Cross-domain requests to ArcGIS Spatial Data Server

The Adobe Flash Player and Microsoft Silverlight plug-ins cannot access web services that reside outside the domain where the web application originates unless the web server includes a client access policy file. Adobe Flex uses the crossdomain.xml client access policy file. Microsoft Silverlight uses the clientaccesspolicy.xml file. Therefore, to allow your Adobe Flex or Microsoft Silverlight applications to access your ArcGIS Spatial Data Server feature services on a different domain, the appropriate client access policy file must be placed in the web server's root directory.

The client access policy files can be installed in the web server root directory when you install ArcGIS Spatial Data Server for IIS; choose to install the cross-domain policy files when you run the installation wizard.

ArcGIS Spatial Data Server for the Java Platform installs the client access policy files in the Java installation directory (for example, C:\Program Files\ArcGIS\SDS10.1\java). Copy the crossdomain.xml or clientaccesspolicy.xml file to your web server's root directory.

In all cases, you can edit the policy file to include a list of only the domains that you trust.

To learn how to create or modify a crossdomain.xml file, see the Adobe cross-domain policy file specification.

To learn how to create or modify a clientaccesspolicy.xml file, see Making a service available across domain boundaries and Network security access restrictions in Microsoft Silverlight in the Microsoft Developer Network documentation.

CautionCaution:

Client access policy files, or the lack thereof, do not guarantee that your site is safe from all cross-site vulnerabilities. For example, applications or scripts not running in Flash Player or Silverlight could invoke your services directly through REST, regardless of the content in the client access policy files.

Copyright © 1995-2012 Esri. All rights reserved.
7/19/2012