Thursday, May 31, 2007

Faster Websites and the related PowerPoint deck presented in the first paragraph provide useful tips on perf optimization for your website.

The only tip I disagree with is #13, turn off ETags. The tip neglects the fact that (for IIS at least) you can have your servers use synchronized ETags to prevent the load-balancing problem.

Wednesday, May 30, 2007

Fiddler v1.3 Beta Released

This release is mostly a backport of Fiddler2 bugfixes. This may be the last release of Fiddler v1.x, since Fiddler v2.x is superior in almost every way.

Fiddler Inspector API: Breaking Change Notification

In the current version of Fiddler, the HTTPRequestHeaders and HTTPResponseHeaders objects are defined in a separate standalone assembly called Plugins.dll. This was done primarily as an ease-of-use mechanism for VS2003, which doesn't have a simple way to add references to types from an .EXE from inside the IDE.

That limitation was removed from VS2005, and hence if these objects are moved inside Fiddler.exe, there will be some minor performance gains, and some extensibility and ease-of-development improvements as well.

I plan to merge the Plugins.dll types into Fiddler.exe shortly.

Please let me know ASAP if you have written or distributed custom inspectors that you are unable to recompile to the new model.


Friday, May 25, 2007

Fiddler2 v2.0.9 now available

Version of Fiddler2 has been released.

  • Improved WebTest code
  • More explicit HTTP errors on malformed response
  • Support for HTTPS connection reuse
  • Support for upstream HTTPS gateway
  • Check for oSession["x-no-decrypt"] flag on HTTPS CONNECT sessions; if present, traffic in CONNECT is not decrypted
  • Fixed persistence of IgnoreServerCertErrors setting
  • Added FiddlerObject.UI.ResumeBreakpointedSession(oSession);
  • Improved Inspectors
  • Fixed Content-Length calculation for RequestBuilder-sent entity bodies that contain non-ASCII characters
  • Correctly handle drag/drop of .SAZ Session Archive files onto Session List
  • uriContains now correctly case-insensitive
  • Added new oSession["",""] indexer

Thursday, May 24, 2007

oSession["flags"] documentation

Check out for a complete list of flags that can influence Fiddler's handling of a session.

Wednesday, May 23, 2007

Fiddler2 Alpha now available

If you're interested in previewing the next version of Fiddler2, please give a try and provide me with feedback.

Fiddler2Alpha includes many bugfixes, new features, and improved HTTPS performance.



Friday, May 18, 2007

Internet Explorer Security Zones Arcana

The following is an interesting Internet Explorer issue that one of our MVPs recently noticed. He writes:

We have a group policy object that sets Zone Elevation to Prompt for the Local Computer Zone ("Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone/Web sites in less privileged Web content zones can navigate into this zone" set to "Enabled: Prompt"). We also have disabled the Local Machine Zone Lockdown (LMZL) for Internet Explorer (under Windows Components/Internet Explorer/Security Features/Local Machine Zone Lockdown Security).

When I subsequently visit, I’m prompted about zone elevation to “ieframe.dll” when I mouse over the “Children”, “Families”, etc. menu links on the left side of the page. What’s up with that?

Using Fiddler to view the HTTP traffic as I interact with the site, I don’t see any HTTP requests made as I hover over the menu. If there really is a navigation leading to Zone elevation, it’s not using the HTTP protocol.

At this point, I still don’t know much, but I’ve got a few hunches…

IE made a number of changes to URL handling in IE7, but I know that ieframe.dll contains the error pages that IE7 displays when a navigation fails. I suspect that the Zone elevation prompt is actually being triggered by the navigation to an error page. Unfortunately, even when I click to “Allow” the Zone Elevation, I don’t see an error page, so I can’t confirm my theory.

Now, another thing I know is that IE7 changed how Javascript-protocol URIs are handled. Specifically, we no longer allow the Javascript URI protocol to serve as an IMG source or navigation target. Hyperlinks are a special case; when a page includes a tag like <a href="javascript: runFn()">, IE7 will treat that HTML as if it were written <a href="#" onclick="runFn();">. This change helps simplify and reduce attack surface in the navigation codepath.

Using Fiddler’s “Find” feature to look for javascript: turns up, which contains the script:

document.body.insertAdjacentHTML("beforeEnd","<iframe id='"+BL+"' src='javascript: void 0;'

This may well be the source of the problem. Using Fiddler’s QuickExec box, I type bpafter menulib.js to set a response breakpoint at the download of the script file. Hitting CTRL+F5 in IE refetches the entire page and its resources, and Fiddler breaks into editing mode when menulib.js is downloaded.

Now, since I suspect that the javascript: void 0; is causing the problem, I change the script line to:

document.body.insertAdjacentHTML("beforeEnd","<iframe id='"+BL+"' src='about:blank'

... and click Fiddler’s “Run to completion” button to send my modified script to Internet Explorer. Mousing around the menus, I no longer see the Zone Elevation prompt.

So, I know how to fix the URI, but why would a Zone Elevation occur?

When you turn off LMZL, you also turn off the feature that forces all res:// URIs into the Internet Zone. The failed frame navigation to 'javascript: void 0;' navigates to an HTML resource inside IEFrame.dll using the RES protocol. Since IEFrame.dll is on the local machine, this results in a Zone Elevation.
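
An added example (not from the original post or the site's script): a small Node.js scanner that automates the "Find" step above, locating javascript:-protocol URIs used as frame or image sources and separating them from hyperlinks, which IE7 treats as onclick handlers. The function names and the sample script text are constructed for illustration; the rewrite mirrors the manual about:blank substitution.

```javascript
// Added example: flag javascript:-protocol URIs used as frame/image sources
// in HTML or in markup embedded inside script string literals.

// Matches <tag ... src|href = 'javascript:...' and tolerates an escaped
// quote (\" or \') as seen when markup sits inside a script string.
const ATTR_RE =
  /<(iframe|frame|img|a)\b[^>]*?\b(src|href)\s*=\s*\\?(["'])\s*(javascript:[^"'\\]*)/gi;

// Hyperlinks are the special case: IE7 handles href="javascript:..." like onclick.
function isHyperlink(tag, attr) {
  return tag.toLowerCase() === "a" && attr.toLowerCase() === "href";
}

// Returns one finding per javascript: URI, with a 1-based line number.
function findJavascriptUris(body) {
  const findings = [];
  for (const m of body.matchAll(ATTR_RE)) {
    findings.push({
      line: body.slice(0, m.index).split("\n").length,
      tag: m[1].toLowerCase(),
      attr: m[2].toLowerCase(),
      uri: m[4].trim(),
      risky: !isHyperlink(m[1], m[2]), // frame/image sources are failed navigations
    });
  }
  return findings;
}

// Replaces risky frame/image sources with about:blank; hyperlinks are left alone.
function rewriteFrameSources(body) {
  return body.replace(ATTR_RE, (match, tag, attr, quote, uri) =>
    isHyperlink(tag, attr)
      ? match
      : match.slice(0, match.length - uri.length) + "about:blank");
}

// Constructed sample input (not the real menulib.js).
const SAMPLE = [
  'var BL = "menuFrame";',
  'document.body.insertAdjacentHTML("beforeEnd","<iframe id=\'"+BL+"\' src=\'javascript: void 0;\'></iframe>");',
  'document.write("<a href=\\"javascript: runFn()\\">Run</a>");',
  'document.write("<img src=\'logo.png\'>");',
].join("\n");

for (const f of findJavascriptUris(SAMPLE)) {
  console.log(`line ${f.line}: <${f.tag} ${f.attr}> ${f.uri} ${f.risky ? "REVIEW" : "ok (hyperlink)"}`);
}
```
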

EricLaw at Orlando TechEd 2007...

I'll be giving a talk at TechEd 2007 and working the Internet Explorer booth. If you'll be at TechEd too, please stop by and say hello!

WEB323 The RSS Platform in Microsoft Internet Explorer: Pushing Out Rich Data to Your Users
6/4/2007 1:15PM-2:30PM N220 F
Internet Explorer 7 provides a rich RSS platform that you can use to push rich data out to your users. Many sites offer RSS feeds with simple text to their users, but most end users don’t know what that glowing orange button does, and fewer realize how they can use it to pull down their favorite Podcasts, VidCasts, and other rich media. Learn how to add RSS to your Web site, create simple list extensions that enrich the data you push out, how to include rich media in your feed, drive traffic to your site, get your users hooked on your content, and how you can create client-side applications that use the built-in platform.

Wednesday, May 16, 2007

Fiddler2 WebView Inspector Released

The WebView Inspector for Fiddler2 has been released.

Essentially, this simple inspector shows the HTML Response as it would appear when rendered by Internet Explorer.

Check it out here:

* Note: By design, the Inspector itself does not perform any downloads or fix up relative URLs, and hence pages viewed in the Inspector will often be missing images and stylesheets.

Meddler v2.0.4 released

Version 2.0.4 of the Meddler HTTP Generation tool has been released.

Learn more here:

Tuesday, May 15, 2007

SyntaxView 2.0.1

The SyntaxView v2.0.1 Inspector has been posted to

The only significant improvement is support for CSS highlighting.

Saturday, May 12, 2007

New Fiddler Beta v1.2.3.2

A minor new beta of Fiddler is now available. Please let me know if you encounter any problems. - Released 5/7/07
  • Rewrote WebForms and Hex Inspectors
  • oSession.uriContains is now correctly case-insensitive
  • Rewrote SampleRules.js to use uriContains rather than IndexOf
  • Added new oSession["REQUEST/RESPONSE/SESSION",""] indexer