Silverlight and Cross Site Scripting

If you have spent any time with Silverlight, you've likely run across the cross-site scripting issue.  Essentially, the browser doesn't let you make web requests to sites other than the one you're hosted on.  This is to prevent nasty script kiddies from doing nefarious things.

While I hope that Microsoft solves this the way Flash does (essentially a white-list located on the server that says which sites are OK), I do suggest a workaround: proxy off-site calls through your server.  You can create a simple service on your site that returns data from another site.  Then in Silverlight it's a matter of making a request up to your own server to get the data and work with it in whatever way you want.

Luckily, with .NET 3.5 and WCF's new REST stack this is really easy.  For example, here is a simple WCF service using the new WebGet attribute to specify that it can be called like a REST service:

using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Xml.Linq;

[ServiceContract(Namespace = "")]
[AspNetCompatibilityRequirements(
       RequirementsMode = 
            AspNetCompatibilityRequirementsMode.Allowed)]
public class Service
{
  // Add [WebGet] attribute to use HTTP GET
  [WebGet(ResponseFormat=WebMessageFormat.Xml)]
  [OperationContract]
  public XElement DoWork()
  {
    // Fetch the remote feed server-side and hand its root element back
    // to the Silverlight client as XML.
    return XDocument.Load("http://wildermuth.com/rss").Root;
  }
}

The trick here is to add the WebGet attribute to your method.  Note I am specifying that I want XML (JSON is the default) so I can get the data back to Silverlight as XML.  As the return type I am specifying XElement (XDocument may make more sense, but it's not serializable), so we load an XDocument and just return the root of the document.  Voila, a service you can call from Silverlight that calls out to another service.

I could have changed this to accept a parameter naming the request to make, and I didn't do that on purpose.  You can imagine that if you leave an open relay like that, you're inviting script kiddies to do nasty things.
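If you do need the client to choose what gets fetched, the safe middle ground between the fixed URL above and an open relay is a server-side allow-list: the client passes a short name, and the server maps that name to a URL it controls.  Here is an added example of that shape, written against the same WCF REST stack as the post (it is not code from the original post; the service name, the feed names and the second URL are placeholders I made up):

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Xml.Linq;

// Hypothetical allow-listed proxy; names and URLs are placeholders.
[ServiceContract(Namespace = "")]
[AspNetCompatibilityRequirements(
    RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class FeedProxyService
{
    // The only feeds this proxy will fetch. The Silverlight client sends
    // a key from this table; it never sends a URL, so it cannot point the
    // server at an arbitrary (or internal) host.
    private static readonly Dictionary<string, Uri> AllowedFeeds =
        new Dictionary<string, Uri>(StringComparer.OrdinalIgnoreCase)
        {
            { "wildermuth", new Uri("http://wildermuth.com/rss") },
            { "example",    new Uri("http://example.com/feed.xml") }  // placeholder
        };

    // Called as GET .../FeedProxyService.svc/feed?name=wildermuth
    [WebGet(UriTemplate = "feed?name={name}",
            ResponseFormat = WebMessageFormat.Xml)]
    [OperationContract]
    public XElement GetFeed(string name)
    {
        Uri target;
        if (string.IsNullOrEmpty(name) ||
            !AllowedFeeds.TryGetValue(name, out target))
        {
            // Unknown key: answer 404 instead of fetching anything.
            // (WebOperationContext works on .NET 3.5; WebFaultException
            // only arrived in .NET 4.)
            WebOperationContext.Current.OutgoingResponse.StatusCode =
                HttpStatusCode.NotFound;
            return null;
        }
        return LoadFeed(target);
    }

    private static XElement LoadFeed(Uri target)
    {
        // XDocument.Load(string) would fetch through the default resolver,
        // which follows redirects. Fetching explicitly with redirects off
        // and a timeout keeps the proxy on the listed host only.
        var request = (HttpWebRequest)WebRequest.Create(target);
        request.AllowAutoRedirect = false;
        request.Timeout = 10000; // milliseconds
        using (var response = (HttpWebResponse)request.GetResponse())
        {
            if (response.StatusCode != HttpStatusCode.OK)
            {
                // Redirects and other non-200 answers are not passed through.
                WebOperationContext.Current.OutgoingResponse.StatusCode =
                    HttpStatusCode.BadGateway;
                return null;
            }
            using (var stream = response.GetResponseStream())
            {
                return XDocument.Load(stream).Root;
            }
        }
    }
}
```

The point of the table is that the server, not the caller, decides which hosts are reachable; adding a feed means editing the list, not opening the proxy.  Disabling redirects matters because a listed host can otherwise bounce the request somewhere that is not on the list.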

What do you think?

Comments:


Does this trick work for WCF services only? I don't have any experience with WCF services. I want the trick to work with a normal web service and ADO.NET Data Services. When I posted about Astoria and Silverlight on my blog, I faced the cross-domain problem.. :(

Will your trick work with an ASP.NET web service or ADO.NET Data Services?


No, this should work with normal ASMX web services too.. The other way to do it is adding a dynamic script block which uses JSON and a JavaScript callback.


It appears that this *can* be solved in the same way as Flash here and now.

Excerpt: "The solution is to enable cross site scripting for the WCF service. This is done by adding a file named clientaccesspolicy.xml at the root of the site. In this file you can specify which sites you allow to do cross site access."

See the following URL:

http://blogs.microsoft.co.il/blogs/shaharron/archive/2008/10/25/silverlight-and-wcf-cross-site-scripting-issue.aspx


C T,

Yes, a security access file (clientaccesspolicy.xml or Flash's version) does get around this too.
