Yeehaw it’s out! I’m downloading now and am actually excited to test-drive it. Already noteworthy to me is the functionality changes section in the release notes:
- Scriptlets–Internet Explorer 7 disables Dynamic HTML (DHTML) scriptlets, by default. (Scriptlets were deprecated in Internet Explorer 5). They can be reenabled by system administrators, changing URLActions with the Internet Control Panel (INetCPl.) The INetCPL text should read “Allow Scriptlets.” If your programs rely on scriptlets, we recommend that you use DHTML behaviors which are more efficient. Disabling scriptlets is part of our continued work to ensure that unsupported technology is deemphasized in Internet Explorer.
I’m very happy about this. It sounds like Microsoft listened (!) to my request to not remove Scriptlets after all, but to instead just disable them by default (which is certainly a good thing for security). I have several good old IE components written as DHTML Scriptlets, and I need some option to keep using them in existing web apps.
- ActiveX controls–ActiveX controls are disabled by default in Internet Explorer Version 7. The ActiveX Input TYPE=FILE control no longer submits a fully-qualified path; it now submits only a filename. The ActiveX control for XEnroll certificate enrollment was removed from Windows Vista and replaced with a new control.
This is a big big deal, and again a good one. But does this include disabling the built-in ActiveX Controls too, like DSOs and XMLHTTPRequest?? (if so, then ouch!) Good idea on the file input, but it sounds like it’ll cause some rewrites.
- Channel Definition Format (CDF)–All CDF support was removed from Internet Explorer 7 Beta 2 Preview.
This surprises me. It may be old tech, but it was big (remember all the “push” hullabaloo? man, those were the [something-] old days), and I do still see sites using it. Not sure from that statement whether it’ll come back in a later beta or RC, tho…
- DirectAnimation–All DLLs to support the Internet Explorer DirectAnimation component were removed in Internet Explorer 7 Beta 2 Update.
Another big change. So what’s the replacement for it, native SVG finally??
- XBM–Support for XBM, an imaging format designed for X-based systems, was deleted.
- SSL–Support for weak SSL ciphers was removed from Windows Vista and support for SSLv2 was disabled for all Internet Explorer 7 platforms.
Good and better.
- Windowed Select–The Windowed Select Element was removed from Internet Explorer 7 because IE7 is not using the Windows API. This results in some cosmetic changes in padding. The animation associated with the popup is gone as well, and the popup simply pops up.
- BASE Element–Internet Explorer 7 strictly enforces the BASE element rule, as documented in the HTML 4.01 standard. We no longer allow BASE tags outside of the HEAD of the document. The standard specifies that the base element must appear within the head of the document, before any elements that refer to an external source.
- window.opener and window.close–Internet Explorer 7 no longer allows the window.opener trick to bypass the window.close prompt. Browser windows can’t close themselves unless the windows were created in script. This security enhancement no longer allows browsing to a random site when the main browser window closes unexpectedly.
Ah, lovely bug fixes. More please!
(actually, I wish I had known about that window.opener trick a long time ago. Darn!)
- WWW-Auth–Internet Explorer 7 changes the precedence rules for WWW-Auth. Previous releases of Internet Explorer used the first header encountered. Internet Explorer 7 uses the first header except when the header is Basic. We use Basic auth if no other authentication mechanism is present.
- HTTPOnly Cookies–HTTPOnly cookies can no longer be overwritten from scripts.
- _SEARCH–The _SEARCH sidebar is no longer supported in Internet Explorer 7. It can be reenabled using a URLAction.
All sounds good to me. I’ll be a little sad about _search, tho, but only a little.
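The WWW-Auth precedence change quoted above matters because Basic sends the password merely base64-encoded, so a server that lists Basic first used to get the weakest scheme. The sketch below is an added example, not Microsoft's code: it models only the rule as the release note words it, and the function names, the one-challenge-per-header assumption and the sample headers are constructed for illustration.

```javascript
// Added example: models the precedence rule quoted from the release notes.
// Assumption: each WWW-Authenticate header line carries exactly one challenge,
// and the client supports every scheme offered.

// The scheme is the first token of the header value,
// e.g. 'Basic realm="x"' -> 'basic'. Scheme names are case-insensitive.
function schemeOf(headerValue) {
  const m = /^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)/.exec(headerValue);
  return m ? m[1].toLowerCase() : null;
}

// Rule described for earlier releases: use the first header encountered.
function pickLegacy(headers) {
  for (const h of headers) {
    const s = schemeOf(h);
    if (s) return s;
  }
  return null;
}

// Rule described for IE7: use the first header unless it is Basic;
// fall back to Basic only when no other mechanism is present.
function pickIE7(headers) {
  let sawBasic = false;
  for (const h of headers) {
    const s = schemeOf(h);
    if (!s) continue;
    if (s === "basic") { sawBasic = true; continue; }
    return s;
  }
  return sawBasic ? "basic" : null;
}

// Constructed sample challenge lists (not captured from a real server).
const basicFirst = ['Basic realm="intranet"', "Negotiate", "NTLM"];
const basicOnly = ['BASIC realm="legacy app"'];

// Side-by-side result for a given list of WWW-Authenticate values.
function compare(headers) {
  return { legacy: pickLegacy(headers), ie7: pickIE7(headers) };
}

console.log(compare(basicFirst)); // legacy picks basic, ie7 picks negotiate
console.log(compare(basicOnly));  // both fall back to basic
```

On the server side, the practical check is to look at the order and set of challenges your application emits: clients following the older rule will use whatever comes first.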
- View Source–The view-source protocol no longer works in Internet Explorer 7 Beta 2 Update.
It actually stopped working back in IE6sp2, which was a pain for me. It was a Netscape standard, albeit de facto, but it was still quite handy for sharing code (and non-abusable, that I know).
- Gopher Protocol–Support for the Gopher protocol was removed at the WinINET level. (Gopher support was turned off by default in Internet Explorer 6.)
- window.external.ImportExportFavorites–window.external.ImportExportFavorites has been removed in Internet Explorer 7 Beta 2 Preview.
- Telnet–The telnet protocol handler is no longer supported in Internet Explorer.
Gopher, sure — I haven’t touched that in 10yrs.
The Favorites method — eh, not a big fan, but I’ve seen some very cool specific uses (uploading to bookmark sites, in particular).
But why no telnet://? All that ever did was open the default telnet client. This’ll definitely be a pain for some sites.
- SysImage URL Scheme–The SysImage URL Scheme has been removed from Internet Explorer.
I actually have no idea what this is, which is unusual with IE. Anyone wanna enlighten my ignorance?
- Status Bar Scripting–Script will no longer be able to set the status bar text through the window.status and window.defaultStatus methods by default in the Internet and Restricted Zones. This small step helps prevent attackers from leveraging those methods to spoof the status bar. To revert to previous behavior (allowing script to set the status bar through window.status and window.defaultStatus) select the “Security” tab from “Internet Options” in the Control Panel. Select “Custom level…” for the Internet (or Restricted sites) zone. Find “Allow status bar updates via script” and change the setting to “Enable”.
I won’t miss this one much. When I’ve used it, it’s been more a toy or bandaid for ugly URLs. Much more often I’ve seen it abused, so all good here.
I’ll post more if I find my test-drive interesting.
There’s more good discussion about it over on the IEBlog.