Cross-domain access for trusted Silverlight 4 applications (With XBOX Live Avatars!)

by brad, 2 June 2010 16:56

Background

To foil evil Silverlight developers, there are several restrictions on the way Silverlight can access resources from domains other than the one they originate from.  These restrictions are meant to prevent the use of Silverlight for denial-of-service attacks and the like.  Read more at MSDN.

In practical terms, these restrictions mean that your Silverlight application cannot access resources (such as images, html content, etc.) from other domains unless those other domains have said it is okay for Silverlight (and/or Flash) applications to do so.  But there is a nice handy exception to this rule: If your application is running installed, out-of-the-browser, with elevated trust, then it is not restricted in this way.

The Application

As an example, let’s consider an application that can take an XBOX Live gamer tag and fetch the associated Avatar for that gamer tag.  Avatars can be retrieved from XBOX using this URL structure:

http://avatar.xboxlive.com/avatar/{GAMER-TAG}/avatar-body.png

So, all our app needs to do is construct this URL, make an HTTP GET to get the image, and then display that image.  Nothing to it – the code looks like this (you can download the whole app below):

   1: private void Button_Click(object sender, RoutedEventArgs e)
   2: {
   3:     var gamerTag = GamerTagTextBox.Text;
   4:     var url = string.Format(UrlTemplate, Uri.EscapeUriString(gamerTag));
   5:     var request = WebRequest.Create(url);
   6:     request.BeginGetResponse(GetResponseCallback, request);
   7: }
   8:  
   9: private void GetResponseCallback(IAsyncResult ar)
  10: {
  11:     Dispatcher.BeginInvoke(() =>
  12:     {
  13:         var request = ar.AsyncState as HttpWebRequest;
  14:         var response = request.EndGetResponse(ar);
  15:         var image = new BitmapImage();
  16:         image.SetSource(response.GetResponseStream());
  17:         AvatarImage.Source = image;
  18:     });
  19: }

It’s worth noting that an easier way to pull this off is just to set the image’s source directly to the URL instead of doing an HTTP GET, but if you do it that way, you don’t get the SecurityException error that I want to highlight.

The important code is Lines 14 through 17.  This is where the response from the HTTP GET is processed and the source of the image is set.
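In the listing above the cross-domain failure surfaces as an unhandled SecurityException on the UI thread, because EndGetResponse is called inside the Dispatcher callback. The following is an added example (not the code from the post's download) showing the same fetch with that failure caught and reported, the network read kept off the UI thread, and the response disposed. It assumes the same page as the post plus a TextBlock named StatusText in the XAML.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Media.Imaging;

// Added example: the post's avatar fetch with the cross-domain failure handled.
// Assumes GamerTagTextBox and AvatarImage as in the post, plus a TextBlock
// named StatusText (assumption) for status messages.
public partial class MainPage : UserControl
{
    private const string UrlTemplate = "http://avatar.xboxlive.com/avatar/{0}/avatar-body.png";

    private void Button_Click(object sender, RoutedEventArgs e)
    {
        var gamerTag = GamerTagTextBox.Text;
        var url = string.Format(UrlTemplate, Uri.EscapeUriString(gamerTag));
        var request = WebRequest.Create(url);
        request.BeginGetResponse(GetResponseCallback, request);
    }

    private void GetResponseCallback(IAsyncResult ar)
    {
        var request = (HttpWebRequest)ar.AsyncState;
        WebResponse response = null;
        try
        {
            // In a sandboxed (in-browser) app, a GET to a domain that has not
            // opted in via a cross-domain policy file fails here with a
            // SecurityException. In an elevated-trust out-of-browser app it does not.
            response = request.EndGetResponse(ar);

            // Copy the image bytes on the worker thread so the UI thread only
            // has to decode an in-memory stream.
            var image = new MemoryStream();
            var chunk = new byte[8192];
            int read;
            using (var stream = response.GetResponseStream())
            {
                while ((read = stream.Read(chunk, 0, chunk.Length)) > 0)
                {
                    image.Write(chunk, 0, read);
                }
            }
            image.Position = 0;

            Dispatcher.BeginInvoke(() =>
            {
                var bitmap = new BitmapImage();
                bitmap.SetSource(image);
                AvatarImage.Source = bitmap;
                StatusText.Text = string.Empty;
            });
        }
        catch (SecurityException)
        {
            // The cross-domain restriction described in the post.
            Dispatcher.BeginInvoke(() => StatusText.Text =
                "Cross-domain access was denied. Run the app out of the browser with elevated trust.");
        }
        catch (WebException ex)
        {
            // Ordinary network failures: unknown gamer tag (404), timeout, ...
            Dispatcher.BeginInvoke(() => StatusText.Text = "Download failed: " + ex.Status);
        }
        finally
        {
            if (response != null)
            {
                response.Close();
            }
        }
    }
}
```

Catching SecurityException separately from WebException lets the app distinguish "this deployment is not allowed to talk to that domain" from "the download simply failed", which is what you need if you want to steer the user toward the out-of-browser install rather than just retrying.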

What WON’T Work

If you run this code in a default Silverlight application running in a browser, here’s what happens.


Ouch!  We are not allowed to talk to XBOX.com since our Silverlight application did not originate from XBOX.com.

What WILL Work

To make this work we have a couple of choices:

  1. Write a proxy service that lives on our server.  This service can then talk to XBOX.com.  While not the focus of this post, this is a reasonable solution.
  2. Set our app to run out of the browser with elevated trust.  If out-of-browser is not an option for you, then look into Option #1.  If it is an option, here’s how it’s done.
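For completeness, here is what Option #1 looks like. This is an added example, not code from the post: an ASP.NET handler hosted on the same origin as the Silverlight app, so the app's request to it is never cross-domain. The important design point is that it is not a general relay: the upstream host and path are fixed, only the gamer tag comes from the caller, and that tag is validated before it is placed in the URL. The gamer-tag character rules in the regular expression are an assumption.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text.RegularExpressions;
using System.Web;

// Added example for Option #1: a same-origin proxy that fetches avatars on
// behalf of the Silverlight app. Register it in web.config (e.g. as
// avatar.ashx) and have the app request /avatar.ashx?tag=GamerTag.
public class AvatarProxyHandler : IHttpHandler
{
    // Same URL template as the post; the gamer tag is the only variable part.
    private const string UrlTemplate = "http://avatar.xboxlive.com/avatar/{0}/avatar-body.png";

    // Assumption: a gamer tag is letters and digits, optionally separated by
    // single spaces, at most 15 characters. Whatever the exact rule, reject
    // anything that could alter the URL: slashes, dots, '?', '#', '%'.
    private static readonly Regex GamerTagPattern = new Regex(@"^[A-Za-z0-9]+( [A-Za-z0-9]+)*$");

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var gamerTag = context.Request.QueryString["tag"] ?? string.Empty;
        if (gamerTag.Length > 15 || !GamerTagPattern.IsMatch(gamerTag))
        {
            context.Response.StatusCode = 400; // refuse rather than forward garbage
            return;
        }

        // EscapeDataString (not EscapeUriString) so the tag stays one path segment.
        var url = string.Format(UrlTemplate, Uri.EscapeDataString(gamerTag));
        var upstream = (HttpWebRequest)WebRequest.Create(url);
        upstream.Timeout = 5000; // a slow upstream must not pin worker threads

        try
        {
            using (var response = (HttpWebResponse)upstream.GetResponse())
            using (var stream = response.GetResponseStream())
            {
                // Pass through only what we expect from this endpoint: an image.
                if (response.ContentType == null ||
                    !response.ContentType.StartsWith("image/", StringComparison.OrdinalIgnoreCase))
                {
                    context.Response.StatusCode = 502;
                    return;
                }

                context.Response.ContentType = response.ContentType;
                context.Response.Cache.SetCacheability(HttpCacheability.Public);
                context.Response.Cache.SetMaxAge(TimeSpan.FromMinutes(10));
                stream.CopyTo(context.Response.OutputStream);
            }
        }
        catch (WebException ex)
        {
            // Map an upstream 404 (unknown gamer tag) through; anything else is a
            // bad gateway from the client's point of view.
            var failed = ex.Response as HttpWebResponse;
            context.Response.StatusCode = failed != null ? (int)failed.StatusCode : 502;
        }
    }
}
```

Because the Silverlight client now only talks to its own origin, no cross-domain policy file and no elevated trust are needed on the client side; the proxy is the only place that needs to be careful, and the validation above is what keeps it from becoming an open relay to arbitrary hosts.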

Enable OOB

First, open up your project properties, go to the Silverlight tab, and enable out-of-browser.

Next, open the Out-of-Browser settings, and check the box for elevated privileges.

And finally, to make your debug experience a good one, open up the Debug tab of the Properties, and set your application to start as an out-of-browser app.

The Finished Product

That’s it!  Now your app can talk to other domains, such as XBOX.com, and retrieve resources from them.

Finishing Up

So there you have it – accessing cross-domain resources with Silverlight 4.  It’s worth noting that if you require this sort of access for your application, then you should make it easy for users to install your app to their desktop and probably prevent it from running unless it’s out-of-browser.  You can read more on that at MSDN.
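One way to act on that advice in code, as an added example rather than code from the post: check at startup whether this instance actually has the trust the avatar fetch relies on, disable the fetch if it does not, and offer the desktop install. The XAML names FetchButton, InstallButton and StatusText are assumptions.

```csharp
using System;
using System.Windows;
using System.Windows.Controls;

// Added example: gate the cross-domain fetch on the trust level the post
// relies on, and offer the desktop install instead of failing in the browser.
// Assumed XAML names: FetchButton, InstallButton, StatusText.
public partial class MainPage : UserControl
{
    public MainPage()
    {
        InitializeComponent();
        // Re-evaluate when the user installs or uninstalls the app.
        Application.Current.InstallStateChanged += (s, e) => UpdateForTrustLevel();
        UpdateForTrustLevel();
    }

    private void UpdateForTrustLevel()
    {
        var app = Application.Current;

        // Both must hold: running installed AND the OOB settings asked for
        // elevated permissions. An in-browser copy reports false for both.
        bool trusted = app.IsRunningOutOfBrowser && app.HasElevatedPermissions;

        FetchButton.IsEnabled = trusted;

        if (trusted)
        {
            StatusText.Text = string.Empty;
            InstallButton.Visibility = Visibility.Collapsed;
        }
        else if (app.InstallState == InstallState.Installed)
        {
            // Installed already, but this instance is the in-browser copy.
            StatusText.Text = "Please launch the installed desktop version to fetch avatars.";
            InstallButton.Visibility = Visibility.Collapsed;
        }
        else
        {
            StatusText.Text = "Fetching avatars requires the desktop version of this app.";
            InstallButton.Visibility = Visibility.Visible;
        }
    }

    private void InstallButton_Click(object sender, RoutedEventArgs e)
    {
        // Install() is only permitted from a user-initiated event such as this
        // click; calling it elsewhere throws InvalidOperationException.
        if (Application.Current.InstallState == InstallState.NotInstalled)
        {
            Application.Current.Install();
        }
    }
}
```

Disabling the fetch button rather than hiding the feature keeps the failure mode visible and explainable to the user, and the InstallStateChanged hook means the in-browser copy updates its message as soon as the install completes.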

Special thanks to cdeweese for showing me the Avatar-fetching URL in the first place and for pair programming the Fetcher app with me.


About Brad

Brad Tutterow lives in Illinois and works in Missouri. He has 12 years of experience developing web sites and Windows applications using a variety of technologies and is most excited currently about Silverlight, Windows Phone 7, Halo Reach, and Visual Studio 2010.