Open Bug 315080 Opened 20 years ago Updated 3 years ago

XSLT throws security error when chrome xslt files want use document() with local file.

Categories

(Core :: XSLT, defect)

x86
Linux
defect

People

(Reporter: cyril.giraudon, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051104 Firefox/1.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051104 Firefox/1.5

A chrome extension or a xulrunner application can load an XSLT file from the chrome (or from the local file system). This XSLT file can use the XSLT document() function with a chrome file (chrome://...) but not with a local file (file://...), and raises a security error:

"Security error: Content at chrome://mytest/content/mytest.xul may not load data from file file:///home/cyril/mytest/xml"

at the line of the XSLT file:

<xsl:copy-of select="document('file:///home/cyril/mytest.xml')"/>

I think this is a penalizing behavior for local applications (or extensions).

Reproducible: Always

Steps to Reproduce:
1. Have a chrome extension.
2. Have an XSLTProcessor loading a chrome XSLT stylesheet "sheet.xslt".
3. Add the line <xsl:copy-of select="document('file:///home/cyril/mytest.xml')"/> to "sheet.xslt", where file:///home/cyril/mytest/xml is any local file.

Actual Results:
"Security error: Content at chrome://mytest/content/mytest.xul may not load data from file file:///home/cyril/mytest/xml"

Expected Results:
What happened with a chrome file:
<xsl:copy-of select="document('chrome:///home/cyril/mytest.xml')"/>
mytest.xml is inserted in the DOM.
The same holds true for <xsl:import/> statements. If you load an XSLT from a chrome:// URI which includes an import statement with href pointing to e.g. file:// or http://, the same security error is thrown. This renders XSLT files unable to include any other XSLT files unless they are coming from a chrome:// URI as well.
Assignee: peterv → xslt
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hmm.. do we want to allow chrome stylesheets to load stylesheets from anywhere else? I guess that would make sort of sense.
(In reply to comment #2)
> Hmm.. do we want to allow chrome stylesheets to load stylesheets from anywhere
> else? I guess that would make sort of sense.

I believe so. And doron said so as well.
Summary: XSLT throws secutity error when chrome xslt files want use document() with local file. → XSLT throws security error when chrome xslt files want use document() with local file.
I believe this bug is occurring for me too, where I have an XML document loaded in a <browser> or <iframe> element (via chrome URL) in a XUL application, with a PI referencing an XSLT at a chrome URL (or a local filesystem URL for that matter).

I want to help with this one, but need a point in the right direction. I'm not afraid of rolling up my sleeves and doing some C++.
Copying Axel on this, as we've had some discussion about it already...
Assignee: xslt → nobody
QA Contact: keith → xslt
Severity: normal → S3