New security features in IE8

Microsoft has announced interesting new security features that will be in Internet Explorer 8 Beta 2. They are following other browsers such as Firefox on some issues, and taking bold new steps on others.

Firefox users are already filing bugs asking for us to match some of these features.

4 Responses to “New security features in IE8”

  1. Mardeg Says:

    “IE8 prevents “upsniff” of files served with image/* content types into HTML/Script. Even if a file contains script, if the server declares that it is an image, IE will not run the embedded script.”
    “We were able to make this change by default with minimal compatibility impact because servers rarely knowingly send HTML or script with an image/* content type.”

    So much for them working towards natively supporting image/svg+xml which allows JavaScript in SVG files (does this also break Adobe’s SVG viewer?)

  2. Lee Says:

    I see their address bar now highlights the domain, making the rest of the URL grey. I seem to recall reading that this was removed from Firefox nightlies because people found it annoying/harder to read, so I’m interested to see what happens with it in IE.

    I do quite like the idea of isolated mode, though – it’s nice that different tabs can be loaded with different privileges according to the native OS, and that crashes are less of an annoyance. Conceivably this could help with reclaiming lost memory, such as when a plugin leaks memory, too.

  3. ant Says:

    The XSS thing is something NoScript already protects against.

    I’d expect such a simple thing (whitelist JS execution) to be built into the browser by now since it’s been getting requested for X years, but as usual developer politics seem to be killing progress…

  4. Gerv Says:

    From a usability point of view, lack of whitelisting JS execution is not about “developer politics”, it’s about the fact that websites stop working by default, and people don’t like that.