   RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains

I missed most of this discussion, but I came across this problem a while
ago too (if I'm understanding the problem right :)).

The two options:

1. Add the domain you are trying to access into the Trusted Sites of IE.

2. The option I chose was slightly "odd". Well, we had a load of
stylesheets in multiple domains so I didn't have much option (I never
architected the infrastructure!!). When the stylesheet was referenced I
simply replaced the server stylesheet with a ServerXmlHttp which
retrieved the appropriate stylesheet and wrote it back. It solved all my
probs and had no cross domain issues.

Is that any use? I know it's not great. This cross domain thing has its
pluses and minuses. IE isn't to know the other stylesheet isn't
malicious...but I think some kind of quarantine of the stylesheet that
is on the other domain and a check prior to execution would be very
useful.

Cheers,
Steven.
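Steven's second option, a same-origin server-side fetch of the remote stylesheet, combined with the "quarantine and check prior to execution" idea he mentions, sketched in Python as an added example. This is not code from the thread or from any of the posters; the allowed host names, the in-memory `fake_fetch` stand-in for the HTTP request, and the two sample stylesheets are all constructed for the example. The check refuses any stylesheet that carries a `script` element in any namespace (MSXML's `msxsl:script` among them) or that imports/includes from a host outside the allowlist, so the browser only ever receives a same-origin, script-free stylesheet.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts the proxy is permitted to fetch stylesheets from (constructed example value).
# Without this allowlist a fetch-and-relay endpoint would fetch whatever URL it is handed.
ALLOWED_HOSTS = {"styles.example.org"}

XSL_NS = "http://www.w3.org/1999/XSL/Transform"


def _local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def check_stylesheet(xml_bytes):
    """Return the reasons a stylesheet should be refused; an empty list means it passed."""
    problems = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag not in (f"{{{XSL_NS}}}stylesheet", f"{{{XSL_NS}}}transform"):
        problems.append("root element is not xsl:stylesheet")
    for el in root.iter():
        # Any 'script' element, whatever its namespace, means embedded code.
        if _local_name(el.tag) == "script":
            problems.append(f"embedded script block: {el.tag}")
        # Imports and includes pull in further stylesheets; hold them to the same allowlist.
        if el.tag in (f"{{{XSL_NS}}}import", f"{{{XSL_NS}}}include"):
            host = urlparse(el.get("href", "")).hostname
            if host and host not in ALLOWED_HOSTS:
                problems.append(f"{_local_name(el.tag)} from non-allowlisted host: {host}")
    return problems


def proxy_stylesheet(url, fetch):
    """Same-origin relay: allowlist the host, fetch, check, then serve. Returns (status, body)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return 403, b"stylesheet host not allowed"
    body = fetch(url)
    problems = check_stylesheet(body)
    if problems:
        return 403, "; ".join(problems).encode()
    return 200, body


# Constructed sample stylesheets: one plain, one with an MSXML script extension block.
CLEAN_XSL = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><body><xsl:value-of select="/doc/title"/></body></html>
  </xsl:template>
</xsl:stylesheet>"""

SCRIPTED_XSL = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:example-user">
  <msxsl:script language="JScript" implements-prefix="user">
    function shout(s) { return s.toUpperCase(); }
  </msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:shout('hi')"/></xsl:template>
</xsl:stylesheet>"""

# Constructed stand-in for the remote fetch so the example runs offline.
FAKE_REMOTE = {
    "https://styles.example.org/clean.xsl": CLEAN_XSL,
    "https://styles.example.org/scripted.xsl": SCRIPTED_XSL,
}


def fake_fetch(url):
    return FAKE_REMOTE[url]


if __name__ == "__main__":
    for u in ("https://styles.example.org/clean.xsl",
              "https://styles.example.org/scripted.xsl",
              "https://other.example.net/any.xsl"):
        status, body = proxy_stylesheet(u, fake_fetch)
        print(u, "->", status, body[:60])
```

Serving the relayed stylesheet from the page's own origin is what makes IE stop treating it as cross-domain, so the check in `check_stylesheet` is the only thing standing between the remote author and the client: that is why it refuses rather than strips script blocks, and why included stylesheets are held to the same host allowlist.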

-----Original Message-----
From: Sebastian Schnitzenbaumer [mailto:schnitz@mozquito.com] 
Sent: 15 August 2002 16:49
To: Dare Obasanjo; bryan; xml-dev@lists.xml.org
Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets
across domains

And I agree too, of course. But that wasn't the issue. I never
asked about VBscript in my XSL in the first place. And I
wasn't aware how harmful XSL can be. An XML stylesheet
wasn't meant to be a security problem in the first place,
and extending it for some 20% cases (allowing scripts) so it is 
treated as a security problem for the other 80% cases (just
using XSL as it is) doesn't make sense to me. CSS 
was never extended with scripts and works just fine 
cross-domain in IE and all other browsers. Why
can't just the stylesheets with scripts get the quarantine
behaviour? Why must every cross-domain XSL be treated as if 
it would contain a malicious script, even though it doesn't use
script at all? This would be similar to saying you can't view
plain HTML pages unless it's a trusted site because the HTML
could possibly contain a malicious script. 
 
As it stands, I'm afraid your cure is worse than the disease,
 
- Sebastian

	-----Original Message----- 
	From: Dare Obasanjo 
	Sent: Thu 15.08.2002 16:39 
	To: Sebastian Schnitzenbaumer; bryan; xml-dev@lists.xml.org 
	Cc: 
	Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
	
	

	Security and convenience are a continuum. In today's internet connected
	world, one typically has to trade up some convenience if they want
	security. We are all witnesses to what happened when Microsoft leaned
	more towards convenience than security in our products. I'm quite glad
	that we've decided to shift to the other side and trade up convenience
	for more security.
	
	I'm sure many others agree.
	
	        -----Original Message-----
	        From: Sebastian Schnitzenbaumer [mailto:schnitz@mozquito.com]
	        Sent: Thu 8/15/2002 5:52 AM
	        To: bryan; xml-dev@lists.xml.org
	        Cc:
	        Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
	       
	       
	
	        I've invented this great new language the other day, it only
	        has four characters: °, o, 8 and .
	       
	        So now I would say:
	       
	        .oo88o°8o°°...°.8ooo
	       
	        and
	       
	        ...oo8o8o°o°o8.o.o8.oo.8°°..
	       
	        and sometimes I'd even express myself thru
	        ooo888°°°
	        or, in very special cases, I'd say
	        °°°888ooo
	       
	        I wrote a poem the other day:
	        o..8.o.88.°°°.8.ooo.o88o°°°°
	        ..o8.8ooo8.oo8.ooo.8°8°8°8
	        ooo..o.88o°8o°8o°8o°oo°°°°
	       
	        Beautiful, isn't it?
	       
	        Oh, you can't read this? I'm afraid the stylesheet that someone
	        else did that translates this into english is considered harmful...
	        Please understand! You must be protected, this evil stylesheet
	        could:
	       
	        - Make you blind thru evil use of colors and contrast
	        - Collapse the wave function so the probability of your
	        desktop being different in the future is slightly increased.
	       
	        - Sebastian
	       
	       
	       
	       
	       
	                -----Original Message-----
	                From: bryan
	                Sent: Thu 15.08.2002 11:08
	                To: xml-dev@lists.xml.org
	                Cc:
	                Subject: RE: [xml-dev] What the .... ? Referencing XSL stylesheets across domains
	              
	              
	       
	                Sebastian Schnitzenbaumer wrote:
	                >>Why is it
	                >>dangerous to load an XSL from somewhere else?
	              
	                Joshua Allen wrote:
	                >On the one hand, you could say, "It should treat XSLT processor the
	                >same way as CSS", but on the other hand you might say "thank heavens
	                >that people can't take control of my machine by exploiting buffer
	                >overruns in the XSLT processor."
	              
	                I don't think you could say "it should treat XSLT processor the same
	                way as CSS" what with the possibility to create extension functions
	                that use vbscript, javascript, can call com components etc.
	              
	                By the way, in case anyone didn't see this article:
	                http://www.theregister.co.uk/content/archive/24815.html
	              
	                MS downloads wd-xsl to Windows-XP for search. Not the same subject
	                but somewhat related.