Allowing cross-domain access from Silverlight to a standalone WCF-Service


Silverlight by default only let’s you access services which come from the same domain as the domain that served the Silverlight control. This guards against some types of security vulnerabilities.

A service can however opt-in to allow calls from Silverlight controls hosted on other domains. To do this a service has to provide a clientaccesspolicy.xml or crossdomain.xml file, which specifies the access policy for this service.

Silverlight, when asked to do a cross-domain call, will look for this file at the root of the domain where the target service is hosted.

The following is a sample clientaccesspolicy.xml file:

<?xml version="1.0" encoding="utf-8"?>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
        <resource path="/" include-subpaths="true"/>

You can also use a crossdomain.xml file, which is used by Adobe Flash, but is also recognized by Silverlight.

Standalone WCF-Services

It’s easy to provide the required file for a service hosted on web server like IIS. For a standalone WCF service however, there is no built-in functionality to achieve this.

You can however create a separate service which is responsible only for serving the required policy file and make it available at the services domain root.

The idea is copied from this forum entry (thanks Yi-Lun Luo):

Creating the web service class

public class CrossDomainPolicyRetrieverService
    [OperationContract, WebGet(UriTemplate = "crossdomain.xml")]
    public Stream GetFlashPolicy()
        return getPolicy("crossdomain.xml");

    [OperationContract, WebGet(UriTemplate = "clientaccesspolicy.xml")]
    public Stream GetSilverlightPolicy()
        return getPolicy("clientaccesspolicy.xml");

    private static Stream getPolicy(string file)
        if (!File.Exists(file))
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.NotFound;
            return null;

        WebOperationContext.Current.OutgoingResponse.ContentType = "application/xml";
        return File.OpenRead(file);

This simple web service has 2 methods corresponding to the two files mentioned above. It will search for the file in the application directory and return them as the response for the file.

Configuring the service

To configure the service add the following lines to your app.config file:

<?xml version="1.0"?>
      <!-- snip... regular services -->

      <service name="MyNamespace.CrossDomainPolicyRetrieverService">
        <endpoint address="" binding="webHttpBinding"
            <dns value="localhost"/>
             <!-- Root Domain where the other services are hosted -->
            <add baseAddress="http://localhost:8732/"/>
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        <behavior name="policyBehavior">
          <webHttp  />  
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
  <!-- snip... -->

Testing the service

To should now be able to access the policy files using any web browser and pointing it at /clientaccesspolicy.xml (e.g. http://localhost:8732/clientaccesspolicy.xml)

By setting a breakpoint inside the service methods, you can easily watch Silverlight accessing the corresponding resource files.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: