• Making a Service Available Across Domain Boundaries


    Silverlight

    Using Silverlight version 4 for cross-domain communication requires guarding against several types of security vulnerability that can be used to exploit Web applications. Cross-site forgery is a class of exploits that becomes a threat when allowing cross-domain calls. This exploit involves a malicious Silverlight control transmitting unauthorized commands to a third-party service, without the user's knowledge. To prevent cross-site request forgery, Silverlight allows only site-of-origin communication by default for all requests other than images and media. For example, a Silverlight control hosted at http://contoso.com/mycontrol.aspx can access only services on that same domain by default – for example http://contoso.com/service.svc, but not a service at http://fabrikam.com/service.svc. This prevents a malicious Silverlight control hosted on the http://contoso.com domain from calling unauthorized operations on a service hosted on the http://fabrikam.com domain.

    To enable a Silverlight control to access a service in another domain, the service must explicitly opt-in to allow cross-domain access. By opting-in, a service states that the operations it exposes can safely be invoked by a Silverlight control, without potentially damaging consequences to the data that the service stores.

    Silverlight 4 supports two different mechanisms for services to opt-in to cross-domain access:

    • Place a clientaccesspolicy.xml file at the root of the domain where the service is hosted to configure the service to allow cross-domain access.
    • Place a valid crossdomain.xml file at the root of the domain where the service is hosted. The file must mark the entire domain public. Silverlight supports a subset of the crossdomain.xml schema .

    For more information about cross-scheme access, see Network Security Access Restrictions in Silverlight .

    To use a clientaccesspolicy.xml file to allow cross-domain access

    1. Build a service that enables access by a Silverlight client. For more information about how to do this, see How to: Build a Service for Silverlight Clients .

    2. Create a clientaccesspolicy.xml file that allows access to the service. The following configuration allows access from any other domain to all resources on the current domain.

      <?xml version="1.0" encoding="utf-8"?>
      <access-policy>
        <cross-domain-access>
          <policy>
            <allow-from http-request-headers="SOAPAction">
              <domain uri="*"/>
            </allow-from>
            <grant-to>
              <resource path="/" include-subpaths="true"/>
            </grant-to>
          </policy>
        </cross-domain-access>
      </access-policy>
      

      Alternatively, if you want to allow access from only one other domain, such as http://contoso.com, replace the <domain uri="*"/> line within the <allow-from> element of the clientaccesspolicy.xml file above with the line <domain uri="http://contoso.com"/> .

      To allow access to an HTTPS service from any Silverlight control hosted over HTTP application, you need to put the <domain uri=”http://*” /> element inside your <allow-from> element.

      The valid values for the headers attribute are:

      1. the wildcard (“*”) - which allows all headers that have not been blacklisted
      2. a comma-separated list of allowed headers. These allowed headers can use a wildcard suffix, for example, “X-CUSTOM-*”.

      To enable the service for access over TCP sockets, add <socket-resource port="4502" protocol="tcp" /> to the <grant-to> element, where the 4502 is the port value where the service is hosted.

    3. Save the clientaccesspolicy.xml file to the root of the domain where the service is hosted. If, for example, the service is hosted in http://fabrikam.com then the file must be located at http://fabrikam.com/clientaccesspolicy.xml.

    4. Test that the access is enabled by invoking the service from the other domain.

    To use a crossdomain.xml file to allow cross-domain access

    1. Build a service that enables access by a Silverlight client. For more information about how to do this, see How to: Build a Service for Silverlight Clients .

    2. Create a crossdomain.xml file that contains the following configuration. The file must be configured to allow access to the service from any other domain, or it is not recognized by Silverlight 4.

      <?xml version="1.0"?>
      <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
      <cross-domain-policy>
        <allow-http-request-headers-from domain="*" headers="SOAPAction,Content-Type"/>
      </cross-domain-policy>
      
    3. Save the crossdomain.xml file to the root of the domain where the service is hosted. If, for example, the service is hosted in http://fabrikam.com, then the file must be located at http://fabrikam.com/crossdomain.xml.

    4. Test that the service is enabled by invoking the service from the other domain.

    Link:http://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx
    作者:Angelo Lee
    本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利.
  • 相关阅读:
    集中式(SVN)和分布式(Git)版本控制系统的简单比较
    Mac 提示安装包已损坏
    React 获取 url 参数 —— this.props.match
    编写一个 Chrome 浏览器扩展程序
    webpack 配置学习笔记
    Python 进阶学习笔记
    Python 入门学习笔记
    (转)Unity3d各种坑
    unity3d 网页游戏客户端工程构建方案
    (转)在Unity3D的网络游戏中实现资源动态加载
  • 原文地址:https://www.cnblogs.com/yefengmeander/p/2887718.html
Copyright © 2020-2023  润新知