Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Does IE8 Really Pass Acid2? [Updated]

kdawson posted more than 6 years ago | from the two-green-eyes-please dept.

Internet Explorer 174

thevirtualcat found some inconsistencies in IE8's Acid2 results that made him wonder what's going on. Can anyone replicate these results or, better yet, explain them?
Update: 03/22 23:54 GMT by KD : Several readers pointed out this has to do with cross-site scripting prevention, as described here.

Sorry! There are no comments related to the filter you selected.

The answer... (5, Informative)

26199 (577806) | more than 6 years ago | (#22839424)

As TFA mentions (at the very end!) this is explained here [msdn.com] .

Summary: cross-site security means that if you move the test off the original domain, the test changes. In fact IE8 does the wrong (nonstandard) thing in these cases, but according to them it's more secure (it fails earlier). They're considering making it more standards compliant once they're convinced it's secure enough.

Re:The answer... (-1, Flamebait)

LostCluster (625375) | more than 6 years ago | (#22839488)

So Microsoft's response to the failed test is that it's an unfair test?

Re:The answer... (4, Insightful)

26199 (577806) | more than 6 years ago | (#22839504)

In a word, no.

Next anti-Microsoft flame, please?

Re:The answer... (0)

Anonymous Coward | more than 6 years ago | (#22840910)

MS implemented anti XSS protection? I guess it includes a lock that prevents it from blocking annoying ads by MS allies and a bug that prevents it from protecting the user from actual XSS attacks...

Re:The answer... (1, Interesting)

ZephyrXero (750822) | more than 6 years ago | (#22841160)

Who cares if they're ACID2 compliant anyway? That's old news now... Let me know when they can pass ACID3 [webstandards.org]

Re:The answer... (1)

Silvrmane (773720) | more than 6 years ago | (#22841290)

Pass Acid 3? Is there a browser that can properly display the page you linked to? What is with all the "t"'s in reversed yellow boxes?

Re:The answer... (1)

HeroreV (869368) | more than 6 years ago | (#22840626)

Sort of. Their response was to claim that because the failure didn't occur on the original test [webstandards.org] (ignoring this [webstandards.org] , where IE8 also breaks), that the mirrors are unfair because they test something which the original did not.

IE8's behavior is definitely wrong (and has nothing to do with XSS), but Microsoft claims the original test didn't test that particular behavior, so failing on that doesn't mean they fail the original test.

It's not that big of a deal since this will most likely be resolved before the next release.

Yes, that's true. (0, Offtopic)

Erris (531066) | more than 6 years ago | (#22839492)

but ActiveX will never be secure. I noticed this a week ago but did not think it worth mentioning. No one really believes IE will really be standards compliant or secure, do they?

It's nice of them to try, but you have to question the utility and sanity of such a massive NIH effort as IE is. At this point, an honest company would throw in the towel and call IE a file browser then try to catch up to Konqueror in that regard. M$ has gone it's own way so long that the quickest route for them to a standards compliant browser is to download Firefox.

Re:Yes, that's true. (5, Funny)

Naughty Bob (1004174) | more than 6 years ago | (#22839698)

M$ has gone it's own way so long that the quickest route for them to a standards compliant browser is to download Firefox.
Another way would be to update iTunes....

Re:Yes, that's true. (2, Informative)

NickCatal (865805) | more than 6 years ago | (#22841472)

Actually, the nightly build of WebKit (OS X) is already at 95/100. The latest Safari isn't nearly as high.

Not like it matters. By the time anyone trys something that is in the ACID3 test there will be an ACID4 that nobody can get to 100 with

Re:Yes, that's true. (1, Informative)

bistromath007 (1253428) | more than 6 years ago | (#22840008)

I 3 Firefox and all, but it's not standards compliant. Tried Acid 3?

Re:Yes, that's true. (1)

poetmatt (793785) | more than 6 years ago | (#22840072)

Umm, misinformation a bit?

Acid3 was recently released so that people have new standards to meet. Nobody is 100% Acid3 compliant as of yet, and not everyone is Acid 2 compliant. This has been discussed to death in a million threads.

Firefox is and will likely continually be one of the more compliant browsers, as opposed to IE, which will continually be one of the less compliant browsers. That's just how it is. Not "the best" or "the worst".

Re:Yes, that's true. (0)

Brian Gordon (987471) | more than 6 years ago | (#22840124)

"more" compliant? Either you're compliant or you're not and neither Firefox nor IE are.

Re:Yes, that's true. (1)

jack455 (748443) | more than 6 years ago | (#22840280)

That would be true in situations like horseshoes and hand grenades, but not here where mostly compliant is very good and not very compliant sucks and causes headaches. Where browsers like Firefox, Opera and Safari fail are largely (unfortunately not exclusively) obscure test cases that don't show up in the real world. I would like it to be that an even slight failure to meet the standards would set a browser apart from everyone else. But that just isn't true.

