How to Troubleshoot Apps for the Modern Connected Worker
Internet Explorer 8
1.
2. Internet Explorer® 8
Eduardo Castro
Grupo Asesor en Informatica
ecastro@grupoasesor.net
3. Window To Public
Platform for LOB Apps
Facing Website
Maintain Compatible
Secure IT With LOB
Environment Apps Build
Create User
Customer
Connection
Trust
Manageable Reliable
Compatible
With My
Does not Site
become cost
center
5. Server
Data, User
settings
Applications
Browser Becomes
The Platform
Browser
OS
Hardware
6. Customer
Management
Reporting Travel
Workflow PC Based
Browser Based Research
E-Mail Purchasing
Personal Use
7.
• Customer Connection: Your company has a website and does business on the web
• Customer Trust: Your business on the web relies on customer trust that the web is a safe place to do business
• Security: You care about the integrity of your business data, infrastructure and PCs
• Compatibility & Standards: Your company uses internal web apps and is building or buying more
• Supportability: Your users probably spend 2 hours or more in the browser every day
• Manageability: Keeping up to date with browser patches and updates is hard
8. Enable New Business Scenarios
Enterprise Ready
Reduces Security Risks
Improved Productivity
Improved Developer Platform
14. New
Suggestions with Results from History
Visual Search Returns Provider
Quickly Specify SearchImages with
Configure Multiple Search ProvidersResults
16. Compatible
Ready to Deploy
Robust and Flexible Management
Provides Better User Experience
17. Enterprise
Standalone Installation
Standard or custom installation package
Distributed Deployment
Active Directory®, WSUS, SCCM
Slipstream Deployment
Create Windows® installation image with Internet
Explorer 8
Windows and Internet Explorer updates can be
slipstreamed
Use Windows Automated Installation Kit
Custom Installation Packages
19. Your Users Are Spending More Time In The Browser
There Are Many Dangers on the Web
You Need A Browser Built For Business
20. Group Policy (over 1300 in IE8)
Control browser features, e.g. Turn on/off Phishing Filter
Configure browser features, e.g. home page, favorites
Enforce security settings, e.g. trusted sites
New features exposed through group policy
Support Infrastructure
Pay per incident support available to everyone
Support agreements for Windows OS include support for
Internet Explorer
Professional support organization provides issue
resolution
New in IE8 – Crash Recovery
Tabs isolated into separate processes – one tab crashing
does not bring down the browser
Crash recovery reloads tabs when they crash
22. Internet Explorer: Scheduled monthly updates on patch Tuesday
Firefox: 13 point releases since Feb 2007
23.
• Application Compatibility: Will our apps still work?
• Timing: Can I choose when it is delivered in my environment?
• User Experience: Will it require user interaction? Will it require a reboot?
24.
• Application Compatibility: See http://msdn.microsoft.com/iecompat
• Timing: Scheduled, notified updates on patch Tuesday; control distribution through WSUS
• User Experience: Many updates require a reboot (system level components)
25.
• Application Compatibility: META tag/group policy provides compatibility for Internet Explorer 7 apps
• Timing: Scheduled updates like Internet Explorer 7
• User Experience: Slipstream
26. Enterprise
Centralized Management of User Settings
Update settings using IEAK
Group Policy Enhancements
Greater control over Internet Explorer behavior
New Administrative Template
Many new and enhanced policy settings
Usage Scenarios
Configure Accelerators
Control InPrivate™ settings
Disable Developer Tools
27. Enterprise
Group Policy Enhancements
Turn off Compatibility View
Turn off Compatibility View button
Turn on Internet Explorer 7 Standards Mode
Turn on Internet Explorer Standards Mode for
Local Intranet
Use Policy List of Internet Explorer 7 sites
28. Enterprise
Group Policy Enhancements
IE8 plays an important role in helping protect
users against a range of attacks by offering new
security features like the SmartScreen Filter,
Data URI and Encryption support.
All of these security features are GP enabled so
the administrator can ensure their users are
safe and secure in corporate environments.
33. Phishing Filter
1M phishing
attempts blocked
per week
Extended Validation Certificates
5000 issued
to date
34. Updated
Safety Filter
Expanding scope
to incorporate
new threats
New
Domain Name
Highlighting
Helps the user
identify real
domain name
35. Secure
InPrivate™ Technologies
SmartScreen® Filter
Improved Process Model
Cross-Site and Mashup Security
ActiveX Security Technologies
Other Security Technologies
36. Targeted Phishing Attack
Phishing Filter evolves to SmartScreen™ Filter to
encompass malware threats
Domain Name Identification highlights the real
domain you’re browsing on
Exploit in Common ActiveX Control
Per-user ActiveX contains risk to single user
account.
Per-site ActiveX allows developers to restrict a control to
only their site/app
Compromised Partner Site
Cross Domain Requests object ensures data is
only shared after a mutual validation of identity
Cross-Site Scripting Filter helps protect users
against a compromised site
37. Secure
InPrivate™ Browsing
Blocking
Privacy Report
Improved Delete Browsing History
View restricted data from being saved
Prevents sites from sharing details
Keeps information from certain sites in visit
Delete personalor blocked cookies of yourbrowser
Review a site’s privacy summary history, etc.
Cookies, temporary Internet files, and Favorites
Retain cookies fromtemporary files forcertificate
Blocks content and third-party sites
38. Peace
SmartScreen Filter
Increases anti-phishing and anti-malware protection
Allows you to report unsafe sites to Microsoft
Malware Blocked
Notification
Phishing Site Warning
39. Internet Explorer 8 : SmartScreen™ Filter
http://207.68.169.170/fabrikam/index.html
http://207.68.169.170/contoso/enroll_auth.html
40. Secure
Standard users can
install
Run on current or
all sites
Reduced risk
Less administration
Per-User ActiveX
Per-Site ActiveX
41. Secure
Helps mitigate many memory-related vulnerabilities
by blocking code execution from protected memory
42. Secure
Security, compatibility and functionality
• Who? Per User: Doesn’t require elevating admin privileges
• Can it be used? Opt-in: Before it can be used (Internet Explorer 7)
• Where? Per site ActiveX: Developers can restrict to their site; can be requested by site owner
• Exploit Controls: Killbits: Pre Internet Explorer 8
43. Secure
XSS the new buffer overflow
Detects Type-1 (reflection) attacks
Steal cookies Launch CSRF
Log keystrokes Steal browser history
Deface sites Abuse vulnerabilities
Steal credentials Evade phishing filters
Port-scan the Intranet Circumvent HTTPS
44. Secure
Cross Domain Requests (XDR)
• Enables web developers to more securely communicate between domains
• Provides a mechanism to establish trust between domains through an explicit acknowledgement of sharing cross domain
• Both parties know which sites are sharing information
Cross Document Messaging (XDM)
• Enables two domains to establish a trust relationship to exchange object messages
• Provides a web developer a more secure mechanism to build cross domain communication applications
45. Secure
IE8 exposes a new method on the window object named
toStaticHTML. When a string of HTML is passed to this
function, any potentially executable script constructs are
removed before the string is returned.
// Accept messages only from the expected sender, and sanitize
// the payload before it is written into the page.
document.attachEvent('onmessage', function(e) {
    if (e.domain == 'weather.example.com') {
        spnWeather.innerHTML = window.toStaticHTML(e.data);
    }
});
Calling:
window.toStaticHTML("This is some <b>HTML</b> with embedded script following... <script>alert('bang!');</script>!");
will return:
This is some <b>HTML</b> with embedded script following... !
46. Secure
Unfortunately, many mashups use JSON insecurely, relying on the
JavaScript eval method to “revive” JSON strings back into JavaScript
objects, potentially executing script functions in the process. Security-
conscious developers instead use a JSON-parser to ensure that the
JSON object does not contain executable script, but there’s a
performance penalty for this.
Internet Explorer 8 implements the ECMAScript 3.1 proposal for
native JSON-handling functions (which uses Douglas Crockford’s
json2.js API). The JSON.stringify method accepts a script object and
returns a JSON string, while the JSON.parse method accepts a string
and safely revives it into a JavaScript object. IE8 exposes a new
method on the window object named toStaticHTML. When a string of
HTML is passed to this function, any potentially executable script
constructs are removed before the string is returned.
47. Secure
<html>
<head><title>XDR+JSON Test Page</title>
<script>
// Feature-detect XDomainRequest (introduced in Internet Explorer 8).
if (window.XDomainRequest) {
    var xdr1 = new XDomainRequest();
    xdr1.onload = function() {
        // Revive the response with the native parser instead of eval().
        var objWeather = JSON.parse(xdr1.responseText);
        var oSpan = window.document.getElementById("spnWeather");
        // Strip script constructs before the markup reaches innerHTML.
        oSpan.innerHTML = window.toStaticHTML("Tonight it will be <b>"
            + objWeather.Weather.Forecast.Tonight + "</b> in <u>"
            + objWeather.Weather.City + "</u>.");
    };
    xdr1.open("POST", "http://evil.weather.example.com/getweather.aspx");
    xdr1.send("98052");
}
</script></head>
<body><span id="spnWeather"></span></body>
</html>
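The difference between reviving a response with eval and with JSON.parse, as an added example that is not code from the presentation. The response bodies are constructed samples, the function names are hypothetical, and escapeHtml is a stand-in for toStaticHTML (which exists only in Internet Explorer) so the block runs under Node.js.

```javascript
// Constructed sample responses from the weather service (not real traffic).
const GOOD_BODY =
  '{"Weather":{"City":"Redmond","Forecast":{"Tonight":"rainy"}}}';
// Legal JavaScript but not legal JSON: eval() runs the embedded call.
const SCRIPT_BODY =
  '{"Weather":{"City":markVisited(),"Forecast":{"Tonight":"rainy"}}}';
// Legal JSON whose string values carry markup.
const MARKUP_BODY =
  '{"Weather":{"City":"<script>alert(1)</script>",' +
  '"Forecast":{"Tonight":"<b>dry</b>"}}}';

// Counts how often code ran on behalf of a response body.
let calls = 0;
function markVisited() { calls += 1; return 'Redmond'; }

// The pattern the slide warns about: the remote site chooses what executes.
function reviveWithEval(body) {
  return eval('(' + body + ')');
}

// JSON.parse accepts data only. Anything else throws SyntaxError, and the
// shape check rejects valid JSON that is not the expected weather object.
function reviveWithParse(body) {
  let obj;
  try {
    obj = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const w = obj && obj.Weather;
  if (!w || typeof w.City !== 'string' || !w.Forecast ||
      typeof w.Forecast.Tonight !== 'string') {
    return null;
  }
  return { city: w.City, tonight: w.Forecast.Tonight };
}

// Stand-in for toStaticHTML: encode values so they render as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Build the same sentence as the test page, from validated, encoded values.
function renderForecast(body) {
  const w = reviveWithParse(body);
  if (w === null) return 'Forecast unavailable.';
  return 'Tonight it will be <b>' + escapeHtml(w.tonight) +
         '</b> in <u>' + escapeHtml(w.city) + '</u>.';
}

console.log(renderForecast(GOOD_BODY));
console.log(renderForecast(SCRIPT_BODY));
console.log(renderForecast(MARKUP_BODY));
```

JSON.parse stops script in the response from running at parse time; the string values it returns are still untrusted and need sanitizing or encoding before they reach innerHTML.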
50. Secure
Like Windows
Explorer
Toolbars
Search
Providers
Accelerators
InPrivate™
Blocking List
InPrivate™
Subscriptions
51. Secure
Domain Name Highlighting
Application Protocol Prompt
File Upload Control
52. Secure
Improved Support for Accessibility Standards
Accessible Rich Internet Applications (ARIA)
User Interface Automation (UIA) Express
Adaptive Page Zoom
Intelligently zooms the page
Text and images fit within original page dimensions
57.
Compatibility and Interoperability: Spend more time innovating and less time special-casing
• Most standards-compliant (full CSS2.1 support) version of Internet Explorer
• Interoperability with other browsers means “write once, run anywhere”
• Compatibility modes for viewing/debugging content written for Internet Explorer 7 and Internet Explorer 5.5
Built-in Developer Tools: Develop, test and debug without leaving the browser
• Built-in developer toolbar enables debugging and performance tuning HTML, CSS, Javascript without leaving the page
• Code profiler for identifying performance issues quickly and easily
• Change Internet Explorer layout version on the fly to thoroughly test display scenarios
Rich, Innovative Experiences: Build the richest experiences on the Web
• AJAX support enhancements enable rich, dynamic experiences
• Web Slices
• Best cross-document/domain messaging implementation with XDR/XDM
• Improved display and scripting performance makes this the fastest Internet Explorer ever
• All right out of the box – no assembly required
58. Developer
Developers can specify layout engine
<meta http-equiv="X-UA-Compatible" content="IE=8" >
<meta http-equiv="X-UA-Compatible" content="IE=7" >
Consider using custom response headers in IIS7
60. 1. Identify browser
2. Serve right page
Page Built For Internet Explorer 6
Page Built For Internet Explorer 7
Page Built To Standards
I’m IE6, I’m IE7, I’m Safari, I’m Firefox
61. 1. Identify browser
2. Serve right page
Page Built To Standards
I’m Safari
I’m Firefox
I’m IE8
8
62.
8: Safari, Firefox and IE8 all display the same way
• Decide when your business can afford to stop supporting IE6 and IE7 to save your developers time
• But be aware IE6, IE7 and IE8 look the same to most web servers so be sure to send the right page to IE8
7&8: IE8 will display pages the same way as IE7
• But you need to tell IE8 to display that way
• See http://msdn.microsoft.com/iecompat to learn how to add the site compatibility META tag to your pages/server
6: IE6 is IE6
• Get tips on migration from IE6 to IE7 at http://msdn.microsoft.com/iecompat
64. Enterprise
Compatible with Internet Explorer 7
Ships with multiple layout engines
Application Compatibility Tools
Compatibility Mode Value | Render Behavior
IE=5 | “Quirks” mode
IE=6 | Internet Explorer 6 Standards mode
IE=7 | “Strict” mode
IE=8 | Internet Explorer 8 Standards mode
IE=edge | Uses latest standards that Internet Explorer 8 and any future versions of the browser support. Not recommended for production sites.
66. <meta http-equiv="X-UA-Compatible" content="IE=8" >
Standard Mode
(default)
Higher Web
Interoperability Standards
Existing
Internet
Explorer 7
Mode
<meta http-equiv="X-UA-Compatible" content="IE=7" >
67. Compatibility Mode Value | Render Behavior
IE=5 | “Quirks” mode
IE=7 | “Standards” mode
IE=EmulateIE7 | Display standards DOCTYPEs in Internet Explorer 7 Standards mode; Display quirks DOCTYPEs in Quirks mode
IE=8 | Internet Explorer 8 Standards mode
IE=edge | Uses latest standards that Internet Explorer 8 and any future versions of the browser support. Not recommended for production sites.
68. CSS 2.1 compliance
DOM Improvements
CSS 2.1 HTML Improvements
Acid2 Test compliance
This means
HTML
Data URI Support
Improved
Namespace
Support
And more
ACID 2
69. Developer
CSS 2.1 Compliance
Helps standardize web page development
DOM Improvements
Addresses Cross-browser inconsistencies
HTML Improvements
Upgraded support for presentational
elements
Take full advantage of HTML 4
Acid2 Test Compliance
71. Internet Explorer 8 Developer Features
Compatibility
Developer Tools
Build Rich Experiences
72. Developer Toolbar
Eases development and troubleshooting
Allows real-time testing, editing, debugging:
CSS and HTML
Script performance
DOM
Enables developers to rapidly prototype, test,
and deploy web sites
80. Developer
Browser components updated
Better Navigation
Uses window.location.hash and the onhashchange event
// Set up a handler for hash changes.
window.onhashchange = function()
{
    // location.hash includes the leading "#".
    if (window.location.hash == "#hashdata")
    {
        // Perform work...
    }
}
...
// Changing the hash fragment will raise onhashchange.
window.location.hash = "hashdata";
81. Integral to AJAX and Mashups
Data Shared
XDM:
// Page A posts message to a secure Page B.
document.postMessage("Hello world", "https://wingtiptoys.com");
// Page B on wingtiptoys.com
window.attachEvent("onmessage", HandleMessage);
// The message handler for incoming messages.
function HandleMessage(e)
{
    // Verify the domain and scheme match the ones we allow.
    if (e.data != "" && e.origin == "http://www.contoso.com")
    {
        ...
    }
}
XDR:
<script>
// Create an XDR object. Then open a connection and send data using POST.
var xdr = new XDomainRequest();
xdr.open("POST", "http://www.contoso.com/xdr.ashx");
xdr.send("argument=value");
// Set up an event handler for when the data is loaded.
xdr.onload = function()
{
    // Grab the response text.
    var response = xdr.responseText;
}
...
Rows: web page is in the following zone. Columns: web page is requesting data from a URL in the following zone.
Zone | Local | Intranet | Trusted (Intranet) | Trusted (Internet) | Internet | Restricted
Local | Allow | Allow | Allow | Allow | Allow | Block
Intranet | Block | Allow | Allow | Allow | Allow | Block
Trusted (Intranet) | Block | Allow | Allow | Allow | Allow | Block
Trusted (Internet) | Block | Block | Block | Allow | Allow | Block
Internet | Block | Block | Block | Allow | Allow | Block
Restricted | Block | Block | Block | Block | Block | Block
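The origin check in HandleMessage above, carried through as an added example that is not code from the presentation. The allowlist, the function names and the sample events are assumptions constructed for illustration; the point is that "verify the domain and scheme" has to be an exact comparison of the whole origin string.

```javascript
// Origins this page agrees to receive messages from (assumed allowlist).
const ALLOWED_ORIGINS = ['http://www.contoso.com'];

// Weak check: prefix matching also accepts look-alike hosts and other ports.
function weakOriginCheck(origin) {
  return origin.indexOf('http://www.contoso.com') === 0;
}

// Strict check: scheme, host and port must all match an allowlist entry.
function strictOriginCheck(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.indexOf(origin) !== -1;
}

// Handler in the shape used on the slide. Returns the accepted text, or
// null when the sender or the payload is not acceptable.
function handleMessage(e) {
  if (!strictOriginCheck(e.origin)) return null;
  if (typeof e.data !== 'string' || e.data === '') return null;
  return e.data;
}

// Constructed message events (not captured traffic).
const SAMPLE_EVENTS = [
  { origin: 'http://www.contoso.com', data: 'Hello world' },
  { origin: 'https://www.contoso.com', data: 'scheme differs' },
  { origin: 'http://www.contoso.com.example.net', data: 'look-alike host' },
  { origin: 'http://www.contoso.com:8080', data: 'port differs' },
  { origin: 'http://www.contoso.com', data: '' }
];

// Compare both checks over the samples.
function triage(events) {
  return events.map(function (e) {
    return {
      origin: e.origin,
      weak: weakOriginCheck(e.origin),
      accepted: handleMessage(e) !== null
    };
  });
}

triage(SAMPLE_EVENTS).forEach(function (r) {
  console.log(r.origin, 'weak=' + r.weak, 'accepted=' + r.accepted);
});
```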
84. View
Web Slice
<div class="hslice" id="1">
    <p class="entry-title">Las Vegas 79°</p>
    <div class="entry-content">
        <!-- HTML body content to render. -->
        ...
    </div>
</div>
Discover
WebSlice
Enable Content
85. Developer
<div class="hslice" id="1">
<p class="entry-title">Title for WebSlice</p>
<div class="entry-content">Information to be displayed in Web Slice
</div>
</div>
<div class="hslice" id="2">
<p class="entry-title">Title for WebSlice2</p>
<div class="entry-content">Information to be displayed in Web Slice2
</div>
</div>
88.
• Customer Connection: Reach beyond the page with Accelerators, Web Slices and Visual Search
• Customer Trust: Highlight safe browsing features like Safety Filter, EV certificates and Domain Name Identification
• Security: Turn on safer browsing features for your users and in your web apps
• Compatibility & Standards: Use the “META” tag and plan for standards
• Supportability: Broad group policy support, crash recovery and professional support
• Manageability: Regular, scheduled patches, managed distribution, easier image management
89. What security principles are used during development?
What evolving threats does it help protect against?
What is the approach to application compatibility?
Do I have control over the security and user features I
expose to my users?
What options do I have for deployment beyond end-user
install?
Who do I call when there is a technical problem I can’t
solve?
90. Download and evaluate Internet Explorer 8 Beta 2
http://www.microsoft.com/ie8
Use http://msdn.microsoft.com/iecompat to
become Internet Explorer 7 compatible
Add the META tag to ensure compatibility
with Internet Explorer 8
Plan deployments using the Internet
Explorer Deployment Guide
E-mail iedeploy@microsoft.com
with questions
91. Internet Explorer 8 puts the web at your service through seamlessly integrated services, flexible configuration
options and low customer support costs that OEMs have come to expect with the world’s most popular web
browser.
Business Opportunities: Seamlessly expose online services to your customers and increase business value in the browser
• Rich search experience using Visual Search Suggestions in IE8
• Quick access to the information customers care about – Web Slices e.g. OEM offers, blogs, sport scores, stock ticker, social networking status etc.
• Email, Shop, Map, Blog, Share, Translate, Lookup with Accelerators
Flexible Configuration: Create flexible and reliable browser configurations on their disk images, with direct support from Microsoft
• IEAK and OPK enable customization and image creation
• Direct support from MSFT OEM field team
Low Support Costs: Reduce support costs when your customers use the most reliable and secure browser [from Microsoft]
• Reset IE8 to factory settings / no add-ons mode
• [Better] Protect your customers’ information - Anti-malware/phishing
• Know where you are on the web - Domain highlighting
92. [More] Freedom from
intrusion International Domain Names
Pop-up Blocker in IE7
Social Engineering & Exploits
Increased usability
Reduce unwanted communications
[Improved] Protection Secure Development Lifecycle
from harm Extended Validation (EV) SSL certs
Browser & Web Server Exploits SmartScreen® Filter
[Improved] Protection from deceptive websites, Domain Highlighting
malicious code, online fraud, identity theft XSS Filter/ DEP/NX
ActiveX Controls
Control of information User-friendly, discoverable notices
P3P-enabled cookie controls
Choice and control Delete Browsing History
Clear notice of information use InPrivate™ Browsing & Blocking
Provide only what is needed
93. [More] Freedom from
intrusion International Domain Names
Pop-up Blocker in IE7
Social Engineering & Exploits
Increased usability
Reduce unwanted communications
[Improved] Protection Secure Development Lifecycle
from harm Extended Validation (EV) SSL certs
Browser & Web Server Exploits SmartScreen® Filter
Protection from deceptive websites, Domain Highlighting
malicious code, online fraud, identity theft XSS Filter/ DEP/NX
ActiveX Controls
Control of information User-friendly, discoverable notices
P3P-enabled cookie controls
Choice and control Delete Browsing History
Clear notice of information use InPrivate™ Browsing & Blocking
Provide only what is needed
95. November 11, 2008, Hotel Barceló San José Palacio, Costa Rica
96. Time | IT Pros | Developers
8:00 AM | Registration
9:00 AM | Welcome
9:30 AM | Windows 2008, SQL Server 2008 and MOSS 2007, Héctor Insua | Web Parts Development, Gilberto Bermúdez
11:00 AM | Refreshments
11:15 AM | Configuring collaboration for Extranets with MOSS 2007, Carlos Rojas | Silverlight and SharePoint, Luis Diego González
12:15 PM | Lunch
1:00 PM | Disaster Recovery, Luis Du Solier, Ricardo Muñoz | Business Processes with Workflows, Héctor Insua
2:00 PM | Refreshments
2:15 PM | How to carry out a successful SharePoint implementation, Héctor Insua | SharePoint Designer for beginners, Manfred Guendel
3:45 PM | Panel: Business value of enterprise collaboration and productivity | Panel: Information Architecture for MOSS 2007
5:00 PM | End of event