Enriching the Web Safely: How to Create Application Protocol Handlers

Over the past few days, we’ve gotten several questions from customers about how you can invoke third-party applications on Windows by specially-crafted URLs that invoke Application URL protocol handlers (Firefox’s “firefoxurl:” has been the most discussed example). I wanted to provide some additional context on the issue and clarify IE’s design.

Custom URL handlers enable third party applications (such as streaming media players and internet telephony applications) to directly launch from within another application - commonly a web browser but even using a command line from Start > Run. For example, the “mailto:” custom URL handler enables you to click on a link and start writing an email. To make these custom URL handlers more useful, they can accept parameters that provide more specific instructions. For instance mailto: accepts parameters like subject and body.

The number of potential applications (and protocol handlers) is effectively limitless, allowing for many new and exciting ways to enrich the Web.  However, as with many extension models, there are security implications. In this example, one potential threat is that the custom URL may have dangerous parameters, such as strings that are too long and might cause a buffer overflow. The limitless variety of applications and their unique capabilities make it very difficult to have any meaningful automated parameter validation by the hosting (caller) application. It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters.

Protected Mode in IE7 in Windows Vista provides some additional protection when a user clicks on Application URL Protocol links by notifying the user that “A website wants to open web content using this program on your computer” and requiring user approval before invoking the actual application.

URL protocol handlers are one of the ways we enable rich experiences in browsing, however, as with any other program that accepts untrusted data from the web, URL protocol handling applications must be carefully designed based on the threat environment. 

You can find more information on writing pluggable protocols and registering applications to URL protocols on MSDN.

Markellos Diorinos
Product Manager

edit: change makes to make in third paragraph.

Comments (99)

  1. Will says:

    FireFox has been shipped to remove their buggy protocol handler and their bug (and a bunch of their other security bugs).  

    The new version is not yet set to autoupdate for some reason though.

  2. Johan S says:

    I would like to be able create my own security zones in addition to the 4 security levels already there (internet, intranet, safe, restricted)?

    Is that something that is coming or already there that I am missing?

  3. Alex says:

    Very good post, the only right answer to everyone blaiming IE for the leaks in Firefox and Trillian…

  4. CF says:

    Sorry for the OT, but it was right the first time; it should be "makes." It is referring to "the limitless variety," a singular noun phrase, and not "applications" or "their unique capabilities." The latter two modify the former, and are not themselves the subject.

  5. There’s been some back and forth on this URI protocol handler issue over the last week. It’s been interesting to watch and I think it says a lot about how different organizations approach security. Today, just as we’ve updated Firefox to help mitigate

  6. Jon says:

    Reading Asa’s post, it’s funny to watch the Firefox guys squirm and try to blame this on IE.

    It sounds like the Mozilla team is saying "Firefox is fragile.  Please be sure that web content is squeaky clean before you give it to us, lest we choke!"  

    What do you suppose this says about their handling of HTML?  

    Danger, Will Robinson!

  7. Carey says:

    I was under the impression that the bug in Firefox was that the program wasn’t prepared to accept multiple parameters in its URL protocol handler.  Perhaps the MSDN article should also mention this explicitly so other developers writing protocol handlers for Windows don’t make the same mistake?

    A simple URL like alert:/a%22%20/b passes *two* arguments from IE to the example MSDN program, which is at least somewhat unexpected.

  8. Henrik Pauli says:

    re: Jon, if anything, please make sure you first read and know about HTML and CSS.  While I appreciate the efforts of the IE Team on that regard very much (though otherwise I don’t muchly care about the browser — and to be honest, I don’t muchly care about Firefox either), I think we all know which the more flawed HTML/CSS implementation is.  Firefox 3 (among with Konqueror and Opera, both of which use completely different and unrelated rendering engines from Firefox) even passes the Acid 2 test which is precisely meant to test browsers against flawed code, so…

    Not to mention it’s unrelated to this topic, really.

    The issue really lies on both sides: both the sender, and the receiver.  If it’s possible — and I don’t see why it wouldn’t — then both cases apply to both IE and Firefox.  And any other participating browser and other software.

    I think Asa makes a good point about escaping, because that /is/ a good sender-side protection against injection and the best thing one can do as a programmer — there’s no way you can influence the receiver, you can’t fix their bugs.

    At the same time, the receiver (and in this sense if Firefox can be called via a custom protocol handler, then it indeed too) has to make sure that it doesn’t leak all over the place, doesn’t allow buffer overflows, and so on.

    All in all, bad comment from you, and not really good attitudes from both parties here.

  9. Jon says:

    Henrik, I didn’t realize that you were the judge and jury for comment quality.

    The comment about HTML points to an issue of security, not standards.  Here, Firefox is saying "Please don’t send us data that might be dangerous."  I’m saying: "That’s called the Internet.  If you can’t handle dangerous data, pack up and go home".

    As for escaping: Sure, that would be lovely, except that Windows has never ever done this, and to start now would break compatibility.  

    Having IE break +my+ code to coddle Firefox’s

    desire not to have to write secure code is simply not acceptable.

  10. Carey says:

    Jon: Have you written a custom protocol handler? Does it work correctly with URLs that contain mixtures of %20 and %22? Firefox and Safari send a single encoded URL parameter while IE decodes the URL first, so in the latter case it could be interpreted as multiple arguments, as the sample code on MSDN does.

    Your code is incompatible with Firefox anyway if making IE do the same would break compatibility.

  11. Al Billings says:

    What does the IE team tell the Trillian users?

    "We’re sorry that we’re an attack vector for your software?"

    There are sure to be more. IE should close this hole given that IE ships on EVERY Windows machine.

    Come on guys, everyone needs to not point fingers and just patch their products. <b>Everyone.</b>

  12. classic says:

    This is the "classic" case of:

    Be liberal on input you support, and strict on output.

    Mozilla and others are being liberal on accepting bad input, and have patched issues with malicious bad data.. but Microsoft is NOT being strict with their output.

    Shame on Microsoft for not doing the right thing, and putting a simple sanitary cleanse on output URIs.

