Closed Bug 236328 Opened 21 years ago Closed 21 years ago

xml-stylesheet will not allow remote href even if the XML file is local

Categories

(Core :: XSLT, enhancement)

Product:
Core
Component:
XSLT
Platform:
x86
Windows 2000
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: andy.dowling, Assigned: peterv)

References

Details

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:) Gecko/20040302 This isn't a bug per se, but here goes... The Mozilla security architecture prevents an XML file located on one site (say http://www.sitea.com/input.xml from referencing an XSL stylesheet on another site (http://www.siteb.com/style.xsl). For example, the preamle of input.xml includes: <?xml-stylesheet href="http://www.siteb.com/style.xsl" type="text/xml"?> It makes sense to deny this for security reasons. However, if input.xml is loaded into the browser from a *local* file, should the local input.xml not be permitted to reference a remote stylesheet? (i.e. similar to the Applet security model). Any comments? Thanks, Andy Reproducible: Always Steps to Reproduce: 1. 2. 3.
This is the general scheme mozilla uses in "no cross site scripting". We actually don't even implement that check in XSLT, we just call into the security manager, which deals with that the way it does.
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → WONTFIX
*** Bug 236332 has been marked as a duplicate of this bug. ***
*** Bug 294617 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.