Google, stop sticking your Chrome Frame in my IE!

IE Chrome Logo mashup

In September, Google announced they were developing a plugin for Internet Explorer that would provide the ability to render a page with Google Chrome if it contains a tag from the web developer noting their desire for you to use it. Why would developers choose to do this? Google argues it drags Internet Explorer kicking and screaming into the future by enabling a faster JavaScript rendering engine, HTML 5, and better CSS and layout handling.

As I began to look into the technological underpinnings of this move alarm bells sounded deep within the security center of my brain. Pages that use this tag will bypass add-ons designed to consume content from the IE rendering engine. Viewing pages through Chrome Frame effectively disables add-ons like our Sophos Web Content Scanning add-on that are designed to secure a user’s browsing experience.

I wasn’t the only one concerned, as a lot of press mentioned Microsoft’s reaction, and even browser rival Mozilla’s two cents. Immediately we began to receive inquiries from customers as well.

Colin Coulter from animation company Aardman contacted us requesting we add Chrome Frame to our controlled applications list. John Stringer, our product manager who oversees our application list, has notified me that we will in fact be adding this plugin to our controlled applications in next month’s release.

Colin’s reaction to Chrome Frame adds another dimension to the discussion of its impact for IT administrators. In Colin’s email he states: “It makes our job as a support department that much more difficult. The thought of a browser running a sub browser via a plug-in! Imagine trying to support that if/when it goes wrong?”

The webification of applications, standards that are evolving at a breakneck pace, and users’ increasing mobility are creating a very difficult environment for administrators. We don’t need to provide even more ways of increasing the attack surface and creating nightmare support scenarios. I agree with Mozilla’s Mike Shaver when he suggests users who want access to a fast browser and cutting edge content should just be encouraged to use a better browser.

The integrated application control in Sophos Anti-Virus will not only be able to stop users from running Chrome Frame, but also controls Chrome, Firefox, Firefox Portable, Internet Explorer, Safari, Opera and many other browsers. This function is designed to help administrators reduce the threat surface and make informed decisions as to what tools are allowed to bring down content from the increasingly dangerous web.

Mozilla itself was a victim of this problem when Microsoft installed two insecure plugins into Firefox early this year without notice or approval from users. Browsers hijacking browsers? Really? The simpler our networks are the easier they are to secure. Google, please stop introducing more complexity. We expect better of you.