Mark of the Web
The Mark of the Web (MOTW) is a feature of Windows Internet Explorer that enhances security. MOTW enables Internet Explorer to force webpages to run in the security zone of the location the page was saved from—as long as that security zone is more restrictive than the Local Machine zone—instead of the Local Machine zone. When you are developing webpages, the MOTW enables you to test your HTML documents in the security zone where you intend the pages to run. Adding the MOTW to your webpages also enables you to fully test their compatibility with users' security settings.
Here we learn about these concepts:
- What is the Mark of the Web?
- The Mark of the Web and Internet Explorer compatibility
- Adding the Mark of the Web to HTML documents
- How Internet Explorer uses the Mark of the Web
- Local Machine Zone Lockdown
- How the Mark of the Web enhances computer security
The MOTW is a comment added to the HTML markup for a webpage. When a user opens the webpage from their local machine, Internet Explorer references this comment to determine the security zone in which it should run the page. Here's a valid MOTW comment.
<!-- saved from url=(0023)http://www.contoso.com/ -->
To be valid, a MOTW comment must follow some simple rules.
- The comment must start with the following: <!-- saved from url=
- The comment must end with the following: -->
Note: The closing comment must be immediately followed by the end of line, which must be expressed as a CRLF ("\r\n") sequence. Extraneous whitespace is not supported and will cause the mark to fail.
- The comment must contain a value that indicates the string length of the URL that follows, in the form (####). Be aware that the length in (####) can be less than the length of the URL; however, Internet Explorer uses only as many characters as are indicated to map the file to a security zone. At a minimum, the string length should indicate the number of characters in the complete URL up to the end of the top-level domain name (.com, .org, .net, and so on for Internet sites). If the length in (####) is greater than the URL's length, Internet Explorer ignores the comment and loads the webpage in the Local Machine zone.
- The comment must contain the webpage's URL immediately following the string length.
- The comment must appear in the first 2,048 bytes of the HTML document, within the HTML markup.
For situations where the domain is not yet known, Internet Explorer recognizes two generic comments. The about:internet comment specifies the Internet zone and should be formatted like this.
<!-- saved from url=(0014)about:internet -->
The http://localhost comment specifies the Local Intranet zone and is correctly formatted like this.
<!-- saved from url=(0016)http://localhost -->
The HTML comment must be correctly formatted for Internet Explorer to parse the information correctly. Correct format includes inserting a space immediately following the opening comment delimiter ("<!--") and just before the closing comment delimiter ("-->"). The line must end with a carriage return/line feed sequence (CR/LF). (Some HTML editors insert only a line feed character (LF), which is not sufficient.)
The MOTW feature is recognized starting with Microsoft Internet Explorer 4.0. Beginning with Microsoft Internet Explorer 6 for Windows XP Service Pack 2 (SP2), you can also add the comment to multipart HTML (MHT) files and to XML files. Be aware that earlier versions of Internet Explorer won't recognize a MOTW comment tag in either MHT or XML files.
There are two ways the MOTW can be added to an HTML document:
- When the user saves a page off the Web, Internet Explorer automatically inserts the MOTW comment into the HTML markup. The MOTW appears immediately following the !DOCTYPE declaration.
- You can manually insert a MOTW when you're developing HTML pages that need to run in a different security zone from that of your development environment. With the MOTW inserted, you can preview HTML documents in the appropriate security zone; typically this zone is the Internet zone, but Internet Explorer obeys your computer's security zone rules. This way you can make sure the content functions as expected, and you can monitor any security issues with the content. Additionally, you can ensure that the Information bar security UI element is displayed as appropriate, and thus optimize user experience. For more info about the correct format to use when adding MOTW comments to your HTML pages, see What is the Mark of the Web?.
This example shows a correctly formatted MOTW comment.
<!doctype html>
<!-- saved from url=(0023)http://www.contoso.com/ -->
<html>
<head>
<title>A Mark of the Web Example.</title>
</head>
<body>
<p>Hello, World</p>
</body>
</html>
To determine the current zone of a webpage that is displayed in Internet Explorer, right-click the page and click Properties. Zone information is displayed along with other information about the current page.
When a user opens a locally hosted HTML file, Internet Explorer looks for the MOTW and carries out these steps:
- Internet Explorer locates the comment that starts with the following: <!-- saved from url=
- Internet Explorer reads as many characters in the URL as are indicated in the string length value, and parses the URL.
- Internet Explorer uses the zone settings on the user's computer to determine which security policy to apply to the webpage. Internet Explorer can then force the webpage to open in a security zone other than the Local Machine zone. For example, if the URL within the MOTW is listed in the user's Restricted sites list, the webpage will open in the Restricted sites zone and the Restricted sites zone's security settings will apply.
In cases where the generic MOTW comment (<!-- saved from url=(0014)about:internet -->) is used because the domain name is unknown, the "about:internet" URL forces Internet Explorer to host the webpage in the Internet zone.
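As an added example (not code from the original article), here is a small Python parser that applies the comment rules above and the lookup steps just described: it honours the 2,048-byte window, the exact spacing and CRLF requirement, the declared length, and the two generic URLs. The zone lookup for ordinary URLs is a simplified model of the user's zone settings (an assumption), not Internet Explorer's real implementation.

```python
import re
from typing import Optional

# Exact token layout from the article: one space after "<!--", one before "-->",
# then CRLF with no extra whitespace. The count is written as (####); accepting
# any run of digits is an assumption of this example.
MOTW_RE = re.compile(rb"<!-- saved from url=\((\d+)\)(\S+) -->\r\n")
MOTW_PREFIX = b"<!-- saved from url="
MOTW_WINDOW = 2048  # the comment must start within the first 2,048 bytes


def parse_motw(document: bytes) -> Optional[str]:
    """Return the URL prefix IE would map to a zone, or None when the mark is
    missing or malformed (the article says IE then uses the Local Machine zone)."""
    start = document.find(MOTW_PREFIX, 0, MOTW_WINDOW)
    if start < 0:
        return None
    m = MOTW_RE.match(document, start)
    if m is None:
        return None  # e.g. LF-only line ending or stray whitespace
    count = int(m.group(1))
    url = m.group(2).decode("ascii", "replace")
    if count > len(url):
        return None  # declared length exceeds the URL: IE ignores the comment
    return url[:count]  # IE reads only as many characters as declared


def zone_for(document: bytes, restricted_sites: frozenset = frozenset()) -> str:
    """Simplified zone model (assumption): generic URLs map as the article states,
    a host on the user's Restricted sites list maps to that zone, and any other
    marked page falls into the Internet zone."""
    prefix = parse_motw(document)
    if prefix is None:
        return "Local Machine"
    if prefix == "about:internet":
        return "Internet"
    if prefix.startswith("http://localhost"):
        return "Local Intranet"
    host = re.sub(r"^[a-z]+://", "", prefix).split("/", 1)[0]
    if host in restricted_sites:
        return "Restricted sites"
    return "Internet"


if __name__ == "__main__":
    # Constructed sample document using the article's contoso.com mark.
    sample = b"<!doctype html>\r\n<!-- saved from url=(0023)http://www.contoso.com/ -->\r\n<html></html>"
    print(parse_motw(sample), zone_for(sample))
```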
Add a MOTW to every HTML document whose contents would be restricted by Internet Explorer's Local Machine zone lockdown security feature. These examples show when to insert a MOTW:
- You are coding pages that will be viewed from a CD, DVD, or other local storage device. (Be aware that users can, but won't necessarily, exempt local content from this security feature.)
- You are providing product documentation as HTML pages run from the local computer.
- You need to preview webpages locally before uploading them to a website.
- You are creating webpages that include frames.
Many HTML pages contain content such as script, Microsoft ActiveX controls, or binary behaviors. These pages are known as active HTML documents. Prior to Windows XP SP2, the content on a user's local file system—except for content cached by Internet Explorer—was regarded as trusted and was therefore assigned to the Local Machine security zone. The Local Machine zone allowed files to run in Internet Explorer with few restrictions. Attackers found that they could exploit the Local Machine zone and its looser restrictions to access a user's computer. By using controls that are restricted to trusted zones, an attacker could elevate privileges and compromise the user's computer. The attacker would then have unrestricted access to the computer's content.
To mitigate this security risk, Internet Explorer locks down the Local Machine zone. When the user opens an HTML document, Internet Explorer prohibits active content from running and displays an Information bar. The user must then decide whether to permit the action that triggered the Information bar. The Local Machine zone lockdown prevents the user's computer from automatically executing any scripts, and from using any ActiveX and other controls. See About URL Security Zones for more info about the Local Machine zone.
Because the Local Machine zone has so few security restrictions, active HTML documents running on the local machine have access to the computer's entire file system. The MOTW helps Internet Explorer protect the user from the risks of running these documents in the Local Machine zone. By referencing the MOTW, Internet Explorer can force these webpages into a zone that has more restrictions, such as the Internet zone. At the same time, the MOTW cannot be used to elevate webpages to a zone with fewer restrictions. Forced out of the Local Machine zone, the active content has no access to the computer's file system.
Additionally, cross-domain requests both to and from the active HTML documents fail, so that code running from these webpages cannot access the user's hard disk.