How do you build a clientaccesspolicy.xml for this API?

Question

I have a RESTlike API that I want to access from Silverlight. It needs to support the following:

• All requests are made over SSL
• Allow GET, POST, PUT, DELETE (or just any)
• Allow any request headers
• Allow requests from any host

Pretty much wide open. I'm a little confused by the docs so does anyone have an example of what it might look like?

Answer 1

Something wide-open but only allowing https and not http would look something like this and would need to be named clientaccesspolicy.xml and placed in the web root:

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*" http-methods="*">
        <domain uri="https://*" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

If you want to allow both http and https access you need to explicitly list both of them under the allow-from node as it is opt-in and a simple * wildcard will not work for SSL.

Edit: Added http-methods="*" per John's comment to allow methods other than GET and POST.

Answer 2

Some hints on where to get started:

• Get Tim Heuer's Cross Domain helpers
• Use Silverlight Spy's Cross-domain Access Policy Validator if you get stuck: http://timheuer.com/blog/archive/2008/04/06/silverlight-cross-domain-policy-file-snippet-intellisense.aspx

Answer 3

Here is the MSDN Documentation on the matter: Making a Service Available Across Domain Boundaries.