XP SP2 RC1


Last week we shipped SP2 RC1 for Windows XP.  This is a Release Candidate and it is not intended to be used in production environments.  However, those of you who love to test things can check it out here.  Those of you who are merely interested in screen shots can find them here.  Today I thought I would post some comments about some of the IE specific work in this release.


Pop-up blocker gets a lot of press, understandably.  Pop-ups invariably top every list of customer complaints I have seen with regards to the browsing experiance.  Everyone knows Pop-ups are annoying, but why, exactally, are they annoying?  They are annoying because nine times out of ten the user does not want the pop-up and the pop-up happens automatically.  When things happen automatically and those things are the wrong things users get annoyed and when users get annoyed they tend to make bad security decisions.


For example, a user navigates to a website that immediatly tries to install an active-x control.  It is well established that most users will probably not read this dialog and will instead try to get rid of it as quickly as possible.  But assume this time the user reads it and decides the control looks sketchy.  The user clicks No on the dialog to abort the install.  The dialog goes away, but it is immediately replaced by another dialog (a jscript alert()) directing the user to install the active-x control! The user clicks OK to dismiss the alert.  This is immediatly followed by the same active-x install dialog the user just said no to.  The user says no again.  Rinse and repeat.  The problem is during this whole time things you do not want to happen are happening automatically.  And to add insult to injury the dialogs are modal, so you can do nothing else with the browser while they are there.  You can not close it, or navigate away from this evil page.  Most people eventually click yes just to get on with their lives.  Often “ActiveX install” is replaced by “file download” in this scenario.  This is a bad situation.


So one of the things we have tried very hard to do is put users back in control of what goes on in the browser.  This is both a security thing and privacy thing.  And, of course, like all things in Software Engineering, there are trade-offs.  Typically security is gained at the expense of features and compatability.  We have endevoured to balance these trade-offs to provide the smoothes experiance possible for the user. 


The following information applies to the pre-release version of this service pack and is subject to change.  Opinions expressed are purely my own, etc. 


Pop-ups
Users almost never want to see pop-ups.  So we started by saying all pop-ups will be blocked.  There are exceptions– brokerage sites use window.open() to display small windows with definitions of trading terms.  E-tailors use window.open() to display small windows with sizing charts (clothing) and definitions of technical terms (computers, electronics, etc).  To handle these exceptions we added code to detect user initiated actions– if the user clicks a link that wants to open a new window, we allow it to open one new window.  The end result is no more cascading windows.  Further more we imposed some restrictions on new windows that were not previously there.  New windows must appear within the work area (as defined by the rcWork field of the
MonitorInfo struct returned by GetMonitorInfo()).  This means new windows must be completely visible to the user and must not cover shell app bars (such as the task bar, MSN dashboard, etc).


For the developers out there hosting the WebBrowser control, the user initiated information is available via the INewWindowManager interface and the NewWindow3 member of DWebBrowserEvents2.


ActiveX
Tony can talk more to this specific area, but there are a few things I love about the work we did here.  You can now say “Do not install this control and never ask me again.”  You can disable controls that have been installed (as well as Browser Helper Objects) by using the Manage Add-ons feature.  When navigating to a Web site that tries to automatically begin installation of an active-x control, the browser automatically blocks the install on the users behalf and instead provides modeless UI at the top of the screen informing the user that the installation was blocked.  The user is then free to navigate the browser, close the browser, etc, or install the control by clicking on the modeless UI.  No more endless looping of modal dialogs.


Downloads
Downloads that are not initiated by the user by clicking on an element in the HTML are blocked, and instead of the download dialog modeless UI is shown at the top of the screen.  The user can allow this download by clicking on the modeless UI or they can continue browsing the web.

Again, for the developers, you will be able to chose the classic modal UI or the new modeless UI when hosting the WebBrowser control.  I am not sure if there is beta documentation for this yet or not though.

So for all of these things there may be an extra click or two involved when you do actually want the pop-up or download, but in the majority case IE will simply let you know that the Web page has requested something and IE has blocked it for the time being.


Questions?  Comments?  I will respond as best as I am able to the extent that I am able.

Comments (129)

  1. jeffdav says:

    Hmm, I just noticed Tony already posted much of this information.

  2. Pete Cole says:

    Perhaps a dumb question, or one with an easy answer – where can one obtain the new/updated header files with these interfaces/events?

  3. José Jeria says:

    Is there any chance that any of these bugs will be fixed for the final Service Pack2?

    http://www.positioniseverything.net/explorer.html

  4. JD on MX says:

    IE/XP sp2 changes: Windows XP is in final testing changes for a significant new updater, and "jeffdav" or Microsoft details how Internet Explorer will change. New window propagation sounds similar to previous implementations: a new window can be opened only…

  5. jeffdav says:

    In response to Pete Cole’s question: That is a good question! I will look into it and post back here when I find the answer.

  6. joe says:

    Nice blog btw…

    SP2 is OK. The firewall features are no blackice or ZA. The updater is OK. Pop Up controls are too agressive. I prefer googlebar.

    Since people classify anything they dont like as "spam"; is this MSFT’s attempt to stop all spam by 2006? Doubtful.

    The system runs/feels a little faster. Not sure why. My benches went up ~4% (but within +/-5% margin of error).

    It’s OK… the firewall failed on some apps, and asked on others (why?). I know its in beta, but more progress should happen.

    my comments.

    thanks for your input/open-mind.

  7. Josh Renaud says:

    Picking up where Jose left off, is there improved CSS support? (IE doesn’t support several parts of the CSS1 spec and huge chunks of CSS 2.1)

  8. Peter Torr says:

    I also blogged about the horrors of modal UI as well the other day.

    http://weblogs.asp.net/ptorr/archive/2004/03/20/93334.aspx

    And where’s that transparent PNG support? Hehehe 🙂

  9. jeffdav says:

    Joe: Thanks. The pop-up controls are a little agressive… we will be scaling that back in some scenario’s, mainly for app compat and site compat, but my goal is still to block all pop-ups users do not want. I do not work on the e-mail apps, but this is not part of their plan to prevent spam.

    Peter: Don’t make me use the "p" word on the record. 🙂

    (Not PNG; the other "p" word.)

  10. ok, theres a new firewall, changes to ie and authenticode – lots of nice things. thanks! but why does this accumulate to 260+ mb? (i’ve done a short article on nickles.de on rc1 ( http://www.nickles.de/c/s/45-0013-361-1.htm ) – and that size question was the first to pop up from one of the readers …

    WM_QUERY

    thomas woelfer

  11. Neil's World says:

    After reading an overview of what’s new in IE from jeffdav, one of the IE developers, I realised I’d missed another change in IE.

  12. Jason says:

    Thomas: I think the big size is because most of Windows XP has been recompiled with new security settings. So the SP is in fact replacing most files.

    But I could be wrong. Anyonye?

  13. jeffdav says:

    Pete Cole: The XP SP2 RC1 SDK Beta is not available yet, but should be very soon. Stay posted, I will post a link to the SDK as soon as it ships.

    Thomas Woelfer: I am not a Builder, so there may be a better technical explanation somewhere, but basically it is larger then normal because, I believe, we have to ship a new version of every DLL that changed. If it was just registry changes, it would be easy and small. But XP SP2 puts a lot of new features in the OS, which means we had to touch a lot of DLLs. For IE I do not think it was much bigger then the number we would normally touch in an SP, but across Windows, the effort has been huge.

  14. Pete Cole says:

    SDK.

    Thanks – looking forward to the post.

  15. jeff/jason: if almost everything was recompiled (new vc++ buffer overflow switch) that would of course be an explanation. i’m still trying to find somewhere to confirm this…

  16. TheInformant says:

    "In addition to supporting NX, Service Pack 2 implements sandboxing. All binaries in the system have been recompiled with buffer security checks enabled to allow the runtime libraries to catch most stack buffer overruns, and "cookies" have been added to the heap to allow the runtime libraries to catch most heap buffer overruns."

    XP SP2 Overview Whitepaper

    http://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx

  17. bruce says:

    Too little too late Microsoft. I’m sticking with Firefox.

  18. Simon Jessey says:

    Hmmm. I noticed that questions regarding CSS support, PNG transparency, and the bugs documented on "PositionIsEverything" have been sidestepped. These are obviously legitimate concerns for developers and designers alike. Will these be addressed in this service pack’s final release?

  19. jeffdav says:

    I can only confirm that in the universe there exists a set of questions to which I would like to reply but to which, circumstances being what they are, I can neither confirm nor deny answers. Additionally, I can neither confirm nor deny which questions are, or are not, in said set.

  20. Microsoft has made the Windows XP SP2 "preview" available for downloading, this is a look at what will be happening…

  21. xirclebox says:

    Since the new fixes will not allow active-x to automatically download, will this effect the way the browser handles flash and shockwave plugins? I know that MS is in a battle now about the plugin technology and that it might be thrown out, yet it would be nice to know if this is the start to remove the plugin features.

    thanks

  22. jeffdav says:

    Xircle: Shockwave and Flash will run as they normally would, unless they are not installed on the machine and a website tries to install them automatically. Once the user has agreed to install them, everything should be the same. I think a version of flash ships with Windows XP, and we support upgrades of installed controls. I would not be worried about plugins going away.

    I assume by "battle" you mean the Eolas Patent. A quick search of news.google.com led me to this article: http://www.infoworld.com/article/04/03/05/HNeolasx_1.html. I believe that Microsoft will continue to fight this patent. But I am neither a lawyer nor a policy maker here.

  23. Spong says:

    Bluntly, I’m horrified ActiveX didn’t have a "and don’t ask again" option from day one.

    Better late than never – I guess this is the kind of design change that Trustworthy Computing will ensure is in future products.

  24. The XP SP2 Release Client 1 is now available. Here’s a list of some of the changes to Internet Explorer. As one poster in the thread writes, " Too little too late Microsoft. I’m sticking with Firefox." But the big…

  25. No transparent PNGs? No non-link hovers? No fixed-position background image support? So the only new attractions are security benefits that I already have by using Firefox? Yeah… sounds great…

  26. 1. Are the popup blocking settings configurable in any way? Can one at least turn them off/on?

    2. Are all window.open() calls located in onLoad handlers blocked?

    3. What about javascript calls from Flash applications? Are those allowed/disallowed by the popup blocker?

    –cameron

  27. jeffdav says:

    (1) Yes- you can turn them off and on, and there are some registry keys to control finer points in the algorithm. I will discuss these keys at some point after we RTM, since they are still changing.

    (2) They are blocked since they will not be considered user initiated actions.

    (3) The compat with Flash is a more difficult problem, since the Flash control will be handling the mouse clicks, not mshtml.dll, so in RC1 those new windows will be blocked, unless the site is in the allow list. However, we have a public way for ActiveX controls and applications hosting the webbrowser control to explicitly tell trident to enter and leave the user intiaited action context.

  28. Regarding your answer to #3:

    Does this only apply to window.open() calls or will it similarly apply to URLs targeted at non-existant windows (i.e. target="_blank").

    For practical purposes, there are two ways to spawn an external window from a Flash movie:

    getURL("path_to_webpage","_blank");

    OR

    getURL("javascript:window.open("path_to_webpage");

    It seems clear from your answer that the second case will likely be blocked. Is it likely that the second case will also be blocked? Are these questions better asked of Macromedia?

    Thank you for being available to provide some feedback :). It beats the heck out of having figure this stuff out the hard way.

  29. jeffdav says:

    IE’s Pop-up Blocker will not make a distinction between window.open() and targeting _blank.

  30. Ian Paterson says:

    Many valid applications depend on window.open().

    We spent years developping a Web Instant Messaging client. It behaves like any other IM client, so chat windows open automatically whenever messages are received from friends. The default IE SP2 behaviour makes that impossible.

    Microsoft is being naive if it thinks blocking pop-ups will improve the browsing experience. The marketing people will just cover up the content the user wants to see with DHTML instead. And then users will have to work out how to close the advert each time.

    So the effect of Microsoft blocking pop-ups is that countless valid applications will be disabled, and the advertising will carry on virtually unhindered.

    This particular feature of SP2 appears to be a marketing decision by Microsoft rather than common sense.

  31. Ian Paterson says:

    Are all window.open() calls located in onmouseup and ondblclick handlers blocked?

  32. jeffdav says:

    Ian – I agree that adding Pop-up Blocking to IE will most likely encourage advertisers to migrate to DHTML and Flash based advertising. There is a fundemental difference there though– DHTML is constrained to live inside the browser rendering area and Flash is an ActiveX control that users can disable. Most of the well-respected website have Close buttons on their Flash/DHTML advertising as well. Stopping advertising is a non-goal for the Pop-up Blocker; the main goal is to put control of the browsing experiance back in the hands of the user.

    App and Site compat is definatly a concern though. Is your application an Active-X control or a stand-alone app that hosts the WebOC? For either one we will have a way that you can tell mshtml.dll to allow the window to open. For your app it will most likely be a simple IOleCommandTarget::Exec() call.

  33. Pete Cole says:

    > For your app it will most likely be a simple IOleCommandTarget::Exec() call.

    Do you have a reference (link) for documentation on this – I thought apps were supposed to use INewWindowManager?

    Still waiting on the SDK <g>.

  34. jeffdav says:

    We did not get in to the product in time for RC1, so I do not think it is documented yet. I am still waiting on the SDK as well.

  35. Ian Paterson says:

    Thanks for your answer.

    I understand "the main goal [of pop-up blocking] is to put control of the browsing experiance back in the hands of the user". However, personally I feel much more in control when all I have to do is click on the X to close the window.

    – DHTML adverts obscure my view of the page I requested

    – The close button is not always visible immediately

    – It is not usually obvious where the button is

    So it always takes me a few frustrating seconds to work out how to get rid of the thing. Pop-ups are a no-brainer, I don’t even notice the window content!

    Until now well-respected websites have prefered to sell less annoying pop-up adverts. However Microsoft’s new policy is going to force them to accept highly annoying DHTML adverts.

    Perhaps Microsoft hopes to take the public credit for blocking pop-ups now, and avoid the blame for the inevitable consequences?

  36. Ian Paterson says:

    Microsoft has suggested that the pop-up blocker will not affect corporate intranets. However, today intranets are usually ‘extranets’ and companies cannot control the configuration of all the PCs used to access their applications from outside their head office.

    > App and Site compat is definatly a concern though. Is your application

    > an Active-X control or a stand-alone app that hosts the WebOC?

    Neither. Our Web IM application was developed in pure JavaScript so that it would be accessable from any PC without installation or configuration. That feature is essential for our corporate customers whose intranets are accessable from outside their firewalls.

    Internet Explorer’s runtime constraints make JavaScript the most secure development environment. However every unnecessary restriction Microsoft imposes reduces the viability of this development platform.

    Do you have any ideas how our IM Web application might open a window automatically whenever the user receives a message?

  37. Ian Paterson says:

    Web sites often enable user navigation with mouse button event handlers instead of standard links.

    Will window.open() calls located in onmouseup and ondblclick handlers be blocked in XP SP2?

  38. jeffdav says:

    By default the Blocker does not apply to sites in the Intranet Zone (this is also true of Trusted Sites Zone). The modeless Security Band UI should make it fairly easy for users accessing stuff in the Internet Zone to quickly allow a website to show pop-ups after the first one is blocked.

    If your Chat application is developed in pure JScript, you would probably need the users to add the site to the allow list via the Security Band UI once; then successive visits will function as before.

    I am curious however; how do you get different instances of the client (IE) to talk to eachother through pure JScript? (Don’t tell me if it would violate an NDA or other agreement you have signed.)

  39. Ian Paterson says:

    The typical user never accesses any UI to change a preference or a security setting. So the Security Band UI will only help relatively advanced users. It does not help my company because we cannot target our IM application at such a very small minority.

    [If Microsoft really believes people will use the Security UI then why not disable pop-up blocking by default?]

    > how do you get different instances of the client (IE)

    > talk to eachother through pure JScript

    We’ve spent more than two years developing an IM application where all browser client instances HTTP POST messages to the same server. The server forwards the messages (no peer-to-peer is possible).

    Do you have any *real-world* suggestions that will allow our application (and thousands like it) to function in a user-friendly way with XP SP2’s pop-up blocker?

    Will window.open() calls located in onmouseup and ondblclick handlers be blocked in XP SP2? (you can answer "don’t know")

  40. jeffdav says:

    I kept meaning to double check to make sure of my answer for onDblClick, but I kept forgetting. Thanks for reminding me. If the user clicks an element causing onMouseUp, onClick or onDblClick to fire, and script is executed synchronously during those events that open a new window, the first window to be opened will be considered a user initiated action. There are other events that typically occur along with clicks, such as, for example, onSubmit, that will be considered user initiated by the default settings.

    Our goal is to be secure out of the box, so many security and privacy features are on by default.

    I believe that the security band UI will be usuable by the vast majority of users. If you find that it is not enough, I would suggest checking the return value to your window.open() call to see if it is NULL. If it is, then you know the new window was not created. There can be many reasons for this (out of memory, etc) but most often it will be because Pop-up Blocker blocked it. If you get NULL back you can display UI to the user further explaining the situation. I have noticed CNN.com does something along these lines for video links. Optimally, I guess, you could have an onClick handler for the UI you display that opens the window that was blocked.

  41. Dennis N says:

    Lots of ne files in the SP2 package. Among them are new drivers for the CDROM, namely: CDROM.SYS, IMAPI.SYS, REDBOOK.SYS, STORPROP.DLL, and ATAPI.SYS.

    Anyone know if some of the issues of compatibility between third-party CD/DVD burning software have been resolved by this upgrade?

    Dennis

  42. Duncan Smart says:

    Jeff,

    Can you confirm whether the following will or will not work in XP SP2?

    <input type="button" value="User initiated popup" onclick="window.open(‘popupPage.htm’)">

    if it doesn’t then it’s ridiculous!

    If a popup is initiated by:

    * setTimeout()

    * onmouseover/out

    * onload

    then I can understand it being blocked – but surely not onclick?

  43. jeffdav says:

    Yes– new windows launched from OnClick handlers will not be blocked as long as the user clicks the button. Calling myButton.click() on the button will be blocked.

  44. Duncan Smart says:

    Phew, thanks – it’s just that I got the impression that they would be blocked – I’ll test with XP SP2 RC1 as soon as it’s downloaded…

  45. Sandman says:

    Where can i download the service pack2

  46. Kanwaljit singh says:

    everyhing is fine is xp sp2 but i want that if microsoft add some more thems in xp sp2 to look it more kool.,,,,,,,,,,,,,

  47. JOKERrWILD says:

    So it seems to me that the popup blocker is a good thing! you can still allow popup to come in by pressing the control button you you keyboard nothing wrong with that. Infact makes life a little better so I have a extra key stroke oh well at least I dont have java VIRUS trying to come in ack! Also I love that fact that they have a security applet now to tell people when stuff is out of date! lots of improvements even more so in the wireless area. If you have a linksys router and cards that are having connection problem when you enable WEP and MAC FILTERING microsoft have fixed that bug no more disconnecting. OVERALL I GIVE THIS TWO BIG THUMBS UP!!!!

  48. JOKERrWILD says:

    Oh yeah one last thing you can turn off the popup blocker if you dont like it in the lower right hand corner of the IE screen by where you have the little earth and it says internet its the 4th box to the left and right click and turn off!!!!

  49. jeffdav says:

    You can also left click in the box. 🙂

  50. JOKERrWILD says:

    sure can!!!:)

  51. Ken says:

    Seems to me there a few whiners here who’s content is the very thing annoying many of the rest of us. How about coming up with a better way of advertsing than forcing ANY kind of involuntary windows and popups on those of us who want to go where WE want to go and SEE what WE WANT to see?

  52. Richard says:

    IE needs to get with it supporting png transparency. After reading down this list of questions and replies this is still being side stepped.

    Support for PNG transparency: Yes or No, very simple

    How about tabbed browsing?? Any idea if this will come to be in IE?? Opening up another window just crowds the task bar. Mozilla really the winner in my book in these areas. It’s not a perfect browser but it’s secure and has these sorts of implementations that makd the experience more enjoyable!

    Thanks

    Richard ;-)~

  53. jeffdav says:

    You can, at this point, assume I am an idiot or I cannot answer the question due to circumstances, etc. I am okay with either assumption. 🙂

  54. Tsondo says:

    What is the purpose of AlphaImageLoader if not to handle PNG? I think I’m missing something.

  55. Kevin Colvin says:

    How can we get a hold of Xp SP2 RC1?

  56. cyberPunk says:

    my win xp pc has already downloaded 45 patch in just one year and there is another one coming up???

    fuck off ms buddy! no wonder the bank I work for is keen on testing the java linux desktop……

  57. rehabber says:

    I use Popup Manager and it was free and works great. I have Earthlink and this blocker is better than the one they use and much easier to use. Don’t need another one.

  58. jeffdav says:

    AlphaImageLoader is a DirectX transform that IE supports. It claims to support transparent PNGs but I have not tested this. I do know there is a work around for transparent PNGs that uses a DXT. Here is the doc:

    http://msdn.microsoft.com/library/default.asp?url=/workshop/author/filter/reference/filters/alphaimageloader.asp

  59. I applaud the popup blocker. Every other browser in the world has it and it was only a matter of time before IE did it too.

    One question though Jeff: you seem to be focusing on the fact that something has to be "clicked" in order to open a popup window? What about users who may not be able to use a mouse or don’t have one available? Will keypresses be able to open new windows as well (i.e. I tab over to a link and activate it by pressing on the spacebar)?

  60. Shawn Oster says:

    non sequitur: Reading through the comments on here I realize why computer users have acquired the reputation for having poor social skills. I wonder if people actually speak with as much aggression and rudeness in person as they do in their comments.

