Friday, September 14, 2012

Cross domain access from Silverlight

Silverlight control hosted at http://myserver/mypage.aspx can access only services on that same domain by default – for example http://myserver/service.svc, but not a service at http://otherserver/service.svc. This prevents a malicious Silverlight control hosted on the http://myserver domain from calling unauthorized operations on a service hosted on the http://otherserver domain.

To enable a Silverlight control to access a service in another domain, the service must explicitly opt-in to allow cross-domain access. By opting-in, a service states that the operations it exposes can safely be invoked by a Silverlight control, without potentially damaging consequences to the data that the service stores.

To allow cross-domain access, place a clientaccesspolicy.xml and a crossdomain.xml file at the root of the domain where the service is hosted. In the example above, the files are placed at the root of http://otherserver.
Create a clientaccesspolicy.xml file to allow access from any other domain to the services of the current domain:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
There are three types of wildcards allowed:
1. <domain uri="*"/>: This option allows access from all domains of the same scheme. An HTTP service will allow all HTTP callers; an HTTPS service will allow all HTTPS callers.
2. <domain uri="http://*"/> or <domain uri="https://*"/>: The first option allows access to an HTTP service from HTTP callers and to an HTTPS service from HTTP callers. The second option allows access to an HTTP service from HTTPS callers and to an HTTPS service from HTTPS callers.
3. <domain uri="http://*"/> (subdomain): This option uses a wildcard at the first segment of the path ("http://*", for example) to allow all subdomains of the domain specified. So, for that example, the matching subdomain would be allowed. Note that a uri where the wildcard does not occur as a prefix (http://web.*.com, for example) is disallowed.
To prevent malicious attacks, you should never provide one client access policy file for both HTTP and HTTPS services on your domain that enable calls from both HTTP and HTTPS clients.
To allow access from a specific domain, specify that particular uri, e.g. <domain uri=""/>. The http://myserver/service.svc service will then be accessible only from (other domain).

Access is implicitly denied for all domains not listed in a <domain> element in a Silverlight policy file.
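The wildcard rules above are easy to get wrong when a policy file is edited by hand. The following added example (not part of the original post) audits a clientaccesspolicy.xml against those rules: it flags a "*" grant to the whole site, a wildcard that is not a prefix (which Silverlight disallows), and a cross-scheme grant that lets HTTP callers reach an HTTPS service. The sample policy and the hypothetical partner.example domain used in the usage note are constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed clientaccesspolicy.xml for the demo (not a file from the original post).
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
        <domain uri="http://web.*.com"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

def wildcard_is_prefix(uri):
    """Silverlight accepts '*' alone, 'scheme://*', or '*.' as the first host segment."""
    if uri == "*":
        return True
    scheme, sep, rest = uri.partition("://")
    host = rest.split("/", 1)[0] if sep else scheme
    return "*" not in host or host == "*" or host.startswith("*.")

def audit_policy(xml_text, service_scheme):
    """Return (severity, message) findings. service_scheme is the scheme the
    service itself is hosted on ('http' or 'https')."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for policy in root.iter("policy"):
        resources = policy.findall("./grant-to/resource")
        whole_site = any(r.get("path") == "/" and r.get("include-subpaths", "false") == "true"
                         for r in resources)
        domains = [d.get("uri", "") for d in policy.iter("domain")]
        if not domains:
            findings.append(("info", "no <domain> listed: all cross-domain callers are denied"))
        for uri in domains:
            if not wildcard_is_prefix(uri):
                findings.append(("error", f"{uri}: wildcard is not a prefix, Silverlight disallows it"))
            elif uri in ("*", f"{service_scheme}://*"):
                sev = "high" if whole_site else "medium"
                findings.append((sev, f"{uri}: every {service_scheme} origin may call the service"))
            elif uri.partition("://")[0] in ("http", "https") and uri.partition("://")[0] != service_scheme:
                findings.append(("high", f"{uri}: cross-scheme access granted to an {service_scheme} service"))
    return findings
```

Running audit_policy(SAMPLE_POLICY, "https") reports a high finding for the "*" grant and an error for http://web.*.com; replacing both with a single https://partner.example entry on an HTTPS service produces no findings.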

Create a crossdomain.xml file that contains the following configuration. The file must be configured to allow access to the service from any other domain, or it is not recognized by Silverlight 4.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "">
<cross-domain-policy>
  <allow-http-request-headers-from domain="*" headers="SOAPAction,Content-Type"/>
</cross-domain-policy>
