Restricting cross-domain requests to ArcGIS Server
By default, ArcGIS Server allows cross-domain requests so that the Adobe Flash Player and Microsoft Silverlight plug-ins can invoke the server's services from any domain. If you want to restrict requests from other domains, you can place a set of client access policy files at the root level of your web server and edit them to list only the domains you trust. If you don't already have a set of client access policy files on your web server, an easy way to get them is to have the ArcGIS Web Adaptor setup install them.
What are client access policy files and how do they relate to ArcGIS Server?
The Adobe Flash Player and Microsoft Silverlight plug-ins are not allowed to access web services that reside outside the domain where the web application originates. The only exception is if the web server being accessed includes a client access policy file listing the web application's domain as approved for cross-domain requests. When working with Adobe Flex, the client access policy file is named crossdomain.xml. When working with Microsoft Silverlight, the file is typically clientaccesspolicy.xml (although Silverlight can also work with crossdomain.xml).
By default, ArcGIS Server allows cross-domain requests. A set of client access policy files is placed on your GIS server for this purpose when you install ArcGIS Server. These files should not be removed, opened, or modified.
If you want to prevent usage of your web services by Flex and Silverlight applications hosted on other domains, you should install the ArcGIS Web Adaptor and place a separate set of client access policy files at the root level of your web server. The Web Adaptor setup can optionally create these files for you. Regardless of how you get them, you can modify this set of files to include a list of only the domains that you trust. This reduces the possibility that an unknown Flash Player or Silverlight control could send malicious commands to your web services.
Below is the crossdomain.xml file installed by the Web Adaptor. You can modify it to be more restrictive. To learn how to modify this file, see the Adobe cross-domain policy file specification.
crossdomain.xml installed by the Web Adaptor:
<?xml version="1.0" ?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
Below is the clientaccesspolicy.xml file installed by the Web Adaptor. You can modify it to be more restrictive. To learn how to modify a clientaccesspolicy.xml file, see Making a service available across domain boundaries and Network security access restrictions in Microsoft Silverlight.
clientaccesspolicy.xml installed by the Web Adaptor:
<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
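As an added example (not part of this ArcGIS documentation or the Web Adaptor), the following Python script parses either policy format and reports every grant that still applies to all domains, checking the permissive crossdomain.xml above against versions of both files restricted to a single assumed trusted domain, maps.example.org; the restricted files are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permissive crossdomain.xml the Web Adaptor installs.
PERMISSIVE_CROSSDOMAIN = """<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: the same file restricted to one assumed trusted domain,
# HTTPS only, with the root policy file as the only policy file honoured.
RESTRICTED_CROSSDOMAIN = """<?xml version="1.0" ?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-access-from domain="maps.example.org" secure="true"/>
<allow-http-request-headers-from domain="maps.example.org" headers="Accept"/>
</cross-domain-policy>"""

# Constructed sample: a Silverlight clientaccesspolicy.xml restricted the same way.
RESTRICTED_CLIENTACCESS = """<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="Accept">
<domain uri="https://maps.example.org"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>"""

# Attributes in either format whose value "*" opens the policy to every domain.
WILDCARD_ATTRS = {"domain", "uri", "headers", "http-request-headers"}

def audit_policy(xml_text):
    """Return (element, attribute) pairs that still grant access to everyone.
    Works for both crossdomain.xml and clientaccesspolicy.xml: any wildcard
    in a domain or header attribute, and a site-control of "all", is reported.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        for attr, value in el.attrib.items():
            if (attr in WILDCARD_ATTRS and value == "*") or (
                attr == "permitted-cross-domain-policies" and value == "all"):
                findings.append((el.tag, attr))
    return findings
```

Run audit_policy over the files actually deployed at your web server root; an empty list means no element still grants access to every domain.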
Client access policy files, or the lack thereof, do not guarantee that your site is safe from all cross-site vulnerabilities. For example, applications or scripts not running in Flash Player or Silverlight could invoke your services directly through REST, regardless of the content in the client access policy files.