Open Bug 205294 Opened 22 years ago Updated 8 months ago

Signing XSLT/web-scripts-access.xml for remote file access with document()

Categories

(Core :: XSLT, enhancement)

Product:
Core
Component:
XSLT
Platform:
x86
Linux
Type:
enhancement

Tracking

()

People

(Reporter: dominique.hazael-massieux, Unassigned)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020610 Debian/1.2.5-1 Build Identifier: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020610 Debian/1.2.5-1 It's fairly easy to develop an XSLT-only rss newsreader, and using mozilla as the client for this newsreader should be straightforward (and would benefit from the good HTTP cache and implementation of the browser). But it's currently not really doable, because (with good reasons) Mozilla doesn't load documents from "foreign" URIs (the choice of the same domain as rule is debatable, but that's a whole different topic). In Javascript, you can sign your scripts and use a specific function to change this default behavior. Is there anything for this in the XSLT engine? (I don't mind if that means tweaking preferences by hand, I just wish there was a way to do it). [FWIW, I tested with Mozilla 1.4 and go the same result as with my current day to day version, Mozilla 1.0]. Reproducible: Always Steps to Reproduce:
The new security model described in http://lxr.mozilla.org/mozilla/source/extensions/webservices/docs/New_Security_Model.html might be a better alternative. (btw, that's a bad hack to get around namespaces ;-), I wonder if xpath2 has *:item) Mitch, the new security model page has a chapter on signed stuff, which sounds like you'd rather not see more places that use that. So, from a security review side, would you give a vote for signing, web-scripts-access.xml or both for XSLT document() function and loosing up same-site-policy?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Signing XSLT for remote files access with document() → Signing XSLT/web-scripts-access.xml for remote file access with document()
I thought I would drop my 2 cents in on this one. We're pretty open with our data to people within the company and we like to give people a lot of flexibility so many of our servers serve up XML. Using XSLT people can pull data together to create their own personal reports, or whatever they need. In our current environment, The XSLT may be served up by 1 machine while the root xml document is served up by another, and the XSLT calls out to another server to get related data. The current security model of mozilla is preventing us from moving the cpu and memory intensive transformations to the clients. The way we correlate data using the document function seems like a very legitimate use. Its certainly powerful. IE allows the user to specify trusted domains. Currently, Mozilla does not. It would extremely helpful to us (and our sad slow old machine) if it supported similar functionality. Not only that, but it would give us one more compelling reason to tell people to use mozilla instead of IE, which we love to do.
Trusted domains or security zones is a different solution to the same problem (and certainly a different bug, search bugzilla). That solution is not xslt specific and discussions about it does not belong in this bug.
QA Contact: keith → xslt
Severity: normal → S3

This might be doable using CSP now, not sure.

Assignee: peterv → nobody
You need to log in before you can comment on or make changes to this bug.