Should schemas fetched via an HTTP redirect be trusted?

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

From: "Costello, Roger L." <costello@mitre.org>
To: "xml-dev@lists.xml.org" <xml-dev@lists.xml.org>
Date: Mon, 29 Jun 2015 18:37:23 +0000

Hi Folks,

Thank you Liam for the excellent explanation.

Consider this scenario:

An XML Schema contains this xs:import element:

	<xs:import schemaLocation="http://www.example.com/book.xsd"; />

At validation time the XML schema validator dereferences the URL in schemaLocation.

The web server at http://www.example.com returns an HTTP redirect (status code = 307) to this URL: http://www.elsewhere.com/book.xsd 

The HTTP layer that lies under, and is used by, the schema validator receives the redirect status code and then fetches the schema at http://www.elsewhere.com/book.xsd 

Should that fetched schema be trusted?

How do I know if the schema validator is actually using the right schemas?

Should schema validation ever be done using schemas that are not local?

/Roger

Follow-Ups:
- Re: [xml-dev] Should schemas fetched via an HTTP redirect be trusted?
  - From: David Carlisle <d.p.carlisle@gmail.com>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]