Udostępnij za pośrednictwem


IE8 and Trustworthy Browsing

This blog post frames our approach in IE8 for delivering trustworthy browsing. The topic is complicated enough that some context and even history (before we go into any particular feature) is important, and so some readers may find this post a bit basic as it’s written for a wide audience. In previous posts here, we’ve written about IE8 for developers: the work in standards support, developer tools, script performance, and more. In future posts, we’ll write about IE8 for end-users (beyond the benefits of improved performance, activities, and Web Slices). This post starts a series about trustworthy browsing, a topic important for developers and end-users and everyone on the web. By setting the context and motivation with this post, the next posts that dive into the details of IE8 will build on this foundation.

Trustworthy refers to one of our overall goals: provide the most secure and most reliable browser that respects user choice and keeps users in control of their machine and their information. For reference, Microsoft’s framework for Trustworthy Computing in general spans four areas: security, privacy, reliability, and business practices.

Security is often where the trust discussion begins. Narrowly, security in this context means “as the user browses the web, the only code that runs on the user’s machine is code that the user allows to run". For example, when the user visits “www.somebadsite.com” the site should not be able to just run “virus.exe” and infect the user’s machine with malware. IE7 made a lot of progress on security, starting with Protected Mode and developing IE to be “secure by design, secure by default” as part of the following SDL requirements. IE7 was the first browser to support Extended Validation certificates to help protect users from deceptive websites, as well as delivering anti-phishing protection, International Domain Name support with protection from deceptive websites, a richer SSL experience and support for stronger SSL cipher algorithms, ActiveX opt-in, and great integration with Parental Controls in Windows Vista. We have done even more security work in IE8 to address the evolving threat environment.

Privacy is a complex topic that more often than not puts one party in conflict with another. If security boils down to “the user is in control of what code runs on the machine,” then privacy boils down to “the user is in control of what information the browser makes available to websites". Many people immediately think of “cookies” at this point because so much discussion and early work around privacy focused on the specific implementation of cookies. Cookies and cookie protection are definitely one aspect of the online privacy discussion. IE6 included innovative work implementing the P3P web standard (from the W3C), and both IE6 and IE7 use it to block cookies from websites that don’t have a privacy policy that complies with the user’s settings. It’s a great example of a privacy protection in use today on the web. In IE7, deleting cookies as well as other information that shows where the user has been on the web is much easier.  That said, there’s more to online privacy than cookies, as cookies are only one implementation of content that can disclose information to websites. In some discussions, people have also described IE7’s Phishing Filter as a privacy feature because it helps protect users from sharing information. The larger challenge here is notifying users clearly about what sites they’re disclosing information to and enabling them to control that disclosure if they choose. As we talk more about privacy, we will broaden the discussion to include additional protections from sharing information that the browser can offer users.

Reliability is relatively simple: the browser should always start, find the Internet, and show web sites without crashing. We define reliability to mean “as the user browses the web, the browser performs well and does not terminate unexpectedly". End-users really don’t care about the cause of instability in the system – malformed web pages (see the old Slashdot article that this post refers to, for example) or third-party extensions (like toolbars; see this post about IE7’s “No Add-ons” functionality) – they just want the browser to work. In addition, when something does go wrong, an important part of reliability is how gracefully the browser recovers from the unexpected. Another aspect of reliability is that sites continue to render correctly. We’ll post more here about the work we’ve done to make IE8 more robust, as well as more interoperable and compatible at the same time.

Business practices guide decisions we make in designing and distributing our products. The key principle here is respecting user choice. For example, when a user installs a new version of IE, IE respects the user’s choice of default search engine. In IE, the user can add or remove different search providers using OpenSearch, a public and open standard that some other browsers have chosen to support as well. IE respects the user’s choice of system defaults (Windows Vista’s “Default Programs” functionality, as well as Windows XP’s Set Program Access Defaults). Explicitly asking the user before installing a new version of IE is key to respecting the user’s browser choice. 

Ultimately, trustworthy browsing is about enabling users to be in control and respecting the choices users make. Specifically, it’s about enabling users to be in control of their machine, of their browser, of their settings, of their experience, of what data they share with whom when. Each part of trustworthy browsing involves an industry-wide challenge. For example, security is an industry challenge; every browser on the web faces attacks.

While all these statements may sound inherently obvious to some readers, these topics are so important that we thought it would be good to talk in general about how we think about them overall.  Over the coming weeks this blog series will talk about how we’re making progress against these challenges, to set the stage for the release of IE8 Beta 2 in August.

Thanks,

Dean Hachamovitch
General Manager
Internet Explorer

Edit: removed hyperlink

Comments

  • Anonymous
    June 24, 2008
    The General Manager of Internet Explorer doesn't know that you check an URL before posting it, or you use the canonical "example.com"?

  • Anonymous
    June 24, 2008
    "Edit: removed hyperlink" Oh come on, Dean. Where's the humor? :P

  • Anonymous
    June 24, 2008
    One thing I would very much like is for instnaces of IE to be more separated in memory. That way if one tab or window crashed it wouldn't bring down the others. Good crash recovery is also a must for IE8. Finally, though, I think the problem of toolbars etc should be dealt with once and for all. When an add-on is identified as the cause of a browser crash, that add-on should be disabled and the user notified. Maybe that would encourage the developers of buggy code (looking at Apple here and their ghastly Quicktime...) to make their add-ons run properly.

  • Anonymous
    June 24, 2008
    long's actions are outright ridiculous. sure, ms is gonna drive traffic to him, let him make adsense-money at their expense. just for the fun of it. sure.

  • Anonymous
    June 24, 2008
    Re: "people have also described IE7's Phishing Filter as a privacy feature because it helps protect users from sharing information" Yet they are happy to send every single URL they browse to Microsoft or one of their agents.

  • Anonymous
    June 25, 2008
    How about another requirement for a 'trustworthy' IE. Comply with standards - Complying with standards is very important for a globally accessible world wide web.  We at Microsoft are committed to following standards and working with the W3C to develop standards BEFORE implementing them in our browser.  We refuse to go back to the old days of trying to create a proprietary web.  We understand that this makes web developers trust us, because we are all about helping developers, developers, developers.

  • Anonymous
    June 25, 2008
    @Ozzie, I find this hilarious, but somebadsite.com seems to consistently crash my version of Firefox 3.0. That really is a bad site!

  • Anonymous
    June 25, 2008
    The comment has been removed

  • Anonymous
    June 25, 2008
    The comment has been removed

  • Anonymous
    June 25, 2008
    The "most secure|reliable browser" is also something, something..stupid. Every browser has it flaws, maybe IE some more than others, but hey. They are at least trying to make it better then before. Some competitions among browsers can't hurt the end user, right?

  • Anonymous
    June 25, 2008
    uh, guys, read the start of the sentence. it's their goal. not all obvious how to even judge what the most secure reliable browser is...

  • Anonymous
    June 25, 2008
    Hello Mr Hachamovitch, I agree and support "billibob"'s post { "Complying with standards is very important for a globally accessible world wide web.  We at Microsoft are committed to following standards and working with the W3C to develop standards BEFORE implementing them in our browser.  We refuse to go back to the old days of trying to create a proprietary web.  We understand that this makes web developers trust us, because we are all about helping developers, developers, developers." } on compliance with W3C web standards. That too should be a very "loud and clear", visible, resounding and echoing commitment regarding IE 8 (and future releases of IE) trustworthy browsing. In the past (say, from late 2001 to 2004 inclusively), Microsoft's commitments toward implementing W3C web standards (HTML 4, CSS 1, CSS 2.x, DOM 1, DOM 2, ATAG 1, UAAG 1, etc) have been weak, unreliable, not trustworthy. I don't want to pounce furthermore on this issue because I can see, verify and measure results, improvements, better compliance, particularly in the CSS 2.1 spec in IE 8. IE 8 and UAAG guidelines/recommendations. I'd like to see Microsoft commit to this formally. Font-size control by the user (Jakob Nielsen) www.useit.com/alertbox/20020819.html A lot of ageing baby-boomers are now more and more fighting/struggling with webpages using 9px, 10px, 11px, 12px font-size. This was mentioned before by me at channel9.msdn.com/Wiki/InternetExplorerFeatureRequests and also in IE blog by 2 posters (Jordan Biserkov March 27th and Cecil Ward April 4th) regarding "Internet Explorer 8 and Adaptive Zoom" IE blog post on March 25th 2008 from Saloni Mira Rai.    "For this year's list of worst design mistakes, (...) I asked readers of my newsletter to nominate the usability problems they found the most irritating. (...) Bad fonts won the vote by a landslide, getting almost twice as many votes as the #2 mistake. About two-thirds of the voters complained about small font sizes or frozen font sizes;"    Top Ten Web Design Mistakes of 2005: 1. Legibility Problems " www.useit.com/alertbox/designmistakes.html Educate web designers on best coding (web standards compliant,  interoperable and accessible) practices (at MSDN2 and elsewhere) and then practice what you preach. I often stumble on non-text-size-resizable webpages at Microsoft. Regards, Gérard

