SLightS3 - Cross Domain Policy Information

NOTE: The crossdomainpolicy.xml example and sample download have changed with the release of version 1.2.0.  If you have not yet downloaded 1.2.0 or are unsure which version you have, please re-download it and implement your policy document as described below.  The notable change is that SLightS3 now uses "PUT" instead of "POST" for uploads, which requires the http-methods attribute to be specified on the allow-from element.

Microsoft Silverlight leverages a crossdomainpolicy.xml file to prevent cross-domain access to resources on sites other than the domain that serves the Silverlight application.  This security mechanism helps prevent cross-site request forgery attacks.  The crossdomainpolicy.xml file must be located in the root of the website you are attempting to access, and it must supply the appropriate permissions for your Silverlight application.

In the case of SLightS3 in conjunction with Amazon's S3 service, the clientaccesspolicy.xml file must reside in the bucket(s) you are attempting to upload your files to.  For instance, if you are attempting to upload the file 'foo.txt' to a bucket named 'foobucket', you must have a clientaccesspolicy.xml file in the 'foobucket' bucket.  The clientaccesspolicy.xml file must also be set to 'public-read'.  To verify your client access policy file, try browsing to:  http://foobucket.s3.amazonaws.com/clientaccesspolicy.xml.

Below is an example of how a crossdomainpolicy.xml file is structured, or you can download a sample crossdomainpolicy.xml document.  These are provided as samples only and provide broad access to your resources.  We strongly recommend using the information provided on the official Network Security Access Restrictions in Silverlight page on MSDN to properly secure your cross domain policy file.

<?xml version="1.0" encoding="utf-8"?>
    <access-policy>
        <cross-domain-access>
            <policy>
                <allow-from http-methods="*" http-request-headers="*">
                    <domain uri="http://www.exampledomain.com"/>
                    <domain uri="https://www.exampledomain.com"/>
                </allow-from>
                <grant-to>
                    <resource path="/" include-subpaths="true"/>
                </grant-to>
            </policy>
        </cross-domain-access>
    </access-policy>
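
To see which parts of a policy file are the "broad access" mentioned above, the following added example (not part of SLightS3 or of the original page) parses a policy document and lists its widest grants. The function name audit_policy and the choice of which settings to report are assumptions of this example; the embedded input is the sample policy shown above.

```python
import xml.etree.ElementTree as ET

# Constructed input: the sample policy from this page, embedded so the check runs offline.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-methods="*" http-request-headers="*">
        <domain uri="http://www.exampledomain.com"/>
        <domain uri="https://www.exampledomain.com"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def audit_policy(xml_text):
    """Return (policy_index, finding) tuples for the broad grants in a policy file.

    audit_policy is a hypothetical helper written for this example.
    """
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for i, policy in enumerate(root.iter("policy")):
        for allow in policy.iter("allow-from"):
            # "*" here opens every HTTP method, not only the PUT that uploads need.
            if allow.get("http-methods", "").strip() == "*":
                findings.append((i, "all HTTP methods allowed"))
            if allow.get("http-request-headers", "").strip() == "*":
                findings.append((i, "all request headers allowed"))
            for dom in allow.iter("domain"):
                uri = dom.get("uri", "")
                if "*" in uri:
                    findings.append((i, "wildcard caller domain: " + uri))
        for res in policy.iter("resource"):
            subpaths = res.get("include-subpaths", "false").lower() == "true"
            if res.get("path") == "/" and subpaths:
                findings.append((i, "entire site granted (path '/' with subpaths)"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit_policy(SAMPLE_POLICY):
        print(f"policy[{idx}]: {msg}")
```

Run it against the file you actually placed in the bucket before making that file 'public-read'; an empty result means none of these broad grants is present.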