XSL无法在Google Chrome中使用 [英] XSL not working in Google Chrome

问题描述

我已经看到很多关于这个的帖子......但是我不能在我的生活中找出我的问题是什么！当我尝试使用XSL转换XML时，Google Chrome只显示一个空白页面。当我查看源代码时，我看到了原始XML。 IE有效。

我有一个看起来像这样的XML文档...

 <？xml version =1.0encoding =ISO-8859-1？> 
<？xml-stylesheet type =text / xslhref =http：//localhost/xsl/listXSL.php？> 
< links> 
< link id =1name =Google Home Pageurl =http://www.google.com/clicks =0/> 
< link id =2name =Facebookurl =http://www.facebook.com/clicks =1/> 
< link id =3name =Gmailurl =http://gmail.comclicks =2/> 
< / links> 
  

...然后是链接的XSL文件，看起来像这样...

 <？xml version =1.0encoding =ISO-8859-1？> 
< xsl：stylesheet version =1.0xmlns：xsl =http://www.w3.org/1999/XSL/Transform> 
< xsl：template match =/> 
< xsl：for-each select =links / link> 
< a> 
< xsl：attribute name =href> 
< xsl：value-of select =@ url/> 
< / xsl：attribute> 
< xsl：value-of select =@ name/> 
< / a>< br /> 
< / xsl：for-each> 
< / xsl：template> 
< / xsl：stylesheet> 
  

您可能注意到XSL文件实际上是一个PHP文件，但在其他浏览器中可以正常工作，我试着将它改为Chrome的.xsl，但它没有帮助。我在这里做错了什么？

解决方案

原因不起作用是由于Chrome已解决的安全问题以有争议的方式 ^{[1] [2] [3] [4]} ，通过阻止XML文件访问同一目录中的本地XSLT文件，而HTML文件可以访问同一目录中的.CSS文件。

Chrome团队在2008年此：

---

想象一下这种情况：

1. 您收到来自包含网页作为附件的攻击者的电子邮件，其中y ou download。




2. 您在浏览器中打开即时本地网页。 >本地网页创建的来源为 https://mail.google.com/mail/ 。




3. 因为您已登录到Gmail，框架会将邮件加载到收件箱中。

本地网页通过使用JavaScript访问帧[0​​] .document.documentElement.innerHTML来读取帧的内容。 （互联网网页无法执行此步骤，因为它来自非Gmail原始网址;同源策略会导致读取失败。）


4. 本地网页将收件箱中的内容放入a中，并通过表单POST将数据提交给攻击者的Web服务器。现在，攻击者拥有自己的收件箱，这可能对发送垃圾邮件或识别盗窃有用。

以防御这种攻击。




---





我同意这很烦人，作为一个解决方案，你有两个解决方案： / p>






1. 尝试使用运行chrome - 允许文件访问文件 switch（我没有自己测试过）

>





I've seen plenty of posts all around about this... but I can not, for the life of me, figure out what my problem is! Google Chrome just displays a blank page when I try to transform XML with XSL. When I view source, I see the raw XML. IE works.

I have an XML document that looks like this...

<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="http://localhost/xsl/listXSL.php"?>
<links>
  <link id="1" name="Google Home Page" url="http://www.google.com/" clicks="0" />
  <link id="2" name="Facebook" url="http://www.facebook.com/" clicks="1" />
  <link id="3" name="Gmail" url="http://gmail.com" clicks="2" />
</links>

... and then the linked XSL file which looks like this...

<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <xsl:for-each select="links/link">
    <a>
        <xsl:attribute name="href">
            <xsl:value-of select="@url" />
        </xsl:attribute>
        <xsl:value-of select="@name" />
    </a><br />
  </xsl:for-each>
</xsl:template>
</xsl:stylesheet>

You might notice that the XSL file is actually a PHP file, but this works fine in other browsers and I've tried changing it to .xsl for Chrome, but it doesn't help. What I'm doing wrong here?

解决方案

The reason this doesn't work is due to a security concern that Chrome has addressed in a controversial way^[1][2][3][4], by blocking XML files from accessing local XSLT files in the same directory, while HTML files can access .CSS files in the same directory just fine.

The justification given by the Chrome team in 2008 was this:

---

Imagine this scenario:

1. You receive an email message from an attacker containing a web page as an attachment, which you download.

2. You open the now-local web page in your browser.

3. The local web page creates an whose source is https://mail.google.com/mail/.

4. Because you are logged in to Gmail, the frame loads the messages in your inbox.

5. The local web page reads the contents of the frame by using JavaScript to access frames[0].document.documentElement.innerHTML. (An Internet web page would not be able to perform this step because it would come from a non-Gmail origin; the same-origin policy would cause the read to fail.)

6. The local web page places the contents of your inbox into a and submits the data via a form POST to the attacker's web server. Now the attacker has your inbox, which may be useful for spamming or identify theft.

There is nothing Gmail can do to defend itself from this attack.

---

I do agree it's annoying, as a fix you've got 2 solutions:

1. Try running chrome with the --allow-file-access-from-files switch (I've not tested this myself)

2. Upload it to a host, and everything will be fine.

这篇关于XSL无法在Google Chrome中使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！