    Back on topic, a popup blocker is a great idea and I happen to be one of those developers that distribute both an ActiveX and use setTimeout to popup windows. The windows I popup though are ‘You’re session is about to timeout, do you want to resume?’ style windows, a la internet banking sites. I currently use Google’s toolbar and pop-up blocker and so I’ve already had to deal with my windows being blocked.

    I’m confused by all those people worrying about popup blockers, as if Microsoft is doing something crazy and new. Blockers have been around forever and more are coming everyday… Google, Earthlink, A9. Do you imagine that not having Microsoft include a blocker will somehow prevent you from having to accommodate your users that have any of the other ones installed?

    With clear enough instructions any user can configure a UI option. None of us have some mystical tech-third-eye that allows us to do things mere mortals can’t. If I can go into Internet options to white list a site for popups then I can write a nice, simple, well designed set of instructions telling my grandmother how to do the same.

    I’m curious how people confused the security in Firefox with what is coming out for SP2. I love Firefox, use IE and Firefox about evenly and honestly I’m scratching my head over how Firefox even ended up in this thread. Enlightenment?

    Umm… why exactly do people have a problem patching their computers? Are these people that don’t work out? Or eat? Or get their oil changed every 3000 miles? Or clean their bathrooms (come on, you really shouldn’t make your mother do it anymore). Anything in life that is dynamic requires maintenance and software is no exception. I say keep the patches coming, I’ll take one a day.

    Also it should be obvious by now that jeffdav is pretty good at answering the questions that are put out there so if your question goes unanswered it probably falls under the "I could tell you but then They’d have to kill you, your dog and then kill me" policy.

    A long comment-cum-rant but one can only read so many comments before reaching their threshold.

  61. jeffdav says:

    Vinnie- Yes, we have taken into account keyboard accessibility, and the same basic rules apply. Tabbing to a link and hitting enter will also be considered a user initiated action.

  62. Andy says:

    So far i have heard that POP-Up blocker is the latest and greates feature in the new SP however i a currious when IE will Add feature that other leading browsers have had for years.

    As Richard said I feel a great feature would be the Tabing of subsequent IE windows within the IE app its self and not opening an entirely new window.

    It seems to me that if MS can spend thousands on improving the Firewall on XP and adding a POP-Up blocke they could dish out a few extra $ to make IE more visualy Appealing as well as userfirendly.

    Netscape or Mozilla have both great security reliability and at the same time a grate skinable interface for their browser and features that easy the headach of multiple windows.

    I know that MS is trying to become the Browser of choice by most windows and even some Mac users, but until they offer more userfriendly settings and feature i feel most people would rather deal with the long intial loading time of Mozilla based browsers.

    Are there any plans to address this in future SP or even in the next high priced installment of the windows series.

  63. Jeff: Thanks for the clarification. I figured that keyboard action would count as user-initiated but just wanted to be 100% sure :).

  64. Richard says:

    Hmmm, I don’t think that Mozilla has a longer load time than IE does. It’s about the same IMHO!!

    Glad someone else stepped up to the plate about the tabbed browsing wish.

    I don’t expect IE to follow Mozilla’s example but if they took the info and implemented what is clearly what the user base wants then it’s a clear choice. Many IE users are the "no brainers" kind of user and the Mozilla and Firefox users are more into the "this is what I want and I got it over here" semi-techie kind of user (and then there are those Bill Gates bashers that have no lives and hate everything Microsoft too 😉 )

    In the long run I think MS will come through but it would be better sooner than later. SP2 has the potential to be really great but to have to wait another 2 years for Longhorn to be mature useable desktop with all the Bells & Whistles is only going to loose clients over to Mac and Linux platforms. And it should not be with the attitude "then let them go, they will be back" you don’t know that so comments like that are only moot observations with no validation.

    I think MS has a good thing but no reason it can’t be great and give the user base what they want. In today’s techie world sometimes Windows just doesn’t move forward fast enough. I realize with all the security stuff going on that implementing fun stuff is not possible but tabbed browsing is more of a work issue. It speeds up load time and keeps things tidy and there for you are not slowed down by wondering where the heck is that other browser window with this or that info in it.

    And support for PNG with alpha is just long over due. It’s becoming an industry standard in many of the graphics apps that I use every day and to see PNG’s with transparency not displayed correctly in the IE browser at this late date is just not right!! 🙁

    Richard ;-)~

  65. Daniel Wolf says:

    I would like to thank jeffdav for being so quick to answer these questions. So many times questions to big compaines are unanswered but you answer them right away, no bull. *claps*

    As for my questions:

    1.) Will the IE interface get an overhaul anytime soon? I know it sounds stupid, but I love the smooth, elegent look of FireFox, which I am on now. IE is just to "compicated looking" for me. I am an etreme techie, but I appricite the minimalistic touch =)

    2.) Why do you guys have to pay the EU? What could they do to you? Just been on my mind =P

    3.) Will IE have an eqivilent to AdBlock with FireFox? Come on, we know you use it =P

    4.) When will you release the source to Windows 3.1? Sounds like a cheezy way to get SlashDot coverage =0

    5.) Why not shank advirtising with IE? We all know you would be the hero of the year for "accidently" blocking doubleclick and other ad mongols. You guys have 50+ BILLION dollars, you can take doubleclick. Be my hero Microsoft!

    Thanks for answering =)

  66. Daniel Wolf says:

    Nevermind with #1 and #3.