  • Anonymous
    June 25, 2008
    I have been running ie7 for a long time and in the last few days it has been crashing frequently. I reloaded it from scratch with all of the updates and that did not fix the problem. My PC is current on all MS updates. I have been reporting this to MS ever since it started. Is this a known problem?

  • Anonymous
    June 25, 2008
    @Bob: This is almost always caused by a buggy addon.  Please see http://www.enhanceie.com/ie/troubleshoot.asp for information on how to verify.

  • Anonymous
    June 25, 2008
    The comment has been removed

  • Anonymous
    June 25, 2008
    @Matt: This is your issue: "I use IE all the time and almost never have problems." Since you DON'T use other browsers, and therefore DON'T develop for other browsers, you have NO IDEA how bad IE actually is. Take 10 minutes to Google "Bug in IE"... if you don't find 1,000's of results I would be very surprised. From the other perspective, I can write (and do) applications that render PERFECTLY in ALL other browsers, using Spec based HTML/CSS/JavaScript that fall to bits in IE due to bugs. Thankfully IE8 fixed a whopping 50% of their worst bugs... so in 5 years, we'll be able to drop backwards support for all legacy IE products (including IE7!)

  • Anonymous
    June 25, 2008
    [[Take 10 minutes to Google "Bug in IE"... if you don't find 1,000's of results I would be very surprised.]] Hrm... It only took 10 seconds to google for "george is an idiot" and I got 6190 results.  

  • Anonymous
    June 25, 2008
    @Matt "I find that MSIE renders things must cleaner then MFF. (...) I use IE all the time and almost never have problems." You can try 138 testcases with IE 7 at my website www.gtalbot.org/BrowserBugsSection/MSIE7Bugs/ (3 tests are particularly creating major problems for any visitor with IE 7) and definitely well over 750 other tests at Ian "Hixie" Hickson, Bruno Fassino, Alan Gresley, Mark "Tarquin" Wilton-Jones, David Hammond, Peter-Paul Koch, Robin Lionheart (HTML 4 conformance tests), Simon Pieters (45 test failures), Tino Zijdel, Rowan Wigginton, Robert Blaut, Tobie Langel, etc, etc, etc. which IE 7 fails and which other browsers (Firefox 2.0.0.14, Opera 9.27, Safari 3.1.1) pass. CSS 2.1 testsuite (september 2007): Firefox 3.0a9pre rv:1.9a9pre nightly build 2007092502 fails 27 tests out of 500 (5.4% failure); Opera 9.50a3 build 9542 fails 50 tests out of 500 (10.0% failure); Internet Explorer 7 fails 129 tests out of 500 (25.8% failure); Safari 3.0.3 build 522.15.5 fails 43 tests out of 500 (8.6% failure). DOM 1 Core tests with JsUnit 2.0Beta TestRunner by W3C. MSIE 7 fails 85 tests out of 224 tests, a 37.9% rate failure which is well over/above the percentage rate of Firefox 2 (6.3% failure rate) and Opera 9 (5.1% failure rate). We all agree that IE 8 beta 1 does a lot better at CSS 2.1 tests and that IE 8 beta 1 fixed hundreds of bugs (when comparing with IE 7). Regards, Gérard

  • Anonymous
    June 26, 2008
    On the subject of security, you guys really have to update your Internet Zones feature. Internet Zones status bar has to display the allowed and blocked domains, with option to add subdomains to trusted/restricted zones with 1 click on the status bar. In it's current version, I have no way of telling what subdomains are blocked. Instead, I just get a "mixed content" warning, with no way to fix it. Try the noscript plugin in Firefox to see the changes you need to make.

  • Anonymous
    June 26, 2008
    Also, what's the reason RUNAS is disabled in Vista for IE7? Will it also be disabled in IE8? If so, why? Please fix. I can run Firefox with the RUNAS command just fine under Vista.

  • Anonymous
    June 26, 2008
    How long does IE user have to wait for a smart location bar "awesome bar" and to easily add favorites website. Those FF3 feature is really helpful and should be copied right away.

  • Anonymous
    June 26, 2008
    Stop irritate me with silverlight update each time I surf on official Microsoft website! When I say no, I really meant it. Keep harassing me won't get your product sold. Period.

  • Anonymous
    June 26, 2008
    @Just a bystander -- ranting to the IE team won't do any good, they don't have any control over the Silverlight team, including the strings that the Silverlight team apparently pulls with the microsoft.com folks. I agree with you that being begged to install Silverlight is terrible; and I hate it too.  I wonder if when IE8 is released each page on microsoft.com will have "click to install IE8" in the upper-left corner?  Doubt it, since Silverlight seems to be where all the corporate attention is at.  Makes me think that the IE team isn't too fond of their tactics either -- or Silverlight itself for that matter, since it goes completely against the HTML/CSS efforts that the IE team is promoting.

  • Anonymous
    June 27, 2008
    The comment has been removed

  • Anonymous
    June 27, 2008
    " Stop irritate me with silverlight update each time I surf on official Microsoft website! When I say no, I really meant it. Keep harassing me won't get your product sold. Period. " I have to agree with "Just a bystander". If "(Business practices) The key principle here is respecting user choice.", then users should not have to decline repeatedly, again and again. Regards, Gérard

  • Anonymous
    June 27, 2008
    The comment has been removed

  • Anonymous
    June 27, 2008
    http://blogs.zdnet.com/security/?p=1361 Internet Explorer ‘feature’ causing drive-by malware attacks "Schouwenberg (left) said he reported the vulnerability to Microsoft a long time ago, warning the company that JavaScript embedded into GIF files can be executed under certain circumstances.  Microsoft disagreed and the issue was never patched." Thanks Microsoft, can always count on IE to protect from drive-by malware downloads.

  • Anonymous
    June 27, 2008
    I think IE could be made safer if you implemented the Netscape Plugin API. So Plugin-writers can write theiy plugins using a simple API and end-users can install them more easily than ActiveX-Controls.

  • Anonymous
    June 27, 2008
    @Daniel-- Uh, the NPAPI is no safer than ActiveX, the API isn't any simpler, and they're not any easier to install.  So, I'm not sure what the point would be.  

  • Anonymous
    June 27, 2008
    The comment has been removed

  • Anonymous
    June 27, 2008
    Hey Dean, Could you guys please add background-color, border-color, and color support for checkboxes please? I have to admit they look best in Opera right now. It would also be nice if they did not have a two pixel thick border by default. The only other style related nuisance in IE8 B1 right now is that inline-level elements when rendered as block-level do not have their height correctly rendered. For example an element with the following... span { border: 1px #000 solid; display: block; height: 18px; } ...should have a rendered height of 20px total. However in all browsers this is incorrectly rendered as 18 pixels even though it is explicitly set to display as a block-level element. Unless I missed something in the spec...? I'm mostly interested in GUI and JScript improvements in beta 2 as well as seeing the progress in regards to the two bugs I posted. I'd really like to see addEventListener support added though I think it's been clarified that it won't make the cut for IE8. Keep up the good work...

  • Anonymous
    June 27, 2008
    @Ted: I count more ActiveX related security problems than NPAPI related security problems. Besides, every other Browser uses NPAPI so Microsoft could help making Plugin developers life easier. Wasn't there some guy shouting "Developers, developers"?

  • Anonymous
    June 27, 2008
    John A. Bilicki III: I've tested your code in Firefox 3, Safari 3.1 and Opera 9.5 and neither redners 18px height. They correctly render a height of 20px. If IE8b1 renders a height of only 18px that's a bug. If not done yet, you should report it (https://connect.microsoft.com/IE/Feedback).

  • Anonymous
    June 27, 2008
    @ Daniel I use secondary style sheets to correct rendering errors. I do not use them for browser versions in development however (IE8 and until recently Opera 9.5). You can test browsers without the CSS patch by using the following HTTP query at the end of any URLs at my website... http://www.jabcreations.com/blog/?csspatch=0 Version 2.8 Preview V will debut later on this week if all goes well. It'll have patching for browsers/versions per *nix, OS X, and Windows platforms. Opera 9.5 currently shares Opera 9.0/9.1/9.2 patch.

  • Anonymous
    June 28, 2008
    Daniel says <<"I count more ActiveX related security problems than NPAPI related security problems.">> False comparison.  There are more ActiveX controls than NPAPI plugins by orders of magnitude.

