xml transform over https

Luther Baker

My team is using the FO library to generate PDFs.

We are also required to use https.

The XSL transform page fed into javax.xml.transform.Transformer starts
with

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:fo ="http://www.w3.org/1999/XSL/Format">

---

Now, when displaying the PDF, Internet Explorer is popping an alert
saying "This page contains both secure and nonsecure items. Do you
want to display the nonsecure items?"

And no particular preferences in IE take this away. ENABLE MIXED
CONTENT and WARN IF CHANGING ... are both set correctly, yet we still
get the popup. I can only think that this xsl file is causing us
trouble.

Now, before looking at this problem - I believed that namespace uri
strings were simply that, unique identifiers. Not necessarily valid
internet URLs. Since transforms work without a connection to the
internet, it seems to make sense. Yet, as soon as I put
https:///www.w3.org/1999/XSL/Transform into this header, I get the
infamous "javax.xml.transform.TransformerException: stylesheet
requires attribute: version".

Can someone explain to me why the URI needs to be exactly
http://www.w3.org/1999/XSL/Transform and is there any way around this?
I'd like to get everything within the https environment, to use https
- as I'd like to get rid of that popup.

Thanks,

-LutherB
 
Julian Reschke

Luther said:
...
Can someone explain to me why the URI needs to be exactly
http://www.w3.org/1999/XSL/Transform and is there any way around this?
...

Because, as you said, it's just a string. But it's also an *identifier*
-- if it doesn't match character by character, the XSLT engine will not
recognize the language.

I'd say this is a browser bug -- namespace URIs should be irrelevant for
security considerations (unless of course something really accesses them).

Julian
 
Julian Reschke

Luther said:
My team is using the FO library to generate PDFs.

We are also required to use https.

The XSL transform page fed into javax.xml.transform.Transformer starts
with

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:fo ="http://www.w3.org/1999/XSL/Format">

---

Now, when displaying the PDF, Internet Explorer is popping an alert
saying "This page contains both secure and nonsecure items. Do you
want to display the nonsecure items?"

...

Speaking of which -- if the transformation happens server-side, why
would the exact syntax of the XSLT ever affect the generated PDF data
stream? I guess there's something else wrong with the content you're
sending.
 
Martin Honnen

Luther said:
My team is using the FO library to generate PDFs.

We are also required to use https.

The XSL transform page fed into javax.xml.transform.Transformer starts
with

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:fo ="http://www.w3.org/1999/XSL/Format">

---

Now, when displaying the PDF, Internet Explorer is popping an alert
saying "This page contains both secure and nonsecure items. Do you
want to display the nonsecure items?"

And no particular preferences in IE take this away. ENABLE MIXED
CONTENT and WARN IF CHANGING ... are both set correctly, yet we still
get the popup. I can only think that this xsl file is causing us
trouble.

Now, before looking at this problem - I believed that namespace uri
strings were simply that, unique identifiers. Not necessarily valid
internet URLs. Since transforms work without a connection to the
internet, it seems to make sense. Yet, as soon as I put
https:///www.w3.org/1999/XSL/Transform into this header, I get the
infamous "javax.xml.transform.TransformerException: stylesheet
requires attribute: version".

Can someone explain to me why the URI needs to be exactly
http://www.w3.org/1999/XSL/Transform and is there any way around this?
I'd like to get everything within the https environment, to use https
- as I'd like to get rid of that popup.

I am pretty sure the warning IE gives has nothing to do with the
namespace URIs. Your XSLT transformation is done on the server isn't it?
So IE doesn't even see the XSL stylesheet.
I don't know what kind of page you generate but maybe you have an
<iframe> in there pointing to a non https URL. That is when IE usually
gives the warning.
If you post a URL maybe we can find out what causes the warning but I
don't think the whole problem is related to XML thus asking in an IE
group might be a better way.
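
The two points made in the replies above, shown as an added example that is not from any poster in this thread: a namespace URI is only compared as a string, while a mixed-content warning comes from URLs the browser actually fetches. The tag/attribute table, the helper names and the sample page (with its `example.test` host) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"

# Subset of tag -> attribute pairs that make a browser load a subresource
# (assumed list for this example, not exhaustive).
FETCHING_ATTRS = {"iframe": "src", "frame": "src", "img": "src",
                  "script": "src", "embed": "src", "object": "data"}


class MixedContentScanner(HTMLParser):
    """Separates fetched http:// subresources from namespace declarations."""

    def __init__(self):
        super().__init__()
        self.insecure = []    # (tag, attr, url) loaded over plain http
        self.namespaces = []  # xmlns values: identifiers, never fetched

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name == "xmlns" or name.startswith("xmlns:"):
                self.namespaces.append(value)
            elif (FETCHING_ATTRS.get(tag) == name
                  and value.lower().startswith("http://")):
                self.insecure.append((tag, name, value))


def scan(markup):
    scanner = MixedContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner


def is_xslt_namespace(uri):
    # Exact, character-by-character match; changing the scheme changes the name.
    return uri == XSLT_NS


# Constructed sample page served over https.
SAMPLE_PAGE = """<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:fo="http://www.w3.org/1999/XSL/Format">
<body>
  <iframe src="http://reports.example.test/banner.html"></iframe>
  <img src="https://reports.example.test/logo.png">
  <a href="http://www.w3.org/1999/XSL/Transform">spec</a>
</body></html>"""
```

Only the `<iframe>` is reported; the `xmlns` values and the plain link are not subresource loads.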
 
Luther Baker

Martin Honnen said:
I am pretty sure the warning IE gives has nothing to do with the
namespace URIs. Your XSLT transformation is done on the server isn't it?
So IE doesn't even see the XSL stylesheet.
I don't know what kind of page you generate but maybe you have an
<iframe> in there pointing to a non https URL. That is when IE usually
gives the warning.
If you post a URL maybe we can find out what causes the warning but I
don't think the whole problem is related to XML thus asking in an IE
group might be a better way.

There is no iframe, we just post to a servlet, feed the XSL into the
FO engine, and then return the PDF contents to the browser. The
browser prompts the user, and on saying OK, the PDF is downloaded and
ADOBE opens.

I agree with you, it's probably got nothing to do with the XSLT, but
I'm not sure why IE feels the content is mixed.

I will try an IE newsgroup.

Thanks,

-LutherB
 
