IE8 Security Part VI: Beta 2 Update

Now that Beta 2 has released, I want to provide a short update on some of the smaller security changes the team has recently made. I’ve also linked to a great article on the IE8 XSS Filter implementation written by the architect of that feature.

Restricting document.domain

The document.domain property initially returns the fully qualified domain name of the server from which a page is served. The property can be assigned to a domain suffix to allow sharing of pages across frames from different hostnames. For instance, two frames running at and can script against one another if both frames set their document.domain to their common  A frame may not set its domain property to a top-level-domain, nor to a different domain suffix. For instance, cannot set its domain property to .com or  The HTML5 proposal formalizes the algorithm used to determine if a given domain property assignment is permitted, and it specifically requires that the assigned value is a suffix of the current value.

In Internet Explorer 7, the following set of calls would succeed:

// initial document.domain is
document.domain = “”;  // 1. Domain property set to default value
document.domain = “”;       
// 2. “Loosen” domain
document.domain = “”;          // 3. “Tighten” domain

In Internet Explorer 8 and other browsers, the 3rd assignment will throw an exception, because is not a suffix of the then-current value,

Put simply, once you’ve loosened document.domain, you cannot tighten it.

Web Applications that need to interact with data from other domains may wish to consider using the postMessage() or XDomainRequest APIs rather than adjusting the document.domain property.

Restricting Frame-Targeting

HTML5 also specifies the circumstances in which one frame is permitted to use the targetname parameter of a call to navigate another named frame or window. 

The rules are meant to help prevent a window injection vulnerability. In a window injection attack, a malicious website in one browser frame attempts to “hijack” a frame or popup owned by a trusted webpage.

For instance, consider the scenario where opens a popup window with the name helpPage.“helpTopic.htm”, “helpPage”, “height=200,width=400”);

If another page at attempts to hijack this window, like so:“spoof.htm”, “helpPage”, “height=200,width=400”);

…instead of navigating the helpPage window owned by, spoof.htm will instead open in a new browser window. While Internet Explorer 7 and 8 always show an address bar on every window, this new restriction makes window injection spoofs even less convincing.

MIME-Handling: Sniffing Opt-Out

As discussed in Part V of this blog series, Internet Explorer’s MIME-sniffing capabilities can lead to security problems for servers hosting untrusted content.  At that time, we announced a new Content-Type attribute (named “authoritative”) which could be used to disable MIME-sniffing for a particular HTTP response. 

Over the past two months, we’ve received significant community feedback that using a new attribute on the Content-Type header would create a deployment headache for server operators. To that end, we have converted this option into a full-fledged HTTP response header.  Sending the new X-Content-Type-Options response header with the value nosniff will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type.

For example, given the following HTTP-response:

HTTP/1.1 200 OK
Content-Length: 108
Date: Thu, 26 Jun 2008 22:06:28 GMT
Content-Type: text/plain;
X-Content-Type-Options: nosniff

<body bgcolor=”#AA0000″>
This page renders as HTML source code (text) in IE8.

In IE6 and IE7, the text is interpreted as HTML:

IE6 text interpreted as HTML

In IE8, the page is rendered in plaintext:

IE8 text interpreted as plaintext

Sites hosting untrusted content can use the X-Content-Type-Options: nosniff header to ensure that text/plain files are not sniffed to anything else.

XSS Attack Surface Reduction: CSS Expressions Disabled IE8 Standards Mode

Also known as “Dynamic Properties,” CSS expressions are a proprietary extension to CSS that carry a high performance cost.  CSS Expressions are also commonly used by attackers to evade server-side XSS Filters. 

As of Beta 2, CSS expressions are not supported in IE8 Standards Mode. They are still supported in IE7 Strict and Quirks mode for backward compatibility. While the IE8 XSS Filter can block attempts to reflect CSS Expressions as part of an XSS attack, blocking them in IE8 Standards Mode brings a performance benefit, improves standards-compliance, and acts as an attack surface reduction against script injection attacks.

Deep Dive on the IE8 XSS Filter

David Ross, architect of the IE8 XSS Filter has published a technical article on the architectural and implementation details of the XSS Filter over on the Secure Windows Initiative blog. If you’re interested in the nitty-gritty details of how the XSS Filter operates, please take a look.

Thanks for reading!