  • Anonymous
    June 28, 2008
    Please, I am begging you, please take a look at javascript performance. A perfect example is setting up an onmouseover event for all rows in a table of 200+ rows. Or even setting up tr:hover in a stylesheet to just change the background color. It is EXTREMELY slow and laggy. Every other browser in the world handles it fine except for IE. It is drastically limiting a lot of the web 2.0 advancement for websites. I have had to hold back a number of features on my websites because of bad IE performance on this issue. Thank you!

  • Anonymous
    June 28, 2008
    @ John A. Bilicki III > Could you guys please add background-color, border-color, and color support for checkboxes please? I have to admit they look best in Opera right now. Maybe you could submit such request at connect's IE feedback... unless you have done so already. Here's good testpage: www.dhtmlkitchen.com/learn/css/forms/radio.html (credits to Garrett Smith) Regards, Gérard

  • Anonymous
    June 28, 2008
    @ John A. Bilicki III Regarding background-color, border-color, and color support for checkboxes... I filed it: Bug 354150 at connect IE feedback Regards, Gérard

  • Anonymous
    June 28, 2008
    Most average user rarely pay attention to what link they are clicking and they fall victim to a prank or malicious website. anyone can basically create a link that display msn but the url address is different. I think it's because the url info location is in the left side of the status bar. When IE user mouse over a link we see the url info displayed in the left side of the status bar. How about displaying the url info in the address bar instead. It's much easier for IE user to notice it and experience is also nice knowing that link is right. This is another way to enchance the IE address bar.

  • Anonymous
    June 28, 2008
    The comment has been removed

  • Anonymous
    June 29, 2008
    The comment has been removed

  • Anonymous
    June 29, 2008
    The comment has been removed

  • Anonymous
    June 29, 2008
    i tried to download the smallest IE Image but because im using WiFi it cut out & the download stalled so could enable microsoft FTM for the vpc images

  • Anonymous
    June 29, 2008
    @GI-- it's an interesting idea, but keep in mind that any site can redirect to any other, so the original url isn't so important.  And if they built the feature you described, the bad guys could build a link that is the background of the entire page and then spoof the address bar with the url of the site that the user not on.. @Daniel-- Yeah, I'm sure you did the math.  You gotta be careful when you just make $%!+ up, because people are going to catch on.  Particularly when you then ask for the numbers that you obviously don't have.   For those who aren't experts in this space (as Daniel obviously isn't) keep in mind that ActiveX controls are used by many things other than the browser, while NPAPI plugins are used exclusively by minority-share browsers like Firefox.  Hence, it's not at all surprising that there are more AX controls.   It's also pretty much completely irrelevant.  The point is that both ActiveX and NPAPI are binary native code modules that can do anything the current user can do.  One difference is that in IE, such controls are restricted by Protected Mode, while in other browsers, they have no restrictions.  Additionally, IE supports killbits, while other browsers do not have such a mechanism.  If other browsers gain in marketshare, their lack of add-on security is inevitably going to bite them. @Eduardo: Since CSS3's spec isn't done yet, it is pretty silly to call for "full support."

  • Anonymous
    June 29, 2008
    About the sizing problem: be sure that you're using a "strict" HTML doctype (HTML 4.01 Strict + DTD path) to ensure that the browser is using Strict mode. There was progress in IE7 and 8 security wise, that's for sure: but then, IE6 was so bad... IE7's heavy code review was useful (one in ten vulnerability that hit IE6 since IE7 came out didn't affect 7 as strongly). About NPAPI: it certainly isn't simple, but it's documented, and used (by Mozilla sure, but also Safari/Konqueror, and Opera) - representing a 15-35% market share (depending on where you're at). It did enjoy one huge advantage over ActiveX for a long while, plugins could be hosted and run inside a non-admin user's directory, meaning that a limited user could enjoy the plugin, and if the plugin was compromised, it couldn't go past the user's limitations (taking control of ActiveX in a limited user account led to privilege escalation, and still does on XP) About mimetypes: I think Daniel is right, external resources have to be identified by a mimetype: http://www.w3.org/TR/REC-CSS2/conform.html#text-css, and current browsers do (or should do) that at least in Strict mode.

