Using Frames More Securely

re: Using Frames More Securely

Rob Scott — Tue, 12 Feb 2008 15:17:40 GMT

If you want the content to be searchable and indexed, then an IFrame is not the way to go, however, they are great for delivering separate (and disparate) content, and for security reasons as you rightly state.

I use IFrames a lot, but they are relatively limited. I also dislike the fact others can effectively show my content with their own ads / messages next to it using iframes.

re: Using Frames More Securely

Derek Pavatte — Wed, 30 Jan 2008 04:16:53 GMT

iframes sound practical. I'm unconvinced as to why everybody doesn't use them. It's just like user a "hacker-safe" program.

re: Using Frames More Securely

vincentmtb — Sat, 26 Jan 2008 10:01:25 GMT

I have never used iframes. Anyway, for the webdevs who still use them, it's good to discuss :).

re: Using Frames More Securely

steve — Thu, 24 Jan 2008 02:52:16 GMT

Gordon, doesn't sound like you have a lot of customers, or you would know the problems that come with what you are suggesting. Once you start adding outsiders to your qualified persons bug list, it can be hard to stop. Best way is to use corporate relations and partner programs so Microsoft can qualify people before they can access such a thing. That leaves out little people (who might be talented), but it insures weighed opinions on the matters. If the comments across this blog are any indication, most bugs will be "IE Sucks," script kiddies will try and flood it, etc., etc.

I think the problem is that many webdevs think that they deserve to be on the bug list because they are so smart (and thus, likely frustrated by IE's bugs). MS must do a cost/benefit analysis to see if appeasing such a group is worth it. Personally, I can see not wanting to do that until the product is more up to date so as to eliminate all the "FF3 has xyz, you don't, it is therefore a bug" stuff. So perhaps in the future, maybe the IE8 timeframe, it might happen. If it's worth it to appease non paying customers. I think it is, so maybe MS will too.

re: Using Frames More Securely

Gérard Talbot — Tue, 22 Jan 2008 12:38:19 GMT

John,

Believe it or not, I've been trying to reach you yesterday about your MADD bug. I successfully was able to report to Microsoft Security Response Center (MSRC) a webpage

http://www.gtalbot.org/BrowserBugsSection/MSIE7Bugs/#bug92

inspired by your September 2nd 2006 MADD webpage post in IE blog. To make a story short, yes, it can be quite difficult to report a serious problem to Microsoft.

> WHEN has Microsoft suggested using conditional comments?

"In mid October, the IE Blog urged developers to stop using CSS hacks to workaround IE's problems, and start relying on Microsoft's proprietary conditional comments."

http://www.webstandards.org/2005/11/03/ie7-conditional-comments/

"We ask that you please update your pages to not use these CSS hacks. If you want to target IE or bypass IE, you can use conditional comments ."

http://blogs.msdn.com/ie/archive/2005/10/12/480242.aspx

Regards, Gérard

re: Using Frames More Securely

John A. Bilicki III — Tue, 22 Jan 2008 07:57:35 GMT

Frames are useful when used correctly, almost never. However it's obvious people in positions of power (be it assigned of self-proclaimed) abuse the required objectivity for such position: hence the lack of target attribute in XHTML without a CSS property. Another example is the vanity of the HTML5 working group to proclaim HTML5 will be the last version of HTML ever (as implied by the severally lacking Doctype which lacks a version number and thus implies it will be the last version of HTML).

@ Gérard - I agree with your second point. Every frigin time I painstakingly made a quality report using correct terminology, accurately describing the bug, and testing it in numerous other browsers I would only see it disregarded as a duplicate of an already existing bug made by someone who might as well have been reporting it as if they couldn't put out a fire on their head until they entered in x number of characters in x number of required fields!

Also...WHEN has Microsoft suggested using conditional comments?

re: Using Frames More Securely

Gérard Talbot — Tue, 22 Jan 2008 04:37:55 GMT

@Gordon

>we expect and deserve to be treated better

I absolutely agree with you on this. We should have all said so starting in 2001, 2002, 2003 and 2004. The only way to communicate such "respect me better, treat me better" demand to Microsoft at that time was to download and install a better browser, at that time, like Mozilla 1.6+ or Opera 7+.

> You want to know about legitimate bugs so that you can fix them.

Such list of bugs is already known to Microsoft. Visit my IE 7 bugs webpage.