Re:Yes, that's true. (1)

quantumplacet (1195335) | more than 6 years ago | (#22841388)

Aren't horeshoes and hand grenades two situations where close does count (as you're attempting to claim browser compliance is as well)?

Re:Yes, that's true. (3, Interesting)

cheater512 (783349) | more than 6 years ago | (#22840570)

If you go to the appropriate wikipedia page you will see a long list of CSS 2 and 3 features.
Beside this list is all the major browsers and how they implement each feature (fully, partially, broken, not implemented, etc...).

Voila! Partial compliance.

Re:Yes, that's true. (4, Insightful)

Bogtha (906264) | more than 6 years ago | (#22840464)

Acid3 was recently released so that people have new standards to meet.

Acid3 isn't a standard, it's a set of tests for specifications that have already existed for years. Acid3 didn't make Firefox less compliant, it merely pointed out ways in which Firefox was already non-compliant.

Re:The answer... (5, Interesting)

zappepcs (820751) | more than 6 years ago | (#22839616)

I can go one better for you. Technically, MS is correct. MS is thumbing it's nose at standards because they can say "Look, we did it your way. We made IE8 extremely secure and now you claim it's broke. We are not the people that broke web browsing and the Internet, you did it. If we did everything people suggest the Internet just doesn't work."

To a point, they are right, but they did this to show they are better and only seem insecure because if they don't do such things as they have done the Internet will not work. Oh yes, btw, those other browsers are not secure either... see how their stuff still works?

Re:The answer... (0)

peragrin (659227) | more than 6 years ago | (#22839872)

The only reason MSFT has to do this though is because of the mess MSFT created with ActiveX controls. No one else is as vulnerable as MSFT is because no one else is dumb enough to use activeX, an Pi with total and complete remote control over your computer. Grated MSFT has been locking it down over the years, but it wasn't designed to be secure to begin with, and as such runs into numerous problems now.

Re:The answer... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22839974)

Twat, clueless fscktards should piss off and shut up. You're gay, or a virgin aren't you? Be honest fagot.

Re:The answer... (1)

Skeetskeetskeet (906997) | more than 6 years ago | (#22840198)

Looks like someone from Microsoft is on break in the rec room.

Re:The answer... (4, Informative)

kat_skan (5219) | more than 6 years ago | (#22840030)

Actually, Microsoft is not correct. The browser is supposed to be unable to load the object that is tripping IE's cross-domain security features. Regardless of whether the object fails to load because of security policies or because the resource flat out doesn't exist, the test is constructed so that the browser will display the fallback content for the object, which IE does not do.

Re:The answer... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22841512)

sorry but I have to agree with MS here (spit). The website is trying to get you to do something that is a security violation plain and simple and a significant security violation at that, security should override standards/compliance/or web page niceness, it should and does refuse to run that section and all bets should be off after that. Acid is in the wrong here.

Re:The answer... (5, Insightful)

VGPowerlord (621254) | more than 6 years ago | (#22841720)

I disagree. It should fall back to the data url when loading the other object failed. Not only that, but the HTML standard agrees with me [w3.org] on this:

If the user agent is not able to render the object for whatever reason (configured not to, lack of resources, wrong architecture, etc.), it must try to render its contents.

and

One significant consequence of the OBJECT element's design is that it offers a mechanism for specifying alternate object renderings; each embedded OBJECT declaration may specify alternate content types. If a user agent cannot render the outermost OBJECT, it tries to render the contents, which may be another OBJECT element, etc.

Re:The answer... (1)

WhyMeWorry (982235) | more than 6 years ago | (#22840088)

Interesting. The blog actually gave enough information to state that the problem is Microsoft's. They explicitly state that they have chosen an implementation mechanism which creates a potential security problem. The bad rendering is indeed caused by security measures but the security problem is coming from Microsoft's implementation. If this causes them to change their rendering model it would be great.

Re:The answer... (1)

perlchild (582235) | more than 6 years ago | (#22840510)

So the behaviour mandated by the standard is insecure?

And nobody thought to update the standard?

Re:The answer... (5, Informative)

pohl (872) | more than 6 years ago | (#22840722)

So the behaviour mandated by the standard is insecure?

No, that is not the case. IE8 is trying to prevent exploitation of their own, proprietary ActiveX API, and simply needs to make some minor corrections to make sure that they do it in such a way that does not violate the standards. The standards don't need to be revised since nobody else implements the swiss cheese that is ActiveX.

Re:The answer... (4, Informative)

cheater512 (783349) | more than 6 years ago | (#22840606)

Microsoft did the correct thing with the cross domain scripting stuff.

