Controlling the XSS Filter

Internet Explorer 8 included a new feature to help prevent reflected cross-site scripting attacks, known as the XSS Filter. This filter runs by default in the Internet, Trusted, and Restricted security zones. Local Intranet zone pages may opt in to the protection using the same header: X-XSS-Protection: 1 If a cross-site scripting attack is detected,…

Challenge-Response Authentication and Zero-Length Posts

From time to time, web developers contact the IE team reporting that they’ve encountered a problem whereby Internet Explorer submits a POST but fails to transmit the content body. This bodyless POST indicates via the Content-Length header that the POST is zero bytes long, regardless of how much data was supposed to be uploaded. This behavior occurs on…

The Hazards of Relying upon Browser Quirks

While many web developers find subtle browser behaviors baffling, often browser developers are bewildered by web content. Yesterday, we ran into an interesting site compatibility problem that occurs in the latest internal version of IE9. The site in question is a popular site which uses a Flash applet as a major component of the site. Upon attempting…

Friendly HTTP Error Pages

Internet Explorer 5 and later will show a “Friendly” HTTP Error page if the server returns certain HTTP Error status codes with a short message body. The intent is to replace a terse server message like this one: …with a page which may be slightly more helpful to the average user, like this one: Unfortunately,…

Downloads and International Filenames

A few times a year, I get a question about Internet Explorer’s behavior when it comes to downloading files that have non-ASCII characters in the filename, because different browsers have different behavior when handling such files. The server can suggest the name for a file download in one of two ways: Explicitly, by including a…

The Performance Impact of META REFRESH

Some sites will utilize the META REFRESH directive to perform a client-side redirection. In general, this should be avoided in favor of other redirection types, for instance, a server-side redirection (HTTP/3xx) or by using JavaScript. Using META REFRESH creates a potential performance problem in IE because IE will conditionally revalidate resources when navigating to the…

COMET Streaming in Internet Explorer

The request/response nature of HTTP works very well for traditional web pages, but to build dynamic AJAX applications, it’s often desirable for the server to be able to send data to the client on its own schedule. You could imagine, for instance, scenarios like an online game, or an event viewer, where the server may…

Using Meddler to Simulate Web Traffic

As mentioned back in July, IE8’s new lookahead downloader has a number of bugs which cause it to issue incorrect speculative download requests. The “BASE Bug” caused the speculative downloader to only respect the <BASE> element for the first speculatively downloaded script file. Subsequent relative SCRIPT SRCs would be combined without respecting the specified BASE,…

Internet Explorer Cookie Internals (FAQ)

Over the five years I’ve worked on Internet Explorer, I’ve probably seen more questions from the community about HTTP cookies than on any other topic. Cookies are an integral component of most websites in use today, and hence problems or unexpected behaviors with cookies tend to get a lot of attention. In this post, I’ll…

Internet Explorer’s Cache-Control Extensions

Some time ago, I wrote a summary of how Internet Explorer’s cache works. At the time, I left out mention of the two cache-control directives introduced by IE5: pre-check and post-check. These directives enable a “background update” mechanism where a cached resource is reused while simultaneously a background revalidation of the resource is performed, ensuring…