What I’d like to see in IE12

As the holidays approach, I’ve decided to publish my “wishlist” for the next version of Internet Explorer. I’ve been pretty good this year, so hopefully the IE team will deliver some of these presents. :-)

Please remember: I’m just an MVP, and I don’t have any magic powers that would guarantee that any of my wishes come true.

Update: In April 2014, the IE team launched http://status.modern.ie, which provides an overview of IE feature support including a roadmap for new feature implementation. You can add suggestions and vote on them using the WebPlatform UserVoice and the Browser Interface UserVoice.

New Feature Support

1. HSTS: HTTP Strict-Transport-Security is a relatively simple feature that allows a site to demand that all accesses take place over a secure (HTTPS) connection, with no certificate errors. This feature can be weakly emulated by pinning a site in IE8 or later, but that requires user-interaction and doesn’t cover all scenarios. All major competitive browsers now support this feature. Update: In Development

2. Support HTTP2.0 on Windows 7. Support for this newer/faster replacement for the aging HTTP/1.1 protocol was brought to Windows 8.1 with IE11 but IE 11 users on Windows 7 were left out, presumably due to the platform dependencies required to support the new protocol (e.g. it requires changes in SChannel to allow NPN/ALPN extensions in the TLS handshake).

For bonus points, I’d love to see a way for .NET applications to be able to negotiate SPDY/HTTP2 connections (even if it requires a native PInvoke) as this would dramatically simplify adding support for these protocols to Fiddler.

3. Server-Sent-Events. SSE allows JavaScript to very simply collect and process a stream of messages from a server. The unidirectional stream is simpler than WebSockets and the programming model is convenient for JavaScript programmers. This feature overlaps others (e.g. XHR with streaming, WebSockets) and thus is just syntactic sugar, but it’s oh-so-tasty syntactic sugar. Update: Under consideration

4. Developer Tools Support for P3P. Today, IE is the only browser that supports the P3P privacy-protection standard, and as a consequence web developers often encounter problems with it. Today, IE's developer tools do not warn the developer if their cookies are being impacted by P3P and thus they often assume that IE is somehow “broken” when it is behaving as designed. Note: It would actually be great to see this for ALL security features; for instance, F12 could help debug problems where sites have been blocked by X-Frame-Options. Update: P3P Appears to be gone entirely in Windows 10 Preview

5. Native Dictionary. IE added spell-checking in version 10, but the Kindle and Mac browsers have gotten me addicted to being able to quickly get a definition for any word on a webpage. The legacy Accelerators feature could have been a way to get this, but it requires configuration and is not nearly as seamless as the native feature in other products.

6. Preserve-3d support. Basically everyone else supports this, and the workarounds for lack of support are awkward. Update: In Development, Shipped in Win10 Preview

7. An off-by-default option to disable (or require confirmation for) the use of the backspace key as a back button. Some users hate this feature (there are many bugs on CONNECT) and even developers inside the IE team have complained that there's no way to turn this off. Tracked as UserVoice here.

8. A UI option to enable warning the user if Certificate Revocation checks fail to complete. Today, incomplete checks are silent and this makes certificate revocation checks unsuitable for handling key-compromise revocations like the many thousands of revocations caused by HeartBleed. By default, IE should also downgrade any EV site which does not complete revocation checks by removing the green bar. Beyond exposing the "Warn on revocation incomplete" option in the UI, IE/SChannel should support the MustStaple flag for certificates.

Bug Fixes

1. When IE8 introduced the postMessage API, it had a bug whereby you could not use the API to communicate between browser windows. This bug is now over four years old and is an interoperability problem. It needs to be fixed.

2. When IE8 introduced the localStorage API, it had a bug whereby you could not use the API to share data between browser sessions. This bug is now over four years old and should be fixed.

3. Over the years, we thought we fixed most of the “Cannot SaveAs an image in its native format” bugs, and offered a “Save As PNG” option for the corner cases. Recently, an IE user discovered that the SaveAs code cannot handle URL fragments in the image URL and hits the fallback codepath unnecessarily. This should be an easy fix.

4. A customer recently uncovered a bug whereby, if a server sends two instances of a cookie on a single response (one a session cookie and one a persistent cookie) it’s possible that both cookies will be immediately discarded (test case). This is clearly a corner case (servers shouldn’t be doing this and should be fixed) but this should be straightforward to fix.

5. In IE10, we updated IE to behave like other browsers when following redirects when the original URL contained a fragment. However, a corner-case was missed and IE10/IE11 do not behave the same as other browsers when a chain of two or more redirects is processed and one of the redirects in the middle introduces a URL fragment.

6. IE11 introduced a regression where users InPrivate can be unmasked. This is a regression from IE10 and should be fixed. Update: This was quietly fixed in a monthly update.

7. IE10 introduced a regression where proxy settings changes are lost. This is very irritating for Fiddler users and impacts other customers too. Still repros in Windows 10 Preview.
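For the redirect case in item 5 above, an added JavaScript example (not from the original post) that resolves a redirect chain using the fragment rule in RFC 7231 section 7.1.2: a `Location` without a fragment inherits the fragment of the URL that produced it, and a `Location` with its own fragment replaces it. The function names and the sample hosts are constructed for illustration.

```javascript
// Resolve a redirect chain hop by hop, carrying the fragment forward as
// RFC 7231 section 7.1.2 describes. `locations` holds each response's
// Location header value in order (constructed sample input, not captured traffic).
function resolveRedirectChain(startUrl, locations) {
  let current = new URL(startUrl);
  const hops = [current.href];
  for (const location of locations) {
    // Relative Location values resolve against the URL that returned them.
    const next = new URL(location, current);
    // No fragment in Location: inherit the one currently in effect.
    // A fragment in Location (even mid-chain) wins from that hop onward.
    if (!location.includes('#')) next.hash = current.hash;
    current = next;
    hops.push(current.href);
  }
  return hops;
}

// Interop check for a test harness: compare the URL a client actually ended
// up on with the one the rule above predicts.
function finalUrlMatches(observedFinalUrl, startUrl, locations) {
  const hops = resolveRedirectChain(startUrl, locations);
  return new URL(observedFinalUrl).href === hops[hops.length - 1];
}

// The corner case from the post: the middle redirect introduces a fragment.
const SAMPLE_CHAIN = ['/step1', 'https://b.example/step2#mid', '/final'];
```

Running `resolveRedirectChain('http://a.example/start#orig', SAMPLE_CHAIN)` shows `#orig` carried through the first hop and `#mid` carried from the second hop to the final URL.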

I suspect I’ll be adding to my wishlist over time. If you have succinct straightforward suggestions for additions, please sound off in the comments below!

Update: Below, Chris Love makes an important point: the IE team has an official feedback mechanism at connect.microsoft.com. Also, I'm not looking for a laundry list of "Here's a bunch of proposal/spec hyperlinks, Go!" The IE Engineers are aware of all of the popular sites (CanIUse, etc.) and track virtually all of the public specifications. The point here is to provide feedback on the things that we think may have been overlooked, or which may be more important than they initially appear. The best suggestions explain why you think the feature in question is not only valuable, but more valuable than anything else with a similar development cost.


PS: Perf Guru Steve Souders recently posted his Browser Perf Wishlist.