Example files to be revised wrt. xsi:noNamespaceSchemaLocation.

[DrCaFr]

Do we still need attribute xsi:noNamespaceSchemaLocation="xmcf_3_1_1.xsd" in <xmcf/> element?

Compare this with STEP AP242 XML. @maxungerer may support with more detailed information.

[maxungerer]

I recently learned that schema locations with URLs should not be included in an XSD header due to the risk of man-in-the-middle attacks. For further readings see chapter "Remote Schema Poisoning" in https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html

[economidis-nick]

I think we had discussed this at some point but did not move this way.

As far as I can remember, we chose the noNamespaceSchemaLocation for 2 reasons:

• systems without access to internet, will have no way to access a specific location.
• we chose a 'no-namespace' schema to keep the file readable, without every element having a namespace prepended to it. We also wanted to have no breaking changes to xmcf3.0 . Adding namespace would certainly v3.1 files appear very different from files of previous versions.

If I am not mistaken, we are consistent with FATXML.

I do not object to revising it though. What would you propose that we use instead of the xsi:noNamespaceSchemaLocation="xmcf_3_1_1.xsd" ? Could you provide a link to the STEP schema and point me to the relevant line, please ?

[DrCaFr]

I am not sure, how noNamespaceSchemaLocation my allow for a man-in-the-middle attack. We really need to consider that confusions may occur :wink: …