Programming with .NET - General

Difference between clientaccesspolicy.xml and crossdomain.xml

Hi,

Just want to know what is the difference between clientaccesspolicy.xml and crossdomain.xml files in Silverlight Application. Are both files needed in the root of the domain where the service is hosted to configure the service to allow cross-domain-access.

regards,

Parimal

Re: Difference between clientaccesspolicy.xml and crossdomain.xml

Not both files are needed in the root of the domain, but I personally think clientaccesspolicy is better because it can also be used to set configuration for Sockets.

Difference are stated in the Documentation in Beta 2

Silverlight supports two types of security policy files:

Flash policy file - the existing crossdomain.xml policy file used by Adobe Flash. This policy file can only be used by the WebClient and HTTP classes in the System.Net namespace. A Flash policy file must allow access to all domains to be used by the Silverlight 2 runtime.
Silverlight policy file - the Silverlight policy file that can be used by the WebClient and HTTP classes in the System.Net namespace and also by the sockets classes in the System.Net.Sockets namespace. This policy file has a different format than the Flash policy file.

All in all, Silverlight policy can be used by all kinds of Connection between Client and Server.

Refer to your question, if you only put one of them onto the root, cross-domain-access is also allowed, but for crossdomain.xml CrossDomain for Sockets doesn't allow.

Re: Difference between clientaccesspolicy.xml and crossdomain.xml

I've just wrestled with the cross domain beast all weekend, I don't think I necessarily won, I'm battered and bruised but managed to post my learnings from the struggle here.

But in a nutshell, you don't need either if you host your SL app with your WCF service. If you want to go cross domain then my experience is that clientaccesspolicy.xml doesn't work, at least not with my setup (WCF service hosted in a console app). You must not have a clientaccesspolicy.xml and you must have a crossdomain.xml file that looks something like this:

<!DOCTYPE cross-domain-policy SYSTEM “http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd”>
<cross-domain-policy>
<allow-access-from domain=”*” />
<allow-http-request-headers-from domain=”*” headers=”SOAPAction” />
</cross-domain-policy>

Note the second last line, it's different to what MSDN suggests you use. This works what MSDN has does not work.

Just a note, watching a http sniffer I could see my SL app requesting the clientaccesspolicy.xml file and it was successfully returned by my service...but still the cross domain exception occurred.

Re: Difference between clientaccesspolicy.xml and crossdomain.xml

Firstly, these files are refered by server only when there is request from different domain to check if the application making the request has sufficient rights to access the service.

Crossdomain.xml File:
This file is defined by Adobe Flash. It can be used if you want your service to grant access to both Adobe and Silverlight application.

ClientAccessPolicy.xml file:
This file is defined by Silverlight. It can be used only granting access to Silverlight applications., however this file provides more granular control over allowed domains.

Whenever there is request from Silverlight application, first the clientaccesspolicy file is checked. If not present crossdomain file is refered to check the permission.

More details can be found in 'Introducing Silverlight 4' by Ashish Ghoda.

Thanks
Abhilash

Please remember to mark the replies as answers if they help and unmark them if they provide no help.