Microsoft today released documentation to help Web developers build secure Silverlight applications. Silverlight 2 allows applications to make Web requests to third-party domains (whereas Silverlight 1.0 was limited to requests only to the site of origin.) It also allows applications to open TCP sockets. And this, while increasing the potential functionality of Silverlight apps, also increases security risks.
Silverlight’s approach to security is to give Web sites the ability to explicitly declare that their domain allows cross-domain traffic. Microsoft says:
“A domain can allow Silverlight applications to make third-party Web requests to it by publishing a clientaccesspolicy.xml file at its root. (For example, you can see Microsoft’s file at https://microsoft.com/clientaccesspolicy.xml). The Web site can specify which URLs are allowed to call cross-domain, as well as which domains are allowed to make those calls. If you own two domains—contoso.com and fabrikam.com—and you want to allow contoso.com to communicate with a Web service on fabrikam.com, you can [set policies to allow this].”
Other security pitfalls exist, such as the server calling potentially malicious XAP (pronounced ZAP) files. XAP is the file extension for a Silverlight-based application package (.xap). Microsoft says:
“Since this XAP can actually read the HTTP response, traditional CSRF-prevention techniques, such as nonces, won’t work. This XAP is effectively indistinguishable from a real user at this point. Remember that all the user’s cookies and HTTP authentication is sent along as well, so the session will appear to be valid.”
Microsoft recommends using advanced security techniques like threat modeling to determine the potential weak spots where hackers can invade.
How do the security risks of Silverlight 2 sound compared to risks of using a competitor like Adobe Air?
Also see: Server Quest II – the ContestMoonlight 1.0 available to bring Silverlight to Linux
Visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers.bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)Sign up for the
SSH PowerShell for the massesWe-Fi: find Wi-Fi hotspots anywhere, anytime!Windows 7 post-beta leaks – why you should worryMicrosoft secretly tests uninstall option for IE in Windows 7Six of the best gadgets from Microsoft TechFestReader’s Choice for Best Windows open source Projects Microsoft to give away one million training vouchers Follow Microsoft Subnet on Twitter




