More on IE’s UA string and the SV1 token


In earlier posts, Christopher mentioned that for Windows XP SP2 and Windows Server 2003 SP1  the UA string was getting a new ‘SV1’ decorator.

This has stirred up a flurry of questions and comments about our reasoning behind this decision.

Why did we add ‘SV1’ instead of update the IE version number?  Well, we know from past experience that changing the version number can have a huge impact on site and application compatibility.  We felt that since IE for XPSP2 and WS03SP1 does not have significant changes to page rendering, DHTML, the object model, and the like, the level of impact on the Web of an IE version number change was not justified.   So adding “SV1” seemed a reasonable compromise between no changes to the UA string and a version number change.

The leads to the question, what’s in store for the SV1 tag? At some point in the future, we’ll want to release the next round of security improvements that are, for example, as far beyond XPSP2 as XPSP2 was beyond XPSP1.  If this was part of a release that did change the platform (rendering, DHTML, object model, etc), then we would probably change the version number, otherwise we probably simply change “SV1” to “SV2.”   We might remove SV1 if we do update the IE version.

We certainly welcome feedback on whether you feel we took the right approach.  We’d also like your opinions on the question “should ‘SV1’ stay even if the version number changes?”

– Bruce

Comments (49)

  1. Anonymous says:

    SV1 should go away when the version number changes. Also, I think it was a good idea not to rev the version number unnecessarily. I’ve seen some browser detection javascript that would probably fail to see a newer version of IE than it was written for as a compatable browser. Sad, but true. The only sites that will be broken are those using "features" that this version of IE does not allow by default, like popups.

  2. Anonymous says:

    Frankly I think adding SV1 was a mistake. It’s none of the website’s business whether the visitor has SP2 applied. Advertising the patchlevel of a browser in the useragent could be construed as a security risk.

    Instead of a version number, how about a datestamp of the rendering engine? Something like:

    Mozilla/4.0 Microsoft Internet Explorer (MSIE) enginerevision=20040908

    This could be parsed out as a number, and things like this can be done:

    if (navigator.enginerevision >= 20040908)

    { do_fancy_stuff()

    } else

    { do_plain_stuff()

    }

  3. Anonymous says:

    well, i don’t quite get it. it is true some scripts might break and stuff but, isn’t this just like changing the version number in the end?

    we’ll finnaly have something like "ie6, ie6sv1, ie7, ie7sv1, ie7sv2…"

    if the program changed, it’s anoter version, that sv thing seems just like that to me. another version. another build if you might.

  4. Anonymous says:

    I think you took the wrong approach.

    It’s true that some _clueless_ web authors have written some very fragile scripts that would not be able to deal with a version number change.

    Looking at it very short-sightedly, it appears obvious that you shouldn’t break them unnecessarily.

    However, if you take a long-term look at it, it’s less obvious that this was the correct decision. The web developers that write these kinds of fragile scripts will continue writing them if they don’t learn any better.

    By molly-coddling them, you only put of inevitable breakage when you *do* update the version number. And when is that? When you are launching a new product – possibly the very worst time for things to break.

    Right now, users have no choice but to install your service pack to get the security updates. If they install it and a couple of websites break, they are going to think that it’s something the websites are doing insecurely.

    But what about when they move to Longhorn or whatever, and they find that browsers break then? They are going to perceive Microsoft as being the source of the bugs.

    If I was making the decision, I’d make it clear to these clueless web developers that writing to version numbers is unreliable to ensure future compatibility when it _really_ matters.

  5. Anonymous says:

    I think there’s some validity to that approach, but one of our top goals with XPSP2 is broad, quick adoption. Website incompatibility would hurt that goal. Much of our work in XPSP2 was to enhance security while maintaining appcompat.

    And I suspect that doing a version number change just to force webdevs to do things the "right way" would be hardly be taken kindly by most of the industry.

  6. Anonymous says:

    Bruce, if by most of the industry you are refering to those who don’t know what they are doing, then yes – i don’t think it’d be taken kindly by most of the industry either.