    Just read you can answer due to NDA. Too bad =)

  67. Daniel Wolf says:

    Where is the damn edit button? I meant can’t

  68. jeffdav says:

    Danial-

    1) Please keep in mind SP2 is a service pack. Yes there are new features, but they are focused on Security and Privacy. If you must see the latest and greatest you can always check http://www.winsupersite.com.

    2) I dunno. I am not a lawyer or policy maker. I just write code. 🙂 Probably we want to continue to sell our products in their market.

    3) I have not used FireFox’s AdBlock feature, but I learned a lot from the experiance of implementing Popup Manager; the most difficult lesson being it is very hard to automate a decision making process for what is "good" content and what is "bad" content.

    4) I dunno. I am not a policy maker. I just write code. If I had to guess, I would say we will probably release the Win 3.1 source code 7-10 years after we release the Dos 6 source. 🙂

    5) When we were working on IE 6 the networking team added support for allowing and blocking cookies on a per-domain basis. I actually wrote the UI for that. Tools->Internet Options->Privacy->Edit, then just block whatever domain you do not want. This will block all cookies from that domain. It has always been my secret wish for someone to maintain a black list of sites. Obviously Microsoft cannot maintain such a list. Both the cookie list and popup exception list are both stored as registry keys. It would seem to me to be fairly trivial to write a tool to update the lists from a web service.

  69. jeffdav says:

    Now I want a comment edit thingie to fix misspeeling your name!

  70. Daniel Wolf says:

    I meant like block it by default =) I have it blocked on FireFox, and I see like no ads, ever!

    I want to point you to some awesome utilites that I have found that I use when other people screw up their machines!

    HijackThis – Shows IE components. Its hard to explain, google it and download it.

    As for your secret desire, *prepares to make your day* TADA! http://www.staff.uiuc.edu/~ehowes/resource.htm Download IE-SPYAD Its what I used to use. Even has a pr0n blacklist, but I doubt you will be needing that =) Read the readme

    Thanks for replying so fast! Have a nice day!

    P.S. lol @ the #4 reply, I was laughing!

  71. Daniel Wolf says:

    Cross to the darkside Jeff! Just try it out, you will get some cool ideas =P

    http://www.mozilla.org

    Download FireFox =)

  72. Andy says:

    Jeff — Are there any plans by MS to implement more user friendly and appealing features into the IE platform or does MS plan to generaly keep the same interface they have now?

    I feel that it would help to make IE alot easier to use. Also you may want to consider (if not allready in place) a wizard that allows non-techy people to changes security settings based on preset parimaters or at least asking them in more detail about certain choices. Most first time Windows users have trouble understanding what active X is or weather or not you should activate it.

    I am not sure if something like this is in place allready and I am just not looking in the right place or what. I tend to be the most technically savy person in my close circle of friends/family and if this feature existed i could simply tell them about it and spend less time manually setting up security features.

    As you can probably tell from the way i word things i know no where near as much as most of the people who post here however i can genraly do ok to follow along with the teckyest of people 🙂 Please let me know if you have the wizard thing in place and how to access it.

    If you have trouble understanding my uncoherint babling just let me know i will try to make sense next time 🙂

  73. Daniel Wolf says:

    I have never seen a IE wizard. If people can’t find the Tools menu, they probably can’t set their security, even with a wizard. They would be scared of "screwing something up"

    Hell, I have burned my motherboard twice, had to reinstall Windows XP 11 times (Just exlain to the person on the phone and they give you a key), screwed up IE twice, burned my video card once, burned my monitor once, and stepted on my router once =) Oh yeah, I’ve also dropped my Tablet PC once =)

    Dan = techie clutz

    Wait till I get to Linux, I’ll screw it up everyday!

  74. Daniel Wolf says:

    Oh yeah, I also almost burned my motherboard due to some soder (hotwiring my ATX botherboard connection so my PC would think it was on, as in turn on the fans, lights, ect, without booting up) and also forgot that I unpluged my watercooling unit and almost burned my CPU.

    hehe

  75. Daniel Wolf says:

    That was just last week.

    See ya later.

  76. Joesg@msn.com says:

    Reading the comments about SP2 I refer to Norton Anti Virus not being able to update. This is the case on my computer. Is there a way for me to get it to work or do I have to count on an upgrade from Norton? Which my computer can’t seem able to do. Thanks, Joe

  77. jeffdav says:

    Joesg-

    I do not have enough context to help with your question. My area of expertise is Internet Explorer, but if I had to guess as to your update problem, my psychic powers point me in the direction of the Internet Connection Firewall. Perhaps you need to allow Norton through? Try disabling it and see if Norton can update.

  78. dave says:

    these are all great features. congrats!! My first problem was with updating. It is very touchy. Any suggestions.

  79. Dunlop Chulullapops says:

    If I’m am currently happy with how my conputer is running with windows xp, but do i have to download to the service pack part 2?

    like what if everything is running good?

    is it inportant to do the update?

    thanks in advance to jef,

    dunny

  80. jeffdav says:

    Well, nothing forces you to upgrade. SP2 (like all of our service packs) has an uninstall feature as well, if all does not go well with the upgrade. (Control Panel->Add/Remove Programs)

    I would say this is a very important update.

  81. David says:

    I do programin/support for a web based application and was wondering if there going to be some way to automicaticaly set my site to be added to thier whitelist to allow my pop-ups. Similar to the way some sites ask me if I want to set thier crumy site as my homepage.

    window.open(blah blah)

    if window.open is null the textbox.text = ‘Click me to add me to your whitelist’

    then execute some code that would add my site to the white list.

  82. jeffdav says:

    There is no programmatic way for a web page script to add something to the white list.

