The documentation contains this passage:
There are important security considerations before you allow Silverlight clients to access Web services in a cross-domain situation. Whenever you put a cross-domain policy file in place you should configure your Web server hosting the Web services to disable browser caching. This enables you to easily update the file or restrict access to your Web services when necessary.
Another point worth explaining is that when the Silverlight runtime looks for a security policy file, it checks clientaccesspolicy.xml first and only then crossdomain.xml (naturally, its own format is checked first). Once the request for the policy file has completed, the result stays in effect for the entire application session (this feels similar to the approach browsers take to defend against DNS rebinding attacks), so the file does not have to be requested every time. It also means that if the first request for the file fails, every subsequent request will fail as well.
The policy file can only be placed in the root directory, no matter which directory of the website (WebSite) the resource you are currently requesting lives in.
The server is not allowed to redirect the policy file itself; its response status code can only be 200 or 404. The requested resource itself, however, may be redirected, as long as both the source URL and the target URL are declared in the cross-domain policy file.
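As an added illustration (not part of the original post), the following Python checks a single policy-file fetch against the rules above: root location, no redirect (only 200 or 404), caching disabled, and a look at how broad the grants in clientaccesspolicy.xml are. The function names and the two sample policies are constructed for this example.

```python
"""Audit a Silverlight policy-file response (constructed example, not the post's code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a wide-open clientaccesspolicy.xml
OPEN_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

# Constructed sample: the same file narrowed to one origin and one service path
TIGHT_POLICY = OPEN_POLICY.replace('uri="*"', 'uri="https://app.example.com"') \
                          .replace('path="/"', 'path="/services/"')


def audit_policy_response(url, status, headers, body=""):
    """Return findings for one policy-file fetch made WITHOUT following redirects
    (hypothetical helper; url/status/headers/body are what the client observed)."""
    findings = []
    path = urlparse(url).path
    if path not in ("/clientaccesspolicy.xml", "/crossdomain.xml"):
        findings.append("policy file must live at the site root")
    if status not in (200, 404):
        # The runtime rejects a redirected policy file and caches that failure
        # for the rest of the application session.
        findings.append(f"status {status}: policy file must not be redirected")
        return findings
    if status == 404:
        return findings  # no policy published: cross-domain calls are denied
    cache = {k.lower(): v for k, v in headers.items()}.get("cache-control", "")
    if "no-cache" not in cache and "no-store" not in cache:
        findings.append("disable browser caching so policy changes take effect")
    if path.endswith("clientaccesspolicy.xml"):
        findings.extend(audit_clientaccesspolicy(body))
    return findings


def audit_clientaccesspolicy(xml_text):
    """Flag grants in clientaccesspolicy.xml that are broader than they need to be."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        for dom in policy.iter("domain"):
            if dom.get("uri") == "*":
                findings.append('allow-from domain uri="*" admits every origin')
        for res in policy.iter("resource"):
            if res.get("path") == "/" and res.get("include-subpaths") == "true":
                findings.append("grant-to exposes every path on the site")
    return findings
```

Feed it the status, headers and body you captured from a client that does not follow redirects; an empty list means the fetch matched every rule above.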