Security message when trying to reference XML stylesheet in local system

RESOLVED DUPLICATE of bug 397894

Status

()

Firefox
General
RESOLVED DUPLICATE of bug 397894
10 years ago
10 years ago

People

(Reporter: Andre-John Mas, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9) Gecko/2008051206 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9) Gecko/2008051206 Firefox/3.0

If I have a an XML file that references an styleheet, such as:

<?xml-stylesheet href="RenderDependencyDetails.xsl" type="text/xsl"?>

and the current path of both the xml and xsl are the local file system, then instead of having the page rendered I get a white page. Looking in the console I get a message:

Security Error: Content at file:///C:/Workspace/MyXmlDoc.xml may not load data from file:///C:/Workspace/xslref/RenderDependencyDetails.xsl.

If I put into the path of an http web server and reference them via http then the page renders (no security error).

I would expect a file on the local file system referencing another file on the local file system to not generate a security error and instead render the page. Basically an file referencing another file in the same context should be considered safe.

Note that I have compared behaviour with Safari 3.1.1, Opera 9.5 and IE6 and they are all able to render the XML document when both the XML and XSL are in the local file system. Firefox 3 is an exception. I haven't tested in Firefox 2, so I can't confirm whether this is a regression at this point. 

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
(Reporter)

Comment 1

10 years ago
Created attachment 322265 [details]
Test case illustrating the issue

Note, that while preparing the test case I notice that if the file does not specify a relative path, ie it is in the same directory, then everything renders fine. What causes the failure in Firefox is when the file is not in the same directory, for example:

Case 1 (works):
  Files:  abcdef.xml, 123456.xsl
  stylehseet ref: <?xml-stylesheet href="123456.xsl" type="text/xsl"?>	

  works fine: abcdef.xml makes reference to 123456.xsl 
   
Case 2 (fails):
  Files: data/abcdef.xml, xsl/123456.xsl
  stylehseet ref: <?xml-stylesheet href="../xsl/123456.xsl" type="text/xsl"?>

  fails: data/abcdef.xml makes reference to xsl/123456.xsl

Comment 2

10 years ago
Local file security has been tightened in Firefox 3. See http://ejohn.org/blog/tightened-local-file-security/ and bug 230606
(Reporter)

Comment 3

10 years ago
Couldn't there be an exception mechanism provided, like https web site certificates?

Comment 4

10 years ago
There is a pref you can toggle, see bug 397894 comment 6
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 397894
You need to log in before you can comment on or make changes to this bug.