Microsoft believes Google Chrome Frame lowers security of IE

Google's recent release of Google Chrome Frame wasn't entirely expected, though that's not to say it wasn't welcome. Some people questioned the usefulness of it, whilst others were overjoyed. Regardless of public opinion, it was to be expected that Microsoft wouldn't be entirely pleased about the whole idea, and they've just given their official thoughts on the software, according to the lads at Ars Technica.

To give you a quick overview of Google Chrome Frame, the aim is for it to give Internet Explorer the rendering and javascript engines of the Chrome browser, which is of benefit to web developers and obviously users also. However, with great power comes great responsibility, and in this case, Microsoft believes that the security of its web browser has been compromised. In an email to Ars Technica, Microsoft stated, "With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers. Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attach area for malware and malicious scripts. This is not a risk we would recommend our friends and families take."

In short, Microsoft believes that the Chrome Frame doubles the risk to a user when browsing the Internet. This is, quite simply, a bit ridiculous. Ars Technica said, "Somehow we doubt there is a significant amount of malware specifically targeting Chrome, and for whatever exists, we're pretty sure most would fail when encountering IE + Google Chrome Frame. These Web attacks would be written to be able to circumvent Chrome's security measures and would simply not expect Internet Explorer's security layers," which makes sense. To add to that, Google is constantly updating its browser with security updates and other features, to ensure that it stays secure for those who use it.

There are many reasons as to why Chrome Frame isn't as big of a security risk as Microsoft makes it out to be, though no software is perfect. It will be interesting to see if Google has anything further to say on the matter, but they'll probably keep quiet from this point on.

Report a problem with article
Previous Story

"Broadband Tax" could become UK law

Next Story

Apple emerging as big player in the games industry

88 Comments

Commenting is disabled on this article.

Microsoft has a good argument here. Think about it from a non-"CHROME IS AWESOME!!!!!!!!!" standpoint.

In its default configuration, Microsoft has control over IE. If a security issue pops up, Microsoft patches it.

If you're using Google's plugin, and there's a security issue, Microsoft can't patch it, and, if exploited, Microsoft will probably be blamed for it.

That being said, the browser this plugin is mostly targeted toward (IE6) is primarily used in enterprises. Enterprises normally use IE6 because they need IE6's rendering engine.

This plugin will be a very niche product.

Google wants to dominate the world! They wants your blood type, first born and everything else to put in their database to share with the world. ;)

Microsoft might sound protective about their IE 8 because they have the right to be. They have been sued for being a monopoly then they are bitched at after they open up and other companies crap blames MS for being the problem. So the world will never be happy with ONE PRODUCT that does it all very well because that product doesn't exist. If it did it would be broken down into other parts because it would look like a MONOPOLY!

You now have freedom of choice more than ever yet we still go back to MS to blame. If you don't like it - don't use it. Why argue over it. IE 6 will still be around when you come back and read about it a year from now. So get used to it.

mrmomoman said,
Google wants to dominate the world! They wants your blood type, first born and everything else to put in their database to share with the world. ;)

As if MS doesn't do that. When are you people going to learn?

Frame is a bit useless tbh, people will still be using IE6, and therefore we have to support it when we develop websites.
I'm actually really good at making my websites completely perfect across the browsers, it's easy to cleanly get around IE6's niggles!

Who really gives a hoot? To have this Chrome Frame work, don't both the user and server have to install/code certain things? I bet penetration of this 'plugin' will be next to zero.

Tom W said,
I have to agree, now you have to patch both IE and Google Chrome Frame. Might as well just install Chrome and stop using IE ;)

That is probably the reaction Google is expecting to result from "Frame".

While pure attack surface for vulnerabilities is important, more important IMHO is that ChromeFrame doesn't support IE security and privacy features like delete browsing history and InPrivate; see http://code.google.com/p/chromium/issues/detail?id=22846. The commentary indicates that it may actually be by design -- in this case poor design, since users aren't really even supposed to know that ChromeFrame is there for a given site; they expect IE settings to apply all the time. Also the commentary indicates that the SmartScreen phishing filter is not used when ChromeFrame is being used.

