Slashdot Mirror


Does IE8 Really Pass Acid2? [Updated]

thevirtualcat found some inconsistencies in IE8's Acid2 results that made him wonder what's going on. Can anyone replicate these results or, better yet, explain them?
Update: 03/22 23:54 GMT by KD: Several readers pointed out this has to do with cross-site scripting prevention, as described here.

20 of 174 comments

  1. The answer... by 26199 · · Score: 5, Informative

    As TFA mentions (at the very end!) this is explained here.

    Summary: cross-site security means that if you move the test off the original domain, the test changes. In fact IE8 does the wrong (nonstandard) thing in these cases, but according to them it's more secure (it fails earlier). They're considering making it more standards compliant once they're convinced it's secure enough.

    1. Re:The answer... by 26199 · · Score: 4, Insightful

      In a word, no.

      Next anti-Microsoft flame, please?

    2. Re:The answer... by zappepcs · · Score: 5, Interesting

      I can go one better for you. Technically, MS is correct. MS is thumbing its nose at standards because they can say "Look, we did it your way. We made IE8 extremely secure and now you claim it's broken. We are not the people that broke web browsing and the Internet, you did it. If we did everything people suggest the Internet just doesn't work."

      To a point, they are right, but they did this to show they are better and only seem insecure because if they don't do such things as they have done the Internet will not work. Oh yes, btw, those other browsers are not secure either... see how their stuff still works?

    3. Re:The answer... by kat_skan · · Score: 4, Informative

      Actually, Microsoft is not correct. The browser is supposed to be unable to load the object that is tripping IE's cross-domain security features. Regardless of whether the object fails to load because of security policies or because the resource flat out doesn't exist, the test is constructed so that the browser will display the fallback content for the object, which IE does not do.

    4. Re:The answer... by cheater512 · · Score: 4, Informative

      Microsoft did the correct thing with the cross domain scripting stuff.

      However they then ignore the fall back content hence the problem.
      The standard says that if there is a problem with the object tag then the html inside the html tag should be shown.
      IE8 has a problem with the object tag and then ignores the fallback completely.

      Why does it work on the official site?
      Because it's not cross scripting anymore, instead it fetches the page and gets a 404.
      It then uses the fallback content.

      In summary: Microsoft is making their own standard as per usual.

    5. Re:The answer... by pohl · · Score: 5, Informative

      So the behaviour mandated by the standard is insecure?

      No, that is not the case. IE8 is trying to prevent exploitation of their own, proprietary ActiveX API, and simply needs to make some minor corrections to make sure that they do it in such a way that does not violate the standards. The standards don't need to be revised since nobody else implements the swiss cheese that is ActiveX.

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

    6. Re:The answer... by VGPowerlord · · Score: 5, Insightful

      I disagree. It should fall back to the data url when loading the other object failed. Not only that, but the HTML standard agrees with me on this:

      If the user agent is not able to render the object for whatever reason (configured not to, lack of resources, wrong architecture, etc.), it must try to render its contents.

      and

      One significant consequence of the OBJECT element's design is that it offers a mechanism for specifying alternate object renderings; each embedded OBJECT declaration may specify alternate content types. If a user agent cannot render the outermost OBJECT, it tries to render the contents, which may be another OBJECT element, etc.
      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    7. Re:The answer... by Bill,+Shooter+of+Bul · · Score: 4, Interesting

      I can't say for certain who is in the right with this particular issue, but there is a larger issue here. If following a standard leads to an unavoidable security hole, should you follow it?

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
  2. Known Cross-domain security issue by Ececheira · · Score: 5, Interesting

    The reason you're seeing the result is due to an "overly secure" default for beta 1 when it comes to cross-domain embedded objects.

    Here's the explanation:
    http://blogs.msdn.com/ie/archive/2008/03/05/why-isn-t-ie8-passing-acid2.aspx

    Google is your friend next time... :)

  3. Re:Yes, that's true. by Naughty+Bob · · Score: 5, Funny

    M$ has gone its own way so long that the quickest route for them to a standards compliant browser is to download Firefox.
    Another way would be to update iTunes....
    --
    "Be light, stinging, insolent and melancholy"
  4. Cross-domain == cross-site by poor_boi · · Score: 4, Interesting

    Microsoft is right to turn cross-domain restrictions on by default. Cross-domain is the same as cross-site, and we all know the pain XSS vulnerabilities can bring. The failure of "copies" of acid2 to render correctly in IE8 are actually due to the "copies" of acid2 being "copied" incorrectly. To copy the acid2 test, you have to make slight modifications to the test contents itself to update the test for the domain it is being hosted on. Them are the breaks of complex tests. Acid2 is a complex test and cannot simply be copied carte blanche.

  5. Re:On another note... Acid3 by Your.Master · · Score: 4, Informative

    The IE team announced their internal IE8 build passed Acid2 in mid-December. Acid3 was released March 3. IE8's first public beta went out on March 5.

  6. Re:I smell bullshit at the IE blog by Chris+Snook · · Score: 5, Informative

    IE8 is using ActiveX *internally* because it can't natively render the html OBJECT. Invoking ActiveX triggers XSS checks. The bottom line is that they technically pass the test, but many web designers will do things that really should work, but won't in IE8. It's not because MS is cheating, just that they haven't fully implemented this feature, and they're erring on the side of caution with their partial implementation. Regardless of standards compliance, they'll need to fix this before IE8 is released.

    --
    There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
  7. No, it does not. Security problem is their problem by porneL · · Score: 4, Interesting

    No, it does not pass.

    There is no cross-domain insecurity in <object> as defined by the HTML specification. There is a problem in IE8's broken implementation.

    If object can't be displayed, browser should ignore it. Ignored <object> isn't any more dangerous than <div>. In such case there's only one document, with one DOM, all within same domain.

    But apparently IE8 can't ignore undisplayable <object> properly, so they've hacked around the problem by spawning new IE8 instance that pretends to be a plug-in that handles the invalid <object> (an <iframe> effectively). And when you do stupid things like that, of course you've got a security problem!

    No Acid2-passing browser has any problems with displaying same-origin fallback to cross-domain object.
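
    The comments above (cheater512's 404-versus-cross-domain explanation, VGPowerlord's quotes from the HTML 4.01 OBJECT rules, and porneL's point that an ignored object is no more dangerous than a div) describe one mechanism. Below is an added example that models it; it is not code from the thread, from IE8, or from the Acid2 test. The resource table, the URLs, the nested-object tree and the two policies are constructed for illustration: `SPEC_POLICY` blocks cross-origin object loads and then renders fallback content as the spec requires, while `BETA1_LIKE_POLICY` is an assumed model of the beta 1 behaviour the commenters describe (block, then swallow the fallback). The same-origin check is kept in both, because the thread's complaint is not the check itself but what happens after it fails.

    ```javascript
    'use strict';
    // Toy model of HTML 4.01 <object> fallback resolution with a same-origin
    // check in front of every resource load. Added example; not browser code.

    // Constructed stand-in for the network: absolute URL -> response.
    // Anything not listed here is a 404.
    const NETWORK = {
      'http://test.example/acid/logo.png': { type: 'image/png' },
    };

    // Types this toy user agent can render natively.
    const SUPPORTED_TYPES = new Set(['text/html', 'image/png']);

    // Assumed policies. The "beta 1 like" one is a model of what the thread
    // describes, not a reproduction of IE8's actual implementation.
    const SPEC_POLICY = { blockCrossOrigin: true, skipFallbackWhenBlocked: false };
    const BETA1_LIKE_POLICY = { blockCrossOrigin: true, skipFallbackWhenBlocked: true };

    // Constructed document locations: the "official" host the object URLs point
    // at, and a mirror that copied the markup without rewriting those URLs.
    const ORIGINAL_URL = 'http://test.example/acid/test.html';
    const MIRROR_URL = 'http://mirror.example/copy/test.html';

    function sameOrigin(urlA, urlB) {
      const a = new URL(urlA);
      const b = new URL(urlB);
      return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
    }

    // Attempt to load one <object>. Returns { ok, reason }.
    function tryLoad(obj, docUrl, policy) {
      const target = new URL(obj.data, docUrl).href;
      if (policy.blockCrossOrigin && !sameOrigin(target, docUrl)) {
        return { ok: false, reason: 'cross-origin blocked' };
      }
      const resp = NETWORK[target];
      if (!resp) return { ok: false, reason: '404' };
      const type = obj.type || resp.type;
      if (!SUPPORTED_TYPES.has(type)) return { ok: false, reason: `unsupported type ${type}` };
      return { ok: true, reason: 'loaded' };
    }

    // Node shapes: { tag: 'object', data, type, children } or { tag: 'text', text }.
    // Returns the rendered output as a string; `trace` collects load outcomes.
    function render(node, docUrl, policy, trace = []) {
      if (node.tag === 'text') return node.text;
      const result = tryLoad(node, docUrl, policy);
      trace.push(`${node.data}: ${result.reason}`);
      if (result.ok) return `[object ${new URL(node.data, docUrl).href}]`;
      // HTML 4.01: if the user agent cannot render the object "for whatever
      // reason", it must try to render the contents, which may be another
      // OBJECT, and so on down the chain.
      if (policy.skipFallbackWhenBlocked && result.reason === 'cross-origin blocked') {
        return ''; // the modelled beta 1 behaviour: blocked object, no fallback
      }
      return node.children.map((c) => render(c, docUrl, policy, trace)).join('');
    }

    // Constructed nested-object page in the style Acid2 uses (outer object to a
    // nonexistent resource, fallback containing text plus another object).
    // This is not the real Acid2 markup.
    const TEST_PAGE = {
      tag: 'object',
      data: 'http://test.example/acid/missing.bin',
      type: 'application/x-made-up-plugin',
      children: [
        { tag: 'text', text: 'outer fallback ' },
        {
          tag: 'object',
          data: 'http://test.example/acid/missing.png',
          type: 'image/png',
          children: [{ tag: 'text', text: 'inner fallback' }],
        },
      ],
    };

    function runTest(docUrl, policy) {
      const trace = [];
      const html = render(TEST_PAGE, docUrl, policy, trace);
      return { html, trace };
    }

    if (require.main === module) {
      for (const [name, policy] of [['spec', SPEC_POLICY], ['beta1-like', BETA1_LIKE_POLICY]]) {
        for (const docUrl of [ORIGINAL_URL, MIRROR_URL]) {
          const { html, trace } = runTest(docUrl, policy);
          console.log(`${name} @ ${docUrl}\n  rendered: ${JSON.stringify(html)}\n  ${trace.join('\n  ')}`);
        }
      }
    }
    ```

    Run with `node` and compare the four cases: under `SPEC_POLICY` the page renders identically on both hosts even though the trace shows a 404 on the original host and a cross-origin block on the mirror, because both paths end in the same-origin fallback text. Under `BETA1_LIKE_POLICY` the original host still passes (a 404 is not "blocked") while the mirror renders nothing, which is exactly the host-dependent result the story asks about.
    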

  8. Re:On another note... Acid3 by Naughty+Bob · · Score: 5, Funny

    Did anyone else find it intriguing that a day or two after Microsoft announced that they passed Acid2 with IE8, The Web Standards Project announced Acid3, which IE8 epically fails?
    It's like this- The Web Standards Project is like a kindly teacher, who waited patiently for the slowest kid in the class to understand the current lesson, before moving on to the next one.
    --
    "Be light, stinging, insolent and melancholy"
  9. Re:Yes, that's true. by Bogtha · · Score: 4, Insightful

    Acid3 was recently released so that people have new standards to meet.

    Acid3 isn't a standard, it's a set of tests for specifications that have already existed for years. Acid3 didn't make Firefox less compliant, it merely pointed out ways in which Firefox was already non-compliant.

    --
    Bogtha Bogtha Bogtha
  10. Re:Simple stuff like CSS by Bogtha · · Score: 4, Informative

    Auto margins failing to centre block elements is a hallmark of quirks mode, which means that you aren't using a doctype, which means that you are writing invalid code, which means that you aren't in any position to criticise others for not following the specifications.

    --
    Bogtha Bogtha Bogtha
  11. It's a massive improvement... by marm · · Score: 4, Interesting

    ...even if it's a shame it's taken this long to get there. Pre-releases of Safari and Konqueror passed this almost exactly 3 years ago, and Opera's Presto engine wasn't far behind. The fact that Gecko has taken nearly as long to catch up as IE/Trident is disturbing, but they had their own self-inflicted issues to fix (XPCOM? ewww).

    All of this can only mean web developers sleep more soundly at night, and more real work gets done. The IE developers can give themselves a big pat on the back for achieving something useful that will make everyone's lives better, like they used to do with IE3 and 4 and initial CSS1 support. Shame the management decided to slack off on IE development so long. Microsoft: intelligent geeks, ruined by management.

    Now, on to Acid 3. IE8 is still clearly trailing everyone else by some distance and is probably going to play catchup for a while yet until they implement native SVG (think about the possibilities for Explorer and Office, that Apple, KDE and friends are just beginning to explore).

    As an aside, think how good MS Office might be if they had this level of competition due to having to implement a proper Open Document standard not specified by them. Everyone would get more work done, would be fitter, happier, healthier and better, and Microsoft would probably still have the lion's share of the market. OOXML needs to die now, for everyone's sake, including Microsoft's.

  12. The reason. by Tokerat · · Score: 4, Funny

    IEBlog article:

    To maintain compatibility and be secure by default we didn't want to invoke fallback either, as original web authors might not have intended this behavior. As we all know, developers (developers, developers, developers) NEVER intend for a fallback resource to be utilized when primary resources fail. Microsoft has once again taken the initiative to embrace the developer community as a loving parent and save us from our own incompetent, foolish selves.

    "What does 'It's not a bug, it's a feature' mean, daddy?"

    "I'll tell you when you're older."
    --
    CAn'T CompreHend SARcaSm?
  13. Re:Yes, that's true. by Bogtha · · Score: 4, Informative

    The Acid3 test is a NEW test that uses/tests the NEW feature that the CSS3 introduces.

    Let's do exactly what you suggest, and "RTFM". From the Acid3 page at webstandards.org, with links to the specifications and dates added by me:

    Here is the list of specifications tested:

    As you can see, the majority of the Acid3 test is comprised of behaviour described in specifications published years ago, with a substantial portion of them over five years old and some over a decade old.

    CSS3 introduces many changes,

    Actually, CSS 3 is not a single specification, but a group of

    --
    Bogtha Bogtha Bogtha