Overview of Platform Improvements in IE8 RC1

This is one of my favorite times in the product cycle. IE8 is platform complete and as we get closer to releasing the final product, more and more web developers and designers will take advantage of the browser’s features to enable scenarios we haven’t even imagined!

Since the release of IE8 Beta 2 we’ve listened to feedback from many channels including IE8 Beta Feedback, standards working groups and this blog. We’ve made thousands of platform improvements in response to both feedback, and from running the test cases that Jason Upton blogged about on Tuesday. The platform is ready to be built on. I want to give you an overview of web platform improvements since Beta 2, some of which we’ve already talked about and some of which will be covered in more detail in the coming weeks.

Compatibility

It takes time for web developers, designers, and IT professionals to migrate a site to an updated browser. Yet our mutual customers expect the web to look and feel the same after they install the latest IE version. We’ve built Compat View and IE7 Standards Mode to ease migration and allow web developers and designers to opt-in to IE7’s behavior while they upgrade their site. Since Beta 2 we’ve improved IE7 Standards Mode fit-and-finish such that RC1 is very close to the real IE7 web platform.

Interoperability and Standards

• CSS 2.1. Layout interoperability with other browsers through the CSS2.1 standard has always been a top goal for IE8. Beta 2 supported all properties in the CSS 2.1 specification and passed over 3,200 test cases. We’ve made significant improvements since Beta 2 and this week’s RC1 passes well over twice as many test cases as Beta 2. For example, one of our favorite new features is IE8’s new support for High-Res layout, which we’ll blog about in more detail later. We expect very few changes between this RC and the full CSS2.1 support in the final product, which web developers and designers can use to write their pages once and have them rendered the same across browsers.
• HTML, Document Object Model (DOM) and JavaScript. Throughout Beta 1 and Beta 2 we’ve talked about how IE8 is much more interoperable with other browsers in core areas including attribute handling and element lookups like those through getElementById(). To help ensure future interoperability with other browsers and standards compliance, the Release Candidate includes the following updates, which we recently blogged about:
  • Mutable DOM Prototype includes the new ECMAScript 3.1 conformant getter/setter syntax.
  • ARIA supports the dash syntax “aria-checked” across all IE8 document modes. This means web developers can write code once that works across IE8 modes and with other browsers.
  • Cross-Domain Requests (XDR) now checks Access-Control-Allow-Origin header for a match to the origin URL as well as wildcards. As a result, data is only shared with sites whose origin the server specifies.
• Performance. Similar to interoperability, better performance helps improve developer productivity. To this end, we investigated core performance scenarios and focused on optimizing common AJAX design patterns. Web developers and end users alike will experience performance improvements since Beta2.

Development environment

• Developer tools. Beta 2 introduced more power with the JavaScript profiler, save to file, and console.log support. RC1 has dramatically improved stability and a much more accurate view of the HTML tree and CSS tracing. It also offers more flexibility by adding a menu option for viewing source with Notepad, the built-in viewer, or any other choice of viewer.
• Documentation. We think good documentation and communication is an important part of the development environment. To this end, we have updated our Internet Explorer Readiness Toolkit and MSDN IE Development Center for web developers and designers to use as references. Stay tuned to the blog for much more detail on improvements we’ve made since Beta 2 and tips for upgrading to IE8 Standards Mode.

We take your feedback on critical issues very seriously and we know that behavior changes to the platform have the potential for broad impact. We intend to make few platform changes between now and the final product. We’ll be very deliberate about what changes we make and diligent about documenting and communicating them.

Please download the RC1 and test with confidence if you haven’t already. We’re very excited about the improvements we’ve made to IE8’s web platform and developer tools and even more excited to see how web developers and designers build on them to enable new, incredible scenarios! If you’ve already enabled a new scenario using IE8 features, leave a comment and let us know about it.

Marc Silbey
Program Manager

Update 10:15 pm: fixing getElementById() reference.  Thanks Gérard!

User Experience Changes since Beta 2

Since the release of Internet Explorer 8 beta 2, we’ve listened, watched and learned a lot about how people use the new features and our focus has been to refine them for RC1 (the Release Candidate).

This post will give you an overview of the end user changes we’ve made which we’ll discuss in detail over the coming weeks.

In IE8 we made a big push to make sure you can easily get to the sites and use the services you care about. If you’re anything like us, you visit a lot of websites and use a lot of different services or, maybe you’re not like us, and you might have a set of favorites that you stick to. Either way, IE8’s features work together to streamline the experience – it takes fewer clicks and less time.  We’ve also worked to get rid of tedious management tasks. Put a favorite on the favorites bar if you want to go there often. Use the Smart Address bar to get to any place you’ve been – favorite or not. Can you still organize the web into folders? Sure, you just don’t have to.

Let’s talk about a few of the changes we’ve made since beta 2.

Search box

Some of the first feedback we received concerned the search box’s quick pick. People really liked the visual search suggestions and it created a new usage pattern. Now people have more search providers and they switch between them. For example, I might search for a camera on Live.com and then want to check prices on Amazon. In the past, as soon as I clicked on Amazon, it took me to the site. In RC1, it now shows visual search results for Amazon.

Because of this change, you can refine the search on Amazon, switch over to Ebay or your favorite search engine.

Figure 1: Amazon.com and Ebay.com visual search

Here’s a link to get more search providers to try this out.

Smart Address bar

We received consistent feedback that people wanted to see more typed URLs. We also saw that the top four items selected from within the Smart Address Bar are: Open a previously typed URL, Open a history item, Delete a typed URL, and Open a Favorite. Conversely, Open feed and Open autocomplete suggestion were rarely selected.

Based on that information, we tuned the experience of the Smart Address Bar. We made feed results optional and hid them by default. We also streamlined the autocomplete suggestion so now it simply shows the Shift+Enter shortcut and not an entire section. This freed up space to show more results in the list – particularly when you click in the Address bar and press the down arrow.

The resulting feature delivers more typed URLs with less visual clutter.

Figure 2: Smart Address Bar -- more typed URLs

Favorites bar

The Favorites Bar is the way to keep Web Slices, favorites, and feeds one click away. People wanted to be able to add more to the point that they’d take extra steps to manage them. The most common technique was to rename each favorite in the favorites bar so that it had a shorter name. While this allows you to have more favorites showing, it’s tedious. For those of you that would like to fit more on the favorites bar there’s now a way to customize the bar to show shorter names or even just the favorite’s icon. To try this, right click on the Favorites bar and choose Customize title widths.

Figure 3: Favorites Bar with Long Titles

Figure 4: Favorites Bar with Short Titles

InPrivate

In Beta 2 we introduced InPrivate Browsing and InPrivate Blocking, which help put you in control of data on your shared computer, and as you browse the Web. We heard that some of you wanted the ability to use these features separately, so we’ve done that. We’ve also made numerous other tweaks to the UI based on your feedback – more on that in a later post.

More

Some other popular features were Tab Groups, New Tab Page, Find on Page, Accelerators, SmartScreen Filter and Web Slices. As we blog more about the details of the IE Release Candidate, we’ll discuss these plus changes to support developers, security, performance and reliability.

We hope you enjoy browsing with the release candidate, and just like with Beta 2, we’d like your feedback and are looking for ways to make IE better.

Thanks,

IE8 Security Part VII: ClickJacking Defenses

As we planned Internet Explorer 8, our security teams analyzed the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. Over the course of IE8’s development, we’ve also worked closely with those in the security research community to stay on top of new classes of threats. One of the most subtle and interesting web application security vulnerabilities is called Cross Site Request Forgery (CSRF); security researcher Jeremiah Grossman calls CSRF “the sleeping giant” of web vulnerabilities. As Jeremiah notes, preventing CSRF attacks is hard because there’s generally no easy fix. The architectural underpinnings of the browser security model are designed to allow for interaction with multiple websites simultaneously, and seamless navigation between unrelated websites, but these are the very capabilities that CSRF attacks seek to exploit. With the migration of private data and other high value targets from end-users’ PCs to popular web applications, interest in CSRF and other web application vulnerabilities will only continue to grow.

As we designed Internet Explorer 8, we had to be very careful not to increase the browser’s attack surface for CSRF attacks. IE8’s new XDomainRequest object, for instance, allows cross-domain communication upon explicit permission of the server, but contains specific restrictions to ensure that new types of CSRF attacks are not made possible. End-users can mitigate the impact of CSRF attacks by logging out of sensitive websites when not in use, and by browsing in independent InPrivate Browsing sessions. (InPrivate sessions start with an empty cookie jar, so cached cookies cannot be replayed in CSRF attacks.)

Ultimately, however, web applications must be built to prevent CSRF vulnerabilities. Well-designed Web applications often protect themselves with challenge tokens or similar strategies that enable detection of malicious requests that were not intentionally sent by the victim user. Unfortunately, challenge tokens and similar strategies are subject to vulnerabilities. The first vulnerability is cross-site scripting (XSS). If a token-protected web application contains a cross-site scripting vulnerability, it’s likely that the security token can be stolen and the CSRF attack can occur. Fortunately, Internet Explorer 8 includes an XSS Filter and several other features that help prevent XSS attacks that could otherwise be used to steal CSRF-blocking challenge tokens.

Last fall, researchers Robert Hansen and Jeremiah Grossman gave a talk on a second vector that enables CSRF, known as ClickJacking. ClickJacking is a term which encompasses multiple techniques that can be used to trick the user into unwittingly clicking an obscured or hidden web element, usually resulting in an unwanted transaction. A successful ClickJacking attack could circumvent CSRF protections that attempt to confirm transactions with the user. For instance, consider a simple web shop which uses cookies for authentication and offers one-click purchases.

A malicious site elsewhere on the web could construct a page that forces a victim page from the legitimate shop into an IFRAME, and overlay critical portions of that frame with misleading text and images.

The user might be tricked into clicking into the shop’s page unknowingly, and if they were already logged into the shop, an unwanted transaction might occur:

Obviously, this is a pretty simple ClickJacking attack, but more sophisticated versions do exist.

While various mitigations for ClickJacking have been proposed, each entails a set of tradeoffs which can impact compatibility, user-experience, or require significant changes to existing standards. Currently, the simplest and most broadly-used mechanism to defeat ClickJacking attacks is called frame-busting, and it works by simply preventing vulnerable pages from being framed. Unfortunately, typical frame-busting mechanisms rely on script and as a result can be defeated in various ways.

As disclosed to other browser vendors in early December, the Internet Explorer 8 Release Candidate introduces a new opt-in mechanism that enables web applications to mitigate the risk of ClickJacking on vulnerable pages by declaring that those pages may not be framed.

Web developers can send a HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed. If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame. If the value contains the token SAMEORIGIN, IE will block rendering only if the origin of the top level-browsing-context is different than the origin of the content containing the X-FRAME-OPTIONS directive. For instance, if http://shop.example.com/confirm.asp contains a DENY directive, that page will not render in a subframe, no matter where the parent frame is located. In contrast, if the X-FRAME-OPTIONS directive contains the SAMEORIGIN token, the page may be framed by any page from the exact http://shop.example.com origin.

When rendering is blocked by the X-FRAME-OPTIONS policy, a local error page is presented that explains the restriction and provides a link which opens the frame in a new window. When displayed in a new window rather than a sub-frame, content is no longer subject to ClickJacking.

By using the X-FRAME-OPTIONS directive to protect sensitive anti-CSRF pages, web developers can immediately help mitigate web application attacks for IE8 users. It is my hope that the X-FRAME-OPTIONS directive will be implemented by other browsers as an easily-deployed, highly-compatible mitigation against the threat of ClickJacking. In the longer term, I expect that security researchers and web standards bodies will continue to innovate in the design of browser-enforced web application security policies. We look forward to working with them to frame this and future ClickJacking defenses within the context of a larger security policy feature in future browser versions.

Thanks!

Eric Lawrence
Program Manager

Microsoft submits thousands more CSS 2.1 tests to the W3C

The Internet Explorer 8 Release Candidate is the last major IE8 testing milestone. It indicates that we believe that IE8 is implementation complete for CSS 2.1. We also believe IE8 RC1 has the most complete implementation of the CSS 2.1 specification in the industry.

The only way to know if a browser has correctly implemented a specification is to develop a comprehensive set of tests for the specification. These can be used to determine both the support for a specific part of the spec and the behavior of a specific browser. Web developers can also use these test pages as examples of how to combine various layout properties and elements in their pages and know that their page will interoperate well across all the browsers that pass those tests.

Today, the IE Team is submitting 3784 new test cases to the CSS 2.1 Working Group for inclusion into the CSS 2.1 test suite. These cases were developed since IE8 Beta 2. This brings Microsoft’s contribution to the CSS 2.1 Test Suite to 7005 tests. IE8 RC1 passes all of these tests today. All but 52 of these cases also pass in at least one other major browser. We’re working closely with the CSS working group to swiftly include these in the official test suite. For now, these tests are available at the Windows Internet Explorer Testing Center. The last key element to web layout interoperability is actually passing the tests. IE8 RC1 is the first browser to pass all valid tests in the suite thus meeting the interoperability requirements in the 2.1 spec.

It’s important that the spec, the browser, and the tests all agree on a behavior. This is when web developers really win. While developing these test cases, we found instances where all other browsers implemented something a specific way. That syntax pattern was in pages all over the web, creating a broad dependency on that behavior. In those cases, we proposed a change to the spec and developed an associated test case to ensure the web continues to work and browsers can implement the spec as written. We sincerely hope this helps the committee finish the 2.1 spec and move it into the Recommendation phase.

There is also a variety of unofficial, unsanctioned “tests” posted around the web as well. These range from quirky web pages that someone developed to show off a bug in a browser to complex degenerative web scenarios that combine CSS 2.1 properties and elements in unlikely ways. Some of these are pragmatic tests that actually demonstrate a real-world situation where there are inconsistencies across major browsers. IE8 RC1 passes all of the pragmatic “tests” we could find, although new combinations can always be developed. I strongly encourage those test authors to submit their cases to the W3C’s CSS 2.1 test suite so those tests may be used by any browser under the W3C’s license. Only then will those tests broadly benefit web developers.

If you have specific feedback on any particular test case, I strongly encourage you to provide it on the W3C’s CSS 2.1 Working Group’s mailing list. That will ensure the test case reviewers have your comments in context as they add these pages into the suite.

Jason Upton
Test Manager – Internet Explorer

Internet Explorer 8 Release Candidate Now Available

We're excited to make the IE8 Release Candidate available today for public download today in 25 languages for Windows Vista, Windows XP, and Windows Server customers. You can find it at http://www.microsoft.com/ie8. Please download it now and try it out. We welcome your feedback!

What’s New

The team will post more about all changes between Beta 2 and RC. In brief:

• Platform Complete. The technical community should expect the final IE8 release to behave as the Release Candidate does. The IE8 product is effectively complete and done. We’ll post separately about the thousands of additional test cases we’re contributing to the W3C. We've listened very carefully to feedback from the betas. With the Release Candidate, we’re listening carefully for critical issues.
• Reliability, Performance, and Compatibility improvements. We’ve studied the telemetry feedback about the browser's underlying quality and addressed many issues.
• Security. We’ve worked closely with people in the security community to enable consumer-ready clickjacking protection. Sites can now protect themselves and their users from clickjacking attacks “out of the box,” without impacting compatibility or requiring browser add-ons.  We also made some changes to InPrivate based on feedback from customers and partners.

We also made some changes to the user experience based on feedback. For example, based on data about how people use actually it, we made fitting more items on the Favorites bar easier. (Note that the IE8 Release Candidate is for Windows Vista, XP, and Server only; Windows 7 users will get an updated IE8 with the next update of Windows 7. Also, the Release Candidate of the Internet Explorer Administration Kit is available for download now.)

What’s Important

IE8 focused on how people really use the web. Consumers want a browser that makes the tasks they do every day faster and easier. The activities people spend their time on define real-world performance: navigating to websites, working with tabs, searching, keeping track of changing information (like traffic or an auction), and using the information from one site with another (as in getting a map). Everyone wants a trustworthy browser that keeps them in control and protects their safety. Developers want great developer tools, great interoperability, and a powerful platform that enables them innovate. For some people, accessibility is crucial; for some organizations, policy, administration, and deployment are essential.

The people who read this blog and comment on it are (for the most part) technology enthusiasts and professionals. We enjoy wading through the details of browser features or how to measure performance. We also need to remember that we’re a pretty small minority of the hundreds of millions of people who browse the web. Looking at the telemetry data and usability tests and feedback from real users, we’re excited about the positive impact that this release of IE will have.

What’s Next

The call to action now is for the community to download the Release Candidate, test your sites and services and software with the product, make any changes necessary for the best possible customer experience with IE8, and let us know about your experience.

We’re going to continue listening to feedback. We’re interested in reports of critical issues (e.g. security, backwards compatibility, completeness with respect to planned standards work, or robustness). We’re also going to keep blogging and reading and responding to the comments here.

Our next step, after listening to feedback from the final testing feedback from the community, is releasing the final product. We will be very selective about what changes we make between the Release Candidate and the final product, and very clear in communicating them. We will act on the most critical issues.

Books often have dedications from the authors at the beginning. While software typically doesn’t have an equivalent, the software developer’s blog is a good stand-in. To everyone who has installed the product and provided feedback so far – web developers, security experts, industry partners, IT professionals, and people who “just” browse the web – thank you from the Internet Explorer development team.

Thanks –
Dean Hachamovitch
General Manager

PS – Jason Upton and I sat down last week with Channel 9 to discuss the RC.  You can view the interview here.

Updated 4:04pm – adding link to interview.

Upgrading to Internet Explorer 8 Release Candidate 1

Hello all,

Just like for previous beta releases, I am going to guide you through the upgrade steps for Internet Explorer 8 Release Candidate 1 (IE8 RC1).

Before we begin, let me summarize the major changes you will see when installing IE8 RC1:

1. If you are a Windows Vista or Windows Server 2008 user and you are upgrading from IE8 Beta 1 or Beta 2 to IE8 RC1, you are no longer required to manually uninstall earlier IE8 builds. Instead, IE8 RC1 installer will automatically upgrade your machine from the earlier IE8 builds to the latest IE8 build, all with a single reboot.
2. There is a new pre-requisite for IE8 RC1 (KB957388). This update supersedes KB943302 and KB957055 and will be automatically installed as part of your RC1 upgrade, as long as you keep “Install the latest updates” checkbox checked. This update addresses known application compatibility issues in Windows Vista and Windows Server 2008 and improves the performance and reliability of IE8.
3. All IE8 Beta 1 and Beta 2 users will be offered IE8 RC1 via Windows Update in 25 languages. For Windows XP and Windows Server 2003, the IE language that gets offered via Windows Update will match the base OS language. For Windows Vista and Windows Server 2008, the IE language that gets offered via Windows Update will match the Active Language that the user selected for their account.

Note: If you are running Windows 7 Beta, you will not be able to install IE8 RC1. You will get an error message saying that your operating system is not supported since IE8 already ships in Win7. The IE8 RC1 available from Microsoft Download Center is a standalone upgrade for downlevel version of the OS only: Windows Vista, Windows XP, Windows Server 2008 and Window Server 2003.

Here are some additional resources you can refer to during the RC1 installation:

• System requirements for RC1 are the same as Beta1 and Beta2.
• Release notes for RC1 outline a few scenarios you should watch out for when installing IE8 RC1.
• Troubleshooting guide is a great resource if you run into any problems during your installation.
• Dynamic updates article summarizes which updates get installed with IE8 to keep your experience reliable and secure.
• Technet Edge interview I did which covers many install topics. 

Windows XP or Windows Server 2003

Getting Ready

Before you start IE8 RC1 installation, there are a couple of things to keep in mind:

• Uninstalling IE8 Beta Versions

If you have Internet Explorer 8 Beta 2 or prior installed, the IE8 RC1 installer will automatically uninstall any earlier versions and then install the latest version of IE8 RC1 for you. You will be prompted to reboot twice. The first reboot is to remove pre-RC1 version from your machine and the second one to complete the IE8 RC1 installation. When you launch Internet Explorer, you can open the Help->About Internet Explorer dialog to see the version number 8.0.6001.18372.

• Getting required updates for IE8 RC1

There is 1 update required when running IE8 RC1 on multi-core XPSP2 x86 computers:

KB932823 or KB946501 - This update resolves a problem in which an access violation occurs when an application exists on a Windows XP SP2-based multi-core computer. It will be installed automatically if you select “Install the latest updates” option in Setup Wizard. If this update fails to install successfully, IE8 installation will be blocked until you manually install this update from Microsoft Download Center.

Windows XP Service Pack 3(SP3) users only

The only time we encourage you to manually uninstall Internet Explorer 8 Beta versions prior to upgrading to IE8 RC1 is if you happened to install Windows XP SP3 after installing IE8 Beta.

To see if you need to manually uninstall IE8 Beta first, check these things:

• Is your computer running Windows XP SP3?

Click on the Start Menu and then right click on My Computer and then click Properties

On the General Tab under System it’ll say Microsoft Windows XP Service Pack 3

• Is the  Remove option for IE8 Beta grayed out?

From the Start menu, open Control Panel and click Add or Remove Programs

Select Windows Internet Explorer 8 Beta and you are unable to click on the Remove button.

If you answered yes to both questions, you will be able to install Internet Explorer 8 RC1, but once installed, you will not be able to uninstall either IE8 or Windows XP SP3 later. The Setup Wizard will warn you prior to installation:

If you chose to continue, Windows XP SP3 and IE8 RC1 will become permanent. You will still be able to upgrade to later IE8 builds as they become available, but you won’t be able to uninstall them.

To avoid getting into this situation, we strongly encourage you to follow these steps before installing Internet Explorer RC1:

1. Uninstall Windows XP SP3
2. Uninstall IE8 Beta
3. Re- install Windows XP SP3
4. Install IE8 RC1

See my earlier blog post on Internet Explorer and Windows XP SP3 for more information.

Windows Update

Internet Explorer RC1 will be offered to all Windows XP and Windows Server 2003 systems that have IE8 Beta version installed and have Automatic Updates turned on in 25 languages. A prompt will appear in the notification area of the Windows taskbar when IE8 RC1 is ready for installation. The language version of IE8 RC1 offered is based on your Windows Operating System Language version. For example, if your computer is running a Chinese Simplified or German version of Windows, you will be offered IE8 RC1 in Chinese Simplified or German respectively. For any other Windows languages outside of the 25 that IE8 RC1 is available in, Internet Explorer 8 will be offered to you in English. Again, this only applies to those systems that have IE8 Beta versions installed.

Localized Versions

When installing localized versions of Internet Explorer 8 RC1 on XP or Windows Server 2003 please remember that the base language of the operating system must match the IE8 language you are trying to install; otherwise the Setup Wizard will display an error. You can install IE8 RC1 English on any localized OS Version.

More information about installing localized versions of IE8 RC1 can be found in the release notes.

Uninstalling IE8 RC1

1. From the Start menu, open Control Panel and click Add or Remove Programs
2. Click Windows Internet Explorer 8 Release Candidate 1 and then click Remove.
3. Your computer will be reverted to Internet Explorer 6 + previous IE6 security updates or Internet Explorer 7 + previous IE7 security updates depending on what you had before the upgrade.
4. You can confirm that by clicking Help, then About Internet Explorer next time you launch Internet Explorer.
5. Be sure to check for any new security updates.

Windows Vista or Windows Server 2008

Getting ready

Before you start installing Internet Explorer 8 RC1, there are a couple of things you need to do to prepare your computer:

• Uninstall Internet Explorer 8 Beta

Based on the feedback we received from you, our users, we changed the install of IE8 to automatically replace the older builds as part of the installation. You are no longer required to manually uninstall IE8 Beta builds if you want to upgrade to IE8 RC1. All you have to do is run the IE8 RC1 installer and it will automatically replace the previous IE8 build with the latest one. You just reboot at the end, and you are done.

• Getting required updates for IE8 RC1

KB937287 - This update helps improve reliability and performance when you install or remove Internet Explorer 8 and future individual updates from Microsoft. Without this update, IE8 setup will be blocked: “Setup cannot continue because one or more updates required to install Windows Internet Explorer 8 are not present.” To check if you already have this update on your system, go to Control Panel ->View Installed updates and search for KB937287.

KB957388 – This update addresses known application compatibility issues in Windows Vista. It will be installed automatically if you select “Install the latest updates” option in the Setup Wizard.

You are now ready to install IE8 RC1. After IE8 RC1 installation is complete, the final screen of the Install Wizard indicates that Internet Explorer installation completed successfully.

After you restart your computer and launch Internet Explorer, you can open the Help->About Internet Explorer dialog to see the version number 8.0.6001.18372.

Localized versions

In Windows Vista and Windows Server 2008, we significantly improved the installation experience for localized versions of Internet Explorer 8 RC1. Unlike Windows XP and Windows Server 2003, the base language of Windows does not need to match the Internet Explorer 8 language version in order for a successful install. When your user active language matches the Internet Explorer 8 language you installed, then IE8 will appear in the desired language. You will still be able to use IE8 in all other scenarios, but it will appear in English as a fall back version.

More information about installing localized versions of IE8 RC1 can be found in the release notes.

Uninstalling IE8 RC1

1. From the Start menu, open Control Panel and click Programs
2. Click Programs and Features and click View Installed Updates (located in the left side menu)
   Note: The complete list of installed updates takes a moment to update.
3. Select Windows Internet Explorer 8 Release Candidate 1 and Uninstall
4. Your machine will be reverted to IE7 + previous IE7 security updates
5. You can confirm that by clicking Help, then clicking About Internet Explorer next time you launch Internet Explorer.
6. Be sure to check for any new security updates.

What do I do when I run into issues installing IE8?

Check out the knowledge base article on Troubleshooting IE8 installation. If after trying the recommended workarounds you still can’t install IE8, go to the IE Beta Newsgroup to see if there are any known solutions available. Microsoft MVPs and IE Team members are monitoring this newsgroup and they will help address your issues.

Thank you,

Jane Maliouta
Program Manager

Common Issues in Assessing Browser Performance

I’m Christian Stockwell, a Program Manager on the IE team focused on browser performance.

Measuring the overall performance of websites and web browsers is important for users comparing the performance characteristics of competitive browsers, developers optimizing their websites for download times and responsiveness, browser vendors monitoring the performance implications of code changes, and everyone else who is generally interested in understanding website performance.

I thought it would be interesting to follow up on my previous posts on performance with a discussion around some of the issues impacting browser performance testing and the techniques that you can use to effectively measure browser performance.

Measuring Browser Performance

A common way to approach browser performance testing is to focus on specific benchmarking suites. Although they can be useful metrics, it can be misleading to rely solely on a small number of targeted benchmarks to understand browser performance as users perceive it—we believe that the most accurate way to measure browser performance must include measuring real-world browsing scenarios. Measuring real sites captures factors that are difficult to isolate in other benchmarks and provides a holistic view of performance. Testing browsers against real-world sites does, however, introduce some key challenges and this post discusses some of the mitigations we’ve adopted to effectively measure IE performance as part of our development process.

Before delving too deeply into this post I wanted to say that effective performance benchmarking is surprisingly difficult. The IE team has invested a great deal of effort building a testing and performance lab in which hundreds of desktop and laptop computers run thousands of individual tests daily against a large set of servers, and our team rarely ends a day at work without a few new ideas for how we can improve the reliability, accuracy, or clarity of our performance data.

Part of the challenge in measuring browser performance is the vast number of different activities for which browsers are used. Every day users browse sites that cover the gamut from content heavy sites like Flickr to minimalist sites like Google. They may encounter interactive AJAX sites like Windows Live Hotmail or purely static HTML sites like Craigslist. Still others may use their browsers at work to use mission-critical business applications.

The performance for each of these categories of sites is often gated by different browser subsystems. For example, an image-heavy site may depend on the speed with which the browser can download and decompress images. In contrast, the performance of a simple site may be predominantly a factor of how fast browsers can render HTML. In another twist, AJAX website performance can be a factor of how tightly the JavaScript engine, CSS engine, and DOM are integrated—rather than the individual speed of any of those individual subsystems. When third party controls like Flash and Silverlight enter the equation, performance is often related to how efficiently the control integrates itself into the browser.

I expect that some of the approaches I discuss here will lend more context to the performance work we’ve done for IE8 and give you some insight into our engineering process. Above all, I hope that this post gives you ideas for improving how some of you measure and think about browser and site performance.

Caching Behavior

All browsers are inherently dependent on the network and any tests need to reflect that reality to adequately measure performance.

One aspect of the makeup of the internet that can impact browser performance measurement is how content is stored at various levels throughout the servers that comprise the internet. That storage is called caching.

With regards to browser performance measurement, what it means is that when you visit www.microsoft.com, your browser may request that content from several servers in turn—from your corporate proxy, from a local server, or from a broader set of international servers.

To improve browsing speeds and to distribute the work of serving web pages those servers may choose to temporarily store parts of the page you are navigating to so other users can get them faster. For example, if you get to work first thing in the morning and visit www.msnbc.com to quickly check the news you may request that page first from your corporate proxy server, which would then relay that request to a local server before finally getting the webpage from a server across the country. Once that page has been retrieved, your work’s proxy server or the local server may decide to store some of that content. When your friend Tracy in accounting comes in to work ten minutes later and tries to navigate to www.msnbc.com, she may get the content directly from your work proxy server instead of a server across the country—drastically reducing the time needed to navigate to the site and making Tracy very happy.

In a similar vein, when measuring the performance of several browsers it’s important that we consider the impact of caching. For example, if I were to open ten tabs to ten different websites in one browser, and then open the same ten tabs in a second browser I could wrongfully conclude that the second browser was faster when in fact the difference was due primarily to the content being stored by a nearby server when the first browser requested the pages.

It’s hard to rigorously control how servers may cache content but one general principle of performance measurement is to never only measure anything once. Unless you are specifically trying to measure the impact of upstream caching you should navigate to the sites you want to measure at least once before you start collecting any performance data. In fact, since proxies can cache content per user agent (browser), you should visit each site you intend to test against with every browser you will test.

My summary of caching behaviour is simplified. If you’d like more detailed information many great resources exist that describe the process in greater detail, including the HTTP protocol specification itself. The HTTP protocol spec also makes great nighttime reading and is a conversation starter at any party.

Sample Size

Precisely because there are so many external factors involved in browser performance the number of performance measurements you take can drastically change your conclusions.

I’ve mentioned that a general principle in performance measurement is to never measure anything only once. I’m going to expand that principle to “always measure everything enough times”. Many different schemes exist to determine what “enough times” means—using confidence intervals, standard deviations and other fun applications of statistics.

For a lot of the performance data we collect we often find that adopting a pragmatic approach and avoiding those relatively complex schemes is sufficient. In our lab we find that 7-10 repetitions is usually enough to collect a reliable set of data and identify trends, but you may find that more repetitions are needed if your environment is less controlled.

Once you’ve collected your performance data you will likely want to summarize your results to draw conclusions. Whether you use the arithmetic mean, harmonic mean, geometric mean, or some other method, you should be consistent and fully understand the ramifications of how you are summarizing your data.

For example, let’s look at the following data points collected by testing two browsers navigating to a single webpage:

	Browser A	Browser B
Sample 1	1.0	2.0
Sample 2	1.0	2.0
Sample 3	1.0	2.0
Sample 4	1.0	2.0
Sample 5	10.0	4.0
Arithmetic Mean	2.8	2.4
Geometric Mean	1.6	2.3
Harmonic Mean	1.2	2.2

 

In this contrived example it’s clear that how you summarize your data can change your interpretation of the data—whereas the arithmetic mean suggests that Browser B is faster than Browser A, both the geometric and harmonic means would lead you to the opposite conclusion.

Bandwidth Competition

Sharing your network with other users means that—seemingly without rhyme or reason—your web browser may suddenly take much longer to perform the same action.

One benefit of working for a very large company like Microsoft is that the large number of employees makes certain phenomena reliable and measurable. For example, measuring page download times over the course of the day it’s clear that most of Microsoft starts working in earnest between 8am and 9am, and leaves between 5pm and 6pm.

The reason that I can tell that is that most Microsoft employees are accessing the network fairly constantly over the course of the day. Whether we’re browsing MSDN, reading documents on sharepoint, or rigorously testing the latest xbox games, we’re all competing for bandwidth. That sharing means that if I measure browser performance at 6am I will reliably get more consistent results than if I measure browser performance at 9am, when the entire company is getting to work and starting to email away.

Given the wide variety of networking configurations available in different companies it’s hard to predict the impact of bandwidth competition. To avoid having it distort your results I suggest that you try to collect performance data outside of core business hours if you’re collecting performance data at work.

If you’re collecting performance data at home you can similarly be sharing bandwidth with your family or other people nearby. In those cases you could time your measurements during times when fewer people are likely to be browsing—during business hours, late at night, or very early in the morning.

Resource Competition

Sharing resources across applications on your own machine can affect browser performance just as severely as competing for bandwidth.

This is particularly true when multiple applications rely on the same external applications or platforms. For example, some anti-virus products may integrate differently with various browsers—with unknown performance consequences.

Testing two browsers side-by-side can produce the most distorted set of results. For example, on the Windows platform there is a limit of ten outbound socket requests at any one time; additional requests are queued until connection requests succeed or fail. Testing two browsers side-by-side means that you are likely to run into that limit, which could result in one browser maintaining an unfair advantage by virtue of having started microseconds sooner.

I’ve offered up two simple examples and others certainly exist. Without going into far greater detail I think it’s clear that I advise against running multiple applications when trying to measure browser performance.

At a minimum you should take two steps to reduce the chance of interference from other applications:

1. Close any open applications, including those that may only appear in your notification area to the right of the taskbar. This is particularly important for other applications that are likely to use the network.
2. In a command window, run the following command to reduce system activity while you are testing: %windir%\\system32\rundll32.exe advapi32.dll,ProcessIdleTasks

Server Interactions

Beyond interference from shared resources on your machine or on your network, your performance results can also be impacted by the internal behaviour of the servers you are visiting.

One of the overarching principles when taking performance measurements is to try to maintain a common state between your tests. For cache management that meant you should give upstream servers a chance to reach a known state before collecting performance data, whereas for the network it meant trying to conduct your tests in a consistent environment that reduces the impact from external sources.

For an example of the application design characteristics which may impact benchmarking, let’s take the example of an online banking application. For security reasons some banking applications only provide access to account information when appropriate credentials are provided. Assuming the benchmarking test is trying to compare two (or more) browsers at this online banking Web site, it’s important to ensure the application is in a consistent state for each browser. By design, most online banking applications will prevent a user from being logged in to two sessions at the same time – when one is logged in, the other is logged out. Failure to reset the Web application state before starting the test on the second browser could cause the server based application to take extra time to analyze the second request, close the first session and start a new one.

That setup and teardown process can impact benchmarking and is not limited to online banking applications, so you should try to remove it as a factor. More generally, you should understand how your sites behave before using them during performance testing.

Observer Effect

In many fields there is the potential that the action of taking a measurement can change the thing that you are trying to measure—that phenomenon is called the Observer Effect.

You can use any of a number of frameworks to simplify the task of measuring specific browsing scenarios. These frameworks are typically aimed at developers or technical users. One example of such a framework is Jiffy.

As with any infrastructure that may directly impact the results you are trying to measure you should carefully assess and minimize the potential for introducing changes to the performance due to the framework you are using for measurement.

As an aside, the IE team uses the Event Tracing for Windows (ETW) logging infrastructure for our internal testing as it provides a highly-scalable logging infrastructure that allows us to minimize the potential for the Observer Effect to distort our results.

Machine Configurations

Just as with humans, no two machines are exactly alike.

As I mentioned above, within the IE performance lab we have a very large bank of machines that are running performance tests every hour of every day. To maximize our lab’s flexibility, early in IE8 we attempted to create a set of “identical” machines that could be used interchangeably to produce a consistent set of performance data. Those machines bore consecutive serials numbers and were from the same assembly line, and all their component parts were “identical”. Despite those efforts, however, the data we collected on that set of machines has been sufficiently varied that we avoid directly comparing performance results from two different machines.

It should come as no surprise, then, that I suggest that unless you want to study how browser performance varies across different platforms you should test all browsers on a single machine.

Cold Start vs. Warm Start

The amount of time it takes to start a browser can depend on many factors outside of the control of the browser.

As with caching, measuring the speed of browser startup is susceptible to outside factors—particularly the first time you start the browser. Before the browser can start navigating to websites it needs to load parts of itself into memory—a process that can take some time. The first time you start the browser, it is difficult to know exactly how much may already be loaded into memory. This is particularly true for IE since many of its components are shared with other programs.

To collect more consistent data, open and close each browser at least once before you start testing against them. If you have no other applications running that should give your operating system the opportunity to load the required components into memory and improve the consistency and accuracy of your results. It should also provide a fairer comparison between browsers, especially in light of features like Windows Superfetch that may otherwise favour your preferred browser.

Website Content

Websites change constantly. Unfortunately, that also includes the time when you are attempting to test performance.

Within the IE team’s performance lab all website content is cached for the duration of our testing. One impact of that caching is that we can ensure that exactly the same content is delivered to the browser for each repetition of a test. In the real world, however, that is often not the case.

News sites, for example, may update their content as a story breaks. Visiting Facebook or MySpace twice may result in radically different experiences as your friends add new pictures or update their status. On many websites advertisements change continually, ensuring that any two visits to your favorite site are going to be different.

Outside of a lab environment it is hard to control that type of change. Approaches certainly exist, and you can use tools like Fiddler to manipulate the content your browser receives. Unfortunately, those approaches stand a very good chance of affecting any performance results. As a result, the pragmatic solution is to follow the advice I’ve outlined in my point on sample sizes above—and if you notice that a very heavy advertisement is appearing every few times you visit a page, I think it’s fair to repeat that measurement to get a consistent set of results.

Website Design

Not only can websites change under you, but site authors may also have written drastically different versions of their website for different browsers.

One tricky spin on the problem of ensuring that websites serve up the same content for each of your tests are those sites that serve distinctly different code to different browsers. In most cases you should ignore these differences when measuring browser performance because those are valid representations of what users will experience when visiting different websites.

In some cases, however, websites can offer functionality that differs so widely between browsers that the cross-browser comparison is no longer valid. For example, I was recently investigating an issue where one of our customers was reporting that a website in IE8 was taking several times what is was in a competitive browser. After some investigation I discovered that the website was using a framework that provided much richer functionality in IE than in the other browser. Fortunately the website was not relying on any of that richer functionality so they were able to slightly modify how they were using the framework to make their site equally fast across browsers.

In that example the website was not using the extra functionality offered by their framework and they were able to update their site—but in many cases websites offer completely different user experiences depending on the browser. Assessing those websites is largely a case-by-case affair, but I typically consider those sites unsuitable for direct comparisons because their performance reflects the intentions of the site developers as much as the performance of browsers.

Identifying sites that differentiate between browsers is not simple, and in this case web developers generally have an upper hand on reviewers. Web developers should use profilers, debuggers, and other tools at their disposal to identify areas in which their websites may offer drastically different experiences across browsers.

Reviewers and less technical users should avoid measuring cross-browser performance on sites that clearly look and behave differently when you try to use them, since in those cases it is difficult to disentangle browser performance from website design.

“Done”

Can you define what “a webpage is done loading” means? How about for a complex interactive AJAX site?

One surprisingly intractable issue in performance measurement is defining what “done” really means in terms of navigating to a webpage. The problems involved are compounded as websites grow increasingly complex and asynchronous. Some web developers have used the HTML “onload” event as an indicator of when the browser has finished navigating to a webpage. The definition of that event is, unfortunately, interpreted differently across different browsers.

Within the IE team we use some of our internal logging events to measure page loads across sites. Since that logging is IE-specific it does not, unfortunately, provide an easy cross-browser solution to measure page loading performance across browsers. And, although cross-browser frameworks like Jiffy and Episodes exist that can help site developers define when their scenarios are “Done”, those indicators are not yet widely consumable by users at large.

Beyond specific code-level indicators some people use browser progress indicators to assess when a page is finished downloading—hourglasses, blue donuts, progress bars, text boxes, and other UI conventions. These conventions, however, are not governed by any standards body and browser makers can independently change where and when (and if!) they are displayed.

Faced with those realities, the pragmatic approach I encourage reviewers and users to adopt is to use browser progress indicators while validating those indicators against actual webpage behaviour. For example, when you are testing how quickly a particular web page loads, try to interact with it while it is loading for the first time. If the webpage appears to be loaded and is interactive before the progress indicators complete then you may want to consider ignoring the indicators and using the page appearance for your measurements. Otherwise, the progress indicators may be enough for an initial assessment of how quickly a page is downloading across various browsers. Without validating that the actual page load corresponds closely to the browser indicators it is difficult to understand when they can be trusted for performance measurement.

Browser Add-ons

Running an add-on when you are testing a browser means that you are no longer only testing browser performance.

As I discussed in my April post, add-ons can have a tremendous impact on the performance of a browser. In the data I receive through Microsoft’s data channels it is not uncommon for me to see browsers with dozens of add-ons installed and I suspect that my colleagues at the Mozilla corporation could say the same of their browser.

Any of those add-ons may be performing arbitrary activity within the browser. Illustrating that impact by way of an anecdote, I’ve noticed that some users with a preferred browser sometimes find any alternative browser faster simply because it comes with a clean slate. For example, a Firefox user with several add-ons installed could move to IE and observe enormous performance improvements while an IE user could migrate to Firefox and observe the same performance benefit. Those results are not contradictory, but rather reflect the significant impact of browser add-ons.

As a result, in our performance lab we test both clean browser installations as well as with the most common add-ons installed. To disable all add-ons in IE8, click on the “Tools” menu and select “Manage add-ons”. In the Manage Add-ons screen ensure that you’ve chosen to show “All Add-ons”, and disable each listed add-on. Alternatively, if you are comfortable with the command line you can run IE with add-ons disabled with the “iexplore.exe -extoff” command.

Since most browser makers go to great lengths to ensure that add-ons continue to work as expected when upgrading, taking the time to follow these steps is particularly important when evaluating new versions of browsers as any performance improvements may be hidden by a single misbehaving add-on.

I know this post has been quite long, but I hope that by covering a few of the techniques we use when measuring IE performance you will be able to adapt some of them to your particular needs. Understanding how we think about performance testing may also give you a better understanding of our process and our approach to browser performance. Last but not least, I hope that I’ve given you a little more insight into some of the work going on behind the scenes to deliver IE8.

Christian Stockwell
Program Manager

Yes, we did...

…notice this yesterday while running the Windows 7 Beta:

If you open the newly redesigned whitehouse.gov in Internet Explorer 8 on Windows 7 Beta, you’ll notice that the dropdown menus don’t hide correctly when you hover over other menu items.

This is because the version of IE8 in Windows 7 Beta is somewhat older than the Internet Explorer 8 Release Candidate (IE8 RC1) that we're about to release for Windows Vista and Windows XP. Internet Explorer 8 RC1 displays whitehouse.gov correctly - without this menu issue, as does most recent internal Win7 build.

Over the past months, our compatibility team has been hard at work, finding and fixing bugs that cause site rendering issues. Due to the different release schedules for Windows 7 Beta and IE8 RC1, some of these bug fixes didn't make it into Windows 7 Beta (aka Build 7000). So, if you want to use the latest version of IE8 – you’ll want to install IE8 RC1 for Windows Vista or Windows XP.

Just like we did for IE8 Beta 2, we would love to get your feedback on IE8 RC1 rendering. Soon after we release IE8 RC1, we will blog again about using the Report a Webpage Problem Add-On to report site rendering issues. The data that you have uploaded with this tool in the past has been very useful in our efforts to find and fix rendering issues - thank you very much for helping us out.

Frank Olivier
UX and Compatibility PM

Edit 1/22: Updating Report a webpage add-on hyperlink.

January Chat with the Internet Explorer team on Thursday

Join members of the Internet Explorer team for the first Expert Zone chat  of 2009 this Thursday, January 22^nd at 10.00 PST/18.00 UTC. These chats are a great opportunity to have your questions answered by members of the IE product team. Thank you to all who have attended our previous chats! 

Other upcoming Expert Zone chat dates can be found here.  If you can’t join us live, the transcript for all chats are available here.

Sharon Cohen
Program Manager

Accessibility: Improved ARIA Support in the IE8 RC

Hi, my name is Tony Ross and I’m one of the Program Managers for Internet Explorer. As JP mentioned in an earlier post, the IE Team has been working to make IE8 the most accessible web browser possible. We have also been working on improving interoperability and making things easier for web developers. Following these goals, I want to introduce you to a change we’ve made in the RC aimed at improving our support for ARIA, a syntax for making dynamic web content accessible. I’ll walk you through what IE did before, what IE does now, and what this change means overall.

What did IE do before?

We added support for ARIA in Beta 1, but some differences in syntax existed depending on the browser mode. In IE8 Standards Mode you could access ARIA attributes from script using the syntax defined in the standard:

value = elm.getAttribute("aria-checked");

In the compatibility modes, IE7 Mode and Quirks Mode, you needed to use a camelCased version of the attribute name:

value = elm.getAttribute("ariaChecked");

You may find the different syntax odd at first, but it results from how IE handles attributes and properties. Properties exist on script objects and are of the form elm.property.  As a convenience to developers, IE automatically maps attributes to properties. When the name of a native attribute contains a dash, IE adjusts it to produce acceptable property syntax:

value = elm.ariaChecked;

Without this adjustment, each dash in the name would be treated as a minus sign by the script interpreter:

value = elm.aria-checked;    // Attempting to access a dashed property

value = elm.aria – checked;  // What the dash means to the script interpreter

Older versions of IE and the compatibility modes in IE8 use the same name for both properties and attributes. Consequently, adjusting the name for properties affects the getAttribute syntax as well. This adjustment applies to all native attributes with dashed names, not just those that are part of ARIA. IE does not alter unrecognized attributes, and will leave names like “foo-bar” alone. IE8 Standards Mode avoids this conflict altogether by maintaining separate names for attributes and properties.

What does IE do now?

We did not initially support the standardized ARIA syntax in IE7 Mode or Quirks Mode due to the issue mentioned above. Backwards compatibility is paramount for these modes, so we are cautious about making changes to their behavior.

Later we received feedback expressing concerns about having different syntaxes for ARIA. This feedback came from web developers, Assistive Technology Vendors, and members of the standards community. Their concerns primarily focused on pages not ready to run in IE8 Standards Mode, where adding ARIA support would require choosing one of the syntaxes or doing extra work to support both.

Based on this feedback, we reexamined IE’s handling of ARIA. Older versions of IE do not have ARIA support. They treat ARIA attributes as unknown and do not camelCase their names. This means that script can manipulate ARIA in these versions using the standardized syntax, although the information is not exposed via APIs like Microsoft Active Accessibility (MSAA).

Taking this information into consideration along with the feedback we received, we decided changing IE8’s behavior was the best option. IE8 will now preserve the dash for ARIA attribute names in all modes. As part of this change, we are eliminating camelCased ARIA properties to avoid the naming conflict discussed above. You now only need to use the standardized syntax to add ARIA support in IE8, no matter which browser mode is being used:

value = elm.getAttribute("aria-checked");

What does this change mean?

For Web Developers

This change should make using ARIA in your pages even easier. We have removed the need to support multiple syntaxes for ARIA and have left you with just one.

• One syntax that works across all IE8 modes
• One syntax that is interoperable with other browsers
• One syntax that is consistent with the standard

For End Users

This change should make even more sites accessible in IE8 because all IE8 modes now support the ARIA standard.

For ARIA

This change should help increase the adoption of the standardized syntax for ARIA, since developers no longer have to worry about dealing with an alternate syntax.

Conclusion

We’ve taken the multiple syntaxes for ARIA supported by IE8 since Beta 1 and reduced them down to one that is consistent with the standard. We’ve made this change because we believe it will have a positive impact on developers, end users, and ARIA in general. As always, we are grateful for the feedback we receive from the community as it plays a key role in making these types of decisions.

Tony Ross
Program Manager

Completing Access Control support for XDomainRequest

Back in October, Sunava described changes that we made to the XDomainRequest (XDR) object in IE8 between the Beta 1 and Beta 2 releases. This object allows your AJAX web pages to request data from sites with a different hostname from the page itself, something that IE doesn’t allow for security reasons via XMLHttpRequest. Since Beta 1 we’ve been working with the W3C Web Application group on the Access Control framework and the changes we made in Beta 2 were to adopt the Simple Cross-Site Access Request.

I’m happy to announce that we have recently completed our support for the Access Control Check using the Access-Control-Allow-Origin header defined by the updated spec. This means that, in addition to the wildcard check (looking for *) that we supported in Beta 2, we also now support the origin URL check. This support will be part of the next public release of IE that Dean announced a few weeks ago.

I have recorded a short video that demonstrates how to use XDR and what this announcement means. It also shows how the Access Control framework is supported by other browsers allowing interoperable services to be called from your pages.

If you’d like to download a copy of this video, it’s available here.

Adrian Bateman
Program Manager

Update 3:55: Adding a link to a downloadable version.

Responding to Change: Updated Getter/Setter Syntax in IE8 RC 1

As a Program Manager, I love to write feature specifications (that’s a job description requirement)! In each spec, PMs carefully weigh the pros and cons of certain design tradeoffs, consider the customer requests, available feedback and telemetry data, etc. Based on all of that information, we make certain informed assumptions about what we would like to build and how. Despite our best planning efforts, we know that some of the assumptions made in early specs may change at any time through development. One of these common areas of change is in the web standards space—therefore we plan extra time in our schedule to re-evaluate current conditions and make changes to the product if necessary.

Responding to changes in web standards during the middle of the product cycle can be challenging for a variety of reasons. Speaking strictly from a development standpoint, feature changes always come at a cost—usually a trail of product bugs which take time to find and fix. Other changes are risky because the standard that they are based on could change. Each time we consider a change, we must carefully weigh the consequences.

