Should schemas fetched via an HTTP redirect be trusted?

From: "Costello, Roger L." <costello@mitre.org>
To: "xml-dev@lists.xml.org" <xml-dev@lists.xml.org>
Date: Mon, 29 Jun 2015 18:37:23 +0000

Play the video

Hi Folks,

Thank you Liam for the excellent explanation.

Consider this scenario:

An XML Schema contains this xs:import element:

	<xs:import schemaLocation="http://www.example.com/book.xsd" />

At validation time the XML schema validator dereferences the URL in schemaLocation.

The web server at http://www.example.com returns an HTTP redirect (status code = 307) to this URL: http://www.elsewhere.com/book.xsd 

The HTTP layer that lies under, and is used by, the schema validator receives the redirect status code and then fetches the schema at http://www.elsewhere.com/book.xsd 

Should that fetched schema be trusted?

How do I know if the schema validator is actually using the right schemas?

Should schema validation ever be done using schemas that are not local?

/Roger

Follow-Ups:
- Re: Should schemas fetched via an HTTP redirect be trusted?
  - From: David Carlisle <d.p.carlisle@gmail.com>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index]

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Subscribe in XML format

RSS 2.0
Atom 0.3

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.

Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

XML Editor - Download a 15 Day Free Trial Now >

See What's New in Stylus Studio >

Buy Stylus Studio - XML Editor - Now >