Security Error on console (noticed on meta)


(YOU) #1

Firefox 26

SecurityError: The operation is insecure.
...igger("always",null,r),0===this._active&&(this._trigger("stop"),this._loaded=thi...

vendor...319a.js (15 lines)

Chrome 33

Uncaught SecurityError: Failed to execute 'toDataURL' on 'HTMLCanvasElement': Tainted canvases may not be exported. vendor-661cd4437a4f86d72c2cc2d7f5b7319a.js:15
n vendor-661cd4437a4f86d72c2cc2d7f5b7319a.js:15
r.canvas.getContext.i.onload vendor-661cd4437a4f86d72c2cc2d7f5b7319a.js:15

Safari 7

[Error] SecurityError: DOM Exception 18: An attempt was made to break through the security policy of the user agent.
	n (vendor-661cd4437a4f86d72c2cc2d7f5b7319a.js, line 15)
	onload (vendor-661cd4437a4f86d72c2cc2d7f5b7319a.js, line 15)

(Régis Hanol) #2

Do you happen to have enabled the "Show incoming message notifications on favicon" setting on your preference page?


(YOU) #3

Oh ok. It was on, and now the error has cleared.

PS: I just noticed "Uncaught TypeError: Object [object Object] has no method 'on'" if I browse the Discourse Meta page directly, but it does not matter since it does not seem to browse it directly.


(Sam Saffron) #4

@chrishunt I noticed these errors started with the favicon stuff lately, is there a new rev we should update to?


(Chris Hunt) #5

@sam I’ll have a look :thumbsup:


(Chris Hunt) #6

I believe this is happening because the meta favicon is being served from a different domain (cdn.discourse.org/meta) and does not have the correct Access-Control-Allow-Origin header set. The browsers are preventing us from injecting the favicon dynamically with JavaScript because they think we don’t have permission to use the image.

You can fix this by either serving the favicon from the same domain (meta.discourse.org) or by setting the correct header on your image host if you have access.

I think it should be:

Access-Control-Allow-Origin: https://meta.discourse.org

You can verify with:

$ curl -I //discourse-meta.s3-us-west-1.amazonaws.com/original/2X/8/84e98c1bb325985b399b23ddde6d2e7d081bc607.ico

HTTP/1.1 302 Found
Server: nginx
Date: Wed, 08 Jan 2014 22:58:09 GMT
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache
Location: https://meta.discourse.org//discourse-meta.s3-us-west-1.amazonaws.com/original/2X/8/84e98c1bb325985b399b23ddde6d2e7d081bc607.ico
X-Edge-IP: 192.252.220.98
X-Edge-Location: Long Beach, US
X-Cache: MISS

A correct header looks like:

$ curl -I http://ip.jsontest.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json
Content-Length: 25
Date: Wed, 08 Jan 2014 22:57:19 GMT
Server: Google Frontend
Alternate-Protocol: 80:quic,80:quic
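
The header check described in post #6, as an added example that is not part of the original post or of Discourse's code: given a response head as printed by `curl -I`, it decides whether a page at a given origin could export a canvas containing that image. It assumes the image is requested with `crossOrigin = "anonymous"` (without that attribute a cross-origin image taints the canvas whatever the server sends); the function names and the favicon file name are hypothetical.

```javascript
// Added example (not from the thread). Given the head of an image response
// (as printed by `curl -I`), decide whether a page at pageOrigin could read
// the image back out of a canvas after loading it with crossOrigin="anonymous".

// Parse a response head into { status, headers }, header names lower-cased.
function parseHead(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const m = /^HTTP\/\S+\s+(\d{3})/.exec(lines[0]);
  if (!m) throw new Error("not an HTTP response head");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(m[1]), headers };
}

function canvasReadable(pageOrigin, imageUrl, rawHead) {
  const { status, headers } = parseHead(rawHead);
  // Same-origin images never taint the canvas; no CORS header is needed.
  if (new URL(imageUrl, pageOrigin).origin === pageOrigin) {
    return { ok: true, reason: "same origin" };
  }
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) {
    return { ok: false, reason: `no Access-Control-Allow-Origin on ${status} response` };
  }
  // Anonymous mode accepts "*" or an exact match of the serialized origin.
  if (acao === "*" || acao === pageOrigin) {
    // A 3xx that passes still needs the same check on its Location target.
    return { ok: true, reason: `allowed by "${acao}"`, next: headers.location || null };
  }
  return { ok: false, reason: `"${acao}" does not match ${pageOrigin}` };
}

const PAGE = "https://meta.discourse.org";
// Host from the post above; the file name is a placeholder.
const FAVICON = "https://cdn.discourse.org/meta/favicon-placeholder.ico";
// Response heads abridged from the two curl outputs in the post above.
const CDN_HEAD = "HTTP/1.1 302 Found\nServer: nginx\nCache-Control: no-cache\nX-Cache: MISS";
const OK_HEAD = "HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: *\nContent-Type: application/json";
// Constructed: the header value the post proposes, and a mismatching one.
const FIXED_HEAD = "HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: https://meta.discourse.org";
const WRONG_HEAD = "HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: https://example.org";

for (const head of [CDN_HEAD, OK_HEAD, FIXED_HEAD, WRONG_HEAD]) {
  console.log(canvasReadable(PAGE, FAVICON, head));
}
```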

(Sam Saffron) #7

Great catch, I will get this sorted, thanks HEAPS for having a look

The funny thing is that we have the header set for fonts.


(Sam Saffron) #8

Can you confirm that after a shift-refresh these errors are all gone?


(YOU) #9

Ya, Security Error on my original post is gone now. I turned “Show incoming message notifications on favicon” option back on.

But "Uncaught TypeError: Object [object Object] has no method 'on'" when directly browsing profile pages is still there. But it may be a separate case.

Some more errors during this post reply

Uncaught TypeError: Cannot call method 'each' of undefined application-566b489b9d01e270d7b904d82e785e9a.js:8
Discourse.PostView.Discourse.GroupedView.extend.insertQuoteControls application-566b489b9d01e270d7b904d82e785e9a.js:8
(anonymous function) application-566b489b9d01e270d7b904d82e785e9a.js:8
n.flush vendor-4341c2860b28db4886d036ef594edec3.js:5
r.end vendor-4341c2860b28db4886d036ef594edec3.js:5
r.run vendor-4341c2860b28db4886d036ef594edec3.js:5
Ember.run vendor-4341c2860b28db4886d036ef594edec3.js:5
l.registeredActions.(anonymous function).handler vendor-4341c2860b28db4886d036ef594edec3.js:11
(anonymous function) vendor-4341c2860b28db4886d036ef594edec3.js:8
Ember.handleErrors vendor-4341c2860b28db4886d036ef594edec3.js:4
(anonymous function) vendor-4341c2860b28db4886d036ef594edec3.js:8
ot.event.dispatch vendor-4341c2860b28db4886d036ef594edec3.js:3
v.handle

Uncaught TypeError: Cannot call method 'get' of null application-566b489b9d01e270d7b904d82e785e9a.js:4
Discourse.TopicController.Discourse.ObjectController.extend.topVisibleChanged application-566b489b9d01e270d7b904d82e785e9a.js:4
(anonymous function) vendor-4341c2860b28db4886d036ef594edec3.js:17
u vendor-4341c2860b28db4886d036ef594edec3.js:5
n.flush vendor-4341c2860b28db4886d036ef594edec3.js:5
l vendor-4341c2860b28db4886d036ef594edec3.js:5
Ember.tryFinally vendor-4341c2860b28db4886d036ef594edec3.js:5
Ember.changeProperties vendor-4341c2860b28db4886d036ef594edec3.js:5
Ember.setProperties vendor-4341c2860b28db4886d036ef594edec3.js:5
Ember.Observable.Ember.Mixin.create.setProperties vendor-4341c2860b28db4886d036ef594edec3.js:6
Ember.CloakedCollectionView.Ember.CollectionView.extend.scrolled vendor-4341c2860b28db4886d036ef594edec3.js:17
n.flush vendor-4341c2860b28db4886d036ef594edec3.js:5
r.end vendor-4341c2860b28db4886d036ef594edec3.js:5
r.run vendor-4341c2860b28db4886d036ef594edec3.js:5
(anonymous function)

(Robin Ward) #10

I think I’ve fixed the preferences browsing bug but I can’t seem to reproduce the errors while replying. How did you get those ones to show up?


(YOU) #11

Looks like no problem now.

Hmm, looks like if I use the browser back button twice and edit the post, then I get some errors.
(not sure these are the correct actions)

Uncaught TypeError: Cannot call method 'get' of null application-13f8c43ae31d4fd2b31474a043895b45.js:4
Discourse.TopicController.Discourse.ObjectController.extend.topVisibleChanged application-13f8c43ae31d4fd2b31474a043895b45.js:4
(anonymous function) vendor-4341c2860b28db4886d036ef594edec3.js:17
u vendor-4341c2860b28db4886d036ef594edec3.js:5
n.flush vendor-4341c2860b28db4886d036ef594edec3.js:5
l vendor-4341c2860b28db4886d036ef594edec3.js:5
Ember.tryFinally vendor-4341c2860b28db4886d036ef594edec3.js:5
Ember.changeProperties vendor-4341c2860b28db4886d036ef594edec3.js:5
Ember.setProperties vendor-4341c2860b28db4886d036ef594edec3.js:5
Ember.Observable.Ember.Mixin.create.setProperties vendor-4341c2860b28db4886d036ef594edec3.js:6
Ember.CloakedCollectionView.Ember.CollectionView.extend.scrolled vendor-4341c2860b28db4886d036ef594edec3.js:17
n.flush vendor-4341c2860b28db4886d036ef594edec3.js:5
r.end vendor-4341c2860b28db4886d036ef594edec3.js:5
r.run vendor-4341c2860b28db4886d036ef594edec3.js:5
(anonymous function)

Uncaught TypeError: Cannot call method 'each' of undefined application-13f8c43ae31d4fd2b31474a043895b45.js:8
Discourse.PostView.Discourse.GroupedView.extend.insertQuoteControls application-13f8c43ae31d4fd2b31474a043895b45.js:8
(anonymous function) application-13f8c43ae31d4fd2b31474a043895b45.js:8
n.flush vendor-4341c2860b28db4886d036ef594edec3.js:5
r.end vendor-4341c2860b28db4886d036ef594edec3.js:5
r.run vendor-4341c2860b28db4886d036ef594edec3.js:5
Ember.run vendor-4341c2860b28db4886d036ef594edec3.js:5
l.registeredActions.(anonymous function).handler vendor-4341c2860b28db4886d036ef594edec3.js:11
(anonymous function) vendor-4341c2860b28db4886d036ef594edec3.js:8
Ember.handleErrors vendor-4341c2860b28db4886d036ef594edec3.js:4
(anonymous function) vendor-4341c2860b28db4886d036ef594edec3.js:8
ot.event.dispatch vendor-4341c2860b28db4886d036ef594edec3.js:3
v.handle

and once I got that error, every edit gives me one error: “each” of undefined

but apart from the error on the console, post editing works properly, so maybe no need to worry.


(Jeff Atwood) #12

We can’t repro that one, also seems a bit obscure. But thank you very much for all the reports, whenever I see a bug entry from YOU I always know it is going to be a good one based on experience here and elsewhere. :trophy:


(Jeff Atwood) #13