InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

Blocks browser script on FTP directory listings

https://forums.informaction.com/viewtopic.php?t=19795

Page 1 of 1

Blocks browser script on FTP directory listings

Posted: Sun Jun 15, 2014 8:22 pm
by SamB
I just visited ftp://lists.gnu.org/info-global/, and was surprised to see that NoScript had blocked something on that page, considering that the page is generated by the browser itself, and as such the script on it is not actually from that domain at all.

Re: Blocks browser script on FTP directory listings

Posted: Sun Jun 15, 2014 8:35 pm
by Thrawn
What NoScript icon did you see?

Re: Blocks browser script on FTP directory listings

Posted: Tue Jun 24, 2014 8:17 pm
by barbaz
Confirmed. This is the script it's blocking:

Code: Select all

<script type="application/javascript">
var gTable, gOrderBy, gTBody, gRows, gUI_showHidden;
document.addEventListener("DOMContentLoaded", function() {
  gTable = document.getElementsByTagName("table")[0];
  gTBody = gTable.tBodies[0];
  if (gTBody.rows.length < 2)
    return;
  gUI_showHidden = document.getElementById("UI_showHidden");
  var headCells = gTable.tHead.rows[0].cells,
      hiddenObjects = false;
  function rowAction(i) {
    return function(event) {
      event.preventDefault();
      orderBy(i);
    }
  }
  for (var i = headCells.length - 1; i >= 0; i--) {
    var anchor = document.createElement("a");
    anchor.href = "";
    anchor.appendChild(headCells[i].firstChild);
    headCells[i].appendChild(anchor);
    headCells[i].addEventListener("click", rowAction(i), true);
  }
  if (gUI_showHidden) {
    gRows = Array.slice(gTBody.rows);
    hiddenObjects = gRows.some(function (row) row.className == "hidden-object");
  }
  gTable.setAttribute("order", "");
  if (hiddenObjects) {
    gUI_showHidden.style.display = "block";
    updateHidden();
  }
}, "false");
function compareRows(rowA, rowB) {
  var a = rowA.cells[gOrderBy].getAttribute("sortable-data") || "";
  var b = rowB.cells[gOrderBy].getAttribute("sortable-data") || "";
  var intA = +a;
  var intB = +b;
  if (a == intA && b == intB) {
    a = intA;
    b = intB;
  } else {
    a = a.toLowerCase();
    b = b.toLowerCase();
  }
  if (a < b)
    return -1;
  if (a > b)
    return 1;
  return 0;
}
function orderBy(column) {
  if (!gRows)
    gRows = Array.slice(gTBody.rows);
  var order;
  if (gOrderBy == column) {
    order = gTable.getAttribute("order") == "asc" ? "desc" : "asc";
  } else {
    order = "asc";
    gOrderBy = column;
    gTable.setAttribute("order-by", column);
    gRows.sort(compareRows);
  }
  gTable.removeChild(gTBody);
  gTable.setAttribute("order", order);
  if (order == "asc")
    for (var i = 0; i < gRows.length; i++)
      gTBody.appendChild(gRows[i]);
  else
    for (var i = gRows.length - 1; i >= 0; i--)
      gTBody.appendChild(gRows[i]);
  gTable.appendChild(gTBody);
}
function updateHidden() {
  gTable.className = gUI_showHidden.getElementsByTagName("input")[0].checked ?
                     "" :
                     "remove-hidden";
}
</script>

Re: Blocks browser script on FTP directory listings

Posted: Wed Jun 25, 2014 1:30 am
by therube
How/where do you see that?


(I'd like to see updates here, http://sourceforge.net/projects/gnuwin32/files/, just because. Like maybe every 6 weeks, a full version number bump & a new, refined GUI [for these command-line tools] & less features ;-).)

Re: Blocks browser script on FTP directory listings

Posted: Wed Jun 25, 2014 2:44 am
by barbaz
therube wrote:How/where do you see that?
I was connected to an FTP server with PaleMoon when I saw what was described in the OP, so I hit Ctrl-Alt-I to bring up the builtin inspector, then searched for script tags.

If you want to see it in SeaMonkey you'll likely need Firebug (not sure if DOMi would work here?).

ETA DOMi can indeed see the script also.

Re: Blocks browser script on FTP directory listings

Posted: Wed Jun 25, 2014 8:57 am
by Giorgio Maone
No matter who creates the script, the principal (origin) assigned by Firefox for security purposes to that page and the scripts it contains is "ftp://lists.gnu.org", probably because a lot of its content (file names, directory banners...) is still generated by the server hence potentially harmful.

You can verify that by running the following code in a privileged (Environment>Browser) Scratchpad:

Code: Select all

alert(content.document.nodePrincipal.origin)
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited