URL Access Restrictions in Silverlight

Microsoft Silverlight will reach end of support after October 2021. Learn more.

For security reasons, the Silverlight runtime restricts access to certain classes of URLs from the WebClient and HTTP classes in the System.Net namespace. There are similar access restrictions applied by the runtime to other classes including the Image and MediaElement classes in the System.Windows.Controls namespace. The runtime also applies access restrictions to XAML source files and font files based on the class of URL. These restrictions are implemented in the Silverlight 2 and later runtime.

The connections affected are access to cross-zone, cross-domain, and cross-scheme URLs. These restrictions are designed to prevent networking threats (for example, threats based on a Silverlight application run from an internet server getting access to resources on a local intranet server).

The common URL classes are as follows:

  • Cross-scheme URL: A Silverlight application downloaded from an HTML page from a web server with one scheme (HTTP, for example) tries to access resources from the same server or a different server using a different scheme (HTTPS, for example).
NoteNote:

You can access resources with a cross-scheme URL (allowed between HTTP and HTTPS) on Silverlight, but you need to explicitly enable this with a security policy file. See Network Security Access Restrictions in Silverlight topic for more information.

  • Cross-domain URL: A Silverlight application downloaded from a web server tries to access resources on a different target server (for example, an application that is hosted on www.contoso.com trying to access content on www.fabrikam.com). The Silverlight runtime commonly uses security policy files downloaded from the target server to determine if this access should be allowed. 
NoteNote:

You can access resources cross domain on Silverlight, but you need to explicitly enable this with a security policy file. See Network Security Access Restrictions in Silverlight topic for more information.

  • Cross-zone URL: Internet Explorer defines the concept of security zones with a security level assigned to each zone. Four zones are defined: Internet, Local intranet, Trusted sites, and Restricted sites. In addition, the local machine is also considered to be another zone. A Silverlight application downloaded from a web server in one security zone tries to access resources on a target server in a different security zone. Cross-zone access restrictions are designed to prevent a Silverlight application downloaded from a server in the Internet zone from accessing resources in the more trusted Local Intranet, Trusted Sites, and local machine zones. This prevents a Silverlight application run from a remote internet server from getting access to resources on the local intranet and other resources (an elevation of privilege). Cross-zone access is blocked even if a security policy file on the target server would allow the resource to be accessed. Note that cross-zone access is not restricted for applications downloaded from the server in the Local intranet zone to resources on an internet server. However, any access cross-domain requires a security policy file. Cross-zone access restrictions are implemented only for Silverlight 2 and later applications running on Windows. The concept of security zones and cross-zone access is not currently supported for Silverlight applications running on the Apple OS X.

The table below summarizes the rules that restrict access to URLs from the WebClient and HTTP classes in the System.Net namespace and also includes the restrictions on some other Silverlight classes and components.

WebClient and HTTP classes

Image class, MediaElement class for progressive downloads (media, images, ASX, etc.)

XAML source files

Font files

Streaming media

Allowed schemes

HTTP, HTTPS

HTTP, HTTPS, FILE

HTTP, HTTPS, FILE

HTTP, HTTPS, FILE

HTTP

Cross-scheme access

Allowed between HTTP and HTTPS.

Not allowed

Not allowed

No

Not allowed from HTTPS

Cross-domain access

Requires a security policy file.

Allowed

Allowed if not HTTPS to HTTPS

Not allowed

Allowed if not HTTPS to HTTPS.

Cross-zone access (on Windows)

Not allowed from an Internet zone to more restrictive zones.

Not allowed from an Internet zone to more restrictive zones, except if the target domain is localhost.

Not allowed from an Internet zone to more restrictive zones.

Not allowed from an Internet zone to more restrictive zones.

Not allowed from an Internet zone to more restrictive zones.

Redirection allowed

Allowed to same site and scheme.

Allowed cross-domain and cross-scheme only with a security policy file.

Allowed to same scheme and same or different sites.

Not allowed

Not allowed

Not allowed

NoteNote:

When users get an error that results from one of these access policies being violated, the error may not indicate the exact cause.

If you have a Silverlight application that is hosted on one Web server and you try to use WebClient and HTTP classes in the System.Net namespace from this application to access a resource that stored on another web server (a cross-domain URL), the request will fail unless a security policy file is made available on the other server that explicitly allows this access. The request will also fail on Windows if the Silverlight application was downloaded from the Internet zone and the cross-domain URL is to the site in a more restrictive zone (Local intranet, Trusted sites, or local machine) even if a security policy is made available.

If you want to host your Silverlight application and store your images on different servers, the restrictions are as follows:

  • You cannot store your images on a site that uses the HTTPS scheme if you are hosting your application on an HTTP site (cross-scheme).

  • You can store your images on a cross-domain site as long as the scheme of that cross-domain site is the same as the scheme of the site hosting your application.

  • Silverlight applications running on Windows cannot store images on a server in the Local Intranet zone if the application was downloaded from the Internet zone (cross-zone), except if the target domain is localhost.

  • You can redirect to another image URL as long as the URL uses the same scheme.