However they then ignore the fall back content hence the problem.
The standard says that if there is a problem with the object tag then the html inside the html tag should be shown.
IE8 has a problem with the object tag and then ignores the fallback completely.

Why does it work on the official site?
Because its not cross scripting anymore, instead it fetches the page and gets a 404.
It then uses the fallback content.

In summary: Microsoft is making their own standard as per usual.

Re:The answer... (-1, Troll)

jpdzahr (1260592) | more than 6 years ago | (#22839754)

IS Acid2 a Flash related application? I tried viewing Acid2 with several browsers seems like most browsers really don't work so if there is no plugin for the Acid2 why would we need to test it? JP http://www.american-contractors.org/ [american-contractors.org]

Re:The answer... (1)

jonaskoelker (922170) | more than 6 years ago | (#22839794)

I think the argument for Microsoft's decision is interesting:

To maintain compatibility and be secure by default we didn't want to invoke fallback either, as original web authors might not have intended this behavior.
I thought IE8 was about fixing all the broken behaviour (and becoming incompatible in the process)? As for the "web authors might not have intended this behaviour" point... why would web authors expect non-standard behaviour? The only way I can think of that would a web dev expect IE8's behaviour is if the site is coded specifically against IE8's behaviour. I'm thinking security requires predictability: if you don't know what your code is doing, how can you know it's secure?

Re:The answer... (1)

Berserker (16946) | more than 6 years ago | (#22839994)

IE8 is definetely not ready for prime time. Just point it to maps.google.com , it makes a royal mess. However, I haven't found any really bad problems with Apples Safari for windows other than it's faster than IE8, but I think most browsers are now:-)

Re:The answer... (1)

Brett Buck (811747) | more than 6 years ago | (#22840240)

Right - but the problem is that it's using ActiveX for something where it shouldn't be required. And then the ActiveX security checks bomb it out. At least you can give them some credit for attempting to overcome the train wreck that constitutes ActiveX but the real solution is to just *get rid of ActiveX* and make it work correctly without it.

        Brett

Re:The answer... (1)

plague3106 (71849) | more than 6 years ago | (#22840458)

Yes, and then you'll scream "they broke everyone's site that was depending on AX!!!one!" And of course that's a great way to encourage users to upgrade to a newer more secure browser. Make sure it doesn't work with the company intranet. Wonderful.

Re:The answer... (1)

cheater512 (783349) | more than 6 years ago | (#22840632)

No, the security checks are fine.

The test in question should get a 404 then display the fallback content.
Move it to a different domain and it fails the security checks but doesnt show the fallback content.

A clear violation of the standard and IE 8 gets the FAIL rubber stamp.

Answer (1, Redundant)

gcnaddict (841664) | more than 6 years ago | (#22839426)

Problems with IE8's Acid2 results stem from cross site scripting issues which they're still working on. Rendering is done just fine, but the cross site scripting is posing a problem.

I heard the exact details about this over at MIX but I don't remember them now.

Re:Answer (1)

ClubStew (113954) | more than 6 years ago | (#22839858)

There aren't cross-site "issues" regarding this situation. It's all intention, failing cross-site attempts early as a security precaution.

Known Cross-domain security issue (5, Interesting)

Ececheira (86172) | more than 6 years ago | (#22839432)

The reason you're seeing the result is due to an "overly secure" default for beta 1 when it comes to cross-domain embedded objects.

Here's the explanation:
http://blogs.msdn.com/ie/archive/2008/03/05/why-isn-t-ie8-passing-acid2.aspx [msdn.com]

Google is your friend next time... :)

On another note... Acid3 (0)

urbanriot (924981) | more than 6 years ago | (#22839458)

Did anyone else find it intriguing that a day or two Microsoft announces that they passed Acid2 with IE8, The Web Standard Project announces Acid3 which IE8 epically fails?

Re:On another note... Acid3 (1)

Anonymous Coward | more than 6 years ago | (#22839490)

I would go with "inaccurate" over "intriguing", actually.

Re:On another note... Acid3 (1)

urbanriot (924981) | more than 6 years ago | (#22839530)

Care to elaborate?

I read on various web sites that IE8 passes Acid2... a day or two later I read that Acid3 has just come out, and IE8 fails. Can you correct the inaccuracies please? I'm sincerely curious of the truth.

I would go with "inaccurate" over "intriguing", actually.

Re:On another note... Acid3 (4, Informative)

Your.Master (1088569) | more than 6 years ago | (#22839784)

The IE team announced their internal IE8 build passed Acid2 in mid-December. Acid3 was released March 3. IE8's first public beta went out on March 5.

