PRS203_Wilson

What’s New In Internet Explorer 7?
PRS203
Chris Wilson
Group Program Manager, IE Platform & Security
Microsoft Corporation
1
Internet Explorer
Many different things to many different people
U: End users
D: Web designers
A: Web application developers
C: Commercial developers of IE add-ons
I: Infrastructure: network admins, CAs, etc.
2
Pillars of Internet Explorer 7
Amazing User Experience
Secure and Trustworthy Browsing
Powerful Web Developer Platform
3
Amazing User Experience
Browse…Search…Subscribe
Tabbed Browsing
High-quality page zoom
Great new print experience
Integrated subscription platform
Audience: U
4
Demo
IE7 User Experience
5
Amazing User Experience
Flexible Subscription platform
We provide…
Feed Discovery (in IE)
Common Platform
Feedlist, storage, parser, sync engine
List extensions to RSS
Audience: U, D, A
6
Amazing User Experience
OpenSearch 1.1 and extending search
An open way to describe search providers
Developed in cooperation with A9.com
Provided under Creative Commons license
OpenSearch 1.1 Description Document
Allows search output in HTML as well as RSS
Script API prompts user to add provider:
window.external.AddSearchProvider("http://mysearch.com/search.odd")
Audience: U, D, I
7
Secure and Trustworthy Browsing
Security is job #1
Dynamic protection against web fraud
Full user control over add-ons
Advanced malware protection
Audience: U, D, A, C, I
8
Secure and Trustworthy Browsing
Dynamic protection against web fraud
Anti-phishing service integrated into IE
User experience highlights security
Clear secure connection user experience
Pop up windows identified with their URL
“One Click Cleanup” feature to wipe history, cache, etc.
Integration of Parental Control (Vista)
Audience: U, D, A, I
9
Demo
IE7 Trustworthy Browsing – Web fraud protection
10
Secure and Trustworthy Browsing
Full control over add-ons
Explicit user consent is required on first run of installed ActiveX controls
Users can easily enable preinstalled controls through the same Info Bar as new controls
Add-ons Disabled Mode for recovery
Audience: U, D, A, C, I
11
Secure and Trustworthy Browsing
Impeding critical exploits – URL handling
Special characters complicate URL parsing, e.g. http://[email protected]
URLs are often passed as strings, and some components parse inconsistently
In IE7, we have a single URL parsing object
This API (IURI) is exposed for other apps to use
Also adds International Domain Name (IDN)
Secure defaults to prevent spoofing
Audience: U, C, I
12
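The parsing inconsistency described on the URL handling slide, as an added example (not code from the talk or from Internet Explorer): a hypothetical ad-hoc host extractor, naiveHost, is compared against one shared parse by the standard WHATWG URL class in a hypothetical helper, inspectUrl. All URLs are constructed samples on reserved test domains.

```javascript
// Added example: naiveHost and inspectUrl are hypothetical helpers.

// Ad-hoc string parsing of the kind the slide warns about: the host is
// assumed to end at the first ':', '/', '?', '#' or '@' after the scheme.
function naiveHost(raw) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/:?#@]+)/i.exec(raw);
  return m ? m[1].toLowerCase() : null;
}

// One canonical parse shared by every caller, plus flags a reviewer or a
// log pipeline can act on.
function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  const flags = [];
  // Text before '@' is userinfo, not the host the request goes to.
  if (u.username || u.password) flags.push("userinfo");
  // The canonical host of an IDN is its ASCII (xn--) form.
  if (u.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    flags.push("idn");
  }
  // Any component still using the ad-hoc parser would see a different host.
  const naive = naiveHost(raw);
  if (naive !== u.hostname) flags.push("parser-disagreement");
  return { ok: true, host: u.hostname, naive, flags };
}

// Constructed sample inputs.
const samples = [
  "http://www.example.com/login",
  "http://www.example.com@other.test/login",
  "http://www.example.com:80@other.test/login",
  "http://bücher.example/",
];
for (const s of samples) console.log(s, JSON.stringify(inspectUrl(s)));
```
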
Secure and Trustworthy Browsing
Impeding critical exploits – cross-domain
javascript: protocol now runs in-page
Now, <img src="javascript:foo()"> doesn’t navigate – we strip “javascript:” off and run as script inside the page context
Objects handling data by reference must understand HTTP redirects
We’ve always had redirect notifications – but now we lock the data if the object doesn’t understand redirects. Objects that aren’t redirect-aware can’t get access to the data.
Audience: I
13
Secure and Trustworthy Browsing
Advanced malware protection
Malicious web pages often install malware or modify files by exploiting buffer overruns or other critical security exploits in IE or add-ons
Solution: Protected Mode
Reduces the severity of threats to IE and add-ons running in IE by eliminating the silent install of malicious code on the user’s system
Protects registry, file system from silent malware installs
Does NOT prevent running Win32 code
Audience: U, C, I
14
Secure and Trustworthy Browsing
Protected Mode summary
Protected Mode restricts IE from writing files outside of the Temporary Internet Files folder
IE’s process has fewer write privileges than normal User
Protected Mode builds on the Windows Vista Mandatory Integrity Control (MIC), which restricts writes
This means Protected Mode is Windows Vista only!
When IE needs to write outside of the TIF folder (e.g. File…Save As), we have a broker process with appropriate privileges to do so
Compatibility layer for add-ons to elevate privs
Audience: U, C, I
15
Secure and Trustworthy Browsing
Protected Mode changes ActiveX install
Same as XPSP2 with a new UAP credential prompt
Audience: U, C, I
16
Secure and Trustworthy Browsing
Protected Mode changes toolbar install
Same as XPSP2 with a new UAP credential prompt
Audience: U, C, I
17
Architectural Overview
[Diagram. Components shown: Internet Explorer 6 / Protected Mode Internet Explorer running the Ebay Toolbar and Quicktime ActiveX, at a Low Integrity Level (Low IL); Mandatory Integrity Control; User Broker (Medium IL); Admin Broker (High IL); Compat Layer.]
[Rights levels shown: Admin rights (High IL) required; User rights (Medium IL) required; Low rights (Low IL) required.]
[Operations shown: Install ActiveX and Toolbars; Download Docs; Save/Change Settings; Allow Add-ons to Elevate; Cache Web Content; Save/Change Add-on Settings.]
Audience: C, I
18
Secure and Trustworthy Browsing
Protected Mode – compatibility features
Intranet/Trusted Sites/LM don’t run in PM
Add-ons can restore impacted functionality
In-proc add-ons (ActiveX controls, toolbars)
File writes get re-routed to the TIF via compat layer
Registry writes get re-routed to a virtual registry
Can call “Save As” API to save files outside of the TIF
Out-of-proc add-ons (DocObject servers, etc)
Get Protected Mode’s restrictions by default
Can elevate privilege if user allows
Audience: U, C, I
19
Secure and Trustworthy Browsing
IE Compatibility Evaluator in XPSP2
Identifies features blocking app functionality
In the Windows App Compatibility Toolkit 4.0
Blogged on IEBlog in March: http://blogs.msdn.com/ie/archive/2005/03/17/398435.aspx
Audience: D, A, I
20
Powerful Web Dev Platform
“Don’t break the Internet”
“Quirks mode” stays the same - many platform changes are only in “strict mode”
We do change behavior under strict mode
<?xml> prolog doesn’t prevent strict mode
Audience: D, A, I
21
Powerful Web Dev Platform
Fixing the top problems
Fixed some serious issues in IE 6 layout
Incompatibilities with the latest CSS standard, as well as some nasty bugs in the engine
We’ve knocked out the top bugs on quirksmode.org and positioniseverything.net, as well as other problems
Audience: D, A, I
22
Powerful Web Dev Platform
Layout issues in short…
positioniseverything.net
Partial bug list
Peekaboo Bug
Quirky Percentages In IE6's Formatting Model
IE/Win Line-height Bug
IE6 Border Chaos
Disappearing List-Background Bug
Guillotine Bug
Unscrollable Content Bug
IE 6 Duplicate Characters Bug
Doubled Float-Margin Bug
Duplicate Indent Bug
Three Pixel Text Jog
Creeping Text Bug
Missing First Letter Bug
…and many more issues.
Audience: D, A, I
23
Powerful Web Dev Platform
Adding the most requested features
Added top requested standards features
PNG alpha channel support
All CSS 2 Selectors
First-child, adjacent, attribute, child etc.
CSS 2 fixed positioning
CSS 2 :hover pseudo-class works on all elements
Polished HTML 4.01 support
<abbr> element, <object> fallback
Audience: D, A, I
24
Powerful Web Dev Platform
Adding the most requested features
Native XMLHTTPRequest
Better enables DHTML/Atlas applications
No longer subject to ActiveX being enabled
<select> element now windowless
Can be visually layered w/ other elements
Even more complete documentation
Audience: D, A, I
25
Demo
IE7 Web Platform Advancements
26
Powerful Web Dev Platform
Web developer toolbar
IE toolbar providing a rich tool set for exploring DHTML and CSS with object model and visual tools
Downloadable Beta available shortly
Runs on IE6+
Audience: D, A
27
Demo
IE Web Developer Toolbar
28
Key Takeaways
We thought this Internet thing would be big one day…
We’re providing more containment as well as better arming users to make informed decisions about their system security
We’re working hard to improve our web platform
We want your continued feedback to put out better and better versions of the platform for you
My email address is [email protected]
(Please put “IE feedback” in the title, and please DON’T email [email protected] – he’s not the same guy)
29
Call To Action
What should you do?
Make sure your IE components (ActiveX, BHOs, toolbars) are prepared for changes
Give us feedback - [email protected]
Build web applications!
Use the rich platform of IE, DHTML, Atlas and WPF
30
Community Resources
At PDC
For more information on RSS, go see
DAT320: Windows Vista: Building RSS Enabled Applications
(Thursday @ 14:15)
Hands-on Lab: DATHOL08: RSS in Longhorn
For more on IE in general, or other specific issues:
PNL06: What’s Next for Microsoft’s Web Platform? (Friday @ 8:30)
Presentation Track Lounge: IE team members are hanging out there
Ask The Experts event: stop by the IE table
After PDC
IE Dev Center on MSDN: http://msdn.microsoft.com/ie/
IE Team Blog: http://blogs.msdn.com/IE/ - #1 on MSDN!
IE feedback alias: [email protected]
If you missed these related PDC sessions, watch them on the DVD
PRS200: Choosing the Right Presentation Technology
FUNL03: Case Study: Building a More Secure Browser in IE7
31
© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
32