Table2CSS logo Table2CSS is a tool that can convert your table-based websites to tableless layouts, replace deprecated HTML tags with modern CSS and reformat your HTML code. Click here for more information

What is the meaning of the Mark-Of-The-Web and what effect does it have on HTML code and JavaScript code

What is the purpose of the Mark-Of-The-Web

Mark-Of-The-Web (MOTW) is a specially formed HTML comment which is recognized by Internet Explorer (IE) inside the displayed web page and then used by IE to set additional security restrictions for the scripts, ActiveX controls and DHTML behaviors that run on that web page.

What is the format of the Mark-Of-The-Web?

The mark of the web is a regular HTML comment which has a specific format recognized by Internet Explorer. When a web page is loaded from the local filesystem IE looks in the first 2048 bytes of the page for a comment which looks like this:

<!-- saved from url=(NNNN)SOMEURL -->

where NNNN is the character length of SOMEURL and SOMEURL is a valid URL. If the MOTW matches this format, IE uses SOMEURL to find the security zone matching that URL and applies the security restrictions of that zone to the loaded page. Please note that the security restrictions are applied only if they are stricter than the security restrictions of the local security zone.

In most cases SOMEURL is an HTTP URL like, but it can also be any valid URL like about:internet (in this case the restrictions of the Internet Zone are applied) or http://localhost (in this case the restrictions of the local zone are used).

Which programs add Mark-Of-The-Web to web pages? Mark-Of-The-Web is added implicitly by Internet Explorer when the user saves a web page on his local filesystem, using the "File/Save As" dialog in Internet Explorer. In this case the MOTW is inserted into the HTML code between the document type and the <html> opening tag.

Also please note that most HTML editors treat the MOTW as a regular HTML comment (which it is), so they preserve it while editing the page.

How does the Mark-Of-The-Web affect the restrictions of code running inside the web page?

Restrictions enforced by MOTH are those of the security zone corresponding for the URL in the MOTW. In most cases this means that:

  1. Starting from IE6 for Windows XP SP2, IE6 will refuse to run any active content (scripts, ActiveX or binary behaviors) when the page is being run in the local security zone. This means that if you attempt to open an web page from your local computer and the page does NOT have a Mark-Of-The-Web, then it will not be able to run any JavaScript (or any other active content). The browser will display a warning message and by default will refuse to run the active content.

    The workaround in this case is to add a generic mark of the web which will instruct IE to run the page in the internet security zone: <!-- saved from url=(0014)about:internet -->

    Alternatively you can avoid adding the mark of the web to your page, and re-configure the security settings of the local zone to allow running of JavaScript and/or other active content from your local drive from the Internet Options of Internet Explorer.

  2. When a local page which DOES have a mark of the web tries to access a page stylesheet embedded or external will fail with access denied error (E_ACCESSDENIED with code 0x80070005). For example this code will fail because of the restrictions of the MOTW:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    <!-- saved from url=(0022) -->
    <style type="text/css">
    body {background-color: gray;}
    <body onload="alert (document.styleSheets [0].rules);">

    The solution in this case is to remove the mark of the web from the page and allow running of JavaScript and/or other active content from your local drive from the Internet Options of Internet Explorer.