  7. Anonymous says:

    If you want to imitate Mozilla (and you evidently do), you should use something like:

    Mozilla/4.0 (Windows; U; Windows NT 5.1; en-GB; rv:6.0) Trident/20040909

    (Obviously "en-GB" would be "en-US", because Microsoft doesn’t localise Windows/IE.)

  8. Anonymous says:

    I’m with Maurits. Advertising the security level of your computer to the world is a bad idea. Malicious websites can now easily parse out the non-patched browsers and attack them (and not everyone can get this patch – windows 2000 users?)

    On the otherhand, they could probably do this anyway with object detection in scripts.

  9. Anonymous says:

    > (Obviously "en-GB" would be "en-US", because Microsoft doesn’t localise Windows/IE.)

    Actually, if they don’t localise, it should be ‘en’. According to RFC 2616, if a web browser asks for a specific dialect, it is a mistake to serve the same language, but a different dialect as a substitute, unless that dialect is also listed and acceptable. For example, somebody who is American but speaks a little German might have this in a broken browser:

    Accept-Language: en-US;q=1, de;q=0.2

    According to the HTTP specification, a server that has a resource available in ‘en’ and ‘de’ versions should serve the German resource.

    However, the inverse is not true. If the browser sent:

    Accept-Language: en;q=1, de;q=0.2

    …the server is free to send an en-US response back.

    No browser should be configured to send ‘en-US’ by default without also sending ‘en’. It’s a mistake that I can find no justification for – it’s not like somebody can understand American English but not any other form of English, is it?

  10. Anonymous says:

    Jim:

    Any language specified in [User-Agent] is meaningless. It only identifies the language of the -agent- (ie. its user interface), not the preferred language of the user. [User-Agent] could very well say "en-us" while [Accept-Language] would say nothing more than "en" (or "fr", for that matter).

  11. Anonymous says:

    Sorry, I interpreted the comment "Microsoft doesn’t localise Windows/IE" to be inclusive of the Accept-Language header. Internet Explorer doesn’t ship with Accept-Language: en-US as default then?

  12. Anonymous says:

    The Accept-Language header is based on the setting in the "Regional and Language Options" control panel applet. Whatever it says there is the default.

    You can override this by changing the Language Options in the Internet Options control panel applet (via Internet Options in IE). This dialog also allows you to set additional accepted languages.

    See http://www.microsoft.com/globaldev/drintl/columns/012/default.mspx and http://www.w3.org/International/questions/qa-lang-priorities.html for more info on this.

  13. Anonymous says:

    Oh, and according to that 2nd link above, the Accept-Languages header is supposed to be the preferred language of the user, in order of preference. Quoting from that page:

    "When a document is requested from a server by your browser, information about language preferences is passed via the HTTP Accept-Language header. If the server stores versions of a page in more than one language, this information can be used to retrieve the page in your preferred language, if it is available. If there is only one version of a page on the server, that version will be retrieved.

    "Mainstream browsers allow you to modify these language preferences. The value itself is a defined by RFC3066, typically as a two or three letter language code (eg. fr for French), followed by optional subcodes representing such things as country (eg. fr-CA represents French as spoken in Canada).

    "In many cases, the initial browser setting is okay. For example, if you have a Japanese version of a browser, the browser typically assumes that you prefer pages in Japanese, and sends this information to the server."

    I hope this extra info clarifies IE’s use of the Accept-Language header.

    -Bruce

  14. Anonymous says:

    I’m just deeply annoyed by the people who say that using the SV tag is a security risk. Oh dear, TO THE BARRICADES!!!

    It isn’t any bigger risk than sending the version of the IE that’s currently in use. The SV tag doesn’t hurt anyone. Actually the contrary; now the websites can now easily do the indexOf() to see if user has the popup blocker installed.

    But, I don’t think it’s a good thing to have IE 6.0 SV1 and then make IE 7.0 (removing the SV) and then IE 7.0 SV1 or SV2.

    Since you introduced the SV ("Security Version" I suppose) tag, it’s supposed to tell what security _features_ the browser has (that might concern the website we’re visiting, for example the automatic popup blocker).

    Instead, you should keep the SV tag in all builds from now on and increase the SV version each time you implement new security related features (again, the ones which might concern the website).

    For example: the version 1 now has the popup blocker (and some other lockdowns I am not mentioning).

    Now, you release a few bug patches and a new IE version. Don’t change or remove the SV tag.

    Later, you implement this HyperSuperDuperSecurity™ technology that is supposed to make the browser really secure. Now increase the tag to say SV2 that means "This browser has HyperSuperDuperSecurity™ AND popup blocker" (+ the other stuff I’m not mentioning).

    If you don’t do that, in my opinion the tag is worthless since you could detect the stuff from the version string anyway. The tag is for easy detection of features now.

    If you did what I suggested, then the tag is splendid in my opinion.

    Thanks for reading. – pompo

  15. Anonymous says:

    > The Accept-Language header is based on the setting in the "Regional and Language Options" control panel applet. Whatever it says there is the default.

    In my case, that means the default is en-GB. This is an incorrect default. From the link you posted:

    "If a document on the server is tagged as fr (French) then a request for a document matching fr-CH (Swiss French) will fail. To ensure success you should configure your browser to request both fr-CH and fr."

    In this case, a request containing only en-GB in the Accept-Language header could quite legitimately fail to be served by a server containing only en resources. The fact that servers have to work around browsers that are misconfigured by default is frustrating.

    > Oh, and according to that 2nd link above, the Accept-Languages header is supposed to be the preferred language of the user, in order of preference.

    Quite apart from the fact that the document you refer to says no such thing, you are reading the wrong document altogether. HTTP is defined by RFC 2616, not some random FAQ you found on the web. And RFC 2616 is clear on the issue.

    Perhaps you are misreading the bit that refers to Internet Explorer’s dialog for configuring languages? It’s describing the UI and the mechanism, not the format of the header. With all due respect, you really need to read the relevent specifications before going off half-cocked and implementing something in a non-standard way.

  16. Anonymous says:

    Re: Greg K Nicholson’s propose to MSIE UA string:

    MSIE with your proposed string will break really lot of sites, because several item important things are missing ("compatible", "MSIE x.xx"). More back-compatible string should look like:

    Mozilla/4.0 (Windows; U; Windows NT 5.1; en-GB; rv:6.0) Trident/20040909

    Mozilla/4.0 (compatible; <browser-id> <major-version-number>.<minor-version-number>; [<vendor-browser-id> <major-version-number>.<minor-version-number>;] <os-id-and-version>; Trident/<build-date>; <other-comments>)[ <transporting-systems-id>]

    For example:

    Mozilla/4.0 (compatible; MSIE 6.05; Windows NT 5.0; Trident/20040818)

    Mozilla/4.0 (compatible; MSIE 6.05; MSN 9.1; Windows NT 5.1; Trident/20040818; .NET CLR 1.0.3705) WebWasher 3.2

    But real-life examples of MSIE’s UA string is really mess, every extension add something.

    Bruce: Bumping version number is nothing bad, SV1 token is same wrong way as "MSN 9.0;MSN 9.1;" – you can’t add everything to UA string, otherwise default MSIE UA string will be long as this:

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; ESB{4E69129D-DC9A-443E-A99B-5FD059C284B3}; MA.1.1.0.49; ESB{5A94CAEB-D794-40D5-A791-1B74BF24CBC6}; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Alexa Toolbar; MSN 6.1; MSNbMSFT; MSNmcs-cz; MSNc00; v5m)

  17. Anonymous says:

    Just make sure you keep document.all and then we will always know when to do window.close() 😛

  18. Anonymous says:

    Adam, we’re definitely aware of the overly long UA string issue. Getting out of it is another issue.

