Back in September, I published a list of minor changes in IE9 Beta. In today’s post, I will provide an updated list of things that have changed in the IE9 Release candidate. Note: This list also includes a few changes that were present in Beta that I didn’t mention at that time. Of course, because there are thousands of changes that I will not be covering, please do not mistake this for a comprehensive list, and please note that I'm deliberately skipping over the big feature improvements that will be discussed on the IEBlog.

Improvements in IE9 that impact issues or features previously discussed on this blog can be found by searching for the tag BetterInIE9.

Standards / Interop Improvements

• Navigation triggered by window.location manipulation now sends a HTTP Referer header.
• The postMessage() API now has asynchronous behavior for IE9 mode pages.
• IE9 will download the FavIcon for a LINK REL="ICON" tag if a TYPE attribute is present with value "image/x-icon".
• When in IE9 Browser Mode, IE now sends context-specific ACCEPT headers.
• globalCompositeOperation support was added to CANVAS.
• CANVAS supports toDataURL() after drawing same-origin VIDEO content. Note: The toDataURL() method incorrectly returns a trailing null byte at the end of the string; the fix for this just missed the RC build.
• Several network cache correctness (age vs. max-age, Expires < Date) and clock-skew issues were fixed.
• In IE9 standards-mode only, we now always encode FORM data as UTF-8 if the Accept-Charset attribute is present with the value “UTF-8”. The design of FORM encoding in IE8 and earlier was to use the encoding of the submitting page by default. Only if the FORM specified Accept-Charset=UTF-8 and the form contained text that could not be encoded in the page's encoding, would IE8 and later submit the form data using UTF-8.
• IE8 and IE9 Standards mode now correctly handle BASE tags that use the file:// protocol.
• When uploading files from pages in IE9 document mode, IE will no longer send PNG and JPEG files with the pre-standards MIME types (image/x-png and image/pjpeg). Instead, IE will send image/png and image/jpg. Behavior in legacy modes is unchanged.
• SCRIPT tags now fire an onload event.
• File downloads may specify non-ASCII names by adding a filename* token to the Content-Disposition: attachment header. IE9 supports RFC5987 for UTF-8 filenames in the filename* parameter.
• For IE9 Browser Mode, localStorage and sessionStorage evaluate the protocol/scheme when isolating storage per-origin.
• The intrinsic size (up to 128x128) of a custom cursor is respected in IE9 document mode. Legacy IE modes scale all cursors to 32x32.
• window.prompt() no longer triggers a security warning when called from the Internet zone.
• Input and button elements inside anchor tags will now navigate if clicked.
• The XMLHttpRequest object will create a responseXML document property if the server returns a MIME-type ending in +xml. Previously, the document would only be created for text/xml or application/xml.
• FTP View now works properly with Unix FTP servers that have advanced permissions set.

Networking

• SOCKS v4 proxies are supported again after being broken in IE9 beta.
• Visiting pages on the Visual Studio Test Server (e.g. by hitting F5 in an ASP.NET web project) no longer shows Page Cannot Be Displayed errors (Connect #601047)
• The FindMIMEFromData function used for MIME-sniffing now ignores any querystring component in pwzURL, if present.
• Premature FIN detection was removed from WinINET. This is the subject of a future blog post.
• Space characters embedded within Download filenames are no longer replaced with underscore characters.
• Executable file downloads are no longer renamed when run from the cache.
• When evaluating which, if any, registered MIME Filters to load, URLMon will now ignore the charset attribute in the server-specified Content-Type header.
• If IE encounters a file download that is delivered with the wrong MIME type and is sniffed to .ZIP, it will not treat that file as a zip file if the file extension is on a list of known formats that are ZIP-derived. That list contains [".zipx", "accdt", "crtx", "docm", "docx", "dotm", "dotx", "gcsx", "glox", "gqsx", "potm", "potx", "ppam", "ppsm", "ppsx", "pptm", "pptx", "sldx", "thmx", "vdw", "xlam", "xlsb", "xlsm", "xlsx", "xltm", "xltx"].
• Fixed IE9 Beta introduced regression whereby content delivered via the RES protocol was interpreted using an incorrect MIME type. That bug broke a number of applications.
• For a file delivered as text/plain, if non-text characters are found (octets outside the 9-13, 27, 31-255 range), IE will treat the file as not really being text/plain and will trigger a file download dialog.
• Downloaded files can now be saved from HTTPS sites even when sent with no-cache headers.
• The XDomainRequest object no longer always fails when IE is running in InPrivate Browsing mode.
• The proxy bypass list now supports a <-loopback> token enabling proxying of traffic sent to 127.0.0.1 or localhost.
• When constructing the UserAgent string, IE9 no longer reads the Pre and Post Platform registry keys under \Internet Settings\User Agent\. It only reads those keys under \Internet Settings\5.0\User Agent\.

• The about protocol no longer triggers Mixed Content Notifications.

Security

• The prefix JavaScript: is stripped from any text pasted into the IE9 address bar. This mitigates a socially-engineered XSS attack common on social networks wherein users were tricked into performing self-inflicted XSS injections upon themselves.  No, CTRL+C,ALT+D,CTRL+V, ENTER will not give you magical powers. 
• Interoperable :visited link protection was added to mitigate CSS History Probing. Unsupported styling patterns are now logged in the F12 Developer Tools console.
• CSS MIME-type validation introduced in IE9 Beta was extended. Now, regardless of document mode or origin, if X-Content-Type-Options: nosniff is specified, the “stylesheet” MUST have a Content-Type of text/css or it will not be applied.
• Pinned Site Mode treats certificate errors as fatal (with no override link). Combined with the fact that the pinned site itself can be pinned with a proper HTTPS URL, several “man-in-the-middle” threats are thwarted when a secure site is pinned to the taskbar.

Miscellaneous Changes

• The window.navigator.appMinorVersion value was changed from “Beta” to “RC”. For the final release, it will be set to “0”.
• In-place shell navigation within the Web Browser Control is no longer blocked.
• .NET Framework XAML Browser applications (XBAPs) no longer run from the Internet zone; they still function in the Local Intranet and Trusted Zones.
• The Format JavaScript option was added to F12 Developer Tools Script tab configuration button.
• Direct Intranet Navigation is now possible. The Go to an intranet site for a single word entry option was added to Tools > Internet Options > Advanced. This allows you to prefer Intranet-navigation over automatic search behavior.
• Drag/drop of favicon to desktop create and launches "sitemode" browser instance. Hold SHIFT to get the legacy behavior of adding a basic shortcut.
• After forced restart (Windows Update), IE9’s tabs will be correctly restored.
• IE9 features improved support for “Bookmarklets”—URL length limits were relaxed and several security prompts were tuned.

• The New Tab Page now shows HTTPS pages unless the option “Do not save encrypted pages to disk” is set.

Performance Improvements

• Myriad network performance improvements were made. These will be subject of an upcoming post on the IEBlog.
• Major performance improvements were made to the XSS Filter.
• Major improvements were made to performance of many CANVAS operations.
• Significant responsiveness improvements were made when a CSS download is pending.
• Find-on-page performance (especially when searching large documents) is dramatically improved.

You can read about other changes at IE9 on MSDN and examine the IE9 RC Release Notes. The team will be posting deep-dive details about major new features in IE9 over on the IEBlog.

That's it for now… I hope you enjoy the IE9 Release Candidate, available for download here.

-Eric