Why “Script Error.” Happens and How to Fix It in Modern Browsers

This article explains the origins of the generic “Script Error.” message, why browsers hide details due to same‑origin policy, and offers practical solutions such as using the crossorigin attribute, CSP reporting, and systematic approaches adopted by major companies to handle script errors effectively.

Alibaba Terminal Technology

This article briefly introduces the Script Error issue and argues that systematic solutions are needed for generic system‑level problems.

Script Error Causes and Current Solutions

Because of the browser's same-origin policy, an error raised while executing a cross-origin script is reported to the page only as the generic message "Script error.", which makes it hard for developers to locate the exact problem. The usual fix is to add the crossorigin attribute to the <script> tag and configure the server to send the Access-Control-Allow-Origin response header.
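
The server half of that fix, as an added example that is not from the original article: a function that decides which CORS headers a script response gets. The allowlist, origins and function name are assumptions. Once a <script> carries crossorigin, a response without a matching Access-Control-Allow-Origin is not executed at all, so the header has to be deployed before the attribute.

```javascript
// Hypothetical allowlist of page origins that may load credentialed scripts
// from this host (constructed values).
const ALLOWED_PAGE_ORIGINS = new Set([
  'https://shop.example.com',
  'https://m.example.com',
]);

// Decide the CORS response headers for a script request.
// mode 'public'       pairs with <script crossorigin="anonymous">
// mode 'credentialed' pairs with <script crossorigin="use-credentials">
function corsHeadersForScript(requestOrigin, mode = 'public') {
  if (mode === 'public') {
    // The wildcard is valid only for requests made without credentials.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  // Credentialed requests: browsers reject the wildcard, so echo the origin
  // only when it is allowlisted, and tell caches the response varies by it.
  if (!requestOrigin || !ALLOWED_PAGE_ORIGINS.has(requestOrigin)) {
    // No Access-Control-Allow-Origin: the browser refuses to run the script.
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}
```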

Some hacky approaches proxy native browser APIs and wrap business code in try…catch, but poorly implemented proxies introduce hidden bugs and performance overhead, making this strategy unwise.

Other Issues

Adding crossorigin can be difficult.

Nested asynchronous script loading (A loads B, B loads C) obscures which external scripts are loaded.

External code injection via browser extensions or custom WebView containers.

Invalid Script Error data makes it hard to assess business impact and wastes monitoring resources.

Server cooperation is required to set the Access-Control-Allow-Origin header.

Root Cause: Why It Is Called Script Error

The behaviour traces back to a 2006 security article. Sites rendered server-side would return different responses for logged-in versus logged-out users. Attackers could load the target site via a script tag, observe the differing error messages, and infer login status, enabling targeted attacks.

<script src="http://mail.google.com/mail/"></script>

Logged in:

Not logged in:

Similar differences appear on other sites (e.g., Amazon). The WHATWG specification defines how error information should be exposed.

Chrome’s implementation follows this spec.
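
What that rule looks like from a monitoring handler, as an added example that is not from the original article: for a muted error the handler receives only "Script error.", an empty URL, line and column 0, and no error object. The collector and the sample events are constructed for illustration.

```javascript
// For a muted (cross-origin, non-CORS) script the HTML spec reports
// message "Script error.", an empty URL, line 0, column 0 and a null error.
function isMutedError(ev) {
  return ev.message === 'Script error.' && !ev.filename &&
    !ev.lineno && !ev.colno && ev.error == null;
}

// Hypothetical collector: muted errors carry no detail, so count them
// instead of storing one record each; group detailed errors by location.
function createErrorCollector() {
  const state = { muted: 0, detailed: new Map() };
  return {
    record(ev) {
      if (isMutedError(ev)) { state.muted += 1; return 'muted'; }
      const key = `${ev.message} @ ${ev.filename}:${ev.lineno}:${ev.colno}`;
      state.detailed.set(key, (state.detailed.get(key) || 0) + 1);
      return 'detailed';
    },
    summary() {
      return { muted: state.muted, detailed: Object.fromEntries(state.detailed) };
    },
  };
}

// In a browser, wire the collector to the global error event.
if (typeof window !== 'undefined') {
  const collector = createErrorCollector();
  window.addEventListener('error', (ev) => collector.record(ev));
}

// Constructed events: the same failure seen without and with crossorigin + CORS.
const SAMPLE_EVENTS = [
  { message: 'Script error.', filename: '', lineno: 0, colno: 0, error: null },
  { message: 'Script error.', filename: '', lineno: 0, colno: 0, error: null },
  { message: 'Uncaught TypeError: x is not a function',
    filename: 'https://cdn.example.com/app.js', lineno: 12, colno: 7,
    error: new TypeError('x is not a function') },
];

function summarizeSamples() {
  const c = createErrorCollector();
  SAMPLE_EVENTS.forEach((ev) => c.record(ev));
  return c.summary();
}
```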

Reference: "I know if you're logged‑in, anywhere" – https://blog.jeremiahgrossman.com/2006/12/i-know-if-youre-logged-in-anywhere.html

Can the Script Error Specification Be Changed?

Given modern browsers’ robust same‑origin policies, there is debate about exposing error message, line number, column number, and URL. The consensus is to keep them hidden to avoid complicating the security model.

Discussion: https://github.com/whatwg/html/issues/2440

unhandledrejection: https://github.com/whatwg/html/issues/5051

How Major Companies Handle Script Error

Testing on several large sites shows different approaches:

var s = document.createElement('script');
s.src = 'https://g.alicdn.com/dinamic/h5-tb-cart/5.0.41/index.min.js';
document.body.appendChild(s);

Google: reports Script Error directly.

Twitter: blocks unknown script loads via CSP, similar to GitHub and Facebook.

QQ Video: reports Script Error and monitors asynchronous script loads.

Future‑Oriented Recommendations

We should not oppose the standard; same‑origin policy will only improve. In China, many developers only use Access-Control-Allow-Origin, which is insufficient.

Twitter’s CSP‑based handling is reasonable: allow only whitelisted scripts with proper crossorigin configuration, preventing external script injection. Large platforms like Taobao face challenges due to scale, but should move toward this direction.

In the short term, improve cross-origin script visibility by enabling CSP Report-Only for cross-origin scripts and by using a plain DOM query to inventory scripts lacking crossorigin:

document.querySelectorAll('script[src]:not([crossorigin])')

By fixing missing crossorigin on obvious cross‑origin scripts (e.g., analytics, security scripts), developers can better diagnose and ignore irrelevant Script Errors.
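
An added example (not from the original article) that goes one step beyond the selector: it compares each script's origin with the page's so same-origin scripts are skipped, builds a Report-Only header, and counts violation reports by blocked origin. The function names, origins, report endpoint and sample data are assumptions.

```javascript
// scripts: [{ src, crossOrigin }]; in a browser, build the list with
// Array.from(document.scripts, s => ({ src: s.src, crossOrigin: s.crossOrigin })).
function scriptsMissingCrossorigin(scripts, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  return scripts
    .filter((s) => s.src && s.crossOrigin == null)
    .filter((s) => new URL(s.src, pageUrl).origin !== pageOrigin)
    .map((s) => s.src);
}

// Report-Only header: nothing is blocked, violations are only reported.
function reportOnlyHeader(allowedOrigins, reportUri) {
  const sources = ["'self'", ...allowedOrigins].join(' ');
  return ['Content-Security-Policy-Report-Only',
    `script-src ${sources}; report-uri ${reportUri}`];
}

// Count report-uri style JSON reports by the origin of the blocked script.
function blockedScriptOrigins(reports) {
  const counts = {};
  for (const report of reports) {
    const r = (report && report['csp-report']) || {};
    const directive = r['effective-directive'] || r['violated-directive'] || '';
    if (!directive.startsWith('script-src')) continue;
    let key = r['blocked-uri'] || 'unknown'; // may be a keyword such as "inline"
    try { key = new URL(key).origin; } catch (_) { /* keep the keyword */ }
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample data (hypothetical origins).
const PAGE = 'https://shop.example.com/cart';
const SCRIPTS = [
  { src: '/static/app.js', crossOrigin: null },
  { src: 'https://cdn.example.net/lib.js', crossOrigin: 'anonymous' },
  { src: 'https://analytics.example.org/t.js', crossOrigin: null },
];
const REPORTS = [
  { 'csp-report': { 'effective-directive': 'script-src-elem',
    'blocked-uri': 'https://analytics.example.org/t.js' } },
  { 'csp-report': { 'effective-directive': 'script-src-elem', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'effective-directive': 'img-src',
    'blocked-uri': 'https://img.example.org/a.png' } },
];
```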

References

What is script error – https://blog.sentry.io/2016/05/17/what-is-script-error

Cryptic "Script Error." reported in Javascript – https://stackoverflow.com/questions/5913978/cryptic-script-error-reported-in-javascript-in-chrome-and-firefox

Alternative approaches to solving "Script Error" – https://juejin.cn/post/6844903727820718094#heading-6

iOS Privacy: Instagram and Facebook tracking – https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser

I know if you're logged‑in, anywhere – https://blog.jeremiahgrossman.com/2006/12/i-know-if-youre-logged-in-anywhere.html

HTML Spec: Runtime script errors – https://html.spec.whatwg.org/multipage/webappapis.html#runtime-script-errors

"Script error." message in window.onerror makes bad DevExp trade off – https://github.com/whatwg/html/issues/2440

unhandledrejection should fire even for muted scripts – https://github.com/whatwg/html/issues/5051

Content‑Security‑Policy‑Report‑Only – https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
