xml xslt cors same-origin-policy

Can I use CORS to view an XML file that references an XSLT on a remote server?


I'm aware of the Same-Origin policy issues of serving content that references content on another server. However, I found CORS (Cross-Origin Resource Sharing) and was hoping it would do what I want. I haven't yet had any luck mainly because I don't fully understand it. I'm also having a hard time finding examples of CORS and XML/XSLT.

Here is what I have done:

1. Added the following to my web.config

  <httpProtocol>
   <customHeaders>
     <add name="Access-Control-Allow-Origin" value="*" />
   </customHeaders>
  </httpProtocol>

2. Created the following XML file called hello.xml and uploaded it to scott.host/

 <?xml version="1.0"?>
 <?xml-stylesheet type="text/xsl" href="http://scott.host/hello.xsl"?>
 <hello-world>
   <greeter>An XSLT Programmer</greeter>
   <greeting>Hello, World!</greeting>
 </hello-world>

3. Created the following XSL file called hello.xsl and uploaded it to another domain (same server)

 <?xml version="1.0"?>
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
   <xsl:template match="/hello-world">
     <HTML>
       <HEAD>
         <TITLE></TITLE>
       </HEAD>
       <BODY>
         <H1>
           <xsl:value-of select="greeting"/>
         </H1>
         <xsl:apply-templates select="greeter"/>
       </BODY>
     </HTML>
   </xsl:template>
   <xsl:template match="greeter">
     <DIV>from <I><xsl:value-of select="."/></I></DIV>
   </xsl:template>
 </xsl:stylesheet>

When I access http://scott.host/hello.xml it displays properly, with the transform, as expected. However, when I access http://otherdomain/hello.xml I get the "Request for cross-domain XSLT was denied" error.

Am I doing something wrong?

Note: I have disabled the Access-Control-Allow-Origin entry in my web.config after posting this.


Solution

  • As far as I have tested, the support depends on the browser. Mozilla browsers do support it: with http://home.versanet.de/~martin-honnen/xslt/test2015070201.xml, the stylesheet from http://home.arcor.de/martin.honnen/cdtest/test2015070201.xsl is applied by Firefox, while IE (tested with IE 11) says

    "Die Anforderung für domänenübergreifendes XSLT wurde verweigert." ("The request for a cross-domain XSLT was refused")

    and Chrome also gives a similar error

    Unsafe attempt to load URL http://home.arcor.de/martin.honnen/cdtest/test2015070201.xsl from frame with URL http://home.versanet.de/~martin-honnen/xslt/test2015070201.xml. Domains, protocols and ports must match.
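
The rule in Chrome's message quoted in the answer ("Domains, protocols and ports must match"), as an added JavaScript example that is not part of the original question or answer: it extracts the xml-stylesheet reference from the question's hello.xml and compares its origin with the URL the document is served from. The function names are hypothetical, and it models only the same-origin comparison, not any browser's actual loader.

```javascript
// Added example: models the rule stated in Chrome's error message
// ("Domains, protocols and ports must match"). Function names are hypothetical.

// hello.xml from the question (content copied from the post).
const HELLO_XML = `<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="http://scott.host/hello.xsl"?>
<hello-world><greeter>An XSLT Programmer</greeter><greeting>Hello, World!</greeting></hello-world>`;

// Parse the pseudo-attributes (type, href, ...) of every xml-stylesheet PI.
function stylesheetPIs(xmlText) {
  const piRe = /<\?xml-stylesheet\s+([\s\S]*?)\?>/g;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  return [...xmlText.matchAll(piRe)].map((pi) => {
    const attrs = {};
    for (const a of pi[1].matchAll(attrRe)) attrs[a[1]] = a[2] ?? a[3];
    return attrs;
  });
}

// Resolve each XSLT href against the URL the document is served from and
// compare origins (scheme + host + port; URL normalises default ports).
function checkXsltOrigins(docUrl, xmlText) {
  const docOrigin = new URL(docUrl).origin;
  return stylesheetPIs(xmlText)
    .filter((a) => a.href && /xsl/i.test(a.type || ""))
    .map((a) => {
      const resolved = new URL(a.href, docUrl);
      return { href: resolved.href, sameOrigin: resolved.origin === docOrigin };
    });
}

// The first two URLs are the ones the question tried; the last two are
// constructed to show that scheme and port count as well as the host name.
for (const url of [
  "http://scott.host/hello.xml",
  "http://otherdomain/hello.xml",
  "https://scott.host/hello.xml",
  "http://scott.host:8080/hello.xml",
]) {
  const [ref] = checkXsltOrigins(url, HELLO_XML);
  console.log(url, "->", ref.href, ref.sameOrigin ? "same origin" : "cross-origin");
}
```

A relative `href` (for example `hello.xsl`) always resolves to the document's own origin, so the same file then passes this check from whichever host serves it, provided the stylesheet is deployed alongside it.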