Cross-Domain Calls and Policies

Silverlight enforces a level of protection so that it cannot be used to invoke web services that are on a different domain than the server that hosts the Silverlight application. For example, a Silverlight 2 application that is hosted on silverlight-data.com can request services that are also hosted on silverlight-data.com. However, if a Silverlight 2 application that is hosted on yourmailserver.net requests a service that is hosted on silverlight-data.com, by default the application’s request will not be permitted (see Figure 5-7).

Cross-domain access

Figure 5-7. Cross-domain access

Understanding Cross-Domain Restrictions

As a security precaution, Silverlight does not allow calls across domain boundaries. By default, this measure prevents Silverlight applications from accessing any web service that is hosted on a domain or domain-and-port combination that is different from the domain that hosts the Silverlight application. The target site can specify which domains can access its services if it implements the Silverlight policy file (clientaccesspolicy.xml) or the Flash policy file (crossdomain.xml) at the website’s root. At least one of these files must exist in the website’s root. It is important to remember that the policy file must be placed at the website’s root, and not at the web application’s root.

Silverlight is a browser plug-in, so it adheres to the same standards ...

Get Data-Driven Services with Silverlight 2 now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.