cross-domain hosted Silverlight app not loading in a https webpage - silverlight

I want to provide a Silverlight app to my customer while hosting the app at my own site for streamlined maintenance.
My Silverlight .xap is hosted in, let's say, domain me-supplier.com.
I want to embed it in, let's say, domain my-customer.com.
It works perfectly for http://my-customer.com, not for https://my-customer.com.
I have added the (me-supplier.com hosted) cross-domain Silverlight policy file to allow my-customer.com.
I have configured the MIME types for .xap.
The Silverlight app needs HTML DOM access, so the iframe approach is not viable, I believe.
This works for JavaScript code, so why not for Silverlight? Any idea or workaround?

Is the Silverlight app also on HTTPS? If not, you might be hitting a security wall which does not allow intermixing HTTP and HTTPS application domains.

I think the answers to this question may explain it.
Generally HTTPS doesn't like you drawing data between domains within a page because the certificate is tied to the current domain.

Related

Google Analytics with Silverlight HTTPS cross domain policy problems

I'm sending simple messages to Google Analytics from a Silverlight app. They look something like this (data changed):
http://www.google-analytics.com/collect?v=1&tid=foobar&cid=foobar&t=pageview&dp=foobar&dt=foobar
Very simple API. If I use HTTP it works beautifully.
If I use HTTPS, I run afoul of Silverlight's cross-domain policies. According to the docs, google-analytics.com needs to approve the cross-domain call by hosting either a clientaccesspolicy.xml (Silverlight-specific) or crossdomain.xml (originally used by Flash). Turns out they do host crossdomain.xml, and I can see that Silverlight downloads it (via Fiddler), but apparently Silverlight doesn't like the file's content and doesn't allow HTTPS calls to that domain (System.Security.SecurityException).
So.. at least at the moment, I can't use Google Analytics from Silverlight using HTTPS. Does anyone know a work around for this issue?
Note, I can't just use HTTP, because that causes IE to issue a "Allow Mixed Content" prompt which causes problems for some of our customers. I need to use HTTPS like the rest of our app.
EDIT: OK, I took a totally different approach, using HtmlPage.Window.Invoke to call a 3 line Javascript function to do the asynchronous send rather than using WebClient in the Silverlight code. Works like a champ. Anybody see any potential problems with that?
I suspect there may be a way to make this work, because I know google-analytics.com is very cross-domain friendly for exactly this reason.
If you absolutely can't get it to work another option would be to proxy the hits. If you do this, you'll want to make sure to use the ua and uip override fields in the hit you're sending so that they show up in Google Analytics with the IP address and User Agent of the original visitor and not your server.
Here's some more info on using a proxy server with the Measurement Protocol:
https://developers.google.com/analytics/devguides/collection/protocol/v1/devguide#using-a-proxy-server

Which ad network for cross platform web apps

It is really unclear what to use when you want to put ads on a cross-platform web application published as is on a website and also on the stores through PhoneGap.
AdMob, AdSense...?
Moreover, which one has a simple HTML/JS integration system?
For now, I am using InMobi and their JS API is very simple and nice, but I have cross-domain problems...
Can you help clarify?
This is Akshay, JS Dev, InMobi. InMobi is an ad distributor. The ads/creatives are made by the advertisers. Also, these ads are placed in an iframe so that these ads cannot access the data present in your page, thus providing security. Because some ads try to "burst" out of the iframe, Chrome throws the warning. However, these warnings can be safely ignored and will not affect your website's functionality.
That being said, InMobi's JavaScript is not responsible for these issues; rather the advertiser is, and InMobi has no control over this. There are some ad networks which require a dummy page to be present on your domain. By using such ad networks, the Chrome warnings disappear (because the iframe is on your server and cross-domain problems do not occur). However, by doing so, the ad has complete access to your webpage, compromising security.

How can data be routed thru an app-engine domain if the request is from a page on a users computer?

I have an application on Google App Engine that serves an HTML file with the following script
<script>
ChemDoodle.iChemLabs.getMoleculeFromDatabase('pubchem', 'morphine', function(mol){
alertMolecule(mol);
});
</script>
This uses an XHR level 2 request, which requires that iChemLabs (or whoever the server-side people are) enable support for my domain. What is the domain that the server side (with XHR enabled) should enable? I don't really understand how data can be routed through the App Engine domain if the request is coming from an HTML page sitting on an app user's computer?
I think you are talking about Cross-Origin Resource Sharing (CORS), which is a method that web servers can use to let the browser know which sites (identified by domain) can share information with each other.
Mozilla has a good detailed run-through of how it should work. It is relatively new and only modern browsers implement it.
Nothing is "routed through" anybody's apps; all you are doing is telling the browser that sitea.com is happy to share data and accept requests that originated from an application originally served by siteb.com.
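The server-side half of what the answer describes, as an added example rather than code from the thread or from iChemLabs: the service at sitea.com keeps an exact allowlist of origins, echoes the `Origin` header only after that check, and answers preflights with just the methods it accepts. The origins, the endpoint and the constructed JSON payload are assumptions for this example.

```javascript
// Added example (not from the original answer): the server-side half of CORS for
// a service the page's script would call. Origins, paths and the handler shape
// are assumptions for this example. Nothing is "routed through" the caller's
// domain: the server only tells the browser which origins it trusts, and the
// browser enforces the answer.

// Exact origins that may read responses from this service. Keep it an exact-match
// set; a substring or prefix test lets https://www.siteb.com.evil.example through.
const ALLOWED_ORIGINS = new Set([
  'https://my-app.appspot.com',   // assumed: the App Engine app that serves the page
  'https://www.siteb.com',        // assumed: a second trusted front end
]);
const ALLOWED_METHODS = ['GET', 'POST'];

// Decide the CORS headers for a request.
//   {}   -> no Origin header: same-origin or non-browser client, add nothing
//   null -> origin (or preflight method) not allowed; caller should reject
//   obj  -> headers to add to the response
function corsHeaders(req) {
  const origin = req.headers['origin'];
  if (origin === undefined) return {};
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin, // echoed only after the allowlist check
    'Vary': 'Origin',                      // caches must key the answer on Origin
  };
  if (req.method === 'OPTIONS') {
    const wanted = req.headers['access-control-request-method'] || '';
    if (!ALLOWED_METHODS.includes(wanted)) return null;
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// The weak form this replaces: reflecting any Origin and adding credentials
// makes every site on the web a trusted caller of an authenticated API.
function corsHeadersReflectAnything(req) {
  return {
    'Access-Control-Allow-Origin': req.headers['origin'] || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Request handler wiring the check into a JSON endpoint (Node http-style req/res).
function handle(req, res) {
  const cors = corsHeaders(req);
  if (cors === null) { res.writeHead(403); res.end('origin not allowed'); return; }
  for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ molecule: 'morphine', atoms: 40 })); // constructed payload
}
```

Serve it with `require('http').createServer(handle).listen(8080)` and the page on my-app.appspot.com can read the response; a page on any other origin still gets the bytes from the network but the browser refuses to hand them to the script. The `Vary: Origin` header matters once a cache sits in front of the service, and the reflect-anything variant is left in only to show what not to do.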

how to limit access to a silverlight-enabled data service?

We have a Silverlight app which we wrote which calls a Silverlight-enabled data service. The Silverlight app cannot require a login, as it is required to present data to the unauthenticated public.
We have some schmoe who took the time to examine our Silverlight app, one way or another figured out what service it is calling, and then wrote his own client to slurp off the data so he can post it on his site and pretend like it is his. We need to prevent this.
How can I limit my data service somehow to ONLY accept requests from my Silverlight app? I tried using the allow-from domain uri setting in the clientaccesspolicy.xml file to limit access to the service only from the domain in which the Silverlight app sits (say mydomain.com). This did absolutely nothing though, and the service is still serving up requests to clients from outside the domain. (I tested this by putting my SL app on a different domain under our control.)
What is the proper/best/most effective way to limit the data service so only our app can use it? Thanks!!!
I'm using SL 3 and .NET 3.5.
The clientaccesspolicy.xml tells the Silverlight application which web service it can consume. It does not prevent people from accessing the web service.
You can try using an authentication login even though it's not required. This prevents 'schmoes' accessing your web service.
Also use Dotfuscator to prevent 'schmoes' disassembling your Silverlight application and acquiring the login.
Silverlight web service security follows the same patterns you'd use for ASP.NET security, especially services exposed to AJAX. The best way to do this is to make use of ASP.NET's authentication.
RIA Services is an even better way to handle this. It rides on top of the ASP.NET authorization, but validates on both the client and server side automatically to combat service spoofing. It lets you take care of both client- and server-side authorization by adding attributes to your methods indicating that the method requires authorized access, and by which groups or users if you need to be specific.
In addition to wire-side security and obfuscation, remember that clients can attach a debugger to Silverlight applications running in their browser. See this example from MSDN Magazine's Security IQ Test, November 2008.

Silverlight Cross Domain Policies

In a Silverlight application, I want to access the page hosting the Silverlight .xap file from an HTTP subdomain, but have the web services access a different subdomain for sensitive information over HTTPS.
I set up clientaccesspolicy.xml at the root of the subdomain and it lets the silverlight app access its services over http, but not over https. It gives the cross domain access error that it would give normally without a clientaccesspolicy in place.
I know that browsers themselves have a lot of restrictions about mixing http and https. Am I trying to do something that is not allowed?
Check out: http://silverlight.net/forums/t/12741.aspx
You can either make https calls to the same domain or http cross-domain calls, but not https cross-domain calls.
This is described in http://msdn2.microsoft.com/en-us/library/cc189008(VS.95).aspx (see "If not HTTPS" in the matrix)
By JohnSpurlock
This is out of date since Silverlight 2.0 was released. You can now do most cross-domain scenarios with the appropriate configuration. http://msdn.microsoft.com/en-us/library/cc197955(VS.95).aspx
The important thing to note here, which is not stated clearly in the information above, is that you must have access to the "ROOT" level of the requested domain, and the clientaccesspolicy.xml must reside at that level.
If, for example, you have a production environment in which your application sits behind a load balancer that directs traffic to your application via the URI, as most large companies do, you then have a bit of a problem.
Example: http://mydomain.com/MyApplication/* goes to your server, where your app resides.
http://mydomain.com/clientaccesspolicy.xml is where the policy exists.
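A policy file for the layout the answer describes, as an added example rather than one taken from the thread. The host names, the service path and the SOAPAction header are assumptions; the scheme is spelled out on each domain entry so that the HTTPS caller is allowed explicitly rather than relying on how a bare wildcard is interpreted (the MSDN page linked above gives the exact matching rules). It has to be served from the root of the service's host, i.e. https://api.mydomain.com/clientaccesspolicy.xml (assumed), not from under /MyApplication/.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread. Served at the ROOT of the host the
     Silverlight app calls (assumed https://api.mydomain.com/clientaccesspolicy.xml).
     Hosts, path and the header allowlist are assumptions. -->
<access-policy>
  <cross-domain-access>
    <policy>
      <!-- Callers: list the scheme explicitly. The HTTPS entry is what the
           https cross-domain call in the question needs; the HTTP entry only
           exists if the app is also served over plain HTTP. -->
      <allow-from http-request-headers="SOAPAction">
        <domain uri="https://app.mydomain.com"/>
        <domain uri="http://app.mydomain.com"/>
      </allow-from>
      <!-- Expose only the service path, not the whole host. -->
      <grant-to>
        <resource path="/MyApplication/DataService.svc" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```

Two things a reviewer checks here: the `uri` values name the origin of the page that loads the .xap, not the service host; and `grant-to` is narrowed to the service path, because a policy with `path="/"` at the root of a shared host also opens every other application behind that load balancer to the listed callers.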
