The test link appeared on several renowned security forums, so I very much doubt there is something fishy about it.
Else you have to dig deep down into the register to get to traces of this.
There are 5 native scripts on that test site, none of which blocked and only google analytics dot com.
Nothing out of the ordinairy here as well:
http://www.dnsinspect.com/filippo.io/1424639646 - hosted by CloudFlare.
I tested this site before I passed it on:
http://fetch.scritch.org/%2Bfetch/?url=https%3A%2F%2Ffilippo.io%2FBadfish%2F&useragent=Fetch+useragent&accept_encoding=In the case of Yes, the connection is not private: htxps://san.filippo.io/yes.js?cachekill=
and htxps://selfsigned.filippo.io/yes.js?cachekill= & htxps://badfish.filippo.io/yes.js?cachekill=
Could not get domain's name servers from parent servers, because it is self-signed naturally
html5shiv.js was implemented by the researchers to get results from earlier IE versions.
Security Header Status for test site -
https://www.uploady.com/download/l0pdXoxI5Pi/7jjn923f6vpne2jPWarnings on: The secure flag on cookies instructs the browser to only submit the cookie as part of requests over secure (HTTPS) connections. This prevents the cookie from being observed as plain text in transit over the network.
The HttpOnly flag instructs the browser that this cookie can only be accessed when sending an HTTP request. This prevents scripts running as part of a page from retrieving the value and is a defense against XSS attacks.
Major Warning: Data returned in web responses can be cached by user's browsers as well as by intermediate proxies. This directive instructs them not to retain the page content in order to prevent others from accessing sensitive content from these caches. But we have to trust the researcher expert's good intentions.
Again the proverb goes""You can take a horse to the water, but tou cannot make it drink!".
Damian
Manual removal of that Superfish:
https://filippo.io/Badfish/removing.html