Must ... not ... throw ... HTML ... stones

January 12 2007

I'm well aware that people who live in glass houses shouldn't throw stones.  But anything I write about this is a mere pebble compared to the comments on today's most "dugg" story (2762 diggs at this moment):

As I type this post I still can't believe it. I'm literally stunned. If you haven't already heard, I'm talking about the recent news that Outlook 2007, released next month, will stop using Internet Explorer to render HTML emails and instead use the crippled Microsoft Word rendering engine.
It's interesting to think about this in the context of Notes 8, which moves for the first time to use an embedded browser control to render HTML e-mail.  Microsoft's claim appears to be that this move is in the interest of security, so that IE vulnerabilities can't be exploited through Outlook e-mails.  Guess they really need that execution control list model.

Some have also suggested that Microsoft is looking to further the lock-in integration among the components of Office 2007.  And I'm sure it's no coincidence that the Exchange 2007 CAL no longer entitles use of Outlook stand-alone...looks like you'll be buying a full Office license even for those e-mail only users now.

Additional link: WebProNews: Kiss your CSS goodbye with Outlook 2007 >

Ed Brill Highland Park, IL USA Category:  Microsoft  Add/View Comments [21]

Post a Comment

  1. 1  Volker Weber http://vowe.net/about | 1/12/2007 7:44:11 PM

    So you think it is a good idea that Notes 8 and Sametime 7.5 use Internet Explorer to render HTML?

  1. 2  Rob McDonagh http://www.CaptainOblivious.com | 1/12/2007 8:32:20 PM

    Put me down as *not* thinking it's a good idea. We call it "Internet Exploder" for a reason...

  1. 3  Lee Davis  | 1/12/2007 9:26:46 PM

    This is real problem for Microsoft; surprising since IIRC better security was a bullet point for IE7. And Notes is better. yada yada.

    OTOH, I have always been skeptical of the embedded browser control, only if the control was IE. ( Embedding Mozilla/Firefox or WebKit/KHTML could get a safe, cross-platform, reasonablely compliant solution. )

    1) IE is the least standards-compliant browser.

    2) IE is the least secure

    3) IE is the least cross-platform

    Does this mean the ironical situation that for some of the security bugs in IE, that Outlook will be less vulnerable to the IE holes than Notes clients? E.g. If there is yet another buffer-overflow in IE, then I do not see how ECLs are going to protect that.

    IBM has always been cautious is the polite word regarding supporting new things, due to QA among others. But doesn't this mean that at least once a month Windows Update will run and new code will change a component of N8 and how the mail in Notes is rendered. E.g., the Eolas changes went into IE?

    If IBM is going to have to come up with solutions that do not involve embedded IE for linux and Mac, then wouldn't one of those solutions work for Notes on Windows as well?

    The public perception that IE is unsafe and if Outlook does not use it and Notes does, then ... I am not sure if this is deliberate on Micrososft's part. But it is hard to make the case that there is justice in Life since the deficiencies in IE are Micrsoft's responsibility.

    Oh well, it is what it is and I will just have to trust IBM's solution.

  1. 4  Henry Ferlauto http://www.geniusinside.com | 1/12/2007 10:53:32 PM

    With IBM embracing so many open standards, one has to ask aloud (read: Ed - Please tell us the official company line) why IBM does fully embrace Mozilla?

    It's great to see support for Firefox with DWA/iNotes and other Lotus products; but why isn't Firefox given at least equal footin

  1. 5  Nathan T. Freeman http://www.openntf.org/nathan/escape.nsf | 1/13/2007 7:45:56 AM

    @3 - "E.g. If there is yet another buffer-overflow in IE, then I do not see how ECLs are going to protect that."

    They need the ECL in IE, is what I think Ed meant.

    Actually, they have it. It's called Zones. But hardly anyone uses it. Because they mostly just click on "yes" all the time when prompted.

    @1 - if Notes 8 will ONLY use IE to display HTML email, then no, this is a terrible thing. But given that there's a Linux client for Notes 8, ONLY using IE would be impossible. Unless they're just not going to render it on that platform.

  1. 6  Scott Gentzen http://www.scottandmargo.net | 1/13/2007 9:07:07 AM

    Am I the only one that prefers to not have HTML formatted email?

    I use Outlook 2003 at work and my default sending format is plan text. Sometimes I switch to rich text if what I'm writing is better present bulletized. All received messages are converted to plain text for display. Sometimes I have to convert a message back, but at least 99% of my work email is written, sent viewed and replied to in plain text. I don't have to worry about how some folks' stationery makes their email unreadable among other things.

    At home when I was on linux, I used Silpheed which did this text conversion as well. Now on the Mac, I dont' think Mail.app does this, but it does a pretty good job of making inbound HTML emails harmless if sometimes less than readable. I don't think my messages out are going plain text but I don't do any formatting to them so they'll come out OK if they're read that way.

  1. 7  Kurt B http://www.onthehoist.com | 1/13/2007 9:57:28 AM

    If you look at this from an end-user's standpoint that's where it will get messy. Until now HTML e-mails have worked very well in Outlook, better than in Notes. In our shop one of the most common complaints is about this issue. Well now we won't be alone as it will happen to Outlook users as well. Word HTML rendering? Coming from a development background that just hurts. Microsoft's own KB entries show how poor the formatting support will be.

  1. 8  John Head http://www.johndavidhead.com | 1/13/2007 11:19:22 AM

    Maybe Microsoft thinks this is a way to push the OpenXML formats that come with Office 2007?

