[GeoNetwork-devel] [GeoNetwork opensource Developer website] #298: Loading a bad xml file (as template) in IE results in "Access Denied" error.

#298: Loading a bad xml file (as template) in IE results in "Access Denied"
error.
--------------------------+-------------------------------------------------
Reporter: justinrowles | Owner: geonetwork-devel@…
     Type: defect | Status: new
Priority: major | Milestone: v2.6.0 RC2
Component: General | Version: v2.6.0RC0
Keywords: |
--------------------------+-------------------------------------------------
If an IE user attempts to load a badly formed xml file as a template, they
will not see the SAX parse error, but instead see an 'error on page'. If
they open the error, it is an 'Access Denied' error.

This is because the server returns a 500 error along with the exception
message. IE decides not to show the exception, but to load its own 500
message from file. Then it notices that the source for the parent page is
the GeoNetwork server, but the source for the iframe is the local disk,
and triggers its own cross-site scripting defences!

--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/298&gt;
GeoNetwork opensource Developer website <http://trac.osgeo.org/geonetwork&gt;
GeoNetwork opensource is a standards based, Free and Open Source catalog application to manage spatially referenced resources through the web. It provides powerful metadata editing and search functions as well as an embedded interactive web map viewer. This website contains information related to the development of the software.

#298: Loading a bad xml file (as template) in IE results in "Access Denied"
error.
--------------------------+-------------------------------------------------
Reporter: justinrowles | Owner: geonetwork-devel@…
     Type: defect | Status: new
Priority: major | Milestone: v2.6.0 RC2
Component: General | Version: v2.6.0RC0
Keywords: |
--------------------------+-------------------------------------------------

Comment(by justinrowles):

I would argue that the server should not be returning a 500 error. There
has not been an ''internal'' error.

A normal 200 response with the correct error message should be the result.

This is not, it appears, how GeoNetwork has been designed. There is no
obvious facility to return a message without throwing an exception up to
Jetty and thus returning a 500. If anyone can show me how that is
intended to be done, then I will provide a patch.

--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/298#comment:1&gt;
GeoNetwork opensource Developer website <http://trac.osgeo.org/geonetwork&gt;
GeoNetwork opensource is a standards based, Free and Open Source catalog application to manage spatially referenced resources through the web. It provides powerful metadata editing and search functions as well as an embedded interactive web map viewer. This website contains information related to the development of the software.

#298: Loading a bad xml file (as template) in IE results in "Access Denied"
error.
--------------------------+-------------------------------------------------
Reporter: justinrowles | Owner: geonetwork-devel@…
     Type: defect | Status: new
Priority: major | Milestone: v2.6.1
Component: General | Version: v2.6.0RC0
Keywords: |
--------------------------+-------------------------------------------------
Changes (by ticheler):

  * milestone: v2.6.0 => v2.6.1

--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/298#comment:2&gt;
GeoNetwork opensource Developer website <http://trac.osgeo.org/geonetwork&gt;
GeoNetwork opensource is a standards based, Free and Open Source catalog application to manage spatially referenced resources through the web. It provides powerful metadata editing and search functions as well as an embedded interactive web map viewer. This website contains information related to the development of the software.

#298: Loading a bad xml file (as template) in IE results in "Access Denied"
error.
--------------------------+-------------------------------------------------
Reporter: justinrowles | Owner: geonetwork-devel@…
     Type: defect | Status: new
Priority: major | Milestone: v2.6.2
Component: General | Version: v2.6.0RC0
Keywords: |
--------------------------+-------------------------------------------------
Changes (by heikki):

  * milestone: v2.6.1 => v2.6.2

--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/298#comment:3&gt;
GeoNetwork opensource Developer website <http://trac.osgeo.org/geonetwork&gt;
GeoNetwork opensource is a standards based, Free and Open Source catalog application to manage spatially referenced resources through the web. It provides powerful metadata editing and search functions as well as an embedded interactive web map viewer. This website contains information related to the development of the software.