  13. Motoryzacja says:

    there are some few problems with slovians language on URL’s in differenct browsers. I had a problem with polish signs after translate it from ISO2 to UTF on my website <a href="http://www.fuksik.pl">www.fuksik.pl</a&gt;. Someone said that […]the program wasn’t prepared to accept multiple parameters in its URL protocol handler.[…] I check and have the same error.

  14. Uros says:


    So you’re saying escaping would break backward compatibility? Lets see: Microsoft to trillian users:"You’re vulnerable. Sorry, we’re not going to fix this, backwards compatibility is more important to us that your safety."

    Brilliant attitude, just brilliant, really.

    There are people blaming Microsoft and there are people blaming Mozilla. Then there are those who are probably right and blame both. But the thing is: Mozilla fixed their flaw and released a new version of their browser. Now it’s Microsoft’s turn and what do they do? Come up with excuses.

    Now when they say that there are limitless attack vectors – yes there are. But this particular one is fixable! Mozilla has fixed it years ago by escaping. Why should the fact that B,C,D,E are not fixable justify not fixing A (which is fixable)? Oh, backwards compatibility, right.

  15. hAl says:

    Escaping existing URI’s is against the RFC that states that escaping an URI might change it semantics.

    What IE should do is refuse to interprete all weblinks with spaces or quotes as they are actually invalid URI’s according to the RFC.

    Sure, that would break the web but at least the RFC would be upheld.

  16. Jon says:

    Windows has had pluggable protocol support since Windows 95.  It has ALWAYS behaved the way it does today, and hundreds or thousands of products depend on that behavior.

    Let’s review: If you DON’T install buggy products (Trillian/Firefox) then you’re not vulnerable.  Now, what does that tell you?

    The idea that idiots writing buggy software should cause Microsoft to be forced to redesign Windows, and break all of the non-idiots that wrote non-buggy software, is utterly stupid.  Lazy developers writing insecure code should either fix their code, or pack up and go home.

    Carey: Yes, Firefox has always had a broken implementation that doesn’t decode URIs.  Apparently, the never tried to bother being compatible with the Windows Operating system that they’re running on.

    Al: You would seriously install a product that talks to the Internet AND trusts that it’s not going to be handed dangerous data?  If you’ll just please provide your IP Address, I’d be happy to help you more clearly understand how dangerous that is…

  17. Rasheed187 says:



    Why don´t you amateurs fix the scrolling problem that IE7 introduced? A lot of pages are scolling very sluggishly because of high CPU usage. FF, Opera and IE6 didn´t have this problem. Stuff like this really makes me mad.

    And while I´m at it, make sure that y´all don´t forget to add a "fit to width" feature, like in Opera. I hope it won´t take too long, I mean a billion dollar company should be able to do better.

  18. Jon says:

    hAl– Your point is fair, except there’s literally nothing in the RFCs which dictates how a browsing user-agent should handle URIs that are handed off to other applications.

    "Sure that would break the web but at least the RFC would be upheld." — hehehe… it’s nice to see that at least one person can recognize reality.

  19. Rasheed187 says:

    Totally forgot this: you amateurs didn´t give an option to put the tabs on bottom! Plus you can´t move around toolbars anymore, and the autohide sidebar is tottaly screwed up. Yes, I´m not exactly a fan of the IE7 team.

    On topic: A good HIPS should be able to stop these kind of attacks, by not allowing other apps to be spawned automaticly.

  20. William Harrison says:


    "Totally forgot this: you amateurs didn´t give an option to put the tabs on bottom!"

    You seem to be assuming that nobody would have thought to do that. It was most likely something that was considered, but not done due to a) Lack of demand, b) By design and/or b) Deadlines. I would expect a "seasoned" developer such as yourself to know that before opening your mouth (unless of course you just like "hearing" yourself :P). I do not know about you, but I would much rather see them work on optimizing the JavaScript engine, or on improving the CSS support for IE8. If there is any change, I would like to see them implement a range control from the HTML5 spec, and improve the file input to allow multiple files to be uploaded at once (if you have ever worked with that WONDERFUL input you probably noticed a lot of things about it do not seem to be standardized – e.g. Look at how Safari does it).

    And FTR (and not the first time I have said this here, probably),

    I am not crazy about the new interface (I immediately moved the menu bar to WHERE IT BELONGS ON WINDOWS XP) myself.

  21. Josef says:

    Stop complaining and release a fix like Firefox have done. It’s not about blaming one or the other. Just fix your software.

  22. fis says:


    Josef, fix your brain!

  23. Every regular-Joe job I’ve worked under people I would always have to directly deal with decisions made that I highly disagreed with so I think it’s reasonable to say that even people at Microsoft are frustrated with those making the big decisions and have the last word on.

    I’m sure the IE team is working with some unreasonable restrictions that force them in between a rock and a hard place. I’m sure what Chris Wilson and Bill Gates want from IE differs dramatically on various points.

    I would appreciate reading people’s comments on the blog more if the comments made were more constructive and in many situations educated. Read what you post before you post it, would you say that out loud as a speaker in a room full of hundreds of people listening and watching you?

    I don’t have anything constructive to say about this particular topic (patiently waiting for news on the rendering engine and (knock on wood) hopefully for some support of CSS 3 properties). However I do have a question…for some reason URLs I paste or open via File/Open continue to open in IE open instead in Firefox regardless of which browser is the default. I can’t even use my Windows Update link in the Start Menu. Any suggestions on how to fix this?

    – John

  24. Tazmanian says:

    hey all when could we see Internet Explorer 8.0 Alpha edition ???

    is Internet Explorer 8.0 – Alpha edition already available????? if so how can i down lode it  do you have a link?

  25. When I was a child, I learned a saying that I still find important to keep in mind: Those who are sitting

  26. Lanad says:

    What does the IE team tell the Trillian users?

    "We’re sorry that we’re an attack vector for your software?"

    There are sure to be more. IE should close this hole given that IE ships on EVERY Windows machine.

    Come on guys, everyone needs to not point fingers and just patch their products. <b>Everyone.</b>

  27. And… he hasn&#39;t lost his special knack for being able to aim his riposte just right… My regular

  28. Pointing fingers doesn’t take much above a room-temperature IQ, and certainly doesn’t solve problems.

    Browser vendors need to agree on seamless behavior in the same conditions and standards – compliance, and strive to ensure that these are all implemented and tested successfully.

  29. Dave Bacher says:

    I love Mozilla’s response to this, it’s clear they don’t understand security at all.

    Here’s the issue…

    You have a port (end point) on a publicly exposed API.  Any process on the system can read the information on how to access the port, and then invoke the port.  It is not only Microsoft code, but any code on the system.

    It is an issue on POSIX also, if there are ports that do not perform validation.

    You have a trusted code base (the core application).  Any place there is a port entering that trusted code base, you must assume whatever is connected to the port is hostile.  It does not matter what technology the port uses — DDE, COM, Command Line, XPCOM, .NET, Java, LISP, scripting language, whatever — you have to assume the code on the other side intends to be malicious.

    For example, Outlook has traditionally been plagued by untrusted code calling trusted ports.  Microsoft’s policy was, for a long time, that any code running on the local machine is fully trusted (you can see this today in .NET).

    That doesn’t mean the code can access anything outside the current user’s sphere of influence, but it can access network resources and anything else that the currently logged in user has access to.  As always, don’t run as root.

    Outlook finally recognized this, and put a proxy pattern into place.  The proxy checks the invoker’s .NET evidence (if any) and Authenticode signature (if any) against a black list and against a white list, on a feature by feature basis.

    There is actually only one list, incidently.  Instead of doing like FireFox (where there are multiple lists in different places), Microsoft made a list of programs, then as a child a list of permissions.  You set the permission on the program to either "allow," "deny" or "prompt," with the default being "prompt."

    When code invokes the port — be it an extension loaded into Outlook’s address space, or a process on another computer — it applies this security policy.

    It also parses input into encapsulated objects that enforce validity rules, and uses those internally everywhere it needs a URL, for example.

    What does this have to do with Internet Explorer and FireFox?

    Now FireFox is actually wrong in their assertion it is correct to filter URL’s before passing them to external applications.

    For example, many HTML properties take JavaScript URL’s (javascript:whatever(‘code goes here.’);) — those URL’s violate the specification, but are in common use, and it isn’t going to change.

    In order to handle those URL’s — and it isn’t just JavaScript — you can’t really properly validate the URL outbound from the browser, without compromising some application’s ability to function.

    To be clear, I am not in disagreement that these application’s are out of specification with the URL standard; however, they exist and one of them is the second or third most common URL found on the public internet, and so you can’t say "we’re going to validate everything outbound."

    You have to validate it inbound.

    You have to do it either way, because there might be a bug in the caller, a misimplementation, etc.  But even if the caller works perfectly, you can’t be sure it is not a malicious process designed to attack you.

    Unless you have the gate keeper that I described above from Outlook sitting on your public ports and using some form of strong evidence.

    And even then you should assume the other process has been compromised, and take appropriate measures.  

    For example, you might have a "Send Mail" permission, and a separate "Throttle" permission that kicks in if more than 10 messages are sent in under a minute.  There are programs that (legitimately) need to send mass mailings — GNU MailMan for example — but there are also programs that do not typically need to.

    By having two permissions, you protect yourself so that in a worst case, you still have contained the attack.

    Anyway, what it comes down to is that the Mozilla guys have had a very bad attitude about this, because it has made them look very bad.  Rather than owning up to the fact it is their fault, that they didn’t follow basic rules, and that they are not thinking securely, they instead blamed it on the guy on the other side of the port.

    The biggest problem with validating URL’s is that you have technologies like JavaScript that are using invalid URL’s.  So you have to have a list "I validate for these URL’s, I do different validation (or no validation) for these other URL’s," and the only way to know that is to put it in control of the protocol handler’s configuration entry.

    At that point, you’re still putting the burden of validation on the side you do not control; that is always a recipe for disaster.

  30. Heard about the firefoxurl vulnerability? It turns out that you can exploit Firefox by having Internet

  31. Jack says:

    @Dave Bacher:

    Get off your high horse there lado.  The Mozilla team’s attitude towards software development and security is 100x better than anything Microsoft has ever done.

    It is NOT their fault, that IE has known, open attack vectors into other applications.  The simple fact that the MS team has no intention of making *ANY* effort to curb this, shows who really cares about security.

    Lets put it another way.. IE6 is a virus/malware magnet.  Has MS provided an IE7 upgrade for all users stuck on this browser? *Nope*!  If you aren’t on XP, or if your IT dept won’t upgrade due to incompatibilities, you are totally vulnerable.

    Win2k and 98SE are still running strong on many PCs, the scary thing, is they are on IE6 too!

    Apps with outbound URL’s should do their best to ensure clean data… and should be very weary of any inbound URL’s.

    Blaming Mozilla for bad software/attitude is like blaming the Tooth Fairy for violent crime.

    Pointless and lame.

  32. Sam Spade says:


    What is your attitude now that it has been revealed that Firefox sends "bad data" (Window Snyder’s description) to protocol handlers in the same way as IE?

  33. web designer says:

    "The limitless variety of applications and their unique capabilities make it very difficult to have any meaningful automated parameter validation by the hosting (caller) application. It is the responsibility of the receiving (called) application to make sure it can safely process the incoming parameters."

    I can disagree with you on this. I mean not all users have the knowledge 2 "make sure it can safely process the incoming parameters."

    An automated validation is much more user friendly; even f it means more develoment on IE side, IMHO.

  34. Tazmanian says:

    this commet is for web designer is this the right blog for this commet?

    re: Enriching the Web Safely: How to Create Application Protocol Handlers

    Friday, July 20, 2007 9:11 PM by Tazmanian

    hey all when could we see Internet Explorer 8.0 Alpha edition ???

    is Internet Explorer 8.0 – Alpha edition already available????? if so how can i down lode it  do you have a link?

  35. Rasheed187 says:


    @ William Harrison, it´s just very disappointing to me that a company with so many resources manages to come up with a mediocre product. Of course there a lot of good things in IE7, they did fix and improve a couple of things, but surely they can do better?

    About your comments, the javascript engine is not really that important for me, it would be nice if it became faster, but I think we need to move away from javascript, it´s a security risk and slows down website loading a lot, that´s why I have disabled javascript.

    And of course better CSS support is always welcome. Btw, do you perhaps know what´s causing the "sluggish scrolling" problem? Is it related to CSS? Check out this link, how the hell did the people on the IE7 team didn´t notice this?


  36. Will says:

    @Rasheed187: Your page scrolls fine for me.  IE7 has two performance issues related to scrolling, both of which are avoidable by web developers.  See IE0003 and IE0004 at http://www.enhanceie.com/ie/bugs.asp

  37. jakeb says:

    I think a good real world comparison would be in writing a paper. When researching a paper you collect data from many sources. Some of these are accurate, and some are not even though they may seem legitimate. If I take a fact from a reference, then it is my responsibility to verify that it is accurate before using it. If I do not do so, I am the one who has to answer for it. I can blame it on bad references all I want, but if I still fail to verify my references on my next paper, it is still my fault. And I will be the one who fails my course or gets fired.

    It is the responsibility of the receiving protocol handler to verify the data it is receiving before using it. From what I understand protocol handlers can be called by any application. So even if IE passed it exactly how Firefox wanted, wouldn’t Firefox still be vulnerable to links from any other application?

  38. Robert says:

    Hmm, the courageous way you’ve handled this seems to indicate that the IE team is almost as competent as this guy.


    Forsooth, words are woefully inadequate in describing how Scott typifies the ‘Softies I have had the pleasure of dealing with.

  39. Window says: &quot;Over the weekend, we learned about a new scenario that identifies ways that Firefox

  40. pb says:


    Yup, Firefox is just fine. Come on guys, you have to validate your incoming data. That’s how it works. You don’t trust, you validate.

  41. Rasheed187 says:


    So what are you trying to say, don´t you get high CPU usage while scrolling the page? Have you compared it with FF and Opera? I doubt that this is a problem related to my machine. It does seem to be a CSS bug, probably this one, if I´m correct:

    IE0004: Slow scrolling with use of CSS :hover rules

    Users may experience poor performance in IE7 when scrolling pages that contain large numbers of elements with :hover rules.

  42. Tom says:

    Anyone have an addon for IE7 (or even IE6) that adds the following options to the context menu:

    "Open this frame in a new window"

    "Open this frame in a new tab"

    (when right-clicking on a frame obviously)

    The wording doesn’t need to be the same, but I need the functionality.  Oddly enough, Opera, Safari, and Mozilla all have this, but IE doesn’t?!

    thank you

  43. Steve says:

    Hey Tom, I too have been looking for these, didn’t see any, so I hacked my own.  My Addon handles your first case, "open in a new window", but I couldn’t find docs on how to do the new tab thing in IE, so I don’t have that feature (pity).

    I don’t have the file hosted anywhere (and the IE Marketplace takes weeks to setup) so if you want it, just let me know and I’ll find somewhere to host it.


  44. Brianary says:

    It seems like you guys have been posting a lot less lately.

    I found out this week that the CSS border-spacing property is STILL not supported, and that we cannot enable HTTP compression because of IE *STILL*!

    We were looking at about a 70% reduction in bandwidth costs, but due to a bug in MSIE that still exists in version 7, we can’t enable it.

    Can we just bill Microsoft for that one?

  45. EricLaw [MSFT] says:

    @Brianary: We are not aware of ANY outstanding issues with compression in IE7.  I’d very much like to get more detail about the issue you’re having.  Please feel free to send me a note at ericlaw at microsoft dotcom.

  46. ash says:


    Dave’s was the first post that made an attempt to understand what was written in the article, hardly a "high horse" position.  

    So, can you please explain clearly and with evidence why you believe that "IE has known, open attack vectors into other applications".

    On the same note, it would also help if you were the first person who could explain why encoding URL’s before they are passed to third party apps is beneficial, because I cannot see any reason why this is the case.

  47. Eduardo valencia says:

    Please microsoft,we need a new build,with improved standards.

    Make it posssible!

  48. dvd says:

    Dudes, when it’s validate it validate. When not, it’s not. What the whole this argue is about?

  49. ell says:

    i second eduardo. we need a new build!

  50. charll says:

    Could you guys take a look at this link at the comments started at the bottom.


    Please ooooh please implement the CSS2.1 tags like

    display: table;

    display: table-row;

    display: table-cell;




    and many more STANDARD TAGS.

    please ooh please.

    In school they learn us to make a website FIRST for FIREFOX and then fixing up IE with hacks (but most of the time we don’t do that we say: just use a good web browser)

    what’s so hard on following the standards?

    When HTML 5 and CSS3 (or CSS2.2) will come, what will you do then? again making your own tags or only implement 10% of it. and implement 5% wrong or creating your own style language?

    We webdevs get sick of this.

    We do not care about how you guys made a new Iwatch or whatever you can’t follow the rules at first so what’s the point.

    You have a problem but you don’t fix it instead of fixing it you create more stuff (and more problems).

    Go ahead and talk with the people from W3C, opera, firefox

    it would be better for us webdevs and for you guys to gain back some trust of us.

    And i know you guys say: "ooh who cares about that css, all that the people want is open IE and surfing to a website. that’s it".

    Well please think about us.

    Make it go faster. Like marC said on that link: if there is a bug in windows, the next day you have already a patch or solution for it. But for IE it takes years to just implement 1 css tag that other browsers supported already 5 years ago. If it goes to slow wel just ask your good friend Bill for some more money and get a bigger team. The future is on the internet so please do your best and implement ALL of that css good.

    tnx for reading ( a frustrated webdev who use to much [IF IE] )

  51. Arven says:

    All that you say is correct but Firefox is easier to use and most important is people already adjust themselves to Firefox because it had better performances when there is not IE7 on market. When IE7 arrives on market everyone think that it is another version of old IE that is used ages ago. Nobody want even see performances of great IE7 and that is problem.

