Major IE8 flaw makes ‘safe’ sites unsafe. IE8 has an XSS protection feature which rewrites potentially harmful code in HTML pages—I think it looks for suspicious input in the query string that appears to have been echoed directly into the page. Unfortunately it turns out there’s a flaw in the feature that can allow attackers to rewrite safe pages to introduce XSS flaws. Google are serving all of their pages with the X-XSS-Protection: 0 header, which opts the page out of the filter entirely. Until the fix is released, that’s probably a good idea. # 22nd November 2009, 3:34 pm

IE8 Security Part IV: The XSS Filter (via) IE8 will include an XSS filter to identify and neutralise “reflected” XSS attacks (where malicious code in a query string is rendered to the page), turned on by default. Sounds like a good idea to me, and site authors can disable it using Yet Another Custom HTTP header (X-XSS-Protection: 0). # 3rd July 2008, 9:37 am
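Both of the IE8 entries above describe the same mechanism: a browser-side filter that flags a query-string value containing script-like markup when that value is echoed verbatim into the response, rewrites the page to break it, and can be switched off per response with X-XSS-Protection: 0. The following is an added example (mine, not Microsoft’s filter code or Google’s server configuration) that models that behaviour in Python so the opt-out can be seen end to end. The SUSPICIOUS pattern and the “replace with #” rewrite are simplified assumptions standing in for the real rule set; the search page and the URL are constructed sample input.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Markup a reflected-XSS filter would plausibly treat as suspicious.
# Assumed, simplified stand-in; not the real IE8 rule set.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def reflected_suspects(url, body):
    """Query-string values that look like script AND appear verbatim in the response body."""
    query = urlsplit(url).query
    found = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            if SUSPICIOUS.search(value) and value in body:
                found.append(value)
    return found


def neuter(body, suspects):
    """Model of the filter's rewrite: break each reflected value by replacing
    '<', '>' and '=' with '#'. Simplified stand-in for how the real filter alters the page."""
    for value in suspects:
        body = body.replace(value, re.sub(r"[<>=]", "#", value))
    return body


def filter_response(url, headers, body):
    """What a filtering browser would render for (url, response headers, response body).

    Returns (rendered_body, was_rewritten). A response carrying
    X-XSS-Protection: 0 is passed through untouched, which is the opt-out the page describes.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-xss-protection", "").strip().startswith("0"):
        return body, False
    suspects = reflected_suspects(url, body)
    if not suspects:
        return body, False
    return neuter(body, suspects), True


def disable_xss_filter(app):
    """WSGI middleware that stamps X-XSS-Protection: 0 on every response,
    the server-side opt-out the page says Google applied across their pages."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "x-xss-protection"]
            headers.append(("X-XSS-Protection", "0"))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def vulnerable_search(q):
    """Constructed sample page that echoes the search term unescaped (deliberately vulnerable)."""
    return "<html><body>Results for " + q + "</body></html>"


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    url = "http://example.test/search?q=" + payload
    body = vulnerable_search(payload)
    print(filter_response(url, {}, body))                          # rewritten by the filter
    print(filter_response(url, {"X-XSS-Protection": "0"}, body))   # opt-out: served as-is
```

The opt-out is all-or-nothing: once the header is sent, the page relies entirely on its own output encoding, which is why the page above treats it as a stopgap until the filter is fixed rather than a permanent setting.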

Principles and Legality. Eric Meyer notes that language about legality in Microsoft’s recent IE announcement suggests that Opera’s much criticised EU threat may have helped positively influence the result. # 4th March 2008, 7:45 pm

Conversation with Bill Gates about IE8 and Microsoft Transparency. Molly asks the tough questions about IE8—it looks like there should be a lot of IE8 material at MIX08 next year. # 6th December 2007, 11:47 am