And who knows if ChromeFrame respects security settings such as disabling script or plugins for certain zones. In general it seems like a solution looking for a problem; if you want to use Chrome, just use Chrome, rather than trying to create a frankenstein hybrid of Chrome and IE.

I agree that those features pose an increased chance of getting hit by vulnerabilities.

People must choose Chrome or IE (in this case) but I don't like that mess that Google is creating with Chrome Frame.

after install chrome frame, my ie8 started crashing for no apparent reason.....
even on sites that don't have the chrome frame meta tag....

i'm sure those people who're stuck with IE6 in their offices aren't allowed to use google wave too... so this add-on is kind of useless....

my company's firewall basically blocks everything that doesn't originate from a fixed set of IPs, no interwebz, no facebooks, no msn.... IE6 is used just for intranet stuff.

however the isolated "internet stations" located at lobbies do install the latest stuff, Opera, FF, IE8, Chrome etc. Strangely there're few users, even during lunchtime or breaks...

This only makes sense if you look at the fact that a version of IE running the Chrome plugin would be susceptible to vulnerabilities in either IE or Chrome.

Well in a way, they're correct. If an IE user has google frame installed, then they're open to both exploits that target IE AND google frame. But this is the same for things like Flash, Adobe reader and just about any other plugin.

Well, I can understand Microsoft's point. By using Chrome Frame you do open yourself up to any vulnerabilities that Chrome Frame may have, and Microsoft has no way of knowing what the security of Chrome Frame may be or when someone may find a hole. So the warning does make sense...

Though I really can't for the life of me understand who would really have a need for this. It seems like a waste to me...

Microsoft is exaggerating this but they are technically correct. If you use Chrome Frame then you are subject to vulnerabilities in both IE and Chrome Frame. Realistically, it's not something to be too concerned with.

1st of all - Im Toyota and no american cars get enough fuel mileage, so we developed a hybrid engine that can go into any american car to make it get better mileage. That is the non-technical way this comes off (or am I wrong).

2nd - Users of IE 6 (which i assume is at the heart of why this came up) use the rendering engine in IE because specific websites like intranets and software with tie-ins to browser presentations (in business thats called time keeping software, payroll software, human resources staff software, accounting software) are designed directly for the use and configuration of the IE engine in 6. If these people could use Chrome or FF and have these software packages render properly then IE 6 could actually be allowed to rest in peace. However, (and most "website" developers who cry boo-hoo over "standards" dont tell you) is that it will cost billions world wide to change and update this software, the majority of which has no direct relationship or use of the "internet" as all the people here that keep complaining about IE6 and there web standards would let you believe. It will cost billions and years of commitment to get these old software choices to change, So much of that business architecture was developed when there was no idea that a "cloud" would ever exist and no one saw the internet as more than what existed in the mid 90's. If Microsoft suddenly said IE6 RIP and we will send an update to kill it, you would have major world wide companies and even some governments who will crash and be dead in the water without IE6 and its "non-standards". To those who say will "why dont they just all get new software and every company and corporation needs to keep up to date with the pc i just got at home, if i can do it why cant they" all I say to you is The world is bigger than if your layourt looks right on facebook or if you can properly add a video to your youtube page.

Finally - Here is an idea, instead of everyone whining about IE6 and its non-standards why dont companies make their browsers like FF, Chrome, Opera, Safari, with an add-on so that your new browser can manage to dumb itself down to the IE6 engine as needed specifically for intranets and other needs like that. If you can do that, then maybe then I would believe that IE6 will go away, until then deal with it!

The trouble is that that's circumventing the problem as opposed to solving it. The problem in the first place is simply that IE6 is old and crap, and then to top it off people banked on the "Microsoft standards" becoming global standards, and as a result, we're plagued forever with an endless collection of ****ty intranet applications which result in billion dollar corporations being stuck with IE6 until the apocalypse.

What the world needs is the web equivalent of the millenium bug drive. Get all the web developers to upgrade IE6 applications to standards compliant applications, and then let the whole world move on. Unfortunately such a scenario would cost far too much than to simply keep IE6 forever.

