The Mark of the Web (MOTW) is a feature of Windows Internet Explorer that enhances security by enabling Internet Explorer to force webpages to run in the security zone of the location the page was saved from—as long as that security zone is more restrictive than the Local Machine zone—instead of the Local Machine zone. When you are developing webpages, the MOTW enables you to test your HTML documents in the security zone where you intend the pages to run. Adding the MOTW to your webpages also enables you to fully test their compatibility with users' security settings.

This topic contains the following sections.

• What is the Mark of the Web? 
• The Mark of the Web and Internet Explorer Compatibility 
• Adding the Mark of the Web to HTML Documents 
• How Internet Explorer Uses the Mark of the Web 
• The Local Machine Zone Lockdown 
• How the Mark of the Web Enhances Computer Security 

What is the Mark of the Web?

The MOTW is a comment added to the HTML markup for a webpage. When a user opens the webpage from a local machine, Internet Explorer references this comment to determine the security zone in which it should run the page. Following is an example of a valid MOTW comment.

<!-- saved from url=(0023)http://www.contoso.com/ -->

To be valid, a MOTW comment must follow some simple rules.

• The comment must start with the following.

  
   <!-- saved from url= 

• The comment must end with the following.

  
   --> 

• The comment must contain a value to indicate the string length of the URL that follows, in the form (####). Note that the length in (####) can be less than the length of the URL; however, Internet Explorer uses only as many characters as are indicated to map the file to a security zone. At a minimum, the string length should indicate the number of characters in the complete URL up to the end of the top-level domain name (.com, .org, .net, and so on for Internet sites). If the length in (####) is greater than the URL's length, Internet Explorer ignores the comment and loads the webpage in the Local Machine zone.
• The comment must contain the webpage's URL immediately following the string length.
• The comment must appear in the first 2,048 bytes of the HTML document, within the HTML markup.

For situations where the domain is not yet known, Internet Explorer recognizes two generic comments. The about:internet comment specifies the Internet zone and should be formatted as follows.

<!-- saved from url=(0014)about:internet -->

The http://localhost comment specifies the Local Intranet zone and is properly formatted as follows.

<!-- saved from url=(0016)http://localhost -->

The HTML comment must be properly formatted for Internet Explorer to parse the information correctly. Proper format includes inserting a space immediately following the opening delimiter " <!-- " and just before the closing delimiter " --> ". The line must end in CR LF. Some HTML editors insert only a LF.

The Mark of the Web and Internet Explorer Compatibility

The MOTW feature is recognized by Microsoft Internet Explorer 4.0 and later. Beginning with Internet Explorer 6 for Windows XP Service Pack 2 (SP2), you can also add the comment to multipart HTML (MHT) files and to XML files. Note that earlier versions of Internet Explorer will not recognize a MOTW comment tag in either MHT or XML files.

Adding the Mark of the Web to HTML Documents

There are two ways the MOTW can be added to an HTML document:

• When the user saves a page off the web, Internet Explorer automatically inserts the MOTW comment into the HTML markup. The MOTW appears immediately following the !DOCTYPE declaration.
• You can also manually insert a MOTW when you are developing HTML pages that need to run in a different security zone from that of your development environment. With the MOTW inserted, you can preview HTML documents in the appropriate security zone; typically this zone is the Internet zone, but Internet Explorer obeys your computer's security zone rules. This way you can make sure the content functions as expected, and you can monitor any security issues with the content. Additionally, you can ensure that the Information bar security UI element is displayed as appropriate, and thus optimize user experience. For more information on the correct format to use when adding MOTW comments to your HTML pages, see What is the Mark of the Web? in this topic.

The following example show a properly formatted MOTW.

<!doctype html>
<!-- saved from url=(0023)http://www.contoso.com/ -->
<html>
  <head>
    <title>A Mark of the Web Example.</title>
  </head>
  <body>
     <p>Hello, World</p>
  </body>
</html>

To determine the current zone of a webpage that is displayed in Internet Explorer, right-click the page and then click Properties. The Zone field reports the zone used to display the current webpage.

How Internet Explorer Uses the Mark of the Web

When a user opens a locally hosted HTML file, Internet Explorer looks for the MOTW and carries out the following steps:

1. Internet Explorer locates the comment that starts with the following.

   
    <!-- saved from url= 

   If a webpage contains more than one MOTW, Internet Explorer will always parse the first MOTW and ignore subsequent ones.
2. Internet Explorer reads as many characters in the URL as are indicated in the string-length value, and parses the URL.
3. Internet Explorer uses the zone settings on the user's computer to determine which security policy to apply to the webpage. Internet Explorer can then force the webpage to open in a security zone other than the Local Machine zone. For example, if the URL within the MOTW is listed in the user's Restricted sites list, then the webpage will open in the Restricted sites zone and the Restricted sites zone's security settings will apply.

In cases where the generic MOTW (<!-- saved from url=(0014)about:internet -->) is used because the domain name is unknown, the "about:internet" forces Internet Explorer to host the webpage in the Internet zone.

You should add a MOTW to every HTML document whose contents would be restricted by Internet Explorer's Local Machine zone lockdown security feature. Following are examples of when to insert a MOTW:

• You are coding pages that will be viewed from a CD. (Note that users can, but won't necessarily, exempt CD content from this security feature.)
• You are providing product documentation as HTML pages run from the local computer.
• You need to preview webpages locally before uploading them to a website.
• You are creating webpages that include frames.

The Local Machine Zone Lockdown

Many HTML pages contain content such as script, Microsoft ActiveX controls, or binary behaviors. These pages are known as active HTML documents. Prior to Windows XP SP2, the content on a user's local file system—except for content cached by Internet Explorer—was regarded as trusted and was therefore assigned to the Local Machine security zone. The Local Machine zone allowed files to run in Internet Explorer with few restrictions. Attackers found that they could exploit the Local Machine zone and its looser restrictions to access a user's computer. By using controls that are restricted to trusted zones, an attacker could elevate privileges and compromise the user's computer. The attacker would then have unrestricted access to the computer's content.

To mitigate this security risk, Internet Explorer "locks down" the Local Machine zone. When the user opens an HTML document, Internet Explorer prohibits active content from running and displays an Information bar. The user must then decide whether to permit the action that triggered the Information bar. The Local Machine zone lockdown prevents the user's computer from automatically executing any scripts, and from using any ActiveX and other controls. See About URL Security Zones for more information on the Local Machine zone.

How the Mark of the Web Enhances Computer Security

Because the Local Machine zone has so few security restrictions, active HTML documents running on the local machine have access to the computer's entire file system. The MOTW aids Internet Explorer in protecting the user from the risks of running these documents in the Local Machine zone. By referencing the MOTW, Internet Explorer can force these webpages into a zone that has more restrictions, such as the Internet zone. At the same time, the MOTW cannot be used to elevate webpages to a zone with fewer restrictions. Forced out of the Local Machine zone, the active content has no access to the computer's file system.

Additionally, cross-domain requests both to and from the active HTML documents fail, so that code running from these webpages cannot access the user's hard disk.