Enabling X-Domain access to your Data Services

In the Astoria V1.5 CTP2 release, we introduced support for X-Domain and Out Of Browser access to Data Services in our Silverlight client library.

This blog post talks about how to enable Cross-Domain access to Data Services from the Silverlight client library.

I am a Service author. How do I enable X-Domain access to Data Services I host in my applications?

You would need to deploy a ClientAccessPolicy.xml file to enable X-Domain and Out Of Browser access to Data Services hosted by your applications.

The CAP.xml file should be deployed at the root of the Web Server hosting the Data Services, and the file must be retrievable without authentication.

What is a ClientAccessPolicy.xml file?

A client access policy file defines the Services that client Silverlight applications can call and the capabilities that these service calls can have. Here is a sample ClientAccessPolicy.xml file:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <!-- Only Silverlight clients served from this origin may call the Service;
           "*" lets those calls carry any HTTP request header. -->
      <allow-from http-request-headers="*">
        <domain uri="https://ui.northwind.com"/>
      </allow-from>
      <!-- The Service those clients may reach; include-subpaths covers the
           entity set and query URLs below the .svc endpoint. -->
      <grant-to>
        <resource path="/Northwind.svc" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

Anatomy of a ClientAccessPolicy.xml file:

The CAP.xml file contains many sections that allow fine tuning of client access.
For a Data Service author, the following sections of the file are relevant:

1. <allow-from>

Defines the sites (domains) that are allowed to access the resources covered by this policy.

By using the allow-from element for a particular policy, you implicitly deny access to all non-listed domains.

If allow-from is empty, the policy grants access to no sites.

The “http-request-headers” attribute of this node specifies the HTTP request headers that client Service calls are allowed to pass to the Service.

For a Data Services Silverlight client application, the following headers are required:

    1. X-Http-Method
    2. DataServiceVersion
    3. Accept
    4. Content-Type
    5. Location
    6. MimeType
    7. MaxDataServiceVersion

2. <allow-from><domain/></allow-from>

The “uri” attribute of the “domain” node specifies the domain in which the client accessing the Service has to be hosted to be able to call the Service.

3. <grant-to>

The “<grant-to>” node specifies the Services that clients are allowed to access.

4. <grant-to><resource/></grant-to>

Each Service whose access is governed by the CAP.xml file is represented by a <resource> node in the <grant-to> section of the file.

The <resource> node contains two important attributes:

    1. path: the relative path of the Data Service.
    2. include-subpaths: specifies whether paths based off of the resource path are allowed. This value should be set to true for a Data Service, because entity set and query URLs live below the .svc path.
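A small checker for the sections described above, added here as an example and not part of the original post or the Astoria library. It parses a clientaccesspolicy.xml with the standard library, verifies the Data Services client can actually call the given service (required headers allowed, a covering <resource> with include-subpaths="true"), and flags the two settings that make the policy broader than the sample: a domain uri of "*" and a resource path of "/". The sample documents and the service path are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Request headers the Data Services Silverlight client sends (listed above).
REQUIRED_HEADERS = {"X-Http-Method", "DataServiceVersion", "Accept", "Content-Type",
                    "Location", "MimeType", "MaxDataServiceVersion"}

def check_policy(xml_text, service_path):
    """Return findings for a clientaccesspolicy.xml that should cover service_path.
    An empty list means the Data Services client can call the service and the
    policy is no broader than the sample in the post."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    policies = root.findall("./cross-domain-access/policy")
    if not policies:
        return ["no <policy> under <cross-domain-access>: nothing is granted"]
    for n, pol in enumerate(policies, 1):
        allow = pol.find("allow-from")
        domains = [] if allow is None else allow.findall("domain")
        if not domains:
            findings.append(f"policy {n}: <allow-from> empty or missing, grants access to no sites")
        else:
            allowed = {h.strip() for h in allow.get("http-request-headers", "").split(",")}
            missing = sorted(REQUIRED_HEADERS - allowed) if "*" not in allowed else []
            if missing:
                findings.append(f"policy {n}: http-request-headers lacks {missing}")
            for d in domains:
                if d.get("uri") == "*":
                    findings.append(f"policy {n}: domain uri=\"*\" lets any site call the service")
        grant = pol.find("grant-to")
        resources = [] if grant is None else grant.findall("resource")
        covering = [r for r in resources if service_path.startswith(r.get("path", "\0"))]
        if not covering:
            findings.append(f"policy {n}: no <resource> path covers {service_path}")
        for r in covering:
            if r.get("path") == "/":
                findings.append(f"policy {n}: resource path \"/\" exposes every service on the host")
            if r.get("include-subpaths", "false").lower() != "true":
                findings.append(f"policy {n}: {r.get('path')} needs include-subpaths=\"true\"")
    return findings

# Constructed samples: the policy from the post, and a deliberately loose variant.
TIGHT = """<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="https://ui.northwind.com"/></allow-from>
  <grant-to><resource path="/Northwind.svc" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""
LOOSE = (TIGHT.replace('http-request-headers="*"', 'http-request-headers="Accept,Content-Type"')
              .replace('uri="https://ui.northwind.com"', 'uri="*"')
              .replace('path="/Northwind.svc" include-subpaths="true"', 'path="/" include-subpaths="false"'))

if __name__ == "__main__":
    for name, doc in (("tight", TIGHT), ("loose", LOOSE)):
        print(name, check_policy(doc, "/Northwind.svc") or ["ok"])
```

Run it against the CAP.xml you actually deploy before publishing it; the "tight" sample yields no findings, the "loose" one reports all four problems.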

Additional references:

  1. Clientaccesspolicy.xml file Schema
  2. Making a Service Available Across Domain Boundaries