Comments on: New security features in IE8 http://www.squarefree.com/2008/07/04/new-security-features-in-ie8/ Jesse Ruderman on Firefox, security, and more Fri, 09 Sep 2011 05:56:55 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Gerv http://www.squarefree.com/2008/07/04/new-security-features-in-ie8/comment-page-1/#comment-4179 Gerv Mon, 07 Jul 2008 08:35:41 +0000 http://www.squarefree.com/?p=398#comment-4179 From a usability point of view, lack of whitelisting JS execution is not about "developer politics", it's about the fact that websites stop working by default, and people don't like that. From a usability point of view, lack of whitelisting JS execution is not about “developer politics”, it’s about the fact that websites stop working by default, and people don’t like that.

]]> By: ant http://www.squarefree.com/2008/07/04/new-security-features-in-ie8/comment-page-1/#comment-4175 ant Fri, 04 Jul 2008 23:38:06 +0000 http://www.squarefree.com/?p=398#comment-4175 The XSS thing is something NoScript already protects against. I'd expect such a simple thing (whitelist JS execution) to be built into the browser by now since it's been getting requested for X years, but as usual developer politics seem to be killing progress... The XSS thing is something NoScript already protects against.

I’d expect such a simple thing (whitelist JS execution) to be built into the browser by now since it’s been getting requested for X years, but as usual developer politics seem to be killing progress…

]]> By: Lee http://www.squarefree.com/2008/07/04/new-security-features-in-ie8/comment-page-1/#comment-4174 Lee Fri, 04 Jul 2008 22:24:23 +0000 http://www.squarefree.com/?p=398#comment-4174 I see their address bar now highlights the domain, making the rest of the URL grey. I seem to recall reading that this was removed from firefox nightlies because people found it annoying/harder to read, so I'm interested to see what happens with it in IE. I do quite like the idea of isolated mode, though - it's nice that different tabs can be loaded with different privileges according to the native OS, and that crashes are less of an annoyance. Conceivably this could help with reclaiming lost memory, such as when a plugin leaks memory, too. I see their address bar now highlights the domain, making the rest of the URL grey. I seem to recall reading that this was removed from firefox nightlies because people found it annoying/harder to read, so I’m interested to see what happens with it in IE.

I do quite like the idea of isolated mode, though – it’s nice that different tabs can be loaded with different privileges according to the native OS, and that crashes are less of an annoyance. Conceivably this could help with reclaiming lost memory, such as when a plugin leaks memory, too.

]]> By: Mardeg http://www.squarefree.com/2008/07/04/new-security-features-in-ie8/comment-page-1/#comment-4173 Mardeg Fri, 04 Jul 2008 22:16:26 +0000 http://www.squarefree.com/?p=398#comment-4173 "IE8 prevents “upsniff” of files served with image/* content types into HTML/Script. Even if a file contains script, if the server declares that it is an image, IE will not run the embedded script." "We were able to make this change by default with minimal compatibility impact because servers rarely knowingly send HTML or script with an image/* content type." So much for them working towards natively supporting image/svg+xml which allows javascript in SVG files (does this also break Adobe's SVG viewer?) “IE8 prevents “upsniff” of files served with image/* content types into HTML/Script. Even if a file contains script, if the server declares that it is an image, IE will not run the embedded script.”
“We were able to make this change by default with minimal compatibility impact because servers rarely knowingly send HTML or script with an image/* content type.”

So much for them working towards natively supporting image/svg+xml which allows javascript in SVG files (does this also break Adobe’s SVG viewer?)

]]>