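Chrome cannot open an XML file styled with XSLT

Tonight Chrome would not render an XML file I loaded, although View Source showed its content. I validated the file against its DTD and found no problems. So how could a browser as advanced as Google's fail to load an XML file?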

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet  type="text/xsl" href="hello.xsl"?>
<breakfast_name>
	<food>
		<name>Baozi</name>
		<description>猪肉白菜</description>
	</food>
</breakfast_name>
The XSLT code is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml">
  <body style="font-family:Arial,helvetica,sans-serif;font-size:12pt;
        background-color:#EEEEEE">
    <xsl:for-each select="breakfast_name/food">
      <div style="background-color:teal;color:white;padding:4px">
        <span style="font-weight:bold;color:white">
        <xsl:value-of select="name"/></span>
      </div>
      <div style="margin-left:20px;margin-bottom:1em;font-size:10pt">
        <xsl:value-of select="description"/>
      </div>
    </xsl:for-each>
  </body>
</html>
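There is nothing wrong with the code, so what is the cause?

A search on Baidu then showed that, for security reasons, Chrome does not let a local XML file load an XSLT file from the same directory, although an HTML file can load CSS that way.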

The reason this doesn't work is due to a security concern that Chrome has addressed in a controversial way[1][2][3][4], by blocking XML files from accessing local XSLT files in the same directory, while HTML files can access .CSS files in the same directory just fine.

The justification given by the Chrome team in 2008 was this:


Imagine this scenario:

  1. You receive an email message from an attacker containing a web page as an attachment, which you download.

  2. You open the now-local web page in your browser.

  3. The local web page creates an <iframe> whose source is https://mail.google.com/mail/.

  4. Because you are logged in to Gmail, the frame loads the messages in your inbox.

  5. The local web page reads the contents of the frame by using JavaScript to access frames[0].document.documentElement.innerHTML. (An Internet web page would not be able to perform this step because it would come from a non-Gmail origin; the same-origin policy would cause the read to fail.)

  6. The local web page places the contents of your inbox into a <textarea> and submits the data via a form POST to the attacker's web server. Now the attacker has your inbox, which may be useful for spamming or identity theft.

There is nothing Gmail can do to defend itself from this attack.


Solution:

I do agree it's annoying, as a fix you've got 2 solutions:

  1. Try running chrome with the --allow-file-access-from-files switch (I've not tested this myself)

  2. Upload it to a host, and everything will be fine.
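
A local variant of option 2, as an added example that is not part of the original post: this Python script serves the folder on 127.0.0.1 only, so hello.xml and hello.xsl share one http origin and Chrome's file-access restriction stays switched on. The helper names, port 8000 and the pinned application/xml content type are choices made for this example.

```python
import functools
import http.client
import http.server
import sys
import threading


class XmlHandler(http.server.SimpleHTTPRequestHandler):
    # Pin an XML content type for both files instead of trusting the host's MIME table.
    extensions_map = {**http.server.SimpleHTTPRequestHandler.extensions_map,
                      ".xml": "application/xml", ".xsl": "application/xml"}

    def log_message(self, fmt, *args):
        pass  # keep the console quiet


def serve(directory, port=0):
    """Start a background server bound to loopback only; port 0 picks a free port."""
    handler = functools.partial(XmlHandler, directory=str(directory))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def url_for(server, name):
    host, port = server.server_address[:2]
    return f"http://{host}:{port}/{name}"


def probe(server, name):
    """Fetch one file; return (origin tuple, HTTP status, content type)."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/" + name)
        resp = conn.getresponse()
        resp.read()
        return ("http", host, port), resp.status, resp.headers.get_content_type()
    finally:
        conn.close()


if __name__ == "__main__":
    srv = serve(sys.argv[1] if len(sys.argv) > 1 else ".", port=8000)  # example port
    print("open", url_for(srv, "hello.xml"), "(Ctrl+C to stop)")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it with the folder that holds both files as the argument, then open the printed URL in Chrome instead of the file:// path.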