Re:On another note... Acid3 (1)

urbanriot (924981) | more than 6 years ago | (#22839990)

Ah, okay, I must have missed that December announcement and from my point of view, it seemed like new news as the 'internet', Slashdot front page and IRC was buzzing about it. In fact, I'd seen the link to "IE8 Passes Acid2" pasted to IRC at least ten times a few weeks back... and then "IE8 Fails Acid3" a few days later.

Ah well, I guess I'll put my tin foil hat back on.

The IE team announced their internal IE8 build passed Acid2 in mid-December. Acid3 was released March 3. IE8's first public beta went out on March 5.

Re:On another note... Acid3 (0)

Anonymous Coward | more than 6 years ago | (#22839790)

Acid3 has been in the works since before IE8 passed Acid2, and is still not finalized.

Re:On another note... Acid3 (1)

LostCluster (625375) | more than 6 years ago | (#22839574)

Notice they have a "Task Force" for testing Microsoft, but no such group for Firefox, Opera, Safari, etc.

Re:On another note... Acid3 (3, Insightful)

ben there... (946946) | more than 6 years ago | (#22839866)

Notice they have a "Task Force" for testing Microsoft, but no such group for Firefox, Opera, Safari, etc.
Not that surprising, really. There are entire websites [positioniseverything.net] devoted to helping web designers hack around IE bugs. If only a single browser could pass Acid2 and Acid3, ideally that browser would be IE. It's used by the most people, so you must design around its flaws. Not to mention, if that were to happen, Firefox and Opera would do everything possible to catch up immediately. Then we wouldn't have to hack around any browser's flaws.

Re:On another note... Acid3 (1)

daveb (4522) | more than 6 years ago | (#22839950)

>if that were to happen, Firefox and Opera would do everything possible to catch up immediately. But firefox doesn't pass acid2 either. I must have missed your point (or you're wrong)

Re:On another note... Acid3 (1)

calebt3 (1098475) | more than 6 years ago | (#22840014)

You obviously do not have the beta.

Re:On another note... Acid3 (1)

daveb (4522) | more than 6 years ago | (#22841572)

true - i don't

Re:On another note... Acid3 (1)

10101001 10101001 (732688) | more than 6 years ago | (#22840052)

I believe his point was that if IE supported Acid2 and Acid3, Firefox and Opera would strive even harder to maintain competitive against IE with even further standards compliance. But, that'd seem to be a general truism, given how Firefox and Opera are already striving rather hard for standards compliance.

Re:On another note... Acid3 (1)

BobPaul (710574) | more than 6 years ago | (#22840500)

>if that were to happen, Firefox and Opera would do everything possible to catch up immediately.

But firefox doesn't pass acid2 either. I must have missed your point (or you're wrong)
You must have. His statement is as follows:
if( IEPasses(ACID2) && IEPasses(ACID3) ) {
    FirefoxWorkHarder(StandardsCompliance);
    OperaWorkHarder(Standardcompliance);
} else {
    continue(PresentSituation);
}

We're stuck in the else case since, you know, IE doesn't pass both tests yet...

Re:On another note... Acid3 (1)

Malevolyn (776946) | more than 6 years ago | (#22841166)

But then that code just terminates before reevaluating whether or not IE passes the Acid tests. This would work better:

while (1) {
while (!IEPasses(ACID2) || !IEPasses(ACID3)) continue(PresentSituation,60*60*24*365); /* wait 1 year, then break loop to check again */
FirefoxWorkHarder(StandardsCompliance);
OperaWorkHarder(StandardsCompliance);
}


Assuming, that is, that this is an ongoing cycle for the rest of eternity. This could probably be a little more elegant, too.

Re:On another note... Acid3 (1)

Nethemas the Great (909900) | more than 6 years ago | (#22841602)

Catch up? 64bit build of Konqueror 4.0.2 on my Gentoo box is pulling a score of 61 on the Acid 3. Firefox 2.0.0.12 is only scoring 52. If the anecdotes of others are correct, IE 8 can't even break 20.

The IE team is playing games with site developers. They have the market share and couldn't care less whether or not they follow standards. This is the company that instructs their development teams to come up with ways of ensuring that cross compatibility is not possible. They're forcing web developers to spend all of their time working out the idiosyncrasies of IE so that there's no time/budget left to ensure a quality user experience with other browsers. It isn't by accident nor incompetence that IE refuses standards and is such a problematic pain the in hind end to develop content for.

Re:On another note... Acid3 (3, Interesting)

LighterShadeOfBlack (1011407) | more than 6 years ago | (#22839820)

Acid3 had been in development for 11 months so it's not like this suddenly sprung into existence overnight to "prove" Microsoft's inadequacies or anything. Even if you consider the release date to be intriguing, I'm not sure what difference you think the Acid3 developers thought it would make to have IE8 fail Acid3. It's not like there are really any users who decide which browser to use based on its ability to accurately render complete standards anyway. Most people don't know what the web standards Acid tests are and won't care even if you tell them.

Putting all that aside, it would still hardly constitute some unfair conspiracy. For one thing every other renderer in released browsers fails quite miserably at it too. Secondly, it's not some arbitrary test, Acid3 measures accuracy of conformance to DOM and ECMAscript standards. Acid3 didn't just make up the standards on the spot, they have existed for years and IE could have (and should have) been attempting to conform the whole time (as should every other renderer).

In other words: No, I don't find it intriguing. It's a mild coincidence, nothing more.

Re:On another note... Acid3 (5, Funny)

Naughty Bob (1004174) | more than 6 years ago | (#22840146)

Did anyone else find it intriguing that a day or two Microsoft announces that they passed Acid2 with IE8, The Web Standard Project announces Acid3 which IE8 epically fails?
It's like this- The Web Standards Project is like a kindly teacher, who waited patiently for the slowest kid in the class to understand the current lesson, before moving on to the next one.

Re:On another note... Acid3 (1)

sltd (1182933) | more than 6 years ago | (#22840562)

IE8 Beta 1 - 18%
Firefox 3 Beta 4 - 68%
Safari - 75%

IP address (1)

sdhoigt (1095451) | more than 6 years ago | (#22839514)

Dude, you forgot to mask out your IP address in one of your screens.

SD

Incorrectly set up website fails to render (2, Funny)

Gordonjcp (186804) | more than 6 years ago | (#22839568)

Film at 11.

no digg (-1, Flamebait)

larry bagina (561269) | more than 6 years ago | (#22839614)

hey fuckface, this it not news in that 1) it's been bouncing around the blogosphere for weeks and 2) there's a legitimate reason why it renders differently.

If I ever see you I will donkey punch you.

Bashing (-1, Flamebait)

freitasm (444970) | more than 6 years ago | (#22839632)

Anything and everything just to bash Microsoft...

Next?

I smell bullshit at the IE blog (3, Interesting)

Dracos (107777) | more than 6 years ago | (#22839648)

The Acid tests are test cases used to assess a browser's web standards support.

Yet, in the explanation of the incorrect rendering at the IE blog, AciveX is invoked, with some excuse about cross-domain security.

ActiveX has absolutely nothing to do with Web Standards.

This leads me to believe that MS plans to keep playing the Internet game by their rules for a while yet.

Re:I smell bullshit at the IE blog (5, Informative)

Chris Snook (872473) | more than 6 years ago | (#22839840)

IE8 is using ActiveX *internally* because it can't natively render the html OBJECT. Invoking ActiveX triggers XSS checks. The bottom line is that they technically pass the test, but many web designers will do things that really should work, but won't in IE8. It's not because MS is cheating, just that they haven't fully implemented this feature, and they're erring on the side of caution with their partial implementation. Regardless of standards compliance, they'll need to fix this before IE8 is released.

Re:I smell bullshit at the IE blog (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22839848)

They said that their implementation uses ActiveX to handle HTML in OBJECT tags. They weren't saying the test was using an ActiveX control.

Also, it was not an excuse, it is a reasonable security measure. Frankly, most web developers are far too reckless about security. Rule #1 of secure programming: be as paranoid as you can, and then be more paranoid. If you don't think that every user is out to get you, then you're not being paranoid enough.

You obviously didn't comprehend what you read. :)

The FUD is deep today. (1)

lantastik (877247) | more than 6 years ago | (#22839662)

n/t

Cross-domain == cross-site (4, Interesting)

poor_boi (548340) | more than 6 years ago | (#22839736)

Microsoft is right to turn cross-domain restrictions on by default. Cross-domain is the same as cross-site, and we all know the pain XSS vulnerabilities can bring. The failure of "copies" of acid2 to render correctly in IE8 are actually due to the "copies" of acid2 being "copied" incorrectly. To copy the acid2 test, you have to make slight modifications to the test contents itself to update the test for the domain it is being hosted on. Them are the breaks of complex tests. Acid2 is a complex test and cannot simply be copied carte blanche.

Re:Cross-domain == cross-site (2, Insightful)

Jerome H (990344) | more than 6 years ago | (#22840334)

"carte blanche"
Please... don't use an expression that you don't understand.

Re:Cross-domain == cross-site (0)

Anonymous Coward | more than 6 years ago | (#22840432)

If they wanted to make it copyable, all they had to do was to make it a relative URL.

Re:Cross-domain == cross-site (1)

Bogtha (906264) | more than 6 years ago | (#22841416)

Making it a relative URL means they can't guarantee that the <object> element fails to render. They needed it to be an absolute URL so that they could be certain it returned a 404.

Re:Cross-domain == cross-site (0)

Anonymous Coward | more than 6 years ago | (#22840442)

Bullshit.

wget the file, then pull it up in a browser. Click the Take the Acid 2 Test, and it should work with no failure.

The following browsers find it just fine after a second, in which the eyes aren't shown (orange bar) Opera 9.50 beta 1, Konqueror 3.5.8. They correctly rendered from a local file.

IE fails the test, due to improper handling of the object, and it's part of the test.

In particular the eyes from the acid2 test (with most of the png removed):
<div class="eyes"><div id="eyes-a"><object data="data:application/x-unknown,ERROR"><object data="http://www.webstandards.org/404/" type="text/html"><object data="data:image/png;base64,iVBORw0KGgoAAAANS...SuQmCC">ERROR</object></object></object></div><div id="eyes-b"></div><div id="eyes-c"></div></div> <!-- that's a PNG with 8bit alpha containing two eyes -->

Can you guess where the failure is?

If you're gonna try the test on your own site (0)

Anonymous Coward | more than 6 years ago | (#22839752)

...make sure you copy all the files the test depends on, and make hard-coded links such as http://www.webstandards.org/404/ [webstandards.org] to point to your copy. Not rocket science.

just like this? (-1, Troll)

FudRucker (866063) | more than 6 years ago | (#22839760)

IE8 passes Acid2 just like OOXML is an Open Source file format, (only in name son, only in name)

This is not a security problem, per se. (3, Insightful)

WK2 (1072560) | more than 6 years ago | (#22839764)

IE8 has a problem initiating fallback content when a resource can not be acquired. This is exactly what this particular part of the acid2 test is meant to test, fallback code. The fact is, that IE8's fallback behavior works correctly in some cases, but not in others. Specifically, the fallback code works if the failed to acquire resource is supposed to be on the same domain as the acid2 test, whereas if they are on different domains, IE8's code fails to behave properly.

The fact that the blog writer mentions security is a red herring. While it is true that this does have something to do with security code, the real problem is that the fallback behavior is poor.

Re:This is not a security problem, per se. (0)

Anonymous Coward | more than 6 years ago | (#22839904)

So if the web standards made by whoever has a security bug in it, MS should purposefully code in the bug? That's the lamest excuse to bash MS I've ever heard and I read this site daily.

Re:This is not a security problem, per se. (2, Informative)

Anonymous Coward | more than 6 years ago | (#22841378)

You should read. The explanation that he gave, I will now give, in my own words, hoping that you will read them correctly this time.

The portion of the acid2 test that is at issue with IE8 here works like this:

1. The test has markup that points to an object at http://www.webstandards.org/404/ [webstandards.org] ; basically, the object's not there, on purpose.
2. The test has subsequent markup that contains a data: URI with embedded replacement/fallback content.

What should happen?

Two claims:

1. MS IE team: Because the lark document resides on a different domain if you run the test from another site, they feel it's insecure to check some other domain's content like that.
2. Rest of us: We acknowledge that it is in fact nice of them to be security minded in this way, BUT the fallback content is still there, embedded in the test, and they should go ahead and render it if they aren't able to get the first-ordered content because of a 404 OR because they are paranoid.

It's content designed to be used in the place of the real content if for whatever reason (offline browsing? paranoia? maybe the original content was eaten by a grue?)

Simple stuff like CSS (1, Insightful)

Cruciform (42896) | more than 6 years ago | (#22839802)

I was kind of hoping that IE8 would at least be more compatible with CSS as I possess only basic HTML skills and find it a huge pain to try and make things look similar in multiple browsers by using javascript hacks and other crap.

But even the most basic CSS like

margin-left: auto;
margin-right: auto;

to center a DIV doesn't work in IE8 while it works great in Firefox.
Maybe I just read the wrong HTML/CSS tutorial sites but it would be nice if they rendered things consistently.

Re:Simple stuff like CSS (0)

Anonymous Coward | more than 6 years ago | (#22840084)

That works in IE7, I haven't tried IE 8 but it seems kind of odd that it would work in IE7 not IE8

Re:Simple stuff like CSS (2, Informative)

Anonymous Coward | more than 6 years ago | (#22840242)

Have you specified a valid doctype? Even IE8 will probably degrade into quirks mode without one, which will cause auto margins to fail.

Re:Simple stuff like CSS (4, Informative)

Bogtha (906264) | more than 6 years ago | (#22840516)

Auto margins failing to centre block elements is a hallmark of quirks mode, which means that you aren't using a doctype, which means that you are writing invalid code, which means that you aren't in any position to criticise others for not following the specifications.