  1. 9  Richard Schwartz http://www.rhs.com/poweroftheschwartz | 1/13/2007 11:30:08 AM

    @5: Just to be clear, and ECL (or any other type of sandbox approach) in IE would still give no protection against buffer overflows.

  1. 10  Volker Weber http://vowe.net/about | 1/13/2007 1:05:18 PM

    Nathan, I rephrase the question for you:

    So you think it is a good idea that Notes 8 and Sametime 7.5 use Internet Explorer to render HTML on Windows?

  1. 11  GarryL  | 1/13/2007 3:35:19 PM

    I think that using IE on Windows was probably one of those good-idea-at-the-time thoughts. Must admit to being very surprised and thought the same as probably many others - why not Mozilla?

    Its open sourced, has a good reputation and IBM has already nabbed the OpenOffice code for the productivity tools (Workplace Rich Client / Notes 8), so it is a really odd, almost inconsistent (given their warmth towards open source), lazy? decision.

    I think that at some point IBM change this. Probably waaay to late for 8.0 though.

  1. 12  Keith Brooks http://kbmsg.blogspot.com | 1/13/2007 5:56:10 PM

    C'mon Volker, IBM knows its clients all use IE, for better and worse.

    The ones that do allow alternatives, well, you can never make them happy anyway.

    But if Lotus could code it like they do for browser links so you can "choose" your rendering not just in html but in "select your brwoser type" that would be very cool.

  1. 13  Giuseppe Grasso http://www.dominopoint.it | 1/13/2007 6:06:10 PM

    it's on slashdot too { Link }

    and here's some details form MS:

    { Link }

  1. 14  Bill Geimer  | 1/14/2007 12:47:34 AM

    Makes one wonder what the Mac 8.0 client will use for html.

  1. 15  axel  | 1/14/2007 1:48:58 PM

    Why is Lotus yet heavily coupled to IE in some of its products?

    Because in a certain period of time IE was much better than netscape and Mozilla not there yet. During that time maybe the same people who now cry out "Why IE" were rudely calling for "more modern design of Webstuff". And that meant IE at that time.

    If the Lotus labs would have told them: You get your nice IE stuff, but we need 6 month more to shield our code against the proprietary IE usage to adopt other browsers more quickly in the future, the very same complainers would have shouted: "I need it now, now, now. You understand nothing about the tuff business realities".

    Ahhh. So many opinions about whats wrong and so few hands.

  1. 16  Kerr  | 1/14/2007 5:08:19 PM

    Eclipse has a component for an embedded browser. Different host platforms have different browsers defined as the embedded browser. On Windows this is IE, for better or worse. There is quite a lot of discussion about allowing Firefox (or some Mozilla flavour) to act as the embedded browser control in Eclipse on windows at some time in the future.

    Is Notes 8 going to be using the eclipse embedded browser control?

  1. 17  Nathan T. Freeman http://www.openntf.org/nathan/escape.nsf | 1/14/2007 5:27:18 PM

    "So you think it is a good idea that Notes 8 and Sametime 7.5 use Internet Explorer to render HTML on Windows?"

    Could your baiting be any more obvious? ;-)

    I think it's a good idea that Notes 8 and Sametime 7.5 use browser-of-choice of the user/adminitrator to render HTML on Windows (or any platform for that matter.)

    Any other implementation is a decidedly NOT a good idea -- even if it's Mozilla on all platforms, but without giving choice.

  1. 18  axel  | 1/15/2007 1:24:54 AM

    In Eclipse community the strict coupling between OS and the Browser construction has been a contentious issue. Actually it appears to have been filed as a bug in their bugzilla.

    Here is the bug including discussion of the swt-browser widget for Eclipse.

    https://bugs.eclipse.org/bugs/show_bug.cgi?id=79213

    Actually there are Eclipse plug-in projects which embed Mozilla in Windows. After 2006-01-10 12:52:01 the discussion gets more interesting. The AJAX Toolkit Framework (aditional plug-ins) seems to support embedding Mozilla in Windows since 2006.

    They talk about including it in swt propper in 3.3 timeframe (which means that by their rules MAC OS must be supported too).

    Confusing. But they are moving.

  1. 19  Kevin Mort  | 1/15/2007 7:56:50 AM

    I personally dislike HTML email for a number of reasons, and since I don't use Outlook I could care less if they break or cripple support for it in Outlook 2007.

    In fact if MS does manage to bust it, and overall use of the HTML formatted mail drops because of that, then I can't say I would have any complaints.

    K.

  1. 20  Axel Janssen  | 1/15/2007 11:28:31 AM

    ... and I wanted to contribute no other but:

    a) its important that notes8 user org may choose Mozilla / IE as they like no matter which os.

    b) you can't say, that eclipse platform can't support it. Actually according to a Eclipse bugzilla the issue is adressed to be fixed for the Eclipse 3.3 timeframe.

    c) in the discussion of bug 79213 some well known people have highlighted the importance of the issue (Ed Burnette, Stefan Mathias Aust) and quite of bunch of duplicates appeared, which is allways a good indicator for the importance of a bug.

  1. 21  Ed Brill http://www.edbrill.com | 1/17/2007 9:37:29 AM

    In followup to all of this, the rendering in Notes 8 mail that uses the embedded browser can be turned off through an INI variable. (Credit Nathan Freeman for asking in the design partner feedback forum)