OASIS Mailing List Archives


   RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains


I just verified the behaviour you're reporting (in IE6).
But if I add markuplanguage.oss4u.de to the "Trusted Sites" zone in IE, and 
allow cross-domain scripting for these sites, everything works fine.

I don't think there's a problem here.

-Wayne Steele

>From: Jim Ancona <scarhill@yahoo.com>
>Reply-To: jim@anconafamily.com
>To: xml-dev@lists.xml.org
>CC: Sebastian Schnitzenbaumer <schnitz@mozquito.com>
>Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across 
>domains
>Date: Thu, 8 Aug 2002 09:10:05 -0700 (PDT)
>
>--- Sebastian Schnitzenbaumer <schnitz@mozquito.com> wrote:
> > http://markuplanguage.oss4u.de/test3.xml
> > references http://www.w3.org/Style/XSL/stylesheets/public2html.xsl
> >
> > This works in Mozilla (the result looks bogus, I'm just testing), my IE6
> > says access denied. I just want to hear from someone "yes, this is true,
> > we've known this for years, or, no, actually it does work, you must
> > have some other bug". Please let me know...
>
>Note that MSDN[1] says the URI in the xsl-stylesheet PI "is the Uniform
>Resource Identifier (URI) of the style sheet. This URI is relative to the
>location of the XML document itself." The W3C REC that defines the PI[2]
>has no such restriction.
>
>Since Microsoft allows the <msxsl:script> extension which permits embedded
>script code in stylesheets, it might be that this behavior is designed to
>prevent some kind of cross-site scripting exploit.
>
>Jim
>
>[1] - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsdk/htm/xml_concepts_369f.asp
>
>[2] - http://www.w3.org/TR/xml-stylesheet/
>
>=====
>Jim Ancona
>jim@anconafamily.com                     jancona@xevo.com
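
The failing case in this thread is a stylesheet PI whose href points at a different host from the XML document. As an added example (not part of the thread, and not IE's actual zone logic), this Node.js script lists a document's xml-stylesheet PIs in the prolog and flags cross-origin references so they can be reviewed before deployment. The scheme/host/port origin comparison, the function names, the `ignored.example` host and the sample document are assumptions made for illustration.

```javascript
// Added example (not from the thread). SAMPLE_XML is constructed; the
// document URL and the w3.org stylesheet URL are the ones quoted in the thread.
const SAMPLE_DOC_URL = 'http://markuplanguage.oss4u.de/test3.xml';
const SAMPLE_XML = [
  '<?xml version="1.0"?>',
  '<!-- <?xml-stylesheet href="http://ignored.example/x.xsl"?> -->',
  '<?xml-stylesheet type="text/xsl" href="http://www.w3.org/Style/XSL/stylesheets/public2html.xsl"?>',
  "<?xml-stylesheet type='text/xsl' href='local.xsl' alternate='yes'?>",
  '<doc><?xml-stylesheet href="http://ignored.example/y.xsl"?></doc>',
].join('\n');

// Parse PI pseudo-attributes (name="value" or name='value').
// Simplification: character references inside values are not decoded.
function parsePseudoAttrs(data) {
  const attrs = {};
  const re = /([A-Za-z_][\w.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  for (const m of data.matchAll(re)) attrs[m[1]] = m[2] !== undefined ? m[2] : m[3];
  return attrs;
}

// List the xml-stylesheet PIs in the prolog of xmlText, resolving each href
// against docUrl and flagging those whose origin differs from the document's.
function auditStylesheetPIs(xmlText, docUrl) {
  const base = new URL(docUrl);
  const text = xmlText.replace(/<!--[\s\S]*?-->/g, ''); // drop commented-out PIs
  const rootStart = text.search(/<[A-Za-z_]/);          // first element start tag
  const prolog = rootStart === -1 ? text : text.slice(0, rootStart);
  const findings = [];
  for (const m of prolog.matchAll(/<\?xml-stylesheet\s+([\s\S]*?)\?>/g)) {
    const attrs = parsePseudoAttrs(m[1]);
    if (attrs.href === undefined) continue;
    let resolved = null;
    try { resolved = new URL(attrs.href, base); } catch (e) { /* unparseable href */ }
    findings.push({
      href: attrs.href,
      type: attrs.type || null,
      resolved: resolved ? resolved.href : null,
      // An href that cannot be parsed is reported as cross-origin (fail closed).
      crossOrigin: resolved === null || resolved.origin !== base.origin,
    });
  }
  return findings;
}

for (const f of auditStylesheetPIs(SAMPLE_XML, SAMPLE_DOC_URL)) {
  console.log(f.crossOrigin ? 'CROSS-ORIGIN' : 'same-origin ', f.resolved);
}
```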
