Comments at the bottom of this message:

"Joe Fawcett" wrote:

> "Steve" <Steve@d...> wrote in message 
> news:3A15C5CE-0CB3-466C-A571-54A815B4FE69@m......
> > Hi,
> >
> > I'm using browser-based XSL transformations, obtaining XML files that
> > specify the corresponding XSL stylesheet to use, all via HTTPS from a Java
> > App Server (Tomcat 5.5.20 to be precise).  One of the XSL stylesheets uses
> > the XPath document() function to return an XML document.  The href 
> > attribute
> > associated with the document() function references a servlet on the Java 
> > App
> > Server that dynamically creates the required XML and returns it.  This 
> > works
> > fine when the servlet is accessed via HTTP, but fails in IE (6 and 7) when
> > the servlet is accessed via HTTPS.  Firefox has no such problems.
> >
> > I look at the server logs, and the HTTP(S) request initiated by document()
> > is being received by the server and XML content returned.  However, IE
> > displays the following web page:
> >
> > The XML page cannot be displayed
> >
> > Cannot view XML input using XSL style sheet. Please correct the error and
> > then click the Refresh button, or try again later.
> > --------------------------------------------------------------------------------
> >
> > The download of the specified resource has failed.
> >
> > Is there some configuration setting in IE that is preventing this from
> > working?  Is there something I need to do to get this going or is this a
> > known bug?
> >
> > Many thanks,
> > -Steve
> >
> IE is stricter on security than Firefox in this matter and treats this as a 
> cross domain request as you're using a different protocol. You can sometimes 
> fix this by changing cross domain settings in IE, there are a number of 
> different sections in the zone security panels.
> You could also try the approach of accessing the main XSLT via https.

But I'm not using different protocols (i.e., HTTP vs. HTTPS)!   The entire 
web application is accessed via HTTPS, not just the XML returned by this one 
particular document() function call.  In other words, the XML document that 
contains the initial stylesheet reference is accessed via HTTPS.  Thus, I 
assume that the referenced stylesheet must be fetched via HTTPS as well, 
since how else could it be returned to IE (i.e., there is no HTTP path 
available to fetch the stylesheet).  This stylesheet then makes a document() 
function call back to the same server / same web app to return some 
dynamically created XML.  This must also be happening via HTTPS, since once 
again, there is no HTTP path available.

Thus, I don't understand your reference to a cross domain request since only 
HTTPS requests are being made and they're all going to the same web 
application on the same server.  Anyway, I don't think I can ask my user 
community to change IE security settings to have the application work 
properly.  Unless there are other ideas, it looks like I'm going to have to 
change to server-side transformations or tell folks that IE is not supported 
(ya right :-).

Thanks,
-Steve