Sunday, February 08, 2009
Self-Hosted WCF Cross-Domain Service Call Policies
Yesterday I blogged about a new Milos feature that allows self-hosting of Basic HTTP services. This is useful when a service is hosted using other bindings but should expose the Basic HTTP binding in addition to the others, which is typically needed in Silverlight or browser scenarios (click here for yesterday's post).
When hosting Basic HTTP services for Silverlight, it is also important to know that Silverlight by default can only call services that are part of the same web application as the Silverlight app itself. This will practically never be the case when you self-host a Basic HTTP service. To allow that service to be called from Silverlight, the service must opt in to being callable across domains. (Note: Different ports also count as different domains in this case.) This is a security restriction to avoid cross-site attacks.
Using the Milos self-host Basic HTTP feature, you can also enable cross-domain calling like so:
ServiceGarden.AllowCrossDomainCalls();
For instance, if you want to host a service that is available both over TCP/IP and Basic HTTP and allows cross-domain calls, it could be done like so:
ServiceGarden.AllowCrossDomainCalls();
ServiceGarden.AddServiceHostNetTcp(typeof(EventService));
ServiceGarden.AddServiceHostBasicHttp(typeof(EventService));
Note that the cross-domain setting applies only to HTTP-based access, not to other protocols.
Note also that cross-domain calling is enabled by means of a policy file that the host now serves. You can browse to that policy using your web browser. For instance, if you run this in a test environment on localhost, you can browse to http://localhost/clientaccesspolicy.xml to see the exact settings that are exposed. This is the file Silverlight requests before it allows a cross-domain call.
Note that it is possible to set additional parameters. In particular, you can specify which sites can make a cross-domain call. For instance, if you only want to accept calls from www.Microsoft.com and www.Google.com, you can restrict the cross-domain calls in the following fashion:
ServiceGarden.AllowCrossDomainCalls(new Uri[] {
new Uri("http://www.Microsoft.com"),
new Uri("http://www.Google.com") });
Note that these features are available on the ServiceGarden class as well as the development host. When the development host is used, the policy is listed in the UI as an additional service endpoint.
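To confirm that the served clientaccesspolicy.xml lists only the callers you intended, the policy can be checked with a small script. This is an added example, not Milos code: the two sample policies are constructed in the standard Silverlight policy layout (the exact document Milos emits may differ), and `normalize` and `audit_policy` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples in the standard Silverlight clientaccesspolicy.xml layout;
# the exact document Milos emits may differ.
OPEN_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

RESTRICTED_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction">
    <domain uri="http://www.Microsoft.com"/>
    <domain uri="http://www.Google.com"/>
  </allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""


def normalize(uri):
    """Lower-case scheme and host; keep the port, since ports count as domains."""
    parts = urlsplit(uri.strip())
    origin = f"{parts.scheme.lower()}://{(parts.hostname or '').lower()}"
    return f"{origin}:{parts.port}" if parts.port else origin


def audit_policy(xml_text, expected_origins):
    """Return findings for a policy document; an empty list means it matches."""
    expected = {normalize(u) for u in expected_origins}
    findings, seen = [], set()
    root = ET.fromstring(xml_text)
    for domain in root.iter("domain"):
        uri = domain.get("uri", "")
        if "*" in uri:
            findings.append(f"wildcard caller allowed: {uri}")
            continue
        origin = normalize(uri)
        seen.add(origin)
        if origin not in expected:
            findings.append(f"unexpected caller allowed: {origin}")
    findings += [f"expected caller missing: {o}" for o in sorted(expected - seen)]
    return findings


if __name__ == "__main__":
    allowed = ["http://www.microsoft.com", "http://www.google.com"]
    for name, doc in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_policy(doc, allowed) or "OK")
```

In a deployment check, the XML text would come from fetching /clientaccesspolicy.xml from the self-hosted service instead of the inline samples.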
Posted @ 1:40 PM by Egger, Markus (markus@code-magazine.com)