Understanding Once-Per-Session Cache Validation

Last year, I wrote about the IE9 improvements in heuristic expiration, which apply when a server fails to specify how long a cached resource should be treated as fresh. Heuristic Expiration works by calculating an implicit freshness lifetime from the Last-Modified timestamp on the cached resource and the timestamp at which the resource was downloaded from…


XDomainRequest – Restrictions, Limitations and Workarounds

Update: Internet Explorer 10+ supports CORS using XMLHTTPRequest. IE11 deprecates the XDomainRequest object and it is not available in IE11 Edge mode. In Internet Explorer 8, the XDomainRequest object was introduced. This object allows AJAX applications to make safe cross-origin requests directly by ensuring that HTTP Responses can only be read by the current page if…


COMET Streaming in Internet Explorer

The request/response nature of HTTP works very well for traditional web pages, but to build dynamic AJAX applications, it’s often desirable for the server to be able to send data to the client on its own schedule. You could imagine, for instance, scenarios like an online game, or an event viewer, where the server may…


Understanding Session Lifetime

Back in May of last year, I discussed changes we made in Internet Explorer 8 to make the browser’s session handling behavior more predictable. Specifically, we introduced a “New Session” item on the File menu—this menu item explicitly creates a new browser session which doesn’t share session information with the existing session. From the command…


IE8 Lookahead Downloader Fixed

Background: Last year, I wrote about two bugs in IE8’s Lookahead Downloader that would cause IE8 to make spurious download requests for non-existent URLs. These spurious download requests generally went unnoticed by users, because the main parser would eventually retrieve the correct resource when it was needed. However, for a small number of sites (where requesting…


Understanding SmartScreen Blocking

I’ve received a few emails recently, asking “Why is SmartScreen blocking my newspaper’s website?” Usually, the person asking assumes that, because they trust and regularly visit the website in question, this must be a false positive in SmartScreen. The reality is a bit more complicated, and a bit more interesting. Many websites rely upon advertising…


Troubleshooting Authentication with Fiddler

Over the last few weeks, I’ve been exchanging mail with a webmaster (Vladimir) in Russia who reported that his customers were having problems using IE8 on Windows 7 to log into his website. His site uses HTTP Basic Authentication, so users are prompted to enter their credentials using the following dialog: I asked the webmaster to…


Understanding DEP/NX

Despite being one of the crucial security features of modern browsers, Data Execution Prevention / No Execute (DEP/NX) is not well understood by most users, even technical experts without a security background. In this post, I’ll try to provide some insight into how DEP/NX works, explain why you might encounter a DEP/NX crash, and convince you that turning…


Understanding Domain Names in Internet Explorer

Web browsers use domain names for a variety of purposes, but how they’re used is much more complicated than most developers realize. In this post, I’ll attempt to cover the most important aspects of this topic. Definitions: When talking about “domains” the terminology alone is confusing (and contentious). So, let’s start with some simplistic definitions…


Getting the Server’s Certificate Chain from WinINET

Over the last few years, a number of folks have lamented that there’s no good way to get the server’s complete certificate chain from a WinINET HTTP response. That has changed with the release of the new WinINET shipping in Windows 7 / IE8. INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT is a new flag you can pass to InternetQueryOption to grab the server’s certificate chain….