORS is short for “Cross Origin Resource Sharing”, and it’s a set of APIs (mostly HTTP headers) that dictate how files ought to be downloaded and served across origins. By setting “Access-Control-Allow-Origin: *”, the server is indicating to browsers that any origin can fetch this file.
By setting the global wildcard, you are indicating that any origin can consume this server. If you want, you can restrict it to only known domains you control, e.g.
Access-Control-Allow-Origin: http://www.example.com, http://www.another-domain.com
Note: Most community CDNs properly set an Access-Control-Allow-Origin header.
Once both of these steps have been made, any errors triggered by this script will report to window.onerror just like any regular same-domain script. So instead of “Script error”, the onerror example from the beginning will yield:
ReferenceError: bar is not defined", "http://another-domain.com/app.js", 2, 1, [Object Error]
Further Reading
If you’re looking to get a deeper understanding of how JavaScript application monitoring works, take a look at the following articles:
Get Started With Sentry
Get actionable, code-level insights to resolve JavaScript performance bottlenecks and errors.
Create a free Sentry account
Create a JavaScript project and note your DSN
Grab the Sentry JavaScript SDK
<script src="https://browser.sentry-cdn.com/7.111.0/bundle.min.js"></script>
- Configure your DSN
Sentry.init({ dsn: 'https://<key>@sentry.io/<project>' });
Loved by over 4 million developers and more than 90,000 organizations worldwide, Sentry provides code-level observability to many of the world’s best-known companies like Disney, Peloton, Cloudflare, Eventbrite, Slack, Supercell, and Rockstar Games. Each month we process billions of exceptions from the most popular products on the internet.
Related Answers
- Are there any issues with using `async`/`await` with `forEach()` loops in JavaScript?
- Asynchronous Callbacks in JavaScript
- Capturing JavaScript Errors
- How do I check if an element is hidden in jQuery?
- Check if a variable is a string in JavaScript
- Fixing ChunkLoadErrors in JavaScript
- Comments in JSON
- Warning: componentWillMount has been Renamed, and is not Recommended for Use
- Convert Unix timestamp to date and time in JavaScript
- Default function parameter values in JavaScript
A better experience for your users. An easier life for your developers.
A peek at your privacy
Here’s a quick look at how Sentry handles your personal information (PII).
×Who we collect PII from
We collect PII about people browsing our website, users of the Sentry service, prospective customers, and people who otherwise interact with us.
What if my PII is included in data sent to Sentry by a Sentry customer (e.g., someone using Sentry to monitor their app)? In this case you have to contact the Sentry customer (e.g., the maker of the app). We do not control the data that is sent to us through the Sentry service for the purposes of application monitoring.
Am I included?PII we may collect about you
- PII provided by you and related to your
- Account, profile, and login
- Requests and inquiries
- Purchases
- PII collected from your device and usage
- PII collected from third parties (e.g., social media)
How we use your PII
- To operate our site and service
- To protect and improve our site and service
- To provide customer care and support
- To communicate with you
- For other purposes (that we inform you of at collection)
Third parties who receive your PII
We may disclose your PII to the following type of recipients:
- Subsidiaries and other affiliates
- Service providers
- Partners (go-to-market, analytics)
- Third-party platforms (when you connect them to our service)
- Governmental authorities (where necessary)
- An actual or potential buyer
We use cookies (but not for advertising)
- We do not use advertising or targeting cookies
- We use necessary cookies to run and improve our site and service
- You can disable cookies but this can impact your use or access to certain parts of our site and service
Know your rights
You may have the following rights related to your PII:
- Access, correct, and update
- Object to or restrict processing
- Port over
- Opt-out of marketing
- Be forgotten by Sentry
- Withdraw your consent
- Complain about us
If you have any questions or concerns about your privacy at Sentry, please email us at compliance@sentry.io.
If you are a California resident, see our Supplemental notice.