Introducing HTML Applications: DHTML Goes out of the Browser

As of December 2011, this topic has been archived. As a result, it is no longer actively maintained. For more information, see Archived Content. For information, recommendations, and guidance regarding the current version of Internet Explorer, see Internet Explorer Developer Center.

Loren Kohnfelder
Microsoft Corporation

Updated March 18, 1999


Examples of HTA Solutions
A Very Simple HTA
Using the <APPLICATION> Tag
Passport and HailStorm
Frames and Security
Putting It All Together

Internet Explorer 5 introduces HTML Applications (HTA). They allow you to use the same Dynamic HTML technology (DHTML) "out of the browser" to write standalone applications. With HTA you can write an application the same way you write a Web page with DHTML and script, or you can take content originally authored for the Web and turn it into an application.

Being "out of the browser" means that HTAs differ from Web pages in two important ways:

  • Your application is written completely in DHTML but runs in its own window without the browser menus and toolbars. This means your application fully defines the user interface.
  • Your application is fully trusted and free from the restrictions placed on Web pages for security reasons. Unlike Web pages, which run when visited, users will need to trust your HTA; however, once installed and run, your HTA can potentially do anything any program can

Examples of HTA Solutions

You can use HTAs to author a wide range of applications. Here are a few of the most common scenarios for which HTAs provide an excellent solution:

  • Retarget a Web-page application. You can easily convert an existing applications constructed from Web pages to run as a Windows application as HTA. As an HTA, the application can work outside the Web security model, can fully define its own user interface, and can be run from the Start menu.
  • Applications that deal with HTML content. HTAs are a great way to manipulate HTML via the DHTML object model. Applications that create or edit HTML, check validity of links of a site, compare content of sites, and so forth are very easy to write using the HTA framework.
  • Provide applications to an enterprise with Web distribution. Since HTAs can be based on content delivered over HTTP and cached, all the advantages of the connected Web model can be used to deploy HTAs without the effort of installation, updating, and maintenance associated with the traditional application-deployment model. As HTA components are updated on a central server, the clients will download and incorporate the new pieces seamlessly.
  • Write a simple application. If you don't know programming languages, but can write DHTML and script, you can put together a simple application quickly, using familiar Web authoring tools.

A Very Simple HTA

The best way to understand how an HTA works is to actually write one:

      <TITLE>Simple HTML Application</TITLE>
      This is a simple HTML Application.
      <BUTTON onclick="self.close()">Exit</BUTTON>

This sample code is a simple HTML page: Giving it the file name extension *.hta is what makes this an HTML application. Launch the .hta file to start the application. The <TITLE> "Simple HTML Application" becomes the application window title, the window content area is the text of the <BODY>, and the <BUTTON> labeled "Exit" is defined as an HTML button.

This application contains an exit button because the application is running without the user interface that the browser provides for Web pages.

This simplest of examples demonstrates how an HTML page can be turned into an HTA application. Anything you can do with DHTML and script in the browser will work within the HTA application window-content area.

Using the <APPLICATION> Tag

While HTA is, for the most part, an extension of the same DHTML functionality you use to author great Web content, there are a few features specific to the needs of an application that are implemented using the <HTA:APPLICATION> tag. By using this tag, you can specify an icon for the application, control the window caption and border, and so forth.

The application tag should appear in the <HEAD> section and consist of a few attribute declarations that customize the appearance and features of the application window. In the example above, the following tag inserted below <HEAD> specifies an icon for the application, and that the window should have no system menu.

<HTA:APPLICATION ICON=simple.ico sysMenu=no>

For more information on features that may be specified for the <HTA:APPLICATION> tag, see

Frames and Security

Since HTAs run as fully trusted applications, certain security precautions are necessary when HTAs use Web content that is not equally trusted. While the HTA is free of all security restrictions, it is important to maintain the usual Web-security constraints for untrusted content within the HTA (as determined by the zone settings for the particular Web page). Thus, for security purposes, a frame containing HTML within an HTA is treated exactly as it is within the browser.

On the other hand, in some cases a frame might actually be a functional part of the HTA—in which case it needs to be able to interact and do all the same things that the HTA itself can do. For instance, if you wrote a wizard HTA, it might be convenient to have an outer framework, with title and forward/back buttons, and an inner frame that defined the content for individual panes of the wizard. These frames would need to work as part of the HTA, and, of course, only appropriate and trustworthy content would be put into the frame—certainly not content from any URL whatsoever.

The HTA container page defines which frames are, and are not, trusted by use of a special attribute on the <FRAME> or <IFRAME> tag that is unique to HTAs. By specifying TRUSTED=YES, the HTA infers all of its privileges upon the content it navigates into the frame. Absent this attribute or with TRUSTED=NO, the frame content is handled just like HTML in the browser. Since only HTAs can declare a TRUSTED attribute (which is ignored for HTML within the browser), it is impossible for untrusted content to assert trust it does not have.

Putting It All Together

Believe it or not, this short article has introduced you to all of the basic features that are particular to HTML Applications. The DHTML platform provides the additional rich functionality you need to make compelling real-world applications with HTAs.

Once you have a great HTA, you will need to deliver it to users. As with Web content, there are a number of approaches to choose from. Basically, HTAs can either be installed as files on the machine, just as other applications are, or HTAs may be downloaded from the Web.

Installing HTA files on a machine can be done in the same way as the files that constitute any applications: copy the files from a disk or network, by means of any installer tool or self-extracting executable file. The HTA will run when launched from a shell folder, from a link in the Start menu, or from a command line, and so forth.

Alternatively, HTAs may also be downloaded over HTTP or HTTPS just as Web pages are. Downloading allows a single copy of the HTA, maintained on the server, to be used by a large number of clients, which don't have to explicitly install the HTA on each machine. Further, the latest updated versions on the server will be propagated to the clients as needed with each download.

The advantages of downloading need to considered against some possible disadvantages that may or may not be significant, depending on the user's requirements. First, downloaded applications can only be used when the client machine is connected to the network: if users need to use the HTA while offline, installing the files may be the best choice. Second, there is an issue of security and trust: just as the user needs to choose whether or not to run or save an executable file downloaded over the Web, the same decision needs to be made for any HTA every time it is downloaded. (Since HTAs are trusted applications, it would be unsafe to allow any Web page to download and run any HTA without the user's consent.)

Hybrid combinations of installed files and downloaded content can, in some cases, be a good compromise as a delivery mechanism for HTAs. Since all images, subframes, and components of HTAs may be designated by any URL, it is possible to install just the HTA file on the client machine and have all the other pieces delivered as needed via HTTP. Since the HTA file is installed it can be launched without additional warnings to the user; once running, the HTA can dynamically pull down other pieces over the Web as needed and be guaranteed to always get the latest updated content from the server.


Built of the same stuff that powers the Web—DHTML technologies—HTAs can be deployed like standalone applications, like Web pages, or as a hybrid of both.

Loren Kohnfelder is a program manager on the Internet Explorer team.