Forgot your password?
typodupeerror
Internet Explorer

Does IE8 Really Pass Acid2? [Updated] 174

Posted by kdawson
from the two-green-eyes-please dept.
thevirtualcat found some inconsistencies in IE8's Acid2 results that made him wonder what's going on. Can anyone replicate these results or, better yet, explain them?
Update: 03/22 23:54 GMT by KD : Several readers pointed out this has to do with cross-site scripting prevention, as described here.
This discussion has been archived. No new comments can be posted.

Does IE8 Really Pass Acid2? [Updated]

Comments Filter:
  • The answer... (Score:5, Informative)

    by 26199 (577806) * on Sunday March 23, 2008 @06:32PM (#22839424) Homepage

    As TFA mentions (at the very end!) this is explained here [msdn.com].

    Summary: cross-site security means that if you move the test off the original domain, the test changes. In fact IE8 does the wrong (nonstandard) thing in these cases, but according to them it's more secure (it fails earlier). They're considering making it more standards compliant once they're convinced it's secure enough.

    • Re:The answer... (Score:5, Interesting)

      by zappepcs (820751) on Sunday March 23, 2008 @06:52PM (#22839616) Journal
      I can go one better for you. Technically, MS is correct. MS is thumbing it's nose at standards because they can say "Look, we did it your way. We made IE8 extremely secure and now you claim it's broke. We are not the people that broke web browsing and the Internet, you did it. If we did everything people suggest the Internet just doesn't work."

      To a point, they are right, but they did this to show they are better and only seem insecure because if they don't do such things as they have done the Internet will not work. Oh yes, btw, those other browsers are not secure either... see how their stuff still works?
      • Re:The answer... (Score:5, Informative)

        by kat_skan (5219) on Sunday March 23, 2008 @07:38PM (#22840030)

        Actually, Microsoft is not correct. The browser is supposed to be unable to load the object that is tripping IE's cross-domain security features. Regardless of whether the object fails to load because of security policies or because the resource flat out doesn't exist, the test is constructed so that the browser will display the fallback content for the object, which IE does not do.

      • by perlchild (582235)
        So the behaviour mandated by the standard is insecure?

        And nobody thought to update the standard?
        • Re:The answer... (Score:5, Informative)

          by pohl (872) on Sunday March 23, 2008 @08:59PM (#22840722) Homepage
          So the behaviour mandated by the standard is insecure?

          No, that is not the case. IE8 is trying to prevent exploitation of their own, proprietary ActiveX API, and simply needs to make some minor corrections to make sure that they do it in such a way that does not violate the standards. The standards don't need to be revised since nobody else implements the swiss cheese that is ActiveX.

      • Re:The answer... (Score:5, Informative)

        by cheater512 (783349) <nick@nickstallman.net> on Sunday March 23, 2008 @08:45PM (#22840606) Homepage
        Microsoft did the correct thing with the cross domain scripting stuff.

        However they then ignore the fall back content hence the problem.
        The standard says that if there is a problem with the object tag then the html inside the html tag should be shown.
        IE8 has a problem with the object tag and then ignores the fallback completely.

        Why does it work on the official site?
        Because its not cross scripting anymore, instead it fetches the page and gets a 404.
        It then uses the fallback content.

        In summary: Microsoft is making their own standard as per usual.
        • It's a beta.

          Why don't you save the huffiness for when it's actually released?

          They'll probably fix this issue for the RTM.
          • I'm huffy because the MSN Blog article about is boasting about how its really secure.
            • It didn't sound like boasting at all, I think you've read that into the article. To me it sounded like a simple explanation disparity between results on the acid 2 tests. It simply states the behavior is due to how they have implemented security on cross domain content, it doesn't say this is the appropriate behavior, failing to process the html within the object tag is probably NOT the appropriate behavior. I think the only defensiveness I can see in this post, is that they don't want people leaping to a
        • by jimbojw (1010949)
          At the bottom, TFA links to this IEBlog [msdn.com] which states:

          To maintain compatibility and be secure by default we didn't want to invoke fallback either, as original web authors might not have intended this behavior.

          Dear MS:

          A fallback, be definition, means that if you can't render the original, fall back to this content. This is exactly what the web author would have wanted. Thank you.

    • Right - but the problem is that it's using ActiveX for something where it shouldn't be required. And then the ActiveX security checks bomb it out. At least you can give them some credit for attempting to overcome the train wreck that constitutes ActiveX but the real solution is to just *get rid of ActiveX* and make it work correctly without it.

              Brett
      • No, the security checks are fine.

        The test in question should get a 404 then display the fallback content.
        Move it to a different domain and it fails the security checks but doesnt show the fallback content.