Re:Simple stuff like CSS (1)

Rigrig (922033) | more than 6 years ago | (#22840534)

I was kind of hoping that IE8 would at least be more compatible with CSS as I possess only basic HTML skills and find it a huge pain to try and make things look similar in multiple browsers by using javascript hacks and other crap.
Just assume ie* needs special treatment. The way I see it, the more ie8 is 'ms standards compliant' the more work I'll have updating the hacks that made any page look ok in ie7.
Whenever I work on a personal project though, I check it's standard compliant, and don't care if it doesn't look so good in ie. If it looks the same in firefox, safari and opera, passes the validator and is readable in ie, I'm not going to bother with any ie-specific code.(haven't really encountered any page ie breaks hard enough to make it unusable in ie so far)

Re:Simple stuff like CSS (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22840566)

How does something patently and demonstrably false get modded +4 Insightful?

No, it does not. Security problem is their problem (4, Interesting)

porneL (674499) | more than 6 years ago | (#22840006)

No, it does not pass.

There is no cross-domain insecurity in <object> as defined by the HTML specification. There is a problem in IE8's broken implementation.

If object can't be displayed, browser should ignore it. Ignored <object> isn't any more dangerous than <div>. In such case there's only one document, with one DOM, all within same domain.

But apparently IE8 can't ignore undisplayable <object> properly, so they've hacked around the problem by spawning new IE8 instance that pretends to be a plug-in that handles the invalid <object> (an <iframe> effectively). And when you do stupid things like that, of course you've got a security problem!

No Acid2-passing browser has any problems with displaying same-origin fallback to cross-domain object.

Re:No, it does not. Security problem is their prob (1)

Bogtha (906264) | more than 6 years ago | (#22840546)

If object can't be displayed, browser should ignore it.

No, that's exactly wrong. If an <object> element can't be rendered, its content should be rendered instead.

the enternet (1)

rice_burners_suck (243660) | more than 6 years ago | (#22840112)

All I know is that I click the big shiny "e" and I'm in this thing called the Internet. Because the word "Internet" starts with an "e." The Internet must have been invented by Microsoft, when Al Gore still worked there.

just use firefox (0, Offtopic)

rock3r (1261068) | more than 6 years ago | (#22840180)

Well firefox is better don't matter. My blog http://scenewarez.blogspot.com/ [blogspot.com]

Re:just use firefox (2, Informative)

liquiddark (719647) | more than 6 years ago | (#22840286)

Of course, 2.0.0.1.2 Firefox doesn't pass Acid2 either. So, not so much.

Re:just use firefox (1)

JohnBailey (1092697) | more than 6 years ago | (#22841226)

Of course, 2.0.0.1.2 Firefox doesn't pass Acid2 either. So, not so much.
It will be an old version in a few months when Firefox 3 comes out, and FF3 beta 4 passes Acid 2. I just tried it and it renders the whole thing perfectly.

Re:just use firefox (1)

SCPRedMage (838040) | more than 6 years ago | (#22841758)

Gee, you mean if we're comparing the latest beta version of Internet Explorer against Firefox, we should compare it to Firefox's latest beta?

Madness!

Does it matter if you Pass Acid 2? (1)

Tazz_ben (619965) | more than 6 years ago | (#22840196)

I think the Acid 2 test is great in all as a way to test if a browser supports CSS well. But it seems as though IE is now targeted at Acid 2... What I mean by that is that, from the few days of playing with IE8 I've noticed a great deal of problems with some really basic CSS (like padding) when in "standards mode". Sites that function perfectly in all modern browsers fall apart in IE8 (Google Maps come to mind). And, it might be just me, but it seems as though the IE team worked very hard to pass Acid 2, not to build a browser that renders CSS correctly and as a result passes Acid2.

Microsoft Has Lost The Race (2, Insightful)

Whuffo (1043790) | more than 6 years ago | (#22840260)

Microsoft continues to trumpet their excellence but their products don't preform as they claim. Look at Vista; piece of crap. Sure, they're selling a bunch of copies - mostly pre-installed copies on new computers and a few more from people who want the latest and greatest from Redmond. The majority of their market has decided to stay well away from Vista.

Internet Explorer is losing ground to Firefox, so they come out with a new version and claim that it meets standards and works better. Nope, it's just more of their marketing spin.

The real problem is that Microsoft has lost sight of the goal. They're supposed to be producing software that meets the needs and desires of their customers, but they're busily producing software that's only intended to further their goal of "world domination". Their marketing department is busy trying to make that pig look like a swan, but it's not working.

Too bad that Linux distributions aren't quite "there" yet - close, but not yet. This is a golden opportunity for a real competitor...

