Add-on Guidelines in action – AVG Security Toolbar


The AVG Security Toolbar team has recently released a new version of their toolbar. It has a more predictable user experience and does a better job of allowing users to stay in control of their browser. It’s a great example of the Guidelines for add-on developers in action.

It’s encouraging to see the example set by the AVG Security Toolbar team. They’re building valuable add-ons for people and at the same time they’re respecting user choice. Here are some high-level examples of the changes they’ve made in the new version of their toolbar:

Kudos goes out to the AVG Security Toolbar team. On behalf of our shared customers, thanks. Following the Guidelines and using supported extensibility points in this way means that people have a consistent and reliable experience that allows them to stay in control of their browser. This is exactly what we’d like to see from all add-on developers.

Before: Previous version of AVG Security Toolbar

Old version of the AVG toolbar which injected itself into the new tab page

After: Newest version (2.507.24.1) of the AVG Security Toolbar provides a predictable experience and lets users stay in control of their browser

New version of the AVG toolbar with a more consistent user experience

-Paul Cutsinger and Herman Ng

Comments (41)

  1. Anonymous says:

    @Bill,

    Anyone who installs ChromeFrame is "opt-ing in" to getting owned just like anyone who installs Flash is "opt-ing in" to getting owned, just like anyone who installs Java is "opt-ing in" to getting owned, just like anyone who installs Silverlight is "opt-ing in" to getting owned, etc. etc.

    Yeah, so I "don’t understand security", and you surely have shown yourself to "understand security". LOL.

    Flash can load and display contents. Before telling people to do some research, how about you learn to read first? And check your eyesight too.

    Of course if you want to have something downloaded bypassing the IE8 security, you have plenty of ActiveX plugins to do that.

    And you clearly don’t understand what pre-beta means, check your eyesight, learn to read, and do some research, and then go tell Adobe to use those APIs first.

  2. Anonymous says:

    Haha … i.e. it used to be $#!7…

  3. 8675309 says:

    now if only other programs like nis would do this

  4. john says:

    Thanks for that – I removed my AVG toolbar because it was hijacking my browser.

  5. Will says:

    The whole episode begs one to ask "How much was Yahoo paying AVG to hijack my browser to begin with?" and "Why would I trust AVG not to do this kind of stuff again in the future?"

    Microsoft’s Security Essentials is free and now available.  I’m moving all of my computers from AVG and their constant nagging to buy the pay version.

  6. Anonamouse says:

    That’s all nice and everything but what I’m really interested in is if the next version of Trident will support box-shadow and border-radius. Can you blog about that?

  7. The 29th version of my site does a lot of JavaScript object detection and upon critical failure asks users if they want to upgrade. If they choose so they are redirected to a browser ballot page.

    I’m trying to get SVG images of the four major browsers and have Firefox and Opera though can’t seem to find an SVG icon image of IE or Safari (Chrome would work too). I’m not trying to pry about SVG support in IE9; I’d simply appreciate a heads up if any one could help me find an IE and/or Safari SVG image. 🙂

  8. Matt Walton says:

    But it still has a pointless extra search box in it, which just breaks the whole thing as far as I’m concerned.

  9. Fake Al Gore says:

    What does the AVG Toolbar actually do that SmartScreen and the Instant Search Box don’t already do?

    Does the AVG Toolbar search box even offer Visual Search?

  10. achmed says:

    AVG makes millions from Yahoo for this…

  11. harvey says:

    @John A. Bilicki III – "the 29th version" of your website? Are you serious? I hope you don’t display this on your site!

    I understand your quest for an SVG graphic of the IE logo (it would be quite handy), but an official version would need to come from MSFT/IE Team and since such a file would not render in their browser, and would re-highlight to anyone attempting to get the file that IE doesn’t support SVG – I highly doubt that MSFT would release such a file "officially".

  12. Mitch 74 says:

    And anyway, the IE logo’s original graphics file isn’t available in SVG.

    It was made with Adobe Illustrator, and stored as EMS :p

    (disregard this, it’s a joke – I really don’t know).

  13. Ooh says:

    "It no longer takes over the search provider. Instead it uses the proper IE8 set default provider API so that users can choose their default."

    In the second screenshot it’s still Bing in IE’s search box and Yahoo in the AVG toolbar’s box. How does it come to say something different in the text that is shown in the screenshot?! 🙂

  14. @Ooh

    The AVG toolbar’s search box is their own property. The default search provider in their search box is Yahoo! and does not need to be the same as the IE default.

