RE: What the .... ? Referencing XSL stylesheets across domains

I missed most of this discussion, but I came across this problem a while ago too (if I'm understanding the problem right :)).

The two options:

1. Add the domain you are trying to access into the Trusted Sites of IE.

2. The option I chose was slightly "odd". Well, we had a load of stylesheets in multiple domains so I didn't have much option (I never architected the infrastructure!!). When the stylesheet was referenced I simply replaced the server stylesheet with a ServerXmlHttp which retrieved the appropriate stylesheet and wrote it back. It solved all my probs and had to cross domain issues.

That any use? I know it's not great. This cross domain thing has its pluses and minuses. IE isn't to know the other stylesheet isn't malicious...but I think some kind of quarantine of the stylesheet that is on the other domain and check prior to execution would be very useful.

Cheers,
Steven.

-----Original Message-----
From: Sebastian Schnitzenbaumer [mailto:schnitz@m...]
Sent: 15 August 2002 16:49
To: Dare Obasanjo; bryan; xml-dev@l...
Subject: RE: What the .... ? Referencing XSL stylesheets across domains

And I agree too, of course. But that wasn't the issue. I never asked about VBscript in my XSL in the first place. And I wasn't aware how harmful XSL can be.

An XML stylesheet wasn't meant to be a security problem in the first place, and extending it for some 20% cases (allowing scripts) so it is treated as a security problem for the other 80% cases (just using XSL as it is) doesn't make sense to me.

CSS was never extended with scripts and works just fine cross-domain in IE and all other browsers. Why can't just the stylesheets with scripts get the quarantine behaviour? Why must every cross-domain XSL be treated as if it would contain a malicious script, even though it doesn't use script at all?

This would be similar to saying you can't view plain HTML pages unless it's a trusted site because the HTML could possibly contain a malicious script.
As it stands, I'm afraid your cure is worse than the disease,

- Sebastian

-----Original Message-----
From: Dare Obasanjo
Sent: Thu 15.08.2002 16:39
To: Sebastian Schnitzenbaumer; bryan; xml-dev@l...
Cc:
Subject: RE: What the .... ? Referencing XSL stylesheets across domains

Security and convenience are a continuum. In today's internet connected world, one typically has to trade up some convenience if they want security. We are all witnesses to what happened when Microsoft leaned more towards convenience than security in our products. I'm quite glad that we've decided to shift to the other side and trade up convenience for more security. I'm sure many others agree.

-----Original Message-----
From: Sebastian Schnitzenbaumer [mailto:schnitz@m...]
Sent: Thu 8/15/2002 5:52 AM
To: bryan; xml-dev@l...
Cc:
Subject: RE: What the .... ? Referencing XSL stylesheets across domains

I've invented this great new language the other day, it only has four characters: °, o, 8 and .

So now I would say:

.oo88o°8o°°...°.8ooo

and

...oo8o8o°o°o8.o.o8.oo.8°°..

and sometimes I'd even express myself thru

ooo888°°°

or, in very special cases, I'd say

°°°888ooo

I wrote a poem the other day:

o..8.o.88.°°°.8.ooo.o88o°°°°
..o8.8ooo8.oo8.ooo.8°8°8°8
ooo..o.88o°8o°8o°8o°oo°°°°

Beautiful, isn't it? Oh, you can't read this? I'm afraid the stylesheet that someone else did that translates this into english is considered harmful... Please understand! You must be protected, this evil stylesheet could:

- Make you blind thru evil use of colors and contrast
- Collapse the wave function so the probability of your desktop being different in the future is slightly increased.

- Sebastian

-----Original Message-----
From: bryan
Sent: Thu 15.08.2002 11:08
To: xml-dev@l...
Cc:
Subject: RE: What the .... ? Referencing XSL stylesheets across domains

Sebastian Schnitzenbaumer wrote:
>>Why is it
>>dangerous to load an XSL from somewhere else?

Joshua Allen wrote:
>On the one hand, you could say, "It should treat XSLT processor the same
>way as CSS", but on the other hand you might say "thank heavens that people
>can't take control of my machine by exploiting buffer overruns in the XSLT
>processor."

I don't think you could say "it should treat XSLT processor the same way as CSS" what with the possibility to create extensions functions that use vbscript, javascript, can call com components etc.

By the way, in case anyone didn't see this article: http://www.theregister.co.uk/content/archive/24815.html MS downloads wd-xsl to Windows-XP for search. Not the same subject but somewhat related.

-----------------------------------------------------------------
The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
initiative of OASIS <http://www.oasis-open.org>

The list archives are at http://lists.xml.org/archives/xml-dev/

To subscribe or unsubscribe from this list use the subscription
manager: <http://lists.xml.org/ob/adm.pl>
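
The "check prior to execution" idea from this thread, sketched for a server-side proxy that has already fetched the remote stylesheet. This is an added example, not code from any of the messages above. The function name `audit_stylesheet`, the UTF-8-only policy and the sample documents are assumptions, and the script element names (`msxsl:script`, and `script`/`eval` in the WD-xsl namespace) come from MSXML rather than from the thread.

```python
import xml.etree.ElementTree as ET

XSLT = "http://www.w3.org/1999/XSL/Transform"
WD_XSL = "http://www.w3.org/TR/WD-xsl"       # older IE-era dialect (wd-xsl)
MSXSL = "urn:schemas-microsoft-com:xslt"     # namespace of msxsl:script

SCRIPT_TAGS = {f"{{{MSXSL}}}script", f"{{{WD_XSL}}}script", f"{{{WD_XSL}}}eval"}
CHAINED_LOADS = {f"{{{XSLT}}}import", f"{{{XSLT}}}include"}
EXT_ATTRS = ("extension-element-prefixes", f"{{{XSLT}}}extension-element-prefixes")


def audit_stylesheet(data: bytes) -> list:
    """Hypothetical helper: reasons to quarantine; [] means no script found."""
    try:
        text = data.decode("utf-8")          # assumption: proxy accepts UTF-8 only
    except UnicodeDecodeError:
        return ["not UTF-8"]
    if "<!DOCTYPE" in text:                  # refuse DTDs rather than expand entities
        return ["DOCTYPE present"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons = []
    for el in root.iter():
        if el.tag in SCRIPT_TAGS:
            reasons.append(f"script block (language={el.get('language', 'unspecified')})")
        elif el.tag in CHAINED_LOADS:
            reasons.append(f"loads another stylesheet: {el.get('href')}")
        if any(el.get(a) for a in EXT_ATTRS):
            reasons.append("declares extension elements")
    return reasons


# Constructed samples: a declarative stylesheet and one carrying a script block.
PLAIN = b"""<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><p><xsl:value-of select="poem"/></p></xsl:template>
</xsl:stylesheet>"""

SCRIPTED = b"""<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:u="urn:example:user">
  <msxsl:script language="VBScript" implements-prefix="u">' body omitted</msxsl:script>
  <xsl:include href="http://other.example/more.xsl"/>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, doc in (("PLAIN", PLAIN), ("SCRIPTED", SCRIPTED)):
        print(name, audit_stylesheet(doc) or "serve as-is")
```

A proxy would write the stylesheet back only when the returned list is empty; anything else is held for review, which gives the quarantine-only-scripted-stylesheets behaviour asked for in the thread.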