Microsoft Adds Clickjacking Protection to IE8 RC1
Protection against malicious Web attacks and tweaks to a feature that lets users browse the Internet privately are among updates Internet Explorer users can test in the first release candidate for IE8, which Microsoft made available Monday.
As first reported by the IDG News Service Friday, Microsoft released the feature-complete version of IE8 to the Web Monday. Microsoft added performance tweaks to existing features and one major security update to block Web attacks known as "clickjacking" that the company said makes IE8 the only Web browser to offer such protection.
Clickjacking lets hackers put a transparent filter on sites so they can view what information a user is accessing and what activities that user is doing, said James Pratt, an IE senior product manager at Microsoft. For example, if someone is on a bank Web site, attackers can use clickjacking to see the user's bank information and acquire passwords, and the user will not know the information is being viewed remotely, he said.
The security feature that thwarts clickjacking in IE8 RC1 allows Web-site content owners to put a tag in a page header that will help detect and prevent clickjacking. If a site that uses the IE8 tag detects clickjacking, it will give Web users an error screen letting them know that the content host has chosen not to allow that content, and gives them the option to open the content in a new window that is protected from the attack.
Microsoft also in RC1 expanded the functionality of a feature it introduced in the IE8 beta 2 release called InPrivate. InPrivate has two settings -- InPrivate Browsing, which lets users browse the Web without creating a record of where they've been or enabling cookies, and InPrivate Blocking, which has been renamed in RC1 to InPrivate Filtering.
InPrivate Filtering lets people set a threshold for how many times third-party content appears on sites they are browsing before the feature allows them to view information on how those third-party content owners are collecting information about browsing habits. That threshold can be set between three times and 30 times.
For example, Pratt said that if the same third-party advertisement appears 10 times on Web sites that a user is browsing in a session and the person's InPrivate Filtering threshold is set to 10, the user can then view how the third-party content owner is collecting information about browsing activities.
The Compatibility View introduced in IE8 beta 2 also got a refresh in RC1. The feature allows users to view Web sites that may not be compatible with current Web standards IE8 supports in another view so the sites render properly.
Microsoft added more support for current Web standards such as CSS (Cascading Style Sheets) and RSS in IE7, but sites that were designed for previous versions of IE that didn't support these standards didn't work properly. One of Microsoft's chief goals for IE8 is to make it as Web standards-compatible as possible, but also to ensure older sites can be viewed the way they were designed.
In IE8 RC1, Microsoft built into the browser a list of common Web sites that it discovered must be viewed in Compatibility View mode to render properly, Pratt said. Now when someone browses these sites in IE8 RC1, they automatically appear in that mode without a user having to click on a "Compatibility View" button, as they had to in IE8 beta 2, he said.
Microsoft also tweaked browser performance features so IE8 RC1 opens faster as an application and also opens new tabs or Web pages faster, the company said.
More information about IE8 RC1 can be found in a fact sheet on Microsoft's Web site.