Welcome  |  Sign In
Skip Navigation Links
Microsoft Developer Network
Click to Rate and Give Feedback
MSDN
MSDN Library
Web Development
Silverlight
 How to: Make a Service Available Ac...
How to: Make a Service Available Across Domain Boundaries
[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

Using Silverlight for cross-domain communication requires guarding against several types of security vulnerability that can be used to exploit Web applications. Cross-site forgery is a class of exploits that becomes a threat when allowing cross-domain calls. This exploit involves a malicious Silverlight control transmitting unauthorized commands to a third-party service, without the user's knowledge. To prevent cross-site request forgery, Silverlight only allows site-of-origin communication by default for all requests other than images and media. For example, a Silverlight control hosted at http://contoso.com/mycontrol.aspx can only access services on that same domain by default – for example http://contoso.com/service.svc, but not a service at http://fabrikam.com/service.svc. This prevents a malicious Silverlight control hosted on the http://contoso.com domain from calling unauthorized operations on a service hosted on the http://fabrikam.com domain.

To enable a Silverlight control to access a service in another domain, the service must explicitly opt-in to allow cross-domain access. By opting-in, a service states that the operations it exposes can safely be invoked by a Silverlight control, without potentially damaging consequences to the data the service stores.

Silverlight supports two different mechanisms for services to opt-in to cross-domain access:

  • Place a clientaccesspolicy.xml file at the root of the domain where the service is hosted to configure the service to allow cross-domain-access.
  • Place a valid crossdomain.xml file at the root of the domain where the service is hosted. The file must mark the entire domain public. Silverlight supports a subset of the crossdomain.xml schema.

To use a clientaccesspolicy.xml file to allow cross-domain access

  1. Build a service than enables access by a Silverlight client. For more information about how to do this, see How to: Build a Service for Silverlight Clients.

  2. Create a clientaccesspolicy.xml file that allows access to the service. The following configuration allows access from any other domain to all resources on the current domain.

    <?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

  3. Save the clientaccesspolicy.xml file to the root of the domain where the service is hosted. If, for example, the service is hosted in http://fabrikam.com then the file must be located at http://fabrikam.com/clientaccesspolicy.xml.

  4. The valid values for the headers attribute are the wildcard (“*”) which allows all headers that have not been blacklisted and a comma separated list of allowed headers. These allowed headers may use a wildcard suffix, for example, “X-CUSTOM-*”.

  5. Alternatively, if you want to allow access form only one other domain, such as http://contoso.com, the clientaccesspolicy.xml should contain the following configuration.

    <?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://contoso.com"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

  6. Test that the access is enabled by invoking the service from the other domain.

To use a crossdomain.xml file to allow cross-domain access

  1. Build a service than enables access by a Silverlight client. For more information about how to do this, see How to: Build a Service for Silverlight Clients.

  2. Create a crossdomain.xml file that contains the following configuration. The file must be configured to allow access to the service from any other domain, or it is not recognized by Silverlight.

    <?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

  3. Save the crossdomain.xml file to the root of the domain where the service is hosted. If, for example, the service is hosted in http://fabrikam.com then the file must be located at http://fabrikam.com/crossdomain.xml.

  4. Test that the service is enabled by invoking the service from the other domain.

Send comments about this topic to Microsoft.

© 2008 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Page view tracker