Josh (the blog)


IE6 Scripting security

Well, IE is notoriously insecure, but today I was hit with one particularly stupid (though supposedly not undocumented — someone on WSG had encountered it before and alleviated much pain!) ‘feature’ of the browser. Basically, I’ve been dependent upon PNG alpha channel working. Hey, the design isn’t mine and I’m just trying to make the CSS work with as few images as humanly possible — though I have realised I have one that isn’t required, but can’t be bothered changing… because once I’ve slated my markup, I only ever add things to it as required, and never work backwards. Otherwise, I wind up in a perpetual cycle of markup optimisation that culminates in a loss of probably under 2KB over about as many days. Tis bad. Must post the way I do CSS/markup workflow here some day, coz it’s something I’d be interested to see other people’s processes of and how different it is/isn’t from my own.

Anyway! Digression aside, I was using IE5.5+’s filter thing (pretty well documented PNG fix with some caveats… it’s the best we can do until IE7 in all its splendiferous glory dribbles from Microsoft’s front door. Don’t ask me where that came from.) with great success, but for the incessant security warnings every time I loaded the page. Yeah, great, this really looks usable. Not. Every twit using XPSP2 is going to be pretty happy to stay on a page when their browser is blurting security warnings at them… and don’t get me started on IE7’s proposed phishing alert thing that lets users report false positives. Dumb users (i.e. 97% of the population) are going to be scared away regardless, and malicious users (i.e. 2% of the population) are going to write viruses that exploit the reporting mechanism to let sites through.

Wow. This is a really windy post.

Okay. On topic (hah!). The moral of the story is, don’t execute web pages locally. IE won’t trust you. However, if it’s on any random web server (I ended up installing Apache on loopback), IE is perfectly happy to let it execute whatever the hell weird kinda code it wants. And that, kiddies, is why we all love Microsoft.