Microsoft Security Bulletin MS02-023 and IFRAMES

From: Steve Armstrong (big.steve.arm@sympatico.ca)
Date: 05/31/02


From: "Steve Armstrong" <big.steve.arm@sympatico.ca>
Date: Thu, 30 May 2002 22:27:04 -0700


Hi,

This is in reference to the following patch:

Microsoft Security Bulletin MS02-023

15 May 2002 Cumulative Patch for Internet Explorer
(Q321232)
Originally posted: May 15, 2002

and its effect on Outlook's display of IFRAMES. Since
HTML e-mail is in the Restricted Zone by default, and
IFRAMES are now disabled for Restricted Zone content,
IFRAMES are not being displayed within Outlook mail. In
other words, IFRAMES are now being ignored, which is fine.

However, if you read the HTML 4.01 Specification, the
section on IFRAMES in particular (see
http://www.w3.org/TR/html4/present/frames.html#h-16.5) you
will see the following (and I quote):

The *contents* of the IFRAME element, on the other hand,
should only be displayed by user agents that do not
support frames or are configured not to display frames.

Outlook is not adhering to the spec and hence is not HTML
4.01 compliant. If I put an IMG tag as the content of an
IFRAME tag, then Outlook, as a user agent that is
configured not to display IFRAMES, should show the image.
It does not, and hence I believe this to be a bug in the
aforementioned patch. If MS is going to configure Outlook
not to display IFRAMES by default, then to adhere to the
HTML spec, they *must* process the HTML that is given as
the content (i.e., the body) between the start and end
IFRAME tags.

Any way that this can be logged as a bug?

Thanks,
-Steve
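
The two behaviours discussed in the message above, as an added example that is not part of the original post and not Microsoft's code: a small re-serialiser that never loads IFRAME targets and either keeps the element's fallback content (the HTML 4.01 section 16.5 reading quoted in the post) or drops it (the behaviour the post reports). The names FrameUnwrapper, render_without_frames and SAMPLE, and the sample body, are constructed for illustration; fallback markup that is kept is still untrusted message HTML and gets the same restricted handling as the rest of the mail.

```python
from html.parser import HTMLParser

class FrameUnwrapper(HTMLParser):
    """Re-serialise HTML without IFRAME elements (comments are dropped)."""
    def __init__(self, show_fallback):
        # convert_charrefs=False: entities arrive separately, re-emitted as-is
        super().__init__(convert_charrefs=False)
        self.show_fallback = show_fallback
        self.depth = 0      # > 0 while inside an IFRAME element
        self.out = []
        self.dropped = []   # SRC of each frame that was not loaded
    def _emit(self, text):
        if self.depth == 0 or self.show_fallback:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.depth += 1
            self.dropped.append(dict(attrs).get("src"))
        else:
            self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag != "iframe":
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "iframe":
            self.depth = max(0, self.depth - 1)
        else:
            self._emit("</%s>" % tag)

    # Depending on the Python version, html.parser may deliver IFRAME content
    # as raw text or as parsed tags; re-emitting both gives the same output.
    def handle_data(self, data):
        self._emit(data)
    def handle_entityref(self, name):
        self._emit("&%s;" % name)
    def handle_charref(self, name):
        self._emit("&#%s;" % name)

def render_without_frames(html, show_fallback=True):
    parser = FrameUnwrapper(show_fallback)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample message body (not from the original post)
SAMPLE = ('Hello <b>team</b>,<IFRAME SRC="http://example.invalid/frame.html">'
          '<IMG SRC="logo.gif" ALT="Logo"></IFRAME> bye &amp; thanks')
```

The second return value lists the frame sources that were not fetched, which is the part a mail gateway would log.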