IEBlog

Accelerator Creation Guide

2009-12-23T21:37:00Z

Introduction

There are a lot of really cool services out there, and I think a lot of them would fit in really well with Accelerators. But even though there’s a lot of value to be had in creating Accelerators, I don’t think we’ve ever had a blog post explaining a step-by-step process for how to do it. I’m hoping this post will help with that.

I’ve been working on the feature for a while, so I’ve come up with some tips and best practices that have helped me become more efficient in building Accelerators. There are also a few mistakes I’ve seen (and made!) over and over again, so I’ll talk about those in the hope of making the development process a bit easier for everyone else out there.

Building an Accelerator

Accelerators streamline the common copy-navigate-paste operation by enabling users to send selected content from the current webpage to one of their favorite services. Fortunately, even though the feature is quite powerful, it’s actually quite easy to write code that uses it. Here’s a step-by-step guide for creating a simple Accelerator.

First, I’ve put up an Accelerator template, with sample information pre-loaded. All you need to do is swap out the sample information for yours. Note that you don’t need to be the service provider to build an accelerator that interacts with a service. If you can find the following information, then you can build an accelerator for virtually any service you want.

Here are the steps:

First, choose a <homepageUrl> for your Accelerator. This is an important field—all the other URLs in the manifest need to match its domain. Generally speaking, the top-level domain for your service is a good choice.

Example: <homepageUrl>http://www.example.com</homepageUrl>
Fill in the absolute path to your favicon into the <icon> field. One trick for doing so: right-click on the service page, view the source, and then search for an .ico file.

Example: <icon>http://www.example.com/favicon.ico</icon>
Under the <display> node, choose a <name> that’s descriptive of your service, while under 50 characters. We recommend that the name include the Accelerator category followed by the name of the service provider.

<display>
<name>Act with Example.com</name>
</display>
Choose a “category” attribute for the <activity> field. I have another post on categories, but here are the ones we recommend:
Choosing a descriptive category is important for how Accelerators are grouped in the accelerator menu, and enables users to understand what your Accelerator will do before even experimenting with it.
Choose which contexts you want your Accelerator operate on—“selection”, “link”, and/or “document”—and then add them as attributes to one or more <ActivityAction> elements. For example:

<activityAction context="selection"> … </activityAction>

The link and document contexts could probably use a little extra explanation. The link context is activated when a user right-clicks on a link and then executes an accelerator from the resulting context menu. Similarly, the document context is activated when the user right-clicks on the page itself and uses the context menu, or goes to the Page menu and executes something under the “All Accelerators” submenu.
Next, fill in the “action” attribute of the <execute> element with the URL of the service you want to use. See the section below regarding variables to find out how to pass data into your service.
Example: <execute action="http://example.com/default.aspx?sel={selection}&src=IE8">
Preview windows are a great way of delivering the output of a service to users as part of a more inline browsing experience—it’s also a great way of enticing them to visit a service’s home page.

You can add a preview window via the <preview> element. I’ve written a section about preview below.

Example: <preview action="http://example.com/default.aspx?sel={selection}&src=IE8">

The sections that follow provide some more in-depth specifics about the steps above.

Variables

IE exposes a number of variables for use with Accelerators. Here’s a list of the most commonly used variables:

{selection} - the user selection within the webpage. Only available in selection context.
{documentUrl} - the URL of the webpage where the Accelerator is invoked.
{documentTitle} - represents the title of the webpage where the Accelerator is invoked.
{link} - the URL of the user selected URL.
{linkText} - the text of the user selected URL.

A full list of variables is available here.

There are two methods of passing these variables to a service through an Accelerator. The first is through the query string:

<execute action=”http://www.example.com/script.aspx?foo=bar”>

The second is through one or more <parameter> tags:

<execute action=”http://www.example.com/script.aspx”>

<parameter name=”foo” value=”bar” />

</execute>

Note that using a <parameter> element is the only way to insert data into the body of the HTTP request. You can use POST with a parameterized query string, as well, but any parameters you pass will show up in the URL. You can specify a GET or POST request via the “method” attribute of the <activityAction> element.

Adding Preview

Preview is probably the most visible feature of Accelerators, and one of the most useful when implemented effectively.

Accelerator previews occupy a window of size 320x240 pixels. Given this, most Accelerators that use it create a special preview page for displaying it.

The key to an effective preview is returning the most relevant information possible based on the information sent by the user, then making sure it fits in the space provided by the preview window.

The Bing Maps Accelerator, for example, maps the location of a selected address using its own UI, scaled down to 320x240:

<preview method="get" action="http://www.bing.com/maps/geotager.aspx">
<parameter name="b" value="{selection}" />
<parameter name="clean" value="true" />
<parameter name="w" value="320" />
<parameter name="h" value="240" />
<parameter name="client" value="ie" />
<parameter name="format" value="full" />
</preview>

Note that you can pass variables to the preview window the same way you can for execution. For example, the Accelerator above uses {selection}.

Another handy rule of thumb is load time—if it takes your preview window takes more than half a second to load, you probably have too much in it, from a user experience perspective.

One trick that you might find useful involves using the mobile version of a service for a preview window. We deliberately sized the preview window to be compatible with mobile services.

Testing your Accelerator

Once you’re done building your Accelerator, it’s time to test it out. We have a Javascript API for installation. Some code like the following will create a link that brings up the Accelerator installation dialog:

<a href=”javascript:window.external.addService(‘myAccelerator.xml’)”>Install me</a>

In order for this to work, you’ll need a live web server—trying to open the link from a page on your local hard drive will result in an error. Any kind of local server will work fine, though—you can use Visual Studio’s ASP.NET server without issue, for example.

If everything goes well, you’ll see the normal Accelerator installation dialog. If it doesn’t, you’ll see something like this:

Whenever I see this dialog, there are a couple of mistakes that very frequently turn out to be the culprits.

Encoded Characters

The first has to do with XML itself. When dealing with query strings, it’s very common to pass in multiple arguments using the ampersand character. Unfortunately, this is a reserved character in XML, so using it as a literal in a query string will raise an error. Instead, you’ll need to escape it with “&”, like this:

<execute action=”http://www.microsoft.com/testscript.aspx?foo=test&bar=test”>

Matching Domain Requirement

The second has to do with the <homepageUrl> tag. To properly identify a service, we require that the URLs specified in <homepageUrl>, the action attribute of <execute>, and the action attribute of <preview> all share the same domain. If this isn’t the case, an error is raised.

Test Cases

Once you can install your Accelerator, there are a few scenarios you should definitely test, since they tend to break for a lot of the Accelerators already out there:

Blank content – what happens when blank content is sent to your service? Do you have a graceful error message in place?
Multi-line content – does your service handle line-breaks the way you think it will? You may want to make sure you parse for the carriage return-line feed sequence (“%0d%0a” in URL encoding) and replace it with something appropriate, like a space.
Script – Some user selection may have JavaScript associated with it. If you specify HTML selection, then your service should be filtering this script on the server for security reasons.
Large selections – Accelerators truncate GET requests at 2048 characters. If you’d like your accelerator to be able to handle more data, you might consider using POST.

Next Steps and Conclusion

Once you have a cool Accelerator built, feel free to upload it to the IE Gallery. It’s a great way to gain more exposure for your Accelerator and your service.

I hope this post was helpful in creating Accelerators. If you have any feedback on this post, any thoughts on Accelerators in general, or any cool creations you’d like to share, feel free to leave a comment.

Thanks!
Jon Seitel
Program Manager

Recap of Add-on-Con

2009-12-17T22:10:00Z

We’ve just returned from Add-on-Con, an annual conference for browser add-on developers held at the Computer History Museum in Mountain View California. The add-on development community is an entrepreneurial bunch of people and it’s exciting to hear about what they’re working on. Herman Ng, Christopher Griffin, and I were there to present and chat with people. Matt Crowley was also in town so he was able to stop by for part of the day.

Herman spoke about best practices to improve reliability and performance. This topic really resonated with the audience. It’s clear developers want to deliver a great experience to customers by building cool features, having great reliability and performance, and getting exposure in the IE Add-on gallery. Based on the amount of interest we saw, Herman will be reworking his presentation into a series of blog posts starting early next year. So you don’t have to wait, I’ll give you two of Herman’s quick tips for add-on developers now.

Get crash reports for your add-on from Windows Quality Online Services (Winqual). This is a great resource for discovering and debugging crashes in your product.
Post your add-on to the IE Add-on gallery. Developers click “join” and then click on your username to upload add-ons.

My presentation covered how to build Webslices (msdn), Accelerators (msdn), and Search Providers (msdn). These extensions are a great way to connect your customers with your services without the risk of introducing performance or reliability problems. You can also build and deliver them with a little bit of XML and markup so you can connect users with your site or service in hours rather than weeks.

Thanks to everyone at OneRiot, GetGlue, and YooNo for organizing such a great event!

Paul Cutsinger
Principal Program Manager
Internet Explorer

IE December Security Update Now Available

2009-12-08T20:50:00Z

The IE Cumulative Security Update for December 2009 is now available via Windows Update or Microsoft Update.

This security update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The security update addresses these vulnerabilities by correcting the control and by modifying the way that Internet Explorer handles objects in memory. For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7 (except when running on supported editions of Windows Server 2003 and Windows Server 2008), and Internet Explorer 8 (except when running on supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2). For Internet Explorer 7 and Internet Explorer 8 running on Windows servers as listed, this update is rated Moderate.

IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Billy Rios
Program Manager
Internet Explorer Security

IE8 SmartScreen in action

2009-11-23T21:32:00Z

Last week at PDC, as we were about to start talking to people about IE9, I saw the following notification from my Facebook account:

From: Facebook [mailto:notification+mwm5axbx@facebookmail.com]
Sent: Tuesday, November 17, 2009 10:05 AM

Dina posted something on your Wall and wrote:

"funny vid of u, you see it? http://www.facebook.com/l/ca339;hTTP://www.N70.InFO/2d"

To see your Wall or to write on Dina's Wall, follow the link below:

<..>

Thanks,

The Facebook Team

The message was from someone I know pretty well, and I believed the message. The address itself (http://www.n70.info/2d) wasn’t that suspicious; there are a lot of URL shortening services, and the .info domain has many legitimate sites on it. So I clicked the it:

and thought – whew.

IE8’s SmartScreen now blocks malware sites over two million times a day. IE8 offers a lot of protection from real-world attacks: phishing protection, a cross-site scripting filter, and Protected Mode (I may run as an administrator, but my browser doesn’t). With attacks on the rise, using (or upgrading to) a browser with this much protection is more important than ever. IE8 also offers great reliability because of process-isolation, and offers users the ability to manage add-ons that affect performance and stability. InPrivate Browsing and InPrivate Filtering are also quite handy.

I wrote back to my friend, and she was surprised. You can read Facebook’s guidance about what to do if this happens to you or a friend.

Dean Hachamovitch

An Early Look At IE9 for Developers

2009-11-18T17:23:00Z

We’re just about a month after the Windows 7 launch, and wanted to show an early look at some of the work underway on Internet Explorer 9.

