When you read about XML's features, you very rarely see anything about security, which could lead you to think that XML documents are inherently secure or that built-in mechanisms somehow guarantee their security. Because XML is plain text, the first option is clearly false unless you encrypt and decrypt your text offline. The second option applies—somewhat—but only on the client side of the client/sever equation.

On the client side, XML can be as dangerous as HTML code. Although XML doesn't contain script code, an XML document could bring along with it an Extensible Style Language (XSL) transformer that needs risky COM objects. Fortunately, the security zones available in Internet Explorer (IE) 4.0 and higher can help you manage the incoming XML data on the client side. Recall that IE security zones let you group sites based on their supposed damage risk. You can place sites into one of four zones: Local Intranet, Trusted, Internet, and Restricted.

When it comes to loading XML data, Microsoft XML Parser (MSXML) considers secure only those documents that come from the current domain. If a user attempts to load a page that uses MSXML to access data from a different domain, what happens depends mostly on where the page is coming from. The following simple rules control XML data access across domains within the same zone:

  • Access from one Local Intranet site to another is subject to acceptance, and the system promptly informs the user that data is being accessed across domains.
  • The system always permits access from one Trusted site to another.
  • The system always denies access from one Internet zone site to another or from one Restricted site to another.

MSXML treats files on the local computer as if they were part of a fifth Internet zone. Accessing data across zones is more serious and subject to more complex rules. The guiding principle is that cross-zone access is allowed only if more trusted zones access data from less trusted zones. For example, an instance of MSXML that is running on a Local Intranet site can access data on only Local Intranet or Internet-zone sites. A Trusted site that hosts MSXML can use all remote XML resources except those on the local computer or from Restricted sites. Finally, MSXML that is running locally can go everywhere except Restricted sites. In no case, however, can you jump across protocols, from HTTP to HTTP over Secure Sockets Layer (HTTPS).

On the server side, security is completely up to you. You need to create applications to manage security for XML documents as well as referenced external entities, Document Type Definitions (DTDs), and style sheets. Those helper documents must receive the same level of security protection as the XML files themselves. To ensure permissions and security, you can use the conventional authentication techniques you use for any other resource available on the server.