        A clear violation of the standard and IE 8 gets the FAIL rubber stamp.
  • Answer (Score:2, Redundant)

    by gcnaddict (841664)
    Problems with IE8's Acid2 results stem from cross site scripting issues which they're still working on. Rendering is done just fine, but the cross site scripting is posing a problem.

    I heard the exact details about this over at MIX but I don't remember them now.
    • by ClubStew (113954)
      There aren't cross-site "issues" regarding this situation. It's all intention, failing cross-site attempts early as a security precaution.
  • by Ececheira (86172) on Sunday March 23, 2008 @06:33PM (#22839432)
    The reason you're seeing the result is due to an "overly secure" default for beta 1 when it comes to cross-domain embedded objects.

    Here's the explanation:
    http://blogs.msdn.com/ie/archive/2008/03/05/why-isn-t-ie8-passing-acid2.aspx [msdn.com]

    Google is your friend next time... :)
  • Yes, Microsoft can, as linked at the bottom of the article...

    http://blogs.msdn.com/ie/archive/2008/03/05/why-isn-t-ie8-passing-acid2.aspx [msdn.com]

    News for obsolesce, stuff that is rendered irrelevant before reaching the front page? ;)
  • by Gordonjcp (186804) on Sunday March 23, 2008 @06:45PM (#22839568) Homepage
    Film at 11.
  • by Dracos (107777) on Sunday March 23, 2008 @06:57PM (#22839648)

    The Acid tests are test cases used to assess a browser's web standards support.

    Yet, in the explanation of the incorrect rendering at the IE blog, AciveX is invoked, with some excuse about cross-domain security.

    ActiveX has absolutely nothing to do with Web Standards.

    This leads me to believe that MS plans to keep playing the Internet game by their rules for a while yet.

    • by Chris Snook (872473) on Sunday March 23, 2008 @07:18PM (#22839840)
      IE8 is using ActiveX *internally* because it can't natively render the html OBJECT. Invoking ActiveX triggers XSS checks. The bottom line is that they technically pass the test, but many web designers will do things that really should work, but won't in IE8. It's not because MS is cheating, just that they haven't fully implemented this feature, and they're erring on the side of caution with their partial implementation. Regardless of standards compliance, they'll need to fix this before IE8 is released.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      They said that their implementation uses ActiveX to handle HTML in OBJECT tags. They weren't saying the test was using an ActiveX control.

      Also, it was not an excuse, it is a reasonable security measure. Frankly, most web developers are far too reckless about security. Rule #1 of secure programming: be as paranoid as you can, and then be more paranoid. If you don't think that every user is out to get you, then you're not being paranoid enough.

      You obviously didn't comprehend what you read. :)
  • by poor_boi (548340) on Sunday March 23, 2008 @07:07PM (#22839736)
    Microsoft is right to turn cross-domain restrictions on by default. Cross-domain is the same as cross-site, and we all know the pain XSS vulnerabilities can bring. The failure of "copies" of acid2 to render correctly in IE8 are actually due to the "copies" of acid2 being "copied" incorrectly. To copy the acid2 test, you have to make slight modifications to the test contents itself to update the test for the domain it is being hosted on. Them are the breaks of complex tests. Acid2 is a complex test and cannot simply be copied carte blanche.
    • Re: (Score:2, Insightful)

      by Jerome H (990344)
      "carte blanche"
      Please... don't use an expression that you don't understand.
      • Indeed; the correct phrases to use here would be, 'as-is,' 'unmodified,' 'in toto' or perhaps even 'all willy-nilly.'

  • by WK2 (1072560) on Sunday March 23, 2008 @07:10PM (#22839764) Homepage
    IE8 has a problem initiating fallback content when a resource can not be acquired. This is exactly what this particular part of the acid2 test is meant to test, fallback code. The fact is, that IE8's fallback behavior works correctly in some cases, but not in others. Specifically, the fallback code works if the failed to acquire resource is supposed to be on the same domain as the acid2 test, whereas if they are on different domains, IE8's code fails to behave properly.

    The fact that the blog writer mentions security is a red herring. While it is true that this does have something to do with security code, the real problem is that the fallback behavior is poor.
  • by porneL (674499) on Sunday March 23, 2008 @07:36PM (#22840006) Homepage

    No, it does not pass.

    There is no cross-domain insecurity in <object> as defined by the HTML specification. There is a problem in IE8's broken implementation.

    If object can't be displayed, browser should ignore it. Ignored <object> isn't any more dangerous than <div>. In such case there's only one document, with one DOM, all within same domain.

    But apparently IE8 can't ignore undisplayable <object> properly, so they've hacked around the problem by spawning new IE8 instance that pretends to be a plug-in that handles the invalid <object> (an <iframe> effectively). And when you do stupid things like that, of course you've got a security problem!

