Defining Cross Domain Policy
Last time I talked a bit about the need for a cross-domain access policy in the Silverlight security policy system. Today I'll go into more detail about that example cross-domain policy file that I showed you.
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
You might see four spots where you can plug in your own values to define policy.
The http-request-headers attribute is a comma-separated list of the HTTP headers that the domain is allowed to send. The default is that no HTTP headers are allowed. Using WCF with Silverlight requires allowing HTTP headers in order to work correctly.
The domain uri is the allowed domain that is being granted access by this policy. The scheme used in the domain uri is significant.
The resource path is the resource to which this policy grants the domain uri access. The resource path is always relative to the root of the domain.
The include-subpaths attribute allows you to specify whether the resource path should be treated as a prefix or as an exact match. The default is that the match has to be exact.
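To see how the four settings interact, the following Python example evaluates a request against a policy file. It is an added example, not code from the original post or from Silverlight itself; the function names, the sample policy and the host app.example.com are constructed, and the matching rules (`*` matches every caller, otherwise scheme and host must be equal; prefix matching stops at a path-segment boundary; header names compare case-insensitively) are simplifying assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policy (not from the original post): one HTTPS caller,
# two headers, a prefix-match resource and an exact-match resource.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction, Content-Type">
    <domain uri="https://app.example.com"/>
  </allow-from>
  <grant-to>
    <resource path="/services" include-subpaths="true"/>
    <resource path="/status.xml"/>
  </grant-to>
</policy></cross-domain-access></access-policy>"""

def _origin(uri):
    parts = urlsplit(uri)
    return (parts.scheme.lower(), parts.netloc.lower())

def _domain_ok(allow_from, caller):
    # Assumption: "*" matches any caller; otherwise scheme AND host must match.
    uris = [d.get("uri", "") for d in allow_from.findall("domain")]
    return any(u == "*" or _origin(u) == _origin(caller) for u in uris)

def _headers_ok(allow_from, headers):
    # A missing attribute yields an empty allow-list: no headers permitted.
    allowed = [h.strip().lower() for h in allow_from.get("http-request-headers", "").split(",")]
    return "*" in allowed or all(h.lower() in allowed for h in headers)

def _path_ok(grant_to, path):
    for res in grant_to.findall("resource"):
        base = res.get("path", "")
        # include-subpaths defaults to "false": exact match only.
        subtree = res.get("include-subpaths", "false") == "true"
        if path == base or (subtree and path.startswith(base.rstrip("/") + "/")):
            return True
    return False

def is_allowed(policy_xml, caller, path, headers=()):
    # True if any <policy> grants this caller, these headers and this path.
    root = ET.fromstring(policy_xml.encode("utf-8"))
    for policy in root.iter("policy"):
        af, gt = policy.find("allow-from"), policy.find("grant-to")
        if (af is not None and gt is not None and _domain_ok(af, caller)
                and _headers_ok(af, headers) and _path_ok(gt, path)):
            return True
    return False
```

Running the wide-open policy from the post through `is_allowed` returns `True` for every caller, path and header, which makes a quick check for policies that are broader than intended.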
The official definition of this format is provided by this DTD.
<!ELEMENT access-policy (cross-domain-access)>
<!ELEMENT cross-domain-access (policy+)>
<!ELEMENT policy (allow-from)>
<!ELEMENT policy (grant-to)>
<!ELEMENT allow-from (domain+)>
<!ATTLIST allow-from http-request-headers CDATA>
<!ELEMENT domain EMPTY >
<!ATTLIST domain uri CDATA #REQUIRED>
<!ELEMENT grant-to (resource+)>
<!ELEMENT grant-to (socket-resource+)>
<!ELEMENT grant-to EMPTY>
<!ATTLIST resource path CDATA #REQUIRED>
<!ATTLIST resource include-subpaths (true|false) "false">
<!ATTLIST socket-resource port CDATA #REQUIRED protocol #REQUIRED>
You'll notice that because I've only been talking about HTTP resources, there are some parts specific to sockets in the DTD that don't appear in the example.
Tim Heuer has a translation of the cross-domain policy file DTD to a schema and directions for using the schema with Visual Studio.
Next time: Cross Domain Policy Extras
Comments
- Anonymous
September 21, 2008
Today's post wraps up the series on cross-domain policy files with some side stories that you probably