At the PDC today, in addition to demonstrating some of the progress on performance and interoperable standards, we showed how IE and Windows will make the power of PC hardware available to web developers in the browser. Specifically, we demonstrated hardware-accelerated rendering of all graphics and text in web pages, something that other browsers don’t do today. Web site developers will see performance gains and other benefits without having to re-write their sites.

Performance Progress. Browser performance involves many different sub-systems within the browser. Different sites – and different activities within the same site – place different loads and demands on the browser.

For example, two news sites might look similar to a user but have very different performance characteristics. Because of how the developers authored the sites, one site might spend most of its time in the Javascript engine and DOM, while the other site might spend most of its time in layout and rendering. A site that’s more of an “application” than a page (like web-based email, or the Office Web Apps) can exercise browser subsystems in completely different ways depending on the user’s actions.

The chart below shows how much time different sites spends in different subsystems of IE. For example, it shows that one major news site spends most of its time in the script engine and marshalling, while another spends most of its time in script and rendering, and the Excel Web App spends very little of its time running script at all.

Note that this chart shows the percentages of total time spent in each subsystem, not relative time between sites. It focuses on just the primary browsing sub-systems and doesn’t include “frame” functionality (like anti-phishing), or third-party software that’s running in the IE process (like toolbars, or controls like Flash). It also factors out networking since that’s dependent on the users network speed. Notice also that a site’s profile can change significantly across scenarios; for example, the Excel Web App profile for loading a file is quite different from the profile for selecting part of the sheet.

The script engine is just one of these browser subsystems. There are many benchmarks for script performance. One common test of script performance is from Apple’s Webkit team, the SunSpider test. The chart below shows the relative performance of different browsers on the same machine running the SunSpider test.

In addition to IE7 and the current “final release” versions of major browsers, we’ve included the latest pre-release “under development” builds of the major browsers. We’re just about a month after IE8 was released as part of the Windows 7 launch, and the version of IE under development is no longer an outlier.

It is worth noting that once the differences are this small, the other subsystems that contribute to performance become much more important, and perceiving the differences may be difficult on real-world sites. That said, we remain committed to improving script performance.

We’re looking at the performance characteristics of all the browser sub-systems as real-world sites use them. Our goal is to deliver better performance across the board for real-world sites, not just benchmarks.

Standards Progress. Our focus is providing rich capabilities – the ones that most developers want to use – in an interoperable way. Developers want more capabilities in the browser to build great apps and experiences; they want them to work in an interoperable way so they don’t have to re-write and re-test their sites again and again. The standards process offers a good means to that end.

As engineers, when we want to assess progress, we develop a test suite that exercises the breadth and depth of functionality. With IE8, we delivered a highly-interoperable implementation of CSS 2.1 and contributed over 7,200 tests to the W3C. Standards that do not include validation tests are much more difficult to implement consistently, and more difficult for site developers to rely on.

Some standards tests – like Acid3 – have become widely used as shorthand for standards compliance, even with some shortcomings. Acid3 tests about 100 aspects of different technologies (many still in the “working draft” stage of standardization), including many edge cases and error conditions. Here’s the latest build of IE9 running Acid3:

As we improve support in IE for technologies that site developers use, the score will continue to go up. A more meaningful (from the point of view of web developers) example of standards support involves rounded corners. Here’s IE9 drawing rounded corners, along with the underlying mark-up:

Another example of standards support that matters to web developers is CSS3 selectors. Here’s a test page that some people in the web development community put together at css3.info; it’s a good illustration of a more thorough test, and one that shows some of the progress we’ve made since releasing IE8:

Community testing efforts like this one can be helpful. Ultimately, we want to work with the community and W3C and other members of the working groups to define true validation test suites, like the one that we’re all working on together for CSS 2.1, for the standards that matter to developers. For example, this link tests one of the HTML5 storage APIs; some browsers (including IE8) support it today, while others don’t.

The work we do here, both in the product and on test suites, is a means to an end: a rich interoperable platform that developers can rely on.

Bringing the power of PC hardware and Windows to web developers in the browser. The PC platform and ecosystem around Windows deliver amazing hardware innovation. The browser should be a place where the benefits of that hardware innovation shine through for web developers.

We’re changing IE to use the DirectX family of Windows APIs to enable many advances for web developers. The starting point is moving all graphics and text rendering from the CPU to the graphics card using Direct2D and DirectWrite. Graphics hardware acceleration means that rich, graphically intensive sites can render faster while using less CPU. (This interview includes screen captures of a few examples.) Now, web developers can take advantage of the hardware ecosystem’s advances in graphics while they continue to author sites with the same interoperable standards patterns they’re used to.

In addition to better performance, this technology shift also increases font quality and readability with sub-pixel positioning:

96 point Gabriola on a Lenovo X61 ThinkPad at 100% Zoom using GDI (note jaggies):

96 point Gabriola on a Lenovo X61 ThinkPad at 100% Zoom: Direct2D (without jaggies):

Last week, Channel 9 interviewed several of the engineers on the team. You can find videos of the interviews here:

Introduction, and Interoperable Standards

Early look at the Script Engine

Hardware accelerated graphics and text in the browser via Direct2D

While we’re still early in the product cycle, we wanted to be clear to developers about our approach and the progress so far. We’re applying the feedback from the IE8 product cycle, and we’re committed to delivering on another version of IE.

Thanks,
Dean Hachamovitch
General Manager, Internet Explorer

Update 11/23/09 - The IE9 demo from PDC is now available. The IE content starts around minute 48.

