Why do scripts run on this page?

[Guest]

Hi, I'm using NoScript 1.9.9.45 in Firefox 3.5.8. When I go to this site:

http://www.fmrealty.com/site/property/l ... Num=R17689

(and no, I can't afford that house ) I see a rollover ad just below and to the right of the main picture. I was curious as to how that worked, since I have not enabled scripts on that site. Hovering over the NoScript icon says "Scripts Currently Forbidden" and the full red circle with a line through it is there. Clicking the NoScript icon gives me the option of enabling scripts on the site-- none are already enabled. So I did a view page source, and found the rollover stuff-- it's implemented in JavaScript. Why does it work? Shouldn't NoScript be blocking it? Not that this particular case is very important, but it just made me wonder where else it might be allowing scripts that I don't know about.

Thanks.

[Alan Baxter]

I see a rollover ad just below and to the right of the main picture. I was curious as to how that worked, since I have not enabled scripts on that site.

Apparently it doesn't need javascript to work. I disabled JavaScript in the Firefox Options > Content pane, but the rollover still works. NoScript is working properly and you're still protected from malicious content, but the rollover is using a different implementation. I'll leave it as an exercise to figure out how it does it. (Translation: I don't know.)

[Alan Baxter]

I know now.
It appears to be implemented with CSS. That rollover javascript stuff you see is part of an unrelated text input validation routine and completely unrelated to the image change you see when the cursor hovers over it.

From the source:

Code: Select all

<style type="text/css">
      #MyFMRealty {display: block; width: 239px; height: 177px; background: url("http://www.fmrealty.com/site/images/myfm_teaser3.jpg") no-repeat 0 0;}
      #MyFMRealty:hover {background-position: 0 -188px;}
      #MyFMRealty span {display: none;}
      a.tt{position:relative; z-index:24; color:#3CA3FF; font-weight:normal; text-decoration:none;}
      a.tt span{ display: none; }
      /*background:; ie hack, something must be changed in a for ie to execute it*/
      a.tt:hover{ z-index:25; color: #aaaaff; background:;}
      a.tt:hover span.tooltip{font-weight:normal; display:block; position:absolute; top:0px; left:0; padding: 10px 0 0 0; width:200px; color: #000; font-size:10px
      text-align: left; filter: alpha(opacity:95);	KHTMLOpacity: 0.95; MozOpacity: 0.95; opacity: 0.95;}
      a.tt:hover span.top{display: block; padding: 30px 8px 0; background: url(bubble.gif) no-repeat top;}
      a.tt:hover span.middle{display: block;	padding: 0 8px; 	background: url(bubble_filler.gif) repeat bottom; }
      a.tt:hover span.bottom{display: block;	padding:3px 8px 10px;	color: #548912; background: url(bubble.gif) no-repeat bottom;}
	 </style>

[Guest]

Great detective work, thanks Alan.

[Alan Baxter]

Thank you and you're welcome. It's my pleasure because that's how I learn new stuff.

[Rick]

OK, why does this one work then - http://stmatthews-bristol.org.uk/

I am referring to the red line of drop down menus below the picture. I am pretty certain that it is not CSS.

There are scripts on that page which NoScript does block (e.g. the email address at the bottom right hand corner) but I can't stop the menus however hard I try.

[Rick]

Never mind. It is CSS after all. The javascript is just there for IE6. Clever stuff this CSS

[Don]

I ran across a site that does something similar using a class=__noscriptOpaqued__ which seems to be related to something called StackExchange. When I FORBID that site using NoScript, the class name changes to __noscriptPlaceholder__2 and all of the navigation and Flash in that site disappear. WOT gives it a red circle and the content is a little extreme too.