Other Things You Should Know About Internet Explorer 7


A number of small but important changes have been made to Internet Explorer 7 that may affect your Web-based applications or your users.

Clipboard Access Is Disabled

This is a big change from prior versions of the browser. HTML code can no longer access the clipboard using the window.clipboardData object without user consent in the Internet Zone. Of course, an ActiveX control can access the clipboard, and ActiveX vendors implement their own security protections for programmatic clipboard access in different Zones. Note that user-initiated clipboard actions, for example, the oncut, oncopy, and onpaste handlers, will not prompt the user.

Script URLs

Embedding script into a URL attribute works differently in Internet Explorer 7. For example, the following snippet:

 <html>
    <a href="javascript:alert('click');">click</a>
 </html>

is transparently evaluated by the browser as:

 <html>
    <a href="#" onclick="alert('click');">click</a>
 </html>

Notably, the following use of a script URI no longer executes at all because JavaScript is not a valid source for IMG tags:

 <html>
    <IMG src="javascript:alert('bang');">
 </html>
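As an added example (not from the book), the following Node.js script audits markup for script URLs and labels each one with the Internet Explorer 7 behavior described above. The function names, the 'review manually' label for cases the text does not cover, and the sample input are assumptions of this example.

```javascript
// Added example: find javascript: URLs in markup and label the IE7 behavior
// described in the text. All names and labels here are illustrative.
const URL_ATTRS = new Set(['href', 'src']);
const SCHEME = /^\s*javascript:/i; // case-insensitive, leading whitespace ignored

// Parse name="v", name='v' and name=v pairs from a tag's attribute text.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function findScriptUrls(html) {
  const findings = [];
  // Quoted attribute values may contain '>', so skip over them as units.
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    for (const [attr, value] of Object.entries(parseAttributes(m[2]))) {
      if (!URL_ATTRS.has(attr) || !SCHEME.test(value)) continue;
      let effect = 'review manually'; // the text does not cover this case
      if (tag === 'a' && attr === 'href') effect = 'evaluated as onclick handler';
      if (tag === 'img' && attr === 'src') effect = 'no longer executes';
      findings.push({ tag, attr, script: value.replace(SCHEME, ''), effect });
    }
  }
  return findings;
}

// Constructed sample input reusing the snippets quoted above.
const SAMPLE = `<html>
  <a href= "javascript:alert('click');">click</a>
  <IMG src="javascript:alert('bang');">
  <a href="https://example.com/?q=javascript:">plain link</a>
</html>`;

console.log(findScriptUrls(SAMPLE));
```

Markup reported as 'no longer executes' is the place to look first when a page that relied on script URLs stops behaving as it did in earlier browser versions.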

Good-bye PCT and SSL2 (and Good Riddance), Hello AES!

Private Communication Technology (PCT) was developed by Microsoft and Visa International to correct a number of weaknesses in SSL2 (Murray 2000). SSL2 has some very serious security weaknesses, and these are addressed in SSL3 and its successor, TLS. Because SSL3 is now broadly available and because it addresses the issues in SSL2, PCT has been deprecated and is no longer supported in Windows Vista. And because SSL2 is so weak, it is disabled by default in Internet Explorer 7. If your Web site uses only SSL2 or PCT, it will fail to work correctly with Internet Explorer 7, and in fact it won’t work in Mozilla Firefox v2 either. If your Web site requires SSL2, it’s time to upgrade the configuration! Windows Vista also disables the weak 40- and 56-bit ciphers while adding new ciphers, including 256-bit Advanced Encryption Standard (AES).

Window Origin

This change will have little effect on most Web applications. Any dialog box that pops up from Internet Explorer 7 will automatically have an address bar with the originating address, which helps the user determine if the Web page has come from a trusted Web site or not.

Tip 

Do you want a good tool to view or manipulate HTTP headers and related information? Then use Fiddler from www.fiddlertool.com.



Writing Secure Code for Windows Vista
Writing Secure Code for Windows Vista (Best Practices (Microsoft))
ISBN: 0735623937
EAN: 2147483647
Year: 2004
Pages: 122
