Using Silverlight 2.0 clientaccesspolicy.xml vs. crossdomain.xml for Web-Service cross-domain access

Cesar De la Torre

To enable a Silverlight control to access a web service (like a WCF Service) in another domain, the service must explicitly allow cross-domain access. Doing so, a service states that the operations it exposes can safely be invoked by a Silverlight control, without potentially damaging consequences to the data the service stores.

Silverlight supports two different mechanisms for services to opt-in to cross-domain access:
•    Place a clientaccesspolicy.xml file at the root of the domain where the service is hosted to configure the service to allow cross-domain-access.
•    Place a valid crossdomain.xml file at the root of the domain where the service is hosted. Silverlight supports a subset of the crossdomain.xml schema. This file format is supported as well by ADOBE FLASH (originally by them).


The question many developers could ask is, ok, which format/file do I use?.

Well, even though crossdomain.xml is supported by ADOBE FLASH, as well, there is a limitation in current SL20 Beta2 version: If you use crossdomain.xml, the file must mark the entire domain public. I mean, the file must be configured to allow access to the web service from any other domain, or it is not recognized by Silverlight… (Keep in mind that this is a Silverlight’s limitation, probably by design).

You should configure crossdomain.xml like that:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "">
  <allow-http-request-headers-from domain="*" headers="*"/>

So, because of that, I’d always use clientaccesspolicy.xml which allows me to specify all domains OR just specific domains, like the following:

<?xml version="1.0" encoding="utf-8"?>
      <allow-from http-request-headers="*">
        <domain uri=""/>
        <resource path="/" include-subpaths="true"/>

btw, you could always use both files within your Web-Service, so then, Silverlight client apps would check first clientaccesspolicy.xml and apply specific restrictions based on specific domains, no matter what crossdomain.xml says.

Of course, crossdomain.xml will be used by FLASH client apps.

So this is the answer!: "Use both files (if you want Flash support for your web-service), but apply specific restrictions into clientaccesspolicy.xml" for Silverlight client apps".

Here you can see the Silverlight’s Cross Domain Policy Flow:



Remember!, Always save the clientaccesspolicy.xml  or the crossdomain.xml file into the root of the domain/web-site where the service is hosted. If, for example, the service is hosted in then the file must be located at You cannot put it within your App’s Virtual Directory, like This is wrong and it won’t work


Discussion is closed.

Feedback usabilla icon