views:

935

answers:

2

I have a Silverlight app (hosted at intranet.mydomain.net) and a WCF service (at webservices.mydomain.net).

Do I need a cross-site policy file? If so, what would it look like to only allow access from intranet.mydomain.net?

+3  A: 

You might want to check out the following link about 'How to Use Cross Domain Policy Files With Silverlight' by Tim Heuer.

http://silverlight.net/learn/videos/all/how-to-use-cross-domain-policy-files-with-silverlight/

Here is another page from Tim Heuer's blog that you can read through that has examples as well:

http://timheuer.com/blog/archive/2008/04/06/silverlight-cross-domain-policy-file-snippet-intellisense.aspx


I would consider writing your own WCF service that lives with your silverlight app and handles the request to your external WCF service. This way you leave nothing open and only communication to your controlled service is allowed (although the service you mentioned might be under your control).

This method is also useful when the other service is out of your hands and could change often. You could control how this is handled via your own service and never need to update your silverlight control (assuming the changes are not drastic).

Kelsey
+2  A: 

Yes, you will need a clientaccesspolicy.xml file in the ROOT of your service domain (webservices.mydomain.net).

By default, Silverlight supports calls to Web services on the same domain or site of origin. Same domain means that calls must use the same sub domain, protocol, and port. This is for security reasons and prevents cross-domain forgery.

Here is an example file:

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://intranet.mydomain.net"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

This would allow requests only from intranet.mydomain.net.

Edit

It has been asked: How would this work if I have two WCF Services? /ServiceA/a.svc and /ServiceB/b.svc and I want ServiceA to be open to anyone, anywhere, and ServiceB to only work from my intranet?

Your policy file would look like this:

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://*"/>
      </allow-from>
      <grant-to>
        <resource path="/ServiceA/" include-subpaths="true"/>
      </grant-to>
    </policy>

    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://intranet.mydomain.net"/>
      </allow-from>
      <grant-to>
        <resource path="/ServiceB/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
DaveB
How would this work if I have two WCF Services? `/ServiceA/a.svc` and `/ServiceB/b.svc` and I want ServiceA to be open to anyone, anywhere, and ServiceB to only work from my intranet? Is that possible from the crossdomain file?
Nate Bross
I have edited my answer.
DaveB
Would this work on Safari? It seems like Safari doesn't support cross domain xml-s by default. Of course, it might not matter...
Gyuri
In fact, Safari and Firefox...
Gyuri
This alone would not prevent someone from using the service, but it will make sure that no silverlight clients use it. Other means of lock-down would be needed to prevent access flat-out.
Nate Bross
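The two-policy file from the edited answer above can be checked before it is deployed. The following is an added example, not code from the question or the answers: a small Python evaluator that parses a clientaccesspolicy.xml and reports whether a given calling origin and requested path are granted by any policy. Its wildcard matching (`*`, `http://*`, `http://*.host`) is a simplified approximation of Silverlight's rules, it ignores the http-request-headers attribute, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the two-policy file from the edited answer
# (ServiceA open to any http origin, ServiceB intranet only).
POLICY_XML = """<?xml version="1.0" encoding="utf-8" ?>
<access-policy><cross-domain-access>
  <policy>
    <allow-from http-request-headers="*"><domain uri="http://*"/></allow-from>
    <grant-to><resource path="/ServiceA/" include-subpaths="true"/></grant-to>
  </policy>
  <policy>
    <allow-from http-request-headers="*"><domain uri="http://intranet.mydomain.net"/></allow-from>
    <grant-to><resource path="/ServiceB/" include-subpaths="true"/></grant-to>
  </policy>
</cross-domain-access></access-policy>"""


def origin_matches(pattern, origin):
    # Assumed, simplified domain-uri rules: '*' = any origin, 'scheme://*' = any host
    # on that scheme, 'scheme://*.host' = subdomains of host, otherwise exact match.
    pattern, origin = pattern.lower().rstrip("/"), origin.lower().rstrip("/")
    if pattern == "*":
        return True
    p, o = urlsplit(pattern), urlsplit(origin)
    if p.scheme != o.scheme:  # scheme must match; netloc comparison covers the port
        return False
    if p.netloc == "*":
        return True
    if p.netloc.startswith("*."):
        return o.netloc.endswith(p.netloc[1:])
    return p.netloc == o.netloc


def path_granted(resource, path):
    # include-subpaths="true" grants everything under the resource path.
    base = resource.get("path", "/")
    if resource.get("include-subpaths", "false").lower() == "true":
        return path.startswith(base)
    return path == base


def is_allowed(policy_xml, origin, path):
    """True if any <policy> both allows `origin` and grants `path`."""
    root = ET.fromstring(policy_xml.encode("utf-8"))
    for policy in root.iter("policy"):
        domains = [d.get("uri", "") for d in policy.iter("domain")]
        if any(origin_matches(u, origin) for u in domains) and \
           any(path_granted(r, path) for r in policy.iter("resource")):
            return True
    return False
```

Running the checks confirms the split the answer describes: any http origin reaches /ServiceA/, only http://intranet.mydomain.net reaches /ServiceB/, and an https intranet origin matches neither policy because the scheme differs.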