MHTML in Chromium

Posted byericlawPosted inbrowsers, webTags:, , , , , ,

The MHTML file format (aka “Webpage, single file”) allows a single file to contain the multiple resources that are used to load a webpage (script, css, images, etc).

Edge (Chromium) has an option to use the format when saving the current page via Ctrl+S or the Save page as... menu command:

Saving MHTML from Save Page As…

… but the browser’s code has limited support for the MHTML format, meaning that it often cannot render files that it itself did not create, and even when loading files that it did create, there are several intentional restrictions.

Restriction: No Script

Reloading a saved MHTML file in Edge/Chrome/Chromium/etc will disable script.

Interestingly, when Chromium saves an MHTML file, it omits the <script> and <noscript> blocks entirely. If you saved the MHTML file from another tool that included script, when reloaded in Chromium, its script is not executed and a notice is shown in the Developer Tools Console:

Restriction: Disabled Forms

When loading a MHTML file, form controls like text fields and buttons are disabled, preventing the user from filling or submitting a form:

Restriction: Resources May not load

Chromium uses very restrictive rules for Same-Origin-Policy evaluation that can often prevent embedded resources (including images and stylesheets from loading) properly, leading to missing content and console warnings:

Limitation: Encodings

Internet Explorer’s MHTML component supported a variety of content-encodings that are not supported in Chromium. I fixed one bug but there are numerous other limitations in MHTML support.

Workaround: IEMode

If you need to load legacy MHTML content to load in Edge, your best bet is to configure the file to load in IEMode.

Edge includes some code which attempts to automatically detect whether a given MHTML file is compatible with Edge mode, e.g. checking for a Saved by Blink marker:

UPDATE: Note that opening MHT files in Internet Explorer represents a large attack surface, because it means that a bad actor could send a victim a malicious MHT file that exploits a 0-day in Internet Explorer.

If the victim opens the downloaded MHT and it switches to load in IE Mode automatically, the attacker could possibly escape the weaker IE sandbox and cause havoc. As of Edge 118, a downloaded MHT file (identified by a Zone.Identifier alternate data stream, aka mark of the web) will not open in IE Mode automatically unless a new group policy is enabled to accept the security risk.

-Eric

Published by ericlaw

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now a GPM for Microsoft Defender. My words are my own, I do not speak for any other entity.

Leave a comment