IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Tagged Content List
  • Blog Post: Managed Code Browser Extensions

    I love the .NET Framework. I’ve been programming in C# since 2001, I spent much of my free time for a decade building Fiddler on .NET, and I now code in C# for a living. .NET provides a fantastic, highly-productive platform suitable for building a huge range of tools and applications, and as it...
  • Blog Post: Windows Server as a Workstation

    Back in the Windows 2003 timeframe, Microsoft had a problem. The security press of the time liked to put out charts showing which operating systems had the most vulnerabilities. Windows 2000 wasn’t looking so hot, owing to the fact that Windows 2000 Server had a full web browser built-in, “out...
  • Blog Post: “Everybody Lies”

    Today we present EricLaw’s 2nd law of Software: “If your software platform is sufficiently popular, and it offers a GetVersion API, that API probably lies.” Recently, a user of Telerik’s automated web testing product (Test Studio) filed a bug noting that they’d recently...
  • Blog Post: Authenticode and Weak Certificate Chains

    Recently, someone attempted to download a deprecated version of the Windows Script debugger. This tool was used to debug scripts prior to the introduction of more powerful, modern tools like those that are built into IE8 and later. The user emailed me when they encountered a very surprising outcome...
  • Blog Post: Best Practice: Get your HEAD in order

    To ensure optimal performance and reliability when rendering pages, you should order the elements within the HEAD element carefully. First, I’ll explain the optimal order, and then explain the reasoning for this structure. Optimal Head Ordering <doctype> <html> <head>...
  • Blog Post: Understanding Protocols

    For over a decade, Internet Explorer has enabled developers to extend the browser with new URL protocol schemes. These protocols can be one of two types: Asynchronous Pluggable Protocols - COM objects that implement the IInternetProtocolRoot interface and return content to URLMon, usually for rendering...
  • Blog Post: Consent and Browser Refreshes

    Modern browser APIs like the GeoLocation API are designed to have an asynchronous consent experience, whereby the API simply will not undertake a privileged action until the user consents. Unfortunately, many browser features like popup windows and ActiveX controls were designed before privilege limitations...
  • Blog Post: The Web Browser Control and the Silent Flag

    Applications that host the Web Browser Control have the opportunity to set the Silent flag to suppress all dialogs that the web browser control may generate. In some cases, this is useful, because it can help ensure a “quiet” user experience without unexpected popups. Current versions...
  • Blog Post: Proper Content-Type Header Syntax

    I’ve previously mentioned one site that wasn’t working properly due to sending a malformed Content-Type header. Today, I encountered another site with a similar problem, but in a subtly different way. Looking at the IE9 F12 Network tab, you can see the problem: As you can see...
  • Blog Post: A Security Prompt that makes you go “Huh?”…

    Every few months, a Microsoft employee will send me an email complaining that Internet Explorer showed them the following dialog: This page is accessing information that is not under its control. This poses a security risk. Do you want to continue? …and they don’t understand...
  • Blog Post: Understanding Local Machine Zone Lockdown

    Recently, a colleague sent me an email which provided a flashback into my own past: Hey, Eric-- Why do we show this when opening HTML locally? What are we protecting the user from? -Ben I myself had sent an email with almost the same text nearly seven years ago, and the surprisingly...
  • Blog Post: Everything you need to know about Authenticode Code Signing

    In today’s post, I’ll be discussing the use of Authenticode to sign software programs; this post will be of interest primarily to software developers. Large software companies (like Microsoft) often have an entire team dedicated to the code-signing and release process, but even (especially...
  • Blog Post: IE9 - Debugging a Canvas Game

    A few weeks ago, I discussed one compatibility issue we’d found when running a new HTML5 game. The game’s developers quickly fixed their site to return a proper character set declaration and we were able to get the game running in IE9. However, after playing the game for about 5 seconds...
  • Blog Post: IE9 No-Reboot Setup and the Windows Restart Manager

    On Windows 7, Internet Explorer 9 can often be installed without rebooting the system. In cases where a system restart is required, either the system lacks one of the required prerequisites (so IE Setup is forced to install it and reboot) or a running program or service is holding one of Internet Explorer’s...
  • Blog Post: File Download and Filenames

    Several months ago, I blogged about IE’s support for International Filenames on Downloads. Today’s post is a bit simpler and describes two cases when IE may rename downloaded files. Filename Extension and QueryString Parameters If a file download HTTP response does not contain a Content...
  • Blog Post: IE and the Security Development Lifecycle

    Microsoft's Security Development Lifecycle describes how we engineer security into our products. Earlier this year, Security Program Manager Mark Shlimovich wrote a detailed whitepaper about how SDL was applied to IE8, providing "behind the scenes" insights into the security engineering that went into...
  • Blog Post: Certificate Enrollment from the Browser

    Back in Windows XP, an ActiveX control known as XEnroll could be used from the browser to request digital certificates on the client’s behalf. Certificate authorities and others would use this control when a customer purchased a certificate for code signing, server authentication, or other purposes...
  • Blog Post: Combating ClickJacking With X-Frame-Options

    Back in January of 2009, I announced IE8’s support for a new header-specified directive: X-Frame-Options, that can be used to mitigate ClickJacking attacks. As a declarative security measure, X-Frame-Options has minimal compatibility impact, but requires adoption by clients and servers in order...
  • Blog Post: Understanding the Protected Mode Elevation Dialog

    Internet Explorer 7 introduced Protected Mode, a feature which helps ensure that the browser and its add-ons run with a minimal set of permissions. Code running inside the “Low Rights” process doesn’t have permission to write to your user-profile’s folders or registry keys, which helps to constrain the...
  • Blog Post: Understanding DEP/NX

    Despite being one of the crucial security features of modern browsers, Data Execution Prevention / No Execute (DEP/NX) is not well understood by most users, even technical experts without a security background. In this post, I’ll try to provide some insight into how DEP/NX works, explain why...
  • Blog Post: The User-Agent String: Use and Abuse

    When I first joined the IE team five years ago, I became responsible for the User-Agent string. While I’ve owned significantly more “important” features over the years, on a byte-for-byte basis, few have proved as complicated as the “simple” UA string. I (and others...
  • Blog Post: Two New Tools Available from the SDL Team

    Yesterday, IE Team alumnus Jeremy Dallman posted over on the Security Development Lifecycle team’s blog, announcing the release of BinScope and MiniFuzz. These two tools are part of the toolset that the Internet Explorer team uses to help verify the security of our product code. If you’re building...
  • Blog Post: My Favorite IE Add-on: Ralph Hare’s Mouse Gestures

    Unfortunately, I spend a lot of time dealing with problems users encounter when using Internet Explorer. As a result, when I write about add-ons, I’m usually talking about misbehaving code that is wrecking the browser. However, it’s not all doom-and-gloom out there, and I’m delighted...
  • Blog Post: IE and the Accept Header

    RFC 2616 describes the Accept request header as follows: The Accept request-header field can be used to specify certain media types which are acceptable for the response. Accept headers can be used to indicate that the request is specifically limited to a small set of desired types, as in the case...
  • Blog Post: The Privacy Impact of Add-ons: New APIs for IE8

    By default, when starting a new session using IE8's InPrivate Browsing feature, toolbars and Browser Helper Objects are disabled. This is done to help protect the user's privacy: many toolbars and extensions maintain their own navigation/search/etc history lists, and such lists could violate the user...
Page 1 of 2 (26 items)