Blocks browser script on FTP directory listings
I just visited ftp://lists.gnu.org/info-global/, and was surprised to see that NoScript had blocked something on that page, considering that the page is generated by the browser itself, and as such the script on it is not actually from that domain at all.
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
Re: Blocks browser script on FTP directory listings
What NoScript icon did you see?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:30.0) Gecko/20100101 Firefox/30.0
Re: Blocks browser script on FTP directory listings
Confirmed. This is the script it's blocking:
<script type="application/javascript">
// Shared state for the directory-listing helpers: the listing <table>, the index
// of the column currently sorted on, the table's first <tbody>, a cached array of
// its rows, and the element with id "UI_showHidden".
var gTable, gOrderBy, gTBody, gRows, gUI_showHidden;
// On DOMContentLoaded: make every header cell a click target that sorts by its
// column and, when the listing contains rows classed "hidden-object", display
// the show-hidden control. This block only reads and rearranges nodes that are
// already in the document; it makes no network requests and evaluates no strings.
// NOTE(review): the listing relies on legacy Mozilla-only constructs (the
// Array.slice generic and an expression closure), so it will not parse or run
// in other engines.
document.addEventListener("DOMContentLoaded", function() {
gTable = document.getElementsByTagName("table")[0];
gTBody = gTable.tBodies[0];
// Fewer than two rows: nothing to sort, so no handlers are installed.
if (gTBody.rows.length < 2)
return;
gUI_showHidden = document.getElementById("UI_showHidden");
var headCells = gTable.tHead.rows[0].cells,
hiddenObjects = false;
// Returns a click handler bound to column index i, so each header sorts by its own column.
function rowAction(i) {
return function(event) {
// The header anchors have an empty href; cancel the default navigation.
event.preventDefault();
orderBy(i);
}
}
// Move each header cell's first child into a new <a href=""> and listen for
// clicks on the cell itself (third argument true: capture phase).
for (var i = headCells.length - 1; i >= 0; i--) {
var anchor = document.createElement("a");
anchor.href = "";
anchor.appendChild(headCells[i].firstChild);
headCells[i].appendChild(anchor);
headCells[i].addEventListener("click", rowAction(i), true);
}
// Only when the show-hidden control exists: snapshot the rows and check
// whether any of them carries the "hidden-object" class.
if (gUI_showHidden) {
// Array.slice is a non-standard Mozilla array generic that copies an array-like into an Array.
gRows = Array.slice(gTBody.rows);
// Expression closure (legacy SpiderMonkey syntax): the expression after the
// parameter list is the function's return value.
hiddenObjects = gRows.some(function (row) row.className == "hidden-object");
}
// Start with an empty "order" attribute; orderBy() sets it to "asc" or "desc".
gTable.setAttribute("order", "");
if (hiddenObjects) {
gUI_showHidden.style.display = "block";
updateHidden();
}
// NOTE(review): the third argument below is the string "false", a non-empty
// string that coerces to true when read as the boolean useCapture flag;
// presumably the boolean false was intended.
}, "false");
/**
 * Sort comparator for two listing rows, keyed on the column selected in the
 * global `gOrderBy`.
 *
 * Each row's key is the "sortable-data" attribute of its cell in that column;
 * a missing or empty attribute is treated as "". When both keys convert to
 * numbers (the empty string converts to 0) they are compared numerically,
 * otherwise both are lower-cased and compared as strings.
 *
 * @param {HTMLTableRowElement} rowA - first row
 * @param {HTMLTableRowElement} rowB - second row
 * @returns {number} -1, 0 or 1, as expected by Array.prototype.sort
 */
function compareRows(rowA, rowB) {
  const keyOf = (row) => row.cells[gOrderBy].getAttribute("sortable-data") || "";

  let left = keyOf(rowA);
  let right = keyOf(rowB);

  const leftNumber = Number(left);
  const rightNumber = Number(right);
  const bothNumeric = !Number.isNaN(leftNumber) && !Number.isNaN(rightNumber);

  if (bothNumeric) {
    left = leftNumber;
    right = rightNumber;
  } else {
    // Mixed or textual keys: fall back to a case-insensitive string comparison.
    left = left.toLowerCase();
    right = right.toLowerCase();
  }

  if (left < right) {
    return -1;
  }
  return left > right ? 1 : 0;
}
/**
 * Sort the listing by `column` and re-attach the rows in the resulting order.
 *
 * Choosing a new column sorts the cached rows ascending with compareRows and
 * records the column in the "order-by" attribute. Choosing the current column
 * again only flips the "order" attribute between "asc" and "desc"; the rows
 * are not re-sorted, they are appended in reverse for "desc".
 *
 * @param {number} column - index of the header cell that was clicked
 */
function orderBy(column) {
  // Snapshot the rows on first use. Array.slice is the non-standard Mozilla
  // array generic used throughout this script.
  if (!gRows) {
    gRows = Array.slice(gTBody.rows);
  }

  let direction = "asc";
  // Loose equality is kept as in the original comparison of the stored column.
  if (gOrderBy == column) {
    direction = gTable.getAttribute("order") === "asc" ? "desc" : "asc";
  } else {
    gOrderBy = column;
    gTable.setAttribute("order-by", column);
    gRows.sort(compareRows);
  }

  // Detach the body while the rows are appended in their new order, then put it back.
  gTable.removeChild(gTBody);
  gTable.setAttribute("order", direction);

  const total = gRows.length;
  for (let step = 0; step < total; step++) {
    const index = direction === "asc" ? step : total - 1 - step;
    gTBody.appendChild(gRows[index]);
  }

  gTable.appendChild(gTBody);
}
/**
 * Sync the table's class with the show-hidden checkbox.
 *
 * Reads the first <input> inside the global `gUI_showHidden` element: when it
 * is checked the table's class is cleared, otherwise it is set to
 * "remove-hidden".
 */
function updateHidden() {
  const toggle = gUI_showHidden.getElementsByTagName("input")[0];
  if (toggle.checked) {
    gTable.className = "";
  } else {
    gTable.className = "remove-hidden";
  }
}
</script>
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (PaleMoon)
Re: Blocks browser script on FTP directory listings
How/where do you see that?
(I'd like to see updates here, http://sourceforge.net/projects/gnuwin32/files/, just because. Like maybe every 6 weeks, a full version number bump & a new, refined GUI [for these command-line tools] & less features
.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26.1
Re: Blocks browser script on FTP directory listings
I was connected to an FTP server with Pale Moon when I saw what was described in the OP, so I hit Ctrl-Alt-I to bring up the built-in inspector, then searched for script tags. (In reply to therube, who wrote: "How/where do you see that?")
ETA: DOMi (the DOM Inspector) can indeed see the script as well.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (PaleMoon)
- Giorgio Maone
- Site Admin
Re: Blocks browser script on FTP directory listings
No matter who creates the script, the principal (origin) that Firefox assigns, for security purposes, to that page and the scripts it contains is "ftp://lists.gnu.org", probably because a lot of the page's content (file names, directory banners...) is still generated by the server and is hence potentially harmful. NoScript's per-site script permissions therefore apply to the listing page as they would to any other page from that origin.
You can verify that by running the following code in a privileged (Environment>Browser) Scratchpad:
// Run from a Scratchpad set to Environment > Browser, where the code executes
// with browser (chrome) privileges and `content` is the current tab's content
// window. Shows the origin of the principal Firefox assigned to the tab's
// document; for the listing discussed above this is the ftp:// origin of the server.
alert(content.document.nodePrincipal.origin)
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0