Does IE8 Really Pass Acid2? [Updated] - Slashdot

Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

×

Does IE8 Really Pass Acid2? [Updated] 174

Posted by kdawson on Sunday March 23, 2008 @06:31PM from the two-green-eyes-please dept.

thevirtualcat found some inconsistencies in IE8's Acid2 results that made him wonder what's going on. Can anyone replicate these results or, better yet, explain them?
Update: 03/22 23:54 GMT by KD : Several readers pointed out this has to do with cross-site scripting prevention, as described here.

This discussion has been archived. No new comments can be posted.

Does IE8 Really Pass Acid2? [Updated]

Search 174 Comments Log In/Create an Account

Comments Filter:

Known Cross-domain security issue (Score:5, Interesting)

by Ececheira ( 86172 ) writes: on Sunday March 23, 2008 @06:33PM (#22839432)

The reason you're seeing the result is due to an "overly secure" default for beta 1 when it comes to cross-domain embedded objects.

Here's the explanation:
http://blogs.msdn.com/ie/archive/2008/03/05/why-isn-t-ie8-passing-acid2.aspx [msdn.com]

Google is your friend next time... :)

Share
twitter facebook
Re:The answer... (Score:5, Interesting)

by zappepcs ( 820751 ) writes: on Sunday March 23, 2008 @06:52PM (#22839616) Journal

I can go one better for you. Technically, MS is correct. MS is thumbing it's nose at standards because they can say "Look, we did it your way. We made IE8 extremely secure and now you claim it's broke. We are not the people that broke web browsing and the Internet, you did it. If we did everything people suggest the Internet just doesn't work."

To a point, they are right, but they did this to show they are better and only seem insecure because if they don't do such things as they have done the Internet will not work. Oh yes, btw, those other browsers are not secure either... see how their stuff still works?

Parent Share
twitter facebook
I smell bullshit at the IE blog (Score:3, Interesting)

by Dracos ( 107777 ) writes: on Sunday March 23, 2008 @06:57PM (#22839648)

The Acid tests are test cases used to assess a browser's web standards support.

Yet, in the explanation of the incorrect rendering at the IE blog, AciveX is invoked, with some excuse about cross-domain security.

ActiveX has absolutely nothing to do with Web Standards.

This leads me to believe that MS plans to keep playing the Internet game by their rules for a while yet.

Share
twitter facebook
Cross-domain == cross-site (Score:5, Interesting)

by poor_boi ( 548340 ) writes: on Sunday March 23, 2008 @07:07PM (#22839736)

Microsoft is right to turn cross-domain restrictions on by default. Cross-domain is the same as cross-site, and we all know the pain XSS vulnerabilities can bring. The failure of "copies" of acid2 to render correctly in IE8 are actually due to the "copies" of acid2 being "copied" incorrectly. To copy the acid2 test, you have to make slight modifications to the test contents itself to update the test for the domain it is being hosted on. Them are the breaks of complex tests. Acid2 is a complex test and cannot simply be copied carte blanche.

Share
twitter facebook
Re:On another note... Acid3 (Score:4, Interesting)

by LighterShadeOfBlack ( 1011407 ) writes: on Sunday March 23, 2008 @07:16PM (#22839820) Homepage

Acid3 had been in development for 11 months so it's not like this suddenly sprung into existence overnight to "prove" Microsoft's inadequacies or anything. Even if you consider the release date to be intriguing, I'm not sure what difference you think the Acid3 developers thought it would make to have IE8 fail Acid3. It's not like there are really any users who decide which browser to use based on its ability to accurately render complete standards anyway. Most people don't know what the web standards Acid tests are and won't care even if you tell them.

Putting all that aside, it would still hardly constitute some unfair conspiracy. For one thing every other renderer in released browsers fails quite miserably at it too. Secondly, it's not some arbitrary test, Acid3 measures accuracy of conformance to DOM and ECMAscript standards. Acid3 didn't just make up the standards on the spot, they have existed for years and IE could have (and should have) been attempting to conform the whole time (as should every other renderer).

