Hello,
Having discovered what I believe to be two CSS bugs in IE7, I have
submitted bug reports to MS. AFAIK, these don't get acted on until they
receive votes form others to say they are worth investigating.
As (I naively assume) it's in everyone's interest to see IE7 support CSS
properly, would anyone care to vote for these bugs, so that they might
get fixed before IE7 comes out of beta?
The bug IDs are 79985 and 79991 and you can find direct links to them
below (you'll need to log in with a passport account).
Thanks https://connect.microsoft.com/feedba...edbackID=79991 https://connect.microsoft.com/feedba...edbackID=79985
--
Alan Silver
(anything added below this line is nothing to do with me)
May 29 '06
19  2197 
To further the education of mankind, "Alan J. Flavell"
<fl*****@physic s.gla.ac.uk> vouchsafed: On Tue, 30 May 2006, Neredbojias wrote:
Is this IE7 only?
I guess it depends on your settings in IE6.
In IE6 I get (onscreen):
<title>Take Cover</title>
<meta http-equiv=refresh
content="1; URL=http://ppewww.ph.gla.a c.uk/~flavell/tests/tests.txt">
<body onload="alert(' Boo! ... All your base are belong to us.')">
Well, that's the content of the spoof JPG file alright. But on IE6 I
get a security alert telling me that scripts are mostly harmless, and
inviting me to proceed (many users wouldn't even have configured that,
I suppose), and if I consent, then it does the js, after which it does
the refresh.
Hmmm, that was in Win2k. On an independent copy of IE6 in XP SP2,
which incidentally has been configured to "trust" our web server,
there's no security alert, it goes directly to the jscript-ed alert,
after which it does the refresh.
IOWs, no redirect or js.
It sounds as if you have yours configured more safely than many
another user, then...
But it looks as if yours has decided to display it as plain text,
despite having been told that it's a JPEG image. Which is at least
safer than parsing it as HTML.
Yes, and I could have easily reset a few things in the past, but darned
if I remember what.
I still say that Mozilla (which announces that the image cannot be
displayed because it contains errors) and Opera (which displays an
[IMAGE] placeholder where the broken image should have been) are
behaving to the spirit of RFC2616.
FYI, I also get the same response as Mark Parnell in ff.
(WinXP Sp2 w/ all updates.)
--
Neredbojias
Infinity has its limits.
Alan J. Flavell wrote: [1] except for the purposes of demonstration, anyway. What /does/
7beta do when confronted by this URL, by the way?
http://ppewww.ph.gla.ac.uk/~flavell/tests/spoof.jpg
It is not a bug, it is a completely correct behavior for HTTP. You
asked for a document spoof.jpg. At the moment of the initial request UA
has no means to know if it's an image, HTML document or some all new
electronic format requiring a plugin to install. It doesn't know it as
file extension is meaningless in HTTP: it doesn't prove anything and it
doesn't imply anything. Your server reported this resource to be
Content-Type of text/html. Any standard compliant UA has to try to
render it as text/html.
It is a very common mistake though to transfer Windows file extension
schemas onto Web.
See more at:
<http://groups.google.c om/group/comp.infosystem s.www.authoring .html/tree/browse_frm/thread/90b0fb057ff808f 4/2bd5a9bc6dab7dd 6?rnum=11&hl=en &_done=%2Fgroup %2Fcomp.infosys tems.www.author ing.html%2Fbrow se_frm%2Fthread %2F90b0fb057ff8 08f4%2F%3Fhl%3D en%26#doc_bffe6 ec35225b386>
Alan J. Flavell wrote: [1] except for the purposes of demonstration, anyway. What /does/
7beta do when confronted by this URL, by the way?
http://ppewww.ph.gla.ac.uk/~flavell/tests/spoof.jpg
VK <sc**********@y ahoo.com> wrote: Your server reported this resource to be
Content-Type of text/html. Any standard compliant UA has to try to
render it as text/html.
Are you sure? When I request it, the server identifies it as
Content-Type: image/jpeg
Any compliant web browser will treat it as a (broken) JPEG image. Anything
that treats it as HTML is broken.
--
Darin McGrew, mc****@stanford alumni.org, http://www.rahul.net/mcgrew/
Web Design Group, da***@htmlhelp. com, http://www.HTMLHelp.com/
"If you loan $20 to someone you never see again, it was probably worth it."
Darin McGrew wrote: VK <sc**********@y ahoo.com> wrote: Your server reported this resource to be
Content-Type of text/html. Any standard compliant UA has to try to
render it as text/html.
Are you sure? When I request it, the server identifies it as
Content-Type: image/jpeg
It is? Sorry then.
Any compliant web browser will treat it as a (broken) JPEG image. Anything
that treats it as HTML is broken.
Full ACK. I guess IE yet didn't have enough of security exploits over
spoofed images. After several major outbreaks they at least fixed the
hole for <img> element
<body>
<!-- this will not work -->
<img src="http://ppewww.ph.gla.a c.uk/~flavell/tests/spoof.jpg">
</body>
Well, just another reason do not use IE: not even out of love to
standards, but out of primitive security considerations.
P.S. To OP: I don't see big reason to file bugs to MSDN on this
particular issue. I presume (possibly wrongly) that the basic HTTP
mechanics is known to them. It took seven majot security outbreaks on
Win XP with spoofed images: then they funally fix it more-or-less
properly for <img>. Another few outbreaks - and they will fix this one
too. It is another common sense practice: never migrate on newer IE
until at least the first service pack is released with the most crutial
security fixes.
VK wrote: Your server reported this resource to be Content-Type of text/html.
Any standard compliant UA has to try to render it as text/html.
Negative, Spock; you are wrong again. The server is reporting it as
image/jpeg. That's the whole point.
--
Jack.
On Wed, 31 May 2006, Mark Parnell wrote: Deciding to do something for the good of humanity, "Alan J. Flavell"
<fl*****@physic s.gla.ac.uk> declared in
comp.infosystem s.www.authoring.stylesheets:
I still say that Mozilla (which announces that the image cannot be
displayed because it contains errors) and Opera (which displays an
[IMAGE] placeholder where the broken image should have been) are
behaving to the spirit of RFC2616.
FWIW, my copy of Firefox (1.5) just displays the URI as text
That's odd - thanks for the report. It seems to be version-dependent.
VK wrote: Darin McGrew wrote: VK <sc**********@y ahoo.com> wrote: Your server reported this resource to be
Content-Type of text/html. Any standard compliant UA has to try to
render it as text/html.
Are you sure? When I request it, the server identifies it as
Content-Type: image/jpeg
It is? Sorry then.
That was a quick retreat. Had you asserted, "Your server reported this
resource to be Content-Type of text/html", without checking that that
was so?
In article <11************ **********@j55g 2000cwa.googleg roups.com>, VK
<sc**********@y ahoo.com> writes P.S. To OP: I don't see big reason to file bugs to MSDN on this
particular issue.
I didn't, I reported two CSS bugs to them. This issue was introduced by
Mr Flavell, who was demonstrating that IE is full of security holes. Not
sure why he felt he needed to prove that as we all know its security is
as good as its CSS, but I've given up on this thread. I was trying to
help us all out and got flamed for it.
--
Alan Silver
(anything added below this line is nothing to do with me)
Alan Silver wrote: VK writesP.S. To OP: I don't see big reason to file bugs to MSDN on this
particular issue.
I didn't, I reported two CSS bugs to them. This issue was introduced by
Mr Flavell, who was demonstrating that IE is full of security holes. Not
sure why he felt he needed to prove that as we all know its security is
as good as its CSS, but I've given up on this thread. I was trying to
help us all out and got flamed for it.
Sorry then. As your OP did not describe the nature of filed bugs, I
tried to get it out of the thread. The OT-flood is a killer...much
worser then non-proper quoting btw.
I have a problem with the links though:
"Error: The page you have requested is unavailable or you do not have
access."
(I furfilled the Microsoft Connect registration).
In article <11************ **********@i40g 2000cwc.googleg roups.com>, VK
<sc**********@y ahoo.com> writes Alan Silver wrote:VK writes >P.S. To OP: I don't see big reason to file bugs to MSDN on this
>particular issue.
I didn't, I reported two CSS bugs to them. This issue was introduced by
Mr Flavell, who was demonstrating that IE is full of security holes. Not
sure why he felt he needed to prove that as we all know its security is
as good as its CSS, but I've given up on this thread. I was trying to
help us all out and got flamed for it.
Sorry then. As your OP did not describe the nature of filed bugs, I
tried to get it out of the thread. The OT-flood is a killer...much
worser then non-proper quoting btw.
