[thoughtexpt]

From what domain does comcast.js originate? Does the injection still work if we block connections to the IP for that domain?

[jand]

The script is inlined, so blocking by origin seems not possible. You could write a greasemonkey script (is that still a thing?) or write an extension which removes the line

_ComcastAlert.go();

from every visited page.

[ryan-c]

I think you could also insert a script in the document head that adds an event listener for beforescriptexecute that checks for and cancels execution of the comcast script. A website could do this themselves even.

Better yet, block the script if detected, then fire the acknowledgement.

[notahacker]

If script detected, serve not-strictly-accurate but damaging to Comcast warning about "insecure Comcast connection"...