Wednesday, June 17, 2009


Every new technology brings its own mechanism to mitigate security threats. This post discusses on how silverlight deals with cross site scripting.

What is Cross Site Scripting?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

To avoid Cross-Site Scripting (XSS), Silverlight runtime enforces restrictions in the framework APIs. Any cross domain request requires that the server has explicitly granted permissions to access its resources from Silverlight client. Cross domain access means the Silverlight client is making network calls to domain which is not same as the domain from which the client itself has been downloaded. The restrictions are same as what Flash based clients also experience.
To allow flash based clients to access its resources, servers need to place a policy file at the root of the domain called crossdomain.xml and all access permission in that file.
Silverlight uses the same logic to allow the APIs to access cross domain resources. It supports flash based policy file. It also supports a file specific to Silverlight clients named as clientaccesspolicy.xml. This is also a xml based file with published format but different from flash format.Silverlight runtime first tries to download the clientaccesspolicy.xml file and if found, all access permissions are granted using this file. If this file is not available, it tries to download flash based policy file. If none is found, access is denied. These files are not downloaded in case of same domain access.

No comments: