Mark of the Web (Internet Explorer)


[This documentation is preliminary and is subject to change.]

The Mark of the Web (MOTW) is a feature of Windows Internet Explorer that enhances security by enabling Internet Explorer to force a locally saved webpage to run in the security zone of the location the page was saved from, rather than in the Local Machine zone, as long as that security zone is more restrictive than the Local Machine zone. When you are developing webpages, the MOTW enables you to test your HTML documents in the security zone where you intend the pages to run. Adding the MOTW to your webpages also enables you to fully test their compatibility with users' security settings.


What is the Mark of the Web?

The MOTW is a comment added to the HTML markup for a webpage. When a user opens the webpage from their local machine, Internet Explorer references this comment to determine the security zone in which it should run the page. Following is an example of a valid MOTW comment.


<!-- saved from url=(0023)http://www.contoso.com/ -->

To be valid, a MOTW comment must follow some simple rules.

  • The comment must start with the following.
    
     <!-- saved from url= 
    
    
  • The comment must end with the following.
    
     --> 
    
    
  • The comment must contain a value to indicate the string length of the URL that follows, in the form (####). Note that the length in (####) can be less than the length of the URL; however, Internet Explorer uses only as many characters as are indicated to map the file to a security zone. At a minimum, the string length should indicate the number of characters in the complete URL up to the end of the top-level domain name (.com, .org, .net, and so on for Internet sites). If the length in (####) is greater than the URL's length, Internet Explorer ignores the comment and loads the webpage in the Local Machine zone.
  • The comment must contain the webpage's URL immediately following the string length.
  • The comment must appear in the first 2,048 bytes of the HTML document, within the HTML markup.

For situations where the domain is not yet known, Internet Explorer recognizes two generic comments. The about:internet comment specifies the Internet zone and should be formatted as follows.


<!-- saved from url=(0014)about:internet -->

The http://localhost comment specifies the Local Intranet zone and is properly formatted as follows.


<!-- saved from url=(0016)http://localhost -->

Note  The availability of the Local Intranet zone depends on the configuration of the computer viewing the webpage. For more information, see Internet Explorer Blog: Dude, Where's My Local Intranet Zone?.

The HTML comment must be properly formatted for Internet Explorer to parse the information correctly. Proper format includes inserting a space immediately following the opening delimiter " <!-- " and just before the closing delimiter " --> ". The line must end in CR LF. Some HTML editors only insert a LF.

The Mark of the Web and Internet Explorer Compatibility

The MOTW feature is recognized by Microsoft Internet Explorer 4.0 and later. Beginning with Microsoft Internet Explorer 6 for Windows XP Service Pack 2 (SP2), you can also add the comment to multipart HTML (MHT) files and to XML files. Note that earlier versions of Internet Explorer will not recognize a MOTW comment tag in either MHT or XML files.

Adding the Mark of the Web to HTML Documents

There are two ways the MOTW can be added to an HTML document:

  1. When the user saves a page off the Web, Internet Explorer automatically inserts the MOTW comment into the HTML markup. The MOTW appears immediately following the !DOCTYPE declaration.
  2. You can also manually insert a MOTW when you are developing HTML pages that need to run in a different security zone from that of your development environment. With the MOTW inserted, you can preview HTML documents in the appropriate security zone; typically this zone is the Internet zone, but Internet Explorer obeys your computer's security zone rules. This way you can make sure the content functions as expected, and you can monitor any security issues with the content. Additionally, you can ensure that the Information bar security UI element is displayed as appropriate, and thus optimize user experience. For more information on the correct format to use when adding MOTW comments to your HTML pages, see What is the Mark of the Web? in this topic.

The following example shows a properly formatted MOTW.


<!doctype html>
<!-- saved from url=(0023)http://www.contoso.com/ -->
<html>
  <head>
    <title>A Mark of the Web Example.</title>
  </head>
  <body>
     <p>Hello, World</p>
  </body>
</html>


To determine the current zone of a webpage that is displayed in Internet Explorer, right-click the page and then choose Properties. Zone information is displayed along with other information about the current page.

How Internet Explorer Uses the Mark of the Web

When a user opens a locally hosted HTML file, Internet Explorer looks for the MOTW and carries out the following steps:

  1. Internet Explorer locates the comment that starts with the following.
    
     <!-- saved from url= 
    
    
    If a webpage contains more than one MOTW, Internet Explorer will always parse the first MOTW and ignore subsequent ones.
  2. Internet Explorer reads as many characters in the URL as are indicated in the string length value, and parses the URL.
  3. Internet Explorer uses the zone settings on the user's computer to determine which security policy to apply to the webpage. Internet Explorer can then force the webpage to open in a security zone other than the Local Machine zone. For example, if the URL within the MOTW is listed in the user's Restricted sites list, then the webpage will open in the Restricted sites zone and the Restricted sites zone's security settings will apply.

In cases where the generic MOTW (<!-- saved from url=(0014)about:internet -->) is used because the domain name is unknown, the "about:internet" forces Internet Explorer to host the webpage in the Internet zone.
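
The format rules from "What is the Mark of the Web?" and the lookup steps above can be checked mechanically before a page is shipped. The following Python check is an added example, not Microsoft's code and not Internet Explorer's actual parser; the function name, the result keys, and treating a comment that extends past byte 2,048 as absent are assumptions of this sketch.

```python
import re

SCAN_LIMIT = 2048  # rule: the comment must appear in the first 2,048 bytes
# Opening delimiter, "(####)" length, URL, then a space before the closing "-->".
MOTW_RE = re.compile(rb"<!-- saved from url=\((\d+)\)(\S+) -->")
# The two generic comments the page defines; any other URL is mapped by zone settings.
GENERIC = {"about:internet": "Internet", "http://localhost": "Local Intranet"}

def audit_motw(html: bytes) -> dict:
    """Audit the first MOTW comment in a saved page against the page's rules."""
    result = {"effective_url": None, "zone": "Local Machine", "problems": [], "notes": []}
    m = MOTW_RE.search(html[:SCAN_LIMIT])  # first match only; later ones are ignored
    if m is None:
        result["problems"].append("no well-formed MOTW in the first 2,048 bytes")
        return result
    declared = int(m.group(1))
    url = m.group(2).decode("latin-1")  # one character per byte, so lengths agree
    if declared > len(url):
        # Stated behaviour: the comment is ignored and the Local Machine zone applies.
        result["problems"].append(f"length {declared} exceeds URL length {len(url)}")
        return result
    effective = url[:declared]  # only this many characters are mapped to a zone
    if declared < len(url):
        result["notes"].append(f"length {declared} truncates the URL to {effective!r}")
    eol = html.find(b"\n", m.end())
    if eol < 1 or html[eol - 1:eol] != b"\r":
        result["problems"].append("MOTW line does not end in CR LF")
    result["effective_url"] = effective
    result["zone"] = GENERIC.get(effective, "per the user's zone settings")
    return result

# Constructed sample input (not from a real saved page).
SAMPLE = (b"<!doctype html>\r\n"
          b"<!-- saved from url=(0023)http://www.contoso.com/ -->\r\n"
          b"<html><body><p>Hello, World</p></body></html>\r\n")

if __name__ == "__main__":
    print(audit_motw(SAMPLE))
    print(audit_motw(SAMPLE.replace(b"\r\n", b"\n")))       # LF-only editor output
    print(audit_motw(SAMPLE.replace(b"(0023)", b"(0030)")))  # length too large
```

When the CR LF problem is reported, the `zone` value is the zone a correctly terminated comment would map to, not a prediction of what Internet Explorer does with the malformed line.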

You should add a MOTW to every HTML document whose contents would be restricted by Internet Explorer's Local Machine zone lockdown security feature. Following are examples of when to insert a MOTW:

  • You are coding pages that will be viewed from a CD. (Note that users can, but won't necessarily, exempt CD content from this security feature.)
  • You are providing product documentation as HTML pages run from the local computer.
  • You need to preview webpages locally before uploading them to a website.
  • You are creating webpages that include frames.

The Local Machine Zone Lockdown

Many HTML pages contain content such as script, Microsoft ActiveX controls, or binary behaviors. These pages are known as active HTML documents. Prior to Windows XP SP2, the content on a user's local file system—except for content cached by Internet Explorer—was regarded as trusted and was therefore assigned to the Local Machine security zone. The Local Machine zone allowed files to run in Internet Explorer with few restrictions. Attackers found that they could exploit the Local Machine zone and its looser restrictions to access a user's computer. By using controls that are restricted to trusted zones, an attacker could elevate privileges and compromise the user's computer. The attacker would then have unrestricted access to the computer's content.

To mitigate this security risk, Internet Explorer "locks down" the Local Machine zone. When the user opens an HTML document, Internet Explorer prohibits active content from running and displays an Information bar. The user must then decide whether to permit the action that triggered the Information bar. The Local Machine zone lockdown prevents the user's computer from automatically executing any scripts, and from using any ActiveX and other controls. See About URL Security Zones for more information on the Local Machine zone.

How the Mark of the Web Enhances Computer Security

Because the Local Machine zone has so few security restrictions, active HTML documents running on the local machine have access to the computer's entire file system. The MOTW aids Internet Explorer in protecting the user from the risks of running these documents in the Local Machine zone. By referencing the MOTW, Internet Explorer can force these webpages into a zone that has more restrictions, such as the Internet zone. At the same time, the MOTW cannot be used to elevate webpages to a zone with fewer restrictions. Forced out of the Local Machine zone, the active content has no access to the computer's file system.

Note  When Local Machine Zone Lockdown is enabled, Internet Explorer runs in an environment more restricted than the Internet zone. For more information, see Internet Explorer Local Machine Lockdown.

Additionally, cross-domain requests both to and from the active HTML documents fail, so that code running from these webpages cannot access the user's hard disk.

Build date: 2/14/2012

Community Content

sompong utsahatana
Mark of the web is not working with ActiveX object
Hi, I have tried with <!-- save url=(0014)about:internet--> to avoid the ActiveX alert but it is not working. When I tried with <!-- save url=(0016)http://localhost-->, it is working in IE7. When I tried the same in IE9, I am getting the error message "automation server can't create object". I am creating an ActiveX object in my code. Please help me on this issue.

sompong utsahatana
"Mark of the web" colloquial use
People sometimes use the term "Mark of the web" to refer to Attachment Execution Service.  That's the service which causes the properties to display the text "This file came from another computer and might be blocked," and may cause a warning to display when the user tries to launch an application.  That use is technically inaccurate, but it may help to know that Attachment Execution Service is documented in http://technet.microsoft.com/en-us/library/dd277349.aspx

karencole50
Need to know how to insert the comment
I need to know the exact code for submitting the HTML comment that ends the "Internet Explorer restricted this webpage from running scripts and ActiveX controls" information bar from popping up. I need it on every page of our website, including the XML ones, so I need to know both how to insert the code into a standard HTML page and also how to insert it into an XML page. I need to know the exact language to use in each case. The website in question is ours, and it's hosted through a hosting company, and not on our server.

felix turner
MOW requires file to be saved in DOS format.
It seems that a MOW does not work if the HTML file is saved with Unix style line breaks. This means that a MOW created on a Mac will not work. The HTML file needs to be saved in windows/dos format for the MOW to work.

To convert from unix to dos format on a mac, use the perl command line action described here: http://kb.iu.edu/data/acux.html

akjdflkjnhsdfgkljhdgfskjlhgdfkjlhgfdskjlhgdfjklhgd
MOTW for xml files
"..you can also add the comment to ... XML files".

That's all very nice, and essential for my app to run in IE (without local machine lockdown), but a little more detail would be useful. I can't add a MOTW to the first line of the xml file, 'coz the first line needs to be the xml declaration. Adding it to the next line seems to make no difference - I still can't open the xml file in the internet zone (i.e. access it), and I can't access it with a script from a local html file (with a MOTW). Any help would be appreciated...


Thomas Lee
MOTW limits HTML developers

When using
<!-- saved from url=(0014)about:internet -->

This simple thing won't work:
<A HREF="test.jpg"><IMG SRC="test.jpg"></A>
Link won't open.

Additionally, a local SYSTEM doctype for XML will not work, and including it will prevent the page from displaying.

This is because a page marked as MOTW is displayed as if it were served from a temporary folder with no way up. You can get the same result without MOTW by opening the page as an e-mail attachment.


yecril
MOTW must be on a separate line
MOTW works between the DOCTYPE and the HTML if it is on a separate line.

George Birbilis
Cannot show popup dialogs when you use <!-- saved from url=(0014)about:internet -->
Note that when you use <!-- saved from url=(0014)about:internet --> you won't be able to show popup dialogs from your HTML pages when you test them locally (with the default security zone settings at least). When testing online the page will still work fine and show its popup HTML windows.