  83. Bill says:

    Why can’t we test just a rc1 of IE instead of the whole SP? My clients need more control over user’s bad habits.

  84. Glenn says:

    How to re-enable Java??? Have a Microsoft Great Plains page that I no longer can access because it uses Java! Help!

  85. Paul Dolen says:

    Two questions:

    1. What version number is the updated IE given?

    2. Will this updated IE be available for the other platforms that support IE 6?

  86. Clifton says:

    Hi Jeff

    Wanted to know whether communication between popup and parent window will function normally.

    I have a link on my site which opens a poup when user clicks it.

    Now in this poup i have a link which closes the pop up and open a new URL in parent (calling) window. Will this work after SP2 is applied.

    I am accessing parent window using "window.opener "

    Apologies if I sounded dumb.

    Thanks in advance.

    Clifton

  87. jeffdav says:

    Clifton –

    If a popup is blocked, then window.open() will return null to the parent, and the parent should check for null and not try to communicate with it. 🙂

    If a popup is not blocked, then communication will function normally.

    If a popup is blocked and the user chooses decides they want to see it, we refresh the page and allow popups on the refreshed page, so the communication will function normally. The first implementation would actually cache the arguments to window.open() and replay the pop-up without refreshing the page (Beta 1, perhaps RC1), which DID break the communcication channel between the child and parent, but that is gone from the product now.

  88. jeffdav says:

    Paul-

    1. I am not sure the exact build number, but it will be a minor revision to IE 6. The UA string will be updated so that websites can detect it.

    2. I cannot say.

  89. L3lll1941 says:

    I noticed that some of my Quick Launch icons do not appear until I reboot a second time.

  90. jay says:

    ugh i need help please im trying to install the sp2 but i keep getting this error that the atapi.sys is in use and i tried almost everything from running the service pack in safe mofe to ending most of the proccesses in the task manager can anyone help me please

  91. rampel says:

    I took (foolishly?) someone’s advice and installled XP Pro SP2 RC1

    The most significant thing it did to my system is Disable Mozilla, not delete or uninstall but disable completely no mouse or kb commands can start it. So I logged out of admin and into user and – it works normally. I logged into admin agin, gave user all permissions and pass, and back to user. What I want to do now is copy or move my settings from admin to user. Is there a short way of doing this and how?

    And, what’s this act of disabing Mozilla?

    TIA

  92. JPDeckers says:

    Jeff

    "The compat with Flash is a more difficult problem, since the Flash control will be handling the mouse clicks, not mshtml.dll, so in RC1 those new windows will be blocked, unless the site is in the allow list. However, we have a public way for ActiveX controls and applications hosting the webbrowser control to explicitly tell trident to enter and leave the user intiaited action context."

    We’ve tested SP2, and it seems that user-clicks on .swf’s that are integrated in a page are allowed to open a new window w/ getURL("webpage","_blank")

    , while the SAME .swf is not allowed to open a new window if the page is framed with a normal frameset (or iframe).

    Is this default behaviour (and should (i)frames be dropped for pages with flash-ads), or is this likely to be changed in the final release ?

    Also, is there any more information available yet regarding the "public way for ActiveX controls" ? We’ve searched a lot for this, and where not able to find any information yet.

    – JP

  93. Geoff H. says:

    Argh! Being new to the whole COM game I finally have managed to convert urlmon.idl to urlmon.tlb [included "library"] and then finally a dll which I was able to add as a reference to my c# project. And all because I wanted access to " CoInternetSetFeatureEnabled" amongst other things.

    The problem is that a handle to this function has been created 🙁 What am I doing wrong here?

    Geoff

  94. jeffdav says:

    I am not an expert in managed code and all that library voodoo. I will try to pursuade someone who is to comment here.

  95. Geoff H. says:

    Jeff,

    Thanks for responding 🙂 Yep, it’s voodoo alright and has got me scratching my head over why the idl file isn’t properly producing a dll for me to use in my managed app.

    I reread the above and the last paragraph should have stated the the function -had NOT- been created. The way it was written made me look mad as a hatter <GRIN>.

    Thanks for your help.

  96. Geoff,

    Jeff contacted me about your issue. I don’t know anything about IE, but after talking to him for a while I realized that CoInternetSetFeatureEnabled is a DLL export from Urlmon.dll. To access this you won’t use COM interop – instead you need to use P/Invoke. You probably want something like:

    [DllImport("urlmon.dll")]

    int CoInternetSetFeatureEnabled(uint inetfeaturelist, uint dwFlags, bool fEnable);

    Your DLL generated from TLBIMP may have the imports for the feature list & flags, you could check if it successfully got those using ILDASM. If not you’ll need to define them by hand.

    This API as shown here will return a HRESULT as an integer. You’ll need to check if it succeeded (positive or zero) or failed (negative).

    I would also suggest you check out .NET and COM: The Complete Interoperability Guide. This book has more than you’d ever want to know about COM interop.

  97. Geoff H. says:

    Dino, Thanks for your help. Dang, didn’t want to resort to P/Invoke but I suspected it would end up being the final call.

    I’m off and running…

  98. Tim P says:

    I am using AlphaImageLoader to work around IE’s still broken PNG support. Yesterday, I found a coworker’s machine would not display such an image at all. After a minute, we discovered what may be the ‘modeless UI’ mentioned in the article. It warned that the page had ‘active content’ which was disabled, and clicking the warning message would enable active content for files from that server (it was the local machine in this case).

    I have not been able to identify the security setting that enables this protection. Does anyone here know? I need to be able to document the requirements for proper display of the page. If the setting can be detected in javascript, I’ll probably also want to tell the user why images aren’t displayed correctly, and maybe switch my images to plain old <img> tags, broken transparency and all.

    Obviously, the best solution would be for IE for Windows to just display PNGs correctly without the proprietary directx workaround. I understand IE for Mac already does.

    But if anyone can explain the requirements/limits with the workaround, I would appreciate it.

  99. Sangeet Chourey says:

    Jeff,

    I want to Test Pop-up blocker of SP2 for my Internet applications, but same time doesn’t want to download and install whole of huge SP2 ( 273 MB ) .. Can I download pop-up block feature and test it.. ?

    Thanks

    Sangeet

  100. jeffdav says:

    Sangeet- Popup Blocker is only available as part of the SP2 update.

  101. h2os :: blog says:

    I’ll post more on this later once I’ve had a chance to install Windows XP SP2 RC2 and poke around…

  102. steveH says:

    I’m concerned about the impact of some of the new IE features on the online trading application we’ve developed in JScript. We rely absolutely on being able to popup (Trade Confirmation) windows on receipt of suitable messages from server (via JMS messaging and invisible applet).

    We also employ a caching mechanism whereby we precache all ‘dialog’ content within jscript variables, open windows using a javascript: protocol to open an empty page (avoiding any round-trip to server over expensive ssl connection) and write cached content into opened window. Some of the content includes embedded jsp within iframes (https:). We now get the dreaded "mixture of secure and unsecure…" message which never happened before.

    Our clients mostly use locked down machines with no access to IE settings. Is our app going to be broken ? I’m all in favour of new features, even if they are in ‘service packs’ but no way should major features which change basic functionality be introduced enabled by default.

  103. Dipak Patadia says:

    As window.open() won’t allow me to open a new window from page’s body onLoad() event.

    So, in my web application, after identify that the pop-up blocker is enabled, I need to display a page suggesting user to click the link to open the required page. I want to develop a general page which will accept the URL, name and features and display the link. Can I call the window.showModalDialog() statement to open this intermediate page?

    I would like to know whether any restrictions on window.showModalDialog and window.showModelessDialog statements? Can I call these statements from the function which has been called from the body onLoad() event? Also, would like to know other better alternates. – Thanks

  104. DirkPitt says:

    Good read this, Cheers Jeffdav

  105. Luna says:

    Hi, i try to use onclick to show a popup window. However it failed.

    Looks like IE blocks all window.open(), even i click a link, IE still won`t let me popup the window?

    <input type="button" value="User initiated popup" onclick="window.open(‘popup.html’)">

    Have any idea what happened? Thanks!

  106. Dipak Patadia says:

    When the "Filter Level" is set to "High: Block all pop-ups (Ctrl to override)", all types of pop-up windows are blocked including windows created through user interaction. To allow user initiated pop-up windows, set Filter level to Medium. See Tools->Internet Options->Privacy tab-Pop-up blocker section->Settings.

  107. Dave McCulloch says:

    I am writing a web app that allows users to open a personal list of web sites as separate browser windows. After a few months of coding, it is almost done, but I recently learned that SP2 will block pop-ups, making my app useless. Questions:

    1. When blocking pop-ups, will SP2 give users a convenient option of enabling pop-ups for the current domain, similar perhaps to Google’s toolbar whose on/off switch displays and controls its white-list?

    2. What options exist for enabling a site to use pop-ups?

    3. If a site is enabled through IE’s white-list, would window.open() be operational in the onLoad event?

    Thanks for any answers!

  108. jeffdav says:

    Dave–

    Is your app jscript/html or is it an ActiveX control? There is a way for ActiveX to initiate a user intiated action.

    (1) When pop-ups are blocked, SP2 shows the Information Bar across the top. Users can click on it and get a menu which has an option to allow pop-ups from that page. The allow can be permanent or one-time. This works similar to blocked images in Outlook.

    (2) If the popup comes from a user action (click, for example) then we allow one pop-up. Whitelist is the best option. PopupMgr is off by default for Trusted Sites, so you could also add the domain to the trusted sites list, but that means the domain is trusted in many other ways besides not blocking popups– this is not really recommended or necessary.

    (3) Yes.

  109. Dave McCulloch says:

    Jeff,

    Thanks for the information!

    My app is javascript/html.

    Is there a web site that has a picture of SP2’s information bar and its pop-up menu so I can prepare some instructions (I realize that I might have to change it when the final product is released, but that would be easier than writing everything from scratch then)?

    Also, is there a way for my application to detect that it is Windows security that is preventing pop-ups from working? With that information, at least I could give users a customized response when my app fails.

  110. jeffdav says:

    The only way to detect the popup was blocked is to check the return value from window.open() for null (which all good scripts should be doing already 🙂 ). It can be null for other reasons–such as out of memory cases–but the majority of the time null will be returned because a Pop-up Blocker of some sort was active.

  111. vincenzo says:

    What about adodb.stream. I use it in my corporate web application and it does not work with IE RC2. How can I ENABLE it?

    vincenzo

  112. dan says:

    is there a way to add to the white list in windows XP SP2 by allowing the user to click on a button or something in our web application

  113. jeffdav says:

    Dan- No.

    Vincenzo- See the bottom notes of this article: http://support.microsoft.com/default.aspx?kbid=870669

    -j

  114. vincenzo says:

    Thanks.

    The problem is that in my registry there is no key "HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{00000566-0000-0010-8000-00AA006D2EA4}" to set to 0.

    I suspect that adodb.stream in the new IE is disabled by other way. But I hope to find a way to re-enable it.

    Thanks again