Dexhian

Wednesday, February 21, 2007

Cross-domain XSLT document() function in Firefox

I'm a fan of Firefox, for many good reasons tied to both my user and developer experiences. So I was frustrated at first when I discovered a feature that all browsers seem to implement well, except Firefox. Explanation:

This feature is related to the XSLT processor embedded in the browser, which I'm using to quickly render XML documents into HTML without having to set up a web application.

Here is a sample:
1. the XML page opened directly with the browser:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="backend-system-versions.xsl" type="text/xml"?>
<?xml-stylesheet href="backend-system-versions.xsl" type="text/xsl"?><!-- IE hack -->

<services>
<service href="http://my.server1/RestService1"/>
<service href="http://my.server2/RestService2"/>
</services>

Note: this XML doc refers to the web services RestService1 and RestService2 on two different domains, my.server1 and my.server2. Each is supposed to return the following XML, which I integrate into my page:


<?xml version="1.0" encoding="UTF-8"?>
<root>
... useful things ...
</root>


2. the XSL stylesheet looks like:


<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">

<!-- For each service, fetch the XML at @href and render its root element -->
<xsl:template match="service">
<xsl:apply-templates select="document(@href)/root">
</xsl:apply-templates>
</xsl:template>

<xsl:template match="root">
... nice HTML rendering ...
</xsl:template>
...

</xsl:stylesheet>

The issue with Firefox is the document(@href) function call, which opens the XML document found at the URI contained in the href attribute of the service node. Well... on IE and Safari it does, but not on Firefox 2.

According to Firefox bug #353886, this is to avoid a security hole.

It means that if my XSL stylesheet contains a document('https://your.bank/account') call and your browser (IE or Safari) has your certificate to access your bank account, my page hosted on my server accesses your bank account and you are in trouble...

So, is Firefox the only secure browser? I'm not frustrated anymore :)

Now, as a general note, trying to access a foreign domain using either the XSLT document() function or an XMLHttpRequest is a fault. Your web browser should not allow that.

Or at least it should inform you of what the page is trying to do. Maybe an option for Firefox?

Anyway, I have to set up a webapp for my stuff now...
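
The restriction discussed above can be modelled as a same-origin check on each URI handed to document(@href). This is an added example, not code from the original post or from Firefox; it assumes the usual scheme/host/port origin comparison and a page served from http://my.server1/backend-system-versions.xml, and the helper names serviceHrefs and auditDocumentLoads are hypothetical.

```javascript
// Added example (not from the original post): a model of the same-origin
// decision for XSLT document() loads. Helper names and all URLs other than
// the post's my.server1 / my.server2 services are constructed.

// Pull the href of every <service> element out of the source XML.
// A regex is enough for this constructed sample; use a real XML parser
// for arbitrary input.
function serviceHrefs(xml) {
  return [...xml.matchAll(/<service\s+href="([^"]*)"\s*\/>/g)].map(m => m[1]);
}

// Decide, for each URI passed to document(@href), whether a same-origin
// policy would let the load proceed. Relative URIs resolve against the
// source XML page, because the argument is a node from that document.
function auditDocumentLoads(pageUrl, xml) {
  const page = new URL(pageUrl);
  return serviceHrefs(xml).map(href => {
    const target = new URL(href, page);
    // In this model, opaque origins (e.g. file:) serialize as "null"
    // and are never treated as matching anything.
    const sameOrigin = page.origin !== "null" && target.origin === page.origin;
    return { href, resolved: target.href, allowed: sameOrigin };
  });
}

// Constructed sample: the post's two services plus same-host variants.
const SAMPLE_XML = `<services>
  <service href="http://my.server1/RestService1"/>
  <service href="http://my.server2/RestService2"/>
  <service href="RestService3"/>
  <service href="https://my.server1/RestService1"/>
  <service href="http://my.server1:8080/RestService1"/>
</services>`;

const PAGE_URL = "http://my.server1/backend-system-versions.xml"; // assumed location

for (const r of auditDocumentLoads(PAGE_URL, SAMPLE_XML)) {
  console.log(r.allowed ? "ALLOW" : "BLOCK", r.resolved);
}
```

Only the same-host, same-scheme, same-port entries are allowed; a different scheme or port on my.server1 counts as a foreign origin just like my.server2 does.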


7 Comments:

  • Please, can you send me a Joost invitation? I am in Spain and I do not know anybody here who has one...

    If yes (I hope), please send it to

    jmnieves@gmail.com

    Thanks

    JM

    By Blogger José Manuel, at 11:29 AM  

  • Please, can you send me a Joost invitation?
    If yes (I hope), please send it to

    doubletao@hotmail.com

    By Anonymous Anonymous, at 6:00 PM  

  • Hi,

    I am looking for a Joost Invite. This seems like a great program and I would really like to be part of this experiment.
    Please send the invite to:

    forthefamily443@yahoo.com

    Thank you,
    Forthefamily443

    By Anonymous Anonymous, at 9:29 PM  

  • Hello Thibault,

    Nice blog, well done!
    I know you are getting a lot of requests for Joost invitations; still, if you could send me one, that would be really nice. I could discover this new medium.

    Thanks in advance, and keep up the good work.

    Cyrille

    Cyrilleb77@hotmail.com

    By Anonymous Anonymous, at 5:35 PM  

  • Hello Thibault,
    It is my turn to request an invitation to join the world of Joost, which interests me greatly.
    Thanks in advance,
    Robert Allard

    robert-allard@videotron.ca

    By Anonymous Anonymous, at 2:39 AM  

  • Funny that I am about the fifth to ask you for an invite... for Joost... it seems like a long shot but nevertheless I'll try...
    My name is Korinna and I am a doctor... working in Sweden... I hope and wish you are not in need of any medical advice, but just in case... I am available...
    Yours truly,
    Korinna
    korinnazoi@yahoo.com

    By Anonymous korinna, at 11:23 PM  

  • Korinna, you are not the fifth... you are just commenting on the wrong post ;)

    .Thibault.

    By Blogger Thibault Cantegrel, at 2:30 PM  