My Favorite IE Add-on: Mouse Gestures by Ralph Hare

2009-11-13T22:45:00Z

I spend a lot of time dealing with problems users encounter when using Internet Explorer. As a result, when I write about add-ons, I’m usually talking about misbehaving code that is wrecking the browser. However, it’s not all doom-and-gloom out there, and I’m delighted to share my favorite browser add-on with you.

I first came across Ralph Hare’s work when perusing the IE add-on sample code at CodeProject. Ralph and I both liked mouse gestures and wished that Internet Explorer offered them. For those of you who have never used mouse gestures, basically, they allow you to trigger commands like back, forward, refresh, etc, without using the keyboard or clicking on toolbar buttons or menus. While not everyone wants to use mouse gestures, some of us find them incredibly compelling. This sweet spot makes gestures the sort of feature ripe for implementation as an add-on.

Fortunately for all of us, Ralph is a great developer and he put together a fantastic gestures add-on for IE which has evolved and improved a lot over the last six years. I’ve installed his add-on on every computer I’ve used since discovering it, and I now find it annoying to use browsers that don’t support gestures. It’s an ironic turn of events for me, since I’ve been a keyboard snob for over a decade. :-)

What makes this add-on so great?

Respect for the User. The gestures add-on respects your existing browser settings, and does not attempt to change your default homepage, search provider, favorites, user-agent string, etc. There’s no junk (e.g. adware, unexpected toolbars, etc) bundled with it either.

Stability. I’ve tried out a lot of different add-ons over the years, but almost always end up uninstalling each after a few days because they’re unstable and result in occasional or frequent browser crashes. In contrast, Ralph has delivered a rock-solid implementation of gestures; the few bugs I’ve found have been fixed quickly and the updated versions are automatically offered using an automatic notification service.

Best Practices. Ralph’s code is compiled following best-practices for secure and stable add-ons, including linking with the /NXCOMPAT and /DYNAMICBASE flags to opt-in to DEP/NX and ASLR memory protections.

Performance. Many browser extensions are useful from time-to-time, but I’m not willing to suffer a performance penalty when not actively using an extension. For some types of extensions (menu extensions, toolbar buttons) this isn’t a problem, because the add-on code only loads when I actively use the add-on. However, an add-on like Mouse Gestures inherently needs to be available at all times, so high performance is an absolutely critical consideration.

Ralph’s Browser Helper Object (BHO) is written in native C++, and designed and coded for speed. After installing, check out the Load Time column inside the IE Tools > Manage Add-ons dialog:

As mentioned previously, the extension offers an auto-update mechanism, but Ralph ensures that this won't hurt startup performance. He does so by running the check in a background thread, and waiting for about a minute after tab startup to kick off the webservice call. Ralph also sets the NoExplorer registry key to prevent his BHO from loading inside Windows Explorer.

Even the default configuration is optimized for performance: by default, mouse trails aren’t shown, and if a user wants them, they can choose between basic trails:

which work fine with all video cards, and the slightly fancier advanced trails:

which work best with higher-end hardware.

Cross-Version Support. Mouse Gestures is compiled in both 32-bit and 64-bit flavors (installed individually) making the gestures add-on one of the very few available for 64-bit IE. The add-on works in all versions of IE and I’ve personally used it on Windows XP, Server 2003, Vista, Server 2008, and Windows 7 without problems.

Ease-of-Installation. The 32bit and 64bit installers together weigh in just under 1 megabyte. The add-on is packaged using the same NSIS installer that I use to install Fiddler.

If you decide you don’t like the add-on, you can easily uninstall it using the Add/Remove Programs control panel.

Customizability and Power. You can customize its options using the Mouse Gestures… item added to the browser Tools menu. The configuration dialog allows you to assign gestures to built-in actions, define new gestures or actions, and change the appearance of mouse trails.

The most common gesture I use is Down,Right which by default is bound to the Close Tab action. I’ve also bound the Down,Up and Up,Down gestures to the Toggle FullScreen Mode action; this is slightly simpler than hunting for the F11 key on my small but beloved Lenovo X200.

If you’d like, you can bind any gesture to open any of your browser Favorites in the current tab, or a new foreground or background tab.

One of the most powerful features of the add-on allows you to bind a JavaScript file to an action. I use this feature to bind a simple page cleanup script to the Left,Right gesture. When I’m reading an online newspaper or similar page with flashing images or other unwanted distractions, I simply hold the right mouse button and waggle the mouse—all of the images and flash objects are instantly removed, allowing me to read in peace.

Price. Mouse Gestures add-on is clearly a labor of love, and Ralph makes it available for free. If you’d like, you can help defray his web hosting costs using the unobtrusive “Donate via Paypal” link buried at the bottom of his site.

Conclusion

If you’re willing to get hooked on a new way of interacting with your browser, give Ralph’s Mouse Gestures add-on a try, and join me in thanking Ralph Hare for his great work!

Eric Lawrence

Participating at W3C’s TPAC 2009

2009-11-03T00:54:00Z

This week the W3C holds its annual Technical Plenary and Advisory Committee meeting (TPAC 2009). There will be about a dozen people from the IE team participating and this is a valuable opportunity to continue working together with other W3C members on the next generation of web standards. High quality specifications that improve interoperability between browsers are important. Our goal is to help ensure these new standards work well for web developers and will work well in future versions of IE.

We will participate in a number of browser related working group meetings including accessibility, CSS and HTML sessions. For many groups, this is the only face to face time participants will get and so this is a perfect time to put faces to email addresses. Held in Santa Clara, California this year, the close proximity to many of the companies involved in the W3C means a large number of attendees is expected.

Over the last few months, some of us in the IE team have been working through the HTML5 working draft reviewing the specification text. It is interesting to exchange ideas and help the specification become clearer and I am looking forward to seeing many of the people involved again. There has been a long discussion about the submission we made to the HTML working group about distributed extensibility. Tony Ross, the author of our discussion document, will be participating in a panel on extensibility with Jonas Sicking from Mozilla on Wednesday.

Eliot Graff, a lead technical editor for IE, who is helping edit an updated draft of the Canvas API document that Doug Schepers started will also be at the HTML working group meeting this week.

Kris Krueger, one of our lead test managers, has volunteered to help the newly formed Testing Task Force within the HTML working group. Having a comprehensive test suite that thoroughly tests a specification is a key step to ensuring implementations interoperate successfully. Kris will be taking part in the HTML working group meeting on Thursday and Friday.

Paul Cotton, who was recently appointed as a co-chair of the HTML working group as Chris Wilson changed his focus to programmability in the web platform, will also be with us at the TPAC to help the overall work.

On Thursday, the W3C has organised a Developer Gathering for web and application developers who don’t normally participate in the W3C to join discussions about web standards. In my experience the participation of web developers is extremely important to check the overall ease of use of the specifications and APIs being proposed as standards. One of our program managers, Sylvain Galineau, will be amongst the CSS Strike Force presenting CSS demos.

I don’t have room in this short blog post to mention everyone who will be involved this week but I’ve tried to give a flavour for the work that we will be participating in. Above all, it’s fun to hang out with people you mostly see only by email so there will be lots of hallway conversations and debates over lunch or dinner. I can’t wait.

Adrian Bateman
Program Manager

Now Available: IEAK8 can create custom Internet Explorer 8 packages in 19 additional languages

2009-10-29T23:49:00Z

We are pleased to announce that the Internet Explorer Administration Kit (IEAK) 8 now supports creating custom Internet Explorer 8 packages in a total of 43 languages. IEAK8 can be downloaded from http://ieak.microsoft.com.

Custom Internet Explorer 8 packages can be created in the following platform and language combinations:

Windows XP SP2 or SP3 x86:

Total languages:
- Arabic, Bengali, Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hebrew, Hindi, Hong Kong Chinese, Hungarian, Indonesian, Italian, Japanese, Kannada, Korean, Lithuanian, Latvian, Malayalam, Norwegian Bokmal, Polish, Portuguese (Brazil), Portuguese (Portugal), Punjabi, Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Telugu, Thai, Turkish, Ukrainian
New languages:
- Bengali, Bulgarian, Croatian, Estonian, Hindi, Hong Kong Chinese, Indonesian, Kannada, Lithuanian, Latvian, Malayalam, Punjabi, Romanian, Serbian, Slovak, Slovenian, Telugu, Thai, Ukrainian

Windows XP SP2 x64 and Windows Server 2003 SP2 x64:

Total languages:
- Chinese (Simplified), Chinese (Traditional), German, English, Spanish, French, Italian, Japanese, Korean, Portuguese (Brazil), Russian

Windows Server 2003 SP2 x86:

Total languages:
- Chinese (Simplified), Chinese (Traditional), Czech, German, English, Spanish, French, Hungarian, Italian, Japanese, Korean, Dutch, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Swedish, Turkish

Windows Vista x86, Windows Vista SP1 x86 , Windows Server 2008 x86, and Windows 7 x86:

Total languages:
- Arabic, Bengali, Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hebrew, Hindi, Hong Kong Chinese, Hungarian, Indonesian, Italian, Japanese, Kannada, Korean, Latvian, Lithuanian, Malayalam, Norwegian Bokmal, Polish, Portuguese (Brazil), Portuguese (Portugal), Punjabi, Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Telugu, Turkish, Thai, Ukrainian
New languages:
- Bengali, Bulgarian, Croatian, Estonian, Hindi, Hong Kong Chinese, Indonesian, Kannada, Latvian, Lithuanian, Malayalam, Punjabi, Romanian, Serbian, Slovak, Slovenian, Telugu, Thai, Ukrainian

Windows Vista x64, Windows Vista SP1 x64, Windows Server 2008 x64, and Windows 7 x86:

Total languages:
- Arabic, Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Lithuanian, Norwegian Bokmal, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian, Hong Kong Chinese
New languages:
- Bulgarian, Croatian, Estonian, Latvian, Lithuanian, Romanian, Serbian, Slovak, Slovenian, Thai, Ukrainian, Hong Kong Chinese

To create custom packages in these new languages, you’ll need to install the latest version of IEAK8.

Thanks,
Jatinder Mann
Internet Explorer Program Manager

IE October 2009 Security Update Now Available

2009-10-13T19:50:00Z

The IE Cumulative Security Update for October 2009 is now available via Windows Update or Microsoft Update.

This update addresses three privately reported vulnerabilities and one publicly disclosed vulnerability. The security update addresses these vulnerabilities by modifying the way that Internet Explorer processes data stream headers, validates arguments, and handles objects in memory. For detailed information on the contents of this update, please see the following documentation:

As a reminder, IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

Terry McCoy
Program Manager
Internet Explorer Security

Add-on Guidelines in action – AVG Security Toolbar

2009-10-07T02:47:00Z

The AVG Security Toolbar team has recently released a new version of their toolbar. It has a more predictable user experience and does a better job of allowing users to stay in control of their browser. It’s a great example of the Guidelines for add-on developers in action.

It’s encouraging to see the example set by the AVG Security Toolbar team. They’re building valuable add-ons for people and at the same time they’re respecting user choice. Here are some high level examples of the changes they’ve made in the new version of their toolbar:

It no longer takes over the search provider. Instead it uses the proper IE8 set default provider API so that users can choose their default.
The close button is visible so that users can manage it like other toolbars. Additionally, the toolbar is positioned in a supported location which improves stability and performance.
It no longer modifies the new tab page to maintain a predictable new tab experience for users.

Kudos goes out to the AVG Security Toolbar team. On behalf of our shared customers, thanks. Following the Guidelines and using supported extensibility points in this way means that people have a consistent and reliable experience that allows them to stay in control of their browser. This is exactly what we’d like to see from all add-on developers.

Before: Previous version of AVG Security Toolbar

After: Newest version (2.507.24.1) of the AVG Security Toolbar provides a predictable experience and lets users stay in control of their browser

-Paul Cutsinger and Herman Ng

Supporting Web Standards Development with SuperPreview

2009-09-16T02:03:00Z

This post is a guest post from Steve Guttman, of the Expression Web team. Expression Web has created an interesting tool, SuperPreview, which we thought the IE blog audience would be interested in.

Internet Explorer 8 is an important release because it reconfirms Microsoft’s commitment to interoperability and renewed emphasis on Web Standards. My team—which develops the authoring tool, Expression Web—is also pretty emphatic about Web Standards. We’re in the process of doing significant tooling (and retooling) so we can support existing and emerging specifications, reliably.

The Expression Web team recently shipped SuperPreview for Internet Explorer, a FREE tool for performing cross-browser debugging across Internet Explorer, including versions 6, 7, and 8. This tool also helps developers and site owners in migrating their sites from earlier versions of Internet Explorer to the standards-compliant Internet Explorer 8. This is a subset of the full version of SuperPreview (which also supports Firefox) and which ships with Expression Web 3. You can download it here. You can learn more about SuperPreview for Internet Explorer on the Expression Web team blog.

Thanks,
Steve Guttman
Product Unit Manager
Expression Web

Guidelines for add-on developers

2009-09-09T21:34:00Z

It’s well understood that the typical computer users today spend much of their time in their web browser, making it the most important software on their computer. Users expect their browsers to be easy to use, fast, stable and secure.

Over the past few months, users have downloaded thousands of great browser add-ons from www.ieaddons.com and other web sites. Users want to use browser add-ons to enhance their browsing experience, not hinder it or make it more confusing.

We have published a full list of guidelines to help add-on developers create quality add-ons. We created these guidelines to respond to demand from the developer community and to help share the thinking of the IE team, gathered from years of providing support to users and developers. We strongly recommend that developers follow these guidelines when developing add-ons for IE users. We occasionally come across add-ons that violate these guidelines so egregiously that we treat them as malware; on the other hand, we frequently see really helpful and creative add-ons that put the “user in control” and enhance the browsing experience. Here are the core aspects of our guidelines:

Do not limit the user’s ability to access Internet Explorer features

Users require access to the entire set of Internet Explorer features, including but not limited to: the address bar, search box and new tab page to navigate and search the Internet easily and safely. Users expect these features to be available to them at all times and our support data shows that users are confused and unhappy when these features are obscured or changed. Please don’t write add-ons that hide, obscure or limit access to Internet Explorer features.

Do not limit the user’s ability to control Internet Explorer settings

It’s important that users be able to control their browsing experience. We’ve provided many configuration options for IE users to help them set up their browser exactly how they want it and protect themselves from potentially harmful malware. (See previous my previous post on toolbars and search defaults)

To support this guideline, add-on software should not remove or limit the user’s ability to view and modify IE settings.

Only use supported APIs

Add-ons should only use supported Internet Explorer and Windows application programming interfaces (APIs), detailed on MSDN. Using an unsupported method of extending Internet Explorer or relying on implementation details in a specific version of IE may cause browser stability problems when Internet Explorer is updated. Also, when two add-ons try to use the same unsupported method of extending Internet Explorer they might crash the browser – our APIs are specifically designed to prevent this kind of problem.

Microsoft is committed to working with all add-on software developers to ensure that our mutual customers – you, the user – have a great experience when using Internet Explorer with add-ons. If you are developing or maintaining an Internet Explorer add-on, please review our guidelines and ensure that your add-ons deliver a good long-term experience for users.

Thank you,
Frank Olivier and Herman Ng
Internet Explorer Program Management

Preventing Operation Aborted Scenarios

2009-09-04T08:48:00Z

This post follows up on my original Operation Aborted post to provide some additional information and assistance for web site owners or 3^rd party script libraries.

Recap

Nearly a year-and-a-half ago, I blogged about an error that can occur on some websites that generate content via script. This content can cause Internet Explorer’s HTML parser to get into an unrecoverable state, which makes it doubly-hard to find and diagnose why this error is happening. When this state occurs, the HTML parser cannot continue, and simply throws up its hands and admits: “Operation aborted!”

Early in IE8’s development, we put in a mitigation that alleviated the worst side-effects of this problem. Rather than show a modal dialog and then navigate away from the page after you press OK, instead we removed the dialog and transferred the error notification into the status bar (to the script error notification area). As a result, you are not interrupted by a dialog and you can continue to view the current web page. You may not have even noticed that this error occurred; yet the HTML parser does come to a grinding halt (for that tab only) and any additional content will never be processed.

Not too long after IE8 was released, we began hearing reports of IE8 customers continuing to see the old operation aborted dialog! While we knew that we hadn’t fixed every possible scenario that could cause the dialog to appear (it’s triggered as a catch-all for many subsystems such as the navigation stack and networking), we believed that we had mitigated the worst-cases. With recent reports of users seeing the Operation Aborted dialog in IE8 we investigated further to find any additional scenarios that could be triggering the dialog to appear (rather than the script error mitigation).

In the following two scenarios, the root cause of the Operation Aborted issue is the same (for details, please read my previous post), but the way in which it happens in these scenarios causes IE to bypass the mitigation that we put in place for IE8.

Scenario 1: Nested Parsing after Operation Aborted

<html>
 <body>
  <div>
   <script type="text/javascript">
    document.body.appendChild(document.createElement('div'));
    document.write("Testing");
   </script>
  </div>
 </body>
</html>

In the HTML above, the effect of the first line of the script is to trigger the Operation Aborted problem. In IE8 this is mitigated as previously mentioned. However, if sometime later a document.write API call is issued as shown in the second line of script, all versions of Internet Explorer, including 8, will present you with the old operation aborted dialog.

Scenario 2: Operation Aborted in error handlers

<html>
 <body>
  <script type="text/javascript">
   window.onerror = function() {
    var el = document.getElementById("div2");
    el.appendChild(document.createElement("div"));
   }
  </script>
  <div id="div1"></div>
  <div id="div2" onclick="alert('hi';"></div>
 </body>
</html>

In this HTML file, a script error (in the onclick event handler) has a run-time error, which causes the window object's onerror handler to be invoked. In this scenario, if Operation Aborted is triggered in the error handler, the dialog will also show in IE8.

Programmatically Detecting Operation Aborted

When this error dialog occurs, it is very hard for web developers to find the problem and fix it. Often (and in most cases we’ve seen) the problem is introduced in third-party scripts that are referenced by the affected page. To help web developers quickly find and fix the problem, we’ve written a little script that should help.

This script must be run as the first script in the page that is experiencing the Operation Aborted error. It overrides the usage of innerHTML and appendChild by first checking the parsing frontier before allowing the action. AppendChild is by far the most common DOM entry point that can trigger Operation Aborted, followed by innerHTML. The script may flag false positives, but we wanted to err on the side of being overly cautious.

This script relies on a feature enabled in IE8 standards mode only—Mutable DOM Prototypes. Thus, it will only work for pages that use IE's most standards-compliant mode. See this post on compatibility view for more details on the mode that IE is interpreting your page in. However, the operation aborted problems that this script identifies (in IE8 standards mode) also apply to IE7 and IE6 thereby helping you diagnose and fix this issue in any version of IE.

To use the following script follow these steps:

Add a script element to the head of the page in question. This script element should be before any other script element on the page.
Place the following script text within that script element (or reference a file containing it from the src attribute)
Set the "f1" and "f2" feature values
1. Setting "f1" to true will skip DOM calls that could potentially cause the Operation Aborted error. However, this will also result in a change in program flow, and other script errors could result.
2. Setting "f2" to true stops program flow at the point of a potential Operation Aborted error and breaks into the debugger (external or built-in JavaScript debugger). This is where you can analyze each occurrence to see what assumptions were being made and how the program flow can be altered to prevent the problem.
In IE, navigate to the page in question.
Start the JavaScript debugger by pressing "F12" and then selecting the "Script" tab in the Developer Tools, and press the button "Start Debugging".

(function() {
    // Feature switches
    // WARNING: 'true' may cause alternate program flow.
    var f1 = PREVENT_POTENTIAL_OCCURANCES = false;          
    var f2 = BREAK_INTO_DEBUGGER_AT_POTENTIAL_OCCURANCES = true;
    if (!window.console) {
        window.console = {};
        window.console.warn = function() { };
    }
    var frontierCheck = function(host) {
        // Is host on the frontier?
        while (host && (host != document.documentElement)) {
            if (host.parentNode && (host.parentNode.lastChild != host))
            // This is not on the frontier
                return true;
            host = host.parentNode;
        }
        if (!host || (host != document.documentElement))
            return true; // This node is not on the primary tree
        // This check is overly cautious, as appends to 
        // the parent of the running script element are 
        // OK, but the asynchronous case means that the 
        // append could be happening anywhere and intrinsice
        // knowledge of the hosting application is required
        console.warn("Potential case of operation aborted");
        if (f2)
            debugger;
        // Step up two levels in the call stack 
        // to see the problem source!!
        if (f1)
            return false;
        else
            return true;
    }
    var nativeAC = Element.prototype.appendChild;
    Element.prototype.appendChild = function() {
        // call looks like this:
        //    object.appendChild(object)
        // Go back one more level in the call stack!!
        if (frontierCheck(this))
            return nativeAC.apply(this, arguments);
    }
    var nativeIH = Object.getOwnPropertyDescriptor(Element.prototype, "innerHTML").set;
    Object.defineProperty(Element.prototype, "innerHTML", { set: function() {
        if (frontierCheck(this))
            nativeIH.apply(this, arguments);
    }
    });
})();

We recognize that the operation aborted dialog and its mitigated cousin in IE8 are still the source of significant web developer pain. We hope this information and prevention script help you to diagnose and fix issues related to Operation Aborted in IE8 (and older versions of IE).