    Jim, you’re right that the Accept-Language header tag order isn’t relevant and the document doesn’t say that. Yes, I meant to be talking about the dialog UI, not the header format itself.

    Language preferences set in the Languages dialog will result in an Accept-Language header with the tags and associated generated quality values, based on the order listed in the dialog.

    Re: Adding "en" if "en-us" is present. This would appear to be counter to RFC2616.

    RFC2616 cautions against assuming that the prefixes are such that it’s always true that a if a user understands a certain tag, they’ll also understand the prefix of that tag. It goes on to suggest the user be guided in adding the appropriate prefix to get best matching behavior.

    So are you saying that we shouldn’t have defaulted the value at all, or defaulted to a correct pair of values, not just the prefix? Or something else?

  19. Anonymous says:

    > Re: Adding "en" if "en-us" is present. This would appear to be counter to RFC2616.

    > RFC2616 cautions against assuming that the prefixes are such that it’s always true that a if a user understands a certain tag, they’ll also understand the prefix of that tag.

    > So are you saying that we shouldn’t have defaulted the value at all, or defaulted to a correct pair of values, not just the prefix? Or something else?

    I do not believe adding en where en-US is the existing default is incorrect as per RFC 2616, as generic English is understandable by people who understand American English. Blindly adding the generic language tag in all cases is incorrect, as you point out.

    If I were in your position, being concerned with backwards-compatibility, I would seek to remove the incorrect behaviour in the face of this particular issue without changing semantics in the general case. Removing the default would not accomplish this goal, as that would indicate all languages are acceptable and have equal preference. Rather, I would compile a list of which language tags can safely revert to their generic dialect, and include the relevent generic tag as a fallback for the default settings.

    In my particular case, your l10n database would include the fact that ‘en’ is a suitable fallback for ‘en-GB’, ‘en-US’, etc. My default Accept-Language header would be something like this as a result:

    Accept-Language: en-GB;q=1.0, en;q=0.8

    This would be a much more appropriate header value and would allow HTTP conforming servers to transmit en resources to en-GB, en-US, etc clients correctly.

  20. Anonymous says:

    I have download and try your browser. Is not to work like I want. the tab bar is only to show when 2 pages is showing.

    It says it is to improve secure for Internet Explorer but I cannot see picture of lock when I use secure page. I can not see favorites page. is having only ‘bookmarks’ and I have to choose view, sidebar to see explorer bar.

    When I put the c: in address, it does not let me to make new file.

    is to look very ugly.

    page I open say I need to have activex where I get activex??? she say I need to change secure zone but I have no zone control. what is problem???

    what is problem with your browser? is to not work. you is not to make program that works.

    I must to tell my friends your program not good

  21. Anonymous says:

    me agree with phil. 🙁

  22. Anonymous says:

    You really do have to stop pandering to the useless webmasters, if someone has hardcoded a UA string then it means they’re very short sighted (did they think there was going to be no new IE after version 6.0? – ok I thought that for a while due to IE stagnating until Firefox hit the scene)

    But there’s no legitimate reason not to increment the version number, that’s what it’s there for.

    Due to the rapid rate of releases, the Mozilla project has a lot of different UA strings with changing version numbers and no one seems to have any problems

    Here’s the default Firefox 1.0 preview release user agent:

    Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10

    The Mozilla/x.x bit is legacy in Netscape 4.x and below Netscape would use this bit for their version number as Mozilla was originally Netscape’s codename. The 5.0 just indicates it’s a higher version than NS 4.x

    The X11 bit is the platform (for most people this will say "Windows")

    U is the security level. U used to stand for US encryption back in the days that the US used to restrict this, I is for low grade (International) encryption which is not used anymore (hopefully) and N is if you build the browser without crypto support (unlikely).

