Cross domain access from Silverlight

By | September 15, 2012
A Silverlight control hosted at http://myserver/mypage.aspx can, by default, call only services on that same domain: http://myserver/service.svc is reachable, http://otherserver/service.svc is not. The restriction exists because the browser attaches the user's ambient credentials (cookies, HTTP authentication) to the control's requests; without it, a malicious control on the http://myserver domain could invoke operations on a service hosted on the http://otherserver domain with the permissions of whoever is viewing the page.

To let a Silverlight control call a service in another domain, the service must explicitly opt in to cross-domain access. By opting in, the service asserts that the operations it exposes can safely be invoked by Silverlight controls from the listed domains without damaging the data the service stores. The decision belongs to the service owner, not the caller: the policy file lives on the service's domain.

To allow cross-domain access, place a clientaccesspolicy.xml file (or, as a fallback, a Flash-style crossdomain.xml) at the root of the domain hosting the service. In the example above that is the http://otherserver root: before the first cross-domain call Silverlight requests http://otherserver/clientaccesspolicy.xml, and only if that file is missing does it try http://otherserver/crossdomain.xml.

Create a clientaccesspolicy.xml file that allows access from any other domain to the services of the current domain.

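The permissive policy described above, as an added example of the file format (this is not the listing from the original post): a clientaccesspolicy.xml that admits callers from any domain of the same scheme to every path on the service host.

```xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <!-- Which caller domains may invoke the service. "*" admits every
           domain that uses the same scheme as this policy file. -->
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <!-- Which paths on this host those callers may reach. "/" with
           include-subpaths="true" is the whole site. -->
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```

This is the widest grant the format allows: any caller, any request header, any path. For a production service, replace the bare "*" with the specific caller domains, list only the headers the service needs (for SOAP, typically SOAPAction and Content-Type), and narrow the resource path to the service endpoint.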

The uri attribute of the domain element accepts three kinds of wildcard:

1. <domain uri="*"/>: allows access from all domains of the same scheme as the service. An HTTP service will allow all HTTP callers; an HTTPS service will allow all HTTPS callers.

2. <domain uri="http://*"/> or <domain uri="https://*"/>: the first allows HTTP callers to reach both HTTP and HTTPS services; the second allows HTTPS callers to reach both HTTP and HTTPS services.

3. <domain uri="http://*.myserver.com"/> (subdomain): the wildcard stands for the first label of the host name and admits every subdomain of the domain given (http://*.contoso.com, for example). With this entry, http://web.myserver.com is allowed. A URI in which the wildcard is not the leading label (http://web.*.com, for example) is disallowed.

To prevent malicious attacks, never publish a single client access policy file that serves both the HTTP and the HTTPS services on your domain and admits both HTTP and HTTPS callers. A control delivered over plain HTTP can be modified in transit, and such a policy would let the tampered control call the HTTPS service with the user's credentials.

To allow access from a specific domain only, list that URI explicitly, e.g. <domain uri="http://otherserver.com"/>. A policy file at http://myserver containing that entry makes http://myserver/service.svc callable from controls hosted on http://otherserver.com and from nowhere else.

Any domain not listed in a domain element is implicitly denied; the Silverlight policy file has no separate deny rule.
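The wildcard rules and the single-domain and mixed-scheme cases above can be checked offline before a policy is deployed. The following is an added example written for this page, not code from the original post or from Silverlight: it parses a clientaccesspolicy.xml and applies the matching rules just described. It simplifies Silverlight's real matcher (ports and the http-request-headers attribute are ignored, and a "*.host" entry is treated as matching subdomains only); the sample policies, host names and origins it embeds are constructed for the demonstration.

```python
"""Offline checker for a Silverlight clientaccesspolicy.xml.

Added example for this page, not code from the original post or from
Silverlight. It re-implements the <domain uri="..."/> wildcard rules listed
above (bare "*", "http://*" / "https://*", "http://*.host") plus the
<grant-to> path check, so a policy can be exercised against caller origins
before deployment. Simplifications: ports and http-request-headers are
ignored, and "*.host" matches subdomains only. The sample policies and
origins are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def _split(url):
    """Return (scheme, host) in lower case; host is None if absent."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname.lower() if parts.hostname else None)


def domain_matches(uri, service_scheme, caller_origin):
    """True if one <domain uri="..."/> entry admits caller_origin. The bare
    "*" wildcard is scoped to service_scheme, the scheme the policy file is
    served over."""
    caller_scheme, caller_host = _split(caller_origin)
    if uri == "*":
        return caller_scheme == service_scheme
    entry_scheme, entry_host = _split(uri)
    if not entry_host or caller_host is None:
        return False
    if entry_host == "*":                       # "http://*" or "https://*"
        return caller_scheme == entry_scheme
    if entry_host.startswith("*."):             # "http://*.myserver.com"
        suffix = entry_host[1:]                 # ".myserver.com"
        return (caller_scheme == entry_scheme and caller_host.endswith(suffix)
                and len(caller_host) > len(suffix))
    if "*" in entry_host:                       # "http://web.*.com" is disallowed
        return False
    return caller_scheme == entry_scheme and caller_host == entry_host


def parse_policy(xml_text):
    """Return [(domain_uris, [(path, include_subpaths), ...]), ...], one per <policy>."""
    policies = []
    for pol in ET.fromstring(xml_text).iter("policy"):
        domains = [d.get("uri", "") for d in pol.iter("domain")]
        resources = [(r.get("path", "/"), r.get("include-subpaths") == "true")
                     for r in pol.iter("resource")]
        policies.append((domains, resources))
    return policies


def resource_matches(resources, path):
    """True if path falls under one of the <resource> grants."""
    return any(path == base or (sub and path.startswith(base.rstrip("/") + "/"))
               for base, sub in resources)


def is_allowed(xml_text, service_url, caller_origin):
    """Would Silverlight let a control from caller_origin call service_url?"""
    service_scheme, _ = _split(service_url)
    path = urlsplit(service_url).path or "/"
    return any(
        any(domain_matches(u, service_scheme, caller_origin) for u in domains)
        and resource_matches(resources, path)
        for domains, resources in parse_policy(xml_text))


def mixes_schemes(xml_text, service_scheme):
    """Flag the pattern warned against above: one policy admitting both HTTP
    and HTTPS callers."""
    schemes = {service_scheme if uri == "*" else _split(uri)[0]
               for domains, _ in parse_policy(xml_text) for uri in domains}
    return {"http", "https"} <= schemes


# Constructed sample policies (XML declaration omitted for brevity).
OPEN_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

RESTRICTED_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction,Content-Type">
    <domain uri="https://app.myserver.com"/><domain uri="https://*.partner.example"/>
  </allow-from>
  <grant-to><resource path="/api/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

MIXED_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="http://*"/><domain uri="https://*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

if __name__ == "__main__":
    svc = "https://otherserver/api/service.svc"
    for origin in ("https://app.myserver.com", "http://app.myserver.com", "https://evil.example"):
        print(origin, "->", is_allowed(RESTRICTED_POLICY, svc, origin))
    print("mixed schemes:", mixes_schemes(MIXED_POLICY, "https"))
```

Point is_allowed at your own policy text and the origins you expect to serve, and run mixes_schemes over it with the scheme the file is published under; a True from the latter is the configuration the warning above tells you not to ship.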

Alternatively, create a crossdomain.xml file. It must allow access to the service from any domain; a crossdomain.xml with narrower rules is not recognized by Silverlight 4.

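The Flash-style fallback file, as an added example (not the listing from the original post). Silverlight honours only a crossdomain.xml that opens the service to every domain, so there is no narrower variant to show; the header list is an assumption for a SOAP service.

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- Silverlight 4 only recognises a crossdomain.xml that admits all domains. -->
  <allow-access-from domain="*"/>
  <!-- Headers a cross-domain caller may send; SOAPAction and Content-Type are
       assumed here because the service in the example is a .svc endpoint. -->
  <allow-http-request-headers-from domain="*" headers="SOAPAction,Content-Type"/>
</cross-domain-policy>
```

Because this file cannot express per-domain or per-path limits for Silverlight callers, prefer clientaccesspolicy.xml whenever the service should be reachable from anything less than the whole web.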
