Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
733 views
in Technique[技术] by (71.8m points)

xml - XSL not working in Google Chrome

I've seen plenty of posts all around about this... but I cannot, for the life of me, figure out what my problem is! Google Chrome just displays a blank page when I try to transform XML with XSL. When I view source, I see the raw XML. IE works.

I have an XML document that looks like this...

<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="http://localhost/xsl/listXSL.php"?>
<links>
  <link id="1" name="Google Home Page" url="http://www.google.com/" clicks="0" />
  <link id="2" name="Facebook" url="http://www.facebook.com/" clicks="1" />
  <link id="3" name="Gmail" url="http://gmail.com" clicks="2" />
</links>

... and then the linked XSL file which looks like this...

<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <xsl:for-each select="links/link">
    <a>
        <xsl:attribute name="href">
            <xsl:value-of select="@url" />
        </xsl:attribute>
        <xsl:value-of select="@name" />
    </a><br />
  </xsl:for-each>
</xsl:template>
</xsl:stylesheet>

You might notice that the XSL file is actually a PHP file, but this works fine in other browsers and I've tried changing it to .xsl for Chrome, but it doesn't help. What am I doing wrong here?


1 Answer

0 votes
by (71.8m points)

The reason this doesn't work is due to a security concern that Chrome has addressed in a controversial way[1][2][3][4], by blocking XML files from accessing local XSLT files in the same directory, while HTML files can access .CSS files in the same directory just fine.

The justification given by the Chrome team in 2008 was this:


Imagine this scenario:

  1. You receive an email message from an attacker containing a web page as an attachment, which you download.

  2. You open the now-local web page in your browser.

  3. The local web page creates an <iframe> whose source is https://mail.google.com/mail/.

  4. Because you are logged in to Gmail, the frame loads the messages in your inbox.

  5. The local web page reads the contents of the frame by using JavaScript to access frames[0].document.documentElement.innerHTML. (An Internet web page would not be able to perform this step because it would come from a non-Gmail origin; the same-origin policy would cause the read to fail.)

  6. The local web page places the contents of your inbox into a <textarea> and submits the data via a form POST to the attacker's web server. Now the attacker has your inbox, which may be useful for spamming or identity theft.

There is nothing Gmail can do to defend itself from this attack.


I do agree it's annoying. As a fix, you've got 2 solutions:

  1. Try running Chrome with the --allow-file-access-from-files switch (I've not tested this myself)

  2. Upload it to a host, and everything will be fine.
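
The second fix in the answer above, done locally, as an added example that is not part of the original answer: a loopback-only Python server that delivers the XML and its stylesheet from one http origin, plus a check that every xml-stylesheet href stays on the document's own origin. The file names, sample documents and function names are assumptions made for the illustration.

```python
import functools
import http.server
import pathlib
import re
import tempfile
import threading
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed samples; the relative href keeps the XSL on the XML's own origin.
SAMPLE_XML = ('<?xml version="1.0"?>\n<?xml-stylesheet type="text/xsl" href="list.xsl"?>\n'
              '<links><link name="Gmail" url="http://gmail.com"/></links>\n')
SAMPLE_XSL = ('<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
              '<xsl:template match="/"><html><body><xsl:for-each select="links/link">'
              '<a href="{@url}"><xsl:value-of select="@name"/></a><br/>'
              '</xsl:for-each></body></html></xsl:template></xsl:stylesheet>\n')

class XsltHandler(http.server.SimpleHTTPRequestHandler):
    # Send explicit XML media types instead of relying on the host's MIME table.
    extensions_map = {**http.server.SimpleHTTPRequestHandler.extensions_map,
                      ".xml": "application/xml", ".xsl": "text/xsl"}

def stylesheet_same_origin(doc_url, xml_text):
    """True if every xml-stylesheet href stays on the document's http(s) origin."""
    hrefs = re.findall(r'<\?xml-stylesheet[^>]*href="([^"]+)"', xml_text)
    doc = urlsplit(doc_url)  # doc[:2] is (scheme, host:port); file: never passes
    return doc.scheme in ("http", "https") and bool(hrefs) and all(
        urlsplit(urljoin(doc_url, h))[:2] == doc[:2] for h in hrefs)

def serve(directory, port=0):
    """Start a loopback-only server for `directory`; port 0 picks a free port."""
    handler = functools.partial(XsltHandler, directory=str(directory))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    """Serve the samples and return the media type each file is sent with."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with tempfile.TemporaryDirectory() as tmp:
        pathlib.Path(tmp, "links.xml").write_text(SAMPLE_XML)
        pathlib.Path(tmp, "list.xsl").write_text(SAMPLE_XSL)
        server = serve(tmp)
        base = "http://127.0.0.1:%d/" % server.server_address[1]
        try:
            return {name: opener.open(base + name).headers.get_content_type()
                    for name in ("links.xml", "list.xsl")}
        finally:
            server.shutdown()
            server.server_close()
```

From an interactive Python session, `serve("path/to/files", 8000)` keeps the server running so the document can be opened at http://127.0.0.1:8000/links.xml, with no need for the --allow-file-access-from-files switch.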

