RSS feeds with application/rss+xml or application/atom+xml should be rendered with XMLTreeViewer

RSS feeds with application/rss+xml or application/atom+xml should be rendered with XMLTreeViewer

This check was added as part of https://chromiumcodereview.appspot.com/11048039/ 

Probably the purpose of the above CL was to avoid the feed being directed towards the download manager 
to be downloaded. This may be a side-effect of the CL.

We should allow these feeds to be treated normally with their respective MIME types. This is helpful in case
the feed contains any style information attached with them which would then be transformed. (I agree, we are
about to remove the XSLT support). If not, at least these can be shown as XML tree with the help of XMLTreeViewer.

BUG=104358
R=abarth@chromium.org, simonjam@chromium.org

[vivekg_samsung, 2013-08-08 10:28:09]

Please take a look at the first WIP patch for this. Thank you!

[abarth-chromium, 2013-08-08 17:50:29]

not lgtm.  That check is there for security.  For better or worse, people put
untrusted data in RSS feeds hosted on their origin.

[abarth-chromium, 2013-08-08 17:51:50]

This behavior wasn't added in that CL.  We've had this behavior since the
beginning of the product.  I suspect it was temporarily changed while we
supported web intents.

[vivekg_samsung, 2013-08-09 04:53:58]

On 2013/08/08 17:51:50, abarth wrote:
> This behavior wasn't added in that CL.  We've had this behavior since the
> beginning of the product.  I suspect it was temporarily changed while we
> supported web intents.

Thanks Adam for the review. Its working as expected then.

I am wondering if your comment
https://code.google.com/p/chromium/issues/detail?id=104358#c12 would still be
applicable in that we can show these feeds as XML tree view rather than plain
text. In this case we will not honor the associated stylesheet information and
will not do any transformation. 

Would showing such feeds as XML tree view pose any security issues?

Thoughts?

[abarth-chromium, 2013-08-09 07:19:02]

On Thu, Aug 8, 2013 at 9:53 PM, <vivek.vg@samsung.com> wrote:

> On 2013/08/08 17:51:50, abarth wrote:
>
>> This behavior wasn't added in that CL.  We've had this behavior since the
>> beginning of the product.  I suspect it was temporarily changed while we
>> supported web intents.
>>
>
> Thanks Adam for the review. Its working as expected then.
>
> I am wondering if your comment
>
https://code.google.com/p/**chromium/issues/detail?id=**104358#c12<https://co...
still be
> applicable in that we can show these feeds as XML tree view rather than
> plain
> text. In this case we will not honor the associated stylesheet information
> and
> will not do any transformation.
>
> Would showing such feeds as XML tree view pose any security issues?
>
> Thoughts?
>

Using text/plain is a bit of a hack from the old days before we had the
good security technology we have today.  If I were doing this again today,
I would use CSP's sandbox directive to protect the web site from XSS while
still letting the browser treat the content as XML.

That said, I'm trying to remove XSLT support from the product.  One of the
main use cases for XSLT is to transform RSS feeds.  As long as we don't
support that use case, it's easier to remove support for XSLT...  Certainly
enabling XSLT for RSS feeds in one release and ripping out XSLT entirely in
a subsequent release would send mixed messages.  Perhaps we should switch
to the sandbox approach after removing XSLT support?

Adam

[vivekg_samsung, 2013-08-09 13:43:15]

On 2013/08/09 07:19:02, abarth wrote:
> On Thu, Aug 8, 2013 at 9:53 PM, <mailto:vivek.vg@samsung.com> wrote:
> 
> > On 2013/08/08 17:51:50, abarth wrote:
> >
> >> This behavior wasn't added in that CL.  We've had this behavior since the
> >> beginning of the product.  I suspect it was temporarily changed while we
> >> supported web intents.
> >>
> >
> > Thanks Adam for the review. Its working as expected then.
> >
> > I am wondering if your comment
> >
>
https://code.google.com/p/**chromium/issues/detail?id=**104358#c12%3Chttps://...
> still be
> > applicable in that we can show these feeds as XML tree view rather than
> > plain
> > text. In this case we will not honor the associated stylesheet information
> > and
> > will not do any transformation.
> >
> > Would showing such feeds as XML tree view pose any security issues?
> >
> > Thoughts?
> >
> 
> Using text/plain is a bit of a hack from the old days before we had the
> good security technology we have today.  If I were doing this again today,
> I would use CSP's sandbox directive to protect the web site from XSS while
> still letting the browser treat the content as XML.
> 
> That said, I'm trying to remove XSLT support from the product.  One of the
> main use cases for XSLT is to transform RSS feeds.  As long as we don't
> support that use case, it's easier to remove support for XSLT...  Certainly
> enabling XSLT for RSS feeds in one release and ripping out XSLT entirely in
> a subsequent release would send mixed messages.  Perhaps we should switch
> to the sandbox approach after removing XSLT support?
> 
> Adam

Thanks once again Adam. I agree with you on removal of XSLT being the priority.
We will come back to this CL once XSLT removal is completed. Thanks!