    No Acid2-passing browser has any problems with displaying same-origin fallback to cross-domain object.

  • by Whuffo (1043790) on Sunday March 23, 2008 @08:03PM (#22840260) Homepage Journal
    Microsoft continues to trumpet their excellence but their products don't preform as they claim. Look at Vista; piece of crap. Sure, they're selling a bunch of copies - mostly pre-installed copies on new computers and a few more from people who want the latest and greatest from Redmond. The majority of their market has decided to stay well away from Vista.

    Internet Explorer is losing ground to Firefox, so they come out with a new version and claim that it meets standards and works better. Nope, it's just more of their marketing spin.

    The real problem is that Microsoft has lost sight of the goal. They're supposed to be producing software that meets the needs and desires of their customers, but they're busily producing software that's only intended to further their goal of "world domination". Their marketing department is busy trying to make that pig look like a swan, but it's not working.

    Too bad that Linux distributions aren't quite "there" yet - close, but not yet. This is a golden opportunity for a real competitor...

    • Re: (Score:3, Interesting)

      by Ilgaz (86384) *
      They won the race long time ago. It is impossible to have windows with mshtml.dll (or web frameworks) removed. That was all the big deal. They weren't really caring about their end user, they were caring about even the most basic blog owner can't have peace without looking "If IE shows his page fine". There are companies who offers "test with IE" service to users did you know? For money!

      It is still impossible to have 100% (not 99%) perfect web experience for end user if he/she is not using Windows XP/Vista
  • by marm (144733) on Sunday March 23, 2008 @08:52PM (#22840660)
    ...even if it's a shame it's taken this long to get there. Pre-releases of Safari and Konqueror passed this almost exactly 3 years ago, and Opera's Presto engine wasn't far behind. The fact that Gecko has taken nearly as long to catch up as IE/Trident is disturbing, but they had their own self-inflicted issues to fix (XPCOM? ewww).

    All of this can only mean web developers sleep more soundly at night, and more real work gets done. The IE developers can give themselves a big pat on the back for achieving something useful that will make everyone's lives better, like they used to do with IE3 and 4 and initial CSS1 support. Shame the management decided to slack off on IE development so long. Microsoft: intelligent geeks, ruined by management.

    Now, on to Acid 3. IE8 is still clearly trailing everyone else by some distance and is probably going to play catchup for a while yet until they implement native SVG (think about the possibilities for Explorer and Office, that Apple, KDE and friends are just beginning to explore).

    As an aside, think how good MS Office might be if they had this level of competition due to having to implement a proper Open Document standard not specified by them. Everyone would get more work done, would be fitter, happier, healthier and better, and Microsoft would probably still have the lion's share of the market. OOXML needs to die now, for everyone's sake, including Microsoft's.
    • Re: (Score:3, Informative)

      Now, on to Acid 3. IE8 is still clearly trailing everyone else by some distance and is probably going to play catchup for a while yet until they implement native SVG...

      The Webkit nightly is up to 95/100 on Acid 3. Anyone run Gecko nightly lately?

    • Re: (Score:2, Insightful)

      by Bodero (136806)

      As an aside, think how good MS Office might be if they had this level of competition due to having to implement a proper Open Document standard not specified by them. Everyone would get more work done, would be fitter, happier, healthier and better, and Microsoft would probably still have the lion's share of the market.

      What the fuck? Yeah, I know I'd gain at least 3 hours per week in productivity if Office used a standard XML format than its current implementation.

      ...Where do people come up with this stuff

      • by marm (144733)
        My rather obvious point (that I thought everyone would understand) being that if everyone used a standard format, then there'd be proper competition, and that would make MS Office better. Forest, trees, spot the difference?
        • by Bodero (136806)
          Still don't get it. You already can export into a standard format (RTF or any other formatted filetype). Now if competition actually existed that rivaled Office, that would make Office better. But how does a file format do that?
          • by marm (144733) on Sunday March 23, 2008 @11:51PM (#22841898)
            Because the file format limitations are what (at least as far as I can see) are what keep the competitors from being viable alternatives.

            I'm an IT manager by trade. I don't care who provides my company with software or what platform it runs on, as long as the business I provide IT for benefits from it and it is cost-effective, ideally giving me an advantage over my company's own competitors. The changes in UI between MS Office XP (which they're mostly using now), 2003 and especially 2007 are big enough that I have to retrain my users to use them, and frankly the cost of training my users to use 2007 is enough that I've been seriously considering moving them to OpenOffice.org.

            However, the lack of a properly standardized file format prevents me from doing that. I have experimented with OOo with some of my users, and the biggest complaint (once I have trained them up a bit in OOo) I have is that .doc documents they are sent frequently don't look or print right, or they don't look right on the receiving end. If they can cope with that, I have found OOo gives me fewer support calls, primarily because the text rendering engine in OO Writer is more predictable than that in MS Word. Every few days I have to send someone to look at a user's Word document because the formatting does not work as they expect, particularly if the document contains columns or per-paragraph margins. In OO writer, those same documents behave exactly as expected. I can't understand how MS Word has got it wrong for so long - the bugs I see in Office XP are exactly the same in 2007. OO.org does it right, MS Word doesn't, and the only reason I can't reduce those support calls is that my users expect to be able to import and export external documents perfectly each time. There are similar issues with OO Calc vs. Excel also, particularly with regards to external data sources that Excel seems to forget about with no rhyme or reason, but which OO Calc gets right all the time, every time.

            I know from experience with KOffice that I get better import - pretty much spot-on for the fairly complex documents my users create - from that into OO.org as ODF than I do Word documents into OO.org, so there must be something good about having a properly standardized file format. My conclusion therefore is that if MS Office had to support ODF, then MS would be forced to fix the bugs in Word and Excel rather than rely on their proprietary file format to keep competitors out and ignore the problems.

            This is a similar situation with IE8 finally fixing long-standing bugs in order to pass the Acid 2 test, which is only possible by HTML and CSS being properly standardized.
            • by marm (144733)
              I should probably add, having got slightly carried away with my last reply, that RTF doesn't come anywhere close to providing good enough fidelity - for the documents I have tried - between different word processors, I suspect because it's specified by one entity (Microsoft) and everyone else has to play catch-up. HTML and CSS, on the other hand are specified by a group of people all interested in the same outcome - interoperability. RTF also has no bearing on spreadsheet interop...

              OOXML will probably hav
            • by Blakey Rat (99501)
              The changes in UI between MS Office XP (which they're mostly using now), 2003 and especially 2007 are big enough that I have to retrain my users to use them, and frankly the cost of training my users to use 2007 is enough that I've been seriously considering moving them to OpenOffice.org.

              I'm calling bunk on that for two reasons:
              1) Office 2003 was virtually identical to Office 2000. Cost of retraining: $0.
              2) Office 2007's UI is a better interface among every single Office user I've talked to. And that's in a
        • by Blakey Rat (99501)
          Except Office, using their horrible nasty proprietary file formats that give Slashdotters nightmares, is already better than all of the competition. Unless you know about some competing product I'm not aware of. Office is good because it has decades of development behind it, because Microsoft surveys their users and does on-site tests to find out what works and what doesn't (thus the new UI in 2007), and because Microsoft hires very smart people to design the features (for example, the statistical features
    • by Ilgaz (86384) *
      They basically did something like ./configure --enable-w3c

      After Opera ASA from Norway, that little company has taken them to court to SUPPORT WEB STANDARDS. That happened while everyone joking with them. I am sure they are still being joked at.

      http://yro.slashdot.org/article.pl?sid=07/12/13/1524233 [slashdot.org]

      Hard to prove? Of course, it is closed source, nobody knows what IE8.zip source code contains. I just say you can't simply code w3c standard compliant code from a non standards supporting/ conspiring code over 3-4
    • by BenoitRen (998927)

      The fact that Gecko has taken nearly as long to catch up as IE/Trident is disturbing, but they had their own self-inflicted issues to fix (XPCOM? ewww).

      Oh come on. It's just a test. It does note indicate overall standards compliance. Gecko is quite good at that. For instance, it's still the only web browser to implement the CSS2 :last-child pseudo-selector.

  • The reason. (Score:5, Funny)

    by Tokerat (150341) on Sunday March 23, 2008 @09:23PM (#22840892) Journal

    IEBlog article:

    To maintain compatibility and be secure by default we didn't want to invoke fallback either, as original web authors might not have intended this behavior.
    As we all know, developers (developers, developers, developers) NEVER intend for a fallback resource to be utilized when primary resources fail. Microsoft has once again taken the initiative to embrace the developer community as a loving parent and save us from our own incompetent, foolish selves.

    "What does 'It's not a bug, it's a feature' mean, daddy?"

    "I'll tell you when you're older."
  • Other object types (Score:4, Interesting)

    by RalphSleigh (899929) on Sunday March 23, 2008 @09:54PM (#22841130) Homepage
    One must ask, does IE 8 only fail on cross site objects of type text/html, or are other cross site objects affected? (e.g. flash, embedded youtube videos, quicktime, etc)...
  • Reload the page and watch Safari 3.1 fail on Windows and Mac.

The trouble with opportunity is that it always comes disguised as hard work. -- Herbert V. Prochnow

Working...