Standards Test or Not? (1)

d00m.wizard (1226664) | more than 6 years ago | (#22840434)

Its just a bit strange to me to have Microsoft acknowledge the problem, yet be so nonchalant about the fact that its because objects are handled by Active X. Okay back up. Last I checked Active X isn't a standard. Its just so lame the fact that things may look like they render correctly or have engineers trying to make one test pass (though crookedly). Its not standards compliant. Nuff said.

Re:Standards Test or Not? (1)

ashridah (72567) | more than 6 years ago | (#22840482)

You're right. Activex isn't a standard.

*it's an implementation detail*

It should also be noted that the security problem doesn't go away if activex is taken out of the picture. Whatever is implemented in it's place still has to be security checked. The difference being that it might be possible to sandbox the object renderer.

The question that I want to know the answer to is "does the part of the standard this feature is attempting to test describe what the security implications should be?"

If the answer is "No", then the people working on IE have every right (and infact, a duty) to look at this from a "More security = better" standpoint than "Make sure it works" standpoint.

It's a massive improvement... (4, Interesting)

marm (144733) | more than 6 years ago | (#22840660)

...even if it's a shame it's taken this long to get there. Pre-releases of Safari and Konqueror passed this almost exactly 3 years ago, and Opera's Presto engine wasn't far behind. The fact that Gecko has taken nearly as long to catch up as IE/Trident is disturbing, but they had their own self-inflicted issues to fix (XPCOM? ewww).

All of this can only mean web developers sleep more soundly at night, and more real work gets done. The IE developers can give themselves a big pat on the back for achieving something useful that will make everyone's lives better, like they used to do with IE3 and 4 and initial CSS1 support. Shame the management decided to slack off on IE development so long. Microsoft: intelligent geeks, ruined by management.

Now, on to Acid 3. IE8 is still clearly trailing everyone else by some distance and is probably going to play catchup for a while yet until they implement native SVG (think about the possibilities for Explorer and Office, that Apple, KDE and friends are just beginning to explore).

As an aside, think how good MS Office might be if they had this level of competition due to having to implement a proper Open Document standard not specified by them. Everyone would get more work done, would be fitter, happier, healthier and better, and Microsoft would probably still have the lion's share of the market. OOXML needs to die now, for everyone's sake, including Microsoft's.

Re:It's a massive improvement... (2, Informative)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#22840712)

Now, on to Acid 3. IE8 is still clearly trailing everyone else by some distance and is probably going to play catchup for a while yet until they implement native SVG...

The Webkit nightly is up to 95/100 on Acid 3. Anyone run Gecko nightly lately?

Re:It's a massive improvement... (1, Insightful)

Bodero (136806) | more than 6 years ago | (#22841304)

As an aside, think how good MS Office might be if they had this level of competition due to having to implement a proper Open Document standard not specified by them. Everyone would get more work done, would be fitter, happier, healthier and better, and Microsoft would probably still have the lion's share of the market.


What the fuck? Yeah, I know I'd gain at least 3 hours per week in productivity if Office used a standard XML format than its current implementation.

...Where do people come up with this stuff?

Re:It's a massive improvement... (1)

marm (144733) | more than 6 years ago | (#22841452)

My rather obvious point (that I thought everyone would understand) being that if everyone used a standard format, then there'd be proper competition, and that would make MS Office better. Forest, trees, spot the difference?

Re:It's a massive improvement... (1)

Bodero (136806) | more than 6 years ago | (#22841580)

Still don't get it. You already can export into a standard format (RTF or any other formatted filetype). Now if competition actually existed that rivaled Office, that would make Office better. But how does a file format do that?

The reason. (4, Funny)

Tokerat (150341) | more than 6 years ago | (#22840892)

IEBlog article:

To maintain compatibility and be secure by default we didn't want to invoke fallback either, as original web authors might not have intended this behavior.
As we all know, developers (developers, developers, developers) NEVER intend for a fallback resource to be utilized when primary resources fail. Microsoft has once again taken the initiative to embrace the developer community as a loving parent and save us from our own incompetent, foolish selves.

"What does 'It's not a bug, it's a feature' mean, daddy?"

"I'll tell you when you're older."

Other object types (3, Interesting)

RalphSleigh (899929) | more than 6 years ago | (#22841130)

One must ask, does IE 8 only fail on cross site objects of type text/html, or are other cross site objects affected? (e.g. flash, embedded youtube videos, quicktime, etc)...

Lay off (1)

vegitto (1222942) | more than 6 years ago | (#22841740)

In terms of web standards I think IE8 has moved dramatically forward, and its a great thing to see. The biggest issue with IE8 which I am surprised no one has mentioned, is the performance. My PC (AMD XP1600+, ATI x700 and 1.4gb of ram), STRUGGLES to render anything! For example, if I go to slashdot, the menu on the left chugs and chugs and has huge delays in when the containers register hover effects. And don't even get me started on scrolling.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?