Monday, 25 February 2008

Silverlight 2 and the Flash Cross Domain Policy Files

In Silverlight 1.1 alpha (today), you cannot make cross domain network calls from within Silverlight. So, for example, if you deployed your Silverlight application to chrishay.com, you would not be able to make a network call (web service request, HTTP request, etc.) to bob.com, as security dictates that only calls to chrishay.com are allowed.

In Silverlight 2 this restriction has been relaxed, so that you will also be able to make calls to a server which contains either a Silverlight XML policy file (I have no details on this) or a Flash cross domain policy file (this information comes from Scott Guthrie's Silverlight DIGG client article).

Since Silverlight 2 supports the Flash cross domain policy file, any site that currently gives Flash access will also allow Silverlight access. (DIGG is the example given in ScottGu's blog.)

So in this article I will talk a little about this file (as this will work in Silverlight 2 when it is released).

In order to implement the Flash cross domain policy you must have a file on your server named crossdomain.xml that is accessible to the outside world. For example, you can view the DIGG cross domain policy file here. (Tip: click on view source.)

The following XML will allow Silverlight or Flash hosted on any website to make requests to your service:



<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>


If you wish to restrict access to your service to a specific website (e.g. microsoft.com), the example is changed to the following:



<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.microsoft.com" />
</cross-domain-policy>


This will hopefully help you decide which sites you wish to give access to your own web services. It should also allow you to beaver around the internet and find sites (such as DIGG) which have a cross domain policy file that you can connect to already.
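To review what a crossdomain.xml actually grants before you publish it, the following added example (not code from this article or from Silverlight or Flash) parses a policy and lists the grants worth a second look. The function names, the `expected` parameter and the merged sample policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two policies from the article merged into one
# file, plus one exact-host grant so every branch below is exercised.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="*.microsoft.com" />
<allow-access-from domain="chrishay.com" />
</cross-domain-policy>"""


def granted_domains(policy_xml):
    """Return the domain attribute of every allow-access-from entry."""
    root = ET.fromstring(policy_xml)  # the external DTD is not fetched
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    return [e.get("domain", "").strip().lower()
            for e in root.iter("allow-access-from")]


def classify(domain):
    """Rate one grant: 'open' (any site), 'wildcard' (a suffix) or 'exact'."""
    if domain == "*":
        return "open"
    if "*" in domain:
        return "wildcard"
    return "exact"


def audit(policy_xml, expected=()):
    """List (domain, kind, note) for grants the service owner should review."""
    findings = []
    for domain in granted_domains(policy_xml):
        kind = classify(domain)
        if kind == "open":
            findings.append((domain, kind, "any site may call this service"))
        elif kind == "wildcard":
            findings.append((domain, kind, "every host under this suffix is trusted"))
        elif domain not in expected:
            findings.append((domain, kind, "not in the expected caller list"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, expected=("chrishay.com",)):
        print(finding)
```

Pass the hosts you intend to allow as `expected`; anything the audit still reports is broader than a single named caller.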