    The bit that says Linux i686 is the version of your operating system.

    rv:1.7.3 is the version of Mozilla that it is based on

    Gecko/xxxxxxxx indicates the date the browser was build YYYYMMDD

    And Firefox/ is the version of firefox (the preview release is 0.10 as it’s not 1.0 yet).

  23. Anonymous says:

    "Well, we know from past experience that changing the version number can have a huge impact on site and application compatibility."

    Sorry — but that’s the most ridiculous argument that I have ever seen. A version change is a version change, and should be noted in a sane and correct way.

    Webmasters inflexible enough to require specific hard-coded user-agent strings will simply have to change…. big deal.

    I suspect that some legal geniuses are the root of this "SV1" crap, as it seems illogical in every way.

  24. Anonymous says:

    Is Microsoft so hidebound that they dare not face the consequences of changing their User-Agent string from "MSIE 6.0" to "MSIE 6.01"?

    Just as I began to think Microsoft might be regaining its sanity…

  25. Anonymous says:

    If the UA string gets any longer people will be forced to use broadband as making a HTTP request will have such an overhead.

    Likewise people will need to upgrade their hosting to accomodate for the bandwidth it makes.

    Oh yeah, on a side note. The SV1 was a really good idea. now I know if I can send loads of spyware to the user viewing my site. Well done microsoft. In fact I have a better idea, if we are wanting to make the UA string long, why not put the user’s credit card number in the UA string with a few other bits of personal info.

  26. Anonymous says:

    In my opinion SV1 has one use: To tell if I have XP2 SP2 installed. It’s tied to the current version number of IE and as such is relegated to die with that version number.

    It has been said that there will be no future standalone releases of IE, so the next version will probably be tied to either a new OS release, or a service pack release. At that point I would expect the SV1 to go away, since all future versions of the OS include prior service pack updates.

    If however, a service pack did not update IE’s version but once again updated the security of IE, then I would expect SV2 to replace SV1.

    Bottom line, once the version number changes, the SVX should go away until a service pack updates its security.

    Would I prefer to see a incremental version number change instead of SVX? Yes. But now that it’s been introduced, I’d just like consistency in it’s use.

  27. Anonymous says:

    This site is a prime example of how slow Microsoft moves. This rather boring topic has been the only post on here for two weeks.

    Since this post Firefox 1.0 preview has been released and has over 1 million downloads in under four days, has 1.5 million downloads in about 7 days and looks likely to top 2 million by 10 days (their original target was 1 million downloads in 10 days). Source: http://spreadfirefox.com/

    So it’d be nice if we could have some posts on here about planned features for IE 7 – things that will help keep people excited, we want to know, this release is just showing how tired IE is. Come on, give us something interesting, bring back the browser wars!

  28. Anonymous says:

    …or atleast some type of response to the release would be interesting. I’m happy to say I switched the PC’s in my company (not my freelance link) completely over to Firefox since their new release — because even though the average consumer ‘doesn’t care about some obscure thing called CSS’, the average consumers have been wondering why their webpages load faulty, and why their net is so slow on a T1. My average consumers are much more content now, and it’s a shame that Internet Explorer does not care for it’s average consumers enough to respond to these requests.

  29. Anonymous says:

    Dude, if there’s one thing I would love to know it’s: How To Get Rid Of The Stupid 11 Characters of URL in the Title Bar of Popup Windows!

    Who thought of that? Just…just an OPTION would be nice.

    It’s killing my application, PLEASE PLEASE PLEASE tell me how. I’ve been asking for months.

    I’m on win2k3 server, IE 6.

  30. Anonymous says:

    Brady,

    Give it up with the pathetic Firefix is almighty stories please. If you’ve actually used that POS for my than a week you’ll soon be heading back to IE’ville.

    Just wait till your "consumers" get the render errors and crashes, or wonder what happened to their settings and profiles when you come to update it for the millionth time.

    And Microsoft doesn’t move slow, I just think they have more things to do than reply to Linux/Firefox trolls.

