Damon Payne: Hand waving software architect

103db signal to noise ratio at < .03% total harmonic distortion
Solution Architect, software developer, geek
Damon Payne at Blogged
2009 Microsoft MVP - Client App Dev
2007 Microsoft MVP - Solution Architecture
 Monday, July 21, 2008
« News to some: CarSpot.com acquired | Main | Klipsch Palladium P-39F and P-27C »
Does Silverlight cross domain security make sense?

Adam Kinney has post some articles in the past showing a Silverlight application for displaying gamer cards.  When the Playstation 3 finally caught up and created a "Portable ID", I thought this would be a decent chance to demonstrate some Silverlight chops. Yes, I have a PS3 and not an XBox360.  I thought maybe I'd make an application with unnecessary animations and sounds for fun, perhaps allow you to sort friends and setup notifcations that are not available from the PSN.  Here's my Playstation portable ID:

The gist of the online status is simply a JPG, in my case http://pid.us.playstation.com/user/drpayne.jpg , that gets updated when your status changes via the console.  Excited to run off and write code I created a Silverlight 2 app and set about downloading this JPG.  Except that it doesn't work because of Silverlight's cross domain security policies.  I'm not a genious in TCP/IP or DNS/BIND, but the policies used by Silverlight (mimicing those used by Flash) seem overly restrictive and make some scenarios that should be common and easy difficult or un-doable.  There may be a reverse-tunnel situation or similar DNS trickery that is capable with this type of application, but denial of service?  Check out what I just did in this blog posting:

<img border=0 src="http://pid.us.playstation.com/user/drpayne.jpg"/

When the markup for this page is downloaded to your browser, the browser then issues seperate http requests for content that lives on other servers.  That content comes from us.playstation.com, and Google analytics, and Blogged, and others.  This is, seemingly, not a security or denial of service risk in this particular situation.  The PS3 network site shown above did not need to place a client policy XML file in the server root, and in fact they would need to do work to prevent cross domain access of this type.  Sure, Silverlight has more than just HTTP networking capabilities, in fact for a future article I have a full blown instant messanger application implemented in Silverlight using Sockets.  In terms of being a good Technology Citizen, I can see Microsoft wanting to be very careful concerning what it allows devlopers to do with more general socket programming.  But HTTP?  Isn't this part of what the web is "about" ?

What do you think?  Is the cross domain policy employed by Silverlight too restrictive?  Does it not go far enough?  Just right?

Gaming | Silverlight

Monday, July 21, 2008 12:20:51 PM (Central Standard Time, UTC-06:00)  #    Disclaimer  |  Comments [0]  |  Trackback Related posts:
Going to MIX 2010
Using MEF to Work Offline in Silverlight 3
Silverlight 4
Speaking at Chippewa Valley Code Camp 2009
Silverlight and Mailto:
Speaking at MadCamp and 7 Fest