Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect...

In Part 1 of this series, I described how Same Origin Policy prevents web content delivered from one origin from reading content from another origin. (If you haven’t read that post yet, please do start there.) In today’s post, we’ll look at what restrictions are placed on writing...

Recently, the IESG approved publication of a new Internet-Draft defining the HTTP/308 status code (Intended Status: Experimental). This status code is defined as the "Permanent" variant of the existing HTTP/307 status code. Recall that HTTP/307 was defined back in 1999 to remove the ambiguity around...

This crossed my Twitter stream earlier today: I’m not sure why we need a public service announcement to notify folks that Internet Explorer is behaving properly, but I guess there’s no harm in that. However, based on the lack of information provided, and the implication that this...

While most file downloads are quickly and successfully completed, some large downloads take a long time to complete, and may be interrupted in the middle by either the user choosing to “Pause” or due to networking glitches (e.g. WiFi connection dropped). One of the significant...

These days, I struggle to find time to keep up with all of the tech news, but there are a few streams I make a special effort to stay on top of. Ex-Internet Explorer Dave Risney posts items of interest about URIs, web standards, FiddlerCore and myriad other interesting goodies over on his blog . ...

I’ve previously mentioned one site that wasn’t working properly due to sending a malformed Content-Type header. Today, I encountered another site with a similar problem, but in a subtly different way. Looking at the IE9 F12 Network tab, you can see the problem: As you can see...

I recently encountered a blog that isn’t looking right in IE9: The site renders just fine in other browsers, and when the page is put into Compatibility View by ticking the icon in the address bar: What’s going on here? It’s clear that a stylesheet isn’t...

Technical Evangelist Giorgio Sardo just published a great post about HTML5 Canvas, responding to some concerns about bugs in the IE9 Beta. The post also takes a quick look at cross-browser interop for the Canvas object. It’s definitely worth the read: http://blogs.msdn.com/b/giorgio/archive...

Update : Internet Explorer 10 now supports CORS using XMLHTTPRequest . In Internet Explorer 8, the XDomainRequest object was introduced. This object allows AJAX applications to make safe cross-origin requests directly by ensuring that HTTP Responses can only be read by the current page if the data...

The request/response nature of HTTP works very well for traditional web pages, but to build dynamic AJAX applications, it’s often desirable for the server to be able to send data to the client on its own schedule. You could imagine, for instance, scenarios like an online game, or an event viewer...

Web browsers use domain names for a variety of purposes, but how they’re used is much more complicated than most developers realize. In this post, I’ll attempt to cover the most important aspects of this topic. Definitions When talking about “domains” the terminology alone...

IE8 introduced support for some of the more stable features in the HTML5 spec. However, web developers have reported some problematic scenarios in IE8's support for these features, as described below. 1. postMessage only works for IFRAMES/FRAMES The HTML5 postMessage function provides a great way...

Despite its role as the cornerstone of web application security, it’s clear that many (most?) web professionals do not understand Same Origin Policy (SOP), or hold one or more misconceptions about what SOP requires. It’s a big topic, and I don’t plan to address it all on this quiet...

Over the five years I’ve worked on Internet Explorer, I’ve probably seen more questions from the community about HTTP cookies than on any other topic. Cookies are an integral component of most websites in use today, and hence problems or unexpected behaviors with cookies tend to get a lot...

Protocol Restriction Internet Explorer's native XMLHTTPRequest object permits requests to HTTP and HTTPS only; requests to FILE, FTP, or other URI schemes are blocked. Update : IE10 XHR supports CORS . Method Restriction The object permits only the following HTTP methods: "GET", "POST", "HEAD", "PUT...

Q: Eric, you mentioned that the IE8 Web Browser Control, hosted in Forms / WPF, runs in IE7 emulation mode by default. Is there a way to turn the emulation mode off and have the control work in "real" IE8 mode? A: Yes. This is controlled by a feature control key. See Matt Crowley's post on Rendering...

RFC 2616 describes the Accept request header as follows: The Accept request-header field can be used to specify certain media types which are acceptable for the response. Accept headers can be used to indicate that the request is specifically limited to a small set of desired types, as in the case...

My thoughts about Mozilla's Content Security Policy proposal were just published over on the IEBlog. I actually have quite a bit more to say (at even greater length :-) about declarative security mechanisms, and some more technical feedback specific to CSP. I hope to make a number of posts on this topic...

Background One of the interesting attacks which makes the rounds every few years concerns the ability of web pages to use CSS to detect whether or not certain URLs have been visited. Given a sufficiently large set of URLs to probe, a website may be able to develop an interesting profile of where your...