1 Reply Latest reply on Jul 23, 2013 3:29 AM by asabban

    Injecting a modified Compatibility View List for IE10

    oliver.huf

      Aloha!

       

      While planning our migration to Internet Explorer 10 we came across the IE10 Compatibility View List (iecvlist.xml).

      It's a Microsoft-maintained XML file that's listing "special" sites which require IE10 to downgrade itself to it's "former self" - e.g. IE9/8/7.

      As of this month, the URL is http://iecvlist.microsoft.com/IE10/1152921505002013023/iecompatviewlist.xml

       

      The .xml is being pulled during browser startup from a non-configurable URL with Microsoft.

      The plan is, to tap into the browser request and to have MWG inject a modified version of that xml file, enriched with our own domain list.

      The rule set looks a lot like the proxy.pac distribution rule (it was derived from that one).

       

      The injection works quite well, with one considerably heavy backdraw: whenever IE tries to access the URL via https, I will only see the CONNECT on MWG's troubleshoot log (yes, we're using MWG 7.3.2).

      So it seems that IE somehow checks the validity of the URL even before it requests the file itself!

      The same request works pretty well with Firefox. (I agree: that's a pretty useless exercise :-) )

       

      So has someone tried something like this? Any hints on how to force IE to load the file?

      I'll appreciate your comments...

       

      Oliver.

       

      BTW: I will be glad to post the exported rule set as soon as I find out how to remove company-sensitive information (like the loghandler definition) from the rule export file.

      McAfee _ Web Gateway_1.jpg

      McAfee _ Web Gateway_2.jpg

      McAfee _ Web Gateway_3.jpg

        • 1. Re: Injecting a modified Compatibility View List for IE10
          asabban

          Hello,

           

          when you only see the CONNECT request in the logs, what is the status code shown? When only the CONNECT is visible it is possible that SSL Scanner is not executed to terminate the SSL tunnel. The SSL tunnel needs to be terminated before you can see URLs in the logs, and before this happens the rules won't be executed since MWG does not see the "URL" specified in your rules but only the host name.

           

          Can you check that SSL is really decrypted? There must be an "enable content inspection" setting which is called for this URL when the browser accesses it. It is still possible that the browser validates the server certificate... in this case you won't have a chance to put in your own list.

           

          A rather simple alternative may be this approach: Create a list of URLs you want the compatibility mode for. When such a URL is called add a custom "X-UA-Compatible" HTTP header which enabled compatibility view for this URL. This should do the trick as well :-)

           

          Best,

          Andre