WebProWorld
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1 (permalink)
03-26-2009, 04:08 PM
wige
Moderator
WebProWorld Moderator
Join Date: Jun 2006
Location: United States
Posts: 2,648
Internet Explorer 8 Cross Site Scripting Filter

Playing around with my new install of Internet Explorer 8, I got the following message in the information bar that shows page-related security alerts...

Quote:
Internet Explorer has modified this page to help prevent cross-site scripting. Click here for more information...
As usual, clicking the information bar only opened a generic help window, with no information about what triggered the filter, or how to correct whatever problem was detected. This tells me that if such a message is encountered on one of my sites, tracking down the issue will be difficult to say the least.

I have already encountered sites that have triggered the filter. Most of these issues were related to advertising code. Unfortunately, there is no easy way to diagnose these issues. A developer needs to install Microsoft's Compatibility Viewer to view the event log generated by the filter. This application can be downloaded from: Microsoft Application Compatibility Toolkit 5.0

Information on the filter can be found here: IEBlog : IE8 Security Part IV: The XSS Filter
__________________
The best way to learn anything, is to question everything.

#2 (permalink)
03-26-2009, 06:39 PM
kgun
WebProWorld 1,000+ Club
WebProWorld MVP
Join Date: May 2005
Location: Norway
Posts: 5,678
Re: Internet Explorer 8 Cross Site Scripting Filter

Quote:
Originally Posted by wige View Post
Internet Explorer has modified this page to help prevent cross-site scripting. Click here for more information...
The devil is in the details. Is the correct message:

"Internet Explorer has modified (encapsulated) the parsing of this page to help prevent cross-site scripting. Click here for more information..."

Unless, I see some problems for Microsoft.

Last edited by kgun; 03-26-2009 at 06:41 PM.

#3 (permalink)
03-27-2009, 10:46 AM
wige
Moderator
WebProWorld Moderator
Join Date: Jun 2006
Location: United States
Posts: 2,648
Re: Internet Explorer 8 Cross Site Scripting Filter

Well, I think there is more to it than that. The first blog post about this feature indicated that IE would monitor all incoming and outgoing traffic from the browser and modify the code to prevent possible attacks. So, for example, if a URL contained <script> in an attempt to inject javascript, the filter would mangle the outgoing request removing the script code. Similar functions would be performed on suspicious quotes in form fields that might indicate SQL injection, limitations on off-domain scripts, etc.

Most of the pages where I have gotten the warning seem to trigger the filter because of scripting on embedded ads. As a result, the ad is not displayed to the user. Instead, just the javascript code is displayed on the page as plain text.
__________________
The best way to learn anything, is to question everything.

#4 (permalink)
03-27-2009, 11:45 AM
kgun
WebProWorld 1,000+ Club
WebProWorld MVP
Join Date: May 2005
Location: Norway
Posts: 5,678
Re: Internet Explorer 8 Cross Site Scripting Filter

Quote:
Originally Posted by wige View Post
Most of the pages where I have gotten the warning seem to trigger the filter because of scripting on embedded ads. As a result, the ad is not displayed to the user. Instead, just the javascript code is displayed on the page as plain text.
Well a new nail in the business model for small companies, even if the page is not changed, only what is presented to the surfer.

It is a new argument for a static brand link model based on a clean link with rel="nofollow" to please Google.

Personally I prefer a model where the surfer decides him / herself by setting the adfilter. It is, as I have said, very easy to set that even for the new user in Opera.

So webmasters and surfers in all countries join and start using Opera to surf the web.

#5 (permalink)
03-28-2009, 12:31 AM
deepsand
WebProWorld 1,000+ Club
WebProWorld MVP
Join Date: May 2004
Location: Philadelphia, PA
Posts: 3,217
Re: Internet Explorer 8 Cross Site Scripting Filter

Am I to understand that this behavior is wholly independent of any user controllable browser settings?

#6 (permalink)
03-28-2009, 10:20 AM
DaveSawers
WebProWorld Veteran
Join Date: Dec 2006
Location: Calgary, Alberta, Canada
Posts: 492
Re: Internet Explorer 8 Cross Site Scripting Filter

I thought it was time to download this new IE8 to see what happens with my sites. These posts were getting me a little concerned.

I'm running Vista Home Premium and the download was quick and problem free. However, IE8 overwrote IE7 without asking if I might want to keep the older version, just as it did when upgrading from IE6 to 7. This isn't a problem for me as I have other computers that I can use to check older versions of IE on and I use Firefox as my day to day developing tool.

None of my sites needed compatibility mode and none of them produced any cross site scripting problems. Not all the HTML on my sites is standard as some of the sites are quite old. Some use Adsense and the newer ones make extensive use of AJAX.

IE8 did pick up one coding error in the site I'm working on at the moment which is an AJAX implementation of an oil industry desktop application. I'd missed a '>' off the end of a div declaration which Firefox passed over. Since I only made that code change yesterday the error was unlikely to have made it through to even a test version. Finding the problem with the developer tools in IE8 was quick and easy, so easy in fact that I may consider switching over from Firefox for primary development. Never thought I'd hear myself saying that! If it's at least as good at picking up Javascript problems as Firefox I'll be tempted.
__________________
Dynamic Software Development
www.activeminds.ca

#7 (permalink)
03-28-2009, 11:05 PM
edhan
WebProWorld Veteran
Join Date: Aug 2003
Location: Singapore
Posts: 716
Re: Internet Explorer 8 Cross Site Scripting Filter

I think I will wait before jumping into IE8 though the features seem to be good. I did try the IE8 beta but it is displaying my sites with all the misalignment. Guess I will wait until more people are converting to IE8 and I will then be forced to use it. Or maybe I should be trying out with another system and slowly make changes to be compatible?

#8 (permalink)
03-29-2009, 10:39 AM
deepsand
WebProWorld 1,000+ Club
WebProWorld MVP
Join Date: May 2004
Location: Philadelphia, PA
Posts: 3,217
Re: Internet Explorer 8 Cross Site Scripting Filter

Quote:
Originally Posted by wige View Post
Most of the pages where I have gotten the warning seem to trigger the filter because of scripting on embedded ads. As a result, the ad is not displayed to the user. Instead, just the javascript code is displayed on the page as plain text.
Hm-mm. The ad wars version of The Empire Strikes Back?

#9 (permalink)
03-29-2009, 10:49 AM
kgun
WebProWorld 1,000+ Club
WebProWorld MVP
Join Date: May 2005
Location: Norway
Posts: 5,678
Re: Internet Explorer 8 Cross Site Scripting Filter

Quote:
Originally Posted by deepsand View Post
Hm-mm. The ad wars version of The Empire Strikes Back?
One description of the Internet. "The world's biggest anarchy".

Now the ad model is "forced upon" us by big companies. Maybe there has to be an over national agency like WTO setting ad standards in cyber space.

Timothy Geithner called for a new risk watchdog the day before yesterday. There is need for a new cyberspace business (more precisely digital advertising) watchdog, too.

#10 (permalink)
03-29-2009, 06:49 PM
deepsand
WebProWorld 1,000+ Club
WebProWorld MVP
Join Date: May 2004
Location: Philadelphia, PA
Posts: 3,217
Re: Internet Explorer 8 Cross Site Scripting Filter

Quote:
Originally Posted by kgun View Post
May be there has to be an over national agency ...
Even were there an international body with both jurisdiction and commensurate power, would you trust it?

Quote:
Originally Posted by kgun View Post
One description of the Internet. "The world's biggest anarchy".
True; but, I prefer anarchy to despotism.

#11 (permalink)
03-30-2009, 10:49 AM
wige
Moderator
WebProWorld Moderator
Join Date: Jun 2006
Location: United States
Posts: 2,648
Re: Internet Explorer 8 Cross Site Scripting Filter

Quote:
Originally Posted by DaveSawers View Post
If it's at least as good at picking up Javascript problems as Firefox I'll be tempted.
To me, the Javascript checking seems flaky. IE always seems to report problems with vague error messages ("Method does not exist") followed by incorrect line numbers.

Quote:
Originally Posted by deepsand
Am I to understand that this behavior is wholly independent of any user controllable browser settings?
Correct. From what I can tell, it might be possible to somehow turn this feature off, but it is enabled by default and I don't see an easy way to disable it. The user is not prompted, and cannot disable the filter when a page is filtered, the way they could enable a download when the download filter is triggered.

Quote:
Originally Posted by edhan View Post
I think I will wait before jumping into IE8 though the features seem to be good. I did try the IE8 beta but it is displaying my sites with all the misalignment. Guess I will wait until more people are converting to IE8 and I will then be forced to use it. Or maybe I should be trying out with another system and slowly make changes to be compatible?
There have been some changes between the Beta and the final release. Many issues (such as the one with Google results pages causing an infinite loop) appear to have been corrected. Microsoft has released a VM image that can be used to test IE8 without installing it on your system, as one option.

Quote:
Originally Posted by deepsand View Post
Hm-mm. The ad wars version of The Empire Strikes Back?
I don't know about that. This seems like it should be more of an edge case, just a warning that webmasters need to be careful and test when working with cross-domain scripting.
__________________
The best way to learn anything, is to question everything.
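
A rough pre-check for the situation discussed in this thread, where script-like content sent in a request comes back unescaped in the page (as with the embedded ad code in posts #1 and #3). This is an added example, not part of the thread and not IE8's actual filter logic; the pattern list, the function name `findReflections` and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: simplified reflection check, NOT IE8's real heuristics.
// SCRIPT_LIKE patterns and all sample data below are constructed assumptions.
const SCRIPT_LIKE = [
  { name: 'script tag', re: /<script\b/i },
  { name: 'inline event handler', re: /\bon\w+\s*=/i },
  { name: 'javascript: URL', re: /javascript\s*:/i },
  { name: 'document.write call', re: /document\.write\s*\(/i },
];

// Return every query parameter whose decoded value looks like script
// and is echoed verbatim (unescaped) in the response body.
function findReflections(requestUrl, responseBody) {
  const hits = [];
  // searchParams yields values that are already percent-decoded.
  const params = new URL(requestUrl).searchParams;
  for (const [param, value] of params) {
    if (value.length < 4) continue; // too short to be a meaningful match
    const matched = SCRIPT_LIKE.filter(p => p.re.test(value)).map(p => p.name);
    if (matched.length === 0) continue; // value does not look like script
    const offset = responseBody.indexOf(value);
    if (offset !== -1) hits.push({ param, matched, offset });
  }
  return hits;
}

// Constructed sample: an ad loader that passes markup in its query string,
// a page that echoes it unescaped, and a page that HTML-escapes it.
const adUrl = 'http://ads.example/show?slot=top&tpl=' +
  encodeURIComponent('<script src="http://cdn.example/ad.js"></script>');
const echoed =
  '<div id="ad"><script src="http://cdn.example/ad.js"></script></div>';
const escaped =
  '<div id="ad">&lt;script src=&quot;http://cdn.example/ad.js&quot;&gt;' +
  '&lt;/script&gt;</div>';

console.log(findReflections(adUrl, echoed));  // one hit on "tpl"
console.log(findReflections(adUrl, escaped)); // no hits
```

Running it over a captured request URL and the saved response body points to the parameter and byte offset to inspect first.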