I’m building a system with Silverlight (SL) on the Client side and some wcf-services supporting this client. Now – as the wcf-services are located in services.mydomain.com; and the SL client is exposed on www.mydomain.com – I’m having a problem.
It turns out that the SL cross domain calls are disabled by default, but needs to be allowed on the service (?). How bizarre is this? Why is it not the SL client that needs to be allowed to be calling out of the “native” domain (www.mydomain.com)? It seems very “reverse” to me?
Anyway – an xml-file named (clientaccesspolicy.xml) should be placed in the root of your domain (not webserver!). It seems a common misconception that it should be placed in the root of the webserver. This is not technically correct, it should be exposed like this instead: www.mydomain.com/clientaccesspolicy.xml. That this also happens to be the root of the webserver in some cases, is just pure coincidence.
Now – the really important part is this: remember to add the attribute (http-request-headers=”*”) to the “allow-from” tag (see below). Otherwise you are continuously presented with problems on the Client when calling out from the SilverLight application/control.