共用方式為


Add-ons, Installation Experiences, and User Consent

As discussed in previous blog posts, add-ons can have a material impact on browser performance. IE measures the performance of add-ons so that users can make informed decisions about them. It is important to understand how add-ons arrive on a user’s system to begin with because browser performance is so important to site developers and to consumers. The notification and control that users have around the add-on installation process is equally important because add-ons can also have an impact on user privacy and information sharing. This blog post surveys the current installation experience for different kinds of add-ons in different browsers and how the add-on installation experience can be more robust for consumers.

First, let’s look at mark-up based add-ons in IE. These add-ons describe their functionality without any executable code, typically using XML. Examples are OpenSearch providers, Web Slices, and Accelerators. There is no code in the add-on itself and no code involved when the add-on is installed. Consumers install these add-ons from within the browser. There is clear consumer consent as part of that in-browser installation experience:

Accelerator installation consent dialog from IE8

Binary add-ons, like Toolbars and BHOs, are full Windows programs that run within the browser. The installers for these Windows programs are other Windows programs that run outside the browser. Some add-on installations are the result of a user explicitly seeking them out and installing them. Other add-on installations are bundled with other software. These can be a surprise to users, and are often installed without explicit consent.  Technically, browsers can only detect that an add-on was installed, not what consent the user gave during installation. We hope you’ll share your favorite examples of software installation surprises in the comments. It is not clear from within the browser what consent (if any) a consumer has given when one of these add-ons is installed. It is clear that the next time the user starts IE, the new add-ons will affect browser performance and reliability, and possibly privacy.

Add-ons can also affect privacy. Additional code running in the browser can send user information to websites. (You can read more about an add-on that sent user information inappropriately here.) For this reason, when users start IE8’s InPrivate Browsing feature, IE runs without toolbars and BHOs. The user expects an InPrivate session to be private, and there is no way for IE to know what information add-ons save on the user’s system or send to websites. 

Because many add-on setup experiences surprise users, some browsers today seek user conformation before they run newly installed add-ons. For example, here’s the dialog that Firefox 3.6 shows the first time the user starts it after installing an add-on:

Firefox add-on installation consent dialog

Note that before seeing this prompt, the user initiated the add-on installation explicitly and clicked two prompts within the browser to install the add-on.

On today’s web, consumers face many different threats to browser security, reliability, performance, and privacy. We work closely with other software vendors to make experiences within IE better for consumers. For example, we exchange feedback with toolbar vendors about their work and the IE Add-on Guidelines and Requirements. Many times, these conversations result in improvements to add-ons. Microsoft treats all add-ons and software vendors consistently with respect to these guidelines and requirements. Given the ambiguities and risks around add-ons, consumers benefit from having more information and more control over how add-ons are installed.

Herman Ng

Program Manager, Internet Explorer

Comments

  • Anonymous
    September 03, 2010
    Fifth paragraph: "conformation" should be "confirmation"

  • Anonymous
    September 03, 2010
    Will IE 9 have a new way to create addons? Would love if we can get a VS 2010 support for IE Addon development.

  • Anonymous
    September 03, 2010
    The comment has been removed

  • Anonymous
    September 03, 2010
    I am hoping for a better add-on experience with IE9. Something like Firefox and/or Chrome where all add-ons are separately installed, is preferred.

  • Anonymous
    September 03, 2010
    Will addons in IE9 have a timer for install so that accidental drive-by installs can be avoided? Likewise many other software products include pre-checked crapware installs as part of their ad revenue. e.g. (bogus example, but you get the point) you go to install Adobe Reader and the install tries to get you to install the Norton A/V toolbar in IE. Will IE9 present a dialog on startup indicating that a new addon ("Norton A/V toolbar") was installed by a 3rd party vendor, did you authorize this? (Yes/No/Uninstall the crapware) I think in my entire IT experience I have yet to see a single user that actually wanted to install all the addons inside their IE.

  • Anonymous
    September 04, 2010
    @Rachel: Within IE, add-on installs aren't simply delayed, they're blocked. The user must specifically elect to install add-ons using the notification bar. @ieuser: I'm not entirely sure what you're asking about? Visual Studio can already be used to create add-ons (and it's the most common way to create binary add-ons today).

  • Anonymous
    September 04, 2010
    The comment has been removed

  • Anonymous
    September 04, 2010
    PS-- I'm a Systems Administrator, and if I could group policy disable the addition of these classes of add-ons that would be even better! I can't tell you how many times I get called to fix somebody's Internet issues and find out the problem is due to toolbars and BHO's that they installed purely by accident because of bundling.

  • Anonymous
    September 04, 2010
    The comment has been removed

  • Anonymous
    September 04, 2010
    We want integrated addons like Firefox or Chrome and not installing .exe just for one addon. I really do not know why MS can't do this already. the addons gallery is already in place, just add real addons like adblock and not accelerators or what not.

  • Anonymous
    September 04, 2010
    unlike in lesser browsers, you do not need to download an ad blocker for IE it already has one built in already. just configure in inprivate filtering feature with the block list from adblock. this is so easy that lots of magazines have written articles for noobs about how.

  • Anonymous
    September 04, 2010
    @EricLaw [MSFT] "Within IE, add-on installs aren't simply delayed, they're blocked. The user must specifically elect to install add-ons using the notification bar." Wait, what? Last time I checked, when an add-on BHO or Toolbar is installed (usually in cases like the ones GoodThings2Life describes), IE8 does nothing to stop it from running. It stops ActiveX controls when a page first requests them, but not Toolbars and BHOs. Or are you talking about what IE9 is going to do? If that's the case, then it's nice to hear that IE will finally block toolbars and BHOs unless the user has explicitly allowed them within IE itself. If you were talking about ActiveX controls when you said "add-on"... I don't think Rachel was talking about ActiveX controls.

  • Anonymous
    September 04, 2010
    Boen, you should probably learn to read. Here was the specific question: "Will addons in IE9 have a timer for install so that accidental drive-by installs can be avoided?" There's no such thing as an accidental drive-by install in IE and hasn't been since XPSP2.

  • Anonymous
    September 04, 2010
    @  Learn:  common, its 2010. MS should provide us a way to implement this in 1 click. We want a better solution and Addons from MS not .exe ones.

  • Anonymous
    September 05, 2010
    Yeps, IE9 need something like Firefox.. Without an "install.exe" and admin/system problems. And more:

  • Add-on Store
  • Easy development/deployment like Silverlight (.NET)
  • Anonymous
    September 05, 2010
    The comment has been removed

  • Anonymous
    September 07, 2010
    I guess I can understand a lot of the frustration with toolbars in IE, I don't add them myself, and if I'm in too much of a hurry to install something and miss a checkbox on an install and end up with the yahoo toolbar i curse myself out. please re-read that last part "I curse myself out", I don't blame Microsoft because I don't read / don't know how to install software. IE shouldn't protect me from every stupid mistake I can make on my computer, and it's unrealistic to assume that it should. As noted, they provide a way for administrators to turn off toolbar installation in a corporate (or home) environment, which they should. Other than that take responsibility for your own actions and learn to read a EULA, or checkbox labels. The answer is smarter users, not smarter software.

  • Anonymous
    September 08, 2010
    The comment has been removed

  • Anonymous
    September 10, 2010
    Will there be the possibility for plugins that will not be initialized with every opening of a tab.