Carousel objects access with XMLHttpRequest
In order to access the content of a carousel file, the XMLHttpRequest object can be used with the following constraints:
- Parameters passed to the open() method:
  - method: Shall be set to “GET”.
  - url: Can be relative (to the location of the current page in the carousel’s file system) or an absolute dvb: URL.
  - async: shall be set to true.
  - user and password: Ignored.
- status: Set to 200 when the DSM-CC object is found and to 404 if it cannot be accessed – e.g. the object is not present in the carousel or if the carousel has been unmounted (due to another request).
- statusText: implementation dependent.
- Headers are not relevant for carousel access:
  - Calls to setRequestHeader() are ignored.
  - getResponseHeader() shall return null and getAllResponseHeaders() shall return an empty string.
- Values of the responseText and responseXML properties are shown in Table 10.
Table 10: Values of the responseText and responseXML properties
| DSM-CC object | responseText | responseXML |
|---|---|---|
| File | Returns the “text response entity body” as defined in XMLHTTPRequest. | If the file has the extension “.xml”, returns the “XML response entity body” as defined in XMLHTTPRequest. Otherwise, returns null. |
| Directory | Comma-separated list of names (File name, Stream Event name or Directory name) of all objects in the directory. These names shall not include path information. | |
| Stream Event | Comma-separated list of names of all events in the Stream Event object. | |
Examples of dvb: URLs that may be used with the XMLHttpRequest object are:
- /weather/data.xml (absolute path from the root of the carousel of the current page)
- ../weather/data.xml (relative path to the current page)
- dvb://1..1.B8/weather/data.xml (0xB8 is the component tag)
Application developers should be aware that in some circumstances an attacker may be able to modify the broadcast signal carrying a carousel file. Applications should be written to be tolerant of incorrectly formatted data or values which are outside the expected range without hanging up, locking up or crashing.
Application developers should be aware that if a broadband-delivered application uses data from a carousel in a way that would result in it being executed by the browser, then that application is only as secure as the carousel delivery mechanism. Broadband-delivered applications should avoid such use unless the protection mechanism described in clause 9 of ETSI TS 102 809 is in use.
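One way to apply the two notes above, as an added example that is not part of the specification: fetch a carousel object under the XMLHttpRequest constraints listed earlier, then validate the response strictly as data before the page uses it. The JSON file layout, its field names (city, tempC), the size limits and the name allowlist are assumptions made for illustration.

```javascript
// Added example, not from the specification. File layout, field names
// and limits are assumptions chosen for illustration.
var MAX_CHARS = 4096;   // assumed cap on any carousel response we accept
var MAX_NAMES = 64;     // assumed cap on entries in one directory

// Fetch under the constraints above: GET, async = true, no request headers,
// and nothing but status 200 counts as success. XHR is injectable for tests.
function loadCarouselObject(url, onDone, XHR) {
  var xhr = new (XHR || XMLHttpRequest)();
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) { return; }
    // 404 means the object is absent or the carousel was unmounted.
    var text = xhr.status === 200 ? xhr.responseText : null;
    onDone(typeof text === "string" && text.length <= MAX_CHARS ? text : null);
  };
  xhr.open("GET", url, true);
  xhr.send();
}

// Directory responseText: comma-separated names with no path information.
// The character allowlist is this application's own (assumed) naming policy.
function parseDirectoryListing(text) {
  if (typeof text !== "string" || text.length > MAX_CHARS) { return null; }
  var names = text === "" ? [] : text.split(",");
  if (names.length > MAX_NAMES) { return null; }
  for (var i = 0; i < names.length; i++) {
    if (!/^[A-Za-z0-9._-]{1,64}$/.test(names[i]) || /^\.+$/.test(names[i])) {
      return null;      // rejects "/", "..", empty and oversized names
    }
  }
  return names;
}

// Treat file content as data: JSON.parse (never eval), then type- and
// range-check every field before the page uses it.
function parseForecast(text) {
  var obj;
  try { obj = JSON.parse(text); } catch (e) { return null; }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) { return null; }
  if (typeof obj.city !== "string" || !/^[A-Za-z .'-]{1,40}$/.test(obj.city)) { return null; }
  if (typeof obj.tempC !== "number" || !isFinite(obj.tempC) ||
      obj.tempC < -90 || obj.tempC > 60) { return null; }
  return { city: obj.city, tempC: obj.tempC };
}
```

When displaying validated values, assign them with textContent rather than innerHTML so that carousel data is never interpreted as markup or script.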