Restricting cross-domain requests to ArcGIS Server

By default, ArcGIS Server allows cross-domain requests so that the Adobe Flash Player, Microsoft Silverlight, and Javascript clients can invoke the server's services from any domain.

If you want to restrict requests to specific domains for Adobe Flash Player and Microsoft Silverlight, you can place a set of client access policy files at the root level of your web server and edit them to list only the domains you trust. If you don't have a set of client access policy files already on your web server, an easy way to get them is to choose for them to be installed as part of the ArcGIS Web Adaptor setup.

If you want to restrict requests to specific domains for Javascript applications, you can configure ArcGIS Server to trust only certain domains. You'll do this using the ArcGIS Server Administrator Directory.

See the sections below to learn how to restrict requests from Adobe Flash Player, Microsoft Silverlight, and Javascript applications.

Restricting requests from Adobe Flash Player and Microsoft Silverlight applications

The Adobe Flash Player and Microsoft Silverlight plug-ins are not allowed to access web services that reside outside the domain where the web application originates. The only exception is if the web server being accessed includes a client access policy file listing the web application's domain as approved for cross-domain requests. When working with Adobe Flex, the client access policy file is named crossdomain.xml. When working with Microsoft Silverlight, the file is typically clientaccesspolicy.xml (although Silverlight can also work with crossdomain.xml).

By default, ArcGIS Server allows cross-domain requests. A set of client access policy files are placed on your GIS server for this purpose when you install ArcGIS Server. These should not be removed, opened, or modified.

If you want to prevent usage of your web services by Flex and Silverlight applications hosted on other domains, you should install the ArcGIS Web Adaptor and place a separate set of client access policy files at the root level of your web server. The Web Adaptor setup can optionally create these files for you. Regardless of how you get them, you can modify this set of files to include a list of only the domains that you trust. This reduces the possibility that an unknown Flash Player or Silverlight control could send malicious commands to your web services.

Below is the crossdomain.xml file installed by the Web Adaptor. You can modify this to be more restrictive. To learn about how to modify this file see the Adobe cross-domain policy file specification.

crossdomain.xml installed by the Web Adaptor:

<?xml version="1.0" ?> 
<cross-domain-policy>
 <allow-access-from domain="*"/>
 <site-control permitted-cross-domain-policies="all"/>
 <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

Below is the clientaccesspolicy.xml file installed by the Web Adaptor. You can modify this to be more restrictive. To learn how to modify a clientaccesspolicy.xml file, see Making a service available across domain boundaries and Network security access restrictions in Microsoft Silverlight.

clientaccesspolicy.xml installed by the Web Adaptor:

<?xml version="1.0" encoding="utf-8" ?> 
<access-policy>
 <cross-domain-access>
  <policy>
   <allow-from http-request-headers="*">
    <domain uri="*"/>
   </allow-from>
   <grant-to>
    <resource path="/" include-subpaths="true"/>
   </grant-to>
  </policy>
 </cross-domain-access>
</access-policy>
CautionCaution:

Client access policy files, or the lack thereof, do not guarantee that your site is safe from all cross-site vulnerabilities. For example, applications or scripts not running in Flash Player or Silverlight could invoke your services directly through REST, regardless of the content in the client access policy files.

Restricting requests from Javascript applications

By default, ArcGIS Server allows all Javascript applications access to web services. If you want to prevent usage of your web services by certain Javascript applications hosted on other domains, you can configure ArcGIS Server to include a list of only the domains that you trust. This reduces the possibility that an unknown application could send malicious commands to your web services.

Steps:
  1. Open the ArcGIS Server Administrator Directory and log in with a user that has administrative access to the server. The URL is formatted http://gisserver.domain.com:6080/arcgis/admin.
  2. Click system > handlers > rest > servicesdirectory.
  3. On the Services Directory page, click edit.
  4. In the AllowedOrigins field, specify a comma-separated list of machines and their domain names that are allowed to access your web services, for example, machine.esri.com, host.arcgis.com, gisserver.example.com.
    NoteNote:

    Use of the * wildcard character as a substitute for the machine name is not supported. You must specify the fully qualified domain name of the machine in the list.

  5. Click Save.
9/1/2015