GSerg

Reputation: 78190

XML in a frame does not load XSLT - whose problem is this, Chrome, Firefox or mine?

I have a very basic ASP.NET MVC 5 application, hosted on an intranet server, where one of the pages has an iframe to display a document:

<div class="document-view-container">
    ...
    <iframe class="document-frame" src="@Url.Action("GetDocumentImage", "Imaging", ...)" ></iframe>   
    ...
</div>

The returned document is sometimes a PDF served as application/pdf, sometimes a piece of text served as text/plain, and sometimes an XML served as text/xml.

The GetDocumentImage method retrieves the document contents from a database and returns it using File:

return File(doc.document.ToArray(), doc.mime_type);

When the document happens to be an XML, it often includes a reference to a stylesheet with which it should be viewed:

<?xml-stylesheet type="text/xsl" href="//server.local/folder/content/grn.xslt"?>
<document>
   ...
</document>

Sometimes that stylesheet comes from the same subdomain as what the @Url.Action() returns (i.e. same origin with the iframe), but sometimes it does not.

When it does not, the stylesheet is successfully loaded and used in Firefox, but Chrome refuses to load the stylesheet and displays an error in the console:

Unsafe attempt to load URL http://server.local/folder/content/grn.xslt from frame with URL http://documents.server/imaging/GetDocumentImage/52855. Domains, protocols and ports must match.

This is a known problem, but my understanding was that it only applies to local files, not to files served from a server, and one of the solutions is specifically to host the files on a server. Besides, it works in Firefox.

What is the source of this problem?

What is the proper way to fix it?

Upvotes: 1

Views: 548

Answers (1)

Martin Honnen

Reputation: 167716

I think there are different policies: in Firefox you are able to request the stylesheet, as Firefox uses CORS (https://www.w3.org/wiki/CORS#xml-stylesheet_processing_instruction_.28XMLSS.29) on xml-stylesheet based requests, while Chrome does not apply CORS on such requests, nor does Safari/WebKit (https://bugs.webkit.org/show_bug.cgi?id=110880).

So the latter block the attempt; the former only fulfills it as it uses CORS for the request and your app on http://documents.server/ is set up to allow requests to anyone by answering with access-control-allow-origin: *. If http://documents.server/ did not do that, then the cross-origin loading would fail even in Firefox.

Upvotes: 2
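
The condition in Chrome's message ("Domains, protocols and ports must match") can be checked ahead of time for stored documents. The following is an added example, not part of the original question or answer: it extracts the href of each xml-stylesheet processing instruction, resolves it against the frame URL, and compares origins. The function names and sample documents are constructed; the URLs are the ones quoted in the question.

```javascript
// Added example: function names and sample documents are constructed.

// Collect the pseudo-attributes (type="..." href="...") of every
// <?xml-stylesheet ...?> processing instruction. This is a text scan, not
// an XML parser: it does not skip comments/CDATA or decode entities in href.
function findStylesheetPIs(xml) {
  const pis = [];
  const piRe = /<\?xml-stylesheet\s+([\s\S]*?)\?>/g;
  const attrRe = /([A-Za-z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let pi;
  while ((pi = piRe.exec(xml)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(pi[1])) !== null) {
      attrs[a[1]] = a[2] !== undefined ? a[2] : a[3];
    }
    if (attrs.href) pis.push(attrs);
  }
  return pis;
}

// Resolve each href against the URL the frame was loaded from and compare
// origins (scheme, host, port), the condition named in Chrome's message.
function checkStylesheets(xml, frameUrl) {
  const frame = new URL(frameUrl);
  return findStylesheetPIs(xml).map((attrs) => {
    // new URL(href, base) handles //host/path, /path and relative hrefs.
    const target = new URL(attrs.href, frame);
    return { href: target.href, sameOrigin: target.origin === frame.origin };
  });
}

// Constructed sample documents using the URLs quoted in the question.
const frameUrl = "http://documents.server/imaging/GetDocumentImage/52855";
const crossOriginDoc =
  '<?xml-stylesheet type="text/xsl" href="//server.local/folder/content/grn.xslt"?>\n<document/>';
const sameOriginDoc =
  "<?xml-stylesheet type='text/xsl' href='/content/grn.xslt'?>\n<document/>";

for (const doc of [crossOriginDoc, sameOriginDoc]) {
  for (const r of checkStylesheets(doc, frameUrl)) {
    console.log(r.sameOrigin ? "same-origin: " : "cross-origin:", r.href);
  }
}
```

Documents reported as cross-origin are the ones Chrome refuses to style, and the ones that depend on the stylesheet host's CORS response in Firefox.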