Eric Lawrence
Program Manager
Internet Explorer Security

edit: added IE6: In IE6 and IE7, the text is interpreted as HTML

Comments (69)

  1. SPARTAN-117 says:

    That’s quite neat, now maybe people won’t be so hard on IE. Wonder what other browsers do with the text, render as html? Or plain text.

  2. Mitch 74 says:

    @SPARTAN-117: other browsers render resources sent with "text/plain" as… plain text. IE is the only browser rendering text as HTML if it contains a whiff of (X)HTML. This can lead to some funky behaviors one way or another.

    It’s too bad this opt-in parameter requires access to a server’s "innards" (not all hosts allow use of local htaccess), because I don’t think all hosts allow hosted websites to set up personalized (and proprietary) HTTP headers.

    But then, there aren’t many other solutions… Tip: if you can, enable that setting for all hosted websites (and ask your ISP if he can do the same): you’ll get a more uniform response across browsers and reduce debugging time.

    Personally I don’t like having to add stuff to headers; but if everybody make use of it, then the setting may become opt-out for IE 9…

  3. nikhiljain says:

    The final Version of IE8 Will b drop on 1 Nov 2008 if beta2 is last beta milestone..!!

    chk this link..

  4. David Knight says:

    Adding an extra header is just plain wrong.  The other major browsers do not do this content sniffing on text/plain (any more, I do recall sites back when ns6 appeared where the css wouldn’t work because of it) and there are no problems with sites that have incorrectly configured servers.  This really only leaves intranet sites, which  the company in charge of can easily fix.  This seems to be the attitude with IE8 of lets add a header to tell IE8 to act the way it should in the first place.  Stop it and make IE behave the way the standards say it should.

  5. Trashcan says:

    I agree with David Knight.

    A browser should not sniff the content, it should look at the MIME type and honor it.

    A basic principle of security is to not trust third parties. You cannot rely on headers sent by a remote server. Malicious servers/scripts won’t send the header anyway.

    Why display something as HTML when the server sent it as text/plain? That’s just *plain* wrong.

    Moreover, this is yet another IE specific item. Doesn’t make sense when you’re claiming to move to web standards.

  6. Cronan says:

    Anyone on the IE8 team looking at Chrome today? Any comments on the fact that it seems to render Javascript 10x faster than IE8?

  7. Stifu says:

    "Any comments on the fact that it seems to render Javascript 10x faster than IE8?"

    The IE team already commented on other browsers being much faster, in this post:

    Basically, they sarcastically point out how all browsers brag about their speed and performances, and say they will refrain from doing the same. To sum things up, IE has the worst performances among all modern browsers, but the IE team announce it proudly with an "holier than thou" attitude.

    But hey, at least IE8 is apparently faster than IE7, so it’s a step in the right direction.

  8. david says:

    @nikhiljain: Gosh I hope not! Beta 2 is still quite buggy and has yet to fix several long standing IE DOM bugs and missing DOM implementations. Heck! Where the !@#$ is OPACITY!!!

    Beta 3 is needed for sure because no one could test with Beta 1 because it was so damn buggy.  I only started testing yesterday with IE8 Beta 2 (now that the VPCs are out) and it is finally testable.

    The UI still needs help I can’t move my toolbar buttons to where they belong and that whole right aligned command bar menu is the worst piece of UI I’ve seen in over a decade.

    If Nov 1st is the ship date, then we will be stuck supporting an unfinished product until 2013+ which would hold back the web like you wouldn’t believe.

  9. nikhiljain says:

    @david: Yes IE8 long way to go interms of Performance, web Standards.

    As Chrome drop today therefore more pressure is on IE Team for what they goin to deliver on final release of IE8.

    Chrome Pass 62/100 in Acid3 test But IE8 Beta2 only manage to pass 15/100 in Acid3 Test.

    This simply shows How far IE8 need to go. to be more web compliant

  10. Vasil Rangelov says:

    Like many others, I believe sniffing should be an opt-in option, not an opt-out option.

    To avoid compatability problem, I suggest to the IE team to do what they have already done to the CSS expressions (bravo for that!):

    1. In IE8 mode (no X-UA-Compatible header), turn sniffing off.

    2. In IE7- mode (appropriate X-UA-Compatible set), turn sniffing on.

    3. If the X-Content-Type-Options header is set, follow whatever it says, regardless of compatibility mode (possible values being "sniff" and "nosniff").

    This won’t create a problem for legacy applications which would set X-UA-Compatible anyway, and it won’t create a problem for intranet sites which run in compatibility mode by default.

  11. NMONNET says:

    "Wonder what other browsers do with the text, render as html? Or plain text."

    Other browsers obey the Content-Type HTTP header. If it says text/plain, they try to display plain text. (I’m 100% sure about Moz, haven’t tested lately on other) I have no idea who at MS decided to do this and why. I’ve seen this "feature" happen on at least one crappy corporate extranet, where all generated HTML content was served with text/plain as type.

    Really brain dead, and it resulted in the site being unusable with anything but IE, and of course that made fixing it not an actual priority. Let me elaborate on this: the owner of this jewel is a /big/ insurance company; and I actually escalated the bug to the *CIO*, in person, twice. AFAIK it never got fixed.

    Here’s my advice to the IE team: ditch compatibility tweaks, forget about ‘nosniff’ and IE8 mode or something. Instead, ship IE7 as "Intranet Explorer" and make Internet Explorer obey standards.

  12. I agree that nosniff should be opt-out.

    If the IE8 team _really_ feels they cannot do this, consider that: you could

    – provide two options for the X-Content-Type-Options header: sniff and nosniff

    – tell the world they should start specifying sniff for sites that require it

    – announce that you’re considering nosniff as default for IE9

    – provide a registry switch that lets users turn their IE8 default to nosniff, so they can test whether all their sites that require sniffing have either been fixed or set to sniff

    that should at least give you some latitude for IE9.

  13. billybob says:

    I disagree, what IE really needs is another header/meta tag.  All a competent developer has to do is set a header like X-I-Know-What-I-Am-Doing the value of this header will be a 4-digit year indicating what year the developer knew what he was doing (things may change).

    I think this will make web site maintainence much more predictable for web developers.  We will know that we will have to update our sites once a year.  I think it would be a good money earner for contractors so it would help the industry no end.

    Until this is implemented, could Microsoft produce some documentation which lists all of the extra headers required by IE8, it would save fishing through every blog post.

    Another alternative is a popup for the client.  If a standards compliant website is found, a popup could ask:

    ‘This website appears to be standard HTML, but the web developer might not know what they were doing, should IE assume they are wrong and assume they meant MSHTML?’

    [Yes] [Yes (and remember this)] [No] [Cancel]

    If there is a content type problem, just pop up another box.

    ‘This website has sent wrong content type information.  Would you like to use the type specified by the developer, or just assume it is HTML?’

    [Yes] [No] [Cancel]

  14. GZ says:

    why isn’t there a fast way to report bugs and suggestions built in the IE beta 2? I mean, isn’t a beta about collecting as much feedback as possible?

  15. OPT IN says:

    I agree with Vasil Rangelov.

    Content Sniffing should be OPT IN! in IE8 Standards Mode – No exceptions**!

    ** This means the IntERnet and the IntRAnet TOO MSFT.

    As for those commenting on Google Chrome… yes it completely smokes IE8 Beta 2 in any test you run… Standards, CSS, DOM, Speed, Parsing, Usability and most of all Coolness.

    IE’s UI since version 7 has just been embarrassing.

  16. Donny V says:

    I just installed Chrome and I must say its FAST!!! I thought Firefox was fast…this just smokes it. I just don’t get it. How does a company thats never made a browser smoke you guys. You guys are suppose to be the leaders in this stuff. What the hell is going on over there!! I’m a die hard IE user but I think I might of just switched default browsers.

    I still think IE renders fonts & html elements better though. 😉

  17. Mike says:

    Yes it would be interesting to see if the anyone from the team will be commenting on chrome. Nice to see that it supports svg right out of the box.

    Perhaps if microsoft had spent less time on all this silverlight proprietary crap they might have been in a position to fend off this challenge.

  18. Stefan Markic says:

    That’s IE6 on the picture, not IE7.

  19. Donny V says:

    Well in the defense of Silverlight. That really has nothing to do with the browser or SVG. Silverlight is a Flash competitor and I would almost say a next generation flash competitor. SVG is only for graphics. Silverlight is a whole new platform to develop apps on.

    Plus its cross platform and gets rid of the headaches of developing UI sophisticated apps across different browsers.

  20. Will the authoritative asttribute still be supported or is it dropped in favor of the new header? I already implemented it here and there, so that’s why I’m asking.

