Wayne,
thanks for checking.
I have my blog in RSS. I want to see the RSS file
with an XSL stylesheet from somewhere else
on the web and allow other people to see this too.
(i.e. an XSL for printing as a web service)
I have to expect IE users won't see this page
until they add my site to the trusted zone. I do
see a problem here. They don't understand why all this
is necessary, it's supposed to be a stylesheet
and just work over the web, like CSS does.
Instead it seems like it is being handled as a
program that needs local quarantine. Why is it
dangerous to load an XSL from somewhere else?
- Sebastian
-----Original Message-----
From: Wayne Steele
Sent: Wed 14.08.2002 21:23
To: jim@anconafamily.com; xml-dev@lists.xml.org
Cc: Sebastian Schnitzenbaumer
Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
I just verified the behaviour you're reporting (in IE6).
But if I add markuplanguage.oss4u.de to the "Trusted Sites" zone in IE, and
allow cross-domain scripting for these sites, everything works fine.
I don't think there's a problem here.
-Wayne Steele
>From: Jim Ancona <scarhill@yahoo.com>
>Reply-To: jim@anconafamily.com
>To: xml-dev@lists.xml.org
>CC: Sebastian Schnitzenbaumer <schnitz@mozquito.com>
>Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
>Date: Thu, 8 Aug 2002 09:10:05 -0700 (PDT)
>
>--- Sebastian Schnitzenbaumer <schnitz@mozquito.com> wrote:
> > http://markuplanguage.oss4u.de/test3.xml
> > references http://www.w3.org/Style/XSL/stylesheets/public2html.xsl
> >
> > This works in Mozilla (the result looks bogus, I'm just testing), my IE6
> > says access denied. I just want to hear from someone "yes, this is true,
> > we've known this for years, or, no, actually it does work, you must
> > have some other bug". Please let me know...
>
>Note that MSDN[1] says the URI in the xsl-stylesheet PI "is the Uniform
>Resource Identifier (URI) of the style sheet. This URI is relative to the
>location of the XML document itself." The W3C REC that defines the PI[2]
>has no such restriction.
>
>Since Microsoft allows the <msxsl:script> extension which permits embedded
>script code in stylesheets, it might be that this behavior is designed to
>prevent some kind of cross-site scripting exploit.
>
>Jim
>
>[1] - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsdk/htm/xml_concepts_369f.asp
>
>[2] - http://www.w3.org/TR/xml-stylesheet/
>
>=====
>Jim Ancona
>jim@anconafamily.com jancona@xevo.com
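An added example, not code from any poster in this thread: a small audit helper that reads the `xml-stylesheet` processing instruction of a document, resolves its `href` against the document URL, and reports whether the stylesheet comes from a different origin, plus a check for `<msxsl:script>` in a stylesheet. The function names and the sample markup are constructed for illustration; only the two URLs come from the thread.

```python
import re
from urllib.parse import urljoin, urlsplit
from xml.dom import minidom

MSXSL_NS = "urn:schemas-microsoft-com:xslt"  # namespace bound to the msxsl: prefix
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of an absolute URL, with default ports filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def stylesheet_refs(xml_text, doc_url):
    """List (absolute_href, is_cross_origin) for each xml-stylesheet PI in the prolog."""
    refs = []
    for node in minidom.parseString(xml_text).childNodes:
        if node.nodeType != node.PROCESSING_INSTRUCTION_NODE or node.target != "xml-stylesheet":
            continue
        # PI data is a flat string of pseudo-attributes: href="..." type="..."
        pseudo = dict(re.findall(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']', node.data))
        if "href" in pseudo:
            href = urljoin(doc_url, pseudo["href"])  # relative hrefs resolve against the document
            refs.append((href, origin(href) != origin(doc_url)))
    return refs

def has_embedded_script(xsl_text):
    """True if the stylesheet contains an <msxsl:script> element anywhere."""
    return bool(minidom.parseString(xsl_text).getElementsByTagNameNS(MSXSL_NS, "script"))

# Constructed samples: the two URLs are the ones quoted in the thread, the markup is made up.
DOC_URL = "http://markuplanguage.oss4u.de/test3.xml"
CROSS_XML = ('<?xml-stylesheet type="text/xsl" '
             'href="http://www.w3.org/Style/XSL/stylesheets/public2html.xsl"?><doc/>')
LOCAL_XML = '<?xml-stylesheet type="text/xsl" href="print.xsl"?><doc/>'
SCRIPTED_XSL = ('<xsl:stylesheet version="1.0" '
                'xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
                'xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:u="urn:example">'
                '<msxsl:script language="JScript" implements-prefix="u">'
                'function one() { return 1; }</msxsl:script></xsl:stylesheet>')
PLAIN_XSL = ('<xsl:stylesheet version="1.0" '
             'xmlns:xsl="http://www.w3.org/1999/XSL/Transform"/>')

if __name__ == "__main__":
    for name, xml in (("cross", CROSS_XML), ("local", LOCAL_XML)):
        print(name, stylesheet_refs(xml, DOC_URL))
    print("scripted:", has_embedded_script(SCRIPTED_XSL), "plain:", has_embedded_script(PLAIN_XSL))
```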