IE in XP SP2 (Part 3): Web Site Compatibility


See Also: Authenticode - No, and never again! and Information Bar - Stopping the modal dialog madness

Microsoft cares a lot about application compatibility. So does the IE team, but we have an additional burden: web site compatibility. I think I can safely say that there are more web sites (intranet and internet) than there are applications, and many of them are built in a way that is closely tied to specific IE functionality.


While we really try to avoid making changes that affect compatibility, security is one thing that takes precedence. This means that with the large number of security fixes and features in XP SP2 some web sites will break. Between now and RTM things should get a little bit better, but we can't provide workarounds for every web site, and even when we can provide a workaround the experience may not be as smooth as it was before.


In other words, if you're a web site developer or you have an application that hosts the web browser control you should strongly consider installing XP SP2 RC1 to test it out. Similarly, if your users are reporting bugs, don't discount them because they're running a pre-release version of XP SP2.


Below are some common types of problems that you should try to avoid.


Authenticode


As noted in earlier posts, IE no longer immediately launches the Authenticode dialog when it encounters an <OBJECT> tag. Instead, there is a more subtle non-modal piece of UI known as the Information Bar that lets the user know a control is present. This causes problems when web sites specifically rely on there being a modal dialog that blocks the web page. Example issues:



  • Scripting an ActiveX control immediately after instantiating it, assuming the user will install it. (The user will get a script error, as they would if they clicked "No" pre-SP2.)

  • Detecting that the ActiveX control wasn't successfully installed and navigating to an error page. In XP SP2 this navigates away from the very page that lets the user install the control through the modeless Information Bar.

  • Instantiating the ActiveX control for the first time on the page returned by a form submit. To install the control the user now has to refresh that page, which means doing a second submit. (Bonus points if the second form submit causes a duplicate purchase of an expensive product.)

Fortunately for web developers, ActiveX controls only need to be installed once. Make that experience work and you don't have much else to worry about here.
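The three items above come down to one rule: find out whether the control is actually there before you script it, and if it isn't, stay on the page and tell the user what to do. The following is an added example (not code from this post or from the IE team) of page logic written that way. It assumes an `<object id="player">` that exposes a `Play()` method once installed and a hypothetical `<div id="install-help">` for the in-page notice; the `fakeDocument` stand-in at the bottom exists only so the script also runs under Node for checking.

```javascript
// Added example (not code from the original post): script an ActiveX control
// without assuming the Authenticode prompt already ran. Assumed names: the
// <object> is id="player" and exposes Play() once installed; <div
// id="install-help"> is a hypothetical in-page notice. Written with var/function
// syntax so it runs in IE6 as well as in Node (fake DOM below).

var OPTS = { objectId: 'player', helpId: 'install-help', probeMethod: 'Play' };

function controlIsReady(el, probeMethod) {
  // When the Information Bar has blocked the control the <object> element
  // still exists, but none of the control's own members do. JScript reports
  // COM methods as typeof 'unknown', so accept that as well as 'function'.
  if (!el) return false;
  try {
    var t = typeof el[probeMethod];
    return t === 'function' || t === 'unknown';
  } catch (e) {
    return false; // some hosts throw on member access of an unloaded control
  }
}

function bootstrapControl(doc, opts) {
  var el = doc.getElementById(opts.objectId);
  var help = doc.getElementById(opts.helpId);
  if (controlIsReady(el, opts.probeMethod)) {
    if (help) help.style.display = 'none';
    return {
      state: 'ready',
      helpShown: false,
      play: function () { return el[opts.probeMethod](); }
    };
  }
  // Blocked or not installed: stay on this page so the Information Bar
  // remains available, say what to do, and do not redirect to an error page.
  if (help) {
    help.style.display = 'block';
    help.innerHTML = 'This page needs an add-on that is not installed yet. ' +
      'Click the Information Bar at the top of the window, choose Install, ' +
      'and then reload this page.';
  }
  return { state: 'blocked', helpShown: !!help, play: null };
}

// Minimal stand-in for document.getElementById, used when not in a browser.
function fakeDocument(elements) {
  return { getElementById: function (id) { return elements[id] || null; } };
}

// Constructed sample documents: one with the control live, one blocked.
function demo() {
  var helpInstalled = { style: {}, innerHTML: '' };
  var helpBlocked = { style: {}, innerHTML: '' };
  var installed = fakeDocument({
    player: { Play: function () { return 'playing'; } },
    'install-help': helpInstalled
  });
  var blocked = fakeDocument({ player: {}, 'install-help': helpBlocked });
  var a = bootstrapControl(installed, OPTS);
  var b = bootstrapControl(blocked, OPTS);
  return {
    installedState: a.state,
    installedResult: a.play(),
    blockedState: b.state,
    blockedHelp: helpBlocked.innerHTML
  };
}

if (typeof window !== 'undefined' && window.document) {
  // Real browser: probe only after the <object> has had a chance to load.
  window.onload = function () { bootstrapControl(window.document, OPTS); };
} else {
  console.log(demo());
}
```

Put the page that carries the `<object>` behind a GET (redirect to it after any form POST) so that the reload the user has to do to finish the install never re-submits the form.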


Pop-up Windows (non-user-initiated)


The best thing is to simply avoid showing pop-up windows. This shouldn't be news to anybody, as there are literally dozens of pop-up blockers out there (and blocking is built into most major third-party browsers), but we've encountered plenty of sites that don't function well when pop-ups are blocked. Example issues:



  • Redirecting when a pop-up is blocked.

  • Instantiating an ActiveX control from a pop-up, especially if you close the window if it fails.

  • Having one pop-up launch another pop-up in another domain. (Bonus points if the second pop-up attempts to install an ActiveX control or download a file, and the chain of pop-ups does a cascading close when the control is blocked.)

  • One-time pop-ups that the user needs to see, but can't be replayed even after refreshing the page.
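If a page does need a secondary window, the safe shape is: open it only from a user action, check whether the blocker suppressed it, and fall back in-page rather than redirecting, closing windows or chaining another pop-up. The following is an added example (not code from this post or from the IE team) of that pattern. It relies on `window.open` returning `null` when the pop-up is blocked; the `<div id="popup-fallback">`, the `#open-help` link and the "seen" store are hypothetical names, and the `fakeWindow`/`fakeDocument` stand-ins exist only so the script also runs under Node for checking.

```javascript
// Added example (not code from the original post): open a pop-up only from a
// user action, notice when the blocker suppressed it, and fall back to
// in-page content instead of redirecting, closing windows, or chaining
// further pop-ups. Assumed names: <div id="popup-fallback">, the #open-help
// link and the one-time "store" object are hypothetical.

function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function openWithFallback(win, doc, url, name) {
  var child = null;
  try {
    child = win.open(url, name, 'width=600,height=400');
  } catch (e) {
    child = null; // treat a throwing blocker the same as a null return
  }
  if (child) return { opened: true, fallback: false };

  // Blocked: show the same target inline as an ordinary link. A click on it
  // is user-initiated, so a new window is allowed from there.
  var box = doc.getElementById('popup-fallback');
  if (!box) return { opened: false, fallback: false };
  box.innerHTML = 'A pop-up window was blocked. ' +
    '<a href="' + escapeHtml(url) + '" target="_blank">Open it here instead</a>.';
  box.style.display = 'block';
  return { opened: false, fallback: true };
}

// One-time notice: mark it "seen" only once the user could actually see it,
// so a blocked first attempt is replayed on the next visit or reload.
function showOnceNotice(win, doc, url, store) {
  if (store.seen) return 'already-seen';
  var r = openWithFallback(win, doc, url, 'notice');
  if (r.opened || r.fallback) {
    store.seen = true;
    return r.opened ? 'shown-popup' : 'shown-inline';
  }
  return 'not-shown';
}

// Constructed stand-ins for the browser, used when not running in one.
function fakeWindow(blocking) {
  return { open: function () { return blocking ? null : { closed: false }; } };
}
function fakeDocument(elements) {
  return { getElementById: function (id) { return elements[id] || null; } };
}

function demo() {
  var box = { style: {}, innerHTML: '' };
  var doc = fakeDocument({ 'popup-fallback': box });
  var store = { seen: false };
  var first = showOnceNotice(fakeWindow(true), doc, 'terms.html?v=2&x="1"', store);
  var second = showOnceNotice(fakeWindow(true), doc, 'terms.html', store);
  var allowed = openWithFallback(fakeWindow(false), doc, 'help.html', 'help');
  var noBox = showOnceNotice(fakeWindow(true), fakeDocument({}), 'x.html', { seen: false });
  return {
    first: first,
    second: second,
    inline: box.innerHTML,
    allowedOpened: allowed.opened,
    noBox: noBox
  };
}

if (typeof window !== 'undefined' && window.document) {
  // Browser: wire the open call to a click so it counts as user-initiated.
  var link = window.document.getElementById('open-help');
  if (link) link.onclick = function () {
    openWithFallback(window, window.document, this.href, 'help');
    return false;
  };
} else {
  console.log(demo());
}
```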

Downloads


As noted in earlier posts, non-user-initiated downloads are blocked by default. This is something I haven't seen other browsers do and it may require a few download sites to adapt. Fortunately there's plenty of time before most users will have XP SP2. Example issues:



  • Instead of launching the download directly, using the link to navigate to a page that kicks off the download using a timer.

  • Creating a timeout, after which the server refuses to cough up the file. I've seen pages where I can start the download if I click the Information Bar within five seconds, but not after that.

  • Launching a download from a pop-up window.

HTML Dialogs


The Information Bar is a component of the web browser control and will not show up if you host mshtml directly, so some of the items above may be blocked outright with no easy end-user workaround. HTML dialogs opened with showModalDialog() and showModelessDialog() are where most web sites will run into this: the dialog has no Information Bar to click, so a blocked control, pop-up or download inside one simply fails.


MIME Type Handling


I'm not as familiar with this feature, but I've run into problems caused by its security restrictions on a few web sites. The primary issue is servers that are misconfigured to send the type "text/plain" for binary content such as streaming video or music.


Local Machine Zone Scripting


As mentioned in part 2, this is one of the most impactful changes. Again, I'm not intimately familiar with this feature, but if you're doing any kind of scripting from local HTML files that get launched in Internet Explorer (or the Explorer shell) you should look at the XP SP2 RC1 documentation for how to use the "mark of the web" and the other mitigations.


Of special note here are Explorer Bars and Desk Bands. We've seen several instances where these require the user to use the Information Bar to unblock script or content, and in some cases the Information Bar is barely clickable because the band is so small.
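Since the mark of the web comes up again in the comments below, here is what it looks like in practice, as an added example (not code from this post or from the IE team). The mark is an HTML comment, `<!-- saved from url=(NNNN)URL -->`, placed at the top of the file, where NNNN is the length of URL as four zero-padded digits; `about:internet` puts the file in the Internet zone, and a real URL puts it in whatever zone that URL would fall in. The script generates the comment, inserts it into a saved page (replacing any stale one) and checks that the count matches. Function names and the sample page are this example's own, and it runs under Node.

```javascript
// Added example (not code from the original post): generate, insert and
// check the Mark of the Web comment that XP SP2 honours on local HTML files.
// Format:  <!-- saved from url=(NNNN)URL -->  with NNNN = length of URL as
// four zero-padded digits. Function names here are this example's own.

function markOfTheWeb(url) {
  // The count is in characters; keep to printable ASCII without spaces so
  // characters and bytes agree and the closing "-->" is unambiguous.
  if (!/^[\x21-\x7e]+$/.test(url)) throw new Error('URL must be printable ASCII with no spaces');
  if (url.length > 9999) throw new Error('URL too long for a 4-digit count');
  var count = String(url.length);
  while (count.length < 4) count = '0' + count;
  return '<!-- saved from url=(' + count + ')' + url + ' -->';
}

var MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->/i;

function parseMarkOfTheWeb(html) {
  var m = MOTW_RE.exec(html);
  if (!m) return { present: false, url: null, valid: false };
  var url = m[2];
  // A count that disagrees with the URL is a broken mark; report it invalid.
  return { present: true, url: url, valid: parseInt(m[1], 10) === url.length };
}

function addMarkOfTheWeb(html, url) {
  // Drop any existing mark so the file never carries two, then put the new
  // one on the very first line, ahead of <!DOCTYPE> and <html>.
  var stripped = html.replace(new RegExp(MOTW_RE.source + '\\r?\\n?', 'i'), '');
  return markOfTheWeb(url) + '\r\n' + stripped;
}

// Constructed sample: a saved page whose existing mark has a wrong count
// (0010 for a 14-character URL), so IE would not treat it as marked.
var SAMPLE = '<!-- saved from url=(0010)about:internet -->\r\n' +
  '<html><body><script>alert("hi")</script></body></html>';

function demo() {
  var before = parseMarkOfTheWeb(SAMPLE);
  var fixed = addMarkOfTheWeb(SAMPLE, 'http://www.example.com/');
  var after = parseMarkOfTheWeb(fixed);
  return {
    beforeValid: before.valid,
    afterValid: after.valid,
    afterUrl: after.url,
    marks: fixed.split('saved from url').length - 1,
    firstLine: fixed.split('\r\n')[0]
  };
}

console.log(demo());
```

A marked file that is opened from the local disk behaves like a page from the zone named in the mark, which is the whole point: it loses Local Machine Zone privileges rather than gaining anything, so the mark is a way to opt your own files into the restrictions, not a way around them.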

Comments (20)

  1. Stephane Rodriguez says:

    Regarding MIME types, any info on XPSP2 and application/octet-stream? I see it as a major vulnerability problem.

    Let’s take an example : classic Flash anims used to download associated .swf movies locally by means of a registered application/x-shockwave-flash mime type. Unfortunately, since some time, those flash players as well as those people hosting the anims tend to use the more generic application/octet-stream mime type instead, which is less likely to be blocked since it is used for the matter of downloading zip files, exe files, …

    This silently and unnotified change over the use of mime types in conjunction with expected Flash animations can turn any web client into a wreck, and even worse, since the Flash host affords himself the right to download an essentially generic byte buffer that may, depending on the Flash scripting, execute arbitrary code once it’s downloaded. Of note is that it may execute code under the execution rights of the embedded Flash player, not the IE security zones.

    Any info on that?

  2. Pete Cole says:

    …The Information Bar is a component of the web browser control….

    I thought IE hosted mshtml directly, not the web browser control. Are you saying that apps that host the web browser control are going to get ‘hit’ by the Information bar – if so, how does one stop it?

  3. Stephane, I’ll talk to some people about this.

  4. Pete, I hope to post soon on how you can opt-in to the IE security mitigations, including the Information Bar.

    By default it only affects the iexplore.exe and explorer.exe processes.

  5. Aaron Lewis says:

    Regarding pop-ups… Imagine Windows without dialogs. Hopefully the "user-initiated" criteria stays firm in the minds of browser developers, though I know Opera can be a little brat about it.

  6. Jerry Mead says:

    This blog is great, thanks. However something more formal would also be nice. There’s a note here describing the IE SP2 change documentation that we don’t seem to have seen yet:

    http://www.zeepe.net/dasBlog/default,date,2004-03-27.aspx

  7. Sticking to user initiated pop-up windows and downloads has to be one of the most dramatic changes to IE in years. I almost feel bad for all those popup blockers that will render useless after SP2. However, there are a bunch of sites that make fair use of automatic downloads, for example, to select the nearest site mirror or for statistical purposes. Anyway, security first.

  8. JD on MX says:

    Site changes with new IE/Win: The upcoming Service Pack 2 of Windows XP will change specific functionality in Microsoft Internet Explorer. (See last week’s links.) Here, Tony Schreiner of Microsoft discusses specific features on existing websites which may be affected…

  9. Jerry Mead says:

    — have you taken a look at the following site —

    No, but we’re looking now. Thanks.

  10. Mindy says:

    Will the IE SP2 also be part of Windows Update for people that don’t have XP SP2? I’m trying to determine how many of my end users will have this version of the browser and how quickly. If just people with XP SP2, that would slow down deployment. However, if Windows Update also installs it for Win2k, WinMe, etc. then more people will have it sooner.

  11. Mindy, there isn’t yet any information I can share on if/when/how this may be ported downlevel and distributed. If anything happens it would certainly lag SP2, which isn’t due out for another couple months.

  12. Hi. Can anyone tell me why Microsoft allows the "Mark of the Web" to function as a workaround for Local Machine Zone Lockdown? It seems like any malicious hacker could just insert the "Mark of the Web" in all his or her pages to circumvent this new security feature of XP SP2.

  13. When you insert the "Mark of the Web", it makes the page behave as if it’s a normal web page. That means the page is no longer running in the Local Machine Zone and doesn’t have access to local files and such.

  14. Sir JusticE says:

    more to the point, when are we gonna get the PNG support that we find on other web browsers that already have it

  15. Someday, maybe, someday.

  16. Yair says:

    What about a mark of the web for XML pages? Is there anything I can do to make sure XML pages will also be placed out of the local machine zone?

  17. Yair, as far as I know there is currently no way to do that.
