fix a NSE bug when http-cross-domain-policy has no output. Closes #343

scripts/http-cross-domain-policy.nse

@@ -279,16 +279,16 @@ Forgery attacks, and may allow third parties to access sensitive data meant for
      }
   local check, domains, domains_available, content = check_crossdomain(host, port, lookup)
   local mt = {__tostring=function(p) return ("%s:\n      %s"):format(p.name, p.body:gsub("\n", "\n      ")) end}
-  for i, _ in pairs(content) do
-    setmetatable(content[i], mt)
-    tostring(content[i])
-  end
   if check then
     if stdnse.contains(domains, "*") or stdnse.contains(domains, "https://") or stdnse.contains(domains, "http://") then
       vuln.state = vulns.STATE.VULN
     else
       vuln.state = vulns.STATE.LIKELY_VULN
     end
+    for i, _ in pairs(content) do
+      setmetatable(content[i], mt)
+      tostring(content[i])
+    end
     vuln.check_results = content
     vuln.extra_info = string.format("Trusted domains:%s\n", stdnse.strjoin(', ', domains))
     if not(lookup) and nmap.verbosity()>=2 then