Silverlight cross-origin access to WebService

Source: Internet
Author: User
Making a service available across origin boundaries

Cross-origin communication requires guarding against several types of security vulnerabilities that can be used to exploit web applications. "Cross-site forgery" is a class of exploits that becomes a threat when cross-origin calls are allowed. In this exploit, a malicious Silverlight control sends unauthorized commands to a third-party service without the user's knowledge. To prevent cross-site request forgery, Silverlight allows only site-of-origin communication for all requests except images and media. For example, a Silverlight control hosted at http://contoso.com/mycontrol.aspx can by default access only services in the same domain, such as http://contoso.com/service.svc, but not a service located at http://fabrikam.com/service.svc. This prevents a malicious Silverlight control on the http://fabrikam.com domain from making unauthorized calls to services hosted on the http://contoso.com domain.

To allow a Silverlight control to access a service in another domain, the service must explicitly opt in to cross-origin access. By opting in, the service declares that the operations it exposes can be safely called by a Silverlight control without potential harm to the data the service stores.

Silverlight 2.0 supports two different mechanisms by which a service can opt in to cross-origin access:

    • Place a clientaccesspolicy.xml file in the root directory of the domain hosting the service to configure the service to allow cross-origin access.
    • Place a valid crossdomain.xml file in the root directory of the domain hosting the service. This file must mark the entire domain as public. Silverlight supports a subset of the crossdomain.xml schema.

Use the clientaccesspolicy.xml file to allow cross-origin access
  1. Build a service that Silverlight clients can access. For more information about how to do this, see "How to: build a service for the Silverlight client".

  2. Create a clientaccesspolicy.xml file that allows access to the service. The following configuration allows access to all resources in the current domain from any other domain.

    <?xml version="1.0" encoding="utf-8"?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="*">
            <domain uri="*"/>
          </allow-from>
          <grant-to>
            <resource path="/" include-subpaths="true"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>

  3. Save the clientaccesspolicy.xml file to the root directory of the domain hosting the service. For example, if the service is hosted at http://fabrikam.com, the file must be located at http://fabrikam.com/clientaccesspolicy.xml.

  4. Valid values for the header attribute (http-request-headers) are the wildcard (*), which allows all headers that are not blacklisted, and a comma-separated list of allowed headers. Allowed headers can use a wildcard suffix, such as "X-CUSTOM-*".

  5. Alternatively, to allow access from only one other domain, such as http://contoso.com, clientaccesspolicy.xml should contain the following configuration.

    <?xml version="1.0" encoding="utf-8"?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="*">
            <domain uri="http://contoso.com"/>
          </allow-from>
          <grant-to>
            <resource path="/" include-subpaths="true"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>

  6. To test whether access is enabled, call the service from another domain.
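An added example, not part of the original article: a Python check that reads a clientaccesspolicy.xml and reports grants wider than a single named caller needs, run over the two policies shown above and a narrower one. The helper names, the `/services/` path and the header list are constructed for illustration, and the header match does not model Silverlight's header blacklist.

```python
import xml.etree.ElementTree as ET

def policy_xml(domain, headers="*", path="/", subpaths="true"):
    """Build a constructed one-policy clientaccesspolicy.xml (sample input)."""
    return (
        '<access-policy><cross-domain-access><policy>'
        f'<allow-from http-request-headers="{headers}">'
        f'<domain uri="{domain}"/></allow-from>'
        f'<grant-to><resource path="{path}" include-subpaths="{subpaths}"/>'
        '</grant-to></policy></cross-domain-access></access-policy>'
    )

def header_allowed(allowed, header):
    """Match a request header against an http-request-headers value:
    '*', exact names, or a wildcard suffix such as 'X-CUSTOM-*'."""
    name = header.lower()
    for pattern in (p.strip().lower() for p in allowed.split(",")):
        if pattern == "*" or pattern == name:
            return True
        if pattern.endswith("*") and name.startswith(pattern[:-1]):
            return True
    return False

def audit(xml_text):
    """Return findings for each over-broad grant in the policy file."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    for policy in root.iter("policy"):
        if any(d.get("uri") == "*" for d in policy.iter("domain")):
            findings.append("any-domain")      # every site may call the service
        if any(a.get("http-request-headers", "").strip() == "*"
               for a in policy.iter("allow-from")):
            findings.append("any-header")      # callers may set any allowed header
        for res in policy.iter("resource"):
            subpaths = res.get("include-subpaths", "false").lower() == "true"
            if res.get("path") == "/" and subpaths:
                findings.append("whole-site")  # grant covers every URL on the host
    return findings

if __name__ == "__main__":
    print(audit(policy_xml("*")))                    # policy from step 2
    print(audit(policy_xml("http://contoso.com")))   # policy from step 5
    print(audit(policy_xml("http://contoso.com",
                           "SOAPAction,X-CUSTOM-*", "/services/")))
```

Restricting the domain as in step 5 still leaves the header wildcard and the whole-site grant in place; the third call shows a policy that narrows all three.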

Use the crossdomain.xml file to allow cross-origin access
    1. Build a service that Silverlight clients can access. For more information about how to do this, see "How to: build a service for the Silverlight client".

    2. Create a crossdomain.xml file containing the following configuration. The file must be configured to allow access to the service from any other domain; otherwise Silverlight 2.0 will not recognize it.

      <?xml version="1.0"?>
      <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
      <cross-domain-policy>
        <allow-http-request-headers-from domain="*" headers="*"/>
      </cross-domain-policy>

    3. Store the crossdomain.xml file in the root directory of the domain hosting the service. For example, if the service is hosted at http://fabrikam.com, the file must be located at http://fabrikam.com/crossdomain.xml.

    4. To test whether access to the service is allowed, call the service from another domain.

From: http://msdn.microsoft.com/zh-cn/library/cc197955(vs.95).aspx
