Silverlight Rest Service, Security Exception

Question

I am trying to get Silverlight to work with a quick sample application and am calling a rest service on a another computer. The server that has the rest service has a clientaccesspolicy.xml which looks like:

<access-policy>
    <cross-domain-access>
        <policy>
            <allow-from http-request-headers="*">
                <domain uri="*"/>
            </allow-from>
            <grant-to>
                <resource path="/" include-subpaths="true"/>
            </grant-to>
        </policy>
    </cross-domain-access>
</access-policy>

And is being picked up (at least according to the the network traces I have run), and there is no request for crossdomain.xml. The C# code looks like:

public Page()
{
    InitializeComponent();

    string restUrl = "http://example.com/rest_service.html?action=test_result";

    WebClient testService = new WebClient();
    testService.DownloadStringCompleted += new DownloadStringCompletedEventHandler(testService_DownloadStringCompleted);
    testService.DownloadStringAsync(new Uri(restUrl, UriKind.Absolute));

}

void testService_DownloadStringCompleted(object sender, DownloadStringCompletedEventArgs e)
{
    if (e.Error == null)
    {
        LoadTreeViewWithData(e.Result);
    }
}

However, I always get the following Security Error back:

{System.Security.SecurityException ---> System.Security.SecurityException: Security error.
   at System.Net.BrowserHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
   at System.Net.BrowserHttpWebRequest.c__DisplayClass5.b__4(Object sendState)
   at System.Net.AsyncHelper.c__DisplayClass2.b__0(Object sendState)
   --- End of inner exception stack trace ---
   at System.Net.AsyncHelper.BeginOnUI(SendOrPostCallback beginMethod, Object state)
   at System.Net.BrowserHttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.WebClient.GetWebResponse(WebRequest request, IAsyncResult result)
   at System.Net.WebClient.DownloadBitsResponseCallback(IAsyncResult result)}

What am I doing wrong? And why doesn't the security error tell me some more useful information?

Answer 1

If you haven't already done so, I'd first try changing the restUrl to something simpler like a static HTML page on the same server (or if need be on your own server) just to verify your main code works.

Assuming the security exception is specific to that REST URL (or site), you might take a look at the URL Access Restrictions in Silverlight 2 article. There are some non-obvious security rules involving file types and "internet zones" in addition to the more well-known cross domain rules.

I second the complaint about many exception messages in Silverlight not being very helpful. The above referenced MSDN article contains an amusing note:

When users get an error that results from one of these access policies being violated, the error may not indicate the exact cause.

Answer 2

I couldn't do cross domain REST HTTP deletes without adding http-methods="*" to the allow-from element in the clientaccesspolicy.xml. When I added the http-methods attribute, then everything worked and the SecurityException stopped happening.