Internet Explorer 8 was released last week at MIX09. It’s likely many users may already be running either the RTM version or one of the earlier betas.
IE 8 is more secure than previous versions (see Stay Safer Online for a list of IE8’s security features), including some of the default settings. Here’s one of those changes and how it may impact your OWA users (and potentially result in a helpdesk call).
A user gets an HTML message with images. When viewing the message in OWA, the user sees missing images, as shown below:
Instead of this:
Is that the web beacon and form filtering feature of OWA 2007 at work?
OWA 2007: Web beacon and form filtering
Web beacons (aka “web bugs”) are very small, transparent image files in web pages and HTML email. These ‘invisible’ images are commonly used by web sites to track visitors, along with cookies. When you inadvertently download such an image in an HTML email message, it calls home and tells Mr. Spammer: “I made it! The email address is valid, and someone even viewed the message!”
In Exchange 2007, OWA blocks web beacons, and displays the following prompt inline in the information bar (where header information such as subject, sender, recipient, and timestamp are displayed).
If users determine the message is from a trusted sender and safe to open, they can unblock the blocked content by clicking on the “Click here” link in the information bar (highlighted in Figure 3 above).
Web beacon and HTML form filtering behavior can be controlled for an OWA virtual directory. Use the Set-OwaVirtualDirectory cmdlet to toggle the FilterWebBeaconsAndHtmlForms property, as shown in How to Control Web Beacon and HTML Form Filtering for Outlook Web Access.
But you don’t see the familiar click here link in the message!
The Tale of The Two Prompts
You’re accessing OWA (or any other web page for that matter) over a secure HTTPS session. The page has images or other unsecure content (not unsecure as in malicious content, but the content is accessed using HTTP) it wants the browser to display. The first time the browser faces this scenario, it sends alarm bells ringing. It warns you, the user almighty, and asks you what you wish to do.
You may even remember the IE prompt— even if vaguely so. Yes, the one you dismissed by clicking the “Yes” button, without giving it any thought? Afterall, what harm could a lowly web page do to your highly secure computer?
In IE8, the prompt has been reworded, and the choices reordered. Here’s what the shiny new prompt looks like.
As you can see, users instinctively clicking the “Yes” button continue to be protected by Internet Explorer 8. They do not end up in an insecure state! Moreover, the dialog is clearer and more informative, compared to the one found in previous versions of IE. Here’s the dialog from IE 7: