Simon Willison’s Weblog

2020 Web Milestones (via) A lot of stuff is happening in 2020! Mike Sherov rounds it up—highlights include the release of Chromium Edge (Microsoft’s Chrome-powered browser for Windows 7+), Web Components supported in every major browser, Deno 1.x, SameSite Cookies turned on by default (which should dramatically reduce CSRF exposure) and Python 2 and Flash EOLs.

# 24th January 2020, 4:43 am / csrf, ie, python, javascript, flash, web, chrome, deno, samesite

Internet Explorer Platform Preview Guide for Developers (via) Lots of SVG and CSS3 stuff, no mention of canvas here either though.

# 16th March 2010, 6:36 pm / svg, css3, ie9, ie, microsoft, canvas, html5

An Early Look At IE9 for Developers (via) Surprisingly, no mention of SVG or canvas and only a note in passing about HTML 5.

# 16th March 2010, 6:11 pm / svg, canvas, html5, ie, ie9, microsoft

Internet Explorer: Global Variables, and Stack Overflows. An extremely subtle IE bug—if your recursive JavaScript function is attached directly to the window (global) object, IE won’t let you call it recursively more than 12 times.

# 2nd March 2010, 9:21 am / bugs, javascript, recursion, internet-explorer, ie

Internet Explorer Cookie Internals (FAQ). Grr... IE 6, 7 and 8 don’t support the max-age cookie argument, forcing you to use an explicit expiry date instead. This appears to affect the cache busting cookie pattern, where you set a cookie to expire in 30 seconds for any user who posts content and use the presence of that cookie to skip caches and/or send their queries to a master instead of slave database. If you have to use expires, users with incorrect system clocks may get inconsistent results. Anyone know of a workaround?

# 26th February 2010, 12:25 pm / caching, cachebusting, cookies, ie

Deep Tracing of Internet Explorer. dynaTrace Ajax looks like an awesome tool. For once, Internet Explorer has a development tool that other browsers can be jealous of.

# 18th November 2009, 8:06 am / dynatraceajax, ie, internet-explorer, debugging, javascript, ajax, john-resig

More technical details about Google Chrome Frame. It’s implemented as a Browser Helper Object, uses IE’s cookies, history and password-remembering, includes the WebKit developer tools and appends “chromeframe” to the regular IE user agent string—though not apparently the Chrome Frame version itself.

# 23rd September 2009, 10:20 pm / google, chromeframe, chrome, bho, ie

Introducing Google Chrome Frame. Here’s what Alex Russell has been up to at Google: An IE plugin (for 6, 7 and 8 on all Windows versions) which embeds the Google Chrome rendering engine—sites can then opt-in to using it by including a X-UA-Compatible meta tag. Seems to be aimed at corporate networks which mandate IE for badly written intranet applications—they can roll this out without retraining users to use another browser or breaking their existing in house apps.

# 23rd September 2009, 9:57 am / alex-russell, chromeframe, google, ie, webkit, chrome, xuacompatible

Microsoft backs long life for IE6. Oh FFS... “The software giant said it would support IE6 until 2014—four years beyond the original deadline.”

# 14th August 2009, 2:53 pm / ie6, ffs, microsoft, ie, browsers

Cross Browser Base64 Encoded Images Embedded in HTML (via) Scarily clever. View the PHP source to see what’s going on—most browsers get image tags that use data URIs starting with data:image/png;base64, but IE gets served a Content-type:message/rfc822 header and a MIME formatted multipart/related document, as used by e-mail clients to embed inline image attachments.

# 17th April 2009, 4:12 pm / hedger-wang, base64, browsers, ie, internet-explorer, mime, php

cufon. A promising alternative to sIFR, cufon uses VML on IE and canvas on other browsers to render custom fonts in the browser. You have to convert your font to JavaScript first, either using their free hosted tool or by installing the FontForge based server-side script yourself. The JavaScript encoded font file uses VML primitives to improve IE performance; the JavaScript library converts that to canvas calls for other, faster browsers.

# 6th April 2009, 10:29 pm / cufon, browsers, fonts, vml, ie, fontforge, sifr, typography, canvas, javascript

Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari. You just can’t trust browser security: Current versions of Safari, IE8 and Firefox all fell to zero-day flaws at an exploit competition. None of the vulnerabilities have been disclosed yet.

# 19th March 2009, 3:30 pm / pwn2own, browsers, security, firefox, safari, ie, ie8

Fixing IE by porting Canvas to Flash. Implementing canvas using Flash is an obvious step, but personally I’m much more interested in an SVG renderer using Flash that finally brings non-animated SVGs to IE.

# 15th March 2009, 1:34 pm / svg, flash, canvas, ie

Ehy IE8, I Can Has Some Clickjacking Protection? (via) IE8 has built-in protection against clickjacking, but it’s opt-in (with a custom HTTP header) and IE only. It turns out the usual defence against clickjacking (using framebusting JavaScript) doesn’t work in IE as it can be worked around with a security=“restricted” attribute on an iframe.

# 29th January 2009, 1:39 pm / clickjacking, ie, ie8, http, security, javascript, iframes

Microsoft: Big Security Hole in All IE Versions. Looks like a 0-day that’s being actively exploited.

# 16th December 2008, 8:26 pm / ie, security, 0day, internet-explorer, microsoft

The March of Access Control. The W3C Access Control specification is set to become a key technology in enabling secure cross-domain APIs within browsers, and since it addresses a legitimate security issue on the web I hope and expect it will be rolled out a lot faster than most other specs.

# 19th November 2008, 8:40 am / accesscontrol, john-resig, ie, browsers, security, crossdomain

On UI Quality (The Little Things): Client-side Image Resizing. Two neat tips for cleanly scaling down images in IE 6 and 7 from Flickr’s Scott Schiller.

# 12th November 2008, 11 pm / scott-schiller, flickr, imagescaling, ie

Obscure bugs revisited: IE, HTTPS and plugins. Filed for future reference: IE breaks mysteriously if you serve it up plugin content (e.g. Flash) over HTTPS with a no-cache header—it deletes the file from cache before the plugin software gets a chance to open it.

# 30th May 2008, 9:54 am / ie, internet-explorer, https, caching, plugins, flash, richard-terry, bugs

Reading binary files using Ajax. There’s a simple trick for Firefox, and (amazingly) you can get IE to play along using a function written in VBScript.

# 22nd April 2008, 7:02 pm / binary, ajax, ie, firefox, vbscript, javascript, xmlhttprequest

Flirting with mime types [PDF] (via) Different browsers have different rules for which content types will be treated as active content (and hence could be vectors for XSS attacks). IE uses a blacklist rather than a whitelist and hence rendered active content for 696 of the tested content types.

# 14th April 2008, 8:18 am / ie, internet-explorer, browsers, contenttypes, security, xss

CSS Compatibility and Internet Explorer (via) Official Microsoft guide to which CSS properties are supported by which versions of IE. This is the kind of documentation browser vendors should be providing as a matter of course.

# 2nd April 2008, 8:05 pm / css, microsoft, ie, documentation, standards

Gears 0.2 Released! New modules are HttpRequest and Timer, both for use within workers (which provide Erlang-style message passing concurrency). Particularly interesting is that the Gears HttpRequest module can be used for much cleaner Comet implementations in IE.

# 5th March 2008, 12:21 am / ie, google-gears, comet, javascript