Silverlight and Cross Site Scripting


If you have spent any time with Silverlight, you've likely run across the cross-site scripting issue. Essentially, the browser doesn't let you make web requests to sites other than the one you're hosted on. This is to prevent nasty script kiddies from doing nefarious things.

While I hope that Microsoft solves this in the way that Flash does (essentially a white-list that is located on the server that says what sites are ok), I do suggest a workaround: proxy calls offsite through your server. You can create a simple service on your site that returns data from another site. Then in Silverlight it's a matter of making a request up to your own server to get the data and work with it in whatever way you want.

Luckily with .NET 3.5 and WCF's new REST stack, this is really easy.  For example, here is a simple WCF service using the new WebGet attribute to specify that it can be called like a REST service:

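using System.ServiceModel;            // ServiceContract, OperationContract
using System.ServiceModel.Activation; // AspNetCompatibilityRequirements
using System.ServiceModel.Web;        // WebGet, WebMessageFormat
using System.Xml.Linq;                // XDocument, XElement

[ServiceContract(Namespace = "")]
[AspNetCompatibilityRequirements(
       RequirementsMode = 
            AspNetCompatibilityRequirementsMode.Allowed)]
public class Service
{
  // Add [WebGet] attribute to use HTTP GET
  [WebGet(ResponseFormat=WebMessageFormat.Xml)]
  [OperationContract]
  public XElement DoWork()
  {
    // The target URL is fixed in code; callers cannot choose what is fetched
    return XDocument.Load("http://wildermuth.com/rss").Root;
  }
}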

The trick here is to add the WebGet attribute to your method. Note I am specifying that I want XML (JSON is the default) so I can get the data back to Silverlight as XML. As a return type I am specifying XElement (XDocument may make more sense but it's not serializable), so we load an XDocument and just return the root of the document. Voila, a service you can call from Silverlight to call out to another service.

I could have changed this to accept a parameter specifying the request to make, but I deliberately did not. You can imagine that if you leave an open relay like that exposed, you're inviting script kiddies to do nasty things.
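If you do need the parameterized version, the proxy has to constrain where it will go. The following is an added example, not code from the original post: it goes beyond the fixed-URL service above by accepting a `url` parameter but only fetching from an allow-list of hosts. The names `FeedProxy`, `Fetch`, `IsAllowed`, `Deny` and `AllowedHosts`, and the contents of the allow-list, are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Xml;
using System.Xml.Linq;

[ServiceContract(Namespace = "")]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class FeedProxy // hypothetical name
{
  // Assumption: the only hosts this site will fetch on a caller's behalf.
  static readonly HashSet<string> AllowedHosts =
    new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "wildermuth.com" };

  // True only for http(s) URLs on the default port of an allow-listed host.
  public static bool IsAllowed(string url, out Uri target)
  {
    return Uri.TryCreate(url, UriKind.Absolute, out target)
        && (target.Scheme == Uri.UriSchemeHttp || target.Scheme == Uri.UriSchemeHttps)
        && target.IsDefaultPort && target.UserInfo.Length == 0
        && AllowedHosts.Contains(target.Host);
  }

  // Sets the HTTP status and returns a small XML error body.
  static XElement Deny(HttpStatusCode status, string reason)
  {
    WebOperationContext.Current.OutgoingResponse.StatusCode = status;
    return new XElement("error", reason);
  }

  // Called as GET .../Fetch?url=http://wildermuth.com/rss
  [WebGet(UriTemplate = "Fetch?url={url}", ResponseFormat = WebMessageFormat.Xml)]
  [OperationContract]
  public XElement Fetch(string url)
  {
    Uri target;
    if (!IsAllowed(url, out target))
      return Deny(HttpStatusCode.Forbidden, "target not allowed");

    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(target);
    request.AllowAutoRedirect = false; // a redirect could lead off the allow-list
    using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
    {
      if (response.StatusCode != HttpStatusCode.OK)
        return Deny(HttpStatusCode.BadGateway, "upstream did not return 200");
      return XDocument.Load(XmlReader.Create(response.GetResponseStream())).Root;
    }
  }
}
```

The host comparison is an exact match, so a subdomain such as `www.wildermuth.com` is rejected unless it is listed separately.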

What do you think?



Shawn
Shawn Wildermuth
Author, Teacher, and Coach



