
Guidelines on Active Content and Mobile Code



Wayne Jansen, Theodore Winograd, Karen A. Scarfone


Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation, to execute when the document is rendered. Like any technology, active content can be used to deliver essential services, but it can also become a source of vulnerability for exploitation by an attacker. The purpose of this document is to provide an overview of active content and mobile code technologies in use today and offer insights for making informed IT security decisions on their application and treatment. The discussion gives details about the threats, technology risks, and safeguards for end user systems, such as desktops and laptops. Although various end user applications, such as email clients, can involve active content, Web browsers remain the primary vehicle for delivery and are underscored in the discussion. The tenets presented for Web browsers apply equally well to other end user applications and can be inferred directly. [Supersedes SP 800-28 (October 2001):]
Special Publication (NIST SP) - 800-28 Ver 2
Report Number: 800-28 Ver 2


Keywords: Active content, email security, malware, mobile code, Web security


Jansen, W., Winograd, T. and Scarfone, K. (2008), Guidelines on Active Content and Mobile Code, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed June 18, 2024)



Created March 7, 2008, Updated February 19, 2017