Solved

remote xsl security problem

Posted on 2004-09-14
Last Modified: 2011-10-03
Using MSIE 6.0; WinXP SP1; MSXML3 (3/19/04)

I am trying to display an XML page with an embedded style sheet.  Meaning with the statements:

<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl"?>

A) From my local machine (at philh.staff.astrology.com), I get a security warning dialog box that says:

Internet Explorer
This page is accessing information that is not under its
control. This poses a security risk. Do you want to continue?
Yes / No

If I click Yes, the XML page renders properly.  I get no further warnings (for other XML pages) during the same session.

B) From a remote machine (at saturn.staff.astrology.com), I get the following error message and cannot continue.

The XML page cannot be displayed
Cannot view XML input using XSL style sheet.
Please correct the error and then click the Refresh button, or try again later.
--------------------------------------------------------------------------------
Access is denied. Error processing resource 'http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl'.


I can live with the warning dialog (but would prefer not to) but I need to overcome the error message.

Thank you,
Phil Henningsen

Question by:PHenningsen
LVL 6

Expert Comment

by:zulu_11
The problem is one of security. When you access the file from your remote location *saturn.staff.astrology.com*, the XML has the instruction to use the XSL from *http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl*. Now, I'm very sure that this is not accessible to the PUBLIC as such, so when the system makes a request to this file it gets a security access failure, and hence the error.

One workaround could be that you place the XSL file locally on the remote machine, in a place where the PUBLIC can access the XSL file, or you can give the permission to the file from your system. The choice is yours.

Zulu
LVL 6

Expert Comment

by:zulu_11
I was going through other questions and came across this Question

http://www.experts-exchange.com/Web/Web_Languages/XML/Q_21107281.html

I think this may be another workaround for your problem.

Zulu

Author Comment

by:PHenningsen
A) I do NOT want to distribute the XSL to each local machine.  I want ONE shared XSL.  You said "you can give the permission to the file from your system".  OK.  HOW???  Please be specific.  I have tried....

B) Re your 2nd comment:  Mike Sharp ends with "I would suggest server-side transformation."  OK  HOW???  Please be specific.

Phil
LVL 26

Expert Comment

by:rdcpro
Server-side transformation means that the XML/XSLT transformation is done on the server, and HTML is sent to the client.  This allows all browsers to be supported.  Also, it allows you to cache pre-compiled XSLT, set parameters on the server prior to transformation, and other nice things.  Exactly how would depend on your server platform.

The cross-domain data access issue you're having can be resolved one of several ways.

1.  Place the XSLT in a central location on your server, and use redirection or server-side aggregation to make it appear to be served from whatever domain the request is executing from.  So, if you're looking at an XML document served over HTTP from philh.staff.astrology.com, there is some server-side code that retrieves the XSLT from wherever it's stored and serves it to the client.  The exact method depends on platform, but this is how RSS news aggregation works.  Your server uses HTTP to get a copy of the resource, caches it locally, and uses the copy whenever necessary.  Or maybe you don't cache it, but live with the latency of client requests from Server A, who requests from Server B, who responds to Server A, who responds to the Client.

2. place your XSLT on a site in the intranet that is "trusted".  You can instruct IE to add the trusted site manually (Tools > Internet Options > Security > Trusted Sites > Sites...add to trusted sites) or if you're in a windows domain, you can set a domain security policy that does this.

3.  Use server-side transformation.  Exactly how depends on the platform, but let's say for example it's ASP.  This example shows how to cache the pre-compiled XSLT for optimum performance:

http://rdcpro.com/Members/rdcpro/snippets/cachingtemplates/

The transformation sends the HTML result directly to the client.  

4. Embed the XSLT in the XML, according to my suggestions in

http://www.experts-exchange.com/Web/Web_Languages/XML/Q_21107281.html

Personally, I think server-side transformation is the simplest...especially when the application must be cross-browser.

Regards,
Mike Sharp
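As an added example (not code from the thread, and not Mike Sharp's snippet), here is option 3, server-side transformation, done on the Windows-centric servers the question describes, using PowerShell and .NET's System.Xml.Xsl.XslCompiledTransform instead of the MSXML COM objects. The XML document and stylesheet are constructed stand-ins for the gal_ydf files; the element names and the function name Invoke-ServerSideTransform are assumptions.

```powershell
# Added example: server-side XSLT on Windows with .NET XslCompiledTransform.
# The browser receives finished HTML, so no <?xml-stylesheet?> instruction
# pointing at another host is ever sent and there is nothing for IE's
# cross-domain data-access check to refuse.

# Constructed sample XML (stands in for the gal_ydf XML document).
$xml = @'
<?xml version="1.0"?>
<horoscope>
  <sign>Aries</sign>
  <text>Sample forecast text.</text>
</horoscope>
'@

# Constructed sample stylesheet (stands in for gal_ydf_1.xsl).
$xsl = @'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html" indent="yes"/>
  <xsl:template match="/horoscope">
    <html><body>
      <h1><xsl:value-of select="sign"/></h1>
      <p><xsl:value-of select="text"/></p>
    </body></html>
  </xsl:template>
</xsl:stylesheet>
'@

function Invoke-ServerSideTransform {
    param(
        [Parameter(Mandatory)][string]$XmlText,
        [Parameter(Mandatory)][string]$XslText
    )
    # Load(XmlReader) compiles the stylesheet under XsltSettings.Default:
    # the document() function and embedded script blocks stay disabled,
    # which is the safe default when a stylesheet is fetched from another host.
    $xslt = New-Object System.Xml.Xsl.XslCompiledTransform
    $xslReader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader -ArgumentList $XslText))
    $xslt.Load($xslReader)

    # Transform into a string. An IIS/ASP handler (or the Delphi web server
    # mentioned later in the thread) would write this string to the response.
    $xmlReader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader -ArgumentList $XmlText))
    $xsltArgs = New-Object System.Xml.Xsl.XsltArgumentList   # parameters can be added here before transforming
    $out = New-Object System.IO.StringWriter
    $xslt.Transform($xmlReader, $xsltArgs, $out)
    return $out.ToString()
}

$html = Invoke-ServerSideTransform -XmlText $xml -XslText $xsl
$html
```

Run it in Windows PowerShell and it prints the rendered HTML. Reusing one loaded XslCompiledTransform across requests gives the "cache the pre-compiled XSLT" benefit described above; keep the stylesheet itself on a path only the server can write to, since anything that can alter it controls the markup every client receives.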
LVL 26

Expert Comment

by:rdcpro
By the way, the issue isn't because the location at http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl isn't accessible to the public, but that a resource loaded from Domain A cannot access resources in Domain B.  This is called Cross-domain Data Access; it's a security risk and you can set your IE security settings to various values that either disable it, prompt before allowing, or basically allow it.  You should only allow cross domain data access to sites you trust, so don't ever set  the Internet zone to "allow".  

Regards,
Mike Sharp
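To see what the "Access data sources across domains" setting is actually set to per zone before touching the Custom Level dialog, here is an added audit script (not from the thread). It reads the documented IE security-zone registry keys; action 1406 is the cross-domain data-access setting, and the zone numbers and value meanings are Microsoft's documented ones. The function name Get-CrossDomainDataSetting is an assumption.

```powershell
# Added example: audit the per-zone IE "Access data sources across domains"
# setting (action 1406) and flag the one combination the reply warns against,
# the Internet zone set to Enable.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ActionValues = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$CrossDomainDataAction = '1406'   # "Access data sources across domains"

function Get-CrossDomainDataSetting {
    # Per-user settings live under HKCU; pass -Hive HKLM when the
    # Security_HKLM_only policy makes the machine-wide keys authoritative.
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')

    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    foreach ($zone in 0..4) {
        $key = Join-Path $base $zone
        $raw = $null
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -Name $CrossDomainDataAction -ErrorAction SilentlyContinue).$CrossDomainDataAction
        }
        $label = if ($null -eq $raw) { 'not set' }
                 elseif ($ActionValues.ContainsKey([int]$raw)) { $ActionValues[[int]$raw] }
                 else { "unknown ($raw)" }

        [pscustomobject]@{
            Zone    = $ZoneNames[$zone]
            Setting = $label
            # Only the Internet zone on Enable is flagged; Trusted sites is where
            # a deliberately trusted stylesheet host is supposed to go.
            Risky   = ($zone -eq 3 -and $raw -eq 0)
        }
    }
}

Get-CrossDomainDataSetting | Format-Table -AutoSize
```

A "not set" result means the zone is still on its template default for that action. If the Internet zone shows Enable, any page from any site can pull data from any other host without a prompt, which is exactly the exposure the reply above says to avoid.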

Author Comment

by:PHenningsen
1. I would prefer to do server-side transformation....  However, I am working with totally Windows-centric, non-Java servers.  Is there a way in that environment?

2. Re cross-domain data access.  The XSL *is* in a central & trusted (by my definition) location.  I just can't get IE to trust it.  From my machine (philh.staff.astrology.com), under Internet Options > Security > Trusted Sites, I have added both "thor8.blue.astrology.com" and "http:thor8.blue.astrology.com".  My "reward" is the ERROR message
  The XML page cannot be displayed
  Cannot view XML input using XSL style sheet.
  Please correct the error and then click the Refresh button, or try again later.
  --------------------------------------------------------------------------------
  Access is denied. Error processing resource 'http://thor8.blue.astrology.com/g3/xsl/gal_ydf_1.xsl'.

If I Remove *everyone* from Trusted sites, I get the WARNING message
  Internet Explorer
  This page is accessing information that is not under its
  control. This poses a security risk. Do you want to continue?
  Yes / No

If I click Yes, the XML page renders properly.  I get no further warnings (for other XML pages) during the same session.

Under Internet Options > Security "Custom Level..." most options are Enabled, a couple are Prompt and nothing is Disabled.  This goes for the first three zones.  And there are no Restricted sites.

[ Again: Using MSIE 6.0; WinXP SP1; MSXML3 (3/19/04) ]

Thanks for your help,
Phil Henningsen
LVL 26

Expert Comment

by:rdcpro
Oh, well if it's windows centric, server side transformation is no problem, and is by far the preferable approach IMHO.

Is the server ASP.NET or ASP?  Windows 2000 or Windows 2003?  

Regards,
Mike Sharp

Author Comment

by:PHenningsen
Server OSs are Win2K, although I run WinXP on "my" machine.
IIS is 5.?  (5.0 on Win2K, 5.5 on WinXP... is that about right?)
We have steered away from ASP (I don't know the diff between ASP and ASP.NET)
Most local programming is done in Delphi.
LVL 26

Expert Comment

by:rdcpro
Oh, I thought you were running this as a "web site".  You are doing this as a windows application?  Your Delphi application is acting as a web server?

I'm not really conversant in Delphi, but you can use (as far as I know) the same COM objects.  The simplest transform would be (using Javascript on the server, meaning in an application and not in the browser):

var xmlDoc = new ActiveXObject("Msxml2.DOMDocument");
xmlDoc.async = false;                                // load synchronously so the document is complete before transforming
xmlDoc.load("file system path to XML document");
var xslDoc = new ActiveXObject("Msxml2.DOMDocument");
xslDoc.async = false;
xslDoc.load("file system path to XSL document");    // the stylesheet, not a second copy of the XML

var OutputString = xmlDoc.transformNode(xslDoc);     // returns the transformed result as a string

then you write the string where ever you want.  Using the XSLTemplate processor is better, though, and allows you to set parameters and transform to streams.  But you can transform to a stream with:

xmlDoc.transformNodeToObject(xslDoc, OutputStream);  // second argument is the target: an IStream or a DOMDocument

Now, there might be another possibility, given your unusual situation.  I wouldn't ordinarily recommend this, because it's not practical for delivery over the internet, but you can use HTML Applications.  These run with elevated security permissions, and they're basically an HTML page with an *.hta extension.  You ordinarily load them from your filesystem or a network share, but they can be delivered from a web server, except there is a security warning.  For an example of how to do client-side transformations across domains like this, visit my web site at:

http://rdcpro.com/Members/rdcpro/tools

and download the HTA version of my transformation tool, called transformToolSave.zip.  

This runs in client side javascript, and you can do some pretty fancy stuff this way on the client.

Regards,
Mike Sharp

Author Comment

by:PHenningsen
Yes, my final target is a Delphi application, part of which acts as a web server.  (Delphi has a TWebBrowser component that wraps the IWebBrowser2 interface from Microsoft’s SHDOCVW.DLL)

However, the same problem exists using MSIE directly to display the XML file.

It's going to take me a bit to digest your last posting.

Meanwhile, back to cross-domain data access, how do I set the Security properties to eliminate the Error message?

TIA,
Phil
LVL 26

Accepted Solution

by:rdcpro (earned 500 total points)
That error message sounds like an authentication or authorization issue, from the server side.  If you download that tool I mentioned, you should be able to see the response code...I'm betting you get a 401.1, 401.2 or 401.3 or something.  If the tool doesn't show you the code, you can use the xmlHttp.getAllResponseHeaders method and pop an alert to display them in the browser.  You can also pop up the xmlHttp.responseText, or look directly at the status code.  For example, add an alert:

alert(xmlHttp.status + "\r\n" + xmlHttp.statusText)


When a site is trusted, I believe IE will present a hash of your credentials, but other than that it shouldn't be any different than if the site was not trusted.  It sounds like something at the server is refusing to honor the request in this instance.  Are you authenticated in an Active Directory domain?

Regards,
Mike Sharp
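The same check the accepted answer describes with xmlHttp (read the status code and response headers of the stylesheet request), as an added example not from the thread: a PowerShell function that fetches the stylesheet URL with and without the logged-on user's Windows credentials and reports what the stylesheet host answers. It is written for Windows PowerShell 5.1, where a 4xx response surfaces as a WebException whose Response carries the status; the function name Test-StylesheetFetch and the sample URL below are assumptions.

```powershell
# Added example: report the HTTP status, reason and auth challenge returned by
# the host serving the stylesheet, so a server-side 401/403 can be told apart
# from a refusal made by the browser's own cross-domain policy.
function Test-StylesheetFetch {
    param(
        [Parameter(Mandatory)][string]$Url,
        [switch]$Anonymous    # omit the logged-on user's Windows credentials
    )
    $params = @{ Uri = $Url; UseBasicParsing = $true }
    if (-not $Anonymous) {
        # IE presents the current Windows credentials to intranet/trusted hosts;
        # -UseDefaultCredentials reproduces that behaviour.
        $params['UseDefaultCredentials'] = $true
    }
    try {
        $r = Invoke-WebRequest @params
        $status = [int]$r.StatusCode
        $reason = $r.StatusDescription
        $headers = $r.Headers
    } catch {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }   # DNS or connection failure: no HTTP status to report
        $status = [int]$resp.StatusCode
        $reason = $resp.StatusDescription
        $headers = $resp.Headers
    }
    [pscustomobject]@{
        Url           = $Url
        Credentials   = if ($Anonymous) { 'none' } else { 'Windows (default)' }
        Status        = $status
        Reason        = $reason
        AuthChallenge = $headers['WWW-Authenticate']   # which scheme the server demands, if any
        ContentType   = $headers['Content-Type']
    }
}

# Constructed sample URL; replace with the stylesheet address from the question.
$stylesheet = 'http://stylesheet-host.example/xsl/style.xsl'
Test-StylesheetFetch -Url $stylesheet
Test-StylesheetFetch -Url $stylesheet -Anonymous
```

Reading the two results together: a 401 on the anonymous request and a 200 with Windows credentials means the stylesheet host is demanding authentication that the XML page's request is not carrying; a 200 on both while IE still reports "Access is denied" points at the browser's cross-domain data-access setting for the zone the XML page lives in, not at the server.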

Author Comment

by:PHenningsen
It's a nifty tool.  I'll have to play with it more in the future.

Meanwhile, I have apparently Enabled the applicable Security Setting (what a "zoo" that is) so I no longer get an Error.

Thanks very much for your help!

Expert Comment

by:cyric_74
PHenningsen,

You say you enabled the security setting you needed to get this working..  What was it!?!
I'm going through that same grief right now.