    And how hard is it for you to backport the new header to IE7 and perhaps IE6? It’s an opt-in thing, should not break the web. Consider backporting some features of IE8 to increase acceptance.

  21. Chromey says:

    This is becoming one of my favorite blogs. The IE teams posts periodic long posts about non-standards-based stuff in IE8 and then people just start riffing on IE8 in general for 80 or so comments, until we get another marketing post, and the process starts over again. Guys, do these comments make you cry? Well, now you’re feeling the pain that us web developers have been feeling since IE5. Seriously, go back to the basics, IE has been broken for too long. Let me be the thousandth person to say it, the first version of Google Chrome 0.2.x BETA is kicking butt on IE*8* Beta. A tremendous illustration of how wrong your values are and how hollow your odes to standards support.

  22. Bob says:

    Would be interested in a post addressing this. Do you agree with the results? If not, why? If so, why did you make the tradeoffs you did?

  23. Trixie says:

    Heh… "That’s IE6 on the picture, not IE7." – bingo! (you beat me to it!)

    I was looking at it thinking?… wait, that layout… it is like… customized… as if the components were drag-n-dropable so that you could arrange the interface in the best way possible… e.g. not the default… e.g. like IE6 did.

    Then it hit me.

    Oh, [/end_subtle] Whats going on with customizing the UI in IE8?  Are we going to be locked down and out again?

    Or are my page titles going to look like this?

    My Home Page – Microsoft Windows Internet Explorer (Explore the web we say only)


  24. D says:

    Well.. i had IE8b1 and was reasonbly satisfied.. i do have FF, for a few portal sites like (coz ie8b1 just crashed)but don’t like to switch browsers..

    but i had a lot of problems with ie8b2. reeeeaaly slow, a few hangs and a lot of bugs. i had so much problems i deinstalled and have ie7 back.

    i also tried google chrome and its really faster and less bs, so i too changed default browsers for now.. but i do miss the rss feeds, might start using outlook for that..

  25. Michael says:

    speaking of java script performance… IE needs to have a JIT compiler for javascript like the one google built for chrome or the one mozilla is working on…

    It can’t really be all that difficult for microsoft to achieve this can it? And it would stop everyone writing comments about IE’s java script performance…

  26. Slawek says:

    Anybody know, when we will be available other languages?

  27. Nobody says:

    Content-Type: text/plain;

    IE8-DO-WHAT-I-JUST-SAID: please;

  28. jerriho says:

    I don’t care even if IE8 completely screws up HTML/Javascript support. I will not design website in HTML for a long, long time anyway. All I want is SiverLight being bundled in with IE8 when shipped, that way surfers could readily access my website with little hassle.

  29. David R Fredrickson II says:

    problems when the favorites star…crashes every time

  30. magnetik says:

    IE is a peice of crap and it’s never gonna get better until M$ wakes up and does what Google did with Chrome – start from scratch!

    If I were on the IE8 team I’d be so embarrassed to be partly responsible for such a bloody awful product.

  31. Justin says:

    How do I turn off this "feature" where local INTRANET sites are not rendered by default in IE8 Standards mode (as they did in IE8 Beta 1)

    As a developer, EVERY site I DEVELOP is tested on my LOCAL network first, then deployed to an EXTERNAL site.  Why the @#$%@! would I want to NOT have Standards mode turned on???

    ARGHHH! I don’t even get the darn broken page Icon so that I can fix what IE guessed incorrectly.

    I’m not liking this IE8 Beta 2 so far… please tell me that this INTRANET issue is getting fixed!

  32. iveinsomnia says:

    Just can’t wait for a working french beta :/

    I’ve tested ie IIX on sbs 08 and looks great.

    ( °°)

  33. Trashcan says:

    Justin, regaring your question:

    In the toolbar, click the Page icon, select "Compatibility View Settings", then uncheck "Display intranet sites in Compatibility View".

  34. Trashcan says:

    Justin, regarding your question:

    In the toolbar, click the Page icon, select "Compatibility View Settings", then uncheck "Display intranet sites in Compatibility View".

  35. JS Console says:

    Although improved, the JavaScript console in IE really lacks a critical feature.

    a [CLEAR] button.  I can’t clear any previous errors to see if I’ve fixed an issue, or if it is repeatable.

    It would also be very nice if the console was tied to the URL ‘javascript:’ so that developers can pull it up just as they can/do in other browsers.

