About a decade ago, you could open an XML file locally with IE8, and when that XML file contained an XSLT stylesheet reference:
<?xml-stylesheet href="https://trusted.org/stylesheet.xsl"?>
but then over a few years this stopped working for all browsers. There is an obvious security concern, same-origin policy, and Chrome (and probably by now other browsers) does not even allow a local file: stylesheet reference, even if it is from the exact same directory.
I understand why there may be risks, but I don't understand why XSLT in particular poses such risks, as the XSLT 1.0 implemented on browsers cannot even do anything malicious. OTOH, I can source JavaScript scripts from local files just fine, and if I'd be concerned about anything it would be JavaScript doing malicious things, not XSLT!
I think the solution was way too harsh and not even-handedly applied. There should be a way for the user to configure trusted URLs, at least trusted HTTPS URLs, from where such stylesheets may be loaded. If not, the entire stylesheet feature is essentially killed off.
What is the current status of this? And why is nobody addressing this? Nobody but me seems to even complain or recognize the irony that XSLT is so totally blocked while JavaScript is open? It seems as if it is an act of ignorance or even a deliberate attempt to kill XSLT functionality from existence.
I know there are some workarounds, like starting Chrome with some special command-line option which essentially turns off all such security. But that's just more nonsense in the design of this all, if you make a system unusable for purported security concerns and then give only one way to overcome this by turning off all security guards. Makes no sense.
Comments? Solutions?
UPDATE: there seems to be some Windows / Internet Explorer specific way to configure the stylesheet URL as a trusted site, because I heard that it works for someone using a higher version of IE. But I don't know what exact settings they are using. Would be great to hear from someone who has that particular scenario figured out.
question from:
https://stackoverflow.com/questions/65885895/is-there-really-no-way-with-any-modern-browser-to-apply-a-remote-xslt-stylesheet