    The main issue is that in its previous versions, the toolbar installer used a different method to set the default search provider in IE when the user chose to do so (clicking on a checkbox). As a result users did not see the Search Provider Default dialog as shown in this post:

    http://blogs.msdn.com/ie/archive/2009/03/02/why-am-i-seeing-this-dialog.aspx

    The newest version uses the proper API to set the default provider. Users will see the dialog when they choose to change the search provider from the installer. That puts them back in control.

    – Herman

  15. clark says:

    This is all very interesting but it doesn’t explain when IE will support all of the ECMAScript Properties, Methods and Events properly.. or when CSS opacity and rounded corners will be supported.. or when SVG and CANVAS will be supported in IE.

    I thought the IE Blog was where MSFT regularly announced that "We heard you!", "we’re listening to you", "we value your input", "we’re serious about standards", "IE will eventually catch up", "we intend to open up a fully public bug tracking site for IE"

    All of these are very nice statements.. but we are waiting for at least one of them to come true.

    Any details on that?

    I think the next version of IE should be code named:

    IE9 – Pinocchio Edition

  16. Mark says:

    @Clark: It’s hard to tell what you mean. I *think* you’re talking about *DOM* properties, methods and events?

    Maybe they’d say more if comments were less obnoxious?

  17. @harvey I can’t STAND software with weak knees about version numbers. Version 14 shouldn’t be called "CS4". That sort of stuff justifies a good trout smacking.

    @Clark If you did some research you would know that there is plenty of talk about if IE gets to C it has to accomplish B. Things like border-radius, SVG, and JScript improvements are on the radar…I’m also holding out for XHTML support. If we can get decent support for all of those things I’ll be one happy duck.

    I found an Illustrator .ai file of Safari’s logo though the SVG export is 573KB! Ouch!

    Doing basic SVG related research I’d have to say Opera has the lead as far as reliable implementation of SVG is concerned. It’s able to properly display SVG via object and img elements, Safari can too though its background is not transparent with the object element. That creates friction with Firefox as Gecko does not support SVG via the image element (hint hint wink wink IE team).

  18. Roland says:

    Unfortunately, it’s way too hard to develop IE add-ons, because it currently only makes sense to write them in C++ (VB6/Delphi cannot create 64-bit code – for IE 64-bit; .NET is not supported for IE add-ons; JScript – like in Firefox – is not supported). In addition, you must grasp the complicated COM stuff first before you can write IE add-ons).

    I wish the IE team would create a JScript JIT compiler à la Chrome for IE8.1 and then a JScript wrapper framework that allows writing performant IE add-ons in JScript – perhaps in IE 8.2.

    The framework could wrap all the low-level COM stuff for creating BHOs etc.

  19. EricLaw [MSFT] says:

    @Roland: As virtually no one uses 64-bit IE, the lack of a 64bit Delphi compiler is no impediment to writing IE extensions in Delphi. (I’ve written a few over the years, FWIW; TamperIE, PopupPopper, etc).

    Beyond Accelerators (which are implemented with web technologies) you can also write Menu Extensions and toolbar buttons using JavaScript: http://www.enhanceie.com/ie/dev.asp

  20. Mitch 74 says:

    Careful about SVG file sizes: exports are usually stored as uncompressed .svg files, and XML ain’t exactly byte conservative.

    Packing it with gzip yields quite an improvement.

    Personally, I use SVG when I generate graphics on-the-fly inside XHTML markup (which Firefox handles rather well).

    The IMG tag is rather unique, and is in fact considered a bit of an aberration: due to its age, it doesn’t make use of a MIME type in its parameters, so you can’t specify the image’s exact type. In Gecko, the only supported types are JPEG, GIF, PNG and (I’m actually not sure about the last) BMP; if you want to load anything more recent, you have to use the OBJECT tag (which can actually be used to load images too) – like you do with Flash or Silverlight…

    This is also understandable because an SVG document has its own DOM: it can be modified with Javascript, while IMG, being a ‘typeless’ self-contained tag, can’t support children…

  21. hAl says:

    With the free MSE security package now available and not bothering to nag users like AVG I think AVG will drop a lot of users.

    Their annoying toolbar becoming slightly less annoying won’t save them from that.

  22. Mike says:

    Since we are talking about add ons, I hope it is not deemed too off topic.

    I wonder if any of the team could give us their opinions on Google Chrome Frame.

    Thanks in advance!

  23. hitch1 says:

    @Roland,

    "Unfortunately, it’s way too hard to develop IE add-ons, because it currently only makes sense to write them in C++"

    I don’t think there’s anything "way too hard" about C++, it’s just a programming language, and it’s not any harder to learn than JavaScript.

    It’s not really any easier to develop in JavaScript+XUL than develop in C++

  24. Mitch 74 says:

    @hitch1: the thing is that C++ is a strictly typed, compiled language where you need to manage your RAM allocations, while XUL, Javascript etc. are interpreted – meaning that you can be looser with your data types (and length), allocations (garbage collectors) and thus, while they are not harder to learn than C++, they are much easier to use in the default configuration (go and program in ‘strict’ JS, feel the pain – JSlint will hurt your feelings).

  25. Bill says:

    Mike, even if they won’t comment, I will.

    ChromeFrame is a big security hole. It ignores IE security and privacy features and preferences. When you install it, you’re allowing bad guys to exploit google’s weaker security and losing the security and privacy benefits of using IE8.

    http://code.google.com/p/chromium/issues/detail?id=22846

    Neat hack, but definitely NOT ready for production use.

  26. Mike says:

    @Bill

    The issue you pointed out is more of a change in expected behaviour rather than a massive security issue.

    I don’t really buy this idea that using chrome frame is going to make IE less secure. If this was the case then it is an issue with all IE plugins.

    The point is this blog is meant to be a place for the development team to communicate. Why the complete silence over chrome frame?

    If it is insecure maybe the team can point out why and where the responsibility lies, is it the fault of google or IE plugin architecture.

  27. razor says:

    avg out of all the security tools? anyway the IE itself needs more updating. the new tab button needs to have an indication that it’s a new tab button. the overall interface is nicer looking but much more confusing than the past IE. The menu bar isn’t there which makes it sleekier but much more confusing for new users and basic users to do simple task. Bad idea. tool bars are annoying so thank god it’s an add on. the bing search engine is just as annoying. IE looks nice but security wise not so much. it takes a whole year to get an update and after all these updates it’s never been good enough to use. The only reason I used to like using IE was for the scroll bar color thing, but obviously that only works on IE. IE needs to be up to date with the world wide web standards. It’s still far behind. At this rate IE will be losing more share of the market. mozilla has fast updates to security plotholes. it also is fast in getting up to date with the latest web standards. COME on IE I was rooting for you!

  28. Also if the IE team is working on SVG and wants to REALLY make the SVG crowd really happy I can’t think of anything that would top this…

    div.example {background-image: url(happy.svg);}

  29. Bill says:

    @Mike: Maybe I’m crazy, but I think killing phishing and malware protection without even warning the user that you’re doing it is a pretty "massive" security issue.

    As to the idea that this is somehow IE’s fault (?!?!)… are you suggesting that IE should block users from downloading from google’s website? The bug is clearly on googles side.

    http://code.google.com/p/chromium/issues/detail?id=22846

  30. Frymaster says:

    @Mike even if you assume chrome and IE are equivalently exploitable, they aren’t _identically_ exploitable.  So you’ve now got a website that can have frames which target the default (IE) renderer, and frames which target the chrome-on-IE renderer.  Not only does that give you the chance to attack chrome vulns from IE, you might be able to use, say, an IE vuln to turn a less-severe bug in chrome into a critical exploit, or vice versa.  You haven’t doubled the attack surface, you’ve squared it.

  31. hitch1 says:

    @Bill,

    Those are not exactly Google Chrome Frame’s problem, but the plugin system’s problem. Any plugin like Flash, Java, etc. can breach IE security and privacy features and preferences. InPrivate can’t clear flash cookies, so actually I’d say the InPrivate feature itself is broken since any site can collect your browsing behavior data with a simple flash plugin, even when InPrivate is enabled.

    Likewise, a simple flash plugin can load and display contents from sites supposedly blocked by IE8 phishing and malware protection.

    I’m not saying Google should not try to make Google Chrome Frame respect IE’s security and privacy systems, but those are not some "massive security issue" suddenly pops up with Google Chrome Frame as what your posts trying to say, those are "massive security issue" that already existed for more than a decade with the whole plugin system.