  • Anonymous
    June 29, 2008
    @Mitch-- i would be very surprised if it was really only 1 in 10.  ms did a ton of security work in ie7.  of course, at best, you're going off of the number of "disclosed" security issues, since obviously not all issues are known. Overall, other browsers have somewhere under 20% marketshare combined, making IE the most interesting target.  as other browser gain share, they also gain attackers and exploits.  it's the nature of the beast.   From your explanation of NPAPI's so-called advantage, it's clear that you do not understand how security works on Windows.   If an Admin user on XP runs an NPAPI extension in Firefox, that extension runs with admin permissions.  Period. It has nothing to do with "directories"... if a normal user runs a program or addon in, say, System32, that program or addon only runs with that user's permissions.  Similarly, if an admin runs a file in any folder, that file runs as admin.  (On Vista, things changed such that the application might prompt on startup before getting full admin creds).   As for mimes, current browsers rarely enforce MIME-types for CSS & Javascript resources.  They could start, but that would mean taking a compatibility hit for no clear benefit of any sort.

  • Anonymous
    June 29, 2008
    Ted, the features that i was talking about was not really my idea it's actually a Firefox add-ons called fission "Active link/mouse-over link in the address bar".

  • Anonymous
    June 29, 2008
    active link/mouse-over link in the address bar and domain highlighting work really well. Right now this is only possible in fission and locationbar a Firefox add-ons. IE team should check this feature out.

  • Anonymous
    June 29, 2008
    @ Gérard The test page you sent I am pretty sure it creates an element over the checkbox, I've seen that before. But the bug that you filed is pretty much what I requested for here in the blog. It would be nice if we could beauty up IE's native Windows GUI controls a bit. I don't know about the rest of you guys but Firefox is not a minority browser based on well over quarter of a million hits in three weeks... Firefox --> 62.7% IE --> 26.5% Safari --> 2.3% Opera --> 1% Mozilla Suite --> 0.6% Minefield --> 0.3% Iceweasal --> 0.3% AOL --> 0.2% SeaMonkey --> 0.2%

  • Anonymous
    June 29, 2008
    The comment has been removed

  • Anonymous
    June 29, 2008
    The comment has been removed

  • Anonymous
    June 29, 2008
    @Ted: I understand very well. I know how security works in windows: there is none :p (OK, there used to be none, things started to change in 2004). I know: if a user is an administrator, every and all extensions you run will run with admin privileges and can be used to infect your system - be it ActiveX or NP. However, NP can run from a local user's directory with a local user's right (security in Windows is defined per file per user, and per process; in POSIX systems, both are much more linked). You can't turn a computer into a zombie simply by subverting a NS plugin - you need to get privilege escalation on the user account running that instance of the plugin (which, admittedly, wasn't too difficult, but still added a barrier). Microsoft didn't concern itself with this for ActiveX, the latter having been created for Win9x (Windows 95 OSR 2.5 and more recent, to be precise) - which was, by definition, a single user, unprotected memory space OS family. This was corrected in IE8 for Vista, but XP still can't run an ActiveX control without relying upon ActiveX's own security layer (and broken ActiveX controls abound, which can be used to work around that layer). @JAB3: I basically agree with you - IE4 was surprisingly advanced at the time, and I'm quite impressed by how much you can still do with IE5 to support standards (were it not for the event model, I wouldn't gripe about IE that much, I admit). HTML 5 is an interesting idea: merging HTML4 and XHTML 1.0 would admittedly make HTML maintenance easier (XML is much simpler than SGML syntax-wise; the fact is UAs perverted HTML a lot). Mitch

  • Anonymous
    June 30, 2008
    @Daniel, @Mitch 74 and @Ted A stylesheet sent as content-type text/plain shouldn't be interpreted by the browser as CSS. It should instead be ignored. The type attribute on the link element should have no relevance if the document comes with an HTTP Content-type header. Testcase by David Hammond: www.webdevout.net/testcases/css-content-type/ @Ted > current browsers rarely enforce MIME-types for CSS Firefox 1+ and Gecko-based browsers do enforce it. Regards, Gérard

  • Anonymous
    June 30, 2008
    http://www.heise.de/english/newsticker/news/110181 new zero day bug perhaps

  • Anonymous
    June 30, 2008
    <<<you need to get privilege escalation on the user account running that instance of the plugin (which, admittedly, wasn't too difficult, but still added a barrier).>>> Wrong.  If the user is an admin, Firefox and all of its addons run as admin.  As you've been told REPEATEDLY here, the file path is irrelevant.  The user's token is all that matters.

