Appendix E - Browser specific issues

This Appendix outlines issues regarding specific browser versions that merchants should address in their BankID Web-client implementation. For an updated list of known issues please see [BIKI]. Contents of the UserAgent blacklist and UserAgent CSP exceptions list are described in [BUBO] and [BUCO] respectively.

Internet Explorer

IE in general

IE and frameMode = redirect

Tests have shown that Internet Explorer with frameMode = redirect does not work when IE's Trusted sites security levels are set to High. If Trusted sites security levels are set to Low, IE asks the user whether she wants to accept the redirect, and then the redirect takes place.

IE9

IE9 sends XDomainRequest as text/plain

XDomainRequests from IE9 are sent with Content-Type: text/plain. The merchant application might need to handle these differently from requests received as Content-Type: application/x-www-form-urlencoded.

Note: Some merchants have experienced that IE9 may send requests without any content type specified. It is therefore recommended that merchants take this into consideration and parse the input manually as if it were of content type application/x-www-form-urlencoded.
Instead of calling request.getParameter("paramName"); the parameters must be fetched by calling request.getInputStream(); and then parsing the input stream manually.
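
The manual parsing described above could look like the following. This is an added example, not code from the BankID documentation; the class name FormBodyParser, the MAX_BODY_BYTES limit and the sample body are assumptions made for illustration.

```java
import java.io.*;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class FormBodyParser {
    // Assumed upper bound on body size; set it to the largest request the application expects.
    static final int MAX_BODY_BYTES = 64 * 1024;

    /** True when the body must be parsed by hand: IE9 sends text/plain or no content type at all. */
    static boolean needsManualParse(String contentType) {
        if (contentType == null || contentType.trim().isEmpty()) return true;
        String base = contentType.split(";", 2)[0].trim();
        return base.equalsIgnoreCase("text/plain");
    }

    /** Reads at most MAX_BODY_BYTES and parses the bytes as application/x-www-form-urlencoded. */
    static Map<String, List<String>> parse(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            // Refuse oversized bodies instead of buffering them without limit.
            if (buf.size() + n > MAX_BODY_BYTES) throw new IOException("request body too large");
            buf.write(chunk, 0, n);
        }
        String body = new String(buf.toByteArray(), StandardCharsets.UTF_8);
        Map<String, List<String>> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            String rawValue = eq < 0 ? "" : pair.substring(eq + 1);
            // URLDecoder throws IllegalArgumentException on malformed %-escapes; treat that as a bad request.
            String name = URLDecoder.decode(rawName, "UTF-8");
            String value = URLDecoder.decode(rawValue, "UTF-8");
            // Keep every value for a repeated name rather than silently overwriting.
            params.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return params;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body, as it might arrive with Content-Type: text/plain.
        byte[] sample = "a=1&name=Ola%20Nordmann&a=2&flag".getBytes(StandardCharsets.UTF_8);
        System.out.println(needsManualParse("text/plain; charset=UTF-8"));
        System.out.println(parse(new ByteArrayInputStream(sample)));
    }
}
```

In a servlet, call parse(request.getInputStream()) only when needsManualParse(request.getContentType()) returns true, and keep using request.getParameter for requests that arrive as application/x-www-form-urlencoded.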

IE9 and X-UA-Compatible

To force Internet Explorer to use the latest engine (i.e. not pretending to be IE8 when it actually is IE9), add the X-UA-Compatible parameter as an HTTP response header:

X-UA-Compatible: IE=edge,chrome=1

response.setHeader("X-UA-Compatible", "IE=edge,chrome=1");

IE9 and withCredentials

IE9 does not support the use of withCredentials, which means merchants cannot rely on the use of cookies for session handling in this case.

IE11

IE 11 and show-hide password dialogue

On devices with IE11 on Windows 8.1 and build versions 11.0.9600 16384 through 11.0.9600 16438, the second password may disappear during a password change process after both new passwords have been entered and the buttons Show password and Hide password have been tapped.

This bug is resolved by installing the Cumulative Security Update for Internet Explorer 11 for Windows 8.1 (KB2925418) or newer. This problem does not occur on devices with build versions 11.0.9600 16521 and newer.

IE and security zones

Internet Explorer assigns all websites to a security zone. The default zone is the Internet zone. If the URL follows the UNC naming convention, does not include any periods, or bypasses the proxy server, it will automatically be assigned to the Local Intranet zone.

Web sites assigned to different security zones are generally not allowed to communicate with each other. If the merchant application has been assigned to either the Local Intranet zone or Trusted sites, the *.bankid.no domain also needs to be assigned to the same security zone as the merchant application.

IE and frameMode="window"

The Helper and the Web-client communicate through the use of postMessage. IE only allows postMessage between a window and an embedded iframe. This effectively means that frameMode="window" does not work on IE.

Firefox

Firefox and character ‘;’ in merchant URL

Firefox versions 33 – 35, in combination with merchantURLs containing the character ';', have revealed problems with how Firefox handles CSP. The error was reported to Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1094067. A fix was included in version 37.