FIX: XML Improperly Loads Data Through an ASP Redirect Across Domains or Protocols (290908)


The information in this article applies to:

  • Microsoft XML 2.0
  • Microsoft XML 2.5
  • Microsoft XML 2.6
  • Microsoft XML 3.0
This article was previously published under Q290908

SYMPTOMS

You are able to load an XML document by using an Active Server Pages (ASP) page that redirects output from a file on a different domain or through a different protocol from the original request, but you expect the attempt to redirect to be denied.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This bug was corrected in Microsoft XML 3.0 Service Pack 1.

For additional information on other fixes included in Microsoft XML 3.0 Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:

292935 INFO: List of Issues Fixed in Microsoft XML 3.0 Service Pack 1

For the latest information and downloads of MSXML, refer to the following MSDN Web site at:

http://msdn.microsoft.com/xml/default.asp

MORE INFORMATION

Steps to Reproduce Behavior

  1. Create the testredirect HTML document.
    1. Create a new text document by using Microsoft Notepad or another text editor.
    2. Paste the following code into the new text document:
      <HTML>
<HEAD>
    <TITLE>Repro Code for Q290908</TITLE>
</HEAD>
<BODY>
	There should be an error, but with versions of MSXML prior to MSXML 3, SP1, there is none.
	<SCRIPT FOR=window EVENT=onload>
	document.expando = false;
	Verify();

	function Verify()
	{  
		var strResponse = "";
		
	    var xmlDoc = new ActiveXObject("MSXML2.DOMDocument");
	    xmlDoc.async = false;

	    try
	    {
	        var fileName = "http://localhost/redirect1.asp"  ;
	        xmlDoc.load(fileName);  

	        strResponse = "No error in loading:\n" + fileName;
	        strResponse += "\n";
	        strResponse += xmlDoc.xml;
	    }
	    catch(e)
	    {
	        strResponse = "file : " + fileName + "\n";
	        strResponse += "error# :\n";
	        strResponse += e.number + "\n";
	        strResponse += "description :\n*";
	        strResponse += e.description + "*";
	    }	
	    
	    alert(strResponse);
	}
	</SCRIPT>
</BODY>
</HTML>
    3. Save the text file as C:\InetPub\wwwroot\testredirect.html.
  2. Create the redirect1 ASP page, which will redirect to the third ASP page, using the file:// protocol.
    1. Create a new text document by using Microsoft Notepad or another text editor.
    2. Paste the following code into the new text document:
      <%@ Language=VBScript %>
<%
Response.Redirect "file://c|\inetpub\wwwroot\redirect2.asp"
%>
    3. Save the text file as C:\InetPub\wwwroot\redirect1.asp
  3. Create the redirect2 ASP page.
    1. Create a new text document by using Microsoft Notepad or another text editor.
    2. Paste the following code into the new text document:
      <%@ Language=VBScript %>
<%
Response.ContentType = "text/xml"
Response.Write "<test>This is a test</test>"
%>
    3. Save the text file as C:\InetPub\wwwroot\redirect2.asp
  4. Browse to the test.html from a computer on which MSXML 3.0 Service Pack 1 has not been installed, and note that the code does not produce an Access Denied error as it should, but improperly loads the data.
Modification Type:MajorLast Reviewed:10/16/2002
Keywords:kbBug kbDSupport KbMSXML300SP1fix kbMSXMLnosweep KB290908
©2002 Microsoft Corporation. All rights reserved.