Opened 14 years ago
Last modified 14 years ago
#298 new defect
Loading a bad xml file (as template) in IE results in "Access Denied" error.
| Reported by: | justinrowles | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | v2.6.5 |
| Component: | General | Version: | v2.6.0RC0 |
| Keywords: | | Cc: | |
Description
If an IE user attempts to load a badly formed xml file as a template, they will not see the SAX parse error, but instead see an 'error on page'. If they open the error, it is an 'Access Denied' error.
This is because the server returns a 500 error along with the exception message. IE decides not to show the exception, but to load its own 500 message from file. Then it notices that the source for the parent page is the GeoNetwork server, but the source for the iframe is the local disk, and triggers its own cross-site scripting defences!
Attachments (1)
Change History (5)
comment:1 by , 14 years ago
comment:2 by , 14 years ago
| Milestone: | v2.6.0 → v2.6.1 |
|---|---|
comment:3 by , 14 years ago
| Milestone: | v2.6.1 → v2.6.2 |
|---|---|
comment:4 by , 14 years ago
| Milestone: | v2.6.3 → v2.6.5 |
|---|---|
I've done this, patch attached.
There are three reasons we might fail:
- internal server error (don't catch exception, returns 500)
- invalid xml (catch exception, return 200 + error message via new xslt)
- xml is not schema valid (catch exception, return 200 + error message via new xslt)
The patch is against trunk at time of writing, which is almost 2.6.4. It should patch in without issues immediately after 2.6.4 is released.
by , 14 years ago
| Attachment: | xmlremove500errors.patch added |
|---|---|
I would argue that the server should not be returning a 500 error. There has not been an internal error.
A normal 200 response with the correct error message should be the result.
This is not, it appears, how GeoNetwork has been designed. There is no obvious facility to return a message without throwing an exception up to Jetty and thus returning a 500. If anyone can show me how that is intended to be done, then I will provide a patch.
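
The three-way split listed in comment:4 (an uncaught exception gives a 500; invalid XML and schema-invalid XML each give a 200 plus an error message), as an added Java example. It is not the attached patch or GeoNetwork code: the class, the `Result` record, the sample schema and the message strings are hypothetical, and the record syntax assumes Java 16 or later.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical names throughout; this is not GeoNetwork or Jeeves code.
public class TemplateLoadDemo {
    record Result(int status, String body) {}

    // Constructed schema: a <template> element that must contain one <title>.
    static final String XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
      + "<xs:element name='template'><xs:complexType><xs:sequence>"
      + "<xs:element name='title' type='xs:string'/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Case 1: anything thrown outside the two try blocks propagates to the
    // container and becomes a 500, because it really is an internal error.
    static Result load(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Uploaded XML is untrusted input: refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Schema schema = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
                .newSchema(new StreamSource(new StringReader(XSD)));
        Document doc;
        try {
            doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) { // case 2: not well-formed
            return new Result(200, "Invalid XML: " + e.getMessage());
        }
        try {
            schema.newValidator().validate(new DOMSource(doc));
        } catch (SAXException e) { // case 3: well-formed but not schema valid
            return new Result(200, "Not schema valid: " + e.getMessage());
        }
        return new Result(200, "Template loaded");
    }

    public static void main(String[] args) throws Exception {
        System.out.println(load("<template><title>t</title></template>")); // loads
        System.out.println(load("<template><title>t</template>"));         // case 2
        System.out.println(load("<template><name>t</name></template>"));   // case 3
    }
}
```

The parser message is echoed to the browser, so whatever renders it into the page must escape it as text.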