  31. Anonymous says:

    > Give it up with the pathetic Firefix is almighty stories please. If you’ve actually used that POS for my than a week you’ll soon be heading back to IE’ville.

    Funny, I haven’t used Internet Explorer for anything other than testing for over five years and haven’t missed it one bit. In fact, my work would be a hell of a lot easier if it went away completely, as I wouldn’t have to constantly work around its "render errors and crashes". Example:

    http://meyerweb.com/eric/thoughts/2004/09/16/when-browsers-attack/

  32. Anonymous says:

    Is it really common practice to serve up different pages for different sites?

  33. Anonymous says:

    Alan,

    Actually, so far the PC users in the office have found it much faster, and much easier to use — they’ve also enjoyed the Tabbed browsing and some have said that webpages seem to render much more smoothly. As a Web Designer, I’ve used Mozilla products for years… and Safari on my Mac, so I wouldn’t be the best judge of that since I haven’t run back to IE ville for sometime, as it renders standard code improperly.

    It would be silly to say we update Firefox a million times, considering the amount of updates for IE… and Microsoft DOES move slow; they’re sitting with Quark on that boat now for letting their application run stagnant for years.

    But I guess I’m taking input from someone who’s an advanced developer, right? If that is your company you linked to:

    http://validator.w3.org/check?uri=http%3A%2F%2Fwww.convea.com%2F

    Might want to fix those errors — drop in a doctype, placing your scripts in an external file would be cleaner, using semantic code would be smarter, and using CSS (externally) for your elements would be much of an improvement. I see inline style tags, and even this:

    body {

    margin-left: 0px;

    margin-top: 0px;

    margin-right: 0px;

    margin-bottom: 0px;

    }

    You could easily make that:

    body {

    margin: 0px;

    }

    But if you need multiple elements, us developers use shorthand, so you can always do:

    body {

    margin 0px 5px 2px 1px;

    }

    Which is top – right – bottom – left, if you didn’t know. These are techniques from advanced coders, and recommended as it would improve the productivity of updates (not including speeding them up) , and allow for all around compatibility (handheld devices). If you download an opera browser and check your site out small screen, you can get a good judge at the visual errors. Not to mention that site doesn’t abide by Section 508 Handicapp Accessibility guidelines, or WAP 1,2,3 at all — leaving you open to lose possible customers and leaving you open to possible lawsuit.

    Simple and clean design, nothing advanced though, but I can tell the look is professional. You could also drop the 10+ <br> tags and put those in paragraphs, that would simplify things yes?

    Are there any advanced web coders out there, who can tell me they love Internet Explorer other than the power of ActiveX?

  34. Anonymous says:

    > Is it really common practice to serve up different pages for different sites?

    Depends — it’s common for designers to serve up different codes for different browsers, since all have minor errors, though IE has some major ones. Serving up whole different pages is a common practice to some, but it is no longer recommended. It was quite common back in the day to serve up a Netscape version and an IE version, but those were darker days in the browser wars.

    Typically now if you use XHTML+CSS (tableless is preffered, but you can use tables just fine, it’s more of a philosophy arguement for some, me included) You can create one webpage that will work for all, you’ll just notice slight rendering differences, and major ones for 5.0 browsers and under – most can be fixed using CSS hacks, however; allowing you to do one page with a few tweaks and not needing to serve up multiple pages. Cuts your development time in half.

  35. Anonymous says:

    Why can’t you just increment the version number like everyone else does, e.g. Firefox, etc it it annoying all these different Service pack levels, security versions etc.

    Why can’t I just be running IE 6.1 on XP 5.12 (WinXP is WinNT version 5.1).

    Keep it simple, stupid (KISS!)

  36. Anonymous says:

    Because if they do stupid stuff like this, dumb webdevs write scripts that depend on the funny UA string, and hence their site is broken in any other browser, so they maintain the monopoly.

    Also, it probably makes it easier for them to gather statistics about who’s doing what.

  37. Anonymous says:

    Sorry but this stupid.