In other words: No, I don't find it intriguing. It's a mild coincidence, nothing more.

Parent Share
twitter facebook
No, it does not. Security problem is their problem (Score:5, Interesting)

by porneL ( 674499 ) writes: on Sunday March 23, 2008 @07:36PM (#22840006) Homepage

No, it does not pass.
There is no cross-domain insecurity in <object> as defined by the HTML specification. There is a problem in IE8's broken implementation.
If object can't be displayed, browser should ignore it. Ignored <object> isn't any more dangerous than <div>. In such case there's only one document, with one DOM, all within same domain.
But apparently IE8 can't ignore undisplayable <object> properly, so they've hacked around the problem by spawning new IE8 instance that pretends to be a plug-in that handles the invalid <object> (an <iframe> effectively). And when you do stupid things like that, of course you've got a security problem!
No Acid2-passing browser has any problems with displaying same-origin fallback to cross-domain object.

Share
twitter facebook
Re:Yes, that's true. (Score:4, Interesting)

by cheater512 ( 783349 ) writes: <nick@nickstallman.net> on Sunday March 23, 2008 @08:41PM (#22840570) Homepage

If you go to the appropriate wikipedia page you will see a long list of CSS 2 and 3 features.
Beside this list is all the major browsers and how they implement each feature (fully, partially, broken, not implemented, etc...).

Voila! Partial compliance.

Parent Share
twitter facebook
It's a massive improvement... (Score:5, Interesting)

by marm ( 144733 ) writes: on Sunday March 23, 2008 @08:52PM (#22840660)

...even if it's a shame it's taken this long to get there. Pre-releases of Safari and Konqueror passed this almost exactly 3 years ago, and Opera's Presto engine wasn't far behind. The fact that Gecko has taken nearly as long to catch up as IE/Trident is disturbing, but they had their own self-inflicted issues to fix (XPCOM? ewww).

All of this can only mean web developers sleep more soundly at night, and more real work gets done. The IE developers can give themselves a big pat on the back for achieving something useful that will make everyone's lives better, like they used to do with IE3 and 4 and initial CSS1 support. Shame the management decided to slack off on IE development so long. Microsoft: intelligent geeks, ruined by management.

Now, on to Acid 3. IE8 is still clearly trailing everyone else by some distance and is probably going to play catchup for a while yet until they implement native SVG (think about the possibilities for Explorer and Office, that Apple, KDE and friends are just beginning to explore).

As an aside, think how good MS Office might be if they had this level of competition due to having to implement a proper Open Document standard not specified by them. Everyone would get more work done, would be fitter, happier, healthier and better, and Microsoft would probably still have the lion's share of the market. OOXML needs to die now, for everyone's sake, including Microsoft's.

Share
twitter facebook
Other object types (Score:4, Interesting)

by RalphSleigh ( 899929 ) writes: on Sunday March 23, 2008 @09:54PM (#22841130) Homepage

One must ask, does IE 8 only fail on cross site objects of type text/html, or are other cross site objects affected? (e.g. flash, embedded youtube videos, quicktime, etc)...

Share
twitter facebook
Re:The answer... (Score:2, Interesting)

by ZephyrXero ( 750822 ) writes: <.moc.oohay. .ta. .orexryhpez.> on Sunday March 23, 2008 @09:57PM (#22841160) Homepage Journal

Who cares if they're ACID2 compliant anyway? That's old news now... Let me know when they can pass ACID3 [webstandards.org]

Parent Share
twitter facebook
Re:The answer... (Score:1, Interesting)

by Anonymous Coward writes: on Sunday March 23, 2008 @10:47PM (#22841512)

sorry but I have to agree with MS here (spit). The website is trying to get you to do something that is a security violation plain and simple and a significant security violation at that, security should override standards/compliance/or web page niceness, it should and does refuse to run that section and all bets should be off after that. Acid is in the wrong here.

