windows xp sp2 rc2


I have been slacking in the posting department during my recent travels.  RC2 shipped last week, while I was in NYC.  Others have spoken about it.  I will describe briefly what changed wrt pop-up blocker. 


But first a warning: every day we have an internal build of RC2.  Every day I install the latest build on my test machine.  This process causes minor changes to all blur together in my head.  If I need to know when something specific happened, I can look in the source logs.  I am, however, going to write this from memory, so I might get minor details wrong. 


Registry Values and Levels

The various aspects of pop-up manager are controlled by values in the registry under HKCU\Software\Microsoft\Internet Explorer\New Windows.  The registry values are all dword values, unless noted.  Values are all either 0 or 1, unless noted.


PopupMgr - Whether the pop-up blocker feature is enabled or not.  This is the checkbox on the privacy tab of the Internet Control Panel.
PlaySound - Whether or not a sound should be played when a pop-up is blocked.  This sound is set in the Sound Control Panel.
ApplyToWebOC - Applications hosting the webbrowser control only get pop-up blocking if they opt in.  This forces pop-up blocking on non-opted-in apps when true.
UseSecBand - Whether or not pop-up blocker notifications should appear in the Information Band.
AccUserInitOnClick - Turns off or on an app compat work-around for some Accessibility Aids.  This is on by default.
Balloon - Set when the balloon notification has been shown.  Not a very interesting value, listed here for completeness.
BlockHTMLDialogs - Whether or not to treat HTML dialogs as pop-ups. 
UserInitTimeout - Number of ms in the timeout period when the UseTimerMethod value is set (see below). 

The biggest change for SP2 is the creation of multiple levels of pop-up blocking.  This is visible in the advanced pop-up blocking settings dialog (Tools->Pop-up Blocker->Pop-up Blocker Settings...).  The levels are high, medium and low.  The text descriptions of the levels were limited by the size of the box and the length of the text when localized to languages such as German.  I will provide more details.  The levels are pre-set combinations of the following values.  Please note, these may change between now and the final release of SP2.


BlockUserInit - Whether or not to block windows deemed to be the result of a user initiated action.  When on, pop-up blocking is hardcore.  Default is off.
UseTimerMethod - Whether or not to use a timer to detect user initiated actions.  Some sites do things asynchronously to mouse clicks... mostly sites where you submit data which results in a popup.
UseHooks - Whether or not to hook messages going to ActiveX controls.  If this is false, then the control may not be able to open a new window.
AllowHTTPS - Whether or not to blindly allow pop-ups from sites using https.

The default values, in the order the four values are listed above, are High: T,F,F,F; Med: F,F,T,F; Low: F,T,T,T. 
If you go change one setting by hand and it does not match the template for any of those levels, the level will show as “Custom” in the settings dialog.

The only other key to note is the Allow subkey.  This is just a list of domains in the whitelist. 
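
The level templates above can be checked mechanically. The following is an added example, not code from the original post or from IE: it classifies a set of values from the New Windows key as High, Medium, Low or Custom and lists the settings that loosen blocking. The function names and the sample dictionary are assumptions made for illustration; the value names and templates are the ones given in the post.

```python
# Added example: classify pop-up blocker settings against the level templates in the post.
KEY_PATH = r"Software\Microsoft\Internet Explorer\New Windows"  # under HKCU
LEVEL_VALUES = ("BlockUserInit", "UseTimerMethod", "UseHooks", "AllowHTTPS")
# RC2 templates as listed in the post; it notes they may change before release.
TEMPLATES = {"High": (1, 0, 0, 0), "Medium": (0, 0, 1, 0), "Low": (0, 1, 1, 1)}


def classify_level(values):
    """Return High, Medium, Low or Custom; Unknown if a level value is absent."""
    if any(name not in values for name in LEVEL_VALUES):
        return "Unknown"
    current = tuple(1 if values[name] else 0 for name in LEVEL_VALUES)
    for level, template in TEMPLATES.items():
        if current == template:
            return level
    return "Custom"


def audit(values):
    """Return (level, findings) for the settings that loosen blocking."""
    findings = []
    if values.get("PopupMgr") != 1:
        findings.append("PopupMgr is not 1: pop-up blocker is not enabled")
    if values.get("AllowHTTPS") == 1:
        findings.append("AllowHTTPS is 1: pop-ups from https sites are allowed blindly")
    if values.get("ApplyToWebOC") != 1:
        findings.append("ApplyToWebOC is not 1: WebOC hosts are covered only if they opt in")
    return classify_level(values), findings


def read_hkcu():
    """Read every value under the key for the current user (Windows only)."""
    import winreg  # standard library, available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
        for index in range(winreg.QueryInfoKey(key)[1]):
            name, data, _kind = winreg.EnumValue(key, index)
            values[name] = data
    return values


# Constructed sample: the Medium template with AllowHTTPS flipped by hand.
SAMPLE = {"PopupMgr": 1, "ApplyToWebOC": 0, "BlockUserInit": 0,
          "UseTimerMethod": 0, "UseHooks": 1, "AllowHTTPS": 1}

if __name__ == "__main__":
    import sys
    settings = read_hkcu() if sys.platform == "win32" else SAMPLE
    level, findings = audit(settings)
    print("level:", level)
    for finding in findings:
        print(" -", finding)
```

On a non-Windows machine the script falls back to the constructed sample, which reports the level as Custom because one value no longer matches the Medium template.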

Script Debugging in IE

When a suitable script debugger is installed, and the user visits a site that causes a script error, IE has traditionally provided a “Do you want to debug?” prompt.  This is controlled by a registry setting and has generally been off by default, but installing other applications could cause this to become enabled.  Most users would really rather not see this prompt.  To that end, the old setting got renamed to “Disable Script Debugging (Other)” and a new setting was created “Disable Script Debugging (Internet Explorer)”.  Apps hosting the webbrowser control to do web page design can still use the old setting to enable script debugging in their app without the average end user having to see this prompt.  Developers can also enable debugging in IE by enabling the new setting.  These settings are in the Internet Control Panel's Advanced tab (Tools->Internet Options->Advanced), under the Browsing sub-heading.

App and Site Compat


We did a lot of work balancing the effectiveness of pop-up blocker with not breaking existing sites.  As always, there are trade-offs here.  Frequently in SP2 we have chosen security/privacy over compatibility, which is why we introduced the levels in pop-up blocker.  The levels provide a quick and easy way to choose where you want to be in the compat trade-off arena.  The default is medium.  If you find some really egregiously broken sites, please feel free to post them here.  I will probably not be able to respond to post responses, but we will look at all of them.


Misc UI Bug Fixes

I fixed a lot of UI bugs, mostly related to menu state.  The layout of the menus changed a bit.  In retrospect, this is not very interesting to talk about.

Comments (28)

  1. Back in March, there was some back-and-forth in the comments of this post:

    http://blogs.msdn.com/jeffdav/archive/2004/03/22/94080.aspx

    regarding the behavior of the popup blocker WRT Macromedia Flash content, etc. The crux of the issue then (and now) is whether or not the popup blocker would block popups launched from within MM Flash content by default. Back then the answer was yes.

    I have not yet had a chance to try out Win XP SP2 RC2. Has that behavior changed at all? Is the appropriate solution still (as you indicated in the aforementioned post from March) for the plugin developer (in this case Macromedia) to modify the plugin to support the new interface that notifies the browser of the proper context for requests (user initiated or otherwise)?

  2. jeffdav says:

    Cameron–

    That would be the point of the UseHooks key described in the post. By default we do hook messages going to Flash, to allow user initiated windows to open from Flash.

    ActiveX controls can still initiate the user initiated context by Exec()’ing the correct command to mshtml.dll.

    -jmd

  3. Update to my previous comment:

    A more careful reading suggests that, by default, popups initiated from the Flash plugin (which I’m hoping falls into the designation of an ActiveX control?) will not be blocked? Is that a correct reading of the rules for the "Medium" (later described as the default) level?

    Sorry, I failed to put it all together the first time through.

  4. jeffdav says:

    That is correct.

  5. Peter Torr says:

    One thing I really dislike is "negative" options like "BlockUserInit."

    It’s intuitively difficult for people to deal with double negatives, and it makes the configuration overly complicated and ugly. Just looking at the settings for High and Low, wouldn’t it be nicer if High was F,F,F,F and Low was T,T,T,T?

    Then you could just say "High turns it all off" and "Low turns it all on" and customers could easily keep up with it. As it is, having negative options makes it easy for bugs (either bona fide "code defects" or end user "configuration errors") to creep in. We’re only human, after all 🙂

    I would rename it "AllowUserInit" or something along those lines.

  6. jeffdav says:

    Peter–

    I agree. Keep in mind these are registry thingies that most people never need to see. When I started writing this, "BlockUserInit" and "PlaySound" were the only keys. As I learned more and more about the numerous ways to navigate IE, more options were added. I would have liked to have rationalized all these settings in the end, but I waited too long and now we are too close to RTM.

    One of my dreams is to someday rewrite the Internet Control Panel and rationalize all these random IE registry keys… but think of all the apps I would break!

  7. JD on MX says:

    XP SP2 change? My thanks to Cameron Watters for posting this… he cites a post today from "jeffdav" of Microsoft’s Internet Explorer team, and in the followup, it seems like Jeff says that the behavior of blocking windows requested from…

  8. h2os :: blog says:

    I’ll post more on this later once I’ve had a chance to install Windows XP SP2 RC2 and poke around…

  10. A.R. says:

    You might consider focusing more on security holes than on "UI bugs"..

    A list of some of them can be found here: http://iebug.com/

  11. jeffdav says:

    Many of the UI Bugs I have fixed were security bugs. Web sites that use poorly designed UI to trick users are just as dangerous as ones that use more sophisticated attacks. There is a team of developers who work to secure IE at a lower level; I work on the Browser UI team.

  12. Ian Paterson says:

    I’m afraid that with Windows XP SP2, chromeless popup windows (created with createPopup()) have so many restrictions that they are rendered useless. The only significant functionality offered by a popup that cannot be achieved with an ordinary HTML DIV element is that it may be positioned slightly outside (to the right or left of) the window border.

    Most importantly, popups no longer appear in front of all windows. It is now impossible for a window underneath the top window to alert the user that it needs the user’s attention (e.g. when a message arrives in Outlook Web Access) WHILE still allowing the user to continue working in the top window (e.g. if the user is busy typing a sentence in the top window then their text is not lost when a standard window gains focus).

    Would there not be enough security if popup windows were limited in size/position AND also forced to have chrome (title and status bars) when the programmer wants them to appear on top of all windows?

    Do you know how OWA and other similar applications running on SP2 will inform users that new messages have arrived?

  13. Shaffer says:

    we have developed software and i believe a user is having problems because the ‘discuss’ feature may be checked. The user claims she has no discuss option in her explorer bar. Is this possible? She says she is using Windows XP Professional and IE 6.0. I’m using the same OS and browser and have ‘discuss’ in my explorer bar.

    Please advise.

  15. jeffdav says:

    I think discuss comes with office, yes? I never use it, so I am not 100% sure. 🙂

  16. HK says:

    BlockUserInit – Whether or not to block windows deemed to be the result of a user initiated action. When on, pop-up blocking is hardcore. Default is off.

    UseTimerMethod – Whether or not to use a timer to detect user initiated actions. Some sites do things asynchronously to mouse clicks… mostly sites where you submit data which results in a popup.

    UseHooks – Whether or not to hook messages going to ActiveX controls. If this is false, then the control may not be able to open a new window.

    AllowHTTPS – Whether or not to blindly allow pop-ups from sites using https.

    The default values are High: T,F,F,F; Med: F,F,T,F; Low: F,T,T,T.

    If you go change one setting by hand and it does not match the template for any of those levels, the level will show as “Custom” in the settings dialog.

    You don’t actually SUPPORT the stuff you’re programming, right? You see, if you were Mr. "I-don’t-know-much-about-my-computer-but-I-heard-theInternet-is-so-dangerous" and you hear of a strange new virus that’s spreading via websites or anything like this or you are annoyed by popupwindows that still came through the popupblockers, you would tend to disable anything.

    Many banks use popups to initiate a secure connection to the user. It’s also used to look up for the browser they’re using and presenting the right javascript-code to let the user do their banking-stuff. They have verified their identity by a trusted root certification authority.

    If they’re clever, they ordered the more expensive special certificate that’s necessary to enable strong in encryption mode in MSIEs that fell under the old export-restrictions concerning strong encryption:

    http://www.verisign.com/products/popInfo/encryption.html

    On behalf of all my colleagues trying to support the various types of MSIE, please do the following on the default high settings:

    Enable to pop up windows which are encrypted, provided they have a certificate that’s issued by a trusted root certification authority. Call this setting: "Enable Popups from trusted, encrypted sites (e.g. Webshops, Online-banking-applications). Note: By disabling this setting, some Webshops or Online Banking might stop working correctly.

    Something like this. Or at least tell the user after enabling the default high setting that some webshops or their Online Banking might not work anymore. Explain the User how to add sites to the white-list. Note: The secured Window opened by many sites originates from an unsecured site.

    Explorer has to check whether the Window which is attempting to open originates from one of the trusted sites. Otherwise, User has to add both the unsecured and the secured URL to its trusted sites. This is a very annoying behaviour of the MSIE since the beginning of MSIE using the zone-model. It would be sufficient to allow any site to open a secured Window from a site that’s in the white list as long as every single item is from the same secured trustworthy domain (disallowing cross-frame-attacks from an unsecured frame).

    To sum up:

    1. Why just the option to allow *every* secured site to open a Popup even though User has no confirmation that the issuer of that certificate is trustworthy? Why not allowing only identified Companies to open a Popupwindow/Use Java Script and stuff even on high settings? Make it adjustable, so that the user could disallow this option on purpose, OK.

    2. Is there a way to explain to Users what to do to get the requested Webshop- or bankingfunctions?

    Sorry for writing so long, but Norton Internet Security already gives us enough headache. But this is going to be a major problem to us. We don’t spam, we don’t do anything bad. We’re just trying to keep our customers happy.

    ;(

    You wouldn’t believe what some Users do to their system without any idea what they are doing. Now try to give them the service they deserve in our opinion and figure out what they need to do to get out of this mess. But as far as I see it, this is going to be a major problem to us and many, many more.

    Sincerely

    HK (full name disclosed upon every mail originating from microsoft.com for now I’m saying that I am from Germany).

    PS: Please send some greetings to "Sven Freitag", he should be in america working @microsoft right now. Working email-address, no need to edit anything: nospam001@gmx.net
