Overview of Silverlight Security Policies

As a security measure, the Silverlight run time validates all outgoing socket connections against an XML policy file supplied by the host from which the Silverlight client is downloaded. The download host must either run a standalone policy server or use a web server as a policy server. Ice for Silverlight includes a basic implementation of a policy server that you can deploy with your own applications.

If you do not want to use a standalone policy server, you can also use the web server on the download host as a policy server by adding a clientaccesspolicy.xml file at the document root directory. You must also set Ice.ClientAccessPolicyProtocol to Http for this deployment to work correctly.

Silverlight limits the range of ports to which a client can connect. As a result, you must configure your Ice server to listen on a TCP port within the range 4502 to 4534. The policy file can limit this range to an even smaller number of ports if necessary, and provides additional flexibility in controlling the client's access to server-side resources. For example, the following configuration grants the client access to ports in the range 4502 to 4506:

{zcode}
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from>
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <socket-resource port="4502-4506" protocol="tcp" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
{zcode}

Out-of-browser (OOB) applications are not subject to these limitations: you do not need to use a policy server for OOB applications, and you can use ports outside the 4502-4534 range.
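As an added check (not part of Ice or Silverlight), the following Python script parses a policy file like the one shown above and reports grants that would not work for an in-browser client (ports outside 4502-4534, a protocol other than tcp) and flags a wildcard allow-from. It uses the standard-library ElementTree parser and a constructed copy of the sample policy as input.

```python
# Added example (not Ice or Silverlight code): sanity-check a Silverlight socket
# policy file such as config\PolicyResponse.xml before deploying it.
import xml.etree.ElementTree as ET

PORT_MIN, PORT_MAX = 4502, 4534  # ports an in-browser Silverlight client may use

# Constructed copy of the policy shown on this page: ports 4502-4506, any origin.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
  <allow-from><domain uri="*" /></allow-from>
  <grant-to><socket-resource port="4502-4506" protocol="tcp" /></grant-to>
</policy></cross-domain-access></access-policy>"""

def parse_port_spec(spec):
    """Turn '4502-4506' or '4502' into an inclusive (low, high) tuple."""
    low, _, high = spec.strip().partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if lo > hi:
        raise ValueError("reversed range %r" % spec)
    return lo, hi

def check_policy(xml_text):
    """Return findings ('error: ...' or 'warn: ...'); an empty list means OK."""
    findings = []
    root = ET.fromstring(xml_text)
    policies = root.findall("./cross-domain-access/policy")
    if root.tag != "access-policy" or not policies:
        return ["error: expected <access-policy> containing at least one <policy>"]
    for policy in policies:
        for domain in policy.findall("./allow-from/domain"):
            if domain.get("uri") == "*":
                findings.append("warn: allow-from uri='*' lets any origin use this policy")
        resources = policy.findall("./grant-to/socket-resource")
        if not resources:
            findings.append("error: <grant-to> lists no <socket-resource>")
        for res in resources:
            if res.get("protocol") != "tcp":
                findings.append("error: protocol must be 'tcp', got %r" % res.get("protocol"))
            try:
                low, high = parse_port_spec(res.get("port", ""))
            except ValueError as exc:
                findings.append("error: bad port attribute: %s" % exc)
                continue
            if low < PORT_MIN or high > PORT_MAX:
                findings.append("error: ports %d-%d fall outside %d-%d; in-browser "
                                "clients cannot connect" % (low, high, PORT_MIN, PORT_MAX))
    return findings
```

Run it against the policy file you intend to serve; any `error:` line means an in-browser client will be refused by the Silverlight run time regardless of what the Ice server does.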


Silverlight Policy Server

For your convenience, the Ice installer for Windows includes two versions of a Silverlight policy server: one for .NET in the bin subdirectory, and another for .NET Compact Framework in the bin\cf subdirectory. A copy of the policy file shown earlier is provided in config\PolicyResponse.xml. In a source distribution, you can find the code for the policy server in cs\src\PolicyServer.

The policy server accepts two command-line arguments:

{zcode}
policyserver <ip-address> <policy-file>
{zcode}

The ip-address argument selects the interface on which to listen, and policy-file indicates the Silverlight policy file to be returned for every request. The server always listens on port 943, which is the standard port used by the Silverlight run time.