> we need to know (just as much) about these bugs

Visit my IE 7 bugs webpage. All the bugs (reproducible, with well coded testcase, links, test suites, etc) are listed.

> so that we can avoid them,

Install, download and use Firefox 2 (or Firefox 3) and/or Opera 9.5 and/or Safari 3.0.4. And keep your better browser updated with latest available version. Realistically speaking, there is nothing better to do *right now* to avoid them.

> or workaround them,

Use conditional comments. Not a perfect or ideal solution but the best right now according to a large, wide consensus. Even Microsoft suggests conditional comments.

Above all, use true CSS forward-compatible workarounds, solutions. CSS hacks are bad, increasing DOM tree with <br> is bad, extra wrapping <div> is bad idea.

> or ensure we update our systems (or client's systems) to avoid problems.

Put a browsehappy.com button or alternativebrowseralliance.com button somewhere in your webpages... and a code conformance policy webpage and an accessibility policy webpage. I've seen good webpages of this sort. Right now, realistically speaking, there is nothing better to do.

Your users should not be upset just because there is a small layout glitch here, a minor misalignment, a barely noticeable layout difference (like a dashed border instead of a dotted border) between IE and other good browsers.

Regards, Gérard

Public Bug Tracking System

Gérard Talbot — Tue, 22 Jan 2008 03:26:36 GMT

@Gordon

1- The nr 1 problem with a public bug tracking system (PBTS) is that Microsoft would get a mix of bug reports regarding IE 6 specifically, regarding IE 7 specifically and regarding IE 6 and IE 7 but fixed in IE 8 (or about to). Considering that the userbase of IE is several hundreds of millions, you would get most likely a lot of noise and very little useful signal... and a huge amount of time, energy, personel to untangle all this. So, IMO, it's not worth it *at this time*.

Once IE 8 beta 1 is out, then it would make a lot of sense to provide a PBTS for IE 8 only and specifically and with insisting that people follow bug writing guidelines. Such IE 8 PBTS would allow to track a list of bugs occuring in IE 8 and then check/follow-up for regression.

2- If you visit and surf places like bugs.webkit.org or bugs.kde.org or even bugzilla.mozilla.org, you will see/notice that the objective quality (usefulness, reduced testcase, clear report, etc) of bugs being reported varies a lot. I remember a regular mozilla bugzilla stating that even an important minority of confirmed bugs' objective quality was overall not that good. Again, you want efforts/typing/time of employees to be concentrated on fixing bugs, not on untangling very poorly written webpages, on resolving as duplicates (DUP), etc..

3- Right now, Microsoft can view, examine, investigate at least 750 bug reports - excellent bug reports regarding spec violations, well written, well built - that actually happen in IE 7. They just have to visit the webpages of Bruno Fassino, Alan Gresley, Simon Pieters, Robin Lionheart, Ingo Chao, David Hammond, Dan, Tino Zijdel, Nick Rigby, Ingo Turski, incutio.com, Mark Wilton-Jones, etc..., and my IE 7 bugs webpage. So, right now, there is *no urgent, no immediate need* to implement a PBTS. You see, there are already so many bugs being reported and bug reports with good working quality that Microsoft can go and jump immediately into *fixing* those already well-defined bugs. And here, I'm not even mentioning the official CSS 2.1 Test suite (and other official test suites) and Ian "Hixie" Hickson extensive test suite (covering CSS, DOM, HTML) for browsers.

And here, I'm not even mentioning unsupported DOM 1 and DOM 2 attributes, methods, interfaces and unsupported CSS 2.1 properties.

4- Microsoft's agenda is not the web authors' agenda nor the web standards movement's agenda. There are some common denominator, overlapping areas of agreement when one superpose, overlap those 3 agendas. Microsoft's main/primary goal, primacy is making its share holders happy and about profitability. Microsoft is a business, profit-driven. You can not say the same with KDE, Mozilla, WebKit, TKHTML, etc. So a solution, a perfect tool applying to them may not be transposed, transferred, just like that, to Microsoft. Even Opera does not have a *public* bug tracking system.

Regards, Gérard

re: Using Frames More Securely

MARCOS — Tue, 22 Jan 2008 03:25:08 GMT

i strongly desagree with ie is the worst browser. sure there is a list of browser not so good and i think soon we wil have a different idea about it.

re: Using Frames More Securely

Webhosting — Mon, 21 Jan 2008 22:32:25 GMT

In my opinion, now IE is the worst browser ever. If it's not bundled with the OS, no one will use it...