Why does my browser warn about .mdz downloads?
You may see a security warning when downloading an .mdz file — Firefox in particular may describe it as an executable. Opening an .mdz file executes nothing. It is a standard ZIP archive holding plain Markdown text and media assets (see the spec); the format has no macro or scripting capability, and viewers only render its content. Like any archive, it can of course carry whatever files its author packed into it — treat extracted contents from unknown sources with the same caution as any downloaded ZIP. The browser warning, though, is about none of that. This page explains where it actually comes from and what can be done about it.
The short version
The .mdz extension has a legacy name collision. Long before MDZip, Microsoft Access (versions 97–2003) used .mdz for its Database Wizard Template files, which could carry macro code. Security tooling of that era added the whole Access family — .mda, .mdb, .mde, .mdt, .mdw, .mdz — to hardcoded "potentially dangerous" lists, and those lists are still in place today, two decades after Access stopped using the format.
The warning is triggered by the file extension alone. It says nothing about the actual file's content, where it came from, or what's inside it.
A short history of
.mdz: Access wasn't even the extension's only prior tenant. In the Winamp era,.mdzalso denoted a ZIP-compressed MOD tracker music module (alongside.s3z,.itz, and.xmz), playable directly in Winamp and music trackers. Amusingly, that.mdzwas also just a ZIP archive with different contents. That use is long dormant and appears on no caution lists — only the Access legacy does.
Where you'll encounter it
| Software | Behavior | Trigger |
|---|---|---|
| Firefox | Treats .mdz as an executable file type; download warnings, no "always open" association |
.mdz is in Firefox's built-in executable-extensions list (source, with the comment "Access Wizard Template") |
| Chrome / Edge | Mild: downloads you initiate proceed normally; automatic (non-clicked) downloads may be interrupted | .mdz is in Chromium's download file-type policy as ALLOW_ON_USER_GESTURE |
| Outlook (desktop, web, Outlook.com) | Blocks .mdz attachments entirely |
.mdz is on Microsoft's blocked-attachments list |
| Gmail | Not blocked (Gmail's list includes .mde but not .mdz) |
— |
Mitigations
For everyone
- The warning is safe to dismiss for files from a source you trust — in Chrome/Edge choose Keep, in Firefox choose Allow download. The warning reflects the extension's legacy, not the file's contents — which you can inspect yourself: rename it to
.zipand open it with any archive tool. - Share links, not attachments. Outlook blocks
.mdzas an attachment, but a download link works everywhere. - When email attachment is the only option, just rename it: add
.zipto the filename (document.mdz→document.mdz.zip). No re-compression needed — an.mdzalready is a ZIP, byte for byte, so the renamed file is a perfectly ordinary ZIP attachment. The recipient deletes the.zipsuffix to restore it, or opens it directly with any archive tool.
Firefox
There is no per-extension setting — the executable classification is compiled into the browser, not configurable via about:config. The warning can be dismissed per download. (We plan to request removal upstream; see below.)
Chrome / Edge (managed environments)
Administrators can exempt .mdz for specific domains with the ExemptDomainFileTypePairsFromFileTypeDownloadWarnings enterprise policy:
[{ "file_extension": "mdz", "domains": ["mdzip.org", "your-intranet.example"] }]
Outlook (receiving .mdz attachments)
For classic Outlook on Windows, the Level1Remove registry value unblocks specific extensions (adjust 16.0 to your Office version):
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security
Value: Level1Remove (String)
Data: .mdz
For Outlook on the web / Exchange Online, administrators can remove .mdz from the blocked list via Set-OwaMailboxPolicy (-BlockedFileTypes / -AllowedFileTypes).
What we're doing about it
- Correcting the record with file-extension databases (fileinfo.com and similar), which security vendors and search results draw from — this is gradually taking effect.
- Preparing upstream requests to Mozilla and the Chromium project to retire
.mdzfrom their lists, on the grounds that Access Wizard Templates have been obsolete since Access 2007 and the extension's active use today is MDZip. - We considered renaming the extension and decided against it: the plausible alternatives collide with other formats in active use, and the legacy lists are a fixable problem — the format itself is sound.
This page renders from mdz-warnings.mdz — one self-contained file. Download it, open it in the web editor, or read how these pages are made.