1. Before allowing a connection to a network resource, the Silverlight runtime will try to download a security policy file from the domain that hosts the network resource. There are two different methods used to download the security policy that depend on whether the connection request was from a WebClient or HTTP class or whether the connection request was from sockets.
2. One additional restriction on using the sockets classes is that the destination port range that a network application is allowed to connect to must be within the range of 4502-4534.
3. A机器创建了一个SocketServer,监听4502端口(4502-4534中的某一个)
1. B机器上的Silverlight程序请求连接A机器上的4502端口;
2. B机器的Silveright Runtime向A机器的943端口请求Policy文件;
3. A机器发送给B一份Policy文件;
4. B机器上的Silverlight程序与A机器上的4502端口建立连接;
5. A与B之间访问的安全策略遵照B收到的Policy文件执行(B机器上的Silverlight程序可以访问A机器上的那些信息);
The Silverlight version 3 runtime supports two primary means for networking applications to connect with remote hosts:
- WebClient and HTTP classes in the System.Net namespace - these classes use the HTTP or HTTPS protocol for network communication.
- Sockets classes in the System.Net.Sockets namespace - these classes provide a low-level sockets interface that can be used for more general network communication.
In both cases, there is a need to provide security and prevent Silverlight applications from initiating unauthorized connections. Potential networking threats to be mitigated include:
- Denial of Service (DoS) attacks – A large number of remote hosts are used to attack a target site so that the target is unable to service valid requests.
- DNS Rebinding attacks – Use DNS to force a remote host to rebind a trusted host name (site of origin) to a victim’s IP address, thus allowing access to a host other than site of origin.
- Reverse tunnel attack – Use a remote client’s outgoing connection as a back tunnel to the client’s private network.
Basics of the Security Policy System
Silverlight supports two types of security policy files:
- Flash policy file - the existing crossdomain.xml policy file used by Adobe Flash. This policy file can only be used by the WebClient and HTTP classes in the System.Net namespace. A Flash policy file must allow access to all domains to be used by the Silverlight runtime.
- Silverlight policy file - the Silverlight policy file that can be used by the WebClient and HTTP classes in the System.Net namespace and also by the sockets classes in the System.Net.Sockets namespace. This policy file has a different format than the Flash policy file.
Before allowing a connection to a network resource, the Silverlight runtime will try to download a security policy file from the domain that hosts the network resource. There are two different methods used to download the security policy that depend on whether the connection request was from a WebClient or HTTP class or whether the connection request was from sockets.
If the connection request was from a WebClient or an HTTP class to a cross-domain site, the Silverlight runtime tries to download the security policy file using the HTTP protocol. The Silverlight runtime first tries to download a Silverlight policy file with a name of "clientaccesspolicy.xml" at the root of the requested target domain using the HTTP protocol.
If the "clientaccesspolicy.xml" is either not found (the web request returns a 404 status code), returned with an unexpected mime-type, is not valid XML, or has an invalid root node, then the Silverlight runtime will issue a request for the Flash policy file with a name of "crossdomain.xml" at the root of the requested target domain, using the HTTP protocol.
HTTP redirects for the policy file are not allowed. A redirect for a policy file will result in a SecurityException of access denied.
If a "clientaccesspolicy.xml" file is returned, but contains an error other than the ones listed above, then no further cross domain requests to that domain will be allowed.
If a valid "clientaccesspolicy.xml" file is returned, that file will be used as the policy file for that cross-domain request for the remainder of the client session of the Silverlight application, and will be used to determine the validity of all subsequent cross-domain requests to that domain.
The Flash policy file must allow connections to all domains for it to be used by the Silverlight WebClient and HTTP classes.
If a Silverlight policy file is returned (even if there is an error in parsing the file), it is used as the policy file for that cross-domain request and all subsequent requests to that server for the entire session of the Silverlight application. If a Silverlight policy file is not found, the Silverlight runtime then tries to download a Flash policy named "crossdomain.xml" at the root of the requested target domain using the HTTP protocol. The Flash policy file must allow connections to all domains for it to be used by the Silverlight WebClient and HTTP classes.
If the connection request was from sockets to the site (cross-domain or site of origin), the Silverlight runtime tries to open a connection using TCP to a well-known port (port 943) on the target site. If a TCP connection can be established, the Silverlight runtime sends the special string <policy-file-request/> to the server to request a Silverlight policy file. The Silverlight runtime then waits to receive a reply from the target site that contains a Silverlight policy file. If this Silverlight policy file is returned (even if there is an error in parsing the file), it is used as the policy file for that socket request and all subsequent requests to that target site for the entire session of the Silverlight application.
If the policy file retrieved is successfully parsed and grants permission, a connection is finally opened to the target host. If the policy file retrieved is invalid and cannot be correctly parsed, then connections to the network resource are denied by the Silverlight runtime and any connection requests will fail. If no policy file is found, then connections to the network resource are denied by the Silverlight runtime and any connection requests will fail.
One additional restriction on using the sockets classes is that the destination port range that a network application is allowed to connect to must be within the range of 4502-4534. These are the only destination ports allowed by a connection from a Silverlight application using sockets. If the target port is not within this port range, the attempt to connect will fail. It is possible for a target server to receive connections on a port from this restricted range and redirect it to a different port (a well-known port, for example) if this is needed to support a specific existing application protocol.
To deploy a security policy file for use by connections from the WebClient and HTTP classes, system administrators need to configure a web service for each IP address that is to provide the policy file definition and make the Silverlight or Flash policy file available over HTTP.
To deploy a security policy file on a server for sockets, system administrators need to configure a separate authentication service on port 943 for each IP address that is to provide the policy file definition.
Ref:http://msdn.microsoft.com/en-us/library/cc645032(VS.95).aspx