    Google is actually being nice and working hard to try to workaround the security issues in the plugin system, unlike other plugin providers, for example Adobe. So it’s indeed not Google Chrome Frame’s fault, but IE’s fault (and Netscape’s fault) as IE (and Netscape) did not design the ActiveX (and NPAPI) plugin system to respect the browser’s security and privacy measures. And Google is doing extra work than other plugin providers, trying to fix this hole in the plugin system for their own plugin.

    If IE really think blocking users from downloading from google’s website can solve this "massive security issue", then IE should first block users from downloading Flash, Java, Silverlight, etc. etc.

    And Google Chrome Frame is just a pre-beta release, it seems Google is willing to spend efforts to make their plugin respect the browser’s security and privacy settings, which already is much more than what you can say about other plugin providers.

  32. Bill says:

    hitch, you don’t understand security. Everyone knows that plugins can circumvent security; that’s why you need to be careful which you choose to install. Anyone who installs ChromeFrame is "opt-ing in" to getting owned.

    Flash doesn’t load web pages, and doesn’t download files (it tells the browser to do that). Do some research?

    IE has apis that ChromeFrame should be using: http://blogs.msdn.com/ieinternals/archive/2009/06/30/IE8-Privacy-APIs-for-Addons.aspx

  33. Casey says:

    Thanks for posting this.  I’m so excited to install my AVG Security Toolbar!

  34. wai says:

    Hi IEteam,

    I found IE’s address bar cannot correctly highlight the domain of http://xs.to/ website

    I am using Win7 English

  35. alastair says:

    Don’t you think it’s a little ironic to be preaching UI design to add-on developers when the UI in Internet Explorer itself is now *so* poor? I mean, the user is presented with a bizarre and random arrangement of icons, some of which are really menus, and by default they even get that "you’ve got more stuff off the side" miniature low-contrast double right arrow (I guess you aren’t aiming at older folk with that one then…)

    I don’t know who’s in charge of UI at Microsoft these days, but it seems to me that whoever it is totally lost the plot around the time of IE 7.

  36. Greg says:

    Please provide in IE8

    – extra data on the in private filtering such as content type, image size (x by y), content size.  

    – I want to block all 1×1 pixel images and block most images smaller than 4×4.  

    – I’d like to detect and get the option to block third party objects referenced from within a web page.  For example, I’d like to see only ABC.ORG content when browsing their web site.

    – I’d like to block all images from a given site. For example, I’d like to block all images from a web based email site I use as I only want the email and not all of the other content.

    – Can we get a View option on in private filtered objects so that we can see if we want to block the script, html, css, or image?

  37. Arik says:

    Greg, IE8 was finished nearly half a year ago. You’re asking for an advanced feature for IE9.

  38. Fduch says:

    Hello.

    It seems that some spy infiltrated Microsoft and just wants to kill Internet Explorer with non-stop sabotage.

    Recently I saw another one of his doings:

    I stumbled upon an article "Top 11 must-have Internet Explorer Addons". Add-ons for IE? That’s cool! Let me think.. I want "Video Downloader" ( http://windowsmarketplace.com/details.aspx?itemid=2998445 ), "IeSessions" ( http://www.windowsmarketplace.com/details.aspx?view=info&itemid=3343000 ) looks cool too (IE loses sessions like a sieve).

    Oops! Looks like someone just removed all IE add-ons from the windowsmarketplace.com site. And he did never put them on ieaddons.com. So this evil guy has just completely deleted must-have IE add-ons. Only add-ons which weren’t foolishly hosted on Microsoft’s websites survived. Isn’t it a clear case of inside sabotage and trust killing.

    What are you going to do to prevent such things from happening in the future?

  39. Markus says:

    Fduch: You cite a two+ year old article with broken links as somehow the fault of the IE team?

    And what on earth does "IE loses sessions like a sieve" even mean???

  40. Fduch says:

    >You cite a two+ year old article with broken links as somehow the fault of the IE team?

    How can IE team say they are serious about addons if they throw them away like trash? Only two years and the add-ons are gone. And you say it means nothing? Show me a "two+ year old article" with broken links to add-ons on Mozilla’s site.

    >IE loses sessions like a sieve

    Bad idiom, I guess. Have you ever tried to carry water in a sieve? It leaks. Just like opened tabs (pages) gradually disappear from IE sessions.
