OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains

[ Lists Home | Date Index | Thread Index ]

I don't know the specific reasons why IE decided to disable this, but I think Wayne is on the right track.  Some of the reason may also be implementation-driven.  The browser itself runs as a trusted application on the desktop, but any plugins that are run within the browser are assumed to be untrustworthy.  Since the browser calls the XSLT transform as a plugin (COM) component, it subjects the XSLT processor to the same security constraints that would be applied to any other plugin.
 
On the one hand, you could say, "It should treat XSLT processor the same way as CSS", but on the other hand you might say "thank heavens that people can't take control of my machine by exploiting buffer overruns in the XSLT processor."  In other words, the CSS linking code is trusted at a higher level than the XSLT processor (since it's part of the app), but maybe it's a good thing that XSLT is less trusted.  To run XSLT at the same privilege level would mean that you are assuming the XSLT processor is completely free of any security vulnerabilities.  And, since the spec only discusses how to attach CSS styles (and IE probably uses different syntax than what can be inferred from other relevant standards for attaching XSLT) the IE behavior with XSLT is basically a "convention", albeit a defacto one shared by Netscape.  So there isn't a compelling standards-conformance reason to support this, and especially not considering the risks of "what if we found six months later that there was a buffer overrun exploit?"  So from a risk/benefit standpoint, it is "better safe than sorry".
 
Also, people across the industry these days are getting really paranoid about scenarios that involve connecting to network resources on a users behalf.  Even innocent-seeming things like an external entity in XML that will be expanded inline.  There are all sorts of ways to trick a mass of people into unwittingly performing a denial-of-service attack against a target server, by tricking their web browser or xml parser into resolving some external references.  So I think in the current environment, there would even be some people who think that it was a mistake to let CSS link stuff on other domains.
 
Just some thoughts..
 
 
-----Original Message----- 
From: Wayne Steele [mailto:xmlmaster@hotmail.com] 
Sent: Wed 8/14/2002 5:40 PM 
To: schnitz@mozquito.com; jim@anconafamily.com; xml-dev@lists.xml.org 
Cc: 
Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains



	1. XSL Stylesheets can (in IE's implemetation) execute Javascript and
	VBScript code.
	
	2. There is a bunch of literature on "Cross Site Scripting" attacks. see
	http://www.google.com/search?q=cross+site+scripting
	I don't really understand the problem, but I do know that it's real.
	
	3. Are you even allowed to load CSS from any arbitrary URL, or does it give
	you the same errors?
	
	4. Why can't just you put the XSL on the same domain?
	<aside>I wonder what would happen if you put it there as an HTTP redirect to
	the "real one" out on the web?</aside>
	
	-Wayne Steele
	
	
	>From: "Sebastian Schnitzenbaumer" <schnitz@mozquito.com>
	>To: "Wayne Steele"
	><xmlmaster@hotmail.com>,<jim@anconafamily.com>,<xml-dev@lists.xml.org>
	>Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across
	>domains
	>Date: Thu, 15 Aug 2002 01:07:42 +0200
	>
	>Wayne,
	>
	>thanks for checking.
	>
	>I have my blog in RSS. I want to see the RSS file
	>with an XSL stylesheet from somewhere else
	>on the web and allow other people to see this too.
	>(ie. a XSL for printing as a web service)
	>
	>I have to expect IE users won't see this page
	>until they add my site to the trusted zone. I do
	>see a problem here. They don't understand why all this
	>is necessary, it's supposed to be a stylesheet
	>and just work over the web, like CSS does.
	>Instead it seems like it is being handled as a
	>program that needs local quarantine. Why is it
	>dangerous to load an XSL from somewhere else?
	>
	>- Sebastian
	>
	>
	>
	>       -----Ursprüngliche Nachricht-----
	>       Von: Wayne Steele
	>       Gesendet: Mi 14.08.2002 21:23
	>       An: jim@anconafamily.com; xml-dev@lists.xml.org
	>       Cc: Sebastian Schnitzenbaumer
	>       Betreff: RE: [xml-dev] What the .... ? Referencing XSL
	>stylesheets across domains
	>
	>
	>
	>       I just verified the behaviour you're reporting (in IE6).
	>       But if I add markuplanguage.oss4u.de to the "Trusted Sites" zone
	>in IE, and
	>       allow cross-domain scripting for these sites, everything works
	>fine.
	>
	>       I don't think there's a problem here.
	>
	>       -Wayne Steele
	>
	>       >From: Jim Ancona <scarhill@yahoo.com>
	>       >Reply-To: jim@anconafamily.com
	>       >To: xml-dev@lists.xml.org
	>       >CC: Sebastian Schnitzenbaumer <schnitz@mozquito.com>
	>       >Subject: RE: [xml-dev] What the .... ? Referencing XSL
	>stylesheets across
	>       >domains
	>       >Date: Thu, 8 Aug 2002 09:10:05 -0700 (PDT)
	>       >
	>       >--- Sebastian Schnitzenbaumer <schnitz@mozquito.com> wrote:
	>       > > http://markuplanguage.oss4u.de/test3.xml
	>       > > references
	>http://www.w3.org/Style/XSL/stylesheets/public2html.xsl
	>       > >
	>       > > This works in Mozilla (the result looks bogus, I'm just
	>testing), my IE6
	>       > > says access denied. I just want to hear from someone "yes,
	>this is true,
	>       > > we've known this for years, or, no, actually it does work,
	>you must
	>       > > have some other bug". Please let me know...
	>       >
	>       >Note that MSDN[1] says the URI in the xsl-stylesheet PI "is the
	>Uniform
	>       >Resource Identifier (URI) of the style sheet. This URI is
	>relative to the
	>       >location of the XML document itself." The W3C REC that defines
	>the PI[2]
	>       >has no
	>       >such restriction.
	>       >
	>       >Since Microsoft allows the <msxsl:script> extension which
	>permits embedded
	>       >script code in stylesheets, it might be that this behavior is
	>designed to
	>       >prevent some kind of cross-site scripting exploit.
	>       >
	>       >Jim
	>       >
	>       >[1] -
	>
	> >http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsdk
	>/htm/xml_concepts_369f.asp
	>       >
	>       >[2] - http://www.w3.org/TR/xml-stylesheet/
	>       >
	>       >=====
	>       >Jim Ancona
	>       >jim@anconafamily.com                     jancona@xevo.com
	>
	>
	>
	>_________________________________________________________________
	>       Send and receive Hotmail on your mobile device:
	>http://mobile.msn.com
	>
	>
	>
	
	
	
	
	_________________________________________________________________
	Join the world’s largest e-mail service with MSN Hotmail.
	http://www.hotmail.com
	
	
	-----------------------------------------------------------------
	The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
	initiative of OASIS <http://www.oasis-open.org>
	
	The list archives are at http://lists.xml.org/archives/xml-dev/
	
	To subscribe or unsubscribe from this list use the subscription
	manager: <http://lists.xml.org/ob/adm.pl>
	
	





 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS