IE8 removes expression

Date November 7, 2008

From the IE8 blog, it would appear that the next version of Internet Explorer will not support CSS expressions by default (they will still be available in quirks and IE7 mode, but in the default mode they will be turned off).

This is really good news, and an indication that once again Microsoft are doing their best to make attackers really have to work for their prize.  At BlueHat there was one presentation that was pretty much only about using expressions in various mischievous ways (see CSS: The Sexy Assassin).  Despite the examples, I couldn’t really see a legitimate use of CSS expressions, and I’m struggling to even think of a site that I’ve reviewed that has ever used them.  Removing them gives the attacker one less thing to play with, which is a good thing.
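For sites that still accept author-supplied CSS (user themes, inline style attributes) and may render it in an IE mode where expressions are evaluated, the practical defence is to refuse or strip the syntax before it reaches the page. The following is an added example, not code from the original post; it assumes the input is a CSS declaration block and shows why the check has to normalise escapes and comments rather than look for the literal word.

```javascript
// Added example (not from the original post): reject IE-only expression()
// in author CSS. Assumes input is a declaration block like
// "color: red; width: expression(...)".

// Normalise CSS so obfuscated spellings reduce to plain text before the
// check: strip comments, decode backslash escapes (\65 or \000062, with one
// optional trailing whitespace char, and \x for a literal x), collapse
// whitespace and lower-case everything. IE matched the keyword
// case-insensitively, so the check must too.
function normalizeCss(css) {
  return css
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))/g, (_, hex, ch) => {
      if (hex === undefined) return ch;
      const cp = parseInt(hex, 16);
      // Out-of-range or NUL escapes become U+FFFD rather than throwing.
      return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    })
    .replace(/\s+/g, ' ')
    .toLowerCase();
}

// True when the normalised CSS contains an expression( call. The test is
// deliberately broad: rejecting a harmless value is cheaper than letting
// attacker-controlled script run in the page's origin.
function containsExpression(css) {
  return /expression\s*\(/.test(normalizeCss(css));
}

// Drop offending declarations from a "prop: value; ..." block and keep the
// rest. Splitting on ';' is adequate for simple blocks; production code
// should use a real CSS parser, since ';' can also appear inside strings
// and url() values.
function stripExpressions(declarationBlock) {
  return declarationBlock
    .split(';')
    .map((d) => d.trim())
    .filter((d) => d.length > 0 && !containsExpression(d))
    .join('; ');
}

// Constructed sample input (not from the post).
const sample = 'color: red; width: expression(document.body.clientWidth); margin: 0';
console.log(containsExpression(sample)); // true
console.log(stripExpressions(sample));   // color: red; margin: 0
```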

Next up is removing the ability to have transparent (offsite) iframes.

One Response to “IE8 removes expression”

  1. Rob said:

    re: “a legitimate use of CSS expressions”
    Being able to apply behaviors with CSS selectors is a huge boon for developers, which is why there are so many Javascript libraries for applying behaviors in other browsers (http://www.google.com/search?q=javascript+behavior)

    Rather than remove it, I’d rather see MS *secure* CSS Expressions (apply all the same security checks as standard Javascript), and other vendors implement the same feature.

