<!-- saved from url=(0014)about:internet --> vs

G Doucet

I know I haven't done any HTML since I upgraded to winXP last November - I previously had win98 - but I'm getting errors that I
never had before.

Please note that I am currently working on a small "quick-reference" web site for my work. I am creating it on my home computer,
and then emailing the htm and image files to my work laptop. On occasion, I also email some files back to my home computer. Also
note that I create my htm files using NotePad, and some of my files do have short javascript code.

Anyway, one problem that has been bothering me is Internet Explorer's popup message which says something like this:

---------------
To help protect your security, Internet Explorer has restricted this file from showing active content that could access your
computer. Click here for options...
---------------

Also, I noticed that some links were no longer working and that while viewing files on my own hard drive, I could see on the bottom
right of the Internet Explorer window that it was treating some of my files as if they were risky - showing the red circle with the
white bar.



Well first, I found that when I email a file from my laptop to my home computer, it sets some kind of file attribute, and Internet
Explorer will treat this as a risky file, unless I clear this attribute in the file's properties.

Second, I found that when I email a file from my laptop to my home computer, it adds the comment text <!-- saved from
url=(0022)http://internet.e-mail --> to the top of my html code and thus some links don't appear to work unless I remove this
comment. BTW, is it my Outlook Express adding this, and if so, can I turn off this feature?

Third, I found that my IE6 will show that popup message on local files (for some reason) but I also found that I could add the
following to the top of my html file as a workaround <!-- saved from url=(0014)about:internet --> to apparently get Internet
Explorer to think it's a file from the Internet?



Now this workaround comment (as I call it) does get rid of that annoying popup, but it creates another problem for me. My anchors
that are linked to images no longer work. For example:

<a href="image.gif">motor gears</a>

This used to work, but nothing happens when you click on the above link with <!-- saved from url=(0014)about:internet --> at the top
of my file.

Can someone help me with this new XP environment?
G Doucet
 
Beauregard T. Shagnasty

G said:
Second, I found that when I email a file from my laptop to my home
computer, it adds the comment text <!-- saved from
url=(0022)http://internet.e-mail --> to the top of my html code and
thus some links don't appear to work unless I remove this comment.
BTW, is it my Outlook Express adding this, and if so, can I turn off
this feature?

I think (awfully sure) that Outlook Express is the culprit. Last year I
was assisting a newbie with writing html files. I would email a complete
file as an attachment. When she would do a Save from her OE, that line
would get added.

We never found a way to make it stop doing that. Each file she saved,
she then had to edit it with a text editor to remove that silly comment.

Try setting yourself up with a modern email client instead of OE.
Thunderbird should remove the problem.
http://www.mozilla.com/thunderbird/
 
John Hosking

G said:
Well first, I found that when I email a file from my laptop to my home computer, it sets some kind of file attribute, and Internet
Explorer will treat this as a risky file, unless I clear this attribute in the file's properties.

Second, I found that when I email a file from my laptop to my home computer, it adds the comment text <!-- saved from
url=(0022)http://internet.e-mail --> to the top of my html code and thus some links don't appear to work unless I remove this
comment. BTW, is it my Outlook Express adding this, and if so, can I turn off this feature?

Well, I don't know how you're doing the mailing now, but I would think
that if you took all the files (HTML, images, CSS, etc.) and zipped them
into one .zip file, and e-mailed yourself _that_, you wouldn't have any
problems with OE or anything else meddling in your files.
 
Jukka K. Korpela

G Doucet said:
- - I am currently working on a small "quick-reference"
web site for my work. I am creating it on my home computer, and then
emailing the htm and image files to my work laptop.

Others have suggested that you use email software other than Outlook Express
or send the files as zipped (which is easy when using Windows XP, since it
has built-in support for zipping). I guess either of those approaches is
sufficient for the problem you describe here and in your Subject: header,
but there's a little more.

Also, I noticed that some links were no longer working and that while
viewing files on my own hard drive, I could see on the bottom right
of the Internet Explorer window that it was treating some of my files
as if they were risky - showing the red circle with the white bar.

As far as I can see, the problem is that IE treats such a local file as
belonging to "risk zone" - even though if you view the Internet settings,
they probably show the risk zone as empty. This is tough for developers, but
it's meant to protect users who might have copies of www pages on their disk
without knowing about the problems. (Changing the properties of the risk
zone might not be a good idea, since some day you might really want to put
some sites into the risk zone.)

Thus, to test pages containing JavaScript code, it is best to test them
after uploading them onto a www server (though before announcing them or
linking to them). Naturally you can and normally should test everything else
locally. That way you will automatically test that the page works _somehow_
when JavaScript is disabled, too.

Well first, I found that when I email a file from my laptop to my
home computer, it sets some kind of file attribute, and Internet
Explorer will treat this as a risky file, unless I clear this
attribute in the file's properties.

Well spotted.

Second, I found that when I email a file from my laptop to my home
computer, it adds the comment text <!-- saved from
url=(0022)http://internet.e-mail --> to the top of my html code and
thus some links don't appear to work unless I remove this comment.

That sounds strange. Which kinds of links don't work? Are you referring just
to links to images as described later?

Anyway, that comment is harmful as such, since _anything_ before the
<!DOCTYPE> declaration throws IE into "quirks mode" (i.e., intentionally
broken mode of operation where IE 6+ simulates errors of older versions of
the browser).

BTW, is it my Outlook Express adding this, and if so, can I turn off
this feature?

It's certainly OE _on saving_ the file. The email message that you send with
IE does not contain such a string. OE adds it when saving the file (and even
if you just click on the attachment icon to open it in a browser).

Third, I found that my IE6 will show that popup message on local
files (for some reason) but I also found that I could add the
following to the top of my html file as a workaround <!-- saved
from url=(0014)about:internet --> to apparently get Internet Explorer
to think it's a file from the Internet?

That's quite astonishing. Apparently IE treats local files as being in the
risk zone _unless_ they have that magic comment _and_ have the "risky file
from the Internet" flag cleared. I might see some strange logic behind this,
which probably means I'm getting mad and they are going to take me away...

The way I see it is that IE actually _prevents_ JavaScript execution in this
case, or makes it dependent on the user's permission, depending on the security
settings for the risk zone.

Now this workaround comment (as I call it) does get rid of that
annoying popup, but it creates another problem for me. My anchors
that are linked to images no longer work. For example:
<a href="image.gif">motor gears</a>

I was able to reproduce the problem but then I got very confused: removing
the comment did not change the situation, and for a copy of the file things
were different. I should probably start testing from scratch (with a file
that was just created locally) - but I think I've seen enough and will just
avoid using OE to receive HTML attachments.
 
G Doucet

I guess I'm ok as far as sending files between the two computers, I was just wondering how and why my html files were being modified
in the process.

Also, the html files that I am writing will not be used on a web server. They will just be on my laptop's hard drive.

But being local files, Internet Explorer keeps showing a popup message on the html files which contain javascripts. This is really
annoying.

While searching the Internet about this, I found that by adding <!-- saved from url=(0014)about:internet --> at the top of my html
file, the popups go away. BTW, does anyone else use this?

But now my links to images don't work. Here's an example: I placed a test.htm file and image.gif file on my desktop. Test.htm is
like this:

<HTML>
<BODY>
<A href="image.gif" target="_blank">test</A>
</BODY>
</HTML>

And like this, the link works. But if I add that so called workaround comment, the link doesn't work. Example:

<!-- saved from url=(0014)about:internet -->
<HTML>
<BODY>
<A href="image.gif" target="_blank">test</A>
</BODY>
</HTML>

Any ideas why?
PS. My links to htm files are ok.
G Doucet
 
Dan

G said:
But being local files, Internet Explorer keeps showing a popup message on the html files which contain javascripts. This is really
annoying.

What does a *decent* browser, like Mozilla Firefox, do?
 
Jukka K. Korpela

G Doucet said:
I guess I'm ok as far as sending files between the two computers,

Are you responding to something? It is normal practice on Usenet to quote or
paraphrase what you are commenting on. It's now impossible to see whether
you understood the previous messages that suggested working ways to overcome
the problem.
 
aatcbbtccctc

G said:
Third, I found that my IE6 will show that popup message on
local files (for some reason) but I also found that I could add
the following to the top of my html file as a workaround
<!-- saved from url=(0014)about:internet --> to apparently
get Internet Explorer to think it's a file from the Internet?

This is the poorly known and generally misunderstood "Mark Of The Web",
or MOTW. It adjusts the operation of the "Local Machine Lockdown"
feature that was added in Windows XP SP2.

Quoting from elsewhere: "The role of the MOTW is more prominent with
IE6 for Windows XP SP2 because of increased security restrictions in
the Local Machine zone. When you are developing Web content, the MOTW
enables you to test your active HTML documents in the security zone
where you intend the pages to run, instead of in the increased security
restrictions of the Local Machine zone."

In short, with IE6 on XP SP2, local files are subjected, by default, to
*more* security restrictions (not *less*) than remote files. By adding
the MOTW, you tell IE6 to treat those files like remote files when
deciding what restrictions to apply to them.

HTH
TC (MVP MSAccess)
http://tc2.atspace.com
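
An added example, not part of any post in this thread: a small Python audit that finds the mark in HTML files, checks its length field, and flags a mark sitting ahead of the DOCTYPE. It assumes the four-digit field is the character count of the URL that follows (true of both marks quoted in the thread); the function names and sample files are constructed for illustration.

```python
import re

# Mark of the Web comment: <!-- saved from url=(NNNN)URL -->
# NNNN is taken to be the character count of URL (assumption stated in the lead-in).
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->", re.I | re.S)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)

# The two marks quoted in the thread; any other URL is reported as a saved page.
KNOWN_ORIGINS = {
    "about:internet": "generic Internet zone mark, typically added by hand",
    "http://internet.e-mail": "added by Outlook Express when saving an attachment",
}


def make_motw(url):
    """Build a mark with a correct four-digit length field."""
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def inspect_motw(html):
    """Return None when no mark is present, else a dict describing the first one."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    declared, url = int(m.group(1)), m.group(2)
    doctype = DOCTYPE_RE.search(html)
    return {
        "url": url,
        "declared_len": declared,
        "length_ok": declared == len(url),
        "origin": KNOWN_ORIGINS.get(url.lower(), "page saved from this URL"),
        # Raised in the thread: anything ahead of <!DOCTYPE> puts IE 6 in quirks mode.
        "precedes_doctype": doctype is not None and m.start() < doctype.start(),
    }


def audit(files):
    """Map each file name to a one-line finding a reviewer can act on."""
    report = {}
    for name, html in files.items():
        info = inspect_motw(html)
        if info is None:
            report[name] = "no mark"
        elif not info["length_ok"]:
            report[name] = (f"malformed mark: declares {info['declared_len']}, "
                            f"URL has {len(info['url'])} characters")
        else:
            note = "; mark precedes DOCTYPE" if info["precedes_doctype"] else ""
            report[name] = f"{info['url']} ({info['origin']}){note}"
    return report


# Constructed sample files; test.htm mirrors the test page posted in the thread.
SAMPLES = {
    "test.htm": make_motw("about:internet")
    + '\n<HTML>\n<BODY>\n<A href="image.gif" target="_blank">test</A>\n</BODY>\n</HTML>\n',
    "mailed.htm": '<!-- saved from url=(0022)http://internet.e-mail -->\n'
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">\n'
    "<html><body>quick reference</body></html>\n",
    "plain.htm": "<HTML><BODY>no mark here</BODY></HTML>\n",
    "edited.htm": "<!-- saved from url=(0014)http://example.com/page.htm -->\n<html></html>\n",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLES).items():
        print(f"{name}: {finding}")
```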
 
TC

(reposted with corrected Author)


G said:
Third, I found that my IE6 will show that popup message on
local files (for some reason) but I also found that I could add
the following to the top of my html file as a workaround
<!-- saved from url=(0014)about:internet --> to apparently
get Internet Explorer to think it's a file from the Internet?


This is the poorly known and generally misunderstood "Mark Of The Web",
or MOTW. It adjusts the operation of the "Local Machine Lockdown"
feature that was added in Windows XP SP2.

Quoting from elsewhere: "The role of the MOTW is more prominent with
IE6 for Windows XP SP2 because of increased security restrictions in
the Local Machine zone. When you are developing Web content, the MOTW
enables you to test your active HTML documents in the security zone
where you intend the pages to run, instead of in the increased security
restrictions of the Local Machine zone."


In short, with IE6 on XP SP2, local files are subjected, by default, to
*more* security restrictions (not *less*) than remote files. By adding
the MOTW, you tell IE6 to treat those files like remote files when
deciding what restrictions to apply to them.


HTH
TC (MVP MSAccess)
http://tc2.atspace.com
 
Andy Dingley

TC wrote:


This is the poorly known and generally misunderstood "Mark Of The Web",
or MOTW. It adjusts the operation of the "Local Machine Lockdown"
feature that was added in Windows XP SP2.

Hang on - have I got this right?

Suppose I'm an 3v1l h4xx0r d00d, out to perform evil upon your IE
browser. I manage to deploy my nasty payload to your machine, but IE
saves you because the local filesystem is now seen as untrustworthy
(I'll let the stupidity of this approach pass for a moment).

Now I'm thwarted and my evil doings are as naught. But if I add the
mystical incantation <!-- saved from url=(0014)about:internet --> to my
payload files, they'll start being powerfully evil again ?

Excuse me if I'm somewhat underwhelmed by this particular bit of
Security Theatre....
 
TC

Andy said:
Hang on - have I got this right?

Suppose I'm an 3v1l h4xx0r d00d, out to perform evil upon your IE
browser. I manage to deploy my nasty payload to your machine, but IE
saves you because the local filesystem is now seen as untrustworthy
(I'll let the stupidity of this approach pass for a moment).

Now I'm thwarted and my evil doings are as naught. But if I add the
mystical incantation <!-- saved from url=(0014)about:internet --> to my
payload files, they'll start being powerfully evil again ?

Excuse me if I'm somewhat underwhelmed by this particular bit of
Security Theatre....

1. The change increases the default security of the Local Zone. I think
that's a good idea.

2. It is not a "mystical incantation". It is clearly documented in
MSDN:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/motw.asp

3. It facilitates local testing of pages that will eventually be run
from other security zones (Internet, Restricted, Trusted, etc.).

TC (MVP MSAccess)
http://tc2.atspace.com
 
Andy Dingley

TC said:
1. The change increases the default security of the Local Zone. I think
that's a good idea.

You get to write to my filesystem, I'm 0wned already. Let's concentrate
on not having the first Bad Thing happen in the first place.

2. It is not a "mystical incantation". It is clearly documented in
MSDN:

That's the point. Here's a security measure that's well-intentioned, if
somewhat weak. Then they've publicly written down how to make a key
to unlock it.
 
TC

Andy said:
You get to write to my filesystem, I'm 0wned already.

No, that depends on what I can write, and where I can write it. I can't
own your PC by writing text files to the TEMP directory.

MOTW relates specifically to content written by browsers (possibly
running under restricted accounts) to the places that browsers can
actually write to. That is the context in which to discuss it. *All*
security mechanisms become irrelevant if the attacker can write
anything to anywhere.

That's the point. Here's a security measure that's well-intentioned, if
somewhat weak. Then they've publicly written down how to make a key
to unlock it.

Unlock what?

Go to groups.google.com. View the first few lines of the source
(without saving it). Now File : SaveAs the page, and look at the saved
source. You'll see that *IE itself* has added the MOTW. Run the saved
file locally - all is good. Now remove the MOTW, and run it again -
you'll get the active content warning.

Adding the MOTW has not "unlocked" anything. It has not let the page do
anything that it couldn't do before. It has not magically elevated the
page above the Internet Zone permissions.

TC (MVP MSAccess)
http://tc2.atspace.com
 
G Doucet

TC said:
No, that depends on what I can write, and where I can write it. I can't
own your PC by writing text files to the TEMP directory.

MOTW relates specifically to content written by browsers (possibly
running under restricted accounts) to the places that browsers can
actually write to. That is the context in which to discuss it. *All*
security mechanisms become irrelevant if the attacker can write
anything to anywhere.



Unlock what?

Go to groups.google.com. View the first few lines of the source
(without saving it). Now File : SaveAs the page, and look at the saved
source. You'll see that *IE itself* has added the MOTW. Run the saved
file locally - all is good. Now remove the MOTW, and run it again -
you'll get the active content warning.

Adding the MOTW has not "unlocked" anything. It has not let the page do
anything that it couldn't do before. It has not magically elevated the
page above the Internet Zone permissions.

TC (MVP MSAccess)
http://tc2.atspace.com

The Mark Of The Web must be generally misunderstood because I am at a loss.

It is written here http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/motw.asp that to mitigate the
security risk of attackers trying to exploit the Local Machine zone and its looser restrictions to access my computer, Internet
Explorer 6 for Windows XP SP2 "locks down" the Local Machine zone.


So I'm guessing that prior to Internet Explorer 6 for Windows XP SP2, the local zone was like a free for all, and that now with
Internet Explorer 6 for Windows XP SP2, the local zone is locked down. It must be because now I get prompted when I open one of my
own HTML files on my D: drive just because it has two lines of simple javascript!?

It is also written that the Mark of the Web (MOTW) is a feature of Microsoft Internet Explorer that enhances security by enabling
Internet Explorer to force Web pages to run in the security zone of the location the page was saved from as long as that security
zone is more restrictive than the Local Machine zone.

I don't know what that means "the location the page was saved from", because I created my own HTML files from scratch using notepad,
and I didn't save them from anywhere!?

It is also written there that by referencing the MOTW, Internet Explorer can force web pages into a zone that has more restrictions,
such as the Internet zone. At the same time, the MOTW cannot be used to elevate Web pages to a zone with fewer restrictions.

Well first they say that the local zone is locked down and now they say that the MOTW can't raise IE to a less restrictive zone.
It's not making sense. :p

Help.
G Doucet
 
Andy Dingley

TC said:
You'll see that *IE itself* has added the MOTW.

Agreed.

Now what's to stop the 3v1l h4xx0r adding that mark themselves, before
writing the page ?

This is annotation that says "Trust this page, it's OK really", but
it's also trivial to forge it.


If they _really_ needed a "MotW", then it should have used a
secure(sic) PK implementation and been made unforgeable.
 
TC

Andy said:
Agreed.

Now what's to stop the 3v1l h4xx0r adding that mark themselves, before writing the page ?

Nothing. But you still need to focus on who is creating the file & how
they are creating it.

o If the file is being created through the normal operation of IE,
then, including the MOTW does not /elevate/ the page's privileges (ie.
it does not make them /higher/ than they were before). It stops IE
/degrading/ the page's privileges (ie. making them /lower/ than they
were before). So the hacker is welcome to add the MOTW to their pages as
much as he likes. This does not gain him anything that he did not have
before. Indeed, as I have shown, IE will actually add the mark for him!

o If the file is being created by someone who has somehow obtained
unauthorized access to the local filesystem, then, all bets are off,
and the MOTW is irrelevant.

This is annotation that says "Trust this page, it's OK really", but it's also trivial to forge it.

No - that's not what it says. The MOTW says, "Dear IE, please run this
page under the security restrictions applicable to the Zone (Internet,
Trusted, or Restricted) that is applicable to the URL in the MOTW."

The only way that this would be a problem, is if a page from a website
in the Internet Zone, could include an MOTW that asked for that page to
be run in the Trusted Zone - thus illegally elevating the privileges of
that page.

I haven't tested that case myself, but, I'm absolutely confident that
MS know what they are doing with this, and therefore, that it would
*not* serve to elevate the untrusted page's security zone. But I will
test this in due course.

In summary, you shouldn't assume that the MS folks who designed this
feature, are total idiots, and have overlooked something as simple as
the hacker adding his own MOTW. They've made various security bloopers
over the years - but they aren't total idiots. You can't seriously
believe that there are folks in MS thinking: "D'oh!! We forgot that the
hacker could add an MOTW himself!!"

TC (MVP MSAccess)
http://tc2.atspace.com
 
TC

TC said:
I haven't tested that case myself, but, I'm absolutely confident that
MS know what they are doing with this, and therefore, that it would
*not* serve to elevate the untrusted page's security zone. But I will
test this in due course.

Here's what I'm guessing:

o A page author can *not* use an MOTW in such a way as to illegally
elevate the privileges of that page *when the page is run from the
relevant site on the web*. IE will prevent this somehow. (Perhaps it
will delete the illegal MOTW, or put the various MOTWs in some
particular order in the file, or whatever.)

But:

o A person with access to the local filesystem can add an MOTW to a
page, so when that page is run *from disk*, it will have higher
privileges than it had when it was run from the web. *But*, that's not
a break, because a person with access to the local filesystem can break
the system in arbitrary other ways, independent of the presence or
absence of MOTWs.

I'll see if testing confirms all this. But not now, as I am off for a
meal.

TC (MVP MSAccess)
http://tc2.atspace.com
 
TC

Back from dinner.

Here's my final guess, prior to actually testing it: IE will *ignore*
all MOTWs in pages that are run from the web (as opposed to pages that
are run from the local filesystem).

This, if true, would prove my contention that you can not use MOTW to
illegally elevate your page permissions - unless you have access to the
local filesystem (and can alter the filesystem copy of the page *and*
get the user to run it from there - in which case, the system is owned
regardless).

I'll test this tomorrow. But that's my bet on how it will work.

TC (MVP MSAccess)
http://tc2.atspace.com
 
