On Fri Sep 19 12:25:58 2025 +0000, Jacek Caban wrote:
The quoted rationale would explain why it would be allowed only on http document URLs, but here you check the request URL, so I don't see how it's relevant. Ad-hoc parsing or comparing URLs is rarely a good idea. A valid absolute URL may have the "//" part missing or a relative URL may have "://" as part of the query. We'd probably need to use the `IUri` interface to combine URLs and then perform checks on it if we really need them. The rest of the logic seems questionable. Are you sure we don't want to allow https XDRs from http documents? We don't want to allow things like file protocol, but that's not specific to XDR.
I mean, for the https/http scheme "mismatch" I did add a test for it in this patch. I also searched to see if it's a consequence of something else or it's a false lead, but according to this:
http://web.archive.org/web/20100605063836/http://blogs.msdn.com/b/ieinternal...
It's how it's supposed to work, and the error (E_ACCESSDENIED) is legit. See (1) and (7). Do you have better ideas how to implement that?
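
The point about ad-hoc URL checks versus combining URLs first, as an added example that is not part of the thread or of Wine's code. It uses the WHATWG `URL` parser in JavaScript as a stand-in for `IUri`; the same-scheme, http/https-only policy is assumed from the reply, and the function names and sample URLs are constructed.

```javascript
// Added illustration; not Wine code. All URLs below are constructed samples.

// Ad-hoc test of the kind warned about above: treat a string as an
// absolute URL if it contains "://".
function naiveLooksAbsolute(requestUrl) {
  return requestUrl.includes("://");
}

// Resolve the request URL against the document URL first, then compare
// the schemes of the two parsed URLs.
// Assumed policy (taken from the reply): http/https only, schemes must match.
function checkXdrScheme(documentUrl, requestUrl) {
  let doc, req;
  try {
    doc = new URL(documentUrl);
    req = new URL(requestUrl, doc); // relative references are combined here
  } catch (e) {
    return { allowed: false, reason: "unparsable" };
  }
  if (req.protocol !== "http:" && req.protocol !== "https:") {
    return { allowed: false, reason: "scheme-not-http(s)", resolved: req.href };
  }
  if (req.protocol !== doc.protocol) {
    return { allowed: false, reason: "scheme-mismatch", resolved: req.href };
  }
  return { allowed: true, reason: "ok", resolved: req.href };
}

const DOC = "http://site.example/app/index.html"; // constructed document URL
const SAMPLES = [
  "data.json?next=http://other.example/", // relative, "://" only in the query
  "//api.example/v1/items",               // scheme-relative, no "://"
  "https://api.example/v1/items",         // absolute, different scheme
  "file:///C:/secret.txt",                // absolute, non-http(s) scheme
];

function runSamples() {
  return SAMPLES.map((u) => ({
    url: u,
    naive: naiveLooksAbsolute(u),
    ...checkXdrScheme(DOC, u),
  }));
}

console.table(runSamples());
```

The first two rows are the cases the substring test gets wrong: it calls the relative URL absolute and misses that the scheme-relative one points at another host.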