Security model for XSL stylesheets and transformations
Draft 1
2007-10-03 / jl@opera.com


* Description of the problem

XSL stylesheets can be linked into arbitrary documents, and can in
turn import/include other stylesheets during the stylesheet parsing
stage and load external XML resources during the transformation stage,
using the document() function.

Stylesheet linking and import/include is not very different from what
is possible (without particular security checks) using other style
languages, such as CSS, but it is likely easier to extract information
in an imported XSL stylesheet from importing stylesheet, and in either
case, all information that results from the transformation is
available through regular DOM API:s for scripts running in the
document's URI, regardless of stylesheet URI:s.

Resource loading using the document() function, on the other hand, is
essentially equivalent to DOM 3 Load/XMLHttpRequest in usability, with
the only limitation being that unlike XMLHttpRequest, document() can
only be used to fetch resources that are well-formed XML documents.


* Security policy

The security policy employed is a simple same-origin check between the
document that initially linked the stylesheet in and the stylesheet
URI (in the case of stylesheet linking or import/include) or the
resource URI (in the case of document() usage.)  Exceptions are that
URI:s using the 'data' scheme are always allowed in both cases.

Firefox implements the same strict security policy, except for the
'data' scheme exception, which they don't have.
