Closed Bug 435449 Opened 16 years ago Closed 16 years ago

Security message when trying to reference XML stylesheet in local system

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 397894

People

(Reporter: andrejohn.mas, Unassigned)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9) Gecko/2008051206 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9) Gecko/2008051206 Firefox/3.0

If I have an XML file that references a stylesheet, such as:

<?xml-stylesheet href="RenderDependencyDetails.xsl" type="text/xsl"?>

and the current path of both the xml and xsl are the local file system, then instead of having the page rendered I get a white page. Looking in the console I get a message:

Security Error: Content at file:///C:/Workspace/MyXmlDoc.xml may not load data from file:///C:/Workspace/xslref/RenderDependencyDetails.xsl.

If I put them into the path of an HTTP web server and reference them via http then the page renders (no security error).

I would expect a file on the local file system referencing another file on the local file system to not generate a security error and instead render the page. Basically a file referencing another file in the same context should be considered safe.

Note that I have compared behaviour with Safari 3.1.1, Opera 9.5 and IE6 and they are all able to render the XML document when both the XML and XSL are in the local file system. Firefox 3 is an exception. I haven't tested in Firefox 2, so I can't confirm whether this is a regression at this point. 

Reproducible: Always

Steps to Reproduce:
Note that while preparing the test case I noticed that if the file does not specify a relative path, i.e. it is in the same directory, then everything renders fine. What causes the failure in Firefox is when the file is not in the same directory, for example:

Case 1 (works):
  Files:  abcdef.xml, 123456.xsl
  stylesheet ref: <?xml-stylesheet href="123456.xsl" type="text/xsl"?>

  works fine: abcdef.xml makes reference to 123456.xsl 
   
Case 2 (fails):
  Files: data/abcdef.xml, xsl/123456.xsl
  stylesheet ref: <?xml-stylesheet href="../xsl/123456.xsl" type="text/xsl"?>

  fails: data/abcdef.xml makes reference to xsl/123456.xsl

Local file security has been tightened in Firefox 3. See http://ejohn.org/blog/tightened-local-file-security/ and bug 230606.

Couldn't there be an exception mechanism provided, like https web site certificates?

There is a pref you can toggle, see bug 397894 comment 6
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
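
The following is an added example, not part of the bug report or of Firefox: a small checker that reads the xml-stylesheet processing instruction from a document and reports where the referenced stylesheet sits relative to the document's directory. The function names and verdict labels are hypothetical; per the reporter's two cases, "same-dir" rendered and "outside-dir" (a ../ reference) was blocked, while "subdir" is reported separately because those two cases do not cover it.

```python
import re
from urllib.parse import urlsplit, unquote

PI_RE = re.compile(r"<\?xml-stylesheet\s+(.*?)\?>", re.S)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(["'])(.*?)\2""", re.S)

# Constructed sample mirroring Case 2 from the report.
CASE2_XML = ('<?xml version="1.0"?>\n'
             '<?xml-stylesheet href="../xsl/123456.xsl" type="text/xsl"?>\n'
             '<root/>')

def stylesheet_hrefs(xml_text):
    """Return the href of every xml-stylesheet processing instruction."""
    hrefs = []
    for body in PI_RE.findall(xml_text):
        attrs = {name: value for name, _quote, value in ATTR_RE.findall(body)}
        if "href" in attrs:
            hrefs.append(attrs["href"])
    return hrefs

def _segments(path):
    """Split a path and fold '.' and '..' segments without touching the disk."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == ".." and out and out[-1] != "..":
            out.pop()
        else:
            out.append(seg)
    return out

def classify(doc_path, href):
    """Relate a stylesheet href to the directory of the referencing document."""
    parts = urlsplit(href)
    if parts.scheme or parts.netloc or parts.path.startswith("/"):
        return "not-relative"          # absolute URL or path: out of scope here
    doc_dir = _segments(doc_path.replace("\\", "/"))[:-1]
    target_dir = _segments("/".join(doc_dir + [unquote(parts.path)]))[:-1]
    if target_dir == doc_dir:
        return "same-dir"              # Case 1 in the report: renders
    n = len(doc_dir)
    if target_dir[:n] == doc_dir and ".." not in target_dir[n:]:
        return "subdir"                # below the document's directory
    return "outside-dir"               # Case 2 in the report: blocked

def audit(doc_path, xml_text):
    """List (href, verdict) for each stylesheet reference in the document."""
    return [(h, classify(doc_path, h)) for h in stylesheet_hrefs(xml_text)]

if __name__ == "__main__":
    for href, verdict in audit("data/abcdef.xml", CASE2_XML):
        print(f"{href}: {verdict}")
```
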