Security and Compatibility in Windows Internet Explorer 7
Note As of December 2011, this article has been archived and is no longer actively maintained. For more information, see Archived Content. For information, recommendations, and guidance regarding the current version of Windows Internet Explorer, see Internet Explorer Developer Center.
Windows Internet Explorer 7 features several changes to improve security and support for standards. As far as possible, these changes maintain compatibility with the behavior of previous versions of Internet Explorer, so that existing Web pages and solutions continue to work without modification. However, some improvements inevitably change the capabilities and behavior of Internet Explorer. As a result, existing web site designs and applications might have to be updated to support Internet Explorer 7.
For Internet Explorer 7, object caching is enabled, by default, for all applications that host the WebBrowser Control. By default, access to all cached objects is blocked; whether browsing across domains or browsing within the same domain. A reference to an object is no longer accessible after the context has changed due to navigation.
Object caching is managed through a feature control registry key (FEATURE_OBJECT_CACHING). If an application that hosts the WebBrowser Control wants to "opt out" of this security feature, it must specifically add its process name to the registry and set the value to 0x00000000. This can be done programmatically by using the CoInternetSetFeatureEnabled function. The following shows the registry key and a disabled process.
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER) SOFTWARE Microsoft Internet Explorer Main FeatureControl FEATURE_OBJECT_CACHING your process name.exe = 0x00000000
Three new keys prevent internet and intranet HTML from getting personal information from a user. These feature control keys are all "opt-in" keys; if a process wants to participate in this security feature, it must specifically opt in by placing its process name in the registry, under the appropriate feature control key name. Internet Explorer 7 and Desktop Window Manager (DWM) are opted in by default; every other process is opted out by default.
These feature control keys block loading images, loading objects and script access from the user's local file system, so that no personal information can be gathered from them, unless one of the following conditions are met:
- The source file containing the item to load was itself loaded from the local file system.
- The source file originates from the Trusted Sites Zone; that is, the user has specifically validated this site as trustworthy.
The following feature control keys are defined:
- FEATURE_BLOCK_LMZ_IMG can block images that try to load from the user's local file system. To opt in, add your process name and set the value to 0x00000001, as shown below.
- FEATURE_BLOCK_LMZ_OBJECT can block objects that try to load from the user's local file system. To opt in, add your process name and set the value to 0x00000001, as shown below.
- FEATURE_BLOCK_LMZ_SCRIPT can block script access from the user's local file system. To opt in, add your process name and set the value to 0x00000001, as shown below.
The following example demonstrates how these feature controls keys work.
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER) SOFTWARE Microsoft Internet Explorer Main FeatureControl FEATURE_BLOCK_LMZ_IMG iexplore.exe = 0x00000001 explorer.exe = 0x00000001 your process name.exe = 0x00000001
This section describes possible compatibility challenges in Internet Explorer 7 and specifies functionality available to help developers deal with incompatibilities. See the Information Index for Internet Explorer 7, located in the IE Developer Center, for details on these topics.
Application Compatibility Logging—Application Compatibility logging enables Internet Explorer 7 IT Professionals and Developers to discover incompatibilities between Internet Explorer 7 and earlier versions of Internet Explorer running on Windows XP Service Pack 2 (SP2). It works with Windows Client Application Compatibility, implemented in Microsoft Internet Explorer 6.
User-Agent String—The version token in the user-agent string for Internet Explorer 7 is set to
MSIE 7.0for all beta releases. Web developers should verify that their Web sites can access the new User-Agent String value. If you encounter problems accessing a Web site after you install Internet Explorer 7, check the site's use of user-agent strings early in the troubleshooting process.
Notification of Clipboard Access from Scripts—Internet Explorer 7 notifies users, by default, when scripts in the Internet, Trusted, or Restricted Sites Zones attempt to read or write to the clipboard.
Scriptlets—Internet Explorer 7 disables Dynamic HTML (DHTML) scriptlets, by default. (Scriptlets were deprecated in Microsoft Internet Explorer 5). System administrators can re-enable scriptlets by changing URL Actions with the Internet Control Panel (INetCPl). The INetCPl text should read "Allow Scriptlets." If your programs currently rely on scriptlets, you should modify the prograpms to use DHTML behaviors, which are more efficient. Disabling scriptlets is part of the continuing work to ensure that unsupported technology is de-emphasized in Internet Explorer.
Status Bar Update—Internet Explorer 7 limits the ability of Web pages to use scripts to write information to the status bar. This ability is restricted by default for the Internet Zone, and is subject to user-configurable settings for Trusted and Restricted Sites Zones. This is part of the work to ensure that users are not misled by Web pages. Calls to window status will fail silently in cases where updates are not allowed.
Search Bar Update—Internet Explorer 7 disables the Search Pane (
_search), by default, for security reasons. Instead, the search entry point is the Instant Search box in the upper-right corner of the browser frame. The Search Pane can be re-enabled by system administrators by changing URL Actions with the Internet Control Panel (INetCPl). You must restart Internet Explorer 7 for the setting to take effect.
The Internet Explorer 7 Release Notes, located in the IE Developer Center, provide information about functionality that was removed for this release.
If you design Web sites, develop Internet Explorer extensions, or create applications that host the WebBrowser Control, see the following articles.
- Understanding and Working in Protected Mode Internet Explorer
- ActiveX Security: Improvements and Best Practices
- Cascading Style Sheet Compatibility in Internet Explorer 7
- HTTPS Security Improvements in Internet Explorer 7
- Internationalized Domain Name Support in Internet Explorer 7
- Finding Security Compatibility Issues in Internet Explorer 7