Internet Explorer 10

Below is the set of rules that can be used to test a web application for readiness for Internet Explorer 10.

 

W001 - Obsolete HTML Tags

Description: RayQC Advanced scans the web application for the use of obsolete HTML tags and JavaScript methods.

Background: There are a number of obsolete HTML tags and associated JavaScript methods in Windows Internet Explorer 10.

More Information: http://msdn.microsoft.com/en-us/library/ff806183%28v=vs.94%29.aspx

Manual Remediation: Re-engineer the web application not to use the obsolete HTML tags anymore. With CSS and JavaScript the same functionality can be achieved.

W002 - DHTML Editing Control Compatibility

Description: RayQC Advanced scans the web application for the use of the ActiveX DHTML Editing Control.

Background: Since Windows Internet Explorer 5, the DHTML Editing Control has been available for HTML, Active Server Pages (ASP), ASP.NET pages, and for other documents accessed with HTTP. For security reasons, Microsoft dropped support for this control as of Windows Vista, which shipped with Windows Internet Explorer 7. Web applications that implement the safe-for-scripting DHTML Editing Control (<Object ID="editor">) might fail to load it, in which case an image placeholder is displayed. Additionally, any script that refers to the control might throw exceptions. Because a script exception terminates script evaluation, other functions controlled by the same script might also stop working.

More Information: http://msdn.microsoft.com/en-us/library/aa663363.aspx

Manual Remediation: Re-engineer the web application not to use the DHTML Editing Control anymore. There is a downloadable original control in a signed Windows Installer package called DHTMLEd.msi provided by Microsoft, which could be used if re-engineering is not practicable. (Caution: This is a workaround! The security risks identified by Microsoft will remain since the application itself is left unchanged.)

W003 - CreateElement() Method Compatibility

Description: RayQC Advanced scans the web application for angle brackets which are used in arguments passed to the createElement() method.

Background: An element node in the Document Object Model (DOM) hierarchy is created by the createElement() method. Since Windows Internet Explorer 9, the support for the use of angle brackets (< >) within the createElement() method has been dropped by Microsoft. If those characters are contained within the argument of the createElement() method, parts of the web application might fail to work.

More Information: http://msdn.microsoft.com/en-us/library/ff986077(v=VS.85).aspx

Manual Remediation: Re-engineer the web application not to use angle brackets in the createElement() method anymore. Pass the element name and use the setAttribute() method to set the values of the required attributes instead.
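The W003 remediation, as an added example that is not part of RayQC Advanced or the original page: a helper that turns a legacy createElement("<tag ...>") argument into an element name plus setAttribute() calls. The names parseLegacyMarkup, createElementCompat and makeStubDocument are hypothetical, and the stub document is constructed so the code runs outside a browser.

```javascript
// Matches name="value", name='value', name=value, or a bare attribute name.
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Split a legacy createElement() argument into a tag name and attributes.
function parseLegacyMarkup(arg) {
  const text = String(arg).trim();
  // A plain element name is already the supported form.
  if (!/[<>]/.test(text)) {
    return { tagName: text, attributes: {} };
  }
  // Exactly one opening tag is accepted; anything else is rejected
  // rather than guessed at.
  const m = /^<\s*([A-Za-z][A-Za-z0-9-]*)([^<>]*)>$/.exec(text);
  if (!m) {
    throw new Error("Unsupported createElement() argument: " + text);
  }
  const attributes = {};
  const body = m[2].replace(/\/\s*$/, ""); // drop a self-closing slash
  ATTR_RE.lastIndex = 0;
  let a;
  while ((a = ATTR_RE.exec(body)) !== null) {
    const value = [a[2], a[3], a[4]].find((v) => v !== undefined);
    attributes[a[1].toLowerCase()] = value === undefined ? "" : value;
  }
  return { tagName: m[1], attributes };
}

// Create the element by name, then set each attribute explicitly.
// Values passed to setAttribute() are stored as text, never parsed as markup.
function createElementCompat(doc, arg) {
  const { tagName, attributes } = parseLegacyMarkup(arg);
  const el = doc.createElement(tagName);
  for (const [name, value] of Object.entries(attributes)) {
    el.setAttribute(name, value);
  }
  return el;
}

// Constructed stand-in for `document` (assumption: it refuses angle
// brackets, modelling a browser that no longer accepts them).
function makeStubDocument() {
  return {
    createElement(name) {
      if (/[<>]/.test(name)) throw new Error("InvalidCharacterError");
      const attrs = {};
      return {
        tagName: name.toUpperCase(),
        attrs,
        setAttribute(n, v) { attrs[n] = String(v); },
      };
    },
  };
}

// Constructed legacy call site, migrated through the helper.
const migrated = createElementCompat(
  makeStubDocument(),
  "<input type='text' name=\"q\" disabled>"
);
console.log(migrated.tagName, migrated.attrs);
```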

W004 - Obsolete arguments.caller

Description: RayQC Advanced scans the web application for the arguments.caller property.

Background: Prior to Windows Internet Explorer 9, a property named "caller" was created along with each arguments object. This property stored a reference to the arguments object of the calling function. Since Windows Internet Explorer 9, the arguments.caller property is no longer supported by Microsoft. The script error "object is null or undefined" will occur if a script tries to use this property. Because of this, parts of the web application might fail to work.

More Information: http://msdn.microsoft.com/en-us/library/gg622933(v=VS.85).aspx

Manual Remediation: Re-engineer the web application not to use the arguments.caller property anymore. Use the Windows Internet Explorer 8 Compatibility View where this is not practicable. Trigger the view by using the meta attribute value "X-UA-Compatible".

W005 - Obsolete Document Object Model (DOM) Event Features

Description: RayQC Advanced scans the web application for the following DOM event features: attachEvent(), detachEvent(), createEventObject(), and fireEvent().

Background: The following DOM event features are no longer supported by Microsoft since Windows Internet Explorer 9: attachEvent(), detachEvent(), createEventObject(), and fireEvent().

More Information: http://msdn.microsoft.com/en-us/library/ff986080(v=vs.85).aspx

Manual Remediation: Re-engineer the web application not to use the outdated DOM event features. W3C standards-compliant replacements exist and should be used instead.

W006 - Conditional Comments Compatibility

Description: RayQC Advanced scans the web application for conditional comments which are used to detect the version number of Windows Internet Explorer. (Take care: This rule might detect false positives for web applications which use conditional comments to fix some well-known visual glitches for older Windows Internet Explorer versions!)

Background: Windows Internet Explorer provides non-standard conditional comments which are used to serve content that is optimized for a specific browser, for example, specific HTML, CSS, or JavaScript code (<!--[if IE 7]> <p>You are using Windows Internet Explorer 7.</p> <![endif]-->). Because the major version number has changed in Windows Internet Explorer 10, web applications using conditional comments might not recognize the browser and might serve incompatible content.

More Information: http://msdn.microsoft.com/en-us/library/ms537512(v=vs.85).aspx

Manual Remediation: Re-engineer the web application not to use conditional comments. W3C proposals like JavaScript-based feature detection should be used instead.

W007 - Changed User-Agent String

Description: RayQC Advanced scans the web application for the use of the user-agent string for browser or system detection. The common JavaScript frameworks jQuery, jQuery UI, Prototype, MooTools, and Cufon will not be scanned. (Take care: This rule might detect false positives for web applications which use the user-agent string for adjunct purposes like statistical data collection.)

Background: The user-agent string submits browser details, such as name, version number, running platform, etc., to the hosting server when accessing a web application (User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)). This information can be used to provide content which has been optimized for the specific browser. Some web applications might not recognize the user-agent string and therefore serve incompatible content, because the user-agent string has been changed in Windows Internet Explorer 10.

More Information: http://msdn.microsoft.com/en-us/library/cc848857%28v=vs.85%29.aspx

Manual Remediation: Re-engineer the web application not to use the user-agent string, but to use feature support detection instead. Use the Windows Internet Explorer 7 Compatibility View where this is not practicable. Trigger the view by using the meta attribute value "X-UA-Compatible".

W008 - Use of "onload" and "onreadystatechange" Event

Description: RayQC Advanced scans the web application for the attachment of both events ("onload" and "onreadystatechange") to one script element.

Background: The standard-based and interoperable load event for script elements was introduced in Windows Internet Explorer 9. Before Windows Internet Explorer 9, the only event supported for script elements was the non-interoperable "onreadystatechange" event. This event is still supported in Windows Internet Explorer to make sure existing websites remain compatible. Sites which register for both events, "onload" and "onreadystatechange", might now receive two callbacks. This might produce unexpected results or cause a part of the web application to fail.

More Information: http://msdn.microsoft.com/en-us/library/hh180173(v=VS.85).aspx

Manual Remediation: Re-engineer the web application to exclusively use the "onload" event for scripts that need a load event.
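The double callback described for W008, next to the remediated registration, as an added example that is not part of RayQC Advanced or the original page. The fake script element is constructed to fire both events the way the Background paragraph describes; all function names are hypothetical.

```javascript
// Constructed stand-in for a <script> element in a browser that supports
// both the legacy "onreadystatechange" event and the standard load event.
function makeFakeScript() {
  const listeners = {};
  return {
    readyState: "loading",
    onload: null,
    onreadystatechange: null,
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
    // Simulate the script finishing: both notifications are delivered.
    finish() {
      this.readyState = "loaded";
      if (this.onreadystatechange) this.onreadystatechange();
      if (this.onload) this.onload();
      (listeners.load || []).forEach((fn) => fn.call(this));
    },
  };
}

// Legacy pattern flagged by W008: both events attached to one element.
function attachLegacy(script, done) {
  script.onload = done;
  script.onreadystatechange = function () {
    if (/^(loaded|complete)$/.test(script.readyState)) done();
  };
}

// Remediated pattern: the load event only.
function attachLoadOnly(script, done) {
  script.addEventListener("load", done);
}

// Count how often the completion callback runs for a given registration.
function countCallbacks(attach) {
  let calls = 0;
  const script = makeFakeScript();
  attach(script, () => { calls += 1; });
  script.finish();
  return calls;
}

console.log("legacy:", countCallbacks(attachLegacy));      // 2
console.log("load only:", countCallbacks(attachLoadOnly)); // 1
```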

W009 - JavaScript Framework Compatibility

Description: RayQC Advanced scans the web application for the use of older versions of JavaScript frameworks which are not compatible with Windows Internet Explorer 10. jQuery (prior to 1.5.1), jQuery UI (prior to 1.6.8), MooTools (prior to 1.3), Prototype (prior to 1.7), and Cufon (prior to 1.09i) are the frameworks that will be scanned.

Background: Since Windows Internet Explorer 9, Microsoft has introduced and modified features to improve standards compliance and interoperability with other web browsers. A lot of JavaScript frameworks have functions which rely on functions of earlier versions of Windows Internet Explorer. In Windows Internet Explorer 10, some well-known JavaScript frameworks might not work as they should. Most of these JavaScript frameworks have already received updates to fix this. Nonetheless, there are still a lot of web applications which use older versions of these frameworks and have not yet been updated.

More Information: http://msdn.microsoft.com/en-us/library/hh180175(v=VS.85).aspx

Manual Remediation: Ask the manufacturer to deliver a framework which is compatible with Microsoft Internet Explorer 10. Use the Windows Internet Explorer 7 Compatibility View if there is no compatible framework. Trigger the view by using the meta attribute value "X-UA-Compatible".

W010 - Unconventional Protocol Handlers

Description: RayQC Advanced scans the web application for the use of unconventional protocols in script redirections and hyperlinks.

Background: The prefix of a URL refers to a protocol name (http://www.raynet.de for the HTTP protocol, javascript:alert('Welcome') for the JavaScript protocol). An application can be registered to a URL protocol. If this is the case, since Windows Internet Explorer 9, the Application Protocol Handler Dialog is shown when the application is launched. This security feature is meant to protect users from accidentally executing an application with dangerous or malicious content. The dialog is shown on each request until it has been disabled for this protocol. If no application is registered to the URL protocol, a message is shown stating that a program which is not installed is required to launch the web application.

More Information: http://msdn.microsoft.com/en-us/library/dd565637(VS.85).aspx

Manual Remediation: Uncheck the "Always ask before opening this type of address" checkbox after using a link to prevent Windows Internet Explorer 10 from displaying the Application Protocol Handler Dialog again. Portions of a web application might not work if no application is configured to handle a non-standard protocol.
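A sketch of the kind of check W010 describes, as an added example that is not RayQC Advanced's own scanner: it lists hyperlinks and script redirections whose URL scheme is outside an allowlist. The allowlist CONVENTIONAL is an assumption (the page does not enumerate which protocols count as conventional), and the sample markup, including the myapp: and callto: links, is constructed.

```javascript
// Assumed allowlist of schemes the browser handles without an external
// application; adjust it to the environment being assessed.
const CONVENTIONAL = new Set(["http", "https", "ftp", "mailto", "javascript"]);

// URL-bearing constructs: href attributes/assignments and script redirections.
const URL_SOURCES = [
  /\bhref\s*=\s*(["'])(.*?)\1/gi,
  /\blocation\s*=\s*(["'])(.*?)\1/gi,
  /\blocation\.(?:assign|replace)\(\s*(["'])(.*?)\1/gi,
  /\bwindow\.open\(\s*(["'])(.*?)\1/gi,
];

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
// At least two characters are required so "C:\..." is not read as a scheme.
function schemeOf(url) {
  const m = /^\s*([A-Za-z][A-Za-z0-9+.-]+):/.exec(url);
  return m ? m[1].toLowerCase() : null; // null means a relative URL
}

// Return one finding per URL whose scheme is not in the allowlist.
function findUnconventionalProtocols(source, allowed = CONVENTIONAL) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const re of URL_SOURCES) {
      for (const m of text.matchAll(re)) {
        const scheme = schemeOf(m[2]);
        if (scheme && !allowed.has(scheme)) {
          findings.push({ line: i + 1, scheme, url: m[2] });
        }
      }
    }
  });
  return findings;
}

// Constructed sample page.
const SAMPLE = [
  '<a href="http://www.raynet.de">Home</a>',
  '<a href="myapp://open?id=42">Open in desktop client</a>',
  '<a href="/docs/index.html">Docs</a>',
  '<script>window.location = "callto:support";</script>',
  "<script>location.replace('https://example.com/next');</script>",
].join("\n");

for (const f of findUnconventionalProtocols(SAMPLE)) {
  console.log(`line ${f.line}: ${f.scheme}: in ${f.url}`);
}
```

Each finding is a link that depends on a registered application protocol handler, so it needs a decision about whether that handler is installed on the target clients and whether the link is wanted at all.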

W011 - Status Bar Text Changes

Description: RayQC Advanced scans the web application for scripts that change the status bar content through the JavaScript properties window.status and window.defaultStatus.

Background: Since Windows Internet Explorer 7, web applications are no longer allowed to use scripts to configure the status bar in the Internet or Restricted zones. Because of this, calls to the JavaScript properties window.status or window.defaultStatus might silently fail. This measure is intended to stop attackers from spoofing the status bar.

More Information: http://msdn.microsoft.com/en-us/ie/aa740486

Manual Remediation: In Windows Internet Explorer 10, open the Internet Options setting and, in the custom security level, check the "Allow status bar updates via script" checkbox. This allows scripts to configure the status bar through the window.status and window.defaultStatus properties.

W012 - Obsolete Dynamic Properties

Description: RayQC Advanced scans the web application for obsolete dynamic properties in CSS or JavaScript code.

Background: Since Windows Internet Explorer 5, dynamic CSS properties have allowed property values to be set as formulas, not only as constants. A dynamic property lets authors reference property values from other values, which offered unparalleled flexibility when designing webpages. But this also had a damaging impact on standards compliance, performance, reliability, and security. Dynamic properties have been obsolete since Windows Internet Explorer 8, but they are still supported for web applications which are displayed in Windows Internet Explorer 5 (Quirks) mode or Windows Internet Explorer 7 Standards mode.

More Information: http://msdn.microsoft.com/en-us/library/ms537634(v=vs.85).aspx

Manual Remediation: Replace the dynamic properties functionality with JavaScript event listeners.

W013 - Conformity to the Request for Comments (RFC) Guidelines

Description: RayQC Advanced scans the web application for the use of URLs that do not meet the requirements of the RFC 3986 and 3987 guidelines.

Background: Since Windows Internet Explorer 7, a URL entered into the address bar is parsed to ensure that it meets the RFC guidelines, which prevents malformed URLs from fooling Windows Internet Explorer. If the URL fails this verification, the web application is allowed to appear with restricted functionality. This might lead to unexpected behavior of the web application.

More Information: https://msdn.microsoft.com/en-us/library/dd565653(v=vs.85).aspx

Manual Remediation: Re-engineer the web application and make sure that all URLs used in the web application meet the requirements of the RFC 3986 and 3987 guidelines.

W014 - CSS Compatibility

Description: RayQC Advanced scans the web application for the use of CSS features which are not supported by Windows Internet Explorer 10.

Background: The support for the W3C CSS standard has been improved with each new release of Windows Internet Explorer (:focus {sRules} is supported by Windows Internet Explorer 10, but it is not supported by Windows Internet Explorer 7). There is a full compliance with CSS 2.1 and many CSS 3 features are supported in Windows Internet Explorer 10.

More Information: http://msdn.microsoft.com/en-us/library/cc351024(v=vs.85).aspx

Manual Remediation: Re-engineer the web application to use only CSS features which are supported by Windows Internet Explorer 10.

W015 - XSLT (Extensible Stylesheet Language Transformations) Changes

Description: RayQC Advanced scans the web application for the use of unsupported XSLT elements. Legacy XSL namespaces, legacy stylesheets processing instructions, and XSLT output directives are the features that will be scanned.

Background: XSLT is a declarative, XML-based language used to modify XML documents. Since Windows Internet Explorer 9, the processing of XML and XSLT files has been modified to improve standards conformance and compatibility with other browsers. Chiefly, some non-standard behaviors relating to the processing of XSLT files have changed. These changes might cause web applications to show unexpected behavior or limited functionality.

More Information: http://msdn.microsoft.com/en-us/library/hh180178(v=vs.85).aspx

Manual Remediation: Re-engineer the web application by migrating to a compatible and standardized XSLT namespace. Microsoft has prepared some migration scenarios.

W017 - Obsolete DirectX-based Filters and Transitions Reference

Description: RayQC Advanced scans the web application for the use of DirectX-based filters and transitions which are no longer supported in Windows Internet Explorer 10.

Background: Web developers were allowed to add multimedia-style effects to their webpages by the usage of a set of visual filters and transitions since Windows Internet Explorer 4.0. They are called DX filters because of their underlying implementation, DirectX, and their long-form syntax (filter:progid:DXImageTransform.Microsoft.Alpha(opacity=75)). There exists a standard-based alternative to common DX filters since Windows Internet Explorer 9. In Windows Internet Explorer 10, you can still use the legacy feature in the document modes 5, 7, and 8, though the performance will be inferior to their hardware-accelerated, standard-based replacements.

More Information: http://msdn.microsoft.com/en-us/library/ms532853%28v=vs.85%29.aspx

Manual Remediation: Re-engineer the web application to use standard-based technologies. Use the Windows Internet Explorer Compatibility View where this is not practicable. Trigger the view by using the meta attribute value "X-UA-Compatible".

W018 - Obsolete Vector Markup Language (VML) Elements

Description: RayQC Advanced scans the web application for the use of obsolete VML elements.

Background: VML, which was used to create vector graphics that were displayed in web applications, is no longer supported by Microsoft since Windows Internet Explorer 10. In Windows Internet Explorer 10 you can still use the legacy feature in the document modes 5, 7, 8, and 9, though the performance will be inferior to their hardware-accelerated, standard-based replacements.

More Information: http://msdn.microsoft.com/en-us/library/ie/hh801223%28v=vs.85%29.aspx

Manual Remediation: Re-engineer the web application to use standard-based technologies such as the Scalable Vector Graphics (SVG) format. Use the Windows Internet Explorer Compatibility View where this is not practicable. Trigger the view by using the meta attribute value "X-UA-Compatible".

W019 - Microsoft Internet Explorer plug-in Compatibility in the Windows UI

Description: RayQC Advanced scans the web application for embedded content for which the use of external plug-ins is required.

Background: Windows Internet Explorer 10 offers two different ways of browsing: Windows Internet Explorer in the Windows UI and Windows Internet Explorer for the desktop. Both use the same technology for rendering web applications. Even so, the behavior and feel might differ. For example, Adobe Flash support is limited and other plug-ins, like Java applets, are not supported by Windows Internet Explorer in the Windows UI. When Windows Internet Explorer 10 is used in the Windows UI, web applications that rely on these technologies might not work as anticipated.

More Information: https://msdn.microsoft.com/nl-be/library/hh920753(v=vs.85).aspx

Manual Remediation: Re-engineer the web application to use standard-based technologies, which includes supported HTML5 features, to work properly with Windows Internet Explorer 10 in the Windows UI.

W020 - XML Data Islands Compatibility

Description: RayQC Advanced scans the web application for the use of obsolete XML data islands.

Background: Microsoft has dropped support for XML data islands as of Windows Internet Explorer 10. They are now parsed as HTML in order to improve compatibility and compliance with HTML5. This affects pages which are written for Windows Internet Explorer and pages that use browser sniffing to modify their behavior in Windows Internet Explorer.

More Information: http://msdn.microsoft.com/en-us/library/ie/hh801224(v=vs.85).aspx

Manual Remediation: Re-engineer the web application not to use XML data islands anymore. Use other technologies or use meta tags that can define document compatibility with Microsoft Internet Explorer 10 instead.

W021 - Obsolete VBScript Code

Description: RayQC Advanced scans the web application for the use of VBScript code.

Background: VBScript code is no longer supported as a scripting language for Windows Internet Explorer since Windows Internet Explorer 11. If displayed in the edge mode, web applications will not execute VBScript code.

More Information: http://msdn.microsoft.com/en-us/library/ie/dn384057(v=vs.85).aspx

Manual Remediation: Re-engineer the web application to use JavaScript instead of VBScript.

W026 - Binary Elements Behaviors Binding

Description: RayQC Advanced scans the web application for binary behaviors which are no longer bound automatically.

Background: To provide greater consistency with other popular browsers, Internet Explorer does not automatically bind binary element behaviors.

More Information: http://msdn.microsoft.com/en-us/library/ff986078(v=vs.85).aspx

Manual Remediation: Re-engineer the web application to not use manually binding controls.