Internet Explorer 8 Cross Site Scripting Filter

[wige]

Playing around with my new install of Internet Explorer 8, I got the following message in the information bar that shows page-related security alerts...

Internet Explorer has modified this page to help prevent cross-site scripting. Click here for more information...

As usual, clicking the information bar only opened a generic help window, with no information about what triggered the filter, or how to correct whatever problem was detected. This tells me that if such a message is encountered on one of my sites, tracking down the issue will be difficult to say the least.

I have already encountered sites that have triggered the filter. Most of these issues were related to advertising code. Unfortunately, there is no easy way to diagnose these issues. A developer needs to install Microsoft's Compatibility Viewer to view the event log generated by the filter. This application can be downloaded from: Microsoft Application Compatibility Toolkit 5.0

Information on the filter can be found here: IEBlog : IE8 Security Part IV: The XSS Filter

[kgun]

Internet Explorer has modified this page to help prevent cross-site scripting. Click here for more information...

The devil is in the details. Is the correct message:

"Internet Explorer has modified (encapsulated) the parsing of this page to help prevent cross-site scripting. Click here for more information..."

Unless, I see some problems for Microsoft.

[wige]

Well, I think there is more to it than that. The first blog post about this feature indicated that IE would monitor all incoming and outgoing traffic from the browser and modify the code to prevent possible attacks. So, for example, if a URL contained <script> in an attempt to inject javascript, the filter would mangle the outgoing request removing the script code. Similar functions would be performed on suspicious quotes in form fields that might indicate SQL injection, limitations on off-domain scripts, etc.

Most of the pages where I have gotten the warning seem to trigger the filter because of scripting on embedded ads. As a result, the ad is not displayed to the user. Instead, just the javascript code is displayed on the page as plain text.

[kgun]

Most of the pages where I have gotten the warning seem to trigger the filter because of scripting on embedded ads. As a result, the ad is not displayed to the user. Instead, just the javascript code is displayed on the page as plain text.

Well a new nail in the business model for small companies, even if the page is not changed, only what is presented to the surfer.

It is a new argument for a static brand link model based on a clean link with rel="nofollow" to please Google.

Personally I prefer a model where the surfer decides him / herself by setting the adfilter. It is as I have told very easy to set that even for the new user in Opera.

So webmasters and surfers in all countris join and start using Opera to surf the web.

[deepsand]

Am I to understand that this behavior is wholly independent of any user controllable browser settings?

[DaveSawers]

I thought it was time to download this new IE8 to see what happens with my sites. These posts were getting me a little concerned.

I'm running Vista Home Premium and the download was quick and problem free. However, IE8 overwrote IE7 without asking if I might want to keep the older version, just as it did when upgrading from IE6 to 7. This isn't a problem for me as I have other computers that I can use to check older versions of IE on and I use Firefox as my day to day developing tool.

None of my sites needed compatibility mode and none of them produced any cross site scripting problems. Not all the HTML on my sites is standard as some of the sites are quite old. Some use Adsense and the newer ones make extensive use of AJAX.

IE8 did pick up one coding error in the site I'm working on at the moment which is an AJAX implementation of an oil industry desktop application. I'd missed a '>' off the end of a div declaration which Firefox passed over. Since I only made that code change yesterday the error was unlikely to have made it through to even a test version. Finding the problem with the developer tools in IE8 was quick and easy, so easy in fact that I may consider switching over from Firefox for primary development. Never thought I'd hear myself saying that! If it's at least as good at picking up Javascript problems as Firefox I'll be tempted.

[edhan]

I think I will wait before jumping into IE8 though the features seem to be good. I did tried the IE8 beta but it is displaying my sites with all the mis-alignment. Guess I will wait until more people are converting to IE8 and I will then be forced to use it. Or maybe I should be trying out with another system and slow make changes to be compatible?

[deepsand]

Most of the pages where I have gotten the warning seem to trigger the filter because of scripting on embedded ads. As a result, the ad is not displayed to the user. Instead, just the javascript code is displayed on the page as plain text.

Hm-mm. The ad wars version of The Empire Strikes Back?

[kgun]

Hm-mm. The ad wars version of The Empire Strikes Back?

One description of the Internet. "The world's biggest anarchy".

Now the ad model is "forced upon" us by big companies. May be there has to be an over national agency like WTO | Welcome to the WTO website setting ad standards in cyber space.

Timothy Geithner called for an new risk watchdog the day before yesterday. There is need for a new cyberspace business (more precisely digital advertising) watchdog, too.

[deepsand]

May be there has to be an over national agency ...

Even were there an international body with both jurisdiction and commensurate power, would you trust it?

One description of the Internet. "The world's biggest anarchy".

True; but, I prefer anarchy to despotism.