URL Access Restrictions in Silverlight


For security reasons, the Silverlight runtime restricts access to certain classes of URLs from the WebClient and HTTP classes in the System.Net namespace. There are similar access restrictions applied by the runtime to other classes including the Image and MediaElement classes in the System.Windows.Controls namespace. The runtime also applies access restrictions to XAML source files and font files based on the class of URL. These restrictions are implemented in the Silverlight 2 and later runtime.

The connections affected are access to cross-zone, cross-domain, and cross-scheme URLs. These restrictions are designed to prevent networking threats (for example, threats based on a Silverlight application run from an internet server getting access to resources on a local intranet server).

The common URL classes are as follows:

  • Cross-scheme URL: A Silverlight application downloaded from an HTML page from a web server with one scheme (HTTP, for example) tries to access resources from the same server or a different server using a different scheme (HTTPS, for example).

Note:

You can access resources with a cross-scheme URL (allowed between HTTP and HTTPS) from Silverlight, but you must explicitly enable this with a security policy file on the target server. See the Network Security Access Restrictions in Silverlight topic for more information.

  • Cross-domain URL: A Silverlight application downloaded from a web server tries to access resources on a different target server (for example, an application that is hosted on www.contoso.com trying to access content on www.fabrikam.com). The Silverlight runtime commonly uses security policy files downloaded from the target server to determine if this access should be allowed. 

Note:

You can access resources cross-domain from Silverlight, but you must explicitly enable this with a security policy file on the target server. See the Network Security Access Restrictions in Silverlight topic for more information.

  • Cross-zone URL: Internet Explorer defines the concept of security zones, with a security level assigned to each zone. Four zones are defined: Internet, Local intranet, Trusted sites, and Restricted sites. In addition, the local machine is treated as a further zone. A Silverlight application downloaded from a web server in one security zone tries to access resources on a target server in a different security zone.

Cross-zone access restrictions are designed to prevent a Silverlight application downloaded from a server in the Internet zone from accessing resources in the more trusted Local intranet, Trusted sites, and local machine zones. This stops an application run from a remote internet server from reaching resources on the local intranet and other local resources (an elevation of privilege). Cross-zone access is blocked even if a security policy file on the target server would allow the resource to be accessed. Access in the other direction is not restricted: an application downloaded from a server in the Local intranet zone may access resources on an internet server, although any cross-domain access still requires a security policy file. Cross-zone access restrictions are implemented only for Silverlight 2 and later applications running on Windows. The concept of security zones and cross-zone access is not currently supported for Silverlight applications running on Apple OS X.

The table below summarizes, per resource class, the rules that restrict access to URLs from the WebClient and HTTP classes in the System.Net namespace, and also the restrictions on some other Silverlight classes and components. Each row of the original table (allowed schemes, cross-scheme, cross-domain, cross-zone, redirection) is listed under its column.

WebClient and HTTP classes

  • Allowed schemes: HTTP, HTTPS
  • Cross-scheme access: Allowed between HTTP and HTTPS.
  • Cross-domain access: Requires a security policy file.
  • Cross-zone access (on Windows): Not allowed from an Internet zone to more restrictive zones.
  • Redirection allowed: Allowed to same site and scheme. Allowed cross-domain and cross-scheme only with a security policy file.

Image class, MediaElement class for progressive downloads (media, images, ASX, etc.)

  • Allowed schemes: HTTP, HTTPS, FILE
  • Cross-scheme access: Not allowed
  • Cross-domain access: Allowed
  • Cross-zone access (on Windows): Not allowed from an Internet zone to more restrictive zones, except if the target domain is localhost.
  • Redirection allowed: Allowed to same scheme and same or different sites.

XAML source files

  • Allowed schemes: HTTP, HTTPS, FILE
  • Cross-scheme access: Not allowed
  • Cross-domain access: Allowed if not HTTPS to HTTPS
  • Cross-zone access (on Windows): Not allowed from an Internet zone to more restrictive zones.
  • Redirection allowed: Not allowed

Font files

  • Allowed schemes: HTTP, HTTPS, FILE
  • Cross-scheme access: Not allowed
  • Cross-domain access: Not allowed
  • Cross-zone access (on Windows): Not allowed from an Internet zone to more restrictive zones.
  • Redirection allowed: Not allowed

Streaming media

  • Allowed schemes: HTTP
  • Cross-scheme access: Not allowed from HTTPS
  • Cross-domain access: Allowed if not HTTPS to HTTPS.
  • Cross-zone access (on Windows): Not allowed from an Internet zone to more restrictive zones.
  • Redirection allowed: Not allowed
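The URL classes defined above and the per-resource rules in the table can be written down as one decision function, which makes the interactions (for example, that a policy file cannot override the cross-zone check, or that only the Image/MediaElement class has the localhost exception) explicit. The following Python is an added example written for this page; it is not Silverlight runtime code. It makes simplifying assumptions that are marked in the comments: Internet Explorer zone assignment is reduced to "dotless host names and private addresses are Local intranet, localhost and file: URLs are the local machine, everything else is Internet" (a Trusted sites list is not modelled), and "same domain" is compared by host name only.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Resource classes from the table; the string labels are this example's own.
WEBCLIENT, IMAGE, XAML, FONT, STREAMING = "webclient", "image", "xaml", "font", "streaming"

ALLOWED_SCHEMES = {
    WEBCLIENT: {"http", "https"},
    IMAGE: {"http", "https", "file"},
    XAML: {"http", "https", "file"},
    FONT: {"http", "https", "file"},
    STREAMING: {"http"},
}

# Zones an Internet-zone application must not reach into (Trusted sites kept for completeness).
MORE_TRUSTED_THAN_INTERNET = {"local intranet", "trusted sites", "local machine"}


def zone(url):
    """Simplified IE security-zone assignment (assumption: the real mapping is user-configurable
    and a Trusted sites list is not modelled here)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() == "file" or host in ("localhost", "127.0.0.1", "::1"):
        return "local machine"
    try:
        if ip_address(host).is_private:
            return "local intranet"
    except ValueError:
        pass  # not an IP literal
    if "." not in host:
        return "local intranet"  # IE's default rule: dotless names are intranet sites
    return "internet"


def classify(app_url, target_url):
    """Return the set of the page's URL classes that apply to a request from app_url to target_url."""
    a, t = urlsplit(app_url), urlsplit(target_url)
    classes = set()
    if a.scheme.lower() != t.scheme.lower():
        classes.add("cross-scheme")
    if (a.hostname or "").lower() != (t.hostname or "").lower():
        classes.add("cross-domain")  # host only; port handling is not described on this page
    if zone(app_url) == "internet" and zone(target_url) in MORE_TRUSTED_THAN_INTERNET:
        classes.add("cross-zone")
    return classes


def check(resource, app_url, target_url, policy_allows=False):
    """Apply the table's rules for one resource class. policy_allows says whether a security
    policy file on the target server grants this request. Returns (allowed, reason)."""
    a, t = urlsplit(app_url), urlsplit(target_url)
    if t.scheme.lower() not in ALLOWED_SCHEMES[resource]:
        return False, f"scheme {t.scheme} not allowed for {resource}"
    classes = classify(app_url, target_url)
    if "cross-zone" in classes:
        # The zone check is evaluated before, and independently of, any policy file.
        if not (resource == IMAGE and (t.hostname or "").lower() == "localhost"):
            return False, "cross-zone: Internet-zone application reaching a more trusted zone"
    if "cross-scheme" in classes:
        if resource == WEBCLIENT:
            if not policy_allows:
                return False, "cross-scheme: HTTP<->HTTPS needs a security policy file"
        else:
            # Image, XAML and fonts: never. Streaming only has HTTP targets, so this is the HTTPS-app case.
            return False, f"cross-scheme: not allowed for {resource}"
    if "cross-domain" in classes:
        if resource == WEBCLIENT and not policy_allows:
            return False, "cross-domain: needs a security policy file on the target server"
        if resource == FONT:
            return False, "cross-domain: not allowed for fonts"
        if resource in (XAML, STREAMING) and a.scheme.lower() == t.scheme.lower() == "https":
            return False, f"cross-domain: HTTPS to HTTPS not allowed for {resource}"
    return True, "allowed"


def check_redirect(resource, app_url, first_url, redirect_url, policy_allows=False):
    """Redirection row of the table: may the response for first_url redirect to redirect_url?"""
    ok, why = check(resource, app_url, first_url, policy_allows)
    if not ok:
        return False, why
    f, r = urlsplit(first_url), urlsplit(redirect_url)
    same_scheme = f.scheme.lower() == r.scheme.lower()
    same_site = (f.hostname or "").lower() == (r.hostname or "").lower()
    if resource == WEBCLIENT:
        if same_scheme and same_site:
            return True, "redirect within the same site and scheme"
        if policy_allows:
            return True, "cross-domain or cross-scheme redirect granted by a policy file"
        return False, "cross-domain or cross-scheme redirect needs a policy file"
    if resource == IMAGE:
        return (True, "redirect keeps the scheme") if same_scheme else (False, "image redirect changed scheme")
    return False, f"redirects are not allowed for {resource}"


if __name__ == "__main__":
    app = "http://www.contoso.com/app.xap"  # constructed application origin
    for res, target, pol in [(WEBCLIENT, "http://www.fabrikam.com/feed", False),
                             (WEBCLIENT, "http://www.fabrikam.com/feed", True),
                             (WEBCLIENT, "http://intranetserver/data", True),
                             (IMAGE, "https://cdn.fabrikam.com/a.png", False),
                             (IMAGE, "http://localhost/a.png", False),
                             (STREAMING, "http://media.contoso.com/live", False)]:
        print(f"{res:10} {target:40} {check(res, app, target, pol)}")
```

The third case in the demonstration is the one that catches people out: the intranet server may publish a perfectly valid policy file and the request still fails, because the cross-zone rule is checked first and is not overridable.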

Note:

When a user gets an error that results from one of these access policies being violated, the error may not indicate the exact cause; a cross-scheme, cross-domain, or cross-zone violation typically surfaces as a generic SecurityException.

If you have a Silverlight application that is hosted on one web server and you use the WebClient and HTTP classes in the System.Net namespace from this application to access a resource that is stored on another web server (a cross-domain URL), the request will fail unless a security policy file is made available on the other server that explicitly allows this access. On Windows, the request will also fail if the Silverlight application was downloaded from the Internet zone and the cross-domain URL points to a site in a more trusted zone (Local intranet, Trusted sites, or the local machine), even if a security policy file is made available there.
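The paragraph above hinges on the target server's security policy file. The following Python is an added example for this page, not Silverlight code: it shows where the runtime looks for that file, embeds a constructed clientaccesspolicy.xml of the shape Silverlight consumes (an access-policy element with policy entries made of allow-from domains and grant-to resources), and evaluates whether a given application origin is granted a given path. The matching semantics encoded in `_origin_allowed` are this example's assumption about the uri attribute: `*` means any host over the same scheme as the target, `http://*` and `https://*` mean any host over that scheme, and anything else is matched as an exact scheme and host. The host names www.contoso.com, api.fabrikam.com and www.evil.example are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample, as https://api.fabrikam.com/clientaccesspolicy.xml might serve it. It grants
# /public (and everything under it) to the HTTP application at www.contoso.com and to any HTTPS origin;
# the second domain entry is what makes the HTTP-to-HTTPS cross-scheme case work for www.contoso.com.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="http://www.contoso.com"/>
        <domain uri="https://*"/>
      </allow-from>
      <grant-to>
        <resource path="/public" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# Constructed wide-open variant: every same-scheme origin may call every path. Any site that relies on
# cookies or integrated Windows authentication should not publish this, since the browser attaches
# those credentials to the cross-domain request.
WIDE_OPEN_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


def policy_file_urls(target_url):
    """The two locations the runtime probes, in order, at the root of the target site
    (assumption of this example: only the site root is consulted, never the request path)."""
    p = urlsplit(target_url)
    root = f"{p.scheme}://{p.netloc}"
    return [root + "/clientaccesspolicy.xml", root + "/crossdomain.xml"]


def _origin_allowed(uri_pattern, app, target):
    """Match one <domain uri=...> entry against the application's origin (semantics assumed above)."""
    app_scheme = app.scheme.lower()
    if uri_pattern == "*":
        return app_scheme == target.scheme.lower()
    if uri_pattern in ("http://*", "https://*"):
        return uri_pattern.startswith(app_scheme + "://")
    p = urlsplit(uri_pattern)
    return p.scheme.lower() == app_scheme and p.netloc.lower() == app.netloc.lower()


def policy_grants(policy_xml, app_origin, target_url):
    """True if some <policy> both allows the application's origin and grants the requested path."""
    root = ET.fromstring(policy_xml)
    app, target = urlsplit(app_origin), urlsplit(target_url)
    for policy in root.iter("policy"):
        allow_from, grant_to = policy.find("allow-from"), policy.find("grant-to")
        if allow_from is None or grant_to is None:
            continue
        if not any(_origin_allowed(d.get("uri", ""), app, target) for d in allow_from.findall("domain")):
            continue
        for res in grant_to.findall("resource"):
            path = res.get("path", "/")
            with_subpaths = res.get("include-subpaths", "false").lower() == "true"
            if target.path == path or (with_subpaths and target.path.startswith(path.rstrip("/") + "/")):
                return True
    return False


def cross_domain_request_allowed(policy_xml, app_origin, target_url):
    """policy_xml is None when neither URL from policy_file_urls() returned a policy; that is the
    situation with a third-party server you do not control, and nothing on the client can change it."""
    if policy_xml is None:
        return False, "no security policy file on the target server"
    if policy_grants(policy_xml, app_origin, target_url):
        return True, "granted by the target's policy file"
    return False, "policy file present but it does not grant this origin and path"


if __name__ == "__main__":
    target = "https://api.fabrikam.com/public/feed"
    print(policy_file_urls(target))
    for origin in ("http://www.contoso.com", "http://www.evil.example", "https://www.evil.example"):
        print(origin, cross_domain_request_allowed(SAMPLE_POLICY, origin, target))
    print("no policy file:", cross_domain_request_allowed(None, "http://www.contoso.com", target))
```

When you audit a site, fetching its two policy-file URLs and running its policy through `policy_grants` with a hostile origin is a quick way to see whether the file is as narrow as its owner thinks: a bare `<domain uri="*"/>` together with `path="/"` is the pattern to look for first.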

If you want to host your Silverlight application and store your images on different servers, the restrictions are as follows:

  • You cannot store your images on a site that uses the HTTPS scheme if you are hosting your application on an HTTP site (cross-scheme).

  • You can store your images on a cross-domain site as long as the scheme of that cross-domain site is the same as the scheme of the site hosting your application.

  • Silverlight applications running on Windows cannot store images on a server in the Local Intranet zone if the application was downloaded from the Internet zone (cross-zone), except if the target domain is localhost.

  • You can redirect to another image URL as long as the URL uses the same scheme.


Community Content

Nisha Nishanth
How do we access RSS feeds from Silverlight apps?
Hi,
I have started off with creating my first silverlight app and I am trying to read the xml results from an RSS feed.
My code looks like this right now:

    // Asynchronous download of the feed; the completion handler runs on the UI thread.
    WebClient client = new WebClient();
    client.DownloadStringCompleted += (s, ea) =>
    {
        System.Diagnostics.Debug.WriteLine(ea.Result);
    };

    client.DownloadStringAsync(
        new Uri("http://windowsteamblog.com/windows_phone/b/windowsphone/rss.aspx"));

And I am getting this exception while running the app:

{System.Security.SecurityException: Security error.
   at System.Net.Browser.BrowserHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
   at System.Net.Browser.BrowserHttpWebRequest.<>c__DisplayClass5.<EndGetResponse>b__4(Object sendState)
   at System.Net.Browser.AsyncHelper.<>c__DisplayClass4.<BeginOnUI>b__1(Object sendState)}

I understand that this kind of a cross-domain call could cause Silverlight to apply a security check, but in this case, I have no control over the service. So, how do I add/use the clientaccesspolicy.xml or crossdomainpolicy.xml files?

Is there a workaround? Am I missing something?
This seems to me a very common scenario that many would have tried...

Any help would be appreciated..


wjrs
Cross-scheme for Image class
I know that as standard this won't work; but can someone clear up if it should be possible to use clientaccesspolicy.xml to allow images that are served over https:// to be used as a source for an Image element in a Silverlight xap that is served from http://?

On first read, it would seem you could do this - but it does not work for me.
When I've re-read the article, it's actually a  bit ambiguous to me and suggests that clientaccesspolicy.xml may only be able to affect WebClient classes etc, but in the case of Image specifically - the cross-scheme behaviour can't be changed.

Can someone clear this up for me please?
I just need a way to show https images in an http xap - or to know that it is 100% not possible, by-design etc...

msdks
Some of this seems really bizarre
If there is a streaming media application that is set up to use SSL, it is impossible to play back video streamed from a WMS server over HTTP. This probably means that either Microsoft does not care about streaming media from Windows Media for cross-browser support when using Silverlight and SSL, or someone has not thought through all cases and restrictions are being imposed under the garb of security. This did work in Silverlight 2.0.

Fabrice MARGUERIE
Note: the error may not indicate the exact cause
"Note: When users get an error that results from one of these access policies being violated, the error may not indicate the exact cause."

This is a great way of having developers waste a lot of time. Please improve this.