Open
Bug 245463
Opened 20 years ago
Updated 2 years ago
Rich error report for stylesheets not loaded due to security
Categories
(Core :: XSLT, enhancement)
Tracking
()
NEW
People
(Reporter: dontneedyouraccount, Assigned: peterv)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040526 Firefox/0.8.0+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040526 Firefox/0.8.0+ Stylesheet at remote URL (http://www.gzegzolka.com/cvx.xsl) used by local XML file is not loading. Relative local URLs works fine. You can download "example.xml" at http://www.gzegzolka.com/example.xml (works fine online) and test it on your local drive. Reproducible: Always Steps to Reproduce: 1. Save "http://www.gzegzolka.com/example.xml" locally 2. Open local copy of "example.xml" in Firefox Actual Results: I see untransformed content. Expected Results: Show transformed content.
Comment 1•20 years ago
|
||
That is the expected behaviour, we do not allow cross site XSLT (which is the same as file <-> web) for security reasons.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 2•20 years ago
|
||
(In reply to comment #1) > That is the expected behaviour, we do not allow cross site XSLT (which is the > same as file <-> web) for security reasons. I don't think it's good not to allow sth "for security reasons". You may add option to allow cross site XSLT. It's great way to update a lot of world-wide-spread files by replacing XSL file on the web server. This time I prefer MSIE behaviour.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
a lot of unsecure things are usefull, and a lot of things in IE are unsecure. Neither of these properties makes them less unsecure.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 4•20 years ago
|
||
I'm still think it's bug. Why? Because it doesn't work. I don't see any error message, I see untransformed content without any information WHY it's untransformed. And I still think there should be a way to allow cross site XSLT.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
I think prefs to allow for unsecure features are in general frowned upon. Why should we include a feature that we recommend everyone to not turn on? Even if it is usefull for your application, you would expose all your users to a security risk. I agree though it could be argued that we need some sort of errorreporting. At least we should put a warning in the console.
Updated•20 years ago
|
Severity: major → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: keith → core.xslt
Summary: Stylesheet at remote URL used by local XML file is not loading → Rich error report for stylesheets not loaded due to security
Reporter | ||
Comment 6•20 years ago
|
||
I think best solution is Yes/No message box with `don't ask again` checkbox.
Comment 7•20 years ago
|
||
I don't want to see any more comments sounding like "security is an option". period.
Reporter | ||
Comment 8•20 years ago
|
||
(In reply to comment #7) > I don't want to see any more comments sounding like "security is an option". > period. So, don't turn your computer on. It's most secure, also for your eyes etc... ;-)
Could someone clarify something for me: are the security rules with regard to the loading of XSLT documents different from (or the same as) those that govern the location of CSS documents? If they are different (more strict), then why? What are the dangerous actions that the XSLT could perform that the CSS could not? The only thing that comes to mind would be an infinitely recursive XSLT document, but mozilla would be vulnerable to that even if it came from the same server as the xml document. It seems to me that a common application for client-side XSLT would be where the xml documents are generated dynamically from an application server, and where the xslt document is referenced from a static content server. To my mind that makes this restriction seem a bit severe.
(In reply to comment #9) > Could someone clarify something for me: are the security rules with regard to > the loading of XSLT documents different from (or the same as) those that > govern the location of CSS documents? > > If they are different (more strict), then why? Yes they are more strict. IIRC we decided this because XSLT can create scripts. With css it's relativly harmless to link to some random sites css file. However if you link to some random persons XSLT stylesheet that person could modify the stylesheet and then perform a cross-site script attack on your website. So this is not so much to protect the user as to protect the web-author. Though i'm not super convinced that this is needed. After all, we do support linking to .js files on random servers. Though there it is much more obvious that you should trust the site you're linking to.
Comment 11•19 years ago
|
||
> Though i'm not super convinced that this is needed. After all, we
> do support linking to .js files on random servers.
I'd like to see XSLT follow the same policy. Mozilla's current policy
is killing my opportunity to use client-side XSLT for a real project.
Why can't you just place a copy of the stylesheet that you want to use on the same server as your xml? We don't want to lower security without a very good usecase. There are still risks with allowing fetching data from other severs. Basically we'd allow an xml-file that potentially contains sensitive data to be loaded from other servers which could be located inside a firewall or password protected site. The only thing that'd stop us from loading just any xml file is that the file has to have an xsl:version attribute on the top level element to be a valid stylesheet.
