Re: Nmap's XSL headers ignored in Firefox

[Daniel Miller <bonsaiviking () gmail com>]

On 01/07/2014 03:27 PM, Jacek Wielemborek wrote:
> List,
>
> I just tried to generate a few Nmap XML files and noticed that Firefox doesn't
> seem to load them. I tried to bug the #firefox guys on Mozilla's IRC channel,
> but got no meaningful reply. Here's what I tried:
>
> 1.
>
> nmap localhost -oX file.xml --webxml && firefox file.xml
>
> Gives an "unknown error" (805303f4) message. Google suggests that it's because
> Firefox doesn't read external XSL's by default.
This is a security setting for Firefox that isn't likely to be changed. 
Basically, the --webxml option will only work with some browsers or XLST 
engines, and there's nothing Nmap can do to change it. The XSL that is 
referenced (https://svn.nmap.org/nmap/docs/nmap.xsl) is served with the 
proper Content-Type, so that's good.

> 2.
>
> nmap localhost -oX file.xml && firefox file.xml
>
> Results in a blank webpage. Tried to replace "/usr/bin/../share" with
> "/usr/share" in the file, no help.
Yet another Firefox security thing. In order for this to work, you need 
to set `security.fileuri.strict_origin_policy` to "false" in Firefox's 
about:config in order for it to work.
> 3.
>
> nmap localhost -oX file.xml
> sed -i 's@file:///usr/bin/../share/nmap/nmap.xsl () nmap xsl@g' file.xml
> cp /usr/share/nmap/nmap.xsl .
> firefox file.xml
>
> Works, but it's ugly.
This should probably be the default. Using a relative URI for the XSL 
will work in most situations. If this were the default, there should 
probably be a --system-xsl option to restore the previous behavior. We 
could even add an option to copy the system XSL into the current 
directory, since Nmap knows where it should be based on the 
installation. Thoughts?

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/