Page 1 of 1
Why do scripts run on this page?
Posted: Sun Mar 07, 2010 2:54 pm
by Guest
Hi, I'm using NoScript 1.9.9.45 in Firefox 3.5.8. When I go to this site:
http://www.fmrealty.com/site/property/l ... Num=R17689
(and no, I can't afford that house
) I see a rollover ad just below and to the right of the main picture. I was curious as to how that worked, since I have not enabled scripts on that site. Hovering over the NoScript icon says "Scripts Currently Forbidden" and the full red circle with a line through it is there. Clicking the NoScript icon gives me the option of enabling scripts on the site-- none are already enabled. So I did a view page source, and found the rollover stuff-- it's implemented in JavaScript. Why does it work? Shouldn't NoScript be blocking it? Not that this particular case is very important, but it just made me wonder where else it might be allowing scripts that I don't know about.
Thanks.
Re: Why do scripts run on this page?
Posted: Sun Mar 07, 2010 3:35 pm
by Alan Baxter
Guest wrote:I see a rollover ad just below and to the right of the main picture. I was curious as to how that worked, since I have not enabled scripts on that site.
Apparently it doesn't need javascript to work. I disabled JavaScript in the Firefox Options > Content pane, but the rollover still works. NoScript is working properly and you're still protected from malicious content, but the rollover is using a different implementation. I'll leave it as an exercise to figure out how it does it. (Translation: I don't know.)
Re: Why do scripts run on this page?
Posted: Sun Mar 07, 2010 3:51 pm
by Alan Baxter
I know now.
It appears to be implemented with CSS. That rollover javascript stuff you see is part of an unrelated text input validation routine and completely unrelated to the image change you see when the cursor hovers over it.
From the source:
Code: Select all
<style type="text/css">
#MyFMRealty {display: block; width: 239px; height: 177px; background: url("http://www.fmrealty.com/site/images/myfm_teaser3.jpg") no-repeat 0 0;}
#MyFMRealty:hover {background-position: 0 -188px;}
#MyFMRealty span {display: none;}
a.tt{position:relative; z-index:24; color:#3CA3FF; font-weight:normal; text-decoration:none;}
a.tt span{ display: none; }
/*background:; ie hack, something must be changed in a for ie to execute it*/
a.tt:hover{ z-index:25; color: #aaaaff; background:;}
a.tt:hover span.tooltip{font-weight:normal; display:block; position:absolute; top:0px; left:0; padding: 10px 0 0 0; width:200px; color: #000; font-size:10px
text-align: left; filter: alpha(opacity:95); KHTMLOpacity: 0.95; MozOpacity: 0.95; opacity: 0.95;}
a.tt:hover span.top{display: block; padding: 30px 8px 0; background: url(bubble.gif) no-repeat top;}
a.tt:hover span.middle{display: block; padding: 0 8px; background: url(bubble_filler.gif) repeat bottom; }
a.tt:hover span.bottom{display: block; padding:3px 8px 10px; color: #548912; background: url(bubble.gif) no-repeat bottom;}
</style>
Re: Why do scripts run on this page?
Posted: Tue Mar 09, 2010 1:52 pm
by Guest
Great detective work, thanks Alan.
Re: Why do scripts run on this page?
Posted: Tue Mar 09, 2010 3:46 pm
by Alan Baxter
Thank you and you're welcome. It's my pleasure because that's how I learn new stuff.
Re: Why do scripts run on this page?
Posted: Fri Mar 12, 2010 12:55 pm
by Rick
OK, why does this one work then -
http://stmatthews-bristol.org.uk/
I am referring to the red line of drop down menus below the picture. I am pretty certain that it is not CSS.
There are scripts on that page which NoScript does block (e.g. the email address at the bottom right hand corner) but I can't stop the menus however hard I try.
Re: Why do scripts run on this page?
Posted: Fri Mar 12, 2010 1:33 pm
by Rick
Never mind. It is CSS after all. The javascript is just there for IE6. Clever stuff this CSS
Re: Why do scripts run on this page?
Posted: Fri Mar 12, 2010 1:51 pm
by Don
I ran across a site that does something similar using a class=__noscriptOpaqued__ which seems to be related to something called StackExchange. When I FORBID that site using NoScript, the class name changes to __noscriptPlaceholder__2 and all of the navigation and Flash in that site disappear. WOT gives it a red circle and the content is a little extreme too.