    No matter what microsoft does the people complaining will always complain. These people at microsoft work damn hard, so how about instead of complaining and insulting them, thank them, because chances are those moaning can’t do anywhere near what those at Microsoft do every day. So thanks guys for all your hard work.

  38. Anonymous says:

    Richard – thank them?? For what?

    We pay money for Windows and therefore expect a certain level of quality because we are their customers.

    The fact is, IE development has only been stepped up because they see a threat in Firefox, if there was no threat IE would not improve. It’s a sad situation that a bunch of volunteers can produce for free a product that’s a lot better than comes with Windows – I doubt Firefox would have existed if IE had been of good quality, but when people are fed up with software they seek alternatives.

    I have to say, if you don’t get your act together and get it together soon. XP is the last MS product I will buy. I will move over to Linux warts and all, because despite the fact that Linux is not as polished as Windows it’s a lot more dependable.

  39. Anonymous says:

    Richard – thank them?? For what?

    We pay money for Windows and therefore expect a certain level of quality because we are their customers.

    The fact is, IE development has only been stepped up because they see a threat in Firefox, if there was no threat IE would not improve. It’s a sad situation that a bunch of volunteers can produce for free a product that’s a lot better than comes with Windows – I doubt Firefox would have existed if IE had been of good quality, but when people are fed up with software they seek alternatives.

    I have to say, if you don’t get your act together and get it together soon. XP is the last MS product I will buy. I will move over to Linux warts and all, because despite the fact that Linux is not as polished as Windows it’s a lot more dependable.

    As for those of those moaning about the quality of IE couldn’t do better than Microsoft, some people can, Firefox is proof of that.

  40. Anonymous says:

    The problem with Microsoft is their bludgeoning insistence that the browser must be and is an integral part of the operating system. Sorry, it’s not – it’s just a piece of software. An OS servers one purpose and one purpose only – provide access to hardware. So, it provides explorer to access the hard drive, the Windows API to access the monitor, drivers to access printers, API’s to access ethernet cards, etc, etc. The browser is simply a piece of software that accesses these API’s, just like Word or Media Player.

    If Microsoft pared down Windows to simply doing the job of an OS, they could make a pretty slick OS. Instead they’ve decided to kluge it up with all this excess software that would be better delivered separately. The Firefox thing is just a symptom of Microsoft’s disease. They didn’t update their browser because it takes so long to update an OS, so a group that can just concentrate on the browser is kicking their butt. And people, even non-techies, are actually starting to switch, which is a HUGE statement. If a product comes bundled free on a PC, it has to be really bad and the competition much better for the average user to even CONTEMPLATE switching.

    Here’s what I see happening. Now that Microsoft is only supporting security on XP, more and more users will switch to Firefox (or whatever) for browsing, only using IE for those sites that require it. As the percentage of non-IE browsers edges up to the 25% range, IE-only web sites will begin changing so that they don’t lose these users. Once the IE-only web sites are gone (or at least, not nearly as common), the biggest impediment to switching to a non-IE browser will be gone and more people will switch.

    It kills me how Microsoft repeatedly said that not allowing them to bundle the browser in the OS would "kill innovation", yet once they won they never updated the browser again. Where’s the innovation in that? I’m sure that once their browser begins to lose market share that the backpeddling will begin and we’ll see new and better IE versions apart from the OS. As it should be. Competition is the only instigator of innovation, period.

  41. Anonymous says:

    This blog is as dead as IE development. 😛

  42. Anonymous says:

    Brady, get off your high "standard compliant" horse. Perhaps you are not aware that the makers of the wonderfully standards complient Firefox didn’t think to make the much publisized download site standards compliant. For that matter, they Mozilla site itself has CSS errors.

    spreadfirefox.com home page 154 errors (xhtml)

    http://validator.w3.org/check?verbose=1&uri=http%3A//www.spreadfirefox.com/

    mozilla.org home page 2 errors (css)

    http://jigsaw.w3.org/css-validator/validator?profile=css2&warning=2&uri=http%3A//www.mozilla.org/

    Etc. etc.

