Silverlight WCF Service Cross Domain Question

I have a Silverlight app (hosted at intranet.mydomain.net) and a WCF service at (webservices.mydomain.net).

Do I need a cross-site policy file? If so, what would it look like to only allow access from intranet.mydomain.net?

Nate asked Sep 01 '09 18:09


2 Answers

You might want to check out the following link about 'How to Use Cross Domain Policy Files With Silverlight' by Tim Heuer.

http://silverlight.net/learn/videos/all/how-to-use-cross-domain-policy-files-with-silverlight/

Here is another page from Tim Heuer's blog that you can read through that has examples as well:

http://timheuer.com/blog/archive/2008/04/06/silverlight-cross-domain-policy-file-snippet-intellisense.aspx


I would consider writing your own WCF service that lives with your Silverlight app and handles the request to your external WCF service. This way you leave nothing open and only communication to your controlled service is allowed (although the service you mentioned might be under your control).

This method is also useful when the other service is out of your hands and could change often. You could control how this is handled via your own service and never need to update your Silverlight control (assuming the changes are not drastic).

Kelsey answered Oct 09 '22 11:10


Yes, you will need a clientaccesspolicy.xml file in the ROOT of your service domain (webservices.mydomain.net).

By default, Silverlight supports calls to Web services on the same domain or site of origin. Same domain means that calls must use the same subdomain, protocol, and port. This is for security reasons and prevents cross-domain forgery.

Here is an example file:

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://intranet.mydomain.net"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

This would allow requests only from intranet.mydomain.net.

Edit

It has been asked: How would this work if I have two WCF Services, /ServiceA/a.svc and /ServiceB/b.svc, and I want ServiceA to be open to anyone, anywhere, and ServiceB to only work from my intranet?

Your policy file would look like this:

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://*"/>
      </allow-from>
      <grant-to>
        <resource path="/ServiceA/" include-subpaths="true"/>
      </grant-to>
    </policy>

    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://intranet.mydomain.net"/>
      </allow-from>
      <grant-to>
        <resource path="/ServiceB/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

DaveB answered Oct 09 '22 10:10
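
To check what the two-policy file above actually grants before deploying it, the sketch below evaluates (origin, path) pairs against it and lists the paths opened to every origin. It is an added example, not code from any of the answers or from Silverlight itself; the function names are hypothetical and the matching rules are a simplified model of how the runtime reads allow-from and grant-to.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed input: the two-policy file from the answer above, compacted.
POLICY = """<access-policy><cross-domain-access>
 <policy>
  <allow-from http-request-headers="*"><domain uri="http://*"/></allow-from>
  <grant-to><resource path="/ServiceA/" include-subpaths="true"/></grant-to>
 </policy>
 <policy>
  <allow-from http-request-headers="*"><domain uri="http://intranet.mydomain.net"/></allow-from>
  <grant-to><resource path="/ServiceB/" include-subpaths="true"/></grant-to>
 </policy>
</cross-domain-access></access-policy>"""

def domain_matches(pattern, origin):
    # Simplified model: "*", "scheme://*", "scheme://*.suffix" or exact scheme and host.
    if pattern == "*":
        return True
    p_scheme, _, p_host = pattern.partition("://")
    o = urlsplit(origin)
    p_host, o_host = p_host.rstrip("/").lower(), o.netloc.lower()
    if p_scheme.lower() != o.scheme.lower():
        return False  # an http:// entry does not cover an https:// caller
    if p_host.startswith("*."):
        return o_host.endswith(p_host[1:])
    return p_host in ("*", o_host)

def path_matches(resource, path):
    # Simplified: prefix match when include-subpaths is true, otherwise exact.
    base = resource.get("path", "")
    if resource.get("include-subpaths", "false").lower() == "true":
        return path.startswith(base)
    return path == base

def is_allowed(policy_xml, origin, path):
    # A request passes if one <policy> matches both the origin and the path.
    for policy in ET.fromstring(policy_xml).iter("policy"):
        origin_ok = any(domain_matches(d.get("uri", ""), origin) for d in policy.iter("domain"))
        path_ok = any(path_matches(r, path) for r in policy.iter("resource"))
        if origin_ok and path_ok:
            return True
    return False

def wildcard_grants(policy_xml):
    # Paths granted to every origin of some scheme; these deserve review.
    return [r.get("path") for p in ET.fromstring(policy_xml).iter("policy")
            if any(d.get("uri", "").rstrip("/").endswith("*") for d in p.iter("domain"))
            for r in p.iter("resource")]
```

The policy file is enforced by the Silverlight runtime on the client, so it does not restrict other HTTP clients; a service that must stay intranet-only still needs its own authentication or network controls.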