IE8 and that meta tag

Ben wrote "X-UA-Compatible: let sleeping intranets lie?", which was the post I wanted to write about browser version switching, because it is all about intranets and their applications and nothing about the internet. So after writing a long reply on Ben’s blog, I decided to expand/express my views here.

I understand the business implications of why browser version switching is being done: Microsoft needs to do it to keep the big players (Oracle, IBM etc.) in the intranet and related web application market happy. I just do not agree with the implementation and its implications for all future users of IE8.

It would be better if IE8 had all its features turned on by default, and in a corporate environment the administrators could select which sites must be treated like IE7 (much like selecting which sites bypass the proxy settings). If MS wanted better uptake of IE8, then an option to treat sites like IE6 would be a big selling point. A large number of corporate environments like our office are still on IE6 because of payroll and finance systems (they do not work in IE7).

IE8 or later should not default to IE7 if that meta tag is not present, because that could cause security issues for all users. Suppose a flaw/exploit of IE7 is found: it could easily be fixed in the IE8 or IE9 engine, but you can’t fix the IE7 engine because that will break IE7 intranets (history lesson: the improved security features of IE7 are one reason many places are still with IE6).

So all IE8+ users will be put at risk, because any web page without a specific meta tag will behave like IE7 and have all its security issues. And people who want to exploit that issue just forget to include that meta tag ;-)

A better way would be to let users or IT administrators decide which sites are treated as the old-school, lower-security version, and everything else gets the high-tech, high-security version. Who cares if it is a few pixels out on rendering as long as it works and is secure?
