Slashdot Mirror


Does IE8 Really Pass Acid2? [Updated]

thevirtualcat found some inconsistencies in IE8's Acid2 results that made him wonder what's going on. Can anyone replicate these results or, better yet, explain them?
Update: 03/22 23:54 GMT by KD : Several readers pointed out this has to do with cross-site scripting prevention, as described here.

43 of 174 comments

  1. The answer... by 26199 · · Score: 5, Informative

    As TFA mentions (at the very end!) this is explained here.

    Summary: cross-site security means that if you move the test off the original domain, the test changes. In fact IE8 does the wrong (nonstandard) thing in these cases, but according to them it's more secure (it fails earlier). They're considering making it more standards compliant once they're convinced it's secure enough.

    1. Re:The answer... by 26199 · · Score: 4, Insightful

      In a word, no.

      Next anti-Microsoft flame, please?

    2. Re:The answer... by zappepcs · · Score: 5, Interesting

      I can go one better for you. Technically, MS is correct. MS is thumbing its nose at standards because they can say "Look, we did it your way. We made IE8 extremely secure and now you claim it's broke. We are not the people that broke web browsing and the Internet, you did it. If we did everything people suggest the Internet just doesn't work."

      To a point, they are right, but they did this to show they are better and only seem insecure because if they don't do such things as they have done the Internet will not work. Oh yes, btw, those other browsers are not secure either... see how their stuff still works?

    3. Re:The answer... by kat_skan · · Score: 4, Informative

      Actually, Microsoft is not correct. The browser is supposed to be unable to load the object that is tripping IE's cross-domain security features. Regardless of whether the object fails to load because of security policies or because the resource flat out doesn't exist, the test is constructed so that the browser will display the fallback content for the object, which IE does not do.

    4. Re:The answer... by cheater512 · · Score: 4, Informative

      Microsoft did the correct thing with the cross domain scripting stuff.

      However they then ignore the fall back content hence the problem.
      The standard says that if there is a problem with the object tag then the html inside the html tag should be shown.
      IE8 has a problem with the object tag and then ignores the fallback completely.

      Why does it work on the official site?
      Because it's not cross scripting anymore, instead it fetches the page and gets a 404.
      It then uses the fallback content.

      In summary: Microsoft is making their own standard as per usual.

    5. Re:The answer... by pohl · · Score: 5, Informative

      So the behaviour mandated by the standard is insecure?

      No, that is not the case. IE8 is trying to prevent exploitation of their own, proprietary ActiveX API, and simply needs to make some minor corrections to make sure that they do it in such a way that does not violate the standards. The standards don't need to be revised since nobody else implements the Swiss cheese that is ActiveX.

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

    6. Re:The answer... by VGPowerlord · · Score: 5, Insightful

      I disagree. It should fall back to the data url when loading the other object failed. Not only that, but the HTML standard agrees with me on this:

      If the user agent is not able to render the object for whatever reason (configured not to, lack of resources, wrong architecture, etc.), it must try to render its contents.

      and

      One significant consequence of the OBJECT element's design is that it offers a mechanism for specifying alternate object renderings; each embedded OBJECT declaration may specify alternate content types. If a user agent cannot render the outermost OBJECT, it tries to render the contents, which may be another OBJECT element, etc.
      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    7. Re:The answer... by Bill, Shooter of Bul · · Score: 4, Interesting

      I can't say for certain who is in the right with this particular issue, but there is a larger issue here. If following a standard leads to an unavoidable security hole, should you follow it?

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    8. Re:The answer... by VGPowerlord · · Score: 2, Informative

      But why is it OK to process the fallback (a data url) if the failed page is on the same domain, but not if it's on a different domain?

      The spec says you must try to render the fallback if an object is not processed because the browser is configured not to render it. I quoted the relevant section in my last post.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  2. Known Cross-domain security issue by Ececheira · · Score: 5, Interesting

    The reason you're seeing the result is due to an "overly secure" default for beta 1 when it comes to cross-domain embedded objects.

    Here's the explanation:
    http://blogs.msdn.com/ie/archive/2008/03/05/why-isn-t-ie8-passing-acid2.aspx

    Google is your friend next time... :)

  3. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  4. Incorrectly set up website fails to render by Gordonjcp · · Score: 2, Funny

    Film at 11.

  5. I smell bullshit at the IE blog by Dracos · · Score: 3, Interesting

    The Acid tests are test cases used to assess a browser's web standards support.

    Yet, in the explanation of the incorrect rendering at the IE blog, ActiveX is invoked, with some excuse about cross-domain security.

    ActiveX has absolutely nothing to do with Web Standards.

    This leads me to believe that MS plans to keep playing the Internet game by their rules for a while yet.

    1. Re:I smell bullshit at the IE blog by Chris Snook · · Score: 5, Informative

      IE8 is using ActiveX *internally* because it can't natively render the html OBJECT. Invoking ActiveX triggers XSS checks. The bottom line is that they technically pass the test, but many web designers will do things that really should work, but won't in IE8. It's not because MS is cheating, just that they haven't fully implemented this feature, and they're erring on the side of caution with their partial implementation. Regardless of standards compliance, they'll need to fix this before IE8 is released.

      --
      There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
    2. Re:I smell bullshit at the IE blog by Anonymous Coward · · Score: 2, Insightful

      They said that their implementation uses ActiveX to handle HTML in OBJECT tags. They weren't saying the test was using an ActiveX control.

      Also, it was not an excuse, it is a reasonable security measure. Frankly, most web developers are far too reckless about security. Rule #1 of secure programming: be as paranoid as you can, and then be more paranoid. If you don't think that every user is out to get you, then you're not being paranoid enough.

      You obviously didn't comprehend what you read. :)

  6. Re:Yes, that's true. by Naughty Bob · · Score: 5, Funny

    M$ has gone its own way so long that the quickest route for them to a standards compliant browser is to download Firefox.
    Another way would be to update iTunes....
    --
    "Be light, stinging, insolent and melancholy"
  7. Cross-domain == cross-site by poor_boi · · Score: 4, Interesting

    Microsoft is right to turn cross-domain restrictions on by default. Cross-domain is the same as cross-site, and we all know the pain XSS vulnerabilities can bring. The failure of "copies" of acid2 to render correctly in IE8 is actually due to the "copies" of acid2 being "copied" incorrectly. To copy the acid2 test, you have to make slight modifications to the test contents itself to update the test for the domain it is being hosted on. Them are the breaks of complex tests. Acid2 is a complex test and cannot simply be copied carte blanche.

    1. Re:Cross-domain == cross-site by Jerome H · · Score: 2, Insightful

      "carte blanche"
      Please... don't use an expression that you don't understand.

      --
      int main() { while(1) fork(); }
  8. This is not a security problem, per se. by WK2 · · Score: 3, Insightful

    IE8 has a problem initiating fallback content when a resource can not be acquired. This is exactly what this particular part of the acid2 test is meant to test, fallback code. The fact is, that IE8's fallback behavior works correctly in some cases, but not in others. Specifically, the fallback code works if the failed to acquire resource is supposed to be on the same domain as the acid2 test, whereas if they are on different domains, IE8's code fails to behave properly.

    The fact that the blog writer mentions security is a red herring. While it is true that this does have something to do with security code, the real problem is that the fallback behavior is poor.

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    1. Re:This is not a security problem, per se. by Anonymous Coward · · Score: 2, Informative

      You should read. The explanation that he gave, I will now give, in my own words, hoping that you will read them correctly this time.

      The portion of the acid2 test that is at issue with IE8 here works like this:

      1. The test has markup that points to an object at http://www.webstandards.org/404/; basically, the object's not there, on purpose.
      2. The test has subsequent markup that contains a data: URI with embedded replacement/fallback content.

      What should happen?

      Two claims:

      1. MS IE team: Because the lark document resides on a different domain if you run the test from another site, they feel it's insecure to check some other domain's content like that.
      2. Rest of us: We acknowledge that it is in fact nice of them to be security minded in this way, BUT the fallback content is still there, embedded in the test, and they should go ahead and render it if they aren't able to get the first-ordered content because of a 404 OR because they are paranoid.

      It's content designed to be used in the place of the real content if for whatever reason (offline browsing? paranoia? maybe the original content was eaten by a grue?)
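An added illustration (not part of the thread, and not browser code) of the fallback logic this comment walks through: the same nested OBJECT fragment rendered from the original site and from a mirror, once with the "render the contents on any failure" rule and once with a model in which a cross-domain block is terminal. The page URLs other than `http://www.webstandards.org/404/`, the `data:` payload and all function names are constructed, and the beta 1 branch models only the behaviour described in the comments above.

```javascript
// Constructed stand-in for the network: no URL resolves, so every real fetch is a
// 404, matching the deliberately missing object at http://www.webstandards.org/404/.
const EXISTING_URLS = new Set();

// Constructed model of the markup described in the thread: an outer OBJECT whose
// URL does not exist, wrapping an inner OBJECT with a data: URI, wrapping text.
const acid2Fragment = {
  data: 'http://www.webstandards.org/404/',
  fallback: {
    data: 'data:text/plain,EYES', // placeholder payload, not the real Acid2 data
    fallback: 'ERROR',            // innermost text, shown only if everything fails
  },
};

const ORIGINAL = 'http://www.webstandards.org/'; // assumed origin of the official test
const MIRROR = 'http://mirror.example/';         // constructed copy on another domain

// Try to load one OBJECT. Returns { ok, content } or { ok: false, reason }.
function loadObject(node, pageUrl, blockCrossOrigin) {
  if (node.data.startsWith('data:')) {
    // Inline content travels with the page; no request leaves the document.
    const payload = node.data.slice(node.data.indexOf(',') + 1);
    return { ok: true, content: decodeURIComponent(payload) };
  }
  if (blockCrossOrigin && new URL(node.data).origin !== new URL(pageUrl).origin) {
    return { ok: false, reason: 'blocked' };
  }
  if (!EXISTING_URLS.has(node.data)) {
    return { ok: false, reason: '404' };
  }
  return { ok: true, content: `[${node.data}]` };
}

// HTML 4 rule quoted in the thread: if the object cannot be rendered "for whatever
// reason", render its contents. The failure reason is deliberately ignored.
function renderPerSpec(node, pageUrl, blockCrossOrigin) {
  if (typeof node === 'string') return node;
  const result = loadObject(node, pageUrl, blockCrossOrigin);
  if (result.ok) return result.content;
  return node.fallback === undefined
    ? ''
    : renderPerSpec(node.fallback, pageUrl, blockCrossOrigin);
}

// Model of the beta 1 behaviour as commenters describe it: a 404 falls back,
// but a cross-domain block ends rendering without touching the fallback.
function renderBeta1Model(node, pageUrl) {
  if (typeof node === 'string') return node;
  const result = loadObject(node, pageUrl, true);
  if (result.ok) return result.content;
  if (result.reason === 'blocked') return '';
  return node.fallback === undefined ? '' : renderBeta1Model(node.fallback, pageUrl);
}

// Render the fragment both ways for a given hosting page.
function compare(pageUrl) {
  return {
    spec: renderPerSpec(acid2Fragment, pageUrl, true),
    beta1Model: renderBeta1Model(acid2Fragment, pageUrl),
  };
}

console.log('original:', compare(ORIGINAL));
console.log('mirror:  ', compare(MIRROR));
```

The cross-domain block itself is kept in both renderers; only the handling of the failure differs, which is the distinction the thread keeps returning to.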

  9. Re:On another note... Acid3 by Your.Master · · Score: 4, Informative

    The IE team announced their internal IE8 build passed Acid2 in mid-December. Acid3 was released March 3. IE8's first public beta went out on March 5.

  10. Re:On another note... Acid3 by LighterShadeOfBlack · · Score: 3, Interesting

    Acid3 had been in development for 11 months so it's not like this suddenly sprung into existence overnight to "prove" Microsoft's inadequacies or anything. Even if you consider the release date to be intriguing, I'm not sure what difference you think the Acid3 developers thought it would make to have IE8 fail Acid3. It's not like there are really any users who decide which browser to use based on its ability to accurately render complete standards anyway. Most people don't know what the web standards Acid tests are and won't care even if you tell them.

    Putting all that aside, it would still hardly constitute some unfair conspiracy. For one thing every other renderer in released browsers fails quite miserably at it too. Secondly, it's not some arbitrary test, Acid3 measures accuracy of conformance to DOM and ECMAscript standards. Acid3 didn't just make up the standards on the spot, they have existed for years and IE could have (and should have) been attempting to conform the whole time (as should every other renderer).

    In other words: No, I don't find it intriguing. It's a mild coincidence, nothing more.

    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.
  11. Re:On another note... Acid3 by ben there... · · Score: 3, Insightful

    Notice they have a "Task Force" for testing Microsoft, but no such group for Firefox, Opera, Safari, etc. Not that surprising, really. There are entire websites devoted to helping web designers hack around IE bugs. If only a single browser could pass Acid2 and Acid3, ideally that browser would be IE. It's used by the most people, so you must design around its flaws. Not to mention, if that were to happen, Firefox and Opera would do everything possible to catch up immediately. Then we wouldn't have to hack around any browser's flaws.
  12. No, it does not. Security problem is their problem by porneL · · Score: 4, Interesting

    No, it does not pass.

    There is no cross-domain insecurity in <object> as defined by the HTML specification. There is a problem in IE8's broken implementation.

    If object can't be displayed, browser should ignore it. Ignored <object> isn't any more dangerous than <div>. In such case there's only one document, with one DOM, all within same domain.

    But apparently IE8 can't ignore undisplayable <object> properly, so they've hacked around the problem by spawning new IE8 instance that pretends to be a plug-in that handles the invalid <object> (an <iframe> effectively). And when you do stupid things like that, of course you've got a security problem!

    No Acid2-passing browser has any problems with displaying same-origin fallback to cross-domain object.

  13. Re:On another note... Acid3 by Naughty Bob · · Score: 5, Funny

    Did anyone else find it intriguing that a day or two Microsoft announces that they passed Acid2 with IE8, The Web Standard Project announces Acid3 which IE8 epically fails?
    It's like this- The Web Standards Project is like a kindly teacher, who waited patiently for the slowest kid in the class to understand the current lesson, before moving on to the next one.
    --
    "Be light, stinging, insolent and melancholy"
  14. Re:Simple stuff like CSS by Anonymous Coward · · Score: 2, Informative

    Have you specified a valid doctype? Even IE8 will probably degrade into quirks mode without one, which will cause auto margins to fail.

  15. Microsoft Has Lost The Race by Whuffo · · Score: 2, Insightful

    Microsoft continues to trumpet their excellence but their products don't perform as they claim. Look at Vista; piece of crap. Sure, they're selling a bunch of copies - mostly pre-installed copies on new computers and a few more from people who want the latest and greatest from Redmond. The majority of their market has decided to stay well away from Vista.

    Internet Explorer is losing ground to Firefox, so they come out with a new version and claim that it meets standards and works better. Nope, it's just more of their marketing spin.

    The real problem is that Microsoft has lost sight of the goal. They're supposed to be producing software that meets the needs and desires of their customers, but they're busily producing software that's only intended to further their goal of "world domination". Their marketing department is busy trying to make that pig look like a swan, but it's not working.

    Too bad that Linux distributions aren't quite "there" yet - close, but not yet. This is a golden opportunity for a real competitor...

    1. Re:Microsoft Has Lost The Race by Ilgaz · · Score: 2, Interesting

      They won the race a long time ago. It is impossible to have windows with mshtml.dll (or web frameworks) removed. That was all the big deal. They weren't really caring about their end user, they were caring about even the most basic blog owner can't have peace without looking "If IE shows his page fine". There are companies who offer "test with IE" service to users, did you know? For money!

      It is still impossible to have 100% (not 99%) perfect web experience for end user if he/she is not using Windows XP/Vista without IE. You will get stuck somewhere for sure. That is a win too.

      So, they can even pass Über Quantum Acid 1000 test, it won't matter to them. So, they clicked some switch to stop conspiring w3c standard sites and voila, it passes.

      You didn't actually believe MS of a small country size is really incompetent to code a w3c standard browser, yes? IE 5 for Macs (of its release date) supports more standards than any browser on market at that time.

  16. Re:just use firefox by liquiddark · · Score: 2, Informative

    Of course, 2.0.0.1.2 Firefox doesn't pass Acid2 either. So, not so much.

  17. Re:Yes, that's true. by Bogtha · · Score: 4, Insightful

    Acid3 was recently released so that people have new standards to meet.

    Acid3 isn't a standard, it's a set of tests for specifications that have already existed for years. Acid3 didn't make Firefox less compliant, it merely pointed out ways in which Firefox was already non-compliant.

    --
    Bogtha Bogtha Bogtha
  18. Re:Simple stuff like CSS by Bogtha · · Score: 4, Informative

    Auto margins failing to centre block elements is a hallmark of quirks mode, which means that you aren't using a doctype, which means that you are writing invalid code, which means that you aren't in any position to criticise others for not following the specifications.

    --
    Bogtha Bogtha Bogtha
  19. Re:Yes, that's true. by cheater512 · · Score: 3, Interesting

    If you go to the appropriate wikipedia page you will see a long list of CSS 2 and 3 features.
    Beside this list is all the major browsers and how they implement each feature (fully, partially, broken, not implemented, etc...).

    Voila! Partial compliance.

  20. It's a massive improvement... by marm · · Score: 4, Interesting

    ...even if it's a shame it's taken this long to get there. Pre-releases of Safari and Konqueror passed this almost exactly 3 years ago, and Opera's Presto engine wasn't far behind. The fact that Gecko has taken nearly as long to catch up as IE/Trident is disturbing, but they had their own self-inflicted issues to fix (XPCOM? ewww).

    All of this can only mean web developers sleep more soundly at night, and more real work gets done. The IE developers can give themselves a big pat on the back for achieving something useful that will make everyone's lives better, like they used to do with IE3 and 4 and initial CSS1 support. Shame the management decided to slack off on IE development so long. Microsoft: intelligent geeks, ruined by management.

    Now, on to Acid 3. IE8 is still clearly trailing everyone else by some distance and is probably going to play catchup for a while yet until they implement native SVG (think about the possibilities for Explorer and Office, that Apple, KDE and friends are just beginning to explore).

    As an aside, think how good MS Office might be if they had this level of competition due to having to implement a proper Open Document standard not specified by them. Everyone would get more work done, would be fitter, happier, healthier and better, and Microsoft would probably still have the lion's share of the market. OOXML needs to die now, for everyone's sake, including Microsoft's.

    1. Re:It's a massive improvement... by 99BottlesOfBeerInMyF · · Score: 2, Informative

      Now, on to Acid 3. IE8 is still clearly trailing everyone else by some distance and is probably going to play catchup for a while yet until they implement native SVG...

      The Webkit nightly is up to 95/100 on Acid 3. Anyone run Gecko nightly lately?

    2. Re:It's a massive improvement... by marm · · Score: 3, Insightful

      Because the file format limitations are (at least as far as I can see) what keep the competitors from being viable alternatives.

      I'm an IT manager by trade. I don't care who provides my company with software or what platform it runs on, as long as the business I provide IT for benefits from it and it is cost-effective, ideally giving me an advantage over my company's own competitors. The changes in UI between MS Office XP (which they're mostly using now), 2003 and especially 2007 are big enough that I have to retrain my users to use them, and frankly the cost of training my users to use 2007 is enough that I've been seriously considering moving them to OpenOffice.org.

      However, the lack of a properly standardized file format prevents me from doing that. I have experimented with OOo with some of my users, and the biggest complaint (once I have trained them up a bit in OOo) I have is that .doc documents they are sent frequently don't look or print right, or they don't look right on the receiving end. If they can cope with that, I have found OOo gives me fewer support calls, primarily because the text rendering engine in OO Writer is more predictable than that in MS Word. Every few days I have to send someone to look at a user's Word document because the formatting does not work as they expect, particularly if the document contains columns or per-paragraph margins. In OO writer, those same documents behave exactly as expected. I can't understand how MS Word has got it wrong for so long - the bugs I see in Office XP are exactly the same in 2007. OO.org does it right, MS Word doesn't, and the only reason I can't reduce those support calls is that my users expect to be able to import and export external documents perfectly each time. There are similar issues with OO Calc vs. Excel also, particularly with regards to external data sources that Excel seems to forget about with no rhyme or reason, but which OO Calc gets right all the time, every time.

      I know from experience with KOffice that I get better import - pretty much spot-on for the fairly complex documents my users create - from that into OO.org as ODF than I do Word documents into OO.org, so there must be something good about having a properly standardized file format. My conclusion therefore is that if MS Office had to support ODF, then MS would be forced to fix the bugs in Word and Excel rather than rely on their proprietary file format to keep competitors out and ignore the problems.

      This is a similar situation with IE8 finally fixing long-standing bugs in order to pass the Acid 2 test, which is only possible by HTML and CSS being properly standardized.

  21. The reason. by Tokerat · · Score: 4, Funny

    IEBlog article:

    To maintain compatibility and be secure by default we didn't want to invoke fallback either, as original web authors might not have intended this behavior.

    As we all know, developers (developers, developers, developers) NEVER intend for a fallback resource to be utilized when primary resources fail. Microsoft has once again taken the initiative to embrace the developer community as a loving parent and save us from our own incompetent, foolish selves.

    "What does 'It's not a bug, it's a feature' mean, daddy?"

    "I'll tell you when you're older."
    --
    CAn'T CompreHend SARcaSm?
  22. Other object types by RalphSleigh · · Score: 3, Interesting

    One must ask, does IE 8 only fail on cross site objects of type text/html, or are other cross site objects affected? (e.g. flash, embedded youtube videos, quicktime, etc)...

    --
    Come as you are, do what you must, be who you will.
  23. Re:Yes, that's true. by NickCatal · · Score: 2, Informative

    Actually, the nightly build of WebKit (OS X) is already at 95/100. The latest Safari isn't nearly as high.

    Not like it matters. By the time anyone tries something that is in the ACID3 test there will be an ACID4 that nobody can get to 100 with

    --
    -nick
  24. Reverse yellow boxes.... by AstroPHX · · Score: 2, Informative

    All ACID tests are attempts at benchmarking the ability of a browser to apply standards (W3C standards, to be specific) correctly. Unless your browser showed you the image exactly as it appears here http://acid3.acidtests.org/reference.html, your browser did not pass the ACID3 test.

    I do not see any "'t's in reversed yellow boxes" in the reference document, so I am going to go out on a limb and suggest your browser does not pass the ACID3 test.

  25. Re:Lay off by XNine · · Score: 2, Funny

    IE8 has moved dramatically forward, and it's a great thing to see. The biggest issue with IE8 which I am surprised no one has mentioned, is the performance. My PC (AMD XP1600+, ATI x700 and 1.4gb of ram), STRUGGLES

    Err... and STRUGGLING is a dramatic improvement? Damn, no wonder watching youtube is like watching paint dry. Who'da thunkit?
    --
    Never monkey with another monkey's monkey.
  26. Re:Simple stuff like CSS by Bogtha · · Score: 3, Interesting

    Is the doctype <!DOCTYPE html PUBLIC> invalid?

    Validity is a property of documents; a doctype declaration alone cannot be valid or invalid. But that code is incorrect, you've forgotten the public identifier. That code also puts other browsers into quirks mode.

    Is the ISO HTML 2000 version doctype invalid?

    There's more than one ISO HTML 2000 doctype declaration available. As for correctness, that depends on whether or not you screw the syntax up. But next to nobody uses that doctype anyway. Can you name a single HTML tutorial that mentions it? The OP wondered if he was reading the wrong tutorials, in my experience, it's common for tutorials to miss out doctypes altogether and unheard of for them to mention ISO-HTML at all. So we can reasonably eliminate that from consideration as well.

    Is it considered invalid to put the XML prolog before the doctype of an XHTML document?

    It is not invalid, but you shouldn't do so when serving it as text/html as it goes against the compatibility guidelines in the XHTML 1.0 specification, which RFC 2854 requires you to follow. Further, Internet Explorer hasn't chosen quirks mode for documents with XML prologues since version 6, so that's not the issue here either.

    Is it considered invalid to put an SGML comment before the doctype?

    There's nothing wrong with that, although again, it's not something tutorials teach. You can divide HTML tutorials into two different groups: one doesn't mention doctypes and the other says that the doctype must come first (or straight after the XML prologue).

    Wikipedia says all of those situations will put some IE versions into quirks mode despite the presence of a doctype.

    But "some IE versions" isn't relevant here, we are talking about version 8 in particular. Are you actually looking for an explanation for the problem, or are you just trying to find a way of blaming Microsoft? Doctype switching has been around for many years, all major browsers do it, and it's silly to blame Microsoft for auto margin centring not working when Internet Explorer has supported it for seven years.

    --
    Bogtha Bogtha Bogtha
  27. Re:Who cares? by meson2439 · · Score: 2, Interesting

    Opera already passes all the ACID test :)
    It renders fast and has a lot of fun features to play with. I'm already addicted to the mouse gestures up to the point the normal clicking I do with windows feels boring. I wonder if there is any OS that offers mouse gestures??

  28. Re:Yes, that's true. by Bogtha · · Score: 4, Informative

    The Acid3 test is a NEW test that uses/tests the NEW feature that the CSS3 introduces.

    Let's do exactly what you suggest, and "RTFM". From the Acid3 page at webstandards.org, with links to the specifications and dates added by me:

    Here is the list of specifications tested:

    As you can see, the majority of the Acid3 test is comprised of behaviour described in specifications published years ago, with a substantial portion of them over five years old and some over a decade old.

    CSS3 introduces many changes,

    Actually, CSS 3 is not a single specification, but a group of

    --
    Bogtha Bogtha Bogtha