Parent Share
twitter facebook
Re:The answer... (Score:5, Interesting)

by Bill, Shooter of Bul ( 629286 ) writes: on Monday March 24, 2008 @12:17AM (#22842010) Journal

I can't say for certain who is int he right with this m=particular issue, but there is a larger issue here. If following a standard leads to an unavoidable security hole, should your follow it ?

Parent Share
twitter facebook
Re:Simple stuff like CSS (Score:4, Interesting)

by Bogtha ( 906264 ) writes: on Monday March 24, 2008 @03:03AM (#22842694)

Is the doctype <!DOCTYPE html PUBLIC> invalid?

Validity is a property of documents; a doctype declaration alone cannot be valid or invalid. But that code is incorrect, you've forgotten the public identifier. That code also puts other browsers into quirks mode [dbaron.org].

Is the ISO HTML 2000 version doctype invalid?

There's more than one ISO HTML 2000 doctype declaration available. As for correctness, that depends on whether or not you screw the syntax up. But next to nobody uses that doctype anyway. Can you name a single HTML tutorial that mentions it? The OP wondered if he was reading the wrong tutorials, in my experience, it's common for tutorials to miss out doctypes altogether and unheard of for them to mention ISO-HTML at all. So we can reasonably eliminate that from consideration as well.

Is it considered invalid to put the XML prolog before the doctype of an XHTML document?

It is not invalid, but you shouldn't do so when serving it as text/html as it goes against the compatibility guidelines in the XHTML 1.0 specification, which RFC 2854 requires you to follow. Further, Internet Explorer hasn't chosen quirks mode for documents with XML prologues since version 6, so that's not the issue here either.

Is it considered invalid to put an SGML comment before the doctype?

There's nothing wrong with that, although again, it's not something tutorials teach. You can divide HTML tutorials into two different groups: one doesn't mention doctypes and the other says that the doctype must come first (or straight after the XML prologue).

Wikipedia says all of those situations will put some IE versions into quirks mode despite the presence of a doctype.

But "some IE versions" isn't relevant here, we are talking about version 8 in particular. Are you actually looking for an explanation for the problem, or are you just trying to find a way of blaming Microsoft? Doctype switching has been around for many years, all major browsers do it, and it's silly to blame Microsoft for auto margin centring not working when Internet Explorer has supported it for seven years.

Parent Share
twitter facebook
Re:Microsoft Has Lost The Race (Score:3, Interesting)

by Ilgaz ( 86384 ) * writes: on Monday March 24, 2008 @08:43AM (#22843960) Homepage

They won the race long time ago. It is impossible to have windows with mshtml.dll (or web frameworks) removed. That was all the big deal. They weren't really caring about their end user, they were caring about even the most basic blog owner can't have peace without looking "If IE shows his page fine". There are companies who offers "test with IE" service to users did you know? For money!

It is still impossible to have 100% (not 99%) perfect web experience for end user if he/she is not using Windows XP/Vista without IE. You will get stuck somewhere for sure. That is a win too.

So, they can even pass Über Quantum Acid 1000 test, it won't matter to them. So, they clicked some switch to stop conspiring w3c standard sites and voila, it passes.

You didn't actually believe MS of a small country size is really incompetent to code w3c standard browser yes? IE 5 for Macs (of its release date) supports more standards than any browser on market at that time.

Parent Share
twitter facebook
Re:Who cares? (Score:2, Interesting)

by meson2439 ( 1230350 ) writes: <mesonNO@SPAMoperamail.com> on Monday March 24, 2008 @09:44AM (#22844374)

Opera already passes all the ACID test :)
It renders fast and has a lot of fun features to play with. I'm already addicted to the mouse gestures up to the point the normal clicking i do with windows feels boring. I wonder if there is any OS that offers mouse gestures??

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

692 commentsMen Overran a Job Fair For Women In Tech
512 commentsGoogle Workers Protest Cloud Contract With Israel's Government
472 commentsHow Electric Cars are Already Upending America
446 commentsInternet Access in Gaza is Collapsing as ISPs Fall Offline
424 commentsConservatives Bombarded With Facebook Misinformation Far More Than Liberals In 2020 Election, Study Suggests

With your bare hands?!?