TechGuyPA has a good point. I remember in the Air Force they were using a networked inventory system that was over thirty years old. I'm not sure if they replaced it yet but one of the reasons it was till around was because they couldn't afford to make the switch.

Good to know you didn't even attempt to understand what this is doing before going off on your tangent.

FYI, when installed all pages will be rendered with IE's default rendering engine unless the page specifies it wants to use Chrome Frame at which point the rendering engine will be swapped on the fly for that page and that page only.

Microsoft has a point here, but it's not because they hate the Chrome plugin. The fact is that IE has enough security holes (discovered and undiscovered) and Chrome also has its fair share of security holes (again, discovered AND undiscovered), this plugin potentially exposes a user to both sets of security issues, and therefore makes the browser vulnerable to both IE-specific attacks and Chrome specific attacks.

All addons for IE hurt its security. Microsoft has supported them for years knowing this. Not sure why they are throwing a fit over this.

I think every IE user I know at work has at least 1 or 2 pointless toolbars running. I feel sorry for them.

Shadrack said,
All addons for IE hurt its security. Microsoft has supported them for years knowing this. Not sure why they are throwing a fit over this.

What's more a secure threat, an addon that shows video files or an addon that communicates with internet, executes scripts and stores local data, etc?

Shadrack said,
All addons for IE hurt its security. Microsoft has supported them for years knowing this. Not sure why they are throwing a fit over this.

I think every IE user I know at work has at least 1 or 2 pointless toolbars running. I feel sorry for them.

Ummmm....plugins for ANY browser do that, though

Shadrack said,
All addons for IE hurt its security. Microsoft has supported them for years knowing this. Not sure why they are throwing a fit over this.

Because it's about Google, a competitor.

lordcanti86 said,

Ummmm....plugins for ANY browser do that, though

That wasn't his point. The point was that "why are they complaining now".

Jugalator said,

That wasn't his point. The point was that "why are they complaining now".

Isn't it obvious? Because Chrome Frame poses much more threat some Google Toolbar. For example it makes you vulnerable to RoR XSS attacks on lots of sites (like twitter).

RealFduch said,
For example it makes you vulnerable to RoR XSS attacks on lots of sites (like twitter).

No it doesn't, since it's already fixed.

geoken said,
No it doesn't, since it's already fixed.

His point was that with Google Frame installed, you are now vulnerable to exploits that could affect Chrome but not stand-alone IE.

People are focusing on Microsofts statement--which surely was dumb--but I think Google releasing an IE Chrome plugin was a pretty sleazy business move by Google in itself. There isn't demand for it, its just a way to kick dirt at Microsoft.

At least I hope this makes MS's IE team move faster. They should stop trying to do large 1.x updates and do smaller and faster x.1 or x.5 updates like other browsers.

A new version once a year doesn't cut it.

Well Google would argue there is demand for it, as IE's javascript engine isn't up to scratch and instead of the Google dev's wasting time writing workarounds/limiting functionality of some of their new products (Wave) they've given the option of Google Frame...

One of the main reasons Google started working on their own browser was because they weren't happy with the speed/progression of the established browsers, and since Chrome has been about both Opera and Firefox have made significant improvements in their javascript engines to be able to compete.

brianshapiro said,
People are focusing on Microsofts statement--which surely was dumb--but I think Google releasing an IE Chrome plugin was a pretty sleazy business move by Google in itself. There isn't demand for it, its just a way to kick dirt at Microsoft.

The fact that Microsoft's web browser's rendering and javascript engine can be hijacked from a 3rd party just shows how lousy their security model is. I'm not saying other browsers are immune to this. But if Google can do it, what is stopping anyone else....nothing...

User ignorance is going to be a tough one to overcome i'm afraid...

Which is a good thing, no doubt. Which is why I feel the IE team should be working on a quick IE8.1 or 8.5 that boosts the performance of the javascript engine to match the others. No need for new features and such, just speed and whatever other support they can fit in.

Shadrack said,
The fact that Microsoft's web browser's rendering and javascript engine can be hijacked from a 3rd party just shows how lousy their security model is.

Just like Firebug "hijacks" web page rendering in Firefox....

Shadrack said,
The fact that Microsoft's web browser's rendering and javascript engine can be hijacked from a 3rd party just shows how lousy their security model is. I'm not saying other browsers are immune to this. But if Google can do it, what is stopping anyone else....nothing...

User ignorance is going to be a tough one to overcome i'm afraid...

ZOMG A user-installed plugin can replace the rendering engine!!!! Just like how IE Tab can replace Firefox's rendering engine! Oh noes!

/sarcasm

Shadrack said,
The fact that Microsoft's web browser's rendering and javascript engine can be hijacked from a 3rd party just shows how lousy their security model is. I'm not saying other browsers are immune to this. But if Google can do it, what is stopping anyone else....nothing...

User ignorance is going to be a tough one to overcome i'm afraid...


I am with you on this.

As I said, other browsers are vulnerable to these same "exploits," as they choose to be. The developers should fix these issues not complain to the 3rd party develper

brianshapiro said,
People are focusing on Microsofts statement--which surely was dumb--but I think Google releasing an IE Chrome plugin was a pretty sleazy business move by Google in itself. There isn't demand for it, its just a way to kick dirt at Microsoft.

LOL, so you have a problem with innovation that leads to IE gaining 10x as good performance and HTML 5 support? No demand for it? What about all the next generation web services being held captive by IE 6/7/8 and their lack for HTML 5 support? I can tell you haven't read the IEBlog comment section lately. There are complaints from web developers for almost each of their posts there, having to remind them about cross-browser interoperability through better standards support. It's sometimes as if they're living in their corporate bubble.

Google is going to use this to push Google Wave, and it'll sure make life easier for a number of developers. This is far more useful to many than a Flash plugin, or PDF integration.

Jugalator said,
LOL, so you have a problem with innovation that leads to IE gaining 10x as good performance and HTML 5 support?

You were already told about HTML5 and Chrome non-standard behaviors. Now go away and stop spreading your lies.

brianshapiro said,
People are focusing on Microsofts statement--which surely was dumb--but I think Google releasing an IE Chrome plugin was a pretty sleazy business move by Google in itself. There isn't demand for it, its just a way to kick dirt at Microsoft.

How do you know there is no demand for it? It is not up to you, or Microsoft, or Micorsoft lackeys to say what is or is not in demand. What do you care, don't use it. You should be happy, a different company has gone out of there way to make one of Microsofts products useable. A lot of people are stuck on ie6, now they can keep using it, and get the benefits of a modern browser.

RealFduch said,
You were already told about HTML5 and Chrome non-standard behaviors. Now go away and stop spreading your lies.

What lies? Google already has near release versions of Wave being used by beta tester. This service runs perfectly in every browser but IE. Google is also trying to increase the 'desktop-like' qualities of their web apps with local caching and drag and drop operations.

Those aren't lies, they're facts.

This is, quite simply, a bit ridiculous. Ars Technica said, "Somehow we doubt there is a significant amount of malware specifically targeting Chrome, and for whatever exists, we're pretty sure most would fail when encountering IE + Google Chrome Frame. These Web attacks would be written to be able to circumvent Chrome's security measures and would simply not expect Internet Explorer's security layers," which makes sense.

Security by obscurity? "They wouldn't guess you have Chrome Frame" bla bla bla..
How lame!

P.S. Don't forget the story when Firefox had url parsing vulnerability which could be exploited by starting firefox from IE?

P.P.S. If some people see an ActiveX control that plays video as a security thread, then what is an ActiveX control that communicates with internet, executes scripts and stores local data?

Security by obscurity? "They wouldn't guess you have Chrome Frame" bla bla bla..
How lame!

Uh, that's not security by obscurity. That concept is about hiding things and hoping no one will find it, such as a password. But this is about creating a VERY TINY FRACTION for malware to target. Do you think they'll care to do that, when they don't even care much for Mac, which has 10% of the market? Of course not!

Anyway, the only hilarious part about all this, is that Microsot is admitting the IE plugin infrastructure is insecure. If an insecure component (according to them) can take over their browser due to their own damn platform's support and blessings, what the hell does that say about Microsoft? Google hasn't violateed any rules here, they haven't hacked IE or anything to get this done. They've written a plugin to the paper, and Microsoft is immediately taking the crybaby stance because it's about a competitor that has TEN TIMES as good performance as IE. Never mind Google Chrome winning the Pwn2Own contest, and their tight security via their sandboxing model.

Of course Microsoft thinks this way - the competition is proving, once again, that Microsoft's products just aren't good enough. Heaven forbid someone else gets it right for them without a Microsoft stamp of approval.

If IE wasn't "good enough" then people wouldn't use it. For a vast majority of people it is still the best browser available.

No sale for your bias here, sorry.

C_Guy said,
If IE wasn't "good enough" then people wouldn't use it. For a vast majority of people it is still the best browser available.

No sale for your bias here, sorry.


No, people don't know any better. Most people think that Microsoft is their operating system, and Word is their browser. When something breaks on a website, they have no idea whether is is the OS, Windows, Paint, the website, the developer, or the Internet which is the problem. They just move on, hope for the best.

cakesy said,

No, people don't know any better. Most people think that Microsoft is their operating system, and Word is their browser. When something breaks on a website, they have no idea whether is is the OS, Windows, Paint, the website, the developer, or the Internet which is the problem. They just move on, hope for the best.

Exactly. Most people who do know what a browser is and that there is more than
one use firefox (probably). Just because the majority of people use IE doesn't mean anything because that's the browser people have by default.

Here's an idea for Microsoft: fix your browser to comply with web standards so people don't have to use plugins in order to get a decent rendering engine in it!

Since when did you need a plugin for things to render correctly? You got a list of sites or are you just regurgitating rubbish you've read?

I'm curious to know what "finished" standard(s) is not supported in IE8 [granted speed improvements need to be made], unless of course you're referring to HTML5 which I believe as of yet is now "standard".

m.keeley said,
Since when did you need a plugin for things to render correctly? You got a list of sites or are you just regurgitating rubbish you've read?

Experience developing for IE > examples; sites usually use hacks to get around some of IE's standards support.

simon360 said,
Experience developing for IE > examples; sites usually use hacks to get around some of IE's standards support.

I do web development, I've had to use hacks to deal with Firefox, Safari, and Opera also, not just IE. I haven't developed for Chrome enough to know about it.

IE is progressing with standards support on the same timeline as every other browser, FF2 in many ways was no better than IE6 in meeting standards, Mozilla was just really loud about the ways they were meeting standards and IE wasn't. Which was a good move as a challenge to IE to improve its standards, but it was kind of misleading. FF3, released around the same time as IE8, is the first version thats good on standards.

And I'm not sure what the big deal about HTML5 is, I'd rather have CSS3 implemented first.

simon360 said,
Experience developing for IE > examples; sites usually use hacks to get around some of IE's standards support.

I also have to use hacks for FF etc so how is IE the only bad giy?

m.keeley said,
I also have to use hacks for FF etc so how is IE the only bad giy?



It's not, yet many people think that it's only IE that uses hacks. All this hack business started with silly Netscape and it's stupid quirks mode. So thank them for this mess.

If anything, rendering wise, all this chrome frame does is shows that IE8's only real weakpoint performance wise is in javascript. Since in the end, the way I read it, chrome frame uses chromes javascript engine basically.

simon360 said,
Experience developing for IE > examples; sites usually use hacks to get around some of IE's standards support.

and 90% of people are dumb. So what? How does bad sites prove anything?
HTML5? Not till 2023. Until then everything is non-standard.
HTML? Why do you have to use !non-standard! <element> tag for flash movies for Firefox, Chrome and Safary?
CSS?
-moz-inline-box, -webkit-border-radius, -moz-border-radius, -moz-box-shadow, -moz-selection, e.originalTarget, getBoxObjectFor(), getBoundingClientRect() etc etc etc. Doesn't that ring your "non-standard proprietary extensions" bell?
XML? Firefox is the only browser taht has faulty non-standard implementation of XSL transforms.

And I'm seeing more and more titles like "Firefox CSS Magic: Consider this post an evolving receptacle for Firefox-specific CSS tricks."

RealFduch said,
and 90% of people are dumb. So what? How does bad sites prove anything?
HTML5? Not till 2023. Everything until then is non-standard extensions.
HTML? Why do you have to use !non-standard! tag for flash movies for Firefox, Chrome and Safary?
CSS?
-webkit-border-radius, -moz-border-radius, -o-border-radius etc etc etc. Doesn't that ring your "non-standard proprietary extensions" bell?
XML? Firefox is the only browser taht has faulty non-standard implementation of XSL transforms.


+1

You said it man.

RealFduch said,
and 90% of people are dumb. So what? How does bad sites prove anything?
HTML5? Not till 2023. Until then everything is non-standard.
HTML? Why do you have to use !non-standard! <element> tag for flash movies for Firefox, Chrome and Safary?
CSS?
-moz-inline-box, -webkit-border-radius, -moz-border-radius, -moz-box-shadow, -moz-selection, e.originalTarget, getBoxObjectFor(), getBoundingClientRect() etc etc etc. Doesn't that ring your "non-standard proprietary extensions" bell?
XML? Firefox is the only browser taht has faulty non-standard implementation of XSL transforms.

And I'm seeing more and more titles like "Firefox CSS Magic: Consider this post an evolving receptacle for Firefox-specific CSS tricks."

In all fairness, the CSS hacks that Firefox implements extend the CSS 2.1 specification, the hacks the developers use for IE are to bring it into line with the CSS 2.1 specification. This doesn't apply to IE8 obviously, but then, neither does the Chrome plugin aside from the script engine.

roadwarrior said,
Here's an idea for Microsoft: fix your browser to comply with web standards so people don't have to use plugins in order to get a decent rendering engine in it!

Microsoft has been working to increase standards compliance with IE 7 and 8, and 8 supports standards fairly well. I agree that standards support is necessary, but they are making strides in this direction.

With IE8, much of the major rendering problems I had with it are gone. That's not to say I haven't heard, just in the past 2 weeks, that "I'm not upgrading, nor is my company upgrading, to IE8 -- the person who services my computers said it would break a lot of sites". It makes me, as a web developer hate the browser all the more because people aren't upgrading because of pathetic misinformation. Needless to say, I've changed them over to Firefox ... but still, they were very misinformed (there is IE7 emulation if it truly does break a site).

May main problem with it now, though, is it's JavaScript engine. It's extremely slow (compared to FF, and certainly compared to Chrome or Safari) and sometimes finicky. I feel sorry for anyone that has to suffer through how awful and slow IE is...

I see a lot of statements above that sound smart, but reveal quite the opposite to me. People, if you just use any GUI or any WYSIWYG such as FrontPage for design, then take my advice. Validate your page first. IF it passes, test it with different browsers. Rinse and repeat. If you are not doing that, then I don't believe you understand much about the standards and your statement is bias at best.

roadwarrior said,
Here's an idea for Microsoft: fix your browser to comply with web standards so people don't have to use plugins in order to get a decent rendering engine in it!

For the last time, IE8 is compliant with CURRENTLY RATIFIED web standards. HTML5 and CSS3 are NOT ratified standards yet.

FFS

Majesticmerc said,


Did you miss the word "Recommendation" on each of those documents you linked to? Both directly underneath the title of the document and in the vertical-text image on the upper left?

roadwarrior said,
Here's an idea for Microsoft: fix your browser to comply with web standards so people don't have to use plugins in order to get a decent rendering engine in it!

Here's an idea for Google. Quit making everything you touch phone home like a lost step child!!
Here's another too. Quit making things, period!!

PatriotB said,
Did you miss the word "Recommendation" on each of those documents you linked to? Both directly underneath the title of the document and in the vertical-text image on the upper left?

Well I tell you what then, take these recommendations and ignore them, and then see how well you do as a web developer. A recommendation doesn't need to be labelled as a standard to be a standard, all it needs is mass adoption.

