inline script tag still runs, though nothing's allowed

[just_confused]

I am at this URL: http://nintendoeverything.com/another-r ... -comments/

I have nothing allowed in noscript, seen here: http://i.imgur.com/999u96r.png .

The page has an inline script tag, which hijacks the 'copy' event, and inserts extra text: http://i.imgur.com/Cy1MInS.png

This script tag is still running, and my copy is still interfered with.

Am I misunderstanding a basic functionality of NoScript, or missing a setting or allowance? Why is this script still running?

[barbaz]

What exactly are you trying to copy on that page?

[Giorgio Maone]

You're using an old version of NoScript (2.5.4) which cannot block any inline script on Firefox 28 and above.
Why?

[therube]

> What exactly are you trying to copy on that page?

Anything at all.
"Read more at..." is appended to the copied text.

> which cannot block any inline script

Wasn't (particularly) aware that inline scripts could be blocked?
Not seeing where recent FF/NoScript is making any difference?

Hmm...
Well it looks like that (or at least some) behavior did change over time, Inline Scripts.

[barbaz]

Wasn't (particularly) aware that inline scripts could be blocked?

NS wouldn't be much of a security tool if it couldn't block inline scripts...

Not seeing where recent FF/NoScript is making any difference?

NS used to use CAPS to block inline scripts, but Mozilla ripped out CAPS in Gecko 28/29, so NS had to be modified to only use CAPS in old Gecko versions.
http://forums.informaction.com/viewtopi ... 10&t=18724

[therube]

(I probably missed Thrawn's reply. And maybe one day I'll understand , Inline Script Blockage.)

[therube]

"Read more at..." is appended to the copied text.

Could have sworn I saw that occur, with a different Profile, earlier today, but not seeing it now in my current Profile.

[barbaz]

(I probably missed Thrawn's reply. And maybe one day I'll understand , Inline Script Blockage.)

Come on therube, it's not that hard and you've almost got it anyway

In default configuration, scripts from (Temp-)Allowed domains will run if either a) the domain is that of the top-level site or an (i)frame, or b) the site is (temp)Allowed and the script is included there with a script tag like you mentioned in the OP of that other thread. For how embeddings get Allowed base on site permissions - it's pretty similar to regular scripts, see http://noscript.net/features#contentblocking

[barbaz]

"Read more at..." is appended to the copied text.

Could have sworn I saw that occur, with a different Profile, earlier today, but not seeing it now in my current Profile.

What exactly were you trying to copy on that page when you saw that?

[therube]

What exactly were you trying to copy on that page when you saw that?

It was just that, exactly anything, any word, any character, any phrase.

I'll check again this evening & see if I can dup.

[therube]

Not able to DUP it, but when I opened from Session Restore, what I had pasted this morning was still displaying in the location bar.

Have to assume I did it "correctly" at the time?

[barbaz]

Not able to DUP it,

OK neither can I and it doesn't seem that I'm relying on Disable clipboard manipulations to keep the extra stuff off.
Just trying to make sure there wasn't something like this happening here.

[just_confused]

You're using an old version of NoScript (2.5.4) which cannot block any inline script on Firefox 28 and above.
Why?

Ooh. You called it. Upgraded and the behavior is gone.
No reason for the old version, just NoScript usually keeps itself updated. Was 2.5.4 around the time it stopped being hosted through Mozilla?

Thank you so much for the help!

[Thrawn]

NoScript is still hosted through Mozilla. Did you disable automatic updates?

[just_confused]

Oh, y'know, I'm thinking of https everywhere. Never mind. I shall scour my update settings.