Agreed.
I have a problem with the links though:
"Error: The page you have requested is unavailable or you do not have
access."
(I furfilled the Microsoft Connect registration).
Hmm, looking at the list of available programs, I can't see the one for
IE. I wonder if they took it off in the last day or so.
Try going to http://connect.microsoft.com/ and clicking on the
"Available programs" link. This will require you to log into Passport.
Once you are taken to the programs list, copy https://connect.microsoft.com/feedba...spx?SiteID=136 into your
browser address bar. That takes you to the IE feedback page. If you
enter 79985 or 79991 as IDs, you can see the two bug reports.
I'm not happy that they've taken IE off the programs list. That sounds
like they've stopped feedback and are going ahead with what they have.
That means we'll get another buggy IE for the next few years. Ho hum, I
was really hoping they'd get it right this time. Wrong again ;-(
Ta ra
--
Alan Silver
(anything added below this line is nothing to do with me) This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Steve |
last post by:
I just spent waaaaaaaaaaaayy too much time trying to track down an error that was incorrectly reported just now, and I would like to see if someone
can explain to me why it was reported that way.
The purpose of the code is simply to delete a record and then redirect back to the page where the delete was started. The code looks like this:
elseif ($_GET == "delete")
{
$query = "delete from product_subcategory2 where product_sku=$_GET and...
|
by: Randy Birch |
last post by:
Reposted as the original is reported as deleted from the server.
re: MSComCtl Listview control cashes after installing VB6/VS6 SP6
I have been advised that this problem has been reproduced and a hotfix has
been prepared. The supporting KB article and hotfix download link have yet
to be posted, but I can provide you with the following information for those
requiring an immediate fix:
|
by: Brett C. |
last post by:
Anthony Baxter, our ever-diligent release manager, mentioned this past week
that Python 2.3.5 will most likely come to fruition some time in January (this
is not guaranteed date). This means that in order to have enough time to
proper evaluate new patches and bugs they must be reported **now**! A one
month lead time is necessary to properly look at, test, and commit patches, let
alone coming up with solutions to any reported bugs.
...
|
by: Ayende Rahien |
last post by:
Recently I've encountered two highly annoying bugs in the framework,
anyone who knows how to solve them would be most appriciated.
1) I'm trying to do Process.Start(url); and get a Win32Exception, after
quite a bit of testing I found out that the reason for this is that I
didn't have STAThread attribute. Process.Start(url) throws when I don't
have an attribute at all, or when I have MTAThrea, anyone can tell me
why?
I looked around, and...
|
by: Dinesh Jain |
last post by:
Hi All,
I am developing an application under Framework 1.0 and really getting
unsolvalble problems-
1. System.ExecutionEngineException in Unknown module:
Occurs sometimes not frequent. (Might be Marshalling problems - read
from MSDN)
| | |
by: Dachshund Digital |
last post by:
I don't know if anyone else is have issues with VB 2005 Express, but we
are, on multiple machines, it crashes during compiles, we have to do
'clean solution' almost very other time we compile.
The IDE hangs all the time. This happens on clean builds of XP SP2,
existing XP workstations, and even our Test 2003 Server.
Is anyone else having these issues? At this point, I have recommended
to management we return to VS IDE 2003, at least...
|
by: Mladen Gogala |
last post by:
I recently reported a bug about problem with OCI8 driver
and here is a little exchange that I had with a developer
with nickname "tony2001". Obviously, persuading people to
check the report is rather hard. Next time I encounter a bug,
I will not report it. The bug number is:36119
22 Jan 2:39am CET] gogala at sbcglobal dot net
Description:
------------
|
by: Peter Oliphant |
last post by:
A few of the bugs I've followed have been reported by MS as fixed in the
MSDN Product Feedback Center. But as far as I can tell, there have been no
updates to the versions on our systems. So, what good are fixes to bugs if
the versions on our machines are still old and still have the bug?
I guess I'm asking, how to we get fixes to bugs to VS C++.NET? I'm using
both Express and Pro, and I'm guessing the two would require different...
|
by: John Nagle |
last post by:
Back in March, I posted this:
That was for M2Crypto 0.17.
It's still broken in M2Crypto 0.18.
And there's no RPM or Windows binary.
Nobody actually uses this stuff, do they?
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
