From: Ashley Sheridan
> On Wed, 2010-02-10 at 10:17 -0500, Bob McConnell wrote: 
>> From: Robert Cummings
>>> Lester Caine wrote:
>>>> James McLean wrote:
>>>>> On Wed, Feb 10, 2010 at 2:26 PM,  <clanc...@cybec.com.au> wrote:
>>>>>> On Thu, 04 Feb 2010 02:39:03 +0100, joc...@iamjochem.com (Jochem Maas) wrote:
>>>>>>> as for using IE6 ... WTF ... you do realise this is essentially a
>>>>>>> web developers mailing list right?
>>>>>> The interesting things in my websites go on behind-the-scenes, in
>>>>>> the PHP, and produce relatively straightforward HTML. I have
>>>>>> avoided the well-known bugs in IE6, and think my webpages display
>>>>>> correctly on any of the modern browsers, but as Microsoft delights
>>>>>> in rearranging everything in every update, and making the features
>>>>>> you need ever harder to find, I stick to IE6 for my everyday work.
>>>>> Wow. Ignoring the issue that IE6 will soon be EOL (finally), and
>>>>> ignoring how bad it is at handling anything even remotely modern,
>>>>> your workstation must be a haven for virii, spyware and malware...
>>>>> IE6 has just about the worst security track record out there, at
>>>>> least on the desktop anyway.
>>>>>
>>>>> If you must have IE6 for whatever reason, stick it on Windows
>>>>> installed on a VM and upgrade your main workstation browser to
>>>>> something more recent. At least a VM can be backed up at a
>>>>> known-good point and if^H^Hwhen it gets compromised it can be
>>>>> deleted easily and replaced with your backup.
>>>>>
>>>>> I'll make it easy for you: http://www.getfirefox.com :)
>>>> 
>>>> Since a large section of our USER base is still tied to W2k and does
>>>> not have access to install other software, the call for IE6 to die
>>>> is STILL somewhat premature!
>>>> What is needed is someone to kick M$ to sort the mess out by at
>>>> least allowing IE8 to install on W2k machines, rather than telling
>>>> hundreds of councils they have to replace ALL their computers :(
>>>> 
>>>> The alternative is to convince M$ controlled councils that Firefox
>>>> is OK and that using it will not invalidate their contracts - but
>>>> then all the work currently being done to convert legacy setups to
>>>> work with *IE7* would have to be scrapped and reworked on Firefox.
>>>> Many of my customers have only just got funds to start an *IE7* roll
>>>> out! Redoing all that work for IE8 is yet another problem for which
>>>> money is not available.
>>> 
>>> Microsoft WANTS them to spend money upgrading... that's the point of
>>> questionable feature enhancement and the breaking of file formats so
>>> that older software can't read it properly. If the councils really
>>> want to save money they'd move to Linux. As for "all the work being
>>> done to convert legacy setups to work with IE7"... this is the WRONG
>>> philosophy... it should be "all the work being done to convert legacy
>>> systems to work with Standards" with a little bit of "with IE7
>>> compatibility layer on top". The target is standards, that way in the
>>> future they aren't locked in still.
>> 
>> Our SOP is to generate standards compliant pages, validate them with
>> Firefox and the HTML Validator add-on, then deal with the deviant
>> browsers. It's a lot less work than trying to do it the other way
>> around. There are a few minor issues, such as W3C still refusing to
>> allow the autocomplete attribute for forms, while PCI requires it. But
>> those are few and far between.
> 
> The W3C validator rejects that autocomplete attribute because it still
> isn't in any valid standard. Some browsers have introduced it, and PCI
> requires it to be there for browsers that recognise it, but it's not a
> good security feature, as browsers don't have to honor it and they can
> still claim standards compliance. It's a good attribute though, and
> makes sense in many situations, so it probably should be included in
> the standards I think.

I understand why the validator acts the way it does, I just don't
understand why W3C acts the way it does. They started out documenting
what browsers do, and calling that the standard. Now they seem to think
they are above that and can dictate to the browser developers what they
should do. That's bass ackwards, and completely unreasonable. They
should still be documenting the best practices as they evolve in the
browsers and incorporate them into the standards. In the case of
autocomplete, they need to document what it should be doing in order to
be a real security feature and require browsers actually do that for
compliance. The current state where it simply provides security theatre
is untenable.

Yes, I have already lost that argument here. The PCI auditors have a lot
more leverage than I do.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)