  • Anonymous
    June 30, 2008
    I guess I'll have to wait for IE8 final release to judge such benefits of this browser. From my earlier experience with IE5 to IE7 they were not very close to "trustworthy browsing".

  • Anonymous
    June 30, 2008
    http://blogs.zdnet.com/security/?p=1370 Exploit code released for unpatched IE 7 vulnerability So much for Trustworthy Browsing.

  • Anonymous
    June 30, 2008
    *Correction on my last post: I meant to say, 'try to support HTML5 in place of XHTML'.

  • Anonymous
    June 30, 2008
    @John Bilicki -- Ted's statistic is ballpark correct. Fx seems to be at around 15-20% market share (and this takes into account user-agent strings, http request, and caching behaviors unique to each user agent). Safari is around 5-7%, and Opera is around 1%. ... IE is used, worldwide, to browse around 75-80% of the time.

  • Anonymous
    July 02, 2008
    The comment has been removed

  • Anonymous
    July 02, 2008
    As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs,

  • Anonymous
    July 02, 2008
    Hi! I’m Eric Lawrence, Security Program Manager for Internet Explorer. Last Tuesday, Dean wrote about

  • Anonymous
    July 02, 2008
    All VERY good ; keep it up. However, (I know its a bit too late in the development process) but i would love a feature, where cookies, authentication sessions, etc expire and are deleted after a number of days automatically! Like history, the user chooses how long info is kept. Anyone know of an addon ?

  • Anonymous
    July 08, 2008
    Hopefully it turns out good with the security and the css attributes.

  • Anonymous
    August 21, 2008
    http://news.cnet.com/8301-10805_3-10021120-75.html?hhTest=1&amp;tag=nefd.topPosted by Stephen ShanklandFor

  • Anonymous
    August 22, 2008
    Last week was an exciting week for Windows and blogging. Senior Vice Presidents Steven Sinofsky and Jon

  • Anonymous
    August 25, 2008
    Previous posts have covered trustworthy principles in general and some product specifics as well. Privacy

  • Anonymous
    August 25, 2008
    Previous posts on the IE Blog have covered trustworthy principles in general and some product specifics

  • Anonymous
    August 27, 2008
    We’re excited to release IE8 Beta 2 today for public download. You can find it at http://www.microsoft.com/ie8

  • Anonymous
    August 27, 2008
    We’re excited to release IE8 Beta 2 today for public download. You can find it at http://www.microsoft

  • Anonymous
    August 27, 2008
    The IE Blog reports on the long-awaited Beta 2 release of IE 8 : We&#8217;re excited to release IE8 Beta

  • Anonymous
    August 27, 2008
    Hi All, We’re excited to release IE8 Beta 2 today for public download. You can find it at http://www.microsoft.com/ie8

  • Anonymous
    August 27, 2008
    IE8 Beta 2 is available today for public download from http://www.microsoft.com/ie8 (for 32- and 64-bit

  • Anonymous
    August 29, 2008
    Back in June, Dean Hachamovitch kicked off a series of blog posts explaining how the IE team approached

  • Anonymous
    September 06, 2008
    [l] The second beta version of IE8 was released on August 27th. It is working well in testing so far

  • Anonymous
    September 06, 2008
    The second beta version of IE8 was released on August 27th. It is working well in testing so far. Only

  • Anonymous
    March 16, 2009
    &#160; &#160; 안녕하세요! 저는 인터넷 익스플로러 보안 프로그램의 책임자인 에릭 로렌스라고 합니다. 지난 화요일, 딘(Dean)이 신뢰성 높은 브라우저 에 대한 저희의 생각을

  • Anonymous
    March 26, 2009
    &#160; &#160; 이전 글에서는 일반적인 안정성 확보를 위한 행동 지침 (영어) 과 제품의 세부 사항 ( XSS Filter 와 안정성 (영어) )에 대해 설명했습니다. 프라이버시

  • Anonymous
    March 29, 2009
    IE8 и блокировка стороннего контента В прошлых статьях мы уже говорили о принципах надежности в общем

  • Anonymous
    March 29, 2009
    В прошлых статьях мы уже говорили о принципах надежности в общем и о некоторых особенностях браузера

  • Anonymous
    March 29, 2009
    В прошлых статьях мы уже говорили о принципах надежности в общем и о некоторых особенностях браузера