Closed Bug 289666 Opened 20 years ago Closed 20 years ago

Security Error generated when trying to use XSLTProcessor on an asynchronous response to an XMLHttpRequest

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: morac, Assigned: dveditz)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

I am working with an xhtml file that fetches an XML file from a machine on my
LAN using XMLHttpRequest and then transforms it using the
XSLTProcessor.transformToFragment command.

Everything works fine if I do the fetch in synchronous mode, but if I use
asynchronous mode the following security exception is thrown when the
XSLTProcessor.transformToFragment() function tries to access the
XMLHttpRequest.responseXML field:

Error: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8
(NS_ERROR_DOM_SECURITY_ERR)"  location: "file:///file.xhtml Line: 58"]
Source File: file:///file.xhtml
Line: 58


Here is code that works.  The stylesheet is defined in the xhtml file.  I
changed the actual URL to "URL" since it is to a local machine on my LAN:

var xsltNS = 'http://www.w3.org/1999/XSL/Transform';
var xsltSheet = document.getElementsByTagNameNS(xsltNS, 'stylesheet')[0];
var xsltProcessor = new XSLTProcessor();
xsltProcessor.importStylesheet(xsltSheet);
var myXMLHTTPRequest = new XMLHttpRequest();
netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
myXMLHTTPRequest.open("GET", 'https://URL', false,'username','password');
myXMLHTTPRequest.send(null);
var xmlDoc = myXMLHTTPRequest.responseXML;
var fragment = xsltProcessor.transformToFragment(xmlDoc, document);


The following code generates a security error when the transformToFragment line
is hit:

function handleResponse()
{
  var xsltNS = 'http://www.w3.org/1999/XSL/Transform';
  var xsltSheet = document.getElementsByTagNameNS(xsltNS, 'stylesheet')[0];
  var xsltProcessor = new XSLTProcessor();
  xsltProcessor.importStylesheet(xsltSheet);
  var xmlDoc = myXMLHTTPRequest.responseXML;
  var fragment = xsltProcessor.transformToFragment(xmlDoc, document);
}

var myXMLHTTPRequest = new XMLHttpRequest();
netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
myXMLHTTPRequest.onreadystatechange = handleResponse;
myXMLHTTPRequest.open("GET", 'https://URL', true,'username','password');
myXMLHTTPRequest.send(null);


Since the XML file is generated on the fly, it can take a while to download and
in SYNC mode the browser is non-responsive until the response comes in, which is
why I want to use ASYNCH mode.

I can't see why using ASYNCH mode would be any less safe than using SYNC mode.
Shouldn't both versions of the code above have the same results?

Reproducible: Always

Steps to Reproduce:
1. Fetch an XML page using XMLHttpRequest in asynchronous mode.
2. Try to use XSLTProcessor.transformToFragment(...) to transform the XML to a node.

Actual Results:  
Error: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8
(NS_ERROR_DOM_SECURITY_ERR)"

Expected Results:  
Transformed the XML to a node as it does when XMLHttpRequest in synchronous mode
is used.

I entered the code that generated the error incorrectly. I left out the check
to see if the response came in.  It should read:

function handleResponse() {
  // if finished fetching page and no errors occurred
  if ((myXMLHTTPRequest.readyState == 4) &&
      (myXMLHTTPRequest.status < 300) &&
      (myXMLHTTPRequest.responseText != "")) {
    // same body as handleResponse() above
    var xsltNS = 'http://www.w3.org/1999/XSL/Transform';
    var xsltSheet = document.getElementsByTagNameNS(xsltNS, 'stylesheet')[0];
    var xsltProcessor = new XSLTProcessor();
    xsltProcessor.importStylesheet(xsltSheet);
    var xmlDoc = myXMLHTTPRequest.responseXML;
    var fragment = xsltProcessor.transformToFragment(xmlDoc, document);
  }
}

I tested this on the latest trunk build of Firefox as of April 9, 2005 and got
the same exact results.

Someone managed to get ASYNC working by inserting a 2nd 
netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
line as the first line in the handleResponse() function.

I'm withdrawing this bug, though it would have been nice if the browser spit out
a better error message.
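The working asynchronous flow assembled from this report's own pieces (the readyState/status check plus a second enablePrivilege() as the first line of the callback), as an added example that is not code from the bug or from Mozilla. enablePrivilege() has since been removed from Firefox, so this records the 2005 API shape rather than something to use today. The injected `xhr`/`priv` parameters, the stand-in objects in `makeStandIns` and the `runDemo` helper are assumptions added so the flow can be exercised offline.

```javascript
// Added example, not code from the bug report. The readystatechange callback
// runs on a fresh call stack, so the grant made before send() has lapsed by the
// time responseXML is read; the fix is to request it again inside the callback.
// `xhr` and `priv` are injected so this runs in a 2005 browser
// (new XMLHttpRequest(), netscape.security.PrivilegeManager) or offline below.
function fetchAndTransform(xhr, priv, xslt, targetDoc, url, user, pass, onDone, fixed) {
  function handleResponse() {
    if (fixed) { priv.enablePrivilege('UniversalBrowserRead'); }   // the fix
    // Only act once the fetch has finished without error.
    if (xhr.readyState === 4 && xhr.status < 300 && xhr.responseText !== '') {
      onDone(xslt.transformToFragment(xhr.responseXML, targetDoc));
    }
  }
  priv.enablePrivilege('UniversalBrowserRead');   // covers open()/send() only
  xhr.onreadystatechange = handleResponse;
  xhr.open('GET', url, true, user, pass);
  xhr.send(null);
}

// Constructed stand-ins (assumption) modelling the reported behaviour: the privilege
// manager holds one grant, the fake XHR drops it before firing the callback as a new
// stack would, and refuses responseXML without it.
function makeStandIns(xmlText) {
  var priv = { granted: false, enablePrivilege: function () { this.granted = true; } };
  var xhr = {
    readyState: 0, status: 0, responseText: '', onreadystatechange: null,
    open: function () { this.readyState = 1; },
    send: function () {
      priv.granted = false;                          // grant lapses across the hop
      this.readyState = 4; this.status = 200; this.responseText = xmlText;
      this.onreadystatechange();
    },
    get responseXML() {
      if (!priv.granted) { throw new Error('NS_ERROR_DOM_SECURITY_ERR'); }
      return { xml: this.responseText };             // stands in for a Document
    }
  };
  var xslt = { transformToFragment: function (doc) { return '<p>' + doc.xml + '</p>'; } };
  return { priv: priv, xhr: xhr, xslt: xslt };
}

// Returns the fragment when fixed, or the error the reporter saw when not.
function runDemo(fixed) {
  var s = makeStandIns('<item>42</item>'), result = null;
  try { fetchAndTransform(s.xhr, s.priv, s.xslt, {}, 'https://URL', 'username',
                          'password', function (f) { result = f; }, fixed); }
  catch (e) { return e.message; }
  return result;
}
```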
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID