Yesterday we published Silvester, a Silverlight Twitter widget, with the idea of letting people put it on their blogs. To use the widget you need only an HTML snippet placed somewhere on your blog or profile page. The snippet contains an <object> tag that references the widget's XAP file on our domain. So what you are actually doing is referencing a resource from another domain, a.k.a. the x-domain or cross-domain scenario.
Silverlight is a client technology, and as such it imposes many security requirements to keep applications secure by default.
What should I do if I want to use a XAP file from another domain?
For security reasons, in cross-domain activation scenarios all interaction between the host HTML page and the Silverlight application is disabled by default. To make your Silverlight application available for use in an x-domain scenario, you need to set the ExternalCallersFromCrossDomain property in the AppManifest.xml file.
<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
            xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
            ExternalCallersFromCrossDomain="FullAccess">
    ...
</Deployment>
ExternalCallersFromCrossDomain is an enumeration of type System.Windows.CrossDomainAccess with the following values:
- NoAccess - default in a cross-domain scenario - no access for cross-domain callers
- ScriptableOnly - script access only, i.e. access to Scriptable objects
More info about this is available on MSDN.
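An added example (not part of the original post or of Silvester): a Python check that opens a XAP and reports the ExternalCallersFromCrossDomain value its manifest declares, so you can see what a widget exposes to host pages before publishing it. It assumes the packaged manifest is AppManifest.xaml at the archive root; the function names and the sample XAPs are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DEPLOYMENT_NS = "http://schemas.microsoft.com/client/2007/deployment"
ATTR = "ExternalCallersFromCrossDomain"
DEFAULT = "NoAccess"  # the default in a cross-domain scenario, per the text above


def cross_domain_access(xap_bytes):
    """Read the setting from a XAP (a ZIP archive; manifest assumed at its root)."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        names = {n.lower(): n for n in xap.namelist()}
        if "appmanifest.xaml" not in names:
            raise ValueError("no AppManifest.xaml in archive")
        root = ET.fromstring(xap.read(names["appmanifest.xaml"]))
    if root.tag != "{%s}Deployment" % DEPLOYMENT_NS:
        raise ValueError("unexpected manifest root: %s" % root.tag)
    return root.get(ATTR, DEFAULT)  # attribute absent means the default applies


def audit(xap_bytes):
    """Classify a XAP by what it exposes to a host page on another domain."""
    value = cross_domain_access(xap_bytes)
    if value == "NoAccess":
        return value, "ok: host page cannot interact with the application"
    if value == "ScriptableOnly":
        return value, "review: Scriptable objects are reachable from host pages"
    return value, "flag: broader than ScriptableOnly, confirm it is intended"


def make_xap(manifest_xml):
    """Build a constructed, in-memory XAP for the demo (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", manifest_xml)
    return buf.getvalue()


MANIFEST = ('<Deployment xmlns="%s" '
            'xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"%s/>')
SAMPLES = {  # constructed manifests, one per setting discussed above
    "default": make_xap(MANIFEST % (DEPLOYMENT_NS, "")),
    "scriptable": make_xap(MANIFEST % (DEPLOYMENT_NS, ' %s="ScriptableOnly"' % ATTR)),
    "full": make_xap(MANIFEST % (DEPLOYMENT_NS, ' %s="FullAccess"' % ATTR))}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *audit(data))
```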
Related Articles
Deployment.ExternalCallersFromCrossDomain Property on MSDN
CrossDomainAccess Enumeration on MSDN
HTML Bridge: Security Settings on MSDN
Breaking Changes Between Beta 1 and Beta 2 on MSDN