    Rather than ad hominem, why don’t you focus on the issues?

    A note on versions and security…

    If you give a date in the UA, that’s the same as saying XPSP2 or SV1. The release date corresponds to the bug fixes. The only way there is ambiguity is if patches do not update the UA at all – you just kind of stick with vX.x for a while. As soon as you say vX.x+1, you’ve told everyone what changes were made. or vX+1.x or whatever. SV1 isn’t any more of a security issue than Gecko’s date string.

  43. Anonymous says:

    Thanks Louis Parks for the input and knowledge — you’re right about spreadfirefox.com — but for the mozilla errors, you might note that those are because:

    1) First error is a CSS3 selector, not an error but out of the context of the code

    2) second error is a hack to make Internet Explorer for Mac play nice, since it has validation errors.

    But I guess with all the inline styles and the errors in your site, you’re an expert on good coding practices as well:

    http://validator.w3.org/check?uri=http%3A%2F%2Fwww.lparky.com%2Fblog%2F

    While I agree the spreadfirefox is odd, the second errors you pointed out may be because it’s a little more advanced than your level of talent? That’s only passing judgement on your design and your low level coding practices — you know, you could cut your page size down in half by using shorthand CSS? Turn this:

    #banner {

    font-family:’Trebuchet MS’, ‘Lucida Grande’, Verdana, Lucida, Geneva, Helvetica, Arial;

    font-size:19px;

    color:#671603;

    font-style: italic;

    font-weight:normal;

    padding-right:0px;

    padding-top:10px;

    padding-left:0px;

    padding-bottom:15px;

    margin-bottom:15px;

    background:#FFF;

    background-position: top;

    background-repeat: repeat-x;

    border-bottom:1px solid #355EA0;

    }

    Into this:

    #banner {

    font: italic normal 19px Trebuchet MS’, ‘Lucida Grande’, Verdana, Lucida, Geneva, Helvetica, Arial;

    color:#671603;

    padding:10px 0px 15px 0px;

    margin-bottom:15px;

    background:#FFF repeat-x top;

    border-bottom:1px solid #355EA0;

    }

    …missing an image declaration in that background one too. You seemed to be an experienced programmer from your blog, why am I defending good coding practices when yours are bloated, outdated, error filled, and in no way accessible? From what I would know, that doesn’t put you in the position of passing judgement on anyones work, just as much as my skillset wouldn’t put me in the position to pass judgement on your programing skills; only your markup practices.

  44. Anonymous says:

    I agree that a date stamp gives out security information just as easily as a security token.

    My point was that a security token serves no purpose other than to compromise security. Really.

    But a date stamp, though it is a security risk, also provides complete information about the browser’s feature support. That alone may be worth the security risk.

    Ideally, though, I’d like to see a per-module token standard: something like

    Microsoft Internet Explorer/2005-08-28: CSS(+all), CSS2(-font +all), SVG(+all), ECMAScript(-file +all), …

    I would ALSO like to see the ability to turn off certain features on a zone-by-zone or even site-by-site basis – AND have the user-agent dynamically change to respect the current feature set FOR THAT PAGE! That would be REALLY cool.

    So, for example, I could turn off javascript in my Internet Zone but leave it on for my Trusted Sites. My corporate intranet server would then be able to tell that I am accepting javascript from them, and MSN’s server would be able to tell that I am NOT accepting javascript from MSN.

  45. Anonymous says:

    > So, for example, I could turn off javascript in my Internet Zone but leave it on for my Trusted Sites.

    You can already do that, except it’s called "Active Scripting".

  46. Anonymous says:

    Yes, I know I can. But the sites I visit have no clue that I have javascript turned off (or on, as the case may be.) What I’m proposing is putting something in the UserAgent string letting the site know my ability and willingness to run javascript… or perhaps in a different HTTP request header rather than the User-Agent…