Comment 13•19 years ago
|
||
The app server that produces the xml serves only dynamic content. The xslt is static content, and should reside on the static content server. (The app server's thread pool for handling http requests should not be bothered with this task, in my opinion.) The production installation happens to have a proxy that sits in front of both, so mozilla would work fine there. The killer is that setting up this special configuration on each developer seat just to accomodate this weakly-justified security policy in one browser is a hard one to sell. They'll just end up using IE, and no doubt make us dependent upon its quirks. I agree that we can jump through hoops to make this work. I just think that anything that encourages developers to use IE should give pause. Mozilla shouldn't bleed mindshare without a very good, specific reason. (Which I think we're still waiting on.)
Well, a very good reason is that allowing loading an XSLT from an arbitary server means that we allow loading XML data from arbitary servers, which would be a very big security problem. Such security issues has made headlines in the past. The only difference here would be that the data has to have a certain attribute set, but I'm far from convinced that that is enough. Possibly we could leverage the security model that webservices use. I don't know the details of it but basically a server is able to flag that it's allowed to connect to it from anywhere and that it doesn't contain sensitive information.
Comment 15•19 years ago
|
||
(In reply to comment #14) > Well, a very good reason is that allowing loading an XSLT from an arbitary > server means that we allow loading XML data from arbitary servers, which would > be a very big security problem. Such security issues has made headlines in the past. Exactly - loading cross domain XML files is a no-no. > The only difference here would be that the data has to have a certain attribute > set, but I'm far from convinced that that is enough. > > Possibly we could leverage the security model that webservices use. I don't know > the details of it but basically a server is able to flag that it's allowed to > connect to it from anywhere and that it doesn't contain sensitive information. The model is described in http://lxr.mozilla.org/mozilla/source/extensions/webservices/docs/New_Security_Model.html I guess we could consider the model for XSLT, but what we really need is to standardize it for doing cross domain XML loading.
Reporter | ||
Comment 16•19 years ago
|
||
I still think XSLT stylesheets are most useful when they are loaded from one server. I'm using many XML files on different machines and they all require the same XSLT stylesheet... Sometimes this stylesheet changes, how to replace it automatically on many different machines?
Reporter | ||
Comment 17•19 years ago
|
||
PS. ...this security model makes Mozilla XSLT useless for me.
Summary: Rich error report for stylesheets not loaded due to security → Rich error report for stylesheets not loaded due to "security ;-)"
Assignee | ||
Comment 18•19 years ago
|
||
Please stop spamming and doing useless changes.
Summary: Rich error report for stylesheets not loaded due to "security ;-)" → Rich error report for stylesheets not loaded due to security
Yeah, standardizing it for all XML seems like a good way to go. We could even hook it up in the nsExpatDriver which'll make it really apply to all xml. Though a more logical place would probably be the sinks, though unfortunatly that would mean codeduplication.
Comment 20•19 years ago
|
||
> Exactly - loading cross domain XML files is a no-no.
Is 'domain' here defined as in the standard DNS sense, or is there some
other meaning?
The reason that I ask is that I'm mostly interested in being able to fetch
my transform from a different machine in the same domain. (Or even from
the same IP address but a different port!)
Domain is, iirc, defined as compleate DNS name. I.e. not just 'foo.com' but 'www.sub.foo.com'. And a different port is also considered a different domain, i.e. 'www.foo.com' is different from 'www.foo.com:8081'
Comment 22•15 years ago
|
||
(In reply to comment #15) > (In reply to comment #14) > > Well, a very good reason is that allowing loading an XSLT from an arbitary > > server means that we allow loading XML data from arbitary servers, which would > > be a very big security problem. Such security issues has made headlines in the > past. > > Exactly - loading cross domain XML files is a no-no. Why? I really can't figure it out. Firefox can load script files from evil.com quite happily, so why not load xsl files that can only really load more documents, or format things, or insert scripts (which we can already load anyway). Also, if an XML file has a style-sheet and fail to find it, or is not authorized to get it, it should really display as if it had no style sheet, and pop down the yellow "this page try to.... ". A completely empty page and a notice in an error log that no one reads is not really helpful. bug 394708, which I found first, seems to be a dup of this, really.
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•