Comments on: Using Fiddler to trick Silverlight into allowing a crossdomain Web Request http://www.leggetter.co.uk/2009/10/30/using-fiddler-to-trick-silverlight-into-allowing-a-crossdomain-web-request.html Real-time web and social media software consultant Thu, 11 Mar 2010 14:06:17 +0000 http://wordpress.org/?v=abc hourly 1 By: Raghuraman http://www.leggetter.co.uk/2009/10/30/using-fiddler-to-trick-silverlight-into-allowing-a-crossdomain-web-request.html/comment-page-1#comment-4945 Raghuraman Fri, 29 Jan 2010 22:25:32 +0000 http://www.leggetter.co.uk/?p=425#comment-4945 Good Post Phil !!! Good Post Phil !!!

]]> By: Fred http://www.leggetter.co.uk/2009/10/30/using-fiddler-to-trick-silverlight-into-allowing-a-crossdomain-web-request.html/comment-page-1#comment-4944 Fred Fri, 29 Jan 2010 21:24:47 +0000 http://www.leggetter.co.uk/?p=425#comment-4944 A user opens their browser. In one tab they go to <a href="http://www.mybank.com" rel="nofollow">www.mybank.com</a> and authenticateĀ themselves getting some kind of session cookie. In another tab they go to <a href="http://www.evilsite.com" rel="nofollow">www.evilsite.com</a> and download a Silverlight application. The Silverlight application tries to do a HTTP GET on <a href="http://www.mybank.com" rel="nofollow">www.mybank.com</a> but the Silverlight application won't allow it because there's no cross-domain policy. So, the user opens up Fiddler and fakes a cross-domain policy thereby allowing the Silverlight client from <a href="http://www.evilsite.com" rel="nofollow">www.evilsite.com</a> to do an HTTP GET to <a href="http://www.mybank.com" rel="nofollow">www.mybank.com</a> and their authentication cookie then flows over and the code from <a href="http://www.evilsite.com" rel="nofollow">www.evilsite.com</a> is now reading/writing data to <a href="http://www.mybank.com" rel="nofollow">www.mybank.com</a>. But I don't think that particular user can really complain that Silverlight ( or Flash ) didn't try to do the right thing for them but can't really stop them taking out a gun, loading both barrels and blowing their own foot right off? A user opens their browser.

In one tab they go to http://www.mybank.com and authenticateĀ themselves getting some kind of session cookie.

In another tab they go to http://www.evilsite.com and download a Silverlight application.

The Silverlight application tries to do a HTTP GET on http://www.mybank.com but the Silverlight application won’t allow it because there’s no cross-domain policy.

So, the user opens up Fiddler and fakes a cross-domain policy thereby allowing the Silverlight client from http://www.evilsite.com to do an HTTP GET to http://www.mybank.com and their authentication cookie then flows over and the code from http://www.evilsite.com is now reading/writing data to http://www.mybank.com.
But I don’t think that particular user can really complain that Silverlight ( or Flash ) didn’t try to do the right thing for them but can’t really stop them taking out a gun, loading both barrels and blowing their own foot right off?

]]> By: A Real Time Rich Internet Application (RTRIA) Example « Phil Leggetter – Software Consultant http://www.leggetter.co.uk/2009/10/30/using-fiddler-to-trick-silverlight-into-allowing-a-crossdomain-web-request.html/comment-page-1#comment-3600 A Real Time Rich Internet Application (RTRIA) Example « Phil Leggetter – Software Consultant Tue, 03 Nov 2009 20:37:42 +0000 http://www.leggetter.co.uk/?p=425#comment-3600 [...] Important: To get the sample application to stream real-time data from the Twitter real-time feed you will need to use Fiddler to trick Silverlight into allowing a crossdomain Web Request. [...] [...] Important: To get the sample application to stream real-time data from the Twitter real-time feed you will need to use Fiddler to trick Silverlight into allowing a crossdomain Web Request. [...]

]]>