• 1. London, UK
  • 2. New York, NY
  • 3. Sydney, Australia
  • 4. Melbourne, Australia
  • 5. Moscow, Russia
  • 6. Singapore
  • 7. Paris, France
  • 8. Chicago, IL
  • 9. Hong Kong
  • 10. Houston, TX

Tuesday, March 24, 2009

 

Internet Explorer 8 and OWA: Where Are The Images?

Posted by Bharat Suneja at 10:49 AM
Internet Explorer 8 was released last week at MIX09. It's likely many users may already be running either the RTM version or one of the earlier betas.

IE 8 is more secure than previous versions (see Stay Safer Online for a list of IE8's security features), including some of the default settings. Here's one of those changes and how it may impact your OWA users (and potentially result in a helpdesk call).

A user gets an HTML message with images. When viewing the message in OWA, the user sees missing images, as shown below:

Screenshot: An HTML message with missing images in Outlook Web Access
Figure 1: An HTML message rendered in OWA with missing images

Instead of this:

Screenshot: An HTML message with images in Outlook Web Access
Figure 2: HTML message with images rendered in OWA

Is that the web beacon and form filtering feature of OWA 2007 at work?

OWA 2007: Web beacon and form filtering

Web beacons (aka "web bugs") are very small, transparent image files in web pages and HTML email. These 'invisible' images are commonly used by web sites to track visitors, along with cookies. When you inadvertently download such an image in an HTML email message, it calls home and tells Mr. Spammer: "I made it! The email address is valid, and someone even viewed the message!"

In Exchange 2007, OWA blocks web beacons, and displays the following prompt inline in the information bar (where header information such as subject, sender, recipient, and timestamp are displayed).


Figure 3: The web beacon and form filtering feature displays a prompt in the information bar to allow user to unblock content

If users determine the message is from a trusted sender and safe to open, they can unblock the blocked content by clicking on the "Click here" link in the information bar (highlighted in Figure 3 above).

Web beacon and HTML form filtering behavior can be controlled for an OWA virtual directory. Use the Set-OwaVirtualDirectory cmdlet to toggle the FilterWebBeaconsAndHtmlForms property, as shown in How to Control Web Beacon and HTML Form Filtering for Outlook Web Access.

But you don't see the familiar click here link in the message!

The Tale of The Two Prompts
You're accessing OWA (or any other web page for that matter) over a secure HTTPS session. The page has images or other unsecure content (not unsecure as in malicious content, but the content is accessed using HTTP) it wants the browser to display. The first time the browser faces this scenario, it sends alarm bells ringing. It warns you, the user almighty, and asks you what you wish to do.

You may even remember the IE prompt— even if vaguely so. Yes, the one you dismissed by clicking the "Yes" button, without giving it any thought? Afterall, what harm could a lowly web page do to your highly secure computer?

In IE8, the prompt has been reworded, and the choices reordered. Here's what the shiny new prompt looks like.

Screenshot: Internet Explorer 8 prompt when accessing insecure content over a secure session
Figure 4: Security warning in Internet Explorer 8, clearly informing users about blocked content, and the potential security impact of displaying such content

As you can see, users instinctively clicking the "Yes" button continue to be protected by Internet Explorer 8. They do not end up in an insecure state! Moreover, the dialog is clearer and more informative, compared to the one found in previous versions of IE. Here's the dialog from IE 7:

Screenshot: Internet Explorer 8 prompt when accessing insecure content over a secure session
Figure 5: The 'Security Information' prompt in Internet Explorer 7, prompting users about nonsecure items

Labels: , , ,

4 Comments:

June 17, 2009 12:35 PM
Anonymous Anonymous said...

Is there a way for IE8 to allows show both secure and nonsecure content?

 
August 3, 2009 1:25 PM
Anonymous Anonymous said...

This is the most annoying thing in IE8. I hate being constantly asked if I want to view all content - I do not need to be babysitted. I would rather get the occasional virus and have to reformat my harddrive and re-install my OS than constantly be annoyed by not seeing the content I want to view.

 
October 13, 2009 8:18 AM
Anonymous Anonymous said...

You'd rather risk losing your data than be annoyed? That's certainly one way to look at it.

 
March 11, 2010 3:10 AM
Anonymous Anonymous said...

http://blogs.msdn.com/askie/archive/2009/05/14/mixed-content-and-internet-explorer-8-0.aspx

 

Post a Comment

Links to this post:

Create a Link

<< Home