User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9) Gecko/2008051206 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9) Gecko/2008051206 Firefox/3.0

If I have an XML file that references a stylesheet, such as:

<?xml-stylesheet href="RenderDependencyDetails.xsl" type="text/xsl"?>

and the current path of both the XML and XSL is the local file system, then instead of having the page rendered I get a white page. Looking in the console I get a message:

Security Error: Content at file:///C:/Workspace/MyXmlDoc.xml may not load data from file:///C:/Workspace/xslref/RenderDependencyDetails.xsl.

If I put them into the path of an HTTP web server and reference them via http then the page renders (no security error).

I would expect a file on the local file system referencing another file on the local file system to not generate a security error and instead render the page. Basically a file referencing another file in the same context should be considered safe.

Note that I have compared behaviour with Safari 3.1.1, Opera 9.5 and IE6 and they are all able to render the XML document when both the XML and XSL are in the local file system. Firefox 3 is an exception. I haven't tested in Firefox 2, so I can't confirm whether this is a regression at this point.

Reproducible: Always

Steps to Reproduce: 1. 2. 3.
Created attachment 322265
Test case illustrating the issue

Note that while preparing the test case I noticed that if the file does not specify a relative path, i.e. it is in the same directory, then everything renders fine. What causes the failure in Firefox is when the file is not in the same directory, for example:

Case 1 (works):
Files: abcdef.xml, 123456.xsl
stylesheet ref: <?xml-stylesheet href="123456.xsl" type="text/xsl"?>
works fine: abcdef.xml makes reference to 123456.xsl

Case 2 (fails):
Files: data/abcdef.xml, xsl/123456.xsl
stylesheet ref: <?xml-stylesheet href="../xsl/123456.xsl" type="text/xsl"?>
fails: data/abcdef.xml makes reference to xsl/123456.xsl
Local file security has been tightened in Firefox 3. See http://ejohn.org/blog/tightened-local-file-security/ and bug 230606
Couldn't there be an exception mechanism provided, like https web site certificates?
There is a pref you can toggle, see bug 397894 comment 6
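An added example, not part of the original bug thread and not Mozilla code: a small JavaScript (Node.js) check that reads the xml-stylesheet processing instructions of a local XML document and flags any reference that resolves outside the document's own directory, which is the condition reported above as triggering the security error. The function names and the same-directory comparison are assumptions modelled on the cases in this thread, not Firefox's actual implementation.

```javascript
// Added example (not Mozilla code). Assumption taken from the cases in this
// thread: a local XML document loads its stylesheet only when the resolved
// file: URI sits in the document's own directory.

// Directory part of a URL path, including the trailing "/".
function directoryOf(url) {
  return url.pathname.slice(0, url.pathname.lastIndexOf("/") + 1);
}

// Resolve href against the document URI and compare the two directories.
function checkLocalRef(docUri, href) {
  const source = new URL(docUri);
  const target = new URL(href, source); // also collapses "../" segments
  if (source.protocol !== "file:" || target.protocol !== "file:") {
    throw new RangeError("only file: to file: references are modelled here");
  }
  const sameDirectory =
    source.host === target.host && directoryOf(source) === directoryOf(target);
  return { target: target.href, sameDirectory };
}

// Collect the href pseudo-attribute of every xml-stylesheet instruction.
function stylesheetHrefs(xmlText) {
  const hrefs = [];
  for (const pi of xmlText.matchAll(/<\?xml-stylesheet\s+([\s\S]*?)\?>/g)) {
    const m = /(?:^|\s)href\s*=\s*(?:"([^"]*)"|'([^']*)')/.exec(pi[1]);
    if (m) hrefs.push(m[1] ?? m[2]);
  }
  return hrefs;
}

// One result per stylesheet reference found in the document text.
function auditStylesheets(docUri, xmlText) {
  return stylesheetHrefs(xmlText).map((href) => ({
    href,
    ...checkLocalRef(docUri, href),
  }));
}

// Constructed sample documents mirroring Case 1 and Case 2 of the report.
const CASE_1 = '<?xml-stylesheet href="123456.xsl" type="text/xsl"?><root/>';
const CASE_2 = '<?xml-stylesheet href="../xsl/123456.xsl" type="text/xsl"?><root/>';

console.log(auditStylesheets("file:///C:/Workspace/abcdef.xml", CASE_1));
console.log(auditStylesheets("file:///C:/Workspace/data/abcdef.xml", CASE_2));
```

References reported with `sameDirectory: false` are the ones to move next to the XML file or to serve over HTTP, as described in the report.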