Sunday, February 08, 2009
Self-Hosted WCF Cross-Domain Service Call Policies
Yesterday I blogged about a new Milos feature that allows to self-host Basic HTTP services, which is a feature that is useful when one has a service that is hosted using other bindings, but wants to expose the Basic HTTP binding in addition to others, which is typically done in Silverlight or browser scenarios (click here for yesterday's post).
When hosting Basic HTTP services for Silverlight, it is also important to know that Silverlight by default can only call services that are part of the same web application as the Silverlight app itself. This will practically never be the case when you self -host a Basic HTTP service. To allow that service to be called from Silverlight, the service must opt in to be callable across domains. (Note: Different ports also count as different domains in this case). This is a security restriction to avoid cross-site attacks.
Using the Milos self-host Basic HTTP feature, you can also enable cross-domain calling like so: