Rob Eberhardt

cleverness ensues

 Tuesday, January 31, 2006

Yeehaw it's out!  I'm downloading now and am actually excited to testdrive it.  Already noteworthy to me is the functionality changes section in the release notes:

Scriptlets—Internet Explorer 7 disables Dynamic HTML (DHTML) scriptlets, by default. (Scriptlets were deprecated in Internet Explorer 5). They can be reenabled by system administrators, changing URLActions with the Internet Control Panel (INetCPl.) The INetCPL text should read "Allow Scriptlets." If your programs rely on scriptlets, we recommend that you use DHTML behaviors which are more efficient. Disabling scriptlets is part of our continued work to ensure that unsupported technology is deemphasized in Internet Explorer.

I'm very happy about this.  It sounds like Microsoft listened (!) to my request to not remove Scriptlets after all, but to instead just disable them by default (which is certainly a good thing for security).  I have several good old IE components written as DHTML Scriptlets, and I need some option to keep using them in existing web apps.

  • ActiveX controls--ActiveX controls are disabled by default in Internet Explorer Version 7. The ActiveX Input TYPE=FILE control no longer submits a fully-qualified path; it now submits only a filename. The ActiveX control for XEnroll certificate enrollment was removed from Windows Vista and replaced with a new control.

This is a big big deal, and again a good one.  But does this include disabling the built-in ActiveX Controls too, like DSOs and XMLHTTPRequest??  (if so, then ouch!)  Good idea on the file input, but it sounds like it'll cause some rewrites.

  • Channel Definition Format (CDF)--All CDF support was removed from Internet Explorer 7 Beta 2 Preview.

This surprises me.  It may be old tech, but it was big (remember all the "push" hullabaloo? man, those were the [something-] old days), and I do still see sites using it.  Not sure from that statement whether it'll come back in a later beta or RC, tho...

  • DirectAnimation--All DLLs to support the Internet Explorer DirectAnimation component were removed in Internet Explorer 7 Beta 2 Update.

Another big change.  So what's the replacement for it, native SVG finally??

  • XBM--Support for XBM, an imaging format designed for X-based systems, was deleted.
  • SSL--Support for weak SSL ciphers was removed from Windows Vista and support for SSLv2 was disabled for all Internet Explorer 7 platforms

Good and better.

  • Windowed Select--The Windowed Select Element was removed from Internet Explorer 7 because IE7 is not using the Windows API. This results in some cosmetic changes in padding. The animation associated with the popup is gone as well, and the popup simply pops up.

Simply marvelous!

  • BASE Element--Internet Explorer 7 strictly enforces the BASE element rule, as documented in the HTML 4.01 standard. We no longer allow BASE tags outside of the HEAD of the document. The standard specifies that the base element must appear within the head of the document, before any elements that refer to an external source.
  • window.opener and window.close--Internet Explorer 7 no longer allows the window.opener trick to bypass the window.close prompt. Browser windows can't close themselves unless the windows were created in script. This security enhancement no longer allows browsing to a random site when the main browser window closes unexpectedly.

Ah, lovely bug fixes.  More please!
(actually, I wish I had known about that window.opener trick a long time ago.  Darn!)

  • WWW-Auth--Internet Explorer 7 changes the precedence rules for WWW-Auth. Previous releases of Internet Explorer used the first header encountered. Internet Explorer 7 uses the first header except when the header is Basic. We use Basic auth if no other authentication mechanism is present.
  • HTTPOnly Cookies--HTTPOnly cookies can no longer be overwritten from scripts.
  • _SEARCH--The _SEARCH sidebar is no longer supported in Internet Explorer 7. It can be reenabled using a URLAction.

All sounds good to me.  I'll be a little sad about _search, tho, but only a little.
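
The WWW-Auth precedence change quoted above, sketched as an added example (not code from the original post or from Microsoft). It matters because Basic sends the password merely base64-encoded, so a server that lists Basic first used to get the weakest scheme chosen. The function names and sample headers are constructed, and the sketch assumes the client supports every scheme offered.

```javascript
// Added illustration of the WWW-Auth precedence rule quoted above.
// Function names and sample headers are constructed for this example.

// Extract the scheme token (e.g. "Basic", "NTLM") from one
// WWW-Authenticate header value; scheme names are case-insensitive.
function schemeOf(headerValue) {
  const match = /^\s*([A-Za-z][\w-]*)/.exec(headerValue);
  return match ? match[1].toLowerCase() : null;
}

// Pre-IE7 rule as the release notes describe it: first header wins.
function pickLegacy(challenges) {
  for (const value of challenges) {
    const scheme = schemeOf(value);
    if (scheme) return { scheme, challenge: value };
  }
  return null;
}

// IE7 rule as described: first header wins unless it is Basic;
// Basic is used only when no other mechanism is offered.
function pickIE7(challenges) {
  let basicFallback = null;
  for (const value of challenges) {
    const scheme = schemeOf(value);
    if (!scheme) continue; // skip malformed or empty values
    if (scheme !== "basic") return { scheme, challenge: value };
    if (!basicFallback) basicFallback = { scheme, challenge: value };
  }
  return basicFallback;
}

// Constructed sample: a server that lists Basic ahead of stronger schemes.
const sampleChallenges = [
  'Basic realm="intranet"',
  "Negotiate",
  "NTLM",
];

console.log("legacy picks:", pickLegacy(sampleChallenges).scheme);
console.log("IE7 picks:   ", pickIE7(sampleChallenges).scheme);
```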

  • View Source--The view-source protocol no longer works in Internet Explorer 7 Beta 2 Update.

It actually stopped working back in IE6sp2, which was a pain for me.  It was a Netscape standard, albeit de facto, but it was still quite handy for sharing code (and non-abusable, that I know).

  • Gopher Protocol--Support for the Gopher protocol was removed at the WinINET level. (Gopher support was turned off by default in Internet Explorer 6.)
  • windowexternalImportExportFavorites--windowexternalImportExportFavorites has been removed in Internet Explorer 7 Beta 2 Preview.
  • Telnet--The telnet protocol handler is no longer supported in Internet Explorer.

Gopher, sure -- I haven't touched that in 10yrs. 
The Favorites method -- eh, not a big fan, but I've seen some very cool specific uses (uploading to bookmark sites, in particular). 
But why no telnet://?  All that ever did was open the default telnet client.  This'll definitely be a pain for some sites. 

  • SysImage URL Scheme--The SysImage URL Scheme has been removed from Internet Explorer.

I actually have no idea what this is, which is unusual with IE.  Anyone wanna enlighten my ignorance?

  • Status Bar Scripting--Script will no longer be able to set the status bar text through the window.status and window.defaultStatus methods by default in the Internet and Restricted Zones. This small step helps prevent attackers from leveraging those methods to spoof the status bar. To revert to previous behavior (allowing script to set the status bar through window.status and window.defaultStatus) select the “Security” tab from “Internet Options” in the Control Panel. Select “Custom level…” for the Internet (or Restricted sites) zone. Find “Allow status bar updates via script” and change the setting to “Enable”.

I won't miss this one much.  When I've used it, it's been more a toy or bandaid for ugly URLs.  Much more often I've seen it abused, so all good here.

I'll post more if I find my test-drive interesting.

There's more good discussion about it over on the IEBlog.

 

1/31/2006 5:26 PM Eastern Standard Time  |  Comments [6]
8/23/2006 11:20:05 PM (Eastern Daylight Time, UTC-04:00)
I think I beat you to the install. :) For the most part I like it. It is kind of weird not having a File menu, but I guess everyone should get used to it since it looks like all new MS products are going that route. I haven't quite figured out the Feeds thing yet, I added all of my RSS Feeds, but I don't know where to find them. Netscape's Feed scroller works better IMO. All in all I'd say this will be a good update.

I checked out the Telnet thing, worried because ALL Cisco equipment when you have HTTP turned on allows you to click the Telnet from their Web UI. I clicked the link and it did open the default telnet app, so either it isn't "broken" in beta or they decided against it.

-Mike
8/23/2006 11:20:05 PM (Eastern Daylight Time, UTC-04:00)
Yup, you did. I'm experimenting with it now.

Agreed about the UI. You can turn the "Classic menu" back on, but you can't put it back in the classic place (top). That and various other weirdness bothers me. Some I can see getting used to but not that. An "observations" post is on its way here.

And yes, telnet's fine. Wonder what the heck they meant by that?

Or what else isn't REALLY disabled now...
8/23/2006 11:20:05 PM (Eastern Daylight Time, UTC-04:00)
Oh, and I already noticed the phishing filter flagged one of my pages as a "suspicious website": http://slingfive.com/pages/code/xDOM/xDOM/xDOM_demo.html
(No idea what set it off, except DHTML Behaviors?)

Fortunately it was easy to fill out an official "I disagree" form. Hopefully it will actually be effective.
8/23/2006 11:20:05 PM (Eastern Daylight Time, UTC-04:00)
Well, good news! They turned it around in a few hours:

============

Thank you for submitting a Website Owner/Administrator Webform to Microsoft Phishing Filter Support.

We analyzed the web page(s) accessible from the URL that you provided: http://slingfive.com/pages/code/xDOM/xDOM/xDOM_demo.html.

Upon further review, we have determined that the URL you provided is not associated with a phishing site. We have rectified the designation given to the URL you submitted. We appreciate you bringing this matter to our attention.

To learn more details about the Microsoft Phishing Filter, please review the white paper located at http://go.microsoft.com/fwlink/?LinkId=49523.

Please do not respond to this email, as it is unmonitored alias. You will not receive a reply if you respond to this email.

Microsoft Phishing Filter Support
8/23/2006 11:20:05 PM (Eastern Daylight Time, UTC-04:00)
Not so good news now. Either Microsoft's phishing folks are sending me weird test messages, or the spammers are already messing with them.

I've gotten 3 messages from them in the last 2 days. Characteristics:
* All sent from "Microsoft Phishing Fliter Support" -- yes they misspelt "filter".
* All with a weird subject line of "SRX1000006..." followed by the original URL.
* Each message has a mysterious single sentence for a body: 1st was "TEST BODY - SENT", 2nd was "This is a Dead email", 3rd was "This is a NOCAT email".
* BUT they were all sent to the address I submitted the original request from.

I'm leaning toward the MS phishing folks are just acting spammy. Not good.
8/23/2006 11:20:05 PM (Eastern Daylight Time, UTC-04:00)
Re: Mike and Rob's comments from 2/1/06: I find that telnet: urls do not work in IE7 beta 2 and 3, whether typed in the address bar directly or clicked on a Cisco router's web UI. I also find virtually unanimous opinion on the web that this telnet:// url capability is gone in IE7. So - a question if I may - before you click telnet on the web UI of your cisco device, do you see "telnet://device-name-or-addr" on the lower left status window? Or has Cisco changed this in new IOSs to somehow do telnet not via the telnet:// URL but rather by ActiveX or Java or something? Thanks in advance.