  36. fatso says:

    Google chrome has no search box instead they integrated smart address bar and search box with suggested site. Firefox will be doing this

    Google Chrome: the text in smart address bar is much easier to look at than IE 8 beta 2

    Google chrome made reorganizing much easier by sliding it. Tabs is faster. Should be copied

    Google chrome Bookmark is similar to FF3 so it’s nice. IE 8 Should have done the same thing

    Google chrome load webpage very fast

  37. lezfatso says:

    WOW Google chrome has a really nice download manager. Better than FF3 download manager. plz copy it

  38. Alteran Ancient says:

    I think that there should be a feature to automatically enable InPrivate browsing on certain sites, namely banking sites etc. This would improve security in several cases.

  39. ghg says:

    Internet Explorer has stopped working but didn’t recover the tabs.

    Tab isolation is cool but what about the dialog box that appear when internet explorer has stopped working it should be remove and instead work in background. so all user see is the

    the balloon notification

  40. Anon says:

    Wow, people  seem to hate IE for no reason…

  41. fatso says:

    when you place the favorite star before the tab it does not align vertically with the add to favorite bar star icon.

  42. hh says:

    My IE 8 beta 2 search provider in smart address bar is screwed up because my ISP change it to crappy yahoo search now only if I can restore it to live search.They don’t provide a option to change the search. right now I’m force to use yahoo search in smart address bar please do something about this. In FF3 i have no problem with this.

  43. fast, fast, fast says:

    what I concern is Does IE 8 is faster than other(FF or Chrom),It not,I may not use it

  44. Yert says:

    As I’m sure you’ve all heard, Google released a browser named Chrome.

    The thing I absolutely loved about their documentation (the comic they used to introduce it) was the way they test Chrome.

    Google uses their search engine to test their browser against the most popular websites.

    My suggestion to you? Use the same method! Contact the Live Search guys NOW and get cracking!

  45. AdamC says:

    Well, if I run this code inside IE8 beta 2:

    <div id="test"></div>

    t = document.getElementById("test");



      t.innerHTML += "a";


    It blocks the whole of IE, not just one tab. Everything becomes unresponsive.

    I thought IE8 was supposed to solve this problem?

    All tested browsers (Chrome, FF, Opera) deal with this better than IE8 beta 2.

  46. forFar says:

    Hi team,

    I think I found an rendering discrepancy.

    Created a button:

    <button id="blah">Yay</button>

    Applied CSS:


      height: 50px;


    Every browser on the mark would center the word "Yay" on the button of height 50px, except for IE8 (and ofcourse it’s older counterparts).

    Could you please follow the standards on this sort of thing. It’s the kind of thing that bugs the hell out of us designers, forces us to use hacks (ugh), and makes us swear by other browsers.

  47. wdc says:

    "A browser should not sniff the content, it should look at the MIME type and honor it.

    A basic principle of security is to not trust third parties. You cannot rely on headers sent by a remote server. Malicious servers/scripts won’t send the header anyway."</i>

    The MIME content type comes in the exact same type of header in the exact same HTTP response. Trusting one but not the other makes no sense.

  48. mixtura says:

    Someone made a pretty awesome list of <a href=""&gt; web hosting FAIL. </a>

  49. mors says:

    WTF is "X-Content-Type-Options" ?

    Same old chickens !! Why don’t you respect Content-Type like other browsers and eat frogs like the other vendors have been doing because of website relying on your bugs ?

    arghhh ! I hate you

  50. Brian Smith says:

    It is confusing that X-Content-Type-Options doesn’t work in all cases. See for an excellent description of the problem.

    Imagine that you allow users to upload documents to your website. For policy reasons, you require all images, stylesheets, and scripts to be screened before they can be published. In this situation, it would be nice to use X-Content-Type-Options to enforce that nothing can be interpreted as one of these types of documents unless explicitly labeled with the correct MIME type.

  51. Brian Smith says:

    It is confusing that X-Content-Type-Options doesn’t work in all cases. See for an excellent description of the problem.

    Imagine that you allow users to upload documents to your website. For policy reasons, you require all images, stylesheets, and scripts to be screened before they can be published. In this situation, it would be nice to use X-Content-Type-Options to help prevent other kinds of uploaded documents from being interpreted as one of these types of documents.

  52. I was bemused by the note that IE8 will render the no-sniff in plain text. It seems that "renders in plain text" will be the mantra for IE8 users. My XHTML5 page is rendered in plain text – as in code. Oddly enough, not only does FireFox and Opera render that page, but so does the brand new beta Google Chrome running on WebKit. How hard can this be? IE8 is the only major browser that cannot make some attempt at rendering XHTML5 with SVG and MathMl. To add insult to injury, it trashes my @media print id selector in my CSS and displays the @media print targeted CSS content on the screen. Good golly!

  53. Without commenting on the proposal itsef, one request / plea; please, please don’t mint X-* headers.

    The (flawed) idea behind X- headers was that implementers could experiment (hence, X) with new mechanisms without worrying about conflicting with other header names.

    The problem is that as soon as that header name is used on the Internet, it is no longer experimental; it’s in production now, and other systems have to interoperate with it, account for bugs in its various implementations, and so forth.

    So, the X- isn’t helpful, it wastes bytes, and it’s false advertising as soon as you actually use it.

    The only time it’s appropriate to use it is when you’re literally talking to yourself. If there’s even the smallest chance that your header might one day be used with other systems, choose a real header field name, and register it, or at least tell IANA so they can put it in the header repository (see RFC3864, and feel free to ask for help).


  54. witgoed says:

    Well i just want place this comment because of the fact i don’t use IE anymore. Upgrades are very annoying, slow etc. I think it’s good Google shows a browser what does what it’s got to do. Wake up!

  55. Anton P. says:

    forFar wrote:

    <button id="blah">Yay</button>


     height: 50px;


    > Every browser on the mark would center the word "Yay" on the button of height 50px, except for IE8

    This bug is new to IE8b2; it is listed in connect as Bug 365449 (

    > Could you please follow the standards on this sort of thing.

    Actually, there is no standard for this; HTML4.01 does not specify the /style/ of form elements, and CSS2.1 does not touch upon styling of form elements because such elements do not play well with the CSS display model in any current browser.  (Incidentally, form elements are not the only ones in this category; BR and HR for example are also slippery characters.)

    That said, I couldn’t agree more with your opinion; creating a new discrepancy here when there is already a /de facto/ standard followed by all other browsers (including previous version of IE) is very developer-unfriendly.

  56. [l] The second beta version of IE8 was released on August 27th. It is working well in testing so far

  57. The second beta version of IE8 was released on August 27th. It is working well in testing so far. Only

  58. Andrea says:

    In EVERY release of IE, Microsoft HAS to put some stupid, proprietary meta tags/headers support in his browser.

    Anyone here remember MSSmartTagsPreventParsing, MSThemeCompatible, ImageToolbar, Page-Enter, Page-Exit…?

    …and, of course, X-UA-Compatible, X-Content-Type-Options etc

    Microsoft loves standards…

    …they’re own.

  59. Dave says:

    "problems when the favorites star…crashes every time"

    Disable your buggy "Drive Letter Access" addon using the Manage Addons.

  60. Prav says:

    Does IE8 loose/compromise on security features when IE8 is run in IE7 compatible mode (by adding meta tag in IIS or by clicking button within IE).

  61. EricLaw [MSFT] says:

    @Prav: Essentially, no.  The one thing is that in IE7 Compat mode, CSS Expressions can be used.  The IE8 XSS Filter helps protect against attempting to exploit XSS vulnerabilities against CSS expressions, but it’s still attack surface that’s disabled in IE8 standards mode.

  62. a {color : #0033CC;} a:link {color: #0033CC;} a:visited.local {color: #0033CC;} a:visited {color : #800080;}

  63. IEBlog says:

    Design criteria such as standard compliance, performance, reliability and security framed the design

  64. IEBlog says:

    Back in June, Dean Hachamovitch kicked off a series of blog posts explaining how the IE team approached

  65. &#160; &#160; Internet Explorer 8&#160; Beta 2 가 공개되어,&#160; 개발 팀에서 몇가지 최신 보안에 관한 소규모 변경에 대한 업데이트 정보를

  66. &#160; &#160; Internet Explorer 8&#160; Beta 2 가 공개되어,&#160; 개발 팀에서 몇가지 최신 보안에 관한 소규모 변경에 대한 업데이트 정보를

  67. IE8标准模式不再支持CSS表达式(Expression)



  68. I attended Scott Charney&rsquo;s keynote this morning at RSA &ndash; Moving Towards End to End Trust