Using FF 6.0 on OS X 10.6.8, I get the following message in the error console, but get no warning in the browser:
[NoScript] Blocking cross-site Javascript served from http://crypto-js.googlecode.com/files/2 ... pto-md5.js with wrong type info text/plain, attachment; filename="2.3.0-crypto-md5.js" and included by http://www.clockworkmod.com/desksms/#
Also, it seems NoScript is blocking it, preventing the site from working. Is this a vulnerability I should be concerned with? I want to use the site, but I'm not sure how to get it safely working with NoScript enabled. Is there a setting in NoScript I should change, or is this an issue I should push to the site developer?
Thanks for your help.
No blocked XSS notification
- Giorgio Maone
- Site Admin
Re: No blocked XSS notification
This is an issue which should be pushed to the site developer, who should stop including scripts directly from source code repositories like googlecode.com or github.com. This is bad practice, and in fact it is discouraged by the repositories themselves, which force text/plain or text/c as the content type for any file rather than the proper one, because anybody can upload any file there, and if you trust the site you automatically trust any arbitrary inclusion.
The solution is self-hosting those JavaScript files or using a dedicated CDN (like googleapis.com does, for instance).
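As an added illustration of the reply above (this is not NoScript's code, nor the site's), the check below audits a page's cross-site script includes for the two signals the blocked-script message reported: a host that is a source-code repository and a response whose Content-Type is not a script type. All hosts, paths, headers and the page URL in the sample are constructed for the example.

```javascript
// Added example, not NoScript's code: audit a page's external <script src> includes
// on the two signals NoScript reported here: a source-code-repository host and a
// non-script Content-Type. Hosts, paths and headers below are constructed samples.
const SOURCE_REPO_HOSTS = ["googlecode.com", "github.com"];
const SCRIPT_MIME_TYPES = new Set(["application/javascript", "text/javascript", "application/x-javascript"]);
function isSourceRepoHost(hostname) {
  return SOURCE_REPO_HOSTS.some((h) => hostname === h || hostname.endsWith("." + h));
}

function isScriptContentType(contentType) {
  // The MIME type is the token before any ';' parameters, compared case-insensitively.
  const mime = (contentType || "").split(";")[0].trim().toLowerCase();
  return SCRIPT_MIME_TYPES.has(mime);
}
// Collect cross-site <script src> URLs from the HTML, resolved against the page URL.
function externalScripts(html, pageUrl) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const pageHost = new URL(pageUrl).host;
  const found = [];
  for (let m; (m = re.exec(html)) !== null; ) {
    const u = new URL(m[1], pageUrl);
    if (u.host !== pageHost) found.push(u.href);
  }
  return found;
}

// headersByUrl maps each script URL to its response headers (lower-case names),
// as a HEAD request would return them; a real audit would fetch them.
function auditScripts(html, pageUrl, headersByUrl) {
  return externalScripts(html, pageUrl).map((src) => {
    const h = headersByUrl[src] || {};
    const problems = [];
    if (isSourceRepoHost(new URL(src).hostname)) problems.push("source-code repository host");
    if (!isScriptContentType(h["content-type"])) problems.push("non-script Content-Type: " + (h["content-type"] || "none"));
    if (/^\s*attachment\b/i.test(h["content-disposition"] || "")) problems.push("served as a download attachment");
    return { src, problems };
  });
}

// Constructed sample page: one repository-hosted script, one CDN script, one same-site script.
const SAMPLE_HTML = `<script src="http://crypto-js.googlecode.com/files/example-md5.js"></script>
<script src="https://ajax.googleapis.com/example.js"></script><script src="/app.js"></script>`;
const SAMPLE_HEADERS = {
  "http://crypto-js.googlecode.com/files/example-md5.js": {
    "content-type": "text/plain", "content-disposition": 'attachment; filename="example-md5.js"' },
  "https://ajax.googleapis.com/example.js": { "content-type": "text/javascript; charset=UTF-8" },
};
const REPORT = auditScripts(SAMPLE_HTML, "http://www.example.com/", SAMPLE_HEADERS);
console.log(JSON.stringify(REPORT, null, 1));
```

Only the repository-hosted include is flagged; the CDN include with a proper script Content-Type passes, which is the distinction the reply draws.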
Re: No blocked XSS notification
Giorgio,
Giorgio Maone wrote:
This is an issue which should be pushed to the site developer, who should stop including scripts directly from source code repositories like googlecode.com or github.com. This is bad practice, and in fact is discouraged by the repositories themselves which force text/plain or text/c as the content type for any file, rather than the proper one, because anybody can upload any file there and if you trust the site you automatically trust any arbitrary inclusion.
The solution is self-hosting those JavaScript files or using a dedicated CDN (like googleapis.com does, for instance).
Thanks for the reply, I'll push the info to the site developer.