In this post, I’d like to describe a significant recent event in the evolution of one web standard and how we chose to respond to it in Internet Explorer 8. I think this post offers a unique view into the complexity involved in responding to changes in web standards during development, as well as a great forum to announce the change in the upcoming release candidate.

ECMAScript 3.1

ECMAScript, the standard that defines JavaScript, was last updated almost 10 years ago. Earlier this year however, a revision that has come to be known as “ECMAScript 3.1” began to make rapid progress toward standardization. Back when we started work on Internet Explorer 8, we expected that any new ECMAScript developments would occur soon enough to give us ample time to integrate them into our planning; we were motivated to revisit that expectation with the recent rapid progress of ECMAScript 3.1. In particular, we wanted to be careful not to introduce features into Internet Explorer 8 in a way that would be incompatible with what we could see coming in the ECMAScript 3.1 draft.

ECMAScript 3.1 includes many extensions to the JavaScript language that make web development easier and more powerful. One of these features is JSON support and we quickly decided that the native JSON API in IE8 needed to be the same as the JSON API that is included in the ECMAScript 3.1 draft. Another feature from the draft that quickly came to my attention was support for getters and setters.

DOM prototypes

For many months we’ve been working on a feature that helps make the DOM more compatible with the JavaScript language by introducing the concept of JavaScript prototypes to the DOM. Using DOM prototypes, savvy web developers can easily extend HTML elements and other DOM objects with new functionality, develop more powerful libraries and abstraction layers, and even replace any built-in properties and methods with their own. This was one of our top-requested programming features by influential JavaScript experts. One very important part of the feature was getter/setter properties in the DOM.

Prior to 3.1, ECMAScript did not include the concept of getter/setter properties, but some JavaScript implementations did support them using an API that is mutually supported by several other major browsers and programming environments. When we started working on DOM prototype support, we chose to implement that de facto getter/setter API.

ECMAScript 3.1 made an early decision to include getter/setter properties but by using a more flexible API rather than the de facto API. This decision was made with the concurrence of all the major browser vendors including those who currently support the de facto getter/setter API. With ECMAScript 3.1 in full swing and other browser vendors bought-in, we now had an important decision to make: do we respond to this unexpected change and pursue implementing the ECMAScript 3.1 getter/setter API for the DOM, or do we ship what we have and tackle the ECMAScript 3.1 API in a future release?

The answer really came down to what was best for the web developer; they need interoperability and by ensuring that we support getters/setters as outlined in ECMAScript 3.1, we help deliver that interoperability in the long-term. Given that we were mere weeks away from shipping Beta 2 and did not want to put the quality of that release in jeopardy, we felt it was important to release the existing implementation (de facto getter/setters) to give web developers a chance to test and find any significant bugs rather than cut the feature from Beta 2 (saving it for RC 1). We appreciate the feedback we’ve received thus far, and have been able to take the requisite time to respond to compatibility issues that we might not otherwise have had the time to do.

Standards first

I’m now pleased to announce that with the upcoming Release Candidate of Internet Explorer 8, we not only have a high-quality DOM prototypes implementation, but we’ve been able to change the getter/setter implementation to follow the draft ECMAScript 3.1 standard. While our JavaScript engine and DOM won’t have support for all of the ECMAScript 3.1 enhancements in this release, it does mean that web developer code written to add getters and setters to the DOM in Internet Explorer 8 will continue to work now and into the future, since that code will be based on web-standards.

I’m very excited about this new capability in IE8! To help you get started, I’ve written a few articles that provide an introduction to DOM prototypes and getter/setters (and the new syntax that will be publicly available in the upcoming release candidate build):

• Document Object Model Prototypes, Part 1: Introduction
• Document Object Model Prototypes, Part 2: Accessor (getter/setter) Support

Also, some of you may have noticed that MSDN has also been updated to include the prototypes available in Internet Explorer 8!

DOM prototypes and getters/setters allow for some pretty cool programming possibilities. In an upcoming blog post, I’ll get into more details on some of the scenarios that IE8 makes possible. Please leave a comment and tell us what cool scenarios you’ve already implemented using this feature!

Returning to the topic of responding to change, what may initially appear as the best design for the web may change over the course of a product’s development. The experience I had with DOM getters/setters in Internet Explorer 8 has personally confirmed this. As we finish IE8 and on into the future, we’ll continue to gather the right data, listen to customer feedback, and make product changes where appropriate. I know our team cares a lot about web standards and supporting them as a way to achieve interoperability—which ultimately helps web developers to be more productive; embracing ECMAScript 3.1 is one more step to help get there sooner.

-Travis Leithead
Program Manager

Update 1/15: Please note, in some of the examples referenced in the above links, property descriptors have a “getter” and “setter” property. This was recently simplified to “get” and “set” (for consistency with other parts of the ES3.1 language). This is reflected in our current binaries, and we are in the process of updating this documentation now… sorry for the confusion.

IE8 in Windows 7 Beta

The Windows 7 Beta includes a beta of  Internet Explorer 8.  I say “a beta” because IE8 in Windows 7 Beta is a pre-release candidate build of IE:  it’s IE8 Beta 2 plus end user features that are only available on Windows 7 plus many fixes based on feedback we’ve gotten from IE8 Beta 2 usage.  This post is an overview of what you’ll find new in Windows 7’s Internet Explorer, as well as some suggestions about how to get the best experience with this pre-release software. 

Tabs in the Taskbar

Tabs are a very heavily used feature and Windows 7 makes it easy to switch to any tab you want. When you move the mouse over the Internet Explorer icon, you’ll see a thumbnail image of every tab of every IE window that you have open. Just click the page you want to get back to.

Figure 1: IE Tabs in the Taskbar

Given that users open the browser with a specific destination in mind – whether it be mail, an online newspaper or even a search, IE8, in conjunction with Windows 7, introduces the new Jump List feature which makes ‘getting where you’re going’ faster and easier. Jump lists help you get back to the most frequently visited sites in your history list even before you’ve opened the browser! These lists can be opened by dragging up (or right-clicking) on the IE icon on the taskbar. Clicking one of these will launch the IE browser and navigate to that site. Once IE has been opened, you will see the same drag-to-display functionality in the address bar. Simply putting the mouse on the text in the address bar and dragging down will open your most frequently visited sites.

Figure 2: IE Jump List            

If you have a touch enabled machine you can drag to open the jump list and the address bar using your finger.  In fact there are quite a few features for those of you that have a touch enabled machine. Let’s talk about those.

Touch features

The touch features are all about adapting to how touch interaction is often different than mouse interaction.

Because of the different sizes of fingers and the various ways people touch the screen, touch tends to be less accurate than mouse clicking. To respond to that we’ve made a few commonly used features easier to target. When the Favorites Center or Smart Address Bar is invoked with Touch, we put more spacing between items so it is easier to touch the link you want. We’ve also made the tab close button hit target taller.

Here’s an example of how the items in the Favorites Center are more spaced out when using touch.

Figure 3: Spacing of items in IE for use with touch

Touch also has a much more direct feeling than a mouse. When using touch machines, users naturally use their finger to scroll the page up and down, so we support that by default. In addition, navigating back and forward can be done with a left or right flick.

Other features enabled for Touch include opening a link in a new tab, which can be done by placing the finger on the link, dragging it a few pixels in any direction and then releasing, and two-finger zoom (on multi-touch enabled machines only).

Suggestions for the Best Experience

Our data and experience signing-off on the Windows 7 beta has been positive. Many of us have been running Windows 7 as our primary machines at home and at work for a while and loving it. At the same time, we pay very close attention to feedback. We’re looking forward to the data from millions and millions of beta users.

From the preliminary data we have already, we have some suggestions for people running the beta. The general advice is to run the latest versions of add-ons - we’ve been working with several add-on developers to make sure that together we’re able to deliver the best possible experience and there have been quite a few improvements. Some specific recommendations:

• HP Smart Web Printing

There isn’t an update for the HP Smart Web Printing Add-on available at this time. For this add-on, IE will show you the following message and ask if you’d like to disable this add-on. Choose “Disable this add-on”.

• Skype

Use version 4.0 beta not 3.0. For older versions of the Skype add-on, IE will show the following message. Choose “Disable this add-on”.  Then get the latest Skype version 4.0 beta which works well by clicking the “Check for updates” button or by visiting http://www.skype.com/download/skype/windows/beta/ directly

• Windows Live Sign-in Helper

Use the latest version of Windows Live Sign-in Helper. You can get it from http://get.live.com/

• Weather Channel Toolbar

There isn’t an update for the Weather Channel Toolbar available at this time. If you experience problems, you can disable this toolbar by right clicking and unchecking the Weather Channel Toolbar.

Figure 4: Right click to disable a toolbar in IE

As we gather more real-world data about the IE8 in Windows 7 experience, we’ll keep you updated here.

For site developers

The IE8 rendering platform is the same across different OS’s. So, you can write your page once for IE8. If you’re using OS detection logic you need to make sure it works properly to account for Windows 7.

Check out the Engineering Windows 7 blog to learn more about Windows 7.  I’m looking forward to your comments.

Paul Cutsinger
Principal Lead Program Manager

The Internet Explorer 8 User-Agent String (Updated Edition)

As announced in February 2008, Internet Explorer 8 sends an updated user-agent string when interacting with web servers. Since we last blogged about the User-Agent string, the Internet Explorer team introduced Compatibility View and today, the Windows team is releasing the Windows 7 Beta. Each of these events has a small impact on the User-Agent string, as I will outline in this post.

The Trident/4.0 User-Agent String

In order to help users visit sites that block the “MSIE 8.0” user-agent string, IE8 will send the “MSIE 7.0” version information when viewing sites with Compatibility View enabled. As Scott described last August, a new “Trident” token in the User-Agent string allows your code to detect Internet Explorer 8 clients even when they are using the Compatibility View feature.

IE8 on Windows Vista (Compatibility View)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)

IE8 on Windows Vista

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)

As noted in the Best Practices for detecting the IE version, we recommend that web developers do not block access to content based on the user-agent string of the browser. If you must offer different content to different versions of the browser due to improved capabilities, you should ensure that future versions of the browser are not blocked.

Serving content based solely on the user-agent string is often an unreliable way to detect the full capabilities of the browser, because the user might have adjusted some settings, such as disabling script or extensions.

The Windows 7 User-Agent String

On Windows 7, IE8 will send the User-Agent string with the new Windows NT version token.

IE8 on Windows 7

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)

(If you’re curious about why Windows 7 uses the version number “6.1”: the short answer is that it improves compatibility, and the longer answer can be found over on the Windows Team Blog.)

Nevertheless, the “Windows NT 6.1” version token may still result in problems for a very small number of websites that check the operating system version. Such websites may show error messages or otherwise interrupt visitors who are running Internet Explorer 8 on Windows 7. The Compatibility View button will not resolve this problem for such sites, because the Compatibility View button only changes the Internet Explorer version number, leaving the Windows version number intact.

In order for IE8 users on Windows 7 to visit websites which block the “Windows NT 6.1” version string, a registry override must be set to temporarily change the reported Windows version number. If you encounter any websites that block Windows 7 visitors, please submit a bug report on Connect or provide the URL of the site in the comments below.

Detecting 64-bit Internet Explorer

As machines with more than 4 gigabytes of RAM become more common, more and more users are running 64-bit versions of Windows. For compatibility with 3^rd party add-ons, the 32-bit edition of Internet Explorer remains the default on 64-bit systems. However, in some cases it can be useful for websites to recognize when users are visiting using 64-bit systems—for instance, a site may want to know whether to offer a 64-bit executable download.

Tokens in the User-Agent string will enable you to determine whether or not the user is running a 64-bit version of Windows, and whether they are running the 64-bit edition of Internet Explorer.

64-bit IE on 64-bit Windows:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Win64; x64; Trident/4.0)

32-bit IE on 64-bit Windows:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0)

Incidentally, WOW64 stands for “Windows on Windows 64-bit.”

Extending the User-Agent String

As described in the MSDN article Understanding User-Agent Strings, it is possible for users or applications to add new tokens to the User-Agent string by setting registry keys. We strongly encourage discretion in adding additional tokens, as the network overhead can become measurable as the string grows. Remember, the User-Agent string is sent in the headers for every HTTP/HTTPS request from the browser (and applications based on the IE Web Browser Control), so if you must add a token, please keep it as short as possible. We have also encountered some websites that do not function if the user-agent string is unusually long (for instance, over 128 characters).

You can check the User-Agent string your browser is currently sending here.

Thanks!

Eric Lawrence
Program Manager

Update 12:37: correcting formating of titles in post.

IE8 Blocker Toolkit Available Today!

We believe IE8 helps make browsing the web faster, easier, safer and more reliable. To help our users be more secure and up-to-date, we will distribute IE8 via Automatic Update (AU) and the Windows Update (WU) and Microsoft Update (MU) sites much like we did for IE7. We know that in a corporate environment, the IT organization will often want to delay the introduction of a new browser until they have tested compatibility with internal applications and sites.  We’ve done a lot of work in IE8 to maintain compatibility with sites designed for Internet Explorer 7, for example compatibility view and the compatibility meta tag.  However we know many IT organizations will still want to test the browser before it is deployed.  To help prevent users from installing IE8 through Automatic Update before compatibility testing has been completed, we are providing the IE8 Blocker Toolkit. This toolkit has no expiration date and can be configured either by running the registry file on the client machines or via Group Policy in domain joined environments. The Blocker Toolkit is available today from the Microsoft Download Center.

IE8 will be available for users on the following platforms:

• Windows Vista 32bit and 64bit,
• Windows XP SP2 and above,
• Windows Server 2008 and Windows Server 2003 SP2 and above

The IE8 update will be released as the highest priority update for each operating system. For Windows Vista and Windows Server 2008, it will be listed as Important. For Windows XP and Windows Server 2003, the update will be listed as High Priority. Delivery of IE8 via AU will begin after we make IE8 available from the Microsoft Download Center. Of course, users can always decline to install IE8 through AU when it is offered. More information for IT Professionals about IE8 delivery via AU is available here.

If you previously used the IE7 Blocker toolkit to block IE7 from being offered as a high-priority update, you will need to run the IE8 version of the Blocker Toolkit to block IE8 from being offered via AU. There are different registry keys used to block or unblock automatic delivery of IE7 and IE8. If you configure the IE8 Blocker Toolkit setting to prevent users from installing IE8 via WU/AU, IE8 will not appear in the list of available high priority or important updates.  We believe this approach strikes a good balance by helping customers become more secure and letting organizations control when they are ready to deploy IE8 to their users.  Note: The IE8 Blocker toolkit will not block the final version of IE8 being offered to users who already have pre-released versions of IE8 installed on their machine.  Also, the IE8 Blocker toolkit will not prevent users from manually installing IE8 from the Microsoft Download Center.

Organizations that use an update management solution such as Windows Server Update Services or Systems Management Server 2003 do not need to deploy the Blocker Toolkit.  Windows Server Update Services and Systems Management Server 2003 allow organizations to fully manage deployment of updates released through WU and MU, including IE8.  For more information about the IE8 Blocker Toolkit, check out this link.

For those who are interested, here is what the AU experience will look like for IE8.

How the AU delivery will work

For Windows XP and Windows Server 2003 users

• AU will notify you when IE8 is ready to install. You will also be able to visit Windows Update or Microsoft Update sites and manually install IE8 update by performing an “Express” scan for high-priority updates.

• When Windows Update starts installing IE8, you will see the IE8 welcome screen as such:

To proceed with the installation, decide on whether or not you’d like to participate in our Customer Improvement Program and click Install. If you choose Ask me later, WU will re-offer IE8 to you during the next update scan. If you choose Don’t Install, WU will not offer IE8 to you again, and IE8 will appear as an optional item on Windows Update.

For Windows Vista and Windows Server 2008 Users

• AU will notify you when IE8 is ready to install. You can click on the bubble to launch IE8 installation. You can also install IE8 from Windows Update manually by typing Windows Update in the command prompt and checking for updates.

• When Windows Update starts installing IE8, you will see the IE8 welcome screen:

To proceed with the installation, click Install. If you choose Ask me later, WU will re-offer IE8 to you during the next update scan. If you choose Don’t Install, WU will not offer IE8 to you again, and IE8 will appear as an optional item on Windows Update.

Note: The IE8 Welcome screens are still in draft form and are subject to change by the time IE8 is distributed via WU/AU.

If you configure the IE8 Blocker Toolkit setting to prevent users from installing IE8 via WU/AU, IE8 will not appear in the list of available high priority or important updates. We believe this approach strikes a good balance by helping customers become more secure and letting organizations control when they are ready to deploy IE8 to their users.

Thanks,
Jane Maliouta
Program Manager