Appendix 3: Internet Explorer 6 to Internet Explorer 8 Browser Changes

Article
09/12/2012

Applies To: Windows 7

	Design Changes from Internet Explorer 6 to Internet Explorer 7	Design Changes from Internet Explorer 7 to Internet Explorer 8
Internet Explorer Versioning	When a long user agent (UA) string encounters a server that accepts shorter UA string only, the user will be presented with an error page	Internet Explorer 8 Compatibility View mode, turned on by default for intranet sites in Internet Explorer 8, actually sends an Internet Explorer 7 user agent string; to differentiate between Internet Explorer 7 and Compatibility View, look for the newTrident token

Note

Check for code that incorrectly special cases around Internet Explorer 6, 7, or 8 via user-agent string sniffing, versions vectors, or conditional comments.

Quirks mode exception: As a rule of thumb, no standards compliance changes needed for web pages that specify the Quirks mode DOCTYPE (by setting “standards-compliance” DOCTYPE switch to “off”).

	Design Changes from Internet Explorer 6 to Internet Explorer 7	Design Changes from Internet Explorer 7 to Internet Explorer 8
Standards Compliance Updates Applies to specified document modes IE8 Compatibility View mode, on by default for intranet, generally reverts standards updates from IE7 to IE8 Use the EmulateIE7 X-UA-Compatible HTTP header or META tag to enable Compatibility View mode on websites or specific pages	Applies to Internet Explorer 7 Standards or “Strict” mode and above: XML prologs in first line of source code no longer cause DOCTYPE declarations to fail Box model overflow content now intersects box, no longer auto-grows box div to fit content Certain CSS filters (for example, HTML, _underscore, and /*/ comment) are no longer supported Only outermost OBJECT in nested objects is instantiated Applications that relied on SELECT element to get an HWND to use with Microsoft Win32 APIs may break because SELECT element is now a windowless control Channel Definition Format (CDF) is no longer supported, in favor of RSS feeds XBM, an imaging format designed for X-based systems, is no longer supported BASE tags outside of the HEAD document are no longer allowed	Applies to Internet Explorer 8 Standards mode and above: Unclosed P elements are now automatically closed when followed by TABLE, FORM, NOFRAMES, or NOSCRIPT elements Malformed HTML is no longer supported, in favor of well-formed, valid markup “className” attribute syntax no longer supported, in favor of “class” syntax The attributes collection no longer contains all possible attributes recognized by Internet Explorer Attribute ordering has changed, affecting attributes collection, innerHTML, and outerHTML GetElementById is case sensitive and no longer searches name attributes Generic CSS prefix selectors (that is, v\:* syntax) no longer supported, in favor of explicit tag names CSS expressions no longer supported, in favor of improved CSS support or DHTML logic Code intended for custom JSON object methods may conflict with IE8’s new native JSON object Unset initial properties on the currentStyle object now return their initial value Unspecified properties values on the currentStyle object style object now return empty string (example)

Standards Compliance Updates

Applies to specified document modes
IE8 Compatibility View mode, on by default for intranet, generally reverts standards updates from IE7 to IE8
Use the EmulateIE7 X-UA-Compatible HTTP header or META tag to enable Compatibility View mode on websites or specific pages

Applies to Internet Explorer 7 Standards or “Strict” mode and above:

XML prologs in first line of source code no longer cause DOCTYPE declarations to fail
Box model overflow content now intersects box, no longer auto-grows box div to fit content
Certain CSS filters (for example, *HTML, _underscore, and /**/ comment) are no longer supported
Only outermost OBJECT in nested objects is instantiated
Applications that relied on SELECT element to get an HWND to use with Microsoft Win32 APIs may break because SELECT element is now a windowless control
Channel Definition Format (CDF) is no longer supported, in favor of RSS feeds
XBM, an imaging format designed for X-based systems, is no longer supported
BASE tags outside of the HEAD document are no longer allowed

Applies to Internet Explorer 8 Standards mode and above:

Unclosed P elements are now automatically closed when followed by TABLE, FORM, NOFRAMES, or NOSCRIPT elements
Malformed HTML is no longer supported, in favor of well-formed, valid markup
“className” attribute syntax no longer supported, in favor of “class” syntax
The attributes collection no longer contains all possible attributes recognized by Internet Explorer
Attribute ordering has changed, affecting attributes collection, innerHTML, and outerHTML
GetElementById is case sensitive and no longer searches name attributes
Generic CSS prefix selectors (that is, v\:* syntax) no longer supported, in favor of explicit tag names
CSS expressions no longer supported, in favor of improved CSS support or DHTML logic
Code intended for custom JSON object methods may conflict with IE8’s new native JSON object
Unset initial properties on the currentStyle object now return their initial value
Unspecified properties values on the currentStyle object style object now return empty string (example)

Note

For sites and applications where accessibility is a concern, be sure to update ARIA syntax across all Internet Explorer rendering modes.

Check the complete list of CSS updates from Internet Explorer 6 to Internet Explorer 8.

	Design Changes from Internet Explorer 6 to Internet Explorer 7	Design Changes from Internet Explorer 7 to Internet Explorer 8
Security Improvements Apply regardless of document mode Security features can be turned off using Group Policy	window.opener trick used to bypass the window.close prompt is no longer allowed Object caching protection is enabled by default, which blocks access to references of objects when users browse to a new domain (applies to Internet Explorer 6 and later on Windows XP Service Pack 2 and later) DHTML scriptlets are now disabled by default Scripts that write to the status bar are now blocked URL creation may fail if URLs do not meet RFC guidelines HTTPS pages will display an error page if site is configured to SSLv2 only, or if site security certificate is outdated, invalid, has errors, or has weak ciphers Only “punycode” encoded internationalized domain names are supported; other formats like ANSI and UTF-8 are now blocked Cross-domain script URLs, redirected navigation in DOM objects, and frame navigations are now blocked Modal or modeless dialogs created from script might seem slightly bigger Unsecure protocols view-source, Gopher (at the WinINET level), and Telnet no longer work	XSS filter is on by default, blocking script patterns that most frequently resemble Type-1 XSS attacks, unless disabled by site developer via X-XSS-Protection HTTP header Cross-domain, cross-document communication hacks like SCRIPT SRC are no longer supported, in favor of safer XDM and XDR AJAX features AJAX-enabled sites that manually manipulate the hash of the URL may be broken by the new window.location.hash navigation property New AJAX features like XDM have native properties that may conflict with existing custom properties File upload control only submits the file path, not the full path, to the server HTML or script delivered with an “image/*” MIME type is blocked from executing Navigating a top-level frame to a site in a different security context opens a new window or tab instead of navigating within the existing frame UTF-7 encoded script is forced into Windows-1252 encoding, which may cause plain text rendering HTTP/HTTPS “mixed mode” pages display a dialog that defaults to displaying secure items only (vs. previous nonsecure default); users may mistakenly choose to block HTTP elements, like key images DEP/NX is on by default, blocking certain add-ons (that is, ActiveX controls and COM objects) built with older versions of ATL from running code marked “non-executable” in memory Content returned by a web proxy if an SSL tunnel is not established in response to a CONNECT request to the original server is blocked
Architectural Changes Apply regardless of document or compatibility mode	Protected Mode, also a key security feature, is enabled by default for Internet, Intranet, and Restricted Sites zones, which blocks browser extensions that could pose a security risk from running and lower privilege applications from accessing higher privilege processes, like the Start Menu, the Control Panel, and the Windows registry (applies to Internet Explorer 7 and later on Windows Vista and later)	Protected Mode Update: Intranet now runs in medium (instead of low) integrity level by default Loosely Coupled IE may block add-ons (that is, ActiveX controls and COM objects) that: 1) Use windows hierarchy techniques to locate UI frame and tab windows (which now run in separate processes at different integrity levels), 2) Create a subclass of the UI frame (now at medium integrity level) from a low-integrity tab process, 3) Use unsupported messaging techniques between UI frame and tabs

Security Improvements

Apply regardless of document mode
Security features can be turned off using Group Policy

window.opener trick used to bypass the window.close prompt is no longer allowed
Object caching protection is enabled by default, which blocks access to references of objects when users browse to a new domain (applies to Internet Explorer 6 and later on Windows XP Service Pack 2 and later)
DHTML scriptlets are now disabled by default
Scripts that write to the status bar are now blocked
URL creation may fail if URLs do not meet RFC guidelines
HTTPS pages will display an error page if site is configured to SSLv2 only, or if site security certificate is outdated, invalid, has errors, or has weak ciphers
Only “punycode” encoded internationalized domain names are supported; other formats like ANSI and UTF-8 are now blocked
Cross-domain script URLs, redirected navigation in DOM objects, and frame navigations are now blocked
Modal or modeless dialogs created from script might seem slightly bigger
Unsecure protocols view-source, Gopher (at the WinINET level), and Telnet no longer work

XSS filter is on by default, blocking script patterns that most frequently resemble Type-1 XSS attacks, unless disabled by site developer via X-XSS-Protection HTTP header
Cross-domain, cross-document communication hacks like SCRIPT SRC are no longer supported, in favor of safer XDM and XDR AJAX features
AJAX-enabled sites that manually manipulate the hash of the URL may be broken by the new window.location.hash navigation property
New AJAX features like XDM have native properties that may conflict with existing custom properties
File upload control only submits the file path, not the full path, to the server
HTML or script delivered with an “image/*” MIME type is blocked from executing
Navigating a top-level frame to a site in a different security context opens a new window or tab instead of navigating within the existing frame
UTF-7 encoded script is forced into Windows-1252 encoding, which may cause plain text rendering
HTTP/HTTPS “mixed mode” pages display a dialog that defaults to displaying secure items only (vs. previous nonsecure default); users may mistakenly choose to block HTTP elements, like key images
DEP/NX is on by default, blocking certain add-ons (that is, ActiveX controls and COM objects) built with older versions of ATL from running code marked “non-executable” in memory
Content returned by a web proxy if an SSL tunnel is not established in response to a CONNECT request to the original server is blocked

Architectural Changes

Apply regardless of document or compatibility mode

Protected Mode, also a key security feature, is enabled by default for Internet, Intranet, and Restricted Sites zones, which blocks browser extensions that could pose a security risk from running and lower privilege applications from accessing higher privilege processes, like the Start Menu, the Control Panel, and the Windows registry (applies to Internet Explorer 7 and later on Windows Vista and later)

Protected Mode Update: Intranet now runs in medium (instead of low) integrity level by default
Loosely Coupled IE may block add-ons (that is, ActiveX controls and COM objects) that: 1) Use windows hierarchy techniques to locate UI frame and tab windows (which now run in separate processes at different integrity levels), 2) Create a subclass of the UI frame (now at medium integrity level) from a low-integrity tab process, 3) Use unsupported messaging techniques between UI frame and tabs

Appendix 3: Internet Explorer 6 to Internet Explorer 8 Browser Changes

Additional resources