I'm aware of the Same-Origin policy issues of serving content that references content on another server. However, I found CORS (Cross-Origin Resource Sharing) and was hoping it would do what I want. I haven't yet had any luck mainly because I don't fully understand it. I'm also having a hard time finding examples of CORS and XML/XSLT.
Here is what I have done:
1. Added the following to my web.config
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
2. Created the following XML file called hello.xml
and uploaded it to scott.host/
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="http://scott.host/hello.xsl"?>
<hello-world> <greeter>An XSLT Programmer</greeter> <greeting>Hello, World!</greeting></hello-world>
3. Created the following XSL file called hello.xsl
and uploaded it to another domain (same server)
<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/hello-world">
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY>
<H1>
<xsl:value-of select="greeting"/>
</H1>
<xsl:apply-templates select="greeter"/>
</BODY>
</HTML>
</xsl:template>
<xsl:template match="greeter">
<DIV>from <I><xsl:value-of select="."/></I></DIV>
</xsl:template>
</xsl:stylesheet>
When I access http://scott.host/hello.xml
it displays properly, with the transform, as expected. However, when I access http://otherdomain/hello.xml
I get the Request for cross-domain XSLT was denied
error.
Am I doing something wrong?
Note: I have disabled the Access-Control-Allow-Origin
entry in my webconfig after posting this.
References:
As far as I have tested, the support depends on the browser, Mozilla browsers do support it, as with http://home.versanet.de/~martin-honnen/xslt/test2015070201.xml the stylesheet from http://home.arcor.de/martin.honnen/cdtest/test2015070201.xsl is applied by Firefox, while IE (tested with IE 11) says
Die Anforderung für domänenübergreifendes XSLT wurde verweigert." ("The request for a cross-domain XSLT was refused")
and Chrome also gives a similar error
Unsafe attempt to load URL http://home.arcor.de/martin.honnen/cdtest/test2015070201.xsl from frame with URL http://home.versanet.de/~martin-honnen/xslt/test2015070201.xml. Domains, protocols and ports must match.