-Travis Leithead
Program Manager

Internet Explorer 8 is now available via Windows Server Update Services (WSUS)

2009-08-26T00:14:00Z

If you manage your organization’s PCs using Windows Server Update Services (WSUS) I’m pleased to announce that we have made Internet Explorer 8 available via this technology for the following languages and platforms:

Internet Explorer 8 releases on WSUS for August 25, 2009
Windows Vista	All supported languages
Windows Server 2008	All supported languages
Windows Server 2003	All supported languages
Windows XP	English; Arabic; Chinese (Traditional); Chinese (Simplified); Czech; Danish; Dutch; Finnish; French; German; Greek; Hebrew; Hungarian; Italian; Japanese; Korean; Norwegian; Polish; Portuguese (Portugal); Portuguese (Brazil); Russian; Spanish; Swedish; Turkish
Windows Vista and Windows Server 2008	Internet Explorer 8 Language Packs

On September 22, 2009 all supported languages will be available via WSUS, with the release of the following versions of Internet Explorer 8 for Windows XP:

Internet Explorer 8 releases on WSUS for September 22, 2009
Windows XP	Bosnian (Cyrillic); Bosnian (Latin); Bulgarian; Catalan; Croatian; Estonian; Hindi; Latvian; Lithuanian; Macedonian; Romanian; Serbian (Cyrillic); Serbian (Latin); Thai; Ukranian; Vietnamese; Albanian; Assamese; Basque; Bengali (Bangladesh); Bengali (India); Gujarati; Indonesian; Kannada; Kazakh; Konkani; Malay (Malaysia); Malayalam; Marathi; Punjabi; Tamil; Telugu

How do I control my Internet Explorer 8 deployment?

Internet Explorer 8 is available in the “Update rollup” category, and will appear in your WSUS administration console as follows:

Note that even if Auto-Approve for the “Update Rollup” category is on, Internet Explorer 8 will not automatically be deployed- you must approve the Internet Explorer 8 License Terms before Internet Explorer 8 is deployed to your downstream clients. As the Internet Explorer 8 License Terms are shared between all Internet Explorer 8 WSUS items, once you accept the license terms for any of the items, the remaining items may be approved without accepting them.

What other Internet Explorer 8 updates will be available via WSUS?

Today we have also released the standalone Language Packs for Windows Vista and Windows Server 2008 to WSUS under the “Update” category. Also, cumulative security updates for Internet Explorer 8 and Internet Explorer 8 Compatibility View List updates will be made available via WSUS as they are released.

Where can I find more Internet Explorer 8 deployment information?

Visit the Internet Explorer TechNet Center – among other useful resources you’ll find an Internet Explorer Deployment Guide and information about the Internet Explorer Administration Kit which explains how to generate a MSI installer and distribute it using Systems Management Server or Group Policy.

Eric Hebenstreit
Lead Program Manager

Update 8/26: changing references to EULA to License Terms.
Update 12/17/09: Removing Slovakian and Slovenian from the list of supported languages for Windows XP via WSUS for release 9/22. These were added incorrectly.

Real-World Protection With IE8’s SmartScreen Filter™

2009-08-13T23:48:00Z

Back in March, I posted a note to the IEBlog when the pre-release version of IE8’s SmartScreen Filter had delivered its 10 millionth malware block. Today, I’m happy to report that IE8’s SmartScreen Filter has delivered more than 70 million blocks in the first four months since IE8’s official release, for a cumulative total of 80 million blocks. This data is a strong indication of the value of the protection SmartScreen provides, and of just how widespread socially-engineered malware attacks are on the web today.

While we were proud of the work that went into SmartScreen leading up to IE8’s release, we knew that it was only the beginning of our efforts. Microsoft’s commitment to Trustworthy Browsing didn’t end when we signed off on the final IE8 code-- the reputation services behind SmartScreen represent an ongoing investment that we strive to improve every day.

Eighty million blocks is an incredible number of attacks thwarted-- each malicious download blocked helps prevent compromise of that user’s computer. The other key numbers that I announced in March are holding strong, even with a rapidly expanding user base:

IE8 is delivering a malware block for approximately 1 out of 40 users every week
Approximately 1 of every 200 downloads is blocked as malicious

If you’re not running IE8’s SmartScreen Filter, I believe you are missing a key piece of protection to help ensure your safety on the Internet. IE8 users can ensure that SmartScreen is enabled by clicking on the toolbar's Safety button (or if you're in Show Only Icons mode) and examining the SmartScreen Filter submenu. If a “Turn on SmartScreen Filter” item is present, click it to enable protection.

Malware Block Effectiveness

Heading into the launch of IE8, the engineering team commissioned an independent study of SmartScreen Filter by NSS Labs. Our objective was to gather an accurate and independent baseline measurement of SmartScreen’s protection against socially engineered malware attacks. That baseline, run against the IE8 Release Candidate, allows us to validate our investments in improved intelligence and technology. Since then, we’ve made major investments in malware intelligence and rapid response systems to provide an ever-increasing level of protection for users.

NSS Labs has just completed a second round of studies on socially engineered malware attacks, and I’m happy to share the results. In this latest test pass, NSS found a 12% improvement in SmartScreen’s protection levels. Here’s the data from NSS Labs on the malware block rate for major browsers:

Microsoft’s reputation services team has other significant investments staged to launch in the next quarter, so I expect even better results in the near future.

Phishing Block Effectiveness

We’ve spent quite a bit of time talking about the socially engineered malware threat because it is currently the biggest problem users face. However, phishing remains a prevalent and important threat to users as well. We’re continuously making improvements to our data sources and intelligence systems that deliver phishing protection. This continuous investment keeps IE in the market-leading position it established with the release of the Phishing Filter in IE7. Since then, Internet Explorer 7 and 8 have blocked over 125 million phishing attacks.

The newest NSS study included a test pass for phishing blocks. NSS Labs reported the following block rate for major browsers:

You can view the full NSS study at http://nsslabs.com/browser-security.

I hope that the internal data I’ve shared today and the results of the NSS testing are a clear indicator of our commitment to Trustworthy Browsing, and our ongoing execution against that promise.

Thanks,
-Eric Lawrence