Monday, January 23, 2006

IE's "Mark of the Web"

Researching the Blocking issue I came upon the "Mark of the Web" feature added to MSIE following the release of XP-SP2, which locked down the local_machine URL security zone.
How the Mark of the Web Enhances Computer Security

Because the Local Machine zone has so few security restrictions, active HTML documents running on the local machine have access to the computer's entire file system. The MOTW aids Internet Explorer in protecting the user from the risks of running these documents in the Local Machine zone. By referencing the MOTW, Internet Explorer can force these Web pages into a zone that has more restrictions, such as the Internet zone. At the same time, the MOTW cannot be used to elevate Web pages to a zone with fewer restrictions. Forced out of the Local Machine zone, the active content has no access to the computer's file system.

Note: Windows XP SP2 applications, including Internet Explorer 6, that take advantage of the Local Machine Zone Lockdown security feature run in an even more restricted environment than the Internet zone. Additionally, cross-domain requests both to and from the active HTML documents fail, so that code running from these Web pages cannot access the user's hard drive.

That makes sense, but it seems to contradict the explanation below by Dave Massy on the IEBlog, which I find a little confusing. I don't seem to be the only one, based on the comments to his posting (see "There does seem to be a some continued confusion around the LMZ lockdown").

I have not tested the functionality yet myself to see if I can figure it out, but I did notice that this box has only one file with that tag in it.
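To make the "which local files carry that tag" question concrete, here is a small audit script I am adding to this post (it is my own example, not code from Microsoft or from any of the posts linked below). It assumes the MOTW syntax as documented by Microsoft, an HTML comment of the form <!-- saved from url=(NNNN)URL --> where NNNN is the zero-padded length of the URL; the 2 KB scan window and the sample documents are my own constructions.

```python
import re
from typing import Dict, Optional, Tuple

# Mark of the Web syntax, from Microsoft's IE documentation (not quoted in the post):
#   <!-- saved from url=(NNNN)URL -->
# NNNN is the zero-padded decimal length of URL. "about:internet" is the
# conventional URL meaning "treat this file as Internet-zone content".
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)

# Assumption: only the head of the file is inspected. IE expects the mark near
# the top of the document; 2 KB is this script's own cut-off, not a documented limit.
SCAN_WINDOW = 2048


def parse_motw(html: str) -> Optional[Tuple[str, int, bool]]:
    """Return (url, declared_length, length_matches) for the first MOTW, else None."""
    m = MOTW_RE.search(html[:SCAN_WINDOW])
    if m is None:
        return None
    declared = int(m.group(1))
    url = m.group(2)
    return url, declared, declared == len(url)


def motw_status(html: str) -> str:
    """Classify a document: 'marked', 'malformed' (length field does not match
    the URL, i.e. the mark was hand-edited and should be corrected) or 'unmarked'."""
    parsed = parse_motw(html)
    if parsed is None:
        return "unmarked"
    return "marked" if parsed[2] else "malformed"


def add_motw(html: str, url: str = "about:internet") -> str:
    """Prepend a correctly formed MOTW. An existing mark is left alone so that a
    file already pinned to a restrictive zone is never re-marked by a script."""
    if parse_motw(html) is not None:
        return html
    return f"<!-- saved from url=({len(url):04d}){url} -->\n{html}"


def audit(docs: Dict[str, str]) -> Dict[str, str]:
    """Map each document name to its MOTW status: the check an administrator would
    run over local HTML files to see which ones still load in the Local Machine zone."""
    return {name: motw_status(body) for name, body in docs.items()}


# Constructed sample documents (not files from the post).
MARKED = "<!-- saved from url=(0014)about:internet -->\n<html><body>ok</body></html>"
UNMARKED = "<html><body><p>no mark</p></body></html>"
BAD_LENGTH = "<!-- saved from url=(0012)about:internet -->\n<html></html>"


if __name__ == "__main__":
    samples = {"marked.html": MARKED, "unmarked.html": UNMARKED, "badlen.html": BAD_LENGTH}
    for name, status in audit(samples).items():
        print(f"{name}: {status}")
    print(add_motw(UNMARKED).splitlines()[0])
```

Run against a directory of saved HTML files, the audit reports which ones have no mark (and so are still eligible for the Local Machine zone on a box without the lockdown) and which carry a mark whose length field no longer matches its URL.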

Here are some discussions of this:

Mark of the Web, posted in March 2005 at the IEBlog by Dave Massy of MS
Tricks with Mark of the Web: Behaviors, XML files, at Adi Oltean's (MSFT) AntiMail weblog
This UK site has good discussion of the issues surrounding the LocalMachine zone.
Changes to Functionality in Windows XP Service Pack 2 - Part 5: Enhanced Browsing Security