Which is then a different standard. Seeing how IE is the major browser and has the most use, then ActiveX is a standard right? Yet, technically, I don't think it is?

If we're just going to go with what is used the most, then by default, all the funky stuff IE does that people hate, since they're used more, are standards automatically.

Yet that's hardly the case, in my opinion a "standard" can't be a standard if each browser treats it differently. Which means you have to use hacks, be it for older things with IE, or even newer ones for the other browsers. Whenever a hack is needed period, that "standard" (HTML5/CSS3) isn't standard since you have to do different things to get it to work.

I hope this makes sense to people.

GP007 said,
Which is then a different standard. Seeing how IE is the major browser and has the most use, then ActiveX is a standard right? Yet, technically, I don't think it is?

If we're just going to go with what is used the most, then by default, all the funky stuff IE does that people hate, since they're used more, are standards automatically.

Yet that's hardly the case, in my opinion a "standard" can't be a standard if each browser treats it differently. Which means you have to use hacks, be it for older things with IE, or even newer ones for the other browsers. Whenever a hack is needed period, that "standard" (HTML5/CSS3) isn't standard since you have to do different things to get it to work.

I hope this makes sense to people.

Just because it's a component of the worlds most broken operating system doesn't make it widely used, or a standard, at all. Its not even a recommendation. ActiveX is a part of IE, yes, but it's not widely used, not even slightly, its also proprietary technology, which by definition excludes it from being a standard.

HTML, CSS and so forth are written recommendation which the majority of decent web developers use to make their websites accessible to everyone, and that is what makes them industry standards.

If a hack is required to make a PDF work on a different PDF reader, that doesn't make the PDF standard any less of a standard, it just makes the developers of the reader incompetent. The same applies to Internet Explorer and CSS. CSS is still the standard method of styling web pages, the hacks are required due to the [former] incompetence of the Internet Explorer designers.

m.keeley said,
Since when did you need a plugin for things to render correctly? You got a list of sites or are you just regurgitating rubbish you've read?

Well... for example, take the Acid 3 test with IE8... it pathetically fails

djesteban said,
Well... for example, take the Acid 3 test with IE8... it pathetically fails

Yeah. And take for exaple that recent XSS vulnerability in all Ruby on Rails sites (twitter for example)... IE8 (unlike Chrome) failed to be vulnerable too.

djesteban said,
Well... for example, take the Acid 3 test with IE8... it pathetically fails

And how many websites do you know that use any of the things tested in the acid3 test? Or even the acid 2 test for that matter?

/- Razorfold said,
And how many websites do you know that use any of the things tested in the acid3 test? Or even the acid 2 test for that matter?

Razorfold, do you understand the concept of standards and "proper" coding? That's what Acid test is about. Now answer your question. How many website use HTML codes?

RealFduch said,
...
HTML? Why do you have to use !non-standard! <element> tag for flash movies for Firefox, Chrome and Safary?
...

I think this is my favourite part of this post, mainly for the complete lack of understanding behind it.

(Hint: Firefox, like Safari, Chrome, Opera and even IE, uses the standard <object> tag)

brianshapiro said,
IE is progressing with standards support on the same timeline as every other browser, FF2 in many ways was no better than IE6 in meeting standards

That's the biggest load of BS I've ever heard.

Ever heard of something called the ACID test?

The_Decryptor said,

I think this is my favourite part of this post, mainly for the complete lack of understanding behind it.

(Hint: Firefox, like Safari, Chrome, Opera and even IE, uses the standard <object> tag)

No they use <embed> (not <element>) tag. Try use it on the webpage and it works in FF. FF inherited it from another non-standard monster (Netscape).

djesteban said,
Well... for example, take the Acid 3 test with IE8... it pathetically fails

Well, considering that CSS3 isn't a standard yet, I fail to see yours, or anyone else's reasoning behind it. When all the browsers support CSS 3 and can pass the acid 3 test then the acid 4 test will be out and you'll still be screaming "but IEx doesn't pass the acid 4 test." Truly pathetic.