[Webkit-unassigned] [Bug 10313] xsl:import and document() don't work in stylesheets loaded via XMLHttpRequest

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 2 13:56:29 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=10313
--- Comment #66 from Martin Blom <martin at blom.org>  2010-09-02 13:56:28 PST ---
(In reply to comment #57)

Adam and Alexey,

Here's how I would assume that things should work:

* A stylesheet loaded via XHR has its "Referer-URI" set to the final
  redirect and a security origin created from that URI.
* A stylesheet loaded by the PI has its Referer-URI set to the final
  redirect and a security origin created from that URI.
* A stylesheet created from document.implementation inherits Referer-URI
  and security origin from document.
* A stylesheet created from DOMParser.parseFromString inherits Referer-URI
  and security origin from the frame's document.
* A stylesheet created from another stylesheet using
  XSLTProcessor.transformToDocument() inherits Referer-URI and security
  origin from the frame's document.

When the stylesheet is executed, its security origin is used to check if a
child sheet can be loaded and to create the Origin header. If so, its
"Referer-URI" should be used as the Referer header.

* A stylesheet loaded via xsl:include, xsl:import or the document() XPath
function etc. has its "Referer-URI" set to the final redirect and a security
origin created from that URI.

Are my assumptions correct here?

Also, I don't understand Adam's concerns about DOMParser.parseFromString().
How can parsing an XML document in any way open up for XSS attacks? Sure,
you can take the node and insert it into your DOM or execute it as a
stylesheet, but how is that different from doing eval() on any other
string? Indeed, embedding a small stylesheet in JS code that uses a few
xsl:import tags sounds quite useful to me, and I would expect it to work.

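As an added example, not part of the comment above and not WebKit code: a small JavaScript model of the rules Martin lays out, covering both the list of load routes and the later sentence on how the security origin and Referer-URI are used when a sheet loads a child. The function names (originOf, sheetContext, childLoad), the route labels and all URLs are constructed for illustration. The model also follows the comment literally on one point it leaves open: a child fetched through a redirect gets its origin from the final URL, and that origin then governs the child's own loads.

```javascript
// Constructed model of the Referer-URI / security-origin rules proposed in
// the comment. Function names, route labels and URLs are assumptions.

// Web origin of a URL (scheme + host + port). Non-http(s) URLs get the
// opaque origin, written "null" as it appears in the Origin header.
function originOf(urlString) {
  const u = new URL(urlString);
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.origin : 'null';
}

// Routes by which a stylesheet comes into existence, grouped as the comment
// groups them: fetched from the network, or created from in-page data.
const NETWORK_ROUTES = new Set(['xhr', 'pi', 'xsl:include', 'xsl:import', 'document()']);
const INHERIT_ROUTES = new Set([
  'document.implementation',
  'DOMParser.parseFromString',
  'XSLTProcessor.transformToDocument',
]);

// Build a stylesheet's context.
//   finalURL         - URL after following all redirects (network routes)
//   frameDocumentURL - URL of the frame's document (inherit routes)
function sheetContext(route, { finalURL, frameDocumentURL }) {
  if (NETWORK_ROUTES.has(route)) {
    return { refererURI: finalURL, securityOrigin: originOf(finalURL) };
  }
  if (INHERIT_ROUTES.has(route)) {
    return { refererURI: frameDocumentURL, securityOrigin: originOf(frameDocumentURL) };
  }
  throw new Error(`unknown route: ${route}`);
}

// An executing stylesheet asks to load a child sheet via xsl:import,
// xsl:include or document(). The parent's security origin decides whether
// the load is allowed and becomes the Origin header; the parent's
// Referer-URI becomes the Referer header. `redirects` is a constructed list
// of Location targets the server answers with; the child's own context is
// built from the last of them (or from childURL when there are none).
function childLoad(parent, route, childURL, redirects = []) {
  const childOrigin = originOf(childURL);
  if (childOrigin !== parent.securityOrigin) {
    return { allowed: false, reason: `${childOrigin} is not ${parent.securityOrigin}` };
  }
  const finalURL = redirects.length ? redirects[redirects.length - 1] : childURL;
  return {
    allowed: true,
    headers: { Origin: parent.securityOrigin, Referer: parent.refererURI },
    child: sheetContext(route, { finalURL }),
  };
}
```

Two things the model makes visible: a stylesheet embedded in JS and parsed with DOMParser inherits the frame's origin, so its same-origin xsl:import works (the case Martin says he would expect), and a network-loaded child that is redirected to another host comes back with that host's origin, after which it can no longer load from the original host under these rules.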