  52. David says:

    Can we get an update on this? It appears that the Firefox folks actually had a bigger problem too, but I haven’t heard about a fix for Trillian yet?

    Has the bug in IE been fixed? Will it be included in the next "Patch Tuesday" (TM)?

    Can you please post a complete list of the applications affected by your bug?

    If this is a serious issue, we need to disable IE on users PC on the network, and tell them to only use their Firefox browser until this is fixed.

  53. gabe says:

    according to Microsoft this is not a bug they are gonna fix

    as a matter of fact Microsoft says its a feature not a bug

  54. Jon says:

    David– The Trillian bug is in Trillian; you should talk to them about getting a fix for it.

    Firefox and IE both pass parameters in the same way, and this behavior is by-design, and documented on MSDN.

  55. Davide says:

    what charll said is true.

    Will there be an update soon for Internet Explorer with better support for CSS2.1 (and CSS3) for the default tags? It would be nice because in september the schools are running again then and people start to work again, the summer is past. An update with many css improvements would be appreciated.

    Forums would louk much much better if we could only use  display: table/table-cell/table-row;

    and many more things that IE doesn’t support.

    phpBB forums are waiting for that…

    We also and it would fix some major css problems like faux columns. (FireFox supports it but again Internet Explorer doesn’t)

    I beg you IE-team. Add those css things to Internet Explorer in one of the first updates. Please. Don’t try to do it your own way, follow the standards.

    And let older IE browsers upgrade to the latest version. force them and the world would look a bit better and you will have some of our trust back.


  56. Mona says:

    poor poor Internet Explorer


    fix this it seems that you have a lot of work to do. Hurry up, the others are already busy on CSS3 and you guys can’t implement css1 :’) haha

  57. Laurence says:

    it has been almost a year since ie7 came out, but if my memory serves be correctly we haven’t seen any updates to the rendering engine or to the CSS support.  the only patches we’ve seen have been for critical security hole patches.

    if we go back in time we recall that there was another stagnent time when the development of ie froze while the world had to wait for other developers (cough Firefox, Opera, Safari) to come in and resurect the "Innovation" on the web.  then ie7 was touted as this mass improvement, and commitment to the developer community.

    I just searched this blog, and nowhere are there posts about what is going to be in ie8, what bugs are going to be fixed, what usability items are going to be resolved (ie. hiding the Menu Bar.. man that was soooooooo smart! – NOT!)

    there was a distant hope too, that some bug tracking would be available, but that too was shut down in its prime.

    Now you can try and shut me down as a nay-sayer, but the facts stand for themselves!

    Try this uri.  This is a search in this very blog, for the term "IE8" (sans-quotes).


    For those too lasy to middle-click the link, I’ll spoil the surprise…

    "No Results"!!!

    Wow! so glad you couldn’t post a single comment on new features in IE8, long standing bugs that will be fixed in IE8 or an IE7 patch.

    For those that have ever watch an eppisode of South Park;


    Developers, Developers, Developers? – Bull.

    Freedom to Inovate? – Bull.

    IE Development Transparency? – Bull.

    Listening to Development Community? – Bull.

    "We hear you!"? – Bull.


    I was very careful not to use cursing, because the rules on this blog disallow it.  However it should be obvious from the tone, and the blatently obvious, "You’ve been called out", the ball is in your court.

    What does the MSIE team have to say for itself?

    Where’s the open communication (one-way doesn’t cut it)

    Where’s the problem reporting tool(s)?

    Where’s the road map of future releases?

    Where’s the "we plan to support Tech X, by IE v.Y"?

    Fed up of the lies.

  58. Ron says:

    MS can’t keep promises, so they won’t make any. Safest approach for them.

  59. Mona says:

    I bet they will close the comments again here because they can’t hear it anymore :’) poor guys.

    Just implement CSS2.1 (and CSS3) correctly. FireFox & webkit are already implementing it and you guys argh you can’t implement CSS1.

    very very poor

    and Laurence  damn you have a BIG point over there ^^

  60. Dave Massy says:

    Guys, Being rude in your comments doesn’t encourage a conversation!

    There are reasons why none of the browsers deploy improvements to their compliance to standards recommendations outside of major versions. I’ve tried to explain that at http://www.dmassy.com/details.aspx?Entry=4

    We should expect IE8 to further improve compliance but changes to behaviro other than security related shoudl not really be expected before then. It would be nice if the IE team would continue the transparency started during the development of IE7 and discuss what to expect in IE8, at least acknowledging issues raised. However I suspect the team is hard at work on architectural changes to allow some of those issues to be addressed.

    Having been on the receiving end of such rude and angry comments in the past, I can say that if you want the team to actually respond then you have a better chance of hearing from them if you are polite and ask clear questions rather than post an angry rant. A conversation requires both sides to show some respect or it is just an argument!



  61. rex says:

    ok Dave, here goes.

    Dear IE Team,

    Please post news to this blog about IE8 asap.

    There has been no discussion of what fixes we can expect in IE8 nor comments about new features.

    The transparency discussed previously has not happened.  We would greatly appreciate it if the IE team would please post what the status of IE is, a roadmap of releases and/or features (even ETAs) and most importantly re-open 2-way lines of communication.

    Development on IE as a platform, or as a Web browser can not continue without your support, input, and a reliable method to communicate and track issues with IE.

    thank you


  62. ash says:


    An arrogant and childish letter isn’t going to get you far.

  63. steve_web says:

    @ash, re: "…arrogant and childish…"

    Huh? What?!

    If I follow this trail correctly, Laurence posted a "heated" note about the lack of IE info after IE7 shipped.  The tone was harsh, but hey, we’ve *ALL* been there, and the points made were valid.

    Next Dave Massey (ex. MSFT IE Team) joins in, and indicates that the tone was over the top, *BUT* the point was valid.. open discussions/info between the IE team and developers went AWOL after IE7 (much to his dismay)

    Then Rex, after reading Dave’s comments, asks very politely, for MS to please take note, and re-open the communication.

    I fail to see where Rex is being childish or arrogant?!

    However, I’m going to be arrogant for a moment, and suggest that Rex’s polite request (based on Massey’s suggestion), will be completely ignored.  As was any other request, by any other developer, since IE7 shipped.

    That my friends, is what is sad about this whole situation.  Please feel free to prove me wrong, I would love it if that were the case.

  64. Just Curious says:

    How can I tell if I have IE(x) installed on my PC?

  65. swingle says:

    Be liberal on input you support, and strict on output.

    Mozilla and others are being liberal on accepting bad input, and have patched issues with malicious bad data.. but Microsoft is NOT being strict with their output.

    Shame on Microsoft for not doing the right thing, and putting a simple sanitary cleanse on output URIs.

  66. Jon says:

    Swingle: What exactly do you think "cleanse" means?  Strict implies that there’s some specification which covers how to correctly pass a command line to a handling application.  Since Microsoft invented the feature, the implication that they’re not following their own specification is pretty silly.

  67. Ron says:

    "How can I tell if I have IE(x) installed on my PC?"

    Open IE, then click on the ‘Help’ menu item and select "About Internet Explorer". It should mention the version number in the popup window.

  68. It is a good web. I always have the problem about the Internet Explorer cannot display the webpage.How to solve the problem?

  69. tom says:

    @Brandit Prarasri:

    There are several reasons why you might see this.  Can you provide a/the URL(s) to the page where you see this?

    For example, this might be the <script type="text/javascript" src="…"/> bug, or there could be content on the page that triggers an endless loop, or ???

    With a URL, we can go investigate and find the source of the problem

    By the way, does the page(s) you are trying to view work in other browsers? e.g. Opera or Firefox?

    tx, tom

  70. Online PR says:

    All that you say is correct but Firefox is easier to use and most important is people already adjust themselves to Firefox because it had better performances when there is not IE7 on market. When IE7 arrives on market everyone think that it is another version of old IE that is used ages ago. Nobody want even see performances of great IE7 and that is problem.

    Best Regards

    <a  rel="follow" href="http://www.online-artikel.de/&quot; title="Online PR-Portal">Online PR Portal</a>

  71. pot stirrer says:

    Uh guys! You got called out a week ago!


    Are you not even going to post a response?  Looks like Laurence is right, IE development has stopped again.

    So glad you guys could step up to the table with some info on new stuff & data on bug fixes.

    so much for hoping that IE8 is going to fix IE7!

    looks like it is time to stop putting in hacks for IE and just give up, cause apparently they don’t care anymore, so why the heck should we.

    From now on, my sites will be supporting Good browsers only.  If users aren’t at least on IE7 or better, they can go download Firefox, Opera or Safari.  And if they don’t like the crappy rendering in IE7, they can download a real browser.

  72. Maxim says:

    Whether there will be and in the further such ways of protection or not?

  73. frank says:

    I just read with a laugh on MSDN,  



    "Internet Explorer 6 and later support all of the properties, methods, and collections defined in the Document Object Model (DOM) Level 1 World Wide Web link specification"

    Wow! if only that were true! then we would have a Web browser (no, make that a platform) that we could confidently build on top of.

    Last time I checked, in IE6 and IE7, the following methods were broken.

    a) .getElementById()

    b) .getAttribute()

    c) .setAttribute()

    d) .createElement()

    e) .cloneNode()

    Any word on when these are going to be fixed? I know that 7 years is a short time span to incorporate these features in a browser, but we were expecting these to be fixed in IE7.

    Oh, and I know that this is level 2 DOM (also only 7 years old) but can you look into supporting events properly?


    supporting .addEventListener() would make developing in IE a whole lot easier, instead of having to duplicate code in some 1-off proprietary format, just to make sure code works in all browsers.

    Oh and for those that need references…….

    a) returns objects matching by name, not ID

    b & c) doesn’t work on a multitude of attributes including class, for, style, colspan, rowspan, name, cellpadding, cellspacing, frameborder, maxlength, onclick, onchange, onmouseover, on… well lets just say every single inline event handler attribute?!?!?!

    d) .createElement( ‘<input name="foo">’ ); is NOT THE WAY ELEMENTS SHOULD BE CREATED!

    e) anyone thats ever copied/moved checkboxes and radio buttons around a page knows that this  is a disaster.

    So as Dave Massy stated (on his Blog), if you are not going to spill the beans on all of these being fixed in IE8, can you talk about IE7 in the mean time? Lets start by explaining why there were NO, NONE, ZIPPO, NADA, ZIP, ZILCH fixes to Javascript in IE7?

    I’m just a web developer, but to me, I would have to say that 6 years of development and 0 fixes to the core scripting language seems pretty darn pathetic especially when you consider that 90% of it can be fixed without any worry of backwards compatibility!

    Oh, I will give some credit.. as Dave pointed out, thanks for re-opening the comments.  Considering this is the ONLY form of open communication with the IE Team, it is critical that at least one post always have open comments.

  74. Dave Massy says:


    As you are probably well aware the DOM functionality was not an area of focus for IE7. During IE7 the team focused on improving CSS which is what most developers were complaining about. This expectation was clearly and repeatedly set during the development of IE7.

    I know the team is well aware that work is needed on the DOM. There is as always the concern of breaking exisitng sites with such changes. That is something that is clearly doable but is an extra complication.

    There was actually work undertaken on the JScript engine in IE7 to improve performance.

    I’m hopeful that the team might get to undertake the DOM changes in IE8. I’m sure the team will let us know when they are ready.



  75. the bigest thing for me has been pasting,new stuff from other url i have how to make it easyer.

  76. rss feeds on this has been the hardest to intergrate,with other blogs i have

  77. coma says:

    yesterday i was trying to make a website.

    when i did the CSS part:



    display: table;

    display: table-row;

    display: table-cell;

    all works fine  but then when I took a look on IE the crap came again 🙁

    The only you guys say as an excuse is that you focus on security and that your browser needs to be backwards compatible with older websites.

    I don’t understand the last part…

    If I use <div id="test"></div> in my website that I build 5 years ago or when I built it now it’s the same. I don’t see what would break the sites down then if you implement more css features and tags.



    and to be honest I don’t care if a website breaks because it still uses <br> instead of <br /> (just to give a basic example with br)

    It’s time then that website developers learn the language good. If they don’t code good they shouldn’t be webdev’s.

    C++ or C# syntax must also be correct before it works, there you also need to follow the "standards" (=syntax/rules) so why would that be different here with css and xhtml and javascript?

    Make the IE team bigger, make it opensource I don’t care.. All i want is that it doesn’t take another year before you guys implement some feature that was 6years ago needed for the first time and already good implemented by the other browsers. I see new opensource browsers develop faster than your IE team. That keeps me wondering to be honest.

    Again I’ve see some other browsers adding new CSS3 (yes read it good C S S 3) features into their browsers and your team has problems with CSS1…

    well well well isn’t it time that our friend Mr. Wilson asks some support from Mr. Gates?

    What do you guys think about it? 🙂

  78. AC says:

    "It’s time then that website developers learn the language good. If they don’t code good they shouldn’t be webdev’s."


  79. Dave Massy says:


    That’s really a rather arrogant attitude don’t you think? Basically you are saying that all web developers should be professional and if the browser is updated and their sites break then it is their own fault. That is really not going to get you a lot of customers if that is your support policy.

    What about the companies who have nothing to do with IT who spend good money to have their websites developed and the developer then moves on? They then have to spend money when the browser is suddenly updated on something they do not understand.

    It would certainly be a lot easier and cleaner if all web developers "learn the language good" as you so eloquently put it. However the unfortunate reality is that many web developers use the "hack it and see" approach to developing content where they copy code from somewhere else and then hack at it until it does what they want. Such code is rarely maintainable.


  80. steve_web says:

    @DMassy re:"There is as always the concern of breaking exisitng sites with such changes"

    Changing many aspects of the broken DOM in IE will not have backward compatibility issues.

    For example, fixing obj.setAttribute(‘name’,’fred’);

    to actually work, will not break anything, because it never did work in IE in the first place.  For those that will then moan, well, what if someone was calling this, and it didn’t apply the name, and now it suddenly will, it will break stuff!  Well, for those, I only have 1 thought.

    "If you call a method, and expect it to do nothing, and return nothing because the implementation of the spec is wrong, don’t call it!  If you call it, when the API is fixed, EXPECT the call to work!"

    Next: If developers out there, have coded content to use .getElementById( nameToMatch ); then you have set yourself up for a severe let down.  The method call has "Id" right in the name! If you expect this botched behavior to work in future versions YOU ARE doomed to fail.  Not to mention that the behavior will not work in other browsers, so you are wasting your time anyway.

    Next: .createElement() this one is fun, because MS has already shot themselves in the foot on this one.  Developers have to pass in crud to this method, because the .setAttribute() method is broken.  Fixing this can wait though, as long as the .setAttribute() is fixed!!!!

    For us developers, we’re in a strange spot…  we hope that IE8 solves *everything* (or as much as possible), because the sooner we can deprecate support for IE6, and IE7, the sooner we can stop coding hacks, and just code.  However for every release that we "push" out fixing this mess, means we have to "add" another layer of hacks, for each slightly-different-but-still-wrong browser version.


    I know that I will be over the moon with joy, the day that I can officially say that IE6 is deprecated.. no more z-index nightmares, no more iframe hacks, no more adding event handlers to get a simple mouseover effect..

    I think that there should be an official date set, and web dev’s all over the world can raise a glass and cheer!


  81. When I was a child, I learned a saying that I still find important to keep in mind: Those who are sitting

  82. Dave Massy says:


    The commitment to compatibility does not mean things will not change but it is a justifiable concern when making any change.

    As you rightly point out, some changes to the DOM will not break existing content or are extremely unlikely to. Other changes can almost be guaranteed to break existing content. I’m not saying changes should not be made. I’m actually a big fan of making changes as soon as is realistically possible so that the standard recommendations are followed. However I want those changes to be undertaken so that the implementation is of high enough quality that web developers can really rely on it. I also believe that existing content on the web should for the most part continue to work unchanged.

    I do not want to see the IE team just fix the parts of the DOM that don’t affect compatibility and not undertake fixing the parts that are most important to developers. The team should either do a decent job or not do it at all. I would hope that almost everyone would agree on that point.

    You make a great point that:

    "every release that we ‘push’ out fixing this mess, means we have to ‘add’ another layer of hacks, for each slightly-different-but-still-wrong browser version."

    Do you want to see a new version of the browser every year that only nibbles at the problems and leaves us with several different browser versions to cope with. Or should we wait three plus years and get a major upgrade that addresses the majority of issues? I do not know when IE8 will arrive but I do hope that it will not be a rush job that only nibbles at the problems.

    I’m not going to say that the IE team is always correct in what they do but it is easy to throw stones and point out the failings when you are on the outside. A browser is a very complex beast and concerns such as security and compatibility are the reality of developing a browser in today’s world. For companies building solutions on browser technology it is important for them to know that they won’t have to revise their applications every time one of the IE developers farts on the browser codebase.

    As I’ve said I’d love to see the IE team be as transparent with IE8 development as they were with IE7. However it would also help if the people commenting here would recognise the realities of the commitment to compatibility instead of believing that it is of no importance. As soon as you say "It’s a standard and therefore it must be followed at all costs and break existing content" you demonstrate a complete lack of appreciation of how businesses are relying on the browser’s behavior for their livelihood. Compatibility is an important concern but it is not a reason for not changing things.



  83. Joel says:

    An off-topic note:

    Where are the updated Virtual PC IE6 images?  We’re a week away from April’s images timebombing.

  84. tim.m says:


    How could you expect from us to create good websites if it doesn’t matters how you use the syntax. You seem to don’t care about it. If the syntax said: <br />  you don’t need to type <br> or <rb />.

    syntax == syntax

    The problem can be fixed by saying: next year we will not support <br> anymore. It would give a great boost for the websites, for the web, the IT sector (think about work there will be more webdevs and that’s good >> lower prices etc)

    And for now you can say if you use a DTD xhtml 1.1 Strict or some other recent DTD you need to say: The browser does not support <br> anymore in this new DTD, if you still want to use <br> then set an older DTD. (and all the other "old" websites still have that old DTD so sites will not break down when updating a browser.)

    I still don’t get it (like coma said): They work so slow! I’ve submitted a bug in Visual Studio, 2 days later the bug was fixed. When you see the Microsoft Connect > Feedback thing it has visual studio bugs every day and everyday you see "fixed".. You can "see" them work on it.

    When I wanted to check the Microsoft Connect Feedback thing for Internet Explorer it was closed… how poor

    I nah.. let’s say "We" want IE8 soon with a greaaaaat support for CSS, javascript, standards. or at least give us some info or a beta testing to report bugs etc…

  85. rc says:

    I have heard from a source in Redmond that development of IE8 faces seriuos troubles. Therefore IE8 will not be released neither this year nor 2008, even in beta version. Maybe it will not be released at all.

    Due to total muddle in developers team they cannot report anything about their plans neither in this blog nor anywhere else. No wonder that they have completely forgotten about VPC Image and IE Developer Toolbar.

    If IE8 will ever be released, it sure will be an entirely new browser, not successor of IE 7, written by entirely new developers, maybe ever not Microsoft.

  86. Dave Massy says:


    You are twisting my words and you know youare. I’m not trying to pick an argument, I’m simply explaining the reality of delivering a browser in today’s world. I’m certainly not defending the speed at which Microsoft delivers these fixes and I’d love to see them work faster. I’d love to see a stricter syntax in use so fewer developers could rely on poor parsing of HTML. That poor parsing is largely an inheritence from when IE4 had to emulate the poor parsing in Netscape Navigator 3 so that existing content renders. I was part of the IE4 team and recall the effort put in to emulate the slightly bizarre rendering of tables that Netscape had so that existing content on the web would render. Why? Because if IE didn’t display the existing content no one would have used IE4.



  87. Mitch 74 says:

    IE7 was a half-hearted attempt at fixing CSS support in Trident. Nothing more: quid addEventListener and consort?

    Nothing was added to support HTML 4.01 (apart from support for <abbr> – oh, great), let’s not even mention XHTML (seen as ‘flawed HTML 4.01’, and only when IE is fed a bogus MIMEtype), or alternate stylesheets, or site navigation (how old is the <link> tag, by the way?).

    How comes other programmers (even reduced teams, remember iCab is made and programmed by a team of 2 people) can do a better job at implementing specs than Microsoft, with its thousands of devs and its huge budget? And no, don’t get me started on ‘backward compatibility’: said compatibility was broken often enough with this poor release called IE7 (a 2002-level browser released in 2006) to make this point moot.

    We now need to cover ‘legacy’ IE releases: just use XHTML 1.0 Strict with the XML prologue, and IE5/5.5/6 will render the page the very same way; other browsers will use ‘strict’ rendering, and many (if provided the correct MIME-type) will switch to ‘real strict’ XML parsing.

    But not IE7 – and from what I could find, IE8 will do the same. As such, we now end up with three (3) development tracks for our websites:

    – IE5/6 (makes a mess of CSS and Jscript)

    – IE7/8 (makes a DIFFERENT mess of CSS and Jscript)

    – all others (Firefox, Opera, Konqueror, Safari, iCab).

    Thank you, Microsoft. Thank you so much. No one I know of has managed to botch up a bug-fix release this way.

  88. Jon says:

    @RC: Hahahaha… You don’t honestly believe that drivel, do you?

  89. EricLaw [MSFT] says:

    Joel– We expect to drop new VPC images for IE6 by Monday, August 13th.  Thanks!

  90. melvin says:

    Since there doesn’t seem to be any sort of news on IE8 or fixes or anything, can someone at Microsoft in the IE team at least announce that the button stretching bug will be fixed in IE8.

    Right now I don’t give a care about any other bugs except this one.


    The horrible stretched button disaster in IE (even in the chrome of the browser itself!) (Internet Options – Security – Reset all zones to default level button)

    If this isn’t fixed in the current IE8 internal builds, then please! do not bother setting an alpha or beta date until this is fixed.

    This bug just makes IE look horrible, and there is no *real* hack to fix this. (many have tried, but in standards mode (lol) most of the hacks fall apart, and most hacks still croak over 25 chars in width)

  91. Dave Massy says:


    That bug is pretty bad and does make buttons look ugly. However it is only present on Windows XP and not Windows 2000 or Windows Vista as it is associated with the default visual style on that Operating System. Despite it being present for so long I don’t recall seeing that many complaints about it. Probably as large buttons are unusual in well designed websites.

    I don’t know if it will get attention in IE8 but I’d expect the team to concentrate on the issues that are getting most complaints.



  92. tony says:


    Program: Internet Explorer 7

    Language: CSS

    Bug: :focus does not work on a form.

    Friendly greeting 🙂

  93. Simon says:

    Excuse me guys, but when is the next VPC image refresh coming out for IE7? Can we have an image for IE5 please? Many of our clients still use IE5/IE5.5 browsers.

  94. Dave Massy says:


    If you have clients still using IE5 or IE5.5 then you should really encourage them to upgrade ASAP. IE5 is only supported on Windows 2000 and IE5.5 is no longer supported at all. That means that no security upgrades are made available for those browsers except for IE5 on W2K.

    As Eric Lawrence mentioned above the VPC updates are expected shortly.


    That bug is a Windows XP only issue and does not repro on Windows Vista. It’s to do with the Windows XP visual styles and is certainly ugly. As few commenrcial websites use large buttons it isn’t often encountered on the web.



  95. Bink.nu says:

    just released Security Advisory 943521 regarding a vulnerability affecting Windows Server 2003 and Windows

  96. everyone. This is Jonathan from the SWI team in the MSRC. We’ve just released Security Advisory 943521

  97. Je vous en parlais dans ce billet , et avant dans celui-ci : la manière d&#39;exploiter cette faille

  98. Today I’ve been playing around with the (